Comment by toomuchtodo
1 year ago
Ahh, cool, pour the corpus through GPTs and start tweeting Congressional rep personal info at them until they pass a law to outlaw data brokers (in keeping with historical precedent [1] [2]).
[1] https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
[2] https://jolt.law.harvard.edu/digest/dodging-the-thought-poli...
For argument sake, instead of outlawing data brokers wouldn’t it be better to design a better ID system that renders one’s name, dob, and SSN as harmless information?
I don’t know what that would look like but if I had congresses attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.
In many countries in Europe, your ID card contains a chip with a cryptographic key, much like chip&pin on a debit or credit card.
Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.
If the card is lost or stolen they can just remove your old one from the keyserver. It's literally just public key crypto.
Identity theft is rampant in the countries that don't have such a system and basically require you give them increasing amounts of private information to prove who you are. In the UK that's every address you've lived in for 5 years, your council tax bill, your energy bill, your bank statement for a month... all because British people think an ID card means you'll get stopped on the street to show your papers.
No, fraud is rampant in the countries that don't have such a system. Calling it identity theft makes it sound like the onus on preventing the practice is on "whoever's identify was stolen", instead of correcting pinning the onus on the bodies issuing accounts and loans without verifying information or identity.
The US has three dumb points pushing back on this.
The first is religious nuts who think it would be a "mark of the beast"
The second is anti-government types who are, well, anti-government anything.
The third is many business owners, because it would become much harder/risky to hire illegal immigrants to work.
28 replies →
> all because British people think an ID card means you'll get stopped on the street to show your papers.
That's probably because all of the anti-immigration and anti-foreigner people who are asking the government to stop people and ask them for their papers... this is not unique the the UK, Canada, or the United States either, and some of the countries plan to do more than just deport people.
Strong identity is increasingly a meaningful technical requirement, but glossing over the human impact of strong identity controls by the government is not going to have good outcomes either.
19 replies →
> Those bits of information are worthless when you need to create a cryptographic signature with your ID card to do almost anything important.
That depends on the type of attack you're protecting against. It might prevent an attacker from filing your taxes for you, but many companies are still going to use this kind of information as primary key. But it's not going to stop an attacker from pretending to be a bank employee, calling a genuine bank employee via a secret internal-only number, and claiming they've got Mr. Doe in their branch trying to do a critical transaction but their phone broke so they can't use the bank app. Yeah, the Mr. Doe living at 987 Main Street, that one. See, you even verified their ID, and it has a SSN of 123456 printed on it - just compare that to our customer database to make sure it's legit!
It also opens up a whole new type of attack. The problem with those smart cards is that there isn't really a way for the user to know what operation is actually happening. You're using a regular PC or smartphone to interface between the smart card and whatever entity you're trying to communicate with. But that could just as well be a phishing website pretending to be that entity, or malware doing a MitM. Or even just a random website pretending to need a signature for "age verification" when it's actually applying for a loan behind the scenes.
There's no "Do you really want to sign over your house to XYZ?" message on the card itself. And suddenly the government/bank/whatever is getting a request with a cryptographic signature which can obviously only be made by you - why would they have to double-check it if it cannot possible be fraudulent?
I agree that we should be moving to more secure systems, but those ID smart cards aren't a one-size-fits-all solution.
10 replies →
The US has infrastructure, but it's only issued to military and federal employees.
https://en.m.wikipedia.org/wiki/Common_Access_Card https://en.m.wikipedia.org/wiki/FIPS_201
How is key revocation authenticated?
Funny you should say that. Australia is trying to launch TEx -designed on open-source models to do this kind of thing. It's hitting the usual roadblocks of public acceptance of government mandated ID, in an economy which trashed the "australia card" idea back in the 80s. We're wiser now, we've been frogs boiled slowly: the downsides of central safe ID/auth are outweighed by the risks of loss of info giving everyone 100 points information.
The government now knows what we do most of the time anyway: layer-2 logs on our phones are constant. We lost any privacy some time ago. So now, getting security back might be a net win.
https://www.abc.net.au/news/2024-08-13/trust-exchange-digita...
Except it's being implemented by the people who brought you robodebt.
So i imagine the "Number of people driven to suicide" KPI is going to be pretty high. They're not going to want to ship something that performs worse.
2 replies →
> layer-2 logs on our phones are constant.
Huh?
2 replies →
We should be doing both, for different reasons. Ban data brokers because they allow anyone with a credit card to stalk people, more or less legally. Fix the SSN identity system because even if you ban data broker businesses, dark web brokers don't abide by the laws anyways.
I’d replace “instead of” with “in addition to”.
Going after data brokers seems like low hanging fruit, and necessary even if the ID system needs to be replaced. This is a top level issue that need to be addressed regardless.
While I think it’d be great to design a system where the information you mention is harmless (I’m curious how this would work without just shifting the problem to whatever new identifier is established), the reality is that this information is not harmless, and will continue to be dangerous to leak for the foreseeable future due to the myriad of systems that use this data in its current form. Any theoretical project to replace this would likely be a long and drawn out undertaking. Addressing the information environment in the meantime seems like a good idea.
> I’d like them to fix the problem rather than playing whack-a-mole with banning data sources
We should fix the problem and ban the data-sources. Whack-a-mole makes it sound like we're talking about a ban on one company, but what clearly needs to be done is a categorical ban on super sketchy business practices, and that seems simple enough. Data-brokers, if they are going to exist at all, need to accept the burden of proof to establish that every single row involves consent, and they need to acquire new consent for every single resale of the information. If that makes the whole industry unprofitable, too fucking bad. And if this looks bad for business, it gets even worse: good luck getting consent for reselling what is mine without offering me a cut.
Since the above kind of common sense looks crazy these days, let's throw in something even more radical. For anyone looking to fund UBI, ^ here's a start. The trouble with the often-mentioned idea of "tax the data" as a solution for privacy concerns is that these taxes are just redistributing wealth from corporations to governments, while all of profit is made with our information. Who wants the monetized details of their personal life to pay for the next unjust war, or even the roads in some place they don't live. If we are so valuable, put some of that money back in our hands, and if the price doesn't sound fair to us, then let us opt out of the sale.
The uneven availability of information means that no, it's not better to just design a better ID system. Data brokers give corporations far more advantages than a normal person could ever protect themselves against, because even if the data broke doesn't have your government issued credentials they can still easily designate who you are buy collating all the data from other means such as purchasing habits, cellular, and service guest lists.
It's politically a non-starter in the US. US states have a lot of power that is derived from their ability to maintain their own ID systems. The states have fought for almost 20 years on requirements as simple as REAL ID.
Plenty of countries have smart cards with chips and RSA keys that can be used to verify ID with much higher level of certainty, but then they usually don't use it.
Even just name, DOD and last 4 of the SS number and you are done.
It's ridiculous.
https://news.ycombinator.com/item?id=40961834
TLDR Login.gov, and publishing a circular to allow businesses to use it to identity proof. Push all liability onto the business for losses if this method is not used to identity proof. ID card as ljm mentions, such as a passport card. Very similar to credit card EMV chips and the liability shift from magstripe.
> I don’t know what that would look like but if I had congresses attention I’d like them to fix the problem rather than playing whack-a-mole with banning data sources. I don’t think any actual solutions come from that.
Aggregating data means it can be lost. You must therefore make aggregating and storing data toxic, and impossible to be leaked through eventual mismanagement.
We detached this subthread from https://news.ycombinator.com/item?id=41249125.
I thought it was a legitimate proposal to the problem at hand, but respect and understand the decision. My apologies for taking the conversation potentially off topic.
https://paulgraham.com/founders.html
> Though the most successful founders are usually good people, they tend to have a piratical gleam in their eye. They're not Goody Two-Shoes type good. Morally, they care about getting the big questions right, but not about observing proprieties. That's why I'd use the word naughty rather than evil. They delight in breaking rules, but not rules that matter. This quality may be redundant though; it may be implied by imagination.
While scoped to founders, I think it broadly applies to a subset of curious people who are wired to solve problems, imho.
Err, why do you need a GPT for this stunt? For a quarter of the price of a 2010s mid-range HP laptop, I have a Python script for you.