Services need the ability to obtain an identifier that:
- Belongs to exactly one real person.
- That a person cannot own more than one of.
- That is unique per-service.
- That cannot be tied to a real-world identity.
- That can be used by the person to optionally disclose attributes like whether they are an adult or not.
Services generally don’t care about knowing your exact identity but being able to ban a person and not have them simply register a new account, and being able to stop people from registering thousands of accounts would go a long way towards wiping out inauthentic and abusive behaviour.
I think DID is one effort to solve this problem, but I haven’t looked into it enough to know whether it’s any good:
Agreed that offering an identifier like this would be ideal. We should be fighting for this. But in the meantime, using a passport ticks most of the boxes in your list.
I’m currently working on a social network that utilises passports to ensure account uniqueness. I’m aware that folks can have multiple passports, but it will be good enough to ensure that abuse is minimal and real humans are behind the accounts.
I hope that enough are willing to if the benefits and security are explained plainly enough. For example, I don’t intend to store any passport info, just hashes. So there should be no risk, even if the DB leaks.
First, not everyone has passports - there are roughly half as many US passports as Americans.
Second, how much of the passport information do you hash that it's not reversible? If you know some facts about your target (imagine a public figure), could an attacker feasibly enumerate the remaining info to check to see if their passport was registered in your database? For example, there are only 2.6 billion possible American passport numbers, so if you knew the rest of Taylor Swift's info, you could conceivably use brute-force to see if she's in your database. As a side effect, you'd now know her passport number, as well.
> Second, how much of the passport information do you hash that it's not reversible?
That doesn't even matter. You could hash the whole passport and the passport could contain a UUID and the hash db would still be usable to correlate identities with accounts, because the attacker could separately have the victim's complete passport info. Which is increasingly likely the more sites try to use passports like this, because some won't hash them or will get breached sufficiently that the attackers can capture passport info before it gets hashed and then there will be public databases with everybody's complete passport info.
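The two concerns raised above, as an added example that is not code from any poster in the thread: it compares an unkeyed hash with an HMAC under a server-held key, showing that the first can be swept when the number space is small, and that the second still answers "is this known document registered?" for anyone holding the key. The record format, sample holder, key and the scaled-down 5-digit number space are constructed assumptions.

```python
import hashlib
import hmac

# Constructed, scaled-down keyspace: 5-digit document numbers (100,000 values)
# stand in for the ~2.6 billion passport numbers mentioned in the thread.
KEYSPACE = 100_000

def record(known_fields: str, number: int) -> bytes:
    """Canonical bytes hashed for one document (hypothetical format)."""
    return f"{known_fields}|{number:05d}".encode()

def plain_digest(known_fields: str, number: int) -> str:
    """Unkeyed hash: anyone holding a DB dump can recompute it."""
    return hashlib.sha256(record(known_fields, number)).hexdigest()

def keyed_digest(key: bytes, known_fields: str, number: int) -> str:
    """HMAC with a server-held key: recomputing needs the key too."""
    return hmac.new(key, record(known_fields, number), hashlib.sha256).hexdigest()

def find_number(stored: set, known_fields: str, digest_fn):
    """Sweep the keyspace; return the number whose digest is stored, else None."""
    for n in range(KEYSPACE):
        if digest_fn(known_fields, n) in stored:
            return n
    return None

def audit() -> dict:
    """Compare what a leaked table reveals under each storage scheme."""
    fields = "DOE|JANE|1990-01-01|USA"       # constructed sample holder
    secret_number = 48_213                    # constructed sample number
    server_key = b"constructed-demo-key-not-for-production"
    wrong_key = b"guess"

    plain_db = {plain_digest(fields, secret_number)}
    keyed_db = {keyed_digest(server_key, fields, secret_number)}
    return {
        # Unkeyed table: known fields plus a sweep recovers the number.
        "plain_recovered": find_number(plain_db, fields, plain_digest),
        # Keyed table without the key: the same sweep finds nothing.
        "keyed_without_key": find_number(
            keyed_db, fields, lambda f, n: keyed_digest(wrong_key, f, n)),
        # Keyed table with the key: a fully known document still matches,
        # so the table links that person to an account.
        "keyed_with_key_match":
            keyed_digest(server_key, fields, secret_number) in keyed_db,
    }

if __name__ == "__main__":
    print(audit())
```

The keyed scheme only helps while the key stays separate from the leaked table; it does not change the correlation outcome for whoever can compute the digest.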
Less than half of Americans have passports, and of the remaining half, a significant fraction do not have the necessary documents to obtain one. Many of these people are poor, people of color, or marginalized in other ways. Government ID is needed, but you generally find the GOP against actually building a robust, free, ubiquitous system because it would largely help Americans who vote Democratic. This is also why the GOP pushes Voter ID, but without providing any resources to ensure that Americans can get said ID.
To be fair, you generally don't see Dems pushing for such a free and ubiquitous system, either - "voter ID is bad" is so entrenched on that side of the aisle that any talk about such a system gets instant pushback, details be damned.
> you generally don't see Dems pushing for such a free and ubiquitous system, either
Yes, and this seems like a huge missed opportunity for Dems. I would strongly support such a system, and I would be willing to temper my opposition to Voter ID laws if they were introduced after such a system was implemented fully.
Passport might be a bit onerous - it's an expensive and painful process and many don't need it.
But it's a hilarious sign of worldwide government incompetence that social insurance or other citizen identification cards are not standard, free, and uniquely identifiable and usable for online ID purposes (presumably via some sort of verification service / PGP).
Government = people and laws. Government cannot even reliably ID people online. You had one job...
When it comes to government-issued IDs, "standard" and "free" is a solved problem in almost every country out there. The US is a glaring exception in this regard, particularly so among developed countries. And it is strictly a failure of policy - the US already has all the pieces in place for this, they just need to be put together with official blessing. But the whole issue is so politicized that both major parties view it as an unacceptable deviation from their respective dogmas on the subject.
> But it's a hilarious sign of worldwide government incompetence that social insurance or other citizen identification cards are not standard, free, and uniquely identifiable and usable for online ID purposes (presumably via some sort of verification service / PGP).
Singapore does this. Everybody who is resident in Singapore gets an identity card and a login for Singpass – an OpenID Connect identity provider that services can use to obtain information like address and visa status (with user permission). There’s a barcode on the physical cards that can be scanned by a mobile app in person to verify that it’s valid too.
In the United States, the lack of citizen identification cards is largely due to Republican opposition. People who lack ID are more likely to be Democratic voters, so there is an incentive to oppose getting them ID. There's also a religious element for some people, connected to Christian myths about the end of the world.
It's kind of half true - there is an association between not having an ID and being blue. Because people without IDs are more likely to be people of color or of other marginalized groups, which then are more likely to be blue.
In addition, there's a strong conservative history of using voter ID as a means of voter suppression and discrimination. This, in turn, has made the blue side immediately skeptical of identification laws - even if they would be useful.
So, now the anti-ID stuff is coming from everywhere.
It's absolutely not true. People have to supply IDs for tons of activities. They have IDs. We know who they are. They are registered to vote -- how did that happen w/o ID? Of course they have IDs.
The statistics just don't back this up. Plenty of, predominantly poor, people don't have driver's licenses. And that's typically the only ID people have. Also, poorer people may work under the table or deal in cash.
Where do you get this idea that you need to have an ID card in order to register to vote? It's certainly not a federal requirement.
In NY, you can register with ID, last 4 digits of your social, or leave it blank. If you leave it blank, you will need to provide some sort of identification when voting, but a utility bill in your name and address will suffice.
https://www.w3.org/TR/did-core/