There should be nothing to leak. The record of verification should be a signature saying what was verified and how and when and nothing about the underlying documents/images/data off of which the verification was based.
That is needlessly complicated. The problem is the US federal government does not provide identity verification API as an infrastructure service. And they easily could using the USPS’s physical locations and their workflow in processing US passport applications, which already involves identity verification.
Or even just coordinating the 50 states’ motor vehicle commissions or whatever since they are also verifying identities to issue drivers’ licenses and state identification cards.
A friend applied for a job in the UK civil service - you were required to verify your identity by giving data to a third party, for profit company (and paying for the privilege). All of the companies had recently had significant data breaches. One of them - right there on the government provided guidance - lied about the company (Post Office) to imply a historied bastion of trust. It was blatant.
Verification could have been done using government data, but Tories have to also make a profit off of everything so they instead chose to give every civil service applicants data away to companies with a track record of data leaks.
Exactly this. Even non-civil servants are required to sign up with one of these services for certain government ID accounts.
I don't recall which it was now, but I had to choose from a bunch of providers (I selected Post Office) when I registered for something Gov related a few years back. I don't remember what now since I haven't used it since, but PO still has the details and provides auth for a government service for me. Insanity.
I do honestly think the real reason for this outsourcing is because the Passport Office and DVLA don't provide their databases for identity verification purposes, even to other government agencies, aside from say the security services and police.
Even in banking, where the government mandate thorough KYC/ID vetting, no APIs are made available by the government to actually verify a copy of ID is legitimate. So you're left looking at whether it "looks" correct.
For better or worse, of course, but there's an argument to be made that the refusal of the govt to provide "ID verification as a service" is pro-privacy.
It is more that the Federal government is Constitutionally prohibited from mandating such a thing, the most they can do is ask nicely and hope for compliance. Coordinating the several dozen States, which can do it, is like herding cats. This is further complicated because there are large factions of both Democrats and Republicans that are against it for a litany of unrelated reasons, so the resistance to it is robust and bipartisan.
It has little to do with "monied interests". It is primarily the product of nigh insurmountable legal and political hurdles.
The Federal government can build one but they can’t require it or make people use it, and an ID you can opt out of is useless. Only the States have that authority. This is settled law with a lot of precedent, and largely the reason the US has no national ID system no matter which politician runs the country. Courts have consistently held this to be outside the narrow Constitutional authority of the Federal government.
Having a mandatory Federal ID would require a Constitutional amendment, but since the States have refused to do it voluntarily it seems exceedingly unlikely that a super-majority of States would ratify an amendment that forces them to do it.
Is a legally mandatory ID is required to solve this problem? The Federal government could create a voluntary one and/or coordinate the state IDs system into a modern digital ID system, then Uber and banks could use that instead of letting an SSN number or photo of ID being enough to commit identify fraud. If someone don't want to use the system, that's between the client and Uber.
Yes I know if this happens it will become of those "technically not mandatory but in practice yes" things.
I don't believe that this is actually unconstitutional. The whole argument about the Fed not being able to set up a Federal ID hinges on the Tenth Amendment, saying that it's not a specifically delegated power.
But that is a ridiculously weak argument, there are tons of ways the Federal Government can mandate the unified ID. For example, it can be tied to the Social Security number. The government can (quite reasonably) argue that it needs to positively identify people to be able to correctly track their SS contributions.
Why this hasn't been done yet? Probably because nobody cares about that. Real ID gets postponed time after time, exactly for the same reason.
Everything you say is true of state IDs too. They are not mandated. They are useful because some people choose to have them. Some people would also choose to have a federal id.
Perhaps you didn’t hear about “Real ID”. You need it to fly, and it involves data sharing/matching with the federal government. They did a back door federal ID system by simply integrating with all of the state ID systems.
The constitution doesn't say what the federal government is disallowed from doing. The constitution says what the federal government is allowed to do, and they are not allowed to do anything it doesn't say.
I don't think you need to really coordinate all the states. Each state can provide their own ID verification system. Yes, it's a pain that every product wanting to use it will have to do 50 different integrations rather than one, but ultimately things will converge to a more or less standardized API (or a few of them).
Of course it's dumb that taxpayers will have to pay for 50 of these things through their state taxes instead of one of them through their federal taxes.
Then again, what's most likely to happen is that the states will outsource it to a private company like this one, and we're no better off.
And one of the major causes of that problem is that there is no US equivalent to the GDPR, even as the current ID systems are being abused quite thoroughly. Until we have something like the GDPR to prevent companies needlessly demanding personal information, simply making ID verification easier would mean even more places asking for identifying information, using it to build even more surveillance databases, and eventually leaking it all. For starters, imagine that every website currently using SMS login nags as an excuse for collecting phone numbers would switch over to requiring full legal names, inescapable ID verification, and then hard linking their collection of dossiers with the rest of the surveillance industry.
Are you suggesting that bulk-buying a year of Experian credit report access for the few people who haven't already won a subscription from some other leak isn't a consequence? Or that being able to see your own credit report isn't compensation enough? Heresy!