Comment by imiric
7 months ago
On the one hand, yes, this might work, but I'm concerned that it will inevitably require loss of anonymity and be abused by companies for user tracking. I suppose any type of user identification or fingerprinting is at the expense of user privacy, but I hope we can come up with solutions that don't have these drawbacks.
The benefit of majorly reducing fraud can create an ecosystem where the trade off is worth it for users to take. For example generous free plans or trials can exist without companies needing to invest so much in antifraud for them.
> I'm concerned that it will inevitably require loss of anonymity and be abused by companies for user tracking.
Are you sure you read my comment fully?
> trusted authorities (e.g. governments)
the governments powerful enough to roll something like this out are not trusted authorities which will protect the privacy of their citizens. remember before the Snowden revelations when the NSA's director of national intelligence swore under oath that they did not collect "any type of data at all on millions of Americans"?
https://en.wikipedia.org/wiki/James_Clapper#Testimony_to_Con...
> the governments powerful enough to roll something like this out are not trusted authorities which will protect the privacy of their citizens.
The trust I mentioned was the ability for third-parties to trust that the authority will not hand out IDs in an uncontrolled manner. I was not saying that the ID holders need to trust the authority:
> Users can identify themselves to third-parties without disclosing their real-world identity to the third-party and without disclosing their interaction with the third-party to the issuing body.
If the authority doesn’t know how your ID is used, you don’t have to trust the authority to keep that information private.
Ultimately trust must be placed in an entity of some type. A democratically elected body isn't perfect but I can't think of a better option. If the electorate don't care about digital privacy or elected lawmakers do not protect their rights, then that needs to be addressed first. Governments have a monopoly on violence. If a citizen can't trust their government to enact (or enact but then not follow) laws that protect human rights, they frankly have much bigger problems to solve.
1 reply →
I did. It doesn't matter that the website might not be able to directly associate a real-world identity with a digital one. It takes a small number of signals to uniquely fingerprint a user, so it's only a matter of associating the fingerprint with the ID, whether that's a real-world or digital one. It can still be used for tracking. By having a static ID that can only be issued by governments or approved agencies we'd only be making things easier for companies to track users.
> It can still be used for tracking.
This doesn’t make sense. The whole point of using IDs in this way is in an authenticated context.
Did you think I was suggesting that this ID would be accessible to any website without asking? This is something you would send as part of a registration step. So, for instance, if you spam Hacker News, you get banned, you try to register again, it receives the same ID as before and knows not to let you register.
2 replies →
This sounds like a red herring to me.
If the only way to associate a user with their ID is by fingerprinting them, you can do the same thing without an ID with having shadow profiles. If the proof system is designed for privacy, the ID doesn't make you more trackable.
In other words, if the ID never directly leaks companies can just make up a static ID for you and get the same results.
2 replies →