[HN Gopher] Privatizing Our Digital Identities
___________________________________________________________________
Privatizing Our Digital Identities
Author : soopurman
Score : 97 points
Date : 2023-03-10 14:57 UTC (8 hours ago)
(HTM) web link (notes.volution.ro)
(TXT) w3m dump (notes.volution.ro)
| specialist wrote:
| Thought provoking. I like it.
|
| I've long supported the "right to be forgotten".
|
| But, until this essay, I had never considered the corollary
| "right to be remembered".
|
| This real world concern is timely, relevant.
|
| Nicely done.
| ciprian_craciun wrote:
| [Post author here,] thanks for nailing it! I want anyone to be
| able to choose any of these two extremes ("right to be
| forgotten" and "right to be remembered") or anything in
| between.
|
| I want to be able to configure my Discord or Slack "profile" to
| have all my messages automatically deleted after say 2 months.
| But at the same time I also want my email address to be
| permanently available (even after I die) because it's
| registered in so many places, tied to so many important things,
| so that if Google decides to erase me I'll be in a lot of
| pain...
|
| And although I do use a *paid* GMail account, I do it mainly
| because I trust them more from a security point of view than I
| trust myself. However I don't trust them not even 1% not to
| screw me over if the accountants say it's more profitable to
| drop GMail...
|
| At the same time I don't trust the government not even 1% not
| to screw the security of such a system, or not try to misuse it
| for political gains. But, I also don't see any way out of this
| situation with the technology, society, economy, and judicial
| system we have right now...
| brabel wrote:
| What do you think about Decentralized Identity (DIDs -
| https://www.w3.org/TR/did-core/)? With it, you can have
| several identities and easily generate new ones when needed
| (but you probably need to have a single, government-
| recognized identity for the real world).
|
| Europe seems to be working hard on establishing an identity
| for every citizen: https://commission.europa.eu/strategy-and-
| policy/priorities-... (most countries already have that, but
| this is about unifying the various countries' ID systems).
| ciprian_craciun wrote:
| Unfortunately no purely technical solution works. As I've
| said in the end of my article:
|
| > We need to support the case when a person wakes butt-naked
| in a corn field, suffering from complete amnesia, and
| remembering nothing about himself. Today, such a person has
| a chance of getting his identity back, but in a pure
| technological world, "the computer just says no!"
|
| ----
|
| Regarding the various European ID initiatives: they might
| seem a good idea, but they don't actually work in practice:
| for better or worse, our internet solutions seem to have
| settled on email as the de-facto identification system. Are
| any of these EU ID initiatives completely interoperable
| with the email system? If not, they are useful only for
| purely official interactions with the government, and solve
| nothing outside of that realm.
|
| Also, because most such ID initiatives are actually X.509
| tokens that work solely on Windows, with Adobe products,
| they are beyond useless...
|
| (Let alone that one costs ~50 EUR per year in my country,
| Romania...)
| specialist wrote:
| FWIW, ironically and counter intuitively, "the right to be
| forgotten" achievement is unlocked with the combo of RealID
| (or equiv) and "translucent database" techniques.
|
| (Over simplifying: just like properly salted and hashed
| password files. Lose the password and you cannot retrieve the
| encrypted data.)
|
| Using your essay as a starting point, I'll start pondering
| what a future "right to be remembered" system might look
| like. Both technically and legally.
| mindslight wrote:
| It would be trivial for governments to create email addresses for
| their citizens, and it would be a good idea for general digital
| enfranchisement.
|
| The problem is that there need to be laws preventing private
| companies from _requiring_ this identity, otherwise it would
| devolve into yet another unique identifier for the surveillance
| industry to abuse. And in the US context, we don't even have
| basic privacy laws. So until the abuse of basic identifiers like
| social security and driver's license numbers gets reined in,
| having the government create digital structure just feeds into
| the surveillance industry.
| lancesells wrote:
| My argument to all of this, at least in the US, is you don't need
| the internet to do things or be a person. Yes, it's 1000x more
| convenient (and cheaper) but you don't need to be online to do
| things with the government.
|
| Maybe that changes in the near future but the internet is only as
| real as you make it.
| WallyFunk wrote:
| > you don't need the internet to do things or be a person
|
| The new paradigm is that everything has shifted online. The
| Internet is the proverbial town square. If you don't
| participate, that's on you, but all manner of discourse happens
| online now, and most importantly; that discourse _shapes_
| public opinion, and can have real lasting change in the world.
| dcow wrote:
| Exactly and in the US you don't need a drivers license
| (generally a government-issued ID) to be a person. It helps but
| it's not mandatory. The digital equivalent is signatures so
| digital society needs to be coerced to allow any signature.
| That doesn't preclude having certificates issued to you when
| you pass a driving test or meet residency requirements, but
| those aren't sources of truth. Your personhood is.
| AlotOfReading wrote:
| You're going to struggle to get a job or rent a house without
| using the Internet. That job will almost certainly require you
| to use the Internet for things like email, while the utilities
| on that house will send you increasingly absurd volumes of mail
| about switching to paperless. Some of them may not even have
| alternative payment that allows you to avoid the Internet.
|
| Seems pretty real to me.
| dcow wrote:
| The internet _is_ real so we need to make it as accessible as
| a utility.
| CrisMystik wrote:
| In my country, Italy, all online public services already must
| accept government-issued digital IDs only, by law.
|
| They come in two forms: SPID (which is just username and password
| + TOTP, issued by private companies on behalf of the State, but
| allowing you to change your provider without becoming "a
| completely different person" [1]), and CIE (which is the new
| national ID card, and can be used as an electronic ID using any
| NFC reader). Additionally, some services allow you to log in using
| equivalent eIDs from other EU countries [2].
|
| [1] https://www.spid.gov.it/en/frequently-asked-questions/
|
| [2] https://eid.gov.it/?lang=en-001
| Zamicol wrote:
| Our contribution to solving the digital identity problem is Coze,
| an open source and cryptographic messaging specification.
| [https://github.com/Cyphrme/Coze]
|
| We use Coze to sign messages that authorize user actions, such as
| uploading images, logging in, and leaving comments.
| iisan7 wrote:
| An authoritative digital address increases the power of the
| private sector. At present, I think it will always be easy to
| find a new ID-card provider if your current one locked you out
| for your cat-video-hating ways. Having a permanent authoritative
| ID could actually make it harder to get services because it would
| be easier for the private sector to share information about you.
|
| Imagine you got that address assigned, 42@id.tld. Now, every
| private company you want to do business with wants you to
| register using that ID. Now, when you get banned, they can share
| that ban throughout their network. Because every company requires
| you to register using your national email address for password
| recovery, you've created a system that radically expands the
| power of the private sector to profile you and control your
| reputation, if not your identity.
|
| Maybe very careful regulation could prohibit companies from
| asking you for your government email address, but I recall the
| (apocryphal?) quote by LBJ, "You do not examine legislation in
| the light of the benefits it will convey if properly
| administered, but in the light of the wrongs it would do and the
| harms it would cause if improperly administered."
|
| I prefer your proposed solution of some regulation that treats
| email like phone or utilities so there are a few protections
| before services are terminated.
| dcow wrote:
| The other option is self-sovereign identity.
|
| We desperately need to break the assumption that email is your
| identity. It's like saying your postal address is your identity
| and if it changes everything gets messy. It doesn't work: it's
| not universal and some people don't even have addresses.
|
| The problem is not that email is privatized (though I agree I'd
| love to see ssn@id.gov as a usable recovery address), it's that
| we're tied to it as the only way to identify people online.
| Hopefully webauthn will change this and as long as services
| accept any signature, we aren't tied to blessed identity
| providers. So in my book, legislation and political effort need
| to focus around the "right to self-sign".
|
| Less abstractly, we cannot allow Google, Apple, and Facebook to
| become the de-facto blessed ID providers. It's silly and there's
| no meatspace equivalent because it would be absurd like the
| article points out. We need to require that services accept any
| email (side rant and any oauth provider url so you can run self-
| hosted oauth) and, as webauthn proliferates, any signature.
|
| Finally, we need a political solution here because this is not
| behavior that has or will come naturally. Platforms want to own
| identity for profit and lock in. Other companies using identity
| want to only trust certain platforms/oauth providers/vendors for
| "security" and product simplicity. Nobody is thinking about
| protecting users' rights so we must take that upon ourselves.
| pphysch wrote:
| "Self-sovereign identity" is an oxymoron.
|
| "Self-sovereign" means each individual is their own identity
| provider.
|
| "Identities" must be uniquely identifiable, otherwise...
| they're not identities, they're just bits of data.
|
| Practically, that means there must be a centrally-managed
| namespace of identities that is tightly regulated, ACID-
| compliant, etc. Federation is practical here, but it will all
| tie back to the central entity (e.g. government).
| dcow wrote:
| Philosophically, identity is _not_ "a centrally-managed
| namespace of identities that is tightly regulated, ACID-
| compliant, etc.". The government or a bank or airport or
| certain business might want that level of book-keeping and
| verification, but that's not inherent to _identity_. Identity
| _is_ self-sovereign. I think, therefore I am.
|
| When I go get a drivers license, I'm issued a physical
| "certificate" by my local government that says I qualify to
| drive a motor vehicle. It has some useful properties like
| being hard to counterfeit. A drivers license is not my
| identity. It's a document that asserts claims about my
| identity like "I passed a test", "I showed up in person", "I
| have a utility bill for this address", etc. Meatspace
| identity is self-sovereign but also sometimes assertions
| about an identity are made and verified.
|
| All of this is possible with a self-sovereign digital
| identity system. It's how the CA system works. I make an
| identity, I get it certified for a short period of time. The
| CA issues me a digital certificate with useful properties
| like being hard to counterfeit. It's a document that asserts
| claims e.g. "I manage this domain". CA system is self-
| sovereign and also sometimes you verify the authenticity of
| my certificate.
|
| But the signature on my certificate is _not_ a stable
| identifier. That's my public key. The pubkey _is_ the
| identity. The certificate authority just issues and signs a
| document vouching for it.
|
| So the appropriate digital analog to the present day identity
| system is one where we create keypairs and then sign
| assertions about their owners. The thing you're looking for
| is a modern social security office that looks at your birth
| certificate, requires you to digitally sign your name, and
| then issues an assertion along the lines of "a human in
| possession of this birth certificate showed up before me, a
| truthful government agent, and signed their name like so". And
| thus, you have bound some human assertion to a pubkey. (And
| if your use case cares about a country-unique birth-
| certificate verified human, then you require the pubkey owner
| present you the certificate and you verify it.)
|
| Or maybe you're looking for a novel digital email
| verification service that verifies a given pubkey controls a
| specific inbox. The email verification service periodically
| sends you a secret via email, you sign the secret and reply,
| and in response the service issues you a certificate stating
| that your pubkey is associated with and in control of the
| email address it just verified. You re-verify every 3 months.
| In fact, your email client automatically does it for you as
| you login via webauthn every so often.
|
| Just like I can wear a mask, have a twin, have my license
| stolen, copy the data on my license, or use someone else's
| drivers license in places that don't care about the picture
| or credit cards in places that don't check the signature, the
| same can happen with a private key. Identity is not as
| sophisticated as you are making it out to be.
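
The email verification service sketched in the comment above (the service mails a secret, the key holder signs it and replies, the service issues a certificate binding that public key to the inbox for three months), as an added example that is not part of the thread or of any project mentioned in it. Ed25519, the message layouts and every name here (`Verifier`, `Cert`, `Reply`, `CheckCert`) are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const certLifetime = 90 * 24 * time.Hour // "You re-verify every 3 months."

// Cert is the service's signed statement that PubKey controlled Email.
type Cert struct {
	Email    string
	PubKey   ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte // service signature over certMsg
}

// Verifier is the hypothetical email verification service.
type Verifier struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	pending map[string][]byte // email -> outstanding secret
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewVerifier() *Verifier {
	pub, priv := NewKey()
	return &Verifier{Pub: pub, priv: priv, pending: map[string][]byte{}}
}

// Distinct prefixes keep a challenge signature from passing as a certificate.
func challengeMsg(email string, secret []byte) []byte {
	return append([]byte("email-verify-v1\x00"+email+"\x00"), secret...)
}

func certMsg(c *Cert) []byte {
	m := append([]byte("email-cert-v1\x00"+c.Email+"\x00"), c.PubKey...)
	return binary.BigEndian.AppendUint64(m, uint64(c.NotAfter.Unix()))
}

// Challenge returns the secret the service would send to the inbox.
func (v *Verifier) Challenge(email string) []byte {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	v.pending[email] = secret
	return secret
}

// Reply is the key holder's side: sign the secret that arrived by email.
func Reply(priv ed25519.PrivateKey, email string, secret []byte) []byte {
	return ed25519.Sign(priv, challengeMsg(email, secret))
}

// Issue checks the signed reply and returns a certificate for pub.
func (v *Verifier) Issue(email string, pub ed25519.PublicKey, sig []byte, now time.Time) (*Cert, error) {
	secret, ok := v.pending[email]
	if !ok {
		return nil, errors.New("no outstanding challenge for this address")
	}
	delete(v.pending, email) // one attempt per secret, pass or fail
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, challengeMsg(email, secret), sig) {
		return nil, errors.New("reply is not signed by the claimed key")
	}
	c := &Cert{Email: email, PubKey: pub, NotAfter: now.Add(certLifetime)}
	c.Sig = ed25519.Sign(v.priv, certMsg(c))
	return c, nil
}

// CheckCert is what a relying party runs before trusting the binding.
func CheckCert(c *Cert, servicePub ed25519.PublicKey, now time.Time) error {
	if !ed25519.Verify(servicePub, certMsg(c), c.Sig) {
		return errors.New("certificate was not signed by the service")
	}
	if now.After(c.NotAfter) {
		return errors.New("certificate expired, re-verification needed")
	}
	return nil
}

func main() {
	svc, now := NewVerifier(), time.Now()
	pub, priv := NewKey()
	secret := svc.Challenge("alice@example.org") // constructed address
	cert, err := svc.Issue("alice@example.org", pub, Reply(priv, "alice@example.org", secret), now)
	fmt.Println("issued:", err == nil, "| after 91 days:", CheckCert(cert, svc.Pub, now.Add(91*24*time.Hour)))
}
```

The certificate proves only that whoever held the key could read the inbox at issuance time, which is why the expiry check matters to the relying party.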
| vineyardmike wrote:
| PKI can be both self-sovereign and unique. Look at crypto
| currencies- wallets are uniquely yours and also free from a
| central identity provider (since you only need the private
| key). You don't need a blockchain. Self-signed certs are
| enough for people to auth their candy crush accounts.
| Pxtl wrote:
| They fail the uniqueness test. I can create as many self-
| signed certs and wallets as I like, allowing me infinite
| sockpuppets. That's not an identity.
| gnramires wrote:
| I think you're conflating two things. Creating infinite
| identities is known as the sybil problem in
| cybersecurity, or sybil attacks. Indeed you need a way to
| verify identity in the real world with trusted parties to
| defeat this.
|
| (In my interpretation 'uniquely identifiable' should be
| satisfied by your unique ability to sign data -- actions,
| statements, etc. associated with that key. There's a
| problem of making the identity itself human readable,
| which essentially needs a name system on top)
|
| That said, I think the government de facto already has
| many useful functions around identity verification, I
| think making it more accessible, modern and useful is a
| good idea. Also with good design practices of digital
| systems, we can also make things more transparent,
| auditable, etc.. The downside I would say is the
| possibility of some kind of catastrophic breach or denial
| of service event having a large impact (any of our usual
| web services are subject to that though), and having a
| fallback offline infrastructure should be worthwhile.
| pfoof wrote:
| Fingerprint + iris scan + vein scan
| nathias wrote:
| I agree, but this sounds like it was written in 2000, Google
| Apple and Facebook have been the de facto ID providers for years
| and I don't see that changing without some form of government
| enforced protocol. This won't happen because the governments
| just see the power of platforms and want it for themselves.
| dcow wrote:
| I'm talking about in a webauthn world. Luckily email being
| self-hosted is totally normal right now and thank god
| platforms don't lock that down. However, with webauthn
| platforms have the chance to nefariously lock down who can
| sign webauthn challenges. I hope to God they don't or we
| prevent it.
| ghoshbishakh wrote:
| I was also about to mention SSI. The Decentralized Identifiers
| (DIDs) [1], and Verifiable Credentials [2] are W3C
| Recommendations for solving this exact problem. There are
| implementations of these also - check Hyperledger Indy and the
| Identity Foundation projects [3].
|
| I along with IBM Research folks wrote a paper on even more
| interesting ways of exchanging identity information between two
| entities called Private Certifier Intersection [4].
|
| [1] https://www.w3.org/TR/did-core/
|
| [2] https://www.w3.org/TR/vc-data-model/
|
| [3] https://identity.foundation/
|
| [4] https://www.ndss-symposium.org/ndss-paper/private-
| certifier-...
| numpad0 wrote:
| > It's silly and there's no meatspace equivalent because it
| would be absurd like the article points out
|
| There is a meatspace equivalent that is landline phone numbers
| and telecommunications companies
| ineptech wrote:
| Nobody really wants government-run auth, but we need it
| nonetheless. For extreme cases like having your identity
| stolen, the solution of last resort is "go to a place and talk
| to a human." No tech company will pay all those salaries to run
| a free service, so realistically that place is going to be
| the DMV or similar.
| Kinrany wrote:
| It could be a network of companies that safeguard your keys.
| You give five parts of a key to five agencies and you need
| three to replace the lost/leaked keys.
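
The five-parts, any-three-recover arrangement from the comment above, as an added example that is not part of the thread. It uses Shamir's secret sharing, which is one standard way to get that property (the comment does not name a scheme); the field modulus and the names `Split`, `Combine` and `Share` are choices made for this illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field modulus: the Mersenne prime 2^521 - 1, large enough for a 64-byte key.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one agency's part: the point (X, Y) on the secret polynomial.
type Share struct {
	X int64
	Y *big.Int
}

// Split turns secret into n shares, any k of which recover it.
func Split(secret []byte, k, n int) ([]Share, error) {
	s := new(big.Int).SetBytes(secret)
	if k < 2 || n < k || s.Cmp(prime) >= 0 {
		return nil, errors.New("need 2 <= k <= n and a secret below the modulus")
	}
	// Random polynomial of degree k-1 whose constant term is the secret.
	coef := []*big.Int{s}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef = append(coef, c)
	}
	shares := make([]Share, n)
	for x := 1; x <= n; x++ {
		// Horner evaluation of the polynomial at x, mod prime.
		y := new(big.Int)
		for i := k - 1; i >= 0; i-- {
			y.Mul(y, big.NewInt(int64(x)))
			y.Add(y, coef[i])
			y.Mod(y, prime)
		}
		shares[x-1] = Share{int64(x), y}
	}
	return shares, nil
}

// Combine interpolates the polynomial at x = 0 to recover the secret.
func Combine(shares []Share, size int) ([]byte, error) {
	secret := new(big.Int)
	for i, si := range shares {
		// Lagrange basis at 0: product of (0 - xj) / (xi - xj) over j != i.
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(-sj.X)).Mod(num, prime)
			den.Mul(den, big.NewInt(si.X-sj.X)).Mod(den, prime)
		}
		if den.Sign() == 0 {
			return nil, errors.New("duplicate share")
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, den.ModInverse(den, prime))
		secret.Add(secret, term).Mod(secret, prime)
	}
	// Below the threshold the result is a random field element, which
	// will not fit the expected key size.
	if secret.BitLen() > size*8 {
		return nil, errors.New("shares do not reconstruct a key of this size")
	}
	return secret.FillBytes(make([]byte, size)), nil
}

func main() {
	key := make([]byte, 32) // stand-in for a private key seed
	rand.Read(key)
	shares, _ := Split(key, 3, 5) // five agencies, any three suffice
	got, err := Combine([]Share{shares[0], shares[2], shares[4]}, len(key))
	fmt.Println("recovered from agencies 1, 3, 5:", err == nil && string(got) == string(key))
	_, err = Combine(shares[:2], len(key))
	fmt.Println("two agencies alone:", err)
}
```

Splitting covers storage only: deciding when three agencies should release their shares is the update problem raised in the reply that follows.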
| ineptech wrote:
| The hard part isn't storing it, the hard part is updating
| it. What do you do when the automated process fails due to
| a corner case, like your angry ex using your phone to reset
| your credentials? The government solution might be annoying
| or time consuming, but the private sector answer is "Go
| fuck yourself."
| Pxtl wrote:
| Exactly. A government system providing the last line of
| authentication defense would be ideal. A single point of
| access where you can say "my credentials have been
| compromised please shut down those credentials and help
| me create new ones", and where businesses can check "hey
| is this person linked to a real account? Can I get a hash
| to confirm that the account is unique?".
| Kinrany wrote:
| You can't rely on either, not for auth, not if you want
| to actually own it. People fall through the cracks
| everywhere, so there shouldn't be any cracks to fall
| through.
| johnfonesca wrote:
| Speaking as an application developer (digital signatures
| solution) which has to integrate with government related
| entities, I'd love an official government-run authentication.
| Just give me an OAuth endpoint for the government solution
| which allows me to authenticate users and it will make
| life simpler for everyone.
| aliceryhl wrote:
| We have this in Denmark. It's pretty great. Two-factor
| authentication for bank logins, gov websites, and for
| online card purchases.
| vorpalhex wrote:
| > No tech company will pay all those salaries to run a free
| service, so realistically that place is going to be the
| DMV or similar.
|
| Or we legislate and make companies provide a minimum amount
| of service. You can't offload your operating expenses to the
| government.
| zokier wrote:
| I put a lot of blame for the current situation on the
| shortsightedness of turn of the century internet activists
| (cryptoanarchists and hackers and whatnot) who were extremely
| vocally rejecting any sort of government involvement on the
| internet
| sparkie wrote:
| You have a problem and you think "I know, I'll get government
| involved."
|
| Now you have problems.
| pphysch wrote:
| https://en.wiktionary.org/wiki/deepity
| hanniabu wrote:
| Web3 offers digital identities owned by the user.
| liquide wrote:
| I would offer that Web3 assumes that there are digital
| identities owned by the user, typically by proving control of a
| private key.
|
| It doesn't really solve any of the traditional usability
| problems of maintaining a private key, which is why so many
| users end up just signing up for a website that will handle it
| for them.
|
| Specifically the issues that come to mind are key recovery and
| rotation.
| HPsquared wrote:
| At least there is the prospect of full control by the user.
| thr717272 wrote:
| Only as long as enough others are in on the idea.
|
| I.e. MyAwesomeBlockchain can be totally awesome but since no
| one uses it it is useless.
|
| This will be the fate of well over 90% of the block chains
| that exist today I think. In fact I guess more than 90% of
| them.
| realce wrote:
| "Full control" by being forced to engage with a protocol
| they never designed in order to authenticate their own
| existence? That sounds more like full submission to me.
| AstixAndBelix wrote:
| Web3 offers digital identities owned by the type of strategy
| the blockchain uses.
|
| Do you use Bitcoin and tomorrow Venezuela buys up 51% of global
| hashing power? Your identity is now managed by Venezuela, have
| fun
| dcow wrote:
| Yeah I am bearish on the web3 identity space because it's
| chain infected. They are attacking the right problems but IMO
| not deploying the right solution. Just allow self-signed
| identity not backed by a chain.
| k__ wrote:
| As far as I know, DIDs don't have to be "on chain".
| dcow wrote:
| If DIDs are just a self-signed document format/spec for
| what the fields look like and how to handle/process one
| and how to attach signed assertions then great! That's
| all we need. I thought the idea was you'd publish your
| identity to a chain and the chain would "ratify" it or
| something. That part seems unnecessary.
| AstixAndBelix wrote:
| Self signed identity is meaningless, especially online
| dcow wrote:
| How does putting your ID on a chain or even having an
| identity provider vouch for it change anything? By your
| logic being a human is meaningless because anybody can do
| it.
|
| Self-signed identity means you own a private key. Being a
| human means you own a body. You can call yourself
| whatever you want in meatspace. People deal with it. You
| can sign whatever statements you want in cyberspace. If
| you need to verify that someone has passed a driving
| test, then yes you need an authority to issue a
| certificate (or whatever better tech you choose) saying
| this private key met these requirements.
|
| There's no inherent problem with the identity being self-
| signed if you just need a user-id.
| AstixAndBelix wrote:
| Identity cannot be self-signed. "Self signed identity" as
| you call it is just a pseudonym. Anyone who has access to
| your private key can post with your "identity" and there
| is no way for checking fraudulent usage. If you see two
| instances of an account signing something with the same
| private key you cannot say that those two actions belong
| to the same person. You can only say that those two
| actions were performed by some entity which knows the
| private key. It could be the rightful owner, it could be a
| hacker, it could be a bot.
|
| On the other hand, a real ID check makes sure with a high
| degree of certainty that the person is actually the same
| one who performed other actions (was born, purchased a
| home, has money, etc.)
| dcow wrote:
| I can use a pseudonym in real life. Nobody is "hard
| checking" my identity 99% of the time. Not even the
| government. They don't care if someone else does my
| taxes. It's up to me to share details about my identity
| with my tax accountant as I see fit. About the only
| institutions that actually care are banks because they
| don't want to give my money to someone else and airports
| because they don't want 9/11.
|
| So yes, you can have self-signed identity. And you can
| use it 99% of the time. If you need government-level
| identity verification, you can build that, do the hard
| check, and link to a self-signed identity by issuing a
| certificate for a reasonable amount of time until a re-
| check is desired. Your drivers license is exactly that in
| physical form. I'm not saying we shouldn't have a digital
| DMV that issues digital drivers licenses. I'm saying you
| don't need that as the foundation of your identity
| system. Identity is self-sovereign by nature. Don't fight
| it.
| [deleted]
| kornhole wrote:
| The article completely ignores domain name registration. I own a
| myname.com domain and email address with that domain that I use
| wherever I need real ID. I also maintain the home page with my
| latest contact methods. My contacts only need one thing to put in
| their address book, https://myname.com. I can move registrars
| easily if needed. I am also not dependent on platforms since
| people can always find me here if I leave a platform.
|
| Edit: It does not completely ignore this option but frames it a
| bit restrictively. I set mine for auto renewal and use my domain
| at an email provider. It is not necessary to run your own SMTP.
| arran-nz wrote:
| No, it's not completely ignored.
|
| > What can you do? Register your own domain and run your own
| SMTP server? Better make sure you renew your domain each year,
| else... --- You are no more. Don't have $5 per month to lease a
| VPS and run your SMTP server? --- You are no more. Has your
| domain gotten on some mail blacklists? --- You are no more.
| pedro2 wrote:
| Thinking somewhat along the same scale, I'm planning for
| having 2 years+ of domain name registration, Fastmail payment
| & (I should) have Thunderbird constantly syncing the full
| IMAP to the disk.
|
| In the name of efficiency, it won't be the state doing it
| until someone, or groups of someone, get sufficiently pissed.
|
| EDIT: passwords & other secrets must be shared with someone
| of trust.
| chucksta wrote:
| What's the next person with your name supposed to do?
| kornhole wrote:
| There are plenty of TLDs (top level domains) available. You
| don't need to use yourname.TLD, but it should be something
| easy and memorable for your contacts.
| DeathArrow wrote:
| What if you fail to renew the domain or to pay for hosting?
| What if the registrar wants to shut you down? What if your
| hosting facility catches fire?
| JohnFen wrote:
| I've had all of those happen to me at various times over the
| decades and, honestly, they're all pretty easy to resolve and
| recover from.
| nobody9999 wrote:
| >What if you fail to renew the domain or to pay for hosting?
| What if the registrar wants to shut you down? What if your
| hosting facility catches fire
|
| What if you[1] fail to renew your driver's license, passport,
| professional certification, homeowner's/renter's insurance
| and/or refilling your prescription for a life-saving drug? If
| so, _you_ screwed up. Not paying your bills or maintaining
| your person-hood and infrastructure is _your_ fault.
|
| Unless (in the US at least) you are a member of a "protected
| group/class"[0], no one is _required_ to do business with
| you. And even if you are a member of such a group, good luck
| proving that you're being discriminated against _because_ of
| your membership in such a group/class _even if that is the
| case_. And even then, there is more than one registrar on the
| planet.
|
| If my "hosting facility" catches fire, I have much bigger
| problems (i.e., finding a new place to live and replacing all
| my belongings) than not getting email. And since there is
| more than one "hosting facility" (including your own
| premise), just move to another one.
|
| It's not clear to me what, exactly, you're railing against.
| Each and every potential issue you mention has a "meat space"
| parallel that, I imagine (please do correct me if I'm wrong)
| you are a responsible human who makes sure to do what's
| necessary to maintain your life/person-hood/place in society.
|
| If those digital things you mention are so unimportant _to
| you_ that you don't/won't take responsibility to manage
| them, that's on you, not the rest of the world.
|
| [0] https://en.wikipedia.org/wiki/Protected_group
|
| [1] That's a general "you" rather than DeathArrow
| specifically. But it applies just as much to DeathArrow as it
| does _everyone_ else. Including me.
|
| Edit: Removed text artifact.
| debugnik wrote:
| > What if you fail to renew your driver's license,
| passport, professional certification, homeowner's/renter's
| insurance and/or refilling your prescription for a life-
| saving drug?
|
| You just renew them late. There's a risk that you'll need
| them right then, sure, but generally those mistakes don't
| lock you out of fixing them for the future. However, a
| domain is easily irrecoverable.
| JohnFen wrote:
| Same is true for domain names. At least with the
| registrars that I've used and accidentally allowed my
| domains to lapse with, the domains stop resolving right
| away but the registrar doesn't just sell the domain to
| someone else immediately. You have a grace period to
| renew it late.
| layer8 wrote:
| Auto-renewal is a standard feature. You normally don't have
| to do anything to renew (other than continue paying the
| domain fees). You can transfer your domain to a different
| registrar at any time (for the standard TLDs). If your
| hosting facility catches fire, you can point your DNS (which
| should be a different provider, at least for one of primary
| or secondary DNS) to a new server restored from your backup,
| at a different hoster. This is usually possible in less than
| an hour. Email is robust, sender MTAs typically retry for
| days when your MX is down.
| lancesells wrote:
| > Register your own domain and run your own SMTP server? Better
| make sure you renew your domain each year, else... --- You are
| no more.
|
| It does mention it along with the associated costs.
| verisimi wrote:
| If you think government is a purely coercive entity, dedicated to
| enslaving humanity, why would you want the id that it provides?
| The reason is to access the services it licences.
|
| Government and its ids, licenses, laws and monopoly on force, is
| not there to help. And yet, despite all the examples of how
| government is by far and away the cause of most problems we
| experience, on hn you will find endless discussion on how to best
| assist it. Eg here - 'what type of id is best?'. It's amazing.
|
| Programmers, technologists, etc seem to be hardwired to develop
| the enslavement structure of everyone, including themselves, for
| the sake of some perceived comforts, such as a nice holiday,
| better car. It's literally turkeys voting for Christmas, as we
| plan and develop the hardcore enslavement of the future.
|
| Just think - do woodland creatures need id? Does any individual
| _need_ an id? No. It is only useful if you want to control access
| to this or that for others. Ie you want to force your control on
| others who are doing you no wrong.
| matheusmoreira wrote:
| Completely agree. The real problem is these services demanding
| IDs to begin with. They should just accept some random
| identifier without complaining. That's how it used to be on the
| internet and it was great. The more the web strays from that,
| the more painful it becomes. I don't even have to register a
| nick on IRC but Discord pesters me for my phone number. Why?
| micropresident wrote:
| Spam is the reason. Phone numbers are a costly resource to
| spammers. Having them permanently banned from Discord after
| spamming is a way to keep spam down quite a lot.
|
| I've been working on this exact problem for years, and have
| solved it differently. If anyone is interested, here's the
| draft whitepaper on my solution:
| https://www.stampchat.io/whitepaper.pdf
| Buildstarted wrote:
| Not quite sure what's wrong but the FAQ on your site
| doesn't expand when you click the questions. Debugger says
| `__webpack_require__` is undefined. (no adblock or
| scriptblock)
| skybrian wrote:
| If you use the same ID with multiple websites then it can easily
| be used to connect them, for better or worse.
|
| Meanwhile, even if you somehow had secure, irrevocable ownership
| of some kind of identifying name or number, websites could still
| cancel your account with them for any reason and keep you from
| logging in with that ID. They can use the ID to more easily share
| reputation information, similar to credit scores. Your ID could
| be put on a list, similar to what happens with ad blockers and
| lists of spammers.
|
| By itself, ownership of a name or number doesn't get you much. If
| you use Google to log in to a website, what it's really providing
| is a minimal kind of reputation, sort of like how a captcha
| vouches that you're probably not a bot. For an ID to be useful,
| there needs to be reputation attached, and that isn't something
| you can do yourself; other people or entities need to vouch for
| you. It's also not permanent. Good reputations can go bad if
| people decide they don't like you anymore.
|
| Instead of centralizing using a single ID, there's a lot to be
| said for having multiple identities (alts) for when you
| don't need reputation and you don't want what you're doing to
| affect unrelated activities.
| JohnFen wrote:
| > If you use the same ID with multiple websites then it can
| easily be used to connect them, for better or worse.
|
| This. While I avoid creating accounts as much as I can, when I
| do, I do not use the same "identity" for each of them. The
| ability to have multiple independent identities is, in my
| opinion, essential.
|
| What I don't want about any kind of identity system is that I
| can only have one.
| DerekBickerton wrote:
| > What I don't want about any kind of identity system is that
| I can only have one
|
| The globalist types[0] are looking to implement such a
| system. From what I have gathered, they want a social credit
| score. Unvaccinated? Good luck getting a loan. Posted
| something 'wrong' on an online message-board? You can't
| travel. And the list goes on...
|
| [0] https://id2020.org/
| gnramires wrote:
| That's a good point. I think maybe in that case you should just
| not use their service (if they require you to give your
| identity for a web service?). I have used a few services like
| online banking that require me to upload documents that
| effectively serve as uniquely identifying me individually. This
| situation doesn't seem to change with a digital id of sorts. I
| definitely would avoid using a digital id unless absolutely
| necessary, such as when dealing with banks, or the government
| itself. In this sense I think digital id is fine (and at least
| in my country already exists in some ways without any of those
| issues).
|
| I think at the core digital id is just having a form of asking
| your government "Can you verify this is me to someone else?"
| (which is already something you do with id photos, passports,
| etc.). I wouldn't want to use it everywhere.
|
| I think consumer protection laws that restrict denying digital
| service to a customer (without something like a criminal or
| legal basis) or indiscriminately requiring digital ids could be
| useful in reaping the benefits without the downsides.
| imnotlost wrote:
| They're already doing it in Estonia [1].
|
| Is it impossible to do in the US? Why? Zero trust in government
| (at all levels)?
|
| [1] https://e-estonia.com/solutions/e-identity/id-card/
| ok_dad wrote:
| The USA is approx. 250x larger than Estonia, so there's that.
| Also, there are vested interests that would fight a USA federal
| ID, due to politics, etc.
| ryandrake wrote:
| The population of Maine is about the size of Estonia. Why
| can't an individual state try to implement it? Surely that
| small scale is not a show-stopper.
| krapp wrote:
| OK... so at best you wind up with 50 independent state ID
| systems (although probably fewer, some states ), none of
| which have any value outside their respective states, and
| no political will to integrate them into a single Federal
| system, out of unreasonable fears the US government will
| hunt down gun owners and put Christians into re-education
| fears, and more reasonable fears they might do those things
| to anyone else. Then what?
| fwlr wrote:
| Falsehoods programmers believe about digital identity: it exists.
|
| Attempts at creating digital identity will invariably be gored by
| one of the two horns of the bull: either it is _recoverable_ like
| a password-protected account and therefore anyone who can pass
| the recovery check can steal that identity, or it is _non-
| recoverable_ like a crypto wallet address and therefore it can be
| lost due to carelessness.
|
| Our philosophical concept of an identity is not stealable (you
| cannot actually become someone else, you can only pretend to be
| them in some way, and they don't stop being themselves when you
| do) nor is it losable (you can't stop being yourself).
|
| Note that "recoverable" and "non-recoverable" are mutually
| exhaustive. There really is no third way here.
|
| You might think you can asymptotically approximate a digital
| identity by making it exponentially hard for anyone except you to
| pass the recovery check; if you do, you're also making it harder
| for _you_ to pass the recovery check - you're just offloading
| into the "non-recoverable" failure state (loss).
|
| Likewise, you might think you can asymptotically approximate a
| digital identity by making it extremely easy to keep the access
| code so it won't get lost; if you do, you're also making it
| easier for anyone else to steal the access code - you're
| just off-loading into the "recoverable" failure state (theft).
|
| It fundamentally cannot be done. Instead, everything must be
| built to work without a Single Source of Identity Truth.
| zokier wrote:
| > either it is recoverable like a password-protected account
| and therefore anyone who can pass the recovery check can steal
| that identity,
|
| That is equally true for physical identity documents like
| passports and various id cards, and yet it isn't nullifying
| completely the utility of such documents.
| pessimizer wrote:
| What you quoted was not a conclusion, it was the statement of
| a problem. Two options for solving the problem were presented
| very soon afterwards, and there was a claim that both present
| contradictions which create difficulties. It was very clear.
|
| > yet it isn't nullifying completely the utility of such
| documents.
|
| I don't think that anyone is claiming the absolute
| uselessness of any means of identifying anyone for any
| purpose, so "complete nullification" shouldn't be the
| standard. The standard should at least be "more benefit than
| cost."
___________________________________________________________________
(page generated 2023-03-10 23:01 UTC)