[avianlyric]

> On a related note, they built their digital ID so that third parties could verify attributes

Isn’t that the entire point of government ID of any variety? The only reason anyone ever asks to see ID is so they can use it verify attributes of your identity, such as name and age. Otherwise what’s the point of an Identity Document, if it’s not to document something?

Digital ID has always been sold as something approximating your passport/Driver License (there is no official government ID in the UK), but digital, on your phone, and actually a government identity document. Rather than a government document that has a specific purpose (such as crossing the border or driving a car), which people pretend is government ID. Something that can cause a serious problem for people because passports and driver’s licenses aren’t free to obtain, replace or keep valid. Plus the government departments that issue them refuse to take any responsibility or liability for the accuracy or validity of the documents for any use case outside their very specific role in narrow government functions, like crossing the border, or figuring out if you’re allowed to drive a car.

The UK already has citizen SSO that stretches across all digital government services, and has had that for a decade plus now. Although it’s not really attached your identity, it’s just a unified auth system so government departments don’t end up creating their own broken auth systems instead.

[rtkwe]

> Isn’t that the entire point of government ID of any variety?

Ideally this could be done without deanonymizing accounts to service providers unless the user wants to for a 'verified' account linked to their identity publically but I don't think any digital ID system has been built that way. Imagine it acting like OAuth but instead of passing back an identity token it's just verification of age, platforms would store that which would show they had performed the age verification and could be used for other age gates if there are any.

[sorenjan]

That's how EU's digital wallet is supposed to work:

> The selective disclosure of attributes will allow you to only share the specific information requested by a service provider, without revealing extra information.

> For example, with the selective disclosure of attributes you could choose to share your date of birth, but without revealing any other identifying details that could be used for profiling.

https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...

[xp84]

You're totally right that it would be easy from a tech perspective to do that. it's a shame that:

(A) most people cannot grasp how it could be that "GovSSO" can attest "This person you just sent our way just logged into GovSSO [with biometric 2FA], and they are at least 16 years old" without the receiving system having any way of knowing who that citizen is or even whether they're 16 or 99.

(B) very real terrible government policies the UK has (like jailing people for speech, and like demanding encryption backdoors that compromise the security, at minimum, of the whole of every British citizen's devices, and at worst every device in the world) incline anyone who's paying attention to assume that the government will somehow use anything related to "ID" and "internet" to do idiotic things like figuring out who owns a Twitter account that committed some wrongspeak so the bobbies can come round them up.

[Aurornis]

> (A) most people cannot grasp how it could be that "GovSSO" can attest "This person you just sent our way just logged into GovSSO [with biometric 2FA], and they are at least 16 years old" without the receiving system having any way of knowing who that citizen is or even whether they're 16 or 99.

The loophole that every kid everywhere would instantly figure out is that they just need to borrow their mom’s ID, their older brother’s ID, or a pay some Internet service $1 to use their ID.

This is why the services aren’t designed to totally separate the ID from the account. If nothing actually links the ID to the account then there is no disincentive for people to share their IDs or sell their use for a small fee. Stolen IDs would get farmed for logins.

So the systems invariably get some form of connection to the ID itself. The people making these laws aren’t concerned about privacy aspects. They want maximum enforcement of their goals.

[xp84]

> The loophole that every kid everywhere would instantly figure out is that they just need to borrow their mom’s ID, their older brother’s ID, or a pay some Internet service $1 to use their ID.

Do most kids have their parents' ATM card and PIN? Their Gmail credentials and 2FA device? Tons of stuff today relies on a secret the parents aren't supposed to share with their kids. When logging in on a device that wasn't marked "remember this next time" it should be requiring 2FA. Yes, your 19 year old bro can get you porn, but that's been true for like 60 years buying Penthouse at the liquor store.

Of course all this is academic, since the fact is that because things like oAuth are not intuitively grokkable by non-computer people, so no one would accept "having to sign into <porn site> with GovSSO" even if everything was verifiably privacy-respecting.

[kdinn]

You just described OpenID

[nine_k]

A digital ID can be better than a passport / driver license, because it can verify only specific attributes of the bearer to a third party. E.g. only the fact that you're older than 21 in a liquor store or a car rental, but not other details readily visible in a passport.

[Aurornis]

Any ID has to reveal enough info to reasonably convince the other party that the ID belongs to that person.

These threads always bring up a hypothetical digital ID that simply says “over 21”, but it’s missing the key point that the ID needs to also give enough information to reasonably tie the identity to the user. Otherwise everyone underage would run around with borrowed or stolen IDs because there was no way to prove it did or did not belong to them.

In theory a digital passport could reveal age 21 or older with a photo and name, but it’s only marginally less info for a lot more complexity.

[avianlyric]

There are solutions to this. Look at how state ID on iOS is handled.

There’s an enrolment process where your identity is bound to your phone, and secured using biometrics.

When you need to prove age, the device can produce a signed token attesting to fact that your older than 21 etc. and your device is trusted to validate your identity using a biometric scan performed by your phone.

All of this is dependent on everyone trusting your phone to both validate your physical identity before signing something, and also not sharing anything it shouldn’t. But given you can already enroll US state ID on iOS, those problems are clearly solvable.

[bgbntty2]

You mentioned "on your phone". Is it only for phone OSes? A depressing "download from the Google Play Store or the Apple App Store only" app? Are UK citizens required to have it?

[subscribed]

It's not a "citizen SSO", even non-residents use it when paying taxes, for self-assessment purposes.

It's Government services SSO.

And no, Digital ID wasn't sold as something like this, it has been sold as a way to prevent (?) "illegals" from working, by introducing system entirely similar to the current eVisa.

Unless you slept through all these televised discussions where Keir Starmer with a stern face explained how a wholly-digital system replacing wholly-digital system will stop these pesky immigrants from getting work (it's almost like in the current systems employers didn't have to do these checks already).

There's been SO, SO MANY lies, like that this system wi be similar to the Polish/Estonian, only these two are primarily physical documents, additionally bearing certificates that can be used to authenticate against the participating systems.

Sure, some countries ALSO have a digital form of the ID, but never advertised as a hate-whip against the others.

The primary problem with the only-electronic Certificate you call ID, is that it's supposed to be always online (never cached, like, say...... Um.....actual Digital ids or cards in the normal phones), so it can be cancelled at any point, also due to the errors of the government employees or systems.

The problem is that MANY people had a very serious problems with eVisa already, leading to being bounced off the Border Patrol or failing to prove right to rent.

Even if the idea of the ID was in general good (and I use one I really love, works wonderfully well), this government lied too many times and is forcing us to eat the frog that we've seen many times prior, is half baked and will burst in someone's face.

This idea is tainted because we're lied to and it's half-baked, and hostile in principle, not helpful.

[avianlyric]

You’re making the assumption that inherently support the creation of Digital ID. I’ve not expressed support for it, I’m just highlighting that if someone is going to criticise it, they should at least understand it well enough to make useful, accurate, criticism.

Criticising ID for making it possible for 3rd parties to verify attributes is a ridiculous thing to do, because that’s the entire point of ID.

If someone wants to criticise the exact mechanism used to allow 3rd parties to verify attributes of someone’s ID, then they should be clear about what that mechanism is, and why it’s problematic. Otherwise it’s impossible to have a sensible discussion, and discuss the various pros and cons of different implementations.

At the end of the day it’s beyond clear we’re moving towards a world where governments and people expect the internet to work closer to how the real world works, with equivalent limitation such as age gating. Putting forward inaccurate, and hyperbolic arguments about arbitrary, indistinct risks associated forms of Digital ID ultimately does us all a huge disservice, because it creates the opportunity to dismiss all criticism as little more than hysterical whining by people uninterested in learning about the societal problems Digital ID is meant to deal with. Which ultimately means we’re removed from the entire discussion about alternative approaches to Digital ID, or implementations of Digital ID that are privacy preserving.

If we’re not involved in those discussions, and seen as creditable contributors to solving the underlying problem, then those pushing for more authoritarian approaches win the argument by default.

[FridayoLeary]

Nobody asked for it. Digital ID is being introduced to help the government, not the people.