Hacker News new | past | comments | ask | show | jobs | submit login
Senators push to ditch social security numbers in light of Equifax hack (techcrunch.com)
1126 points by Varcht on Nov 8, 2017 | hide | past | web | favorite | 464 comments

The main problem trying to be fixed here is "identity theft". What that crime is, I think, is not clearly understood. This is when a criminal defrauds a bank or other company by getting credit using your identifying information and then defaults. The bank then misinforms the credit bureaus that you defaulted on your loan and this lie by the bank hurts you when you want to get any type of loan. This crime would be better called "bank slander" and the banks that do it should be fined heavily with some money going to the person slandered.

Banks should have to know who they are loaning money to and if they make a mistake, that needs to be solely their problem. Then banks will figure out ways to confirm your identity better and people won't get into the hell that is trying to get the "bank slander" removed from their credit report.

You said it in your comment and I've seen it in other posts here on HN. It shouldn't be called identity theft. It should be called fraud. That's what it is.

The idea of an identity, especially a permanent one that travels with you throughout your life, is a relative recent one. 200 years ago, you could escape your past sins, so long as you didn't have an identifiable face and could speak the language at your destination. (If you couldn't you ran the very real risk of becoming a slave, which is caused by removing a person from their context; e.g. family, language and community).

There is a deeper question of "What is an identity?" and we also have to realize that the digital identities have never existed throughout history. Not in the way they do today. It's hard for us to imagine a world before passports, before real borders and before permanent numbers and documents that follow citizens throughout their lives.

And the principal reason we have digital identities today? Debt. It is solely to trace debt. It has nothing to do with proving you went to x university or worked at y job. There are other ways to track that, which are terribly inaccurate when you really start to look at them. The principal reason for your SSN, your digital identity, is to track credit and debt. I highly recommend the book _Debt: The First 5,000 Years_. It really goes into depth on this concept.

But remember that 200 years ago you couldn’t travel, were most certainly dirt poor, and worked to eat.

And you did have identity records. If you were rich enough to have checks, you’d appear in a city directory and banks would rate your creditworthiness. If you travelled, you’d have to have silver or gold in hand, as your Boston banknote was worthless in Virginia.

200 years ago was 1817... I think you both need to go a little further back.

My family was in Ireland. 1817 wasn’t much different than 1617.

Heck no, Ireland was going gangbusters in the later part of those 200 years! [0] It's what came shortly after -- around 1845 -- that erased all the progress.

> No matter what degree of culpability should be assigned to Britain, the consequences of the famine to Ireland are indisputable: it broke the nation in half. At a million or more fatalities, it was one of the deadliest famines in history, in terms of percentage of population lost. A similar famine in the United States today would kill almost forty million people. Only the famine of 1918-22 in the Soviet Union may have been worse.

> Within a decade of the blight another two million fled Ireland. Many more followed in subsequent decades, inexorably driving its population down. The nation never regained its footing. As late as the 1960s its population was half what it had been in 1840.

> Today Ireland has the melancholy distinction of being the only nation in Europe, and perhaps the world, to have fewer people within the same boundaries than it did more than 150 years ago.

-- Transcribed from the book "1493" by Charles C. Mann.

[0] https://commons.wikimedia.org/wiki/File:IrelandEuropePopulat...

> At a million or more fatalities, it was one of the deadliest famines in history, in terms of percentage of population lost

That accounts to 20-25% of the population, including emigration [0]

I found out the Great Famine of Mount Lebanon under Ottoman rule during 1915-1918 was much worse : 50% of the population (of 400 000) died. [1]

[0] https://en.wikipedia.org/wiki/Great_Famine_(Ireland) [1] https://en.wikipedia.org/wiki/Great_Famine_of_Mount_Lebanon

The Turkish government instigated the Great Famine of Mount Lebanon during the time they were also committing the Armenian Genocide.

When few noticed, Adolf Hitler seems to have taken it heart[0]:

> "Our strength consists in our speed and in our brutality. Genghis Khan led millions of women and children to slaughter -- with premeditation and a happy heart. History sees in him solely the founder of a state. It's a matter of indifference to me what a weak western European civilization will say about me."

> "Who, after all, speaks today of the annihilation of the Armenians?"

[0] http://www.armenian-genocide.org/hitler.html

Wow, thats seriously disgusting to read.

I've been quite aware of the history but to read how he takes inspiration of cruelty makes it even more disgusting.

(Oh, and yes I'm fully aware a number of others like the French terror reign, Pol Pot, Rwanda, China, former Yugoslavia, Japan/China, India/minorities, a number of colonies of Western countries, natives of south and north America but for some reason the Armenians seems to go unnoticed. Thanks for reminding.)

There are historical famines with as much as 90% fatalities among local populations. Losses of 20-50% are relatively common.


That's a fascinating fact as an Irish descendant in America of emigrants who left because of the famine, but I have to wonder if it's cherry picked. Is the same true of any number smaller than 100?

If I don't get an answer, I'll try to find some demographics numbers and figure it out tomorrow.

Are you arguing that individual SSNs are the primary driving force of the economic development of the last 200 years?


I would say that post-war, consumer credit drove American economic success, and that the SSN became a key part of that system. Had it not existed, something else would have served that function.

Yep, we would likely have the equivalent of a DUNS number instead, controlled by some private company spamming you on a regular basis.

Oh god, this should be criminal. Once Dun & Bradstreet have your business information -- because you can't do any contracting without one! -- you start to get really really scummy calls trying to trip you up and get you to sign up for their business "services". They will call you and it will sound exactly like some government agency doing some routine government communication and verification of your information -- not asking you to volunteer any of it, because remember, they have all your information already because it's a legal requirement to have a DUNS number, which only they can issue -- and if you're distracted at all or just not on your game, suddenly you'll be signed up for all this expensive shit which is as sticky as any other scumbag subscription "service" out there. They are scummy dirtbags. What a nightmare!

If only we had laws prohibiting racketeering and officials sworn to enforce them.

"racketeering" is a terribly vague term, and if that is what your laws are supposed to prevent then you must expect official discretion. Which means you must expect politically connected incumbents to not be much touched by it.

The point of parent is that there are two crimes (or at least a crime and a tort) here: - by the scammer against the bank, i.e. fraud - by the bank against the legitimate identity owner, i.e. what the parent calls "bank slander"

And related to your prior point about slavery, the function of personal bankruptcy is to prevent debt slavery: https://en.m.wikipedia.org/wiki/History_of_bankruptcy_law

Which makes the changes to the rules surrounding personal bankruptcy in 2005 even more ominous, especially when it comes to big ticket items such as student loans.


The primary changes were to do with credit card debt. If you make >40k then you are not able to do Chapter 11. Instead, you need to do Chapter 7.

No no no no, none of this is correct. Income limits are based on your state's median income for your family size. Chapter 11 is always available; it doesn't make sense for most individuals because of quarterly UST fees. Chapter 7, and Chapter 13 plans based on actual expenses were means tested. Private student loans were made non dischargable. Times between serial filings yielding a discharge were increased by 25%. Pre and post filing counseling/edu were mandated.

Google BAPCPA for more because the bill Bush signed sucks. EDIT: Nevermind, the wiki link in the post before yours is great.

Thief: Hi, I'd like to withdraw $100 from Joe's account.

Bank: Here is $100 from your account, Joe.

Joe: Hi bank, where's my $100?

Bank: Already gave it to you.

Joe: Wasn't me.

Bank: Well, Joe, you screwed up big time. You let someone steal your identity. Sucks to be (the real) you!

On the other side though, if Joe is protected againstany fraud (as he is with credit cards) what's to prevent Joe from GIVING his identifying info to someone and then claiming identity theft? Or just buying stuff and claiming identity theft?

I would think that each new account or transcation should generate a notification to Joe and he should be able to reverse them within a certain amount of time.

Joe could make it so that his device ignores notifications about transactions made by his own device, and only hear about other ones.

> what's to prevent Joe from GIVING his identifying info to someone and then claiming identity theft? Or just buying stuff and claiming identity theft?

That would be the same crime as someone using Joe's stolen credit card info - fraud.

Then the bank has incentive to shift responsibility back to you, e.g. by requiring withdrawal request to be signed with your private encryption key. And you have an incentive to care about security of this key.

Well, until the bank offers such a feature on my account then it should be on them.

There's no shared secret between just the bank and you.

Therefore the bank can't establish that it was you, who leaked the secret. (Because it's easy to leak SSN, it could have been any random company you did business with. Or the SocSecAdmin.)

And even if your shared secret was used to withdraw, there's still a chance of the bank leaking it.

So usually the shared secret's hash is stored.

This works pretty well.

Around here banks ask you to give your PIN for identification, or you have to present your ID, and they compare it with what they have on file. (So trust on first use is still important.) Sure, it's probably not hard to fake these plastic cards, but that's a rather serious crime, and then the bank can pull the security cam footage, etc...

Of course, requiring confirmation on an SMS even when you do in person banking might make sense.

And that's why the rest of the world's governments issue their own national IDs to their citizens. Heck, I have two!

I have one given to me at birth, which is a sequence of 13 numbers that gets calculated with a formula and has a control number at the end (kind of like credit card). This one is random enough for nobody be able to guess anyone else's (for example, how many babies were born before you on your birth day in that region is a relevant factor in the formula) and is used with government entities and government entities only (it is illegal for the businesses to require from you to provide that number to them to give you a service).

And I have the second one, which is the national ID number. This one was given to me when I was 18, and it serves as a proof of identity with the businesses.

And there you have it. Two distinct numbers. One for your government, and the second one for you dealing with businesses. Someone can't fake anything important (as in, government-related) with your ID, and businesses have a second number that is usually proven on the spot with the photo of you in your national ID.

Problem is solved.

No no no no no no no!

Absolutely not. I mean, I don't know which jurisdiction we are talking about, but I don't know of any that bases identity on a number.

The numbers don't serve as proof. They are just a number to help refer to you in databases.

The proof of identity is provided by the plastic cards and other items/papers. (Such as a birth certificate. And usually if you lose that to get a new copy you need some ID, and if you lose your ID cards, then a written statement from the police that you lost your ID card.)

Sounds like you live in a country with a compulsory national ID card.

Not all countries have or want that.

Naive question, why wouldn't someone want a national ID card? From my understanding and time in sweden (granted only 5 months) they seem like a much better system than SSN

In the US, ID card policies were and still are often used to disenfranchise minorities from voting. The policies behind them are often inconsistently applied and sometimes require large bureaucratic efforts to rectify. Obtaining a copy of your birth certificate in the US often means going back to your home county and visiting some municipal office for hours on end. If you work a 9-5, there's no way in hell that's happening.

Voter suppression in the United States has had a long, sordid history. Blacks were given the right to vote after the civil war, prompting southern states to implement literacy tests, poll taxes, basically any legitimate-seeming test to de-facto turn away black people at the polls. This got so bad that we literally wrote an Amendment (24th) to state "yeah you can't do this either".

What's fucked up is that this sort of thing STILL happens. This past Tuesday, a number of voters in Virginia received calls telling them to go to a different polling station from the one they were assigned. See https://theintercept.com/2017/11/07/virginia-voters-get-myst...

Stuff You Should Know did a really good episode on voter suppression in the US that I'd recommend.

Historically, registries of citizen identities have been used for horrendous exploitation of the public. They have been used to ease profiling, targetting, discrimination, and elimination of anyone who is politically problematic. Personally, I resist most sort of formalization or systemization of human life or identity. Any person who says "our policy doesn't mention your situation" or "the software doesn't allow that value/have a field for that" and considers this to be a problem of the person with a life that doesn't fit the mold the designers of the system fantasized about really ought to be punched in the mouth, and creation of an easily-indexed national ID is an important step in such systems.

Why do they want a NUMBER? Because names are too... human. They're messy, and they can change, and they don't fit standard forms. It's an impulse to purge the humanity from social identity that motivates establishment of national ID numbers.

How do you propose keeping track of people without assigning an ID number? Require everyone have a unique name?

In the US at least, in theory the proposal for a long time was just to not keep track of people in the first place. The federal government collected taxes on things like property and tariffs that were hard to avoid, they performed a census once a decade to get a rough idea of how many people there were, and anything beyond that was none of their business.

Then we got income taxes and federally guaranteed pensions (Social Security) and medical assistance (Medicare/Medicaid) and a few other, smaller safety net programs. Furthermore, while there's plenty of fighting around the margins, the overwhelming majority of Americans are broadly in favor of keeping at least some of the Great Society programs, and that means we have to have a national registry of some sort.

It turns out that when the population is broadly distrustful of the idea of a national registry but broadly in support of a tax regime and social programs that require a national registry to function the stable equilibrium is a really really shitty national registry that everyone hates but nobody feels they can improve without getting shouted out of office. American politics is dumb.

That is the whole point. Some cultures have residual beliefs about limited government and privacy. Some sub-cultures and families in those cultures have maintained a strong believe that no one should be "keeping track" of them.

Very well said!

Based on your phrasing it sounds like you think owning a national ID card is commonplace in Sweden. The national ID card system isn't widely used at all, most people use either their drivers license or passport when they need to identify themselves.

The only thing everyone has is a person number, and the difference is that it is explicitly considered public information and you can get anyone's person number by just asking the Tax Agency. It's just a convenient way to keep track of people, not a way to actually identify yourself.

Scalability. Transactions are usually pretty small compared to annual incomes so the people doing this are doing it a lot, and you will be under some scrutiny after the 75th fraud on your account this year.

This is only an issue because of tracked non-anonymous accounts. The key for money laundering in high profit / service retail businesses is using dirty anonymous cash. Often the customers literally do not exist, imaginary entries are made at the register and cash is stuffed in.

The last suggestion is easily worked around, merely trade device IDs along with account IDs. In fact the easiest way to steal money would be simply to clone your device outright complete with saved passwords etc. Joe certainly doesn't control his own device, not the firmware, OS, or apps, not to mention MITM attacks.

Bank: Here is $100 from your account, Joe.


Joe: Hi bank, where's my $100?


Bank: Here is $100 from thin air, Joe.


Joe: Hi bank, why is there an IOU for $100?

Exactly, "identify theft" is usually just weasel-wording for "someone broke our lazy authentication system".

Followed by "and we compounded our failure by falsely telling lots of other institutions that it was your fault."


There won't be any improvement until the legal system creates a stronger incentive for institutions to be more secure.

The term itself is almost ambiguous.

Popular interpretation: "Theft of an identity"

Better interpretation: "Theft, by forging an identity"


It's easy to understand why the victim of this type of fraud (the banks) would like to shift the damages onto an unrelated third party (the person whom the original perpetrator is purporting to be); it makes life much easier for them.

What's not clear is why anyone else would would go along with it. If someone breaks into my home and steals my microwave, I cannot then break into my neighbor's home, steal their microwave, and then claim that my neighbor was the true victim of the burglar. I am the victim of theft, and now that I've stolen my neighbor's microwave, he is also the victim of theft. It doesn't cancel out!

I think it's important to be clear about what's going on here, who the victims are, and who they are being victimized by.

> What's not clear is why anyone else would would go along with it.

Anyone else (i.e. us plebs) don't need to go along with it. The banking industry has enough $$$ to pass laws favorable to them with or without our blessing.

This reminds me of the recurring Onion title:

‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens.

I don't understand why the US has identity theft. Is it because there's no national ID? Here in Europe we don't have any "secret" number that someone can just use to open a bank account in your name.

In Europe fraudsters end up using passport copies and numbers, and the only perhaps good thing is the crime becomes localised, but if you travel into that area you might be in for a shock as I was. And then try to explain it wasn't you in a foreign language. I think the single US system has a chance of being sane to correct if you are a victim.

I have lost the battle to clear my name. Different states in Germany for example have different police systems and argh..

Don't you guys routinely use ACH transfers to buy things, give out your bank info, and just hope everything goes well?

SEPA Direct Debit, yes, is used like that.

But abuse is very low, as it requires that whoever does it identifies themselves first at another bank, and opens a merchant account (which has other verifications). And then reversing it is easy, too.

And you can't even shop with stolen IBANs at Amazon, because every major retailer will first send you a 1ct transaction with transaction info set to a OTP you use to verify that you own the account.

Wouldn't the equivalent of ACH transfer be SEPA Credit Transfer (SCT)?

I'd add that SEPA being mandatory for all participating countries has simplified transfers a great deal. Now most banks remember creditors, just like a phone book but for money, so sending money from your phone is pretty neat.

Additionally, the SEPA effort created ISO 20022, which is gaining ground worldwide as a one-stop-shop format for financial transfers. See this article from the US Federal Reserve a couple of weeks ago: https://fedpaymentsimprovement.org/news/press-releases/feder...

Well, depends on if you consider push or pull.

SCT is entirely push, and requires signing the transaction with your card, or using at least 2FA for verification. This doesn’t happen by accident.

SDD is entirely pull, and is the only one that could theoretically be abused, but that’s as mentioned also not that easy.

And the merchant needs to have a valid direct debit mandate that he has submit to his bank which in turn transmit it to your bank for it to check. After your bank has confirmed the mandate the transfer can be initiated.

SDD can be reversed without giving any reason for a whooping 8 weeks by the customer sometimes simply by clicking "reverse" and entering a TAN.

B2B is a different beast though.

In the US, everything needed to initiate an ACH is printed on a Check... and people feel very safe writing checks to one another and to companies. You never really know who sees your checks, where they are stored long-term, etc. Also, it's trivial to find a website that will sell you a box of checks, they do no verification to your identity/ownership of the accounts, they basically just print what you tell them to. Nothing is secure about banking, it really does need a modern reboot where we just sever ties to the legacy features

legally you can write a check on anything: post-it note, napkin, etc.

As a technicality, yes, but your bank almost certainly has a rule about what it will accept. And there's nothing illegal about that rule.

Isn't it literally a money transfer contract?

I’m pretty sure that ACH is only a USA thing.

Yes it is. I actually didn't know what it was before looking it up.

The grandparent comment is using ACH but he means the EU equivalent (whatever it's called, I'm not sure). Paying for things in EU with a direct bank transfer is very common. Almost every online shop takes it, every bill you might need to pay, even when just sending money to a friend - direct bank transfer is common.

For me with my German bank account, sending money this way always requires a one time use code. The code is not digital, the bank sends you a list of 100+ codes printed on a piece of paper. So, I'm not really worried at all because there is no possible way for a scammer to get my codes.

UK: Bank account numbers are public-ish and it's normal to give them to your friends so they can send you money (it's not normal to buy from an actual shop that way). Jeremy Clarkson made a point of giving his out on national TV. The one way to get money out of someone from those numbers is a direct debit, but as sibling comments have said the other end of those can only be a merchant account and the individual is easily able to reverse them.

For me with my German bank account, sending money this way always requires a one time use code. The code is not digital, the bank sends you a list of 100+ codes printed on a piece of paper. So, I'm not really worried at all because there is no possible way for a scammer to get my codes.

Hummmm no?

Germany might have such a system thought.

We still have identity theft in Europe, though the procedure to accomplish it effectively is usually more involved.

Are there statistics for how common it is in various places, and what amounts are typically being stolen?

Hmm, really? I've never heard of any cases, what does it look like?

See for example this story about Jeremy Clarkson.


He published his bank account details (and how to find his address) and dared people to withdraw funds from it. Which people did.

The Direct Debit is 100% reversible. Clarkson didn't reverse it because the people who did it chose a charity and he can afford the money. If you found the money was somehow going to an actual crook you'd reverse it.

A utility company Direct Debited money from me when they screwed up and billed me for someone else's supply. I called my bank, said I wanted the Direct Debit cancelled and the money returned, they did it and the money was back in my account the same day.

The utility company sent me all manner of outraged paperwork, including threatening to set lawyers on me, but they couldn't magically take my money, and sure enough once they understood their mistake I got an apology and they wrote off all my actual bills for the past 12 months.

It changed last year in my country, we no longer have direct debit, it is now called e-invoice. You sign up for it and start getting invoices in your bank account then it is just one click to pay or you can enable auto-pay, so its essentially direct debit which you can enable/disable at any time.

But when I did have direct debit it always included the maximum pay amount which I usually set 2x the amount of average bill so if utility company makes a mistake payment will not go through.

To be fair, people didn't withdraw funds, someone was able to set up a recurring transfer (direct debit) from his account to a charity. Which makes it useless for theft, since the thief would leave definite proof of their identity (receiving account number).

The best part, I think, is Clarkson's response:

Clarkson now says of the case: "Contrary to what I said at the time, we must go after the idiots who lost the [personal information] and stick cocktail sticks in their eyes until they beg for mercy."

Bank fraud frequently requires the crook to supply an account number to transfer the funds to. This is not a problem if the only activity on the account is:

1. Opened with a fake identity

2. Stolen funds received

3. Stolen funds transferred to a bank with (intentionally) poor record keeping, potentially bouncing around a few more times.

Wire transfers seem to be a big hole at the moment.

That's in the UK, which has a common law system like the US.

Someone opens an account in your name, order 2fa credentials (to your real address), pick ups the letter and manages to convince the people at the counter that he is you, and voila, full access to all accounts. It was a pretty common one a few years ago. Nowadays I think they require you to go to a bank office to pick it out.

You get phished, someone sells your info, the buyer empties your bank account over the phone.

This and variations are very common in Europe.

Your posts in this thread would be more helpful with some source. Is it personal experience? Are you an European LEO?

Personal experience. I used to frequent several private forums related to this sort of activity and had many friends who did this for a living. I am fascinated by the inner workings of these things, so naturally I asked lots of questions.

There used to be some public discussions on the alphabay forums, which was filled with small time bank fraudsters from both the US and the EU. The EU ones actually seemed much more prevalent.

I couldn't find many interesting scrapes quickly, but this one might be worth a look: https://evidencebasedsecurity.org/forums/data/dk/darkode_scr...

I'm sure there's an AB forum scrape floating around somewhere too... But not here https://www.gwern.net/DNM-archives

> I'm sure there's an AB forum scrape floating around somewhere too... But not here https://www.gwern.net/DNM-archives

I believe the AlphaBay forums were integrated into the main site and so would be findable in the AB dump; most DNMs kept their forums on separate .onions so had to be crawled separately.

I'm 100% sure the AB forums were separate from the main site and on a different onion address. Perhaps you're confusing with Hansa?

I'll grab the dump and check the contents anyway.

When you go to open a credit card in Europe how do you prove that you are you? What prevents me from pretending to be you?

The key limitation is that you'd have to have proper ID.

Forging or getting a fake ID is harder than counterfeiting money (maybe accessible to organized crime, but certainly not worth the cost/effort/risk just to steal a few thousand dollars); lost/stolen IDs have a registry that all the banks check; and you have to show up in person so if detected you don't get a second chance, you're leaving the building in handcuffs.

Seriously, the only problem with IDs I recall from banking was the use of IDs bought off of homeless people to register shell companies for money laundering, but those were real IDs and usually with the real owner "hired" for the initial account opening.

You have to show national ID, a proof of residence and have your tax number ready.

But the tax number isn't secret right? So that doesn't do much?

What is proof of residence? A copy of your apartment lease or something like that?

Yes, the tax number isn't secret, it's just to prove that you know it and so they can correlate your tax situation, I think. The biggest proof is the identity document, which is not trivial to forge.

Proof of residence is a copy of your lease, or a bill by a power or phone company, basically a piece of formal correspondence with your address on it, so you can sort of prove you live where you say.

The bank photocopies all this, so if you forge an ID card to include your photo, they store the photo too, and if you get caught you're in deep trouble, as forgery is a serious crime. I think that's actually what prevents most identity theft here.

In France, the institutions emitting the proofs of residence add a 2D-Doc, a flashcode printed on the document that includes the key information, signed with the institution's private key.


Translated: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

Ya, so I think the big difference between Europe and the US is that you can open a lot of accounts online in the US so there is no opportunity to examine and copy a physical ID card. I can definitely see how that would raise the difficult of pretending to be someone else.

I just opened a bank account in Germany via an app.

I had a choice between either using my eID for verification, or doing a video call and showing the ID into the camera (in a way that their systems can automatically verify the security measures).

It took 20 minutes to go from nothing to having an account, and being able to move money to ans from it.

Plus there is an option where you either go to the local post office or the postman comes and verifies your ID.

Proof of residence makes it seem like it's not automated. Is the credit card approval process not automated there?

I'm not sure, I've never wanted a credit card. Why would you want automated credit card issuance?

Well, you've never wanted a credit card.

>The biggest proof is the identity document, which is not trivial to forge.

But it's usually trivial to purchase a forgery.

No, not really. I've read that in USA it's somewhat common for people to possess fake IDs e.g. for students for age-verification purposes; but in EU forged IDs are serious business - it's really hard to make a somewhat passable forgery, it's harder than counterfeiting currency, so unless you've got contacts with organized crime (e.g. your local drug dealer doesn't have such access) you're not going to find anyone willing to make you such an ID, and if you do, it's likely a police sting operation. Getting a fake ID gives limited benefits and means jailtime even if you don't attempt to use it (fraud charges would be extra), there's not much demand among "normal people" for it (unlike e.g. drugs), so there's not a flowing market that would make such a purchase trivial.

Also, even if you could get one, it's going to cost thousands, so it's not worth it for mass scamming. Also, you'd have to show up in person and risk immediate arrest if the forgery gets detected.

> e.g. for students for age-verification purposes

What I'm hearing is our idiotic age limit on drinking makes ID forgery lucrative enough to outweigh the risks. Therefore: The drinking age in the USA is largely responsible for making identity theft easier.

I'm kidding, another major hole in this is a unique nexus of states having different ID/Driving License implementations and the fact that a vast portion of our citizens lack a passport.

Also, I'm not sure where the money is in the current system, but every time the USA tries to create a national ID all sorts of astroturfed nonsense comes out about Big Brother and COMMNUNISM!!

> it's really hard to make a somewhat passable forgery

It's not, I've held several. For EU countries.

>unless you've got contacts with organized crime

Or an internet connection!

>Getting a fake ID gives limited benefits and means jailtime even if you don't attempt to use it

My personal experience has been very different. But I guess this'll vary from country to country.

>there's not much demand among "normal people" for it

How many undocumented migrants are there in Europe again? Are those people not "normal"?

>Also, even if you could get one, it's going to cost thousands

Nonsense, hundreds.

It's not, I've held several. For EU countries.

As in an actual national ID that can be used to open bank accounts and cross borders, or some other sort of non-official ID that might be good enough to get you into bars?

Open bank accounts and cross borders kind.

I suspect that what you have seen were all forgeries of temporary non-machine-readable IDs, ie. ID-2 format laminated cardstock, instead of ID-1 (credit card size) plastic (smart) card, which are good enough to cross land borders, for getting beer at bar or for cursory inspection by police, Such IDs are usually insufficient to open bank account (and generally rejected by anyone who cares, including many parts of government) or air travel.

Edit: or given the thread context you mean forgeries of the same level as US driver licenses for under age drinking, which is quite possible, but such forgery is readily distinguishable by anyone who has actually seen real EU ID card.

>ID-1 (credit card size) plastic (smart) card


>ID-2 format laminated cardstock

Not these, I've seen a plenty of US ones like this.

I am talking about forgeries specifically sold for the purpose of opening bank accounts.

You're seriously admitting to holding various forged ID cards in several EU countries? To me that is similar to someone just casually noticing that they have made counterfeit money or stolen a wallet – seriously criminal.

And I'm also heavily doubting that an internet connection is enough to get a forged ID card. It does elude me how one would do that without some sort of special machines.

There are tons of online sellers... ID cards and passports are far easier to ship than drugs.

Even the reddit fakeid community seems to have some pretty good EU ids.

You use the Internet connection to find and do business with people who have the special machines, would be my guess.

If someone is targeting you and especially you, I assume it wouldn't be super complicated.

However, purchasing a thousand SSNs and automating signups sounds hell of a lot easier than purchasing a thousand passports and physically visiting the bank offices.

Still, requiring criminals to buy forged IDs is much more friction than not even asking for ID, as happens in the US.

If you have a way to circumvent the electronic signing solution used by most European eIDs, then nothing stops you anyway.

Nobody would ever question a broken chip. I don't think they even read them in most places, perhaps Estonia? (before the Infineon thing anyway)

Banks, police, city administration, doctors, pharmacies, insurance - those are the reasons I've pulled out my ID card in the past 10 years, and every single time it was to read the chip, with barely a passing glance given to the card itself.

I suppose you'd just use a passport instead then? Or do they actually verify those too?

If you use a passport, it'll take a lot longer to verify.

For example, banks will photocopy your passport and verify the signature on it to ensure that it's correct.

(Basically, there's an algorithm used to compute a 30 digit hash on the ID or passport, which is computed from the IDs content and a secret seed. Anyone can verify this hash easily with open algorithms and tools, but only the government can create them).

>What is proof of residence?

At least within the Netherlands, your residence is officially registered with the municipality. This is tied in with your Citizen Service Number (BSN). Without this, you cannot open a bank account.

and I bet you can't get a residence without a bank account huh.

Don't the credit card companies do a credit check or is your tax information sufficient to know your credit worthiness? If a credit check is done, do you know which identifier the credit rating agencies use?

Every country is different, but here’s the belgian system:

There is a national ID number, equivalent to SSN, which is printed on the ID, and to which the credit history is linked. It is used for distinguishing identity, but not for authentication. For authentication you need the physical ID and sometimes the pin code. The ID card carries a digital certificate which makes them hard to forge (I’ve never heard of outright forgery), and allows for online identity (like filing taxes or opening a bank account online). Obtaining a new ID requires either presenting the old one, or visiting the police to have your identity verified in other ways.

You have an ID card with a photo on it. They're normally renewed every 10 years. For credit cards you must also show income data.

Credit cards are harder to obtain. This is not clearly a bad thing.

It sounds like it's mainly that you have to sign up for one on person? And you can't really do it online? Is that most of it?

I signed up for all my bank accounts and credit cards online. But they have to check your ID, more and more through videochat nowadays, before that you'd either need to mail documents or go to a post office where the staff is able to stamp a form that says they've checked your ID.

Also in most European countries the administration knows your official address and companies can check that you live where you pretend to.

The bank may refuse to issue one if they don't like you, and they often do so. For example, if you're not a citizen of the country. Or don't have permanent residence yet. Or they don't like your accent. Or…

My first credit card application was rejected with no explanations.

Sure you can sign up for one online. But at least in Sweden you generally have to identify yourself with a cryptographic token issued by your bank.

In Europe credit cards are very rare so bank accounts are usually the target instead. In Europe it's also practical to send wire transfers online without going to a branch, unlike the US.

Getting your bank accounts emptied sucks much more than having someone open a credit card in your name.

>>In Europe credit cards are very rare

I think we most be from different parts of Europe. Where I live it is hard to avoid getting one or more credit cards

In my experience of living on both continents: European credit cards are much more like debit cards in the US and US-style credit cards are super rare.

Everyone I know in Europe with a “real”credit card just has an Amex.

Don't try to generalise banking/credit cultures across Europe, some countries may be the same as each other but there's a wide variety.

According to https://merchantmachine.co.uk/visa-mastercard-amex/ there are very few places in Europe where AmEx is #1 for credit cards (and, being from the UK, I'm actually surprised to see UK as one of those countries... I would have bet money on Visa/Mastercard having higher market share than AmEx here, even for credit cards alone).

From personal experience: what kind of cards (both debit vs credit, and what network they're on) varies massively in different EU countries.

I had a European Visa. It was very different than my US Visa.

In the US it collects points and cashback and you can magically go above the limit if you have money on your checking account. You have to do really really crazy stuff to get a transaction rejected. It gives you insurance for car rentals and concierge services for things I never considered.

In Europe I had a Visa and a MasterCard. No points, no cash back. Couldn’t go over the limit, forced to pay everything off every month. If you don’t, card is blocked.

In the US you can (often?) pay off as little as $25 on a massive CC debt and there’s a lot of interest on what you don’t pay off. I didn’t have any interest in Europe, it just stopped working if I didn’t pay it off next month.

From what I can tell, most Americans wouldn’t recognize my European Visa or MasterCard as a credit card. It behaves like a half step between debit and credit.

Are other cards in Europe closer to the American version?

Both MasterCard and Visa offer both types of cards. I've got two different Mastercards from my bank. One that is a debit card, draws money directly from my account and stops working if there is no money in the account. The other is a credit card with a line of credit, a bill at the end of each month and an option to only pay off a small part of what I owe.

That being said the debit card version is the one you get by default, and the credit card version is something you have to ask for separately.

It varies by country, and by what companies offer to different consumers. I'm not an expert in this area, but a few examples I know of:

- In the UK, Visa/Mastercard are the most common networks used for bank debit cards, using them pulls money from your bank account directly. Most banks give most adults (citation needed, but I think) a debit card by default with an account.

- In the UK, you can apply for credit cards from a number of companies, including banks (but it's a seperate to any bank account you might have with them), and credit card only companies. Different providers offer different types of cards, and the kind of deal you can get will depend on your credit history, salary, etc. They will (nearly always) have a credit limit, which could be a few hundred or could be very large. They will have a specific rule about minimum payments - some might want your balance paid in full each month, others will ask for a minimum payment (which could be a tiny percent of the amount owed) each month. If you pay in full, you don't get charged interest. If you take longer to pay, but within the agreed terms, you'll pay some sort of interest, which could be reasonable or extremely expensive depending on the card you have. Some cards offer benefits (points or cashback, maybe other perks like special deals, concierge services, etc.) while some are purely lines of credit with no other benefits.

- In France, I was given a Visa debit card when opening a standard bank account. No experience with French credit cards.

- In Belgium, if you want a card on the Visa/Mastercard networks, you need to get a credit card - most people use debit cards which use different networks (I think they use Maestro and another one..)

> No experience with French credit cards.

They basically don't exist here.

I am in France and it seems Visa Premier and Mastercard Gold with payments deferred to the end of month - with zero interest - are now considered "credit cards" (because they can be regarded as a limited form of credit, I suppose).

I have a small "CREDIT" label next to the chip of my new card and airlines (EasyJet, Ryanair...) now reject my card if I select the cheaper "Debit card" payment option.

I have bonus points on some cards and cash back on other. All include stuff like travel insurance if I pay > 50% of the trip with the card. I can not go over the limit based on how much money I have in the bank since the cards are not connected to my bank account. But my limit is not a problem since some increase it without me asking and the only time I have needed to increase it on a card I could do that online in two minutes. I select how much of the balance I want to pay back each month, if I pay all there is no interest if I pay parts the interest is high and the CC company makes money

You probably ended up with some kind of crappy "starter" not-really-a-credit card due to a lack of credit history in the relevant country. Those exist in the US too. It's odd that you call it a "European visa". Different European countries have different banking systems. In the UK at least, credit cards work the same as in the US.

You're overgeneralising. As a European I have four Visa cards in my wallet, two of which behave like your "US Visa" and two of which behave like your "European Visa".

The UK has credit cards that are used by ordinary people much the same as in the US. Cards are very common there, most people have at least one.

But it has different laws so that they're not as exploitative. The card companies accepted these laws in order to get a chance at the relatively wealthy British customer base. In particular:

* Issuers have to tell you each month how much it's going to cost in total to pay off your debt gradually, which is usually a scarily enormous figure. * Issuers own the risk of buying most things with the card. If you pay £200 for a hat from an online merchant with the card, and then the merchant goes out of business without delivering, the law says the Issuer bought that hat, you owe nothing. * Issuers own the risk of card fraud. Unfortunately juries and judges both tend to believe the smartly dressed bank official in a trial, but in law all the responsibility for fraud lies with the Issuer unless they can prove it's your fault.

A lot of people like me have a credit card, and then have the issuing bank also automatically pay off the balance every month from their current account. So the effect is that their credit card is a rolling 30 day interest free loan.

All of those rules sound like the experiences I've had with US credit cards, at least recently. Statements have an area showing "If you only pay the minimum balance, it will take X years and end up totaling $Y." Almost all cards I have used have fraud protections built in, with many even having additional warranties for products purchased.

I have several Visa and Mastercard credit cards. Amex tries go get into the market here, but have higher interest rates and a yearly fee, while most Visa and Mastercards are without any yearly fee, so Amex is rare here. The credit cards I have are not connected to my account and if I pay all the next month there is no interest, but if I only pay parts there are lots of interest. I do get points/credits on some of the cards, so that are the cards I do use.

So I am not sure what is the difference between these cards and "US-style" cards. Maybe that we only need to get an automated credit check based on past years tax reports to get them, instead of having to work hard to get a good credit score?

The differences between different parts of Europe can be larger than the difference between some parts of Europe and USA

Everyone I know in Europe with a “real”credit card just has an Amex.

Lived in Sweden for the past 12 years, and never seen anybody us an Amex card (seen lots of ads for Amex though). Mastercard seems to own basically the entire credit card market here.

Does it really matter if it's MasterCard or Visa?

In my country (Bosnia), there's pretty much no difference between them. Maybe half a euro more per month for one or the other. All the banks I know of let you pick between them. Citizens usually pick randomly. They're accepted the same, you still have to chase your own bank's ATMs to avoid unnecessary fees etc.

Makes no difference to the end user. My bank recently switched it's debit card from Visa to MC and it changed nothing for me.

You can send wire transfers online in the US with most banks FWIW.

On the other side though, EU wire transfers within SEPA cannot cost more than a domestic transfer and overall the domestic fees are insanely cheap, if not free.

In the USA, wire transfers average $10-25 on the outbound. Inbound, domestic wire transfers are often free, but inbound International transfers can run you $15.

This fee structure is why you see Vimeo and Square Cash (and PayPal before those) become so popular.

Unless you already send wires regularly, they'll tell you to go to a branch once you click send.

Not sure what bank you are working with, but that is not my experience (as a US citizen & resident). I have sent both domestic and international wires completely online.

> I have sent both domestic and international wires completely online.

Were these wires to a company that receives lots of similar wires? Do/did you have a history of sending wire transfers? Were any of these wire transfers a significant chunk of your account balance?

All of these things matter. In the US the average person is simply far more likely to be sent to the branch when wiring $10k than in EU.

Not all of Europe has national ID. Here in the UK there's no such thing and no general requirement that you be able to identify yourself (though most banks would require photo ID like a passport or driving license or both before they let you open an account) - on the continent I have to remember to always carry my passport with me, which feels weird and oppressive.

At least as a citizen in Germany, you're not required to carry ID. You are required to own some ID (ID card or passport), and you're required to register the place you live in with the authorities. Not sure what the rules for non-citizens are.

In any case, most people I know always carry their ID card with them in their wallet. You don't need it all that often, but you might as well carry it around, and having government issued proof of your identity is actually quite handy in many situations (situations that are handled with SSID and/or credit card in the US).

> You are required to own some ID (ID card or passport), and you're required to register the place you live in with the authorities.

Fair enough, but still, that's not a requirement here, and seems weird and oppressive (indeed my memory is that being required to register where you lived was a classic example of the non-free-ness of the Soviet Union).

> In any case, most people I know always carry their ID card with them in their wallet. You don't need it all that often, but you might as well carry it around, and having government issued proof of your identity is actually quite handy in many situations (situations that are handled with SSID and/or credit card in the US).

Sure, in practice I carry my driving license around most of the time in the UK. But the fact that I don't have to feels important.

Declaring a single legal domicile is a great way to prevent problems with location-based voting and taxation.

Hypothetically, if you owned two houses, and spent exactly 182.5 days per year in each, an outside observer would not be able to tell which one you considered to be your true home. So that observer might presume it is not your home, and prevent you from voting there, or presume that it is, and levy location-based taxes as though it were your full-time residence. Worse, different observers could make those determinations separately, and you might end up paying double taxes while being denied the ability to vote in either place.

There are also concerns about the correct address the government should use to send its official communications to you. It isn't always about knowing exactly where to send the cops in ninja gear to rouse you out of bed at 2 AM.

As I understand it, the vast majority of people in the UK must tell the tax service when their address changes: https://www.gov.uk/national-insurance/change-of-circumstance

> on the continent I have to remember to always carry my passport with me, which feels weird and oppressive.

Is the passport the weird part or always carrying something to identify yourself weird?

Because I'm always carrying a wallet, with identification in the US; which I must be able to show to certain agencies at any time.

> which I must be able to show to certain agencies at any time.

Which agencies and for what reason? There is no general obligation of US citizens to carry identification or even to provide your name to authorities unless you are reasonably suspected of a crime.

I was pulled over once for doing a U-turn on a street (There was no No U-Turn sign) to pick up a friend from work whom I saw was walking. It was a very cold night and he had on only a T-Shirt. I didn't have my wallet on me, but knew exactly where it was at home.

I sat in the back of a police car for a hour while they researched everything about me.

Again, there was no No U-Turn sign. I was simply suspected of something, of which the police never informed me of.

That was the day I learned I always needed my license, for apparently any reason, in the US. Even if you're white.

Didn’t you just name a reason?

The always carrying something to identify myself is weird. In practice I usually carry my driving license around, but I'd expect to be able to go out without it (and do so occasionally if I'm in an outfit without much pocket space).

Because the US has a much bigger consumer credit market. Almost every retail chain offers a credit account to customers. Even with the large amount of losses from fraud the banks and credit issuers accrue, they still make bank because of the high interest rates they charge.

If you want to live in such a "free market" world then if I'm a bank and someone fraudulently used your information to obtain a loan then I don't want to issue any more loans to anyone who uses your information.

If one person used it fraudulently then there's a much higher probability that any subsequent loan application with the same information is also fraudulent.

Which mean that if a bank has failed to correctly check the identity of a client, the client will be punished his whole life by banks refusing him.

Yes. If you consider this a poor outcome, then you should consider regulating the banks.

Banks need to make loans, if they reject people based on such things they will quickly go out of business as there is an ever smaller slice of the population left over.

Instead, all that's going to happen is banks will simply require someone to show up in person and present sufficient identification.

I think this is even broader. If it becomes harder to verify identities any products that involve post-paid billing will become rarer.

It already is a crime if you tell the bank that they have made a mistake and they don't correct it. It's not hell to fix it. You just have to send a few letters.

It also already is almost all the bank's problem. After all, they are the ones that lose the money in the scenario you describe.

I think there are underlying issues beyond slander or misinformation.

In many ways, credit scores are an early example of data related problems that will become more common. Some will become serious issues in the next few years.

Credit scores are basically an estimate of credit-worthiness. The system is designed to solve the banks' problems, not consumers'. For banks, some number of false positives (creditworthy person with a bad score) is acceptable. It may narrow the market slightly, but it improves the quality of the remaining majority of customers.

This is true of a lot of statistical/algorithmic decision making. Paypal flagged me as "high risk" when I moved countries, so I can't use paypal now. For paypal, losing 1 of me to avoid 2 malicious users is an acceptable trade-off. For me, it's annoying but not a big deal because paypal is rarely the only option.

If paypal's "danger" flag were shared across the financial system, this would become a serious problem for me. It could freeze me out of online transactions entirely, maybe other things. If landlords had access to paypal's "high risk" filter, would it be worth using to filter out bad tenants? Seems possible.

The false positive problem goes from an annoyance to a fundamental rights vioation quickly, if data is shared.

Insurance is acquiring similar issues, though with very different mechanisms. As statistical inference improves, insurance ceases to be insurance... Risk gets pooled across ever smaller groups. The whole purpose of insurance is to pool risk widely. IMO, this is the problem the US' health policy architects underestimated. Insurance companies know too much to be insurance companies.

More such issues are coming soon. China seems to want a credit score system, with alarmingly ambituous and and political breadth... The Social Credit System.

Adtech companies and conglomerates (especially FB) are really hitting their stride. I wouldn't be surprised if they can score credit worthiness, insurance risk and other things using their web browser and app datasets.

Should adtech be allowed to service banks, insurance companies, real estate agencies and employers? If not, we should probably decide this now.

I don't know what the answers are, but credit score may be the place to start. I think approaching the problemfrom and identity/data protection perspective is fundamentaly flawed.

> Insurance is acquiring similar issues, though with very different mechanisms. As statistical inference improves, insurance ceases to be insurance... Risk gets pooled across ever smaller groups. The whole purpose of insurance is to pool risk widely. IMO, this is the problem the US' health policy architects underestimated. Insurance companies know too much to be insurance companies.

Insurance companies typically want the best of both worlds, to -know enough- to pool narrowly (or often, exclude high risk), but glean the benefits from wide pooling.

The banks should definitely be made responsible and made to pay for all the fraud they sign off on at all of their desks.

We already know what happens when the banks run out of money. They get bailed out. That means they will NEVER be the victim.

That means we can make them pay for bailing out fraud victims and taking the hit on their behalf. It should be a service, a duty, and an honor.

But that will never happen, because this is America.

"this should be solely their problem" - from a legal standpoint, it is. The only reason it "isn't" is because the credit bureaus suck and don't move fast enough. I'm generally not in favor of using regulation as a blunt hammer, but I think a regulation that makes total sense is to strongly punish anything resembling a credit reporting agency (credit bureau or otherwise) that can't demonstrate RESULTS (not effort) in remediating errors related to ID theft.

The FCRA put a lot of measures in place to RESPOND to consumer complaints, but they don't work well and only matter when the consumer decides to complain and is willing to put the time in to do so. That's not enough - if a CRA can't demonstrate success, they should either not be allowed to exist or they should be de-certified. CRA's that can't meet that standard could still exist as businesses, but the shouldn't get the government protected oligopolistic designation they get now.

Notice how the solutions proposed to solve "identity theft" tend to be things that make it harder for the individual to engage in financial activity. Not make the credit agencies or financial institutions get their act together, but force the individuals to engage jump through more hoops to manage their own money.

I agree with your assessment here. But the first thing I thought of when I saw this headline was fixing the fact that SSNs are massively bad as authentication. Instead of giving people a number to authenticate, we should be using public key crypto and digital signatures. If the Equifax hack is the catalyst that pushes us to public key crypto instead of SSNs, then I'm all for it.

I totally agree. We need to throw our reliance on SSN out the window since the hackers are selling all of ours on the dark web as I speak. I like the idea floated out here or some other strong ID route such as SSH keys between 2 parties. All adult American SSN have been compromised so we have to move on to something else that offers stronger deterrents against hackers or ahole credit bureau agencies like Equifax who steal consumers financial data and make it broadly available for hacking.

> This is when a criminal defrauds a bank or other company by getting credit using your identifying information and then defaults.

ID Theft isn't just this. Illegal aliens use ID purchased on the black market to get jobs and pass ID verification. While they have those jobs, they have payroll taxes withheld, but don't file taxes leading to some Americans being hounded by the IRS.



Additionally, some American babies are assigned SSN's already associated with illegal aliens:

> Illegal aliens generally prefer SSNs that have not yet been legally issued or, failing that, the SSNs that belong to American children since these numbers can be used for years without anyone knowing it – except the IRS and the Social Security Administration.

> However, the Social Security Administration does not remove unassigned SSNs used by illegal immigrants from its database. That means the numbers are eventually assigned to newborn, American infants. Neither the Social Security Administration nor the IRS notifies American citizens when their or their children’s SSNs are used by others. In other words, the federal government has facilitated identity theft and protected the identity thieves.


> The main problem trying to be fixed here is "identity theft".

It wasn't a problem, at least it wasn't up until the point that creditors reframed it as "identity theft." It's fraud, plain and simple, and if it were treated as such, the burden would be on entities that have the resources to handle it (and who are also responsible for enabling it) instead of ruining the lives of normal people just going about their business. Oh, you loaned money to someone claiming to be me? I don't see how that's my problem. Sucks to be you. Maybe rethink mailing out pre-approved credit cards in the future.

> Banks should have to know who they are loaning money to and if they make a mistake, that needs to be solely their problem.


Mitchell and Webb had a great bit on this point: https://m.youtube.com/watch?v=CS9ptA3Ya9E

Just like any retailer who makes and delivers a sale over the internet without physical verification the issuers of credit should be held liable. this will mean getting instant credit for purchases and such will be very difficult but that is the price the lenders need to pay for the risk of having, not the consumer.

perhaps they will need to partner with local banks and such. I don't care. by default they should not be able to issue credit where the liability is on the consumer until physical verification is complete

You’re onto something with “bank slander”:


“Bank Presidents and Officers must exercise great care in protecting the privacy of information they gather on people, because there are legal liabilities if a bank intentionally defames a person or invades the privacy of an individual”

This. I once applied to my bank to take out a loan for my business and the questioning I faced was very vigorous and the process took almost a month. Contrast this with getting a Visa/Mastercard for almost equivalent amount-- the sales rep fills out the information in a minute in a big box store and the card is mailed to you within a few weeks.

Agreed, a previous discussion on HN illustrated this very nicely:


I wonder if anyone has tried to sue a bank for this?

Why can't I upvote this comment?

Sorry you are wrong. SSNs and other identity mechanisms are an infrastructure provided by the government to facilitate business. It Should never be the responsibility of individuals/ business to validate identity. If there are flaws in the existing system that lends itself to be manipulated, then the solution should be that the government should fix it.

Edit: In my country we didn't have a unique id till a couple of years back. So everywhere you had to submit photocopies of your id proof and a nother of your address proof. Imagine giving copies of your id to the lowest ranking person of the business you are dealing with. You have extra challenges if you have moved recently.

SSN are NOT an identity mechanism or infrastructure to facilitate business. They are to facilitate tracking your contributions to social security. Businesses have abused them for their own ends because at one time social security numbers were the only globally unique identifier in common use.

> SSN are NOT an identity mechanism

That's exactly what they are. I don't understand who you're trying to fool here. It's a number, for social security, that is assigned to a person. It's poor as an identification method, so it's commonly used in fraud, but that's just hand waving to distract from the discussion about the purpose.

Don't think parent poster was trying to mislead. Sounds more like poster is complaining that SSNs got overloaded beyond their original purpose (as guids for the SSA) to being used for business authentication more generally and that because they started being used for purposes they weren't originally intended or designed for, it ended up being a generally bad at it.

I tend to agree. Best practices are that we shouldn't use guids as authentication/security mechanisms in software systems because 1. they aren't necessarily random so it's difficult to prevent fraud as a result of guessing and 2. you can't rectify authentication issues (e.g. via rotation of authentication or adding additional entropy) without compromising the identification function see (https://tools.ietf.org/html/rfc4122#section-6).

We should never have used them as authentication methods IRL.

How in the world does the fact that it is an ID number in the Social Security system mean that it's meant to be used as an identity mechanism by businesses?

Is it only used by businesses? Don't you have to provide the SSN for your driver's license? If the government is using it as an ID across it's departments, then it is an ID.

Those are two separate statements. 1. It's an ID number in the Social Security System.

2. It's also now used as an authentication mechanism by many businesses (because it's relatively ubiquitous and banks, gov, etc. assumed that the SSN owner would and could keep it secret) :

    a. accepting card payments on stripe (https://support.stripe.com/questions/why-do-you-need-my-date-of-birth-and-4-digits-of-my-social-security-number)

    b. driving with lyft (https://www.lyft.com/drive-with-lyft under "What are Lyft’s requirements?")

    c. also for bonus points take a look at what happens when you search google for "SSN for resetting" and marvel at all the banks that let you reset your password with your SSN.
(update to try to fix formatting)

SSN are NOT an identity mechanism or infrastructure to facilitate business.

> SSN are NOT an identity mechanism

You purposely misquoted them to make your point. That's pretty lame.

It's a misquote if you parse the original statement as "NOT an ((identity mechanism or infrastructure) to facilitate business)" That would be removing important qualifiers.

It's not a misquote if you parse the original statement as "NOT ((an identity mechanism) or (infrastructure to facilitate business))". It's perfectly fine to simplify "Not A or B" into "Not A" when your argument is "Yes A".

In the context of godzilla82's wording, I think the latter interpretation is more likely, making it not a misquote. Even if that's mistaken, I doubt it was an intentional misquote.

For a long time it was illegal to use SSNs as identifiers except for tax purposes. It was a mistake to allow that restriction to be rescinded.

It was never illegal, just not recommended (as printed on the SSN card).

The printing was removed because nobody gave two shits about it.

In researching the matter further I find that I was mistaken. I was thinking of the Privacy Act of 1974, which stated: "no Federal, State, or local government could withhold a right, privilege or benefit from a person simply because the person refused to furnish his or her SSN."[1] Somehow I've believed for many years that it applied to private businesses as well, my mistake.

[1] https://www.ssa.gov/legislation/testimony_031606.html

“At one time”

What alternative would you propose now?

Having a personal relationship with the person you're loaning tons of money to so you know they are who they say they are? I know it sounds ridiculous.

And if your excuse is "well, we're too big to know our customers!" maybe you shouldn't be in the business of loaning money.

So if you move to a new town, you can't get a loan because the bank doesn't know you?

If you're an immigrant? If you're a protected class?

The whole point of the fair lending act is that lenders have to use consistent lending criteria across population groups. Going back to the pastoral days of personal relationships with bankers is the wrong answer.

PS "lending" not "loaning"

> So if you move to a new town, you can't get a loan because the bank doesn't know you?

If you are using a different bank in this new town, then yes, you're kind of SOL. However, it's not too wild to think of a way for credit history and verified identity from one bank branch to be stored in some kind of software system, which could share data between branches. The initial work in establishing trust is annoying, but verifying identity once you have some system in place is easy enough. A short phone or video call with someone who _did_ know you and works within the same institution would be a pretty sufficient way to go about it. Hell, universities have an even more archaic way of doing this: if you need proof of enrollment or a transcript then the university will send sealed snail mail to whatever institution needs the information. You can even request and deliver these yourself personally, if you want to.

Perhaps "personal" is the wrong word for the kind of relationship you want to describe though. Your relationship with the bank as an institution is independent of any SSN, they just track any credit or debt to your identity using it. There's no reason why a single number needs to track that kind of information, when the banks could just be required to verify their own knowledge of you themselves. At some point we have to admit that someone at the bank must know you, or be able to vouch that who you are is who you say you are. Even just a second check of a photo of you compared to a face scan would be more than what's verified now.

It's actually hard to understand how America has this problem because it was the USA that basically invented the concept of "know your customer" and the modern anti money laundering system in the 60s and 70s. Failing to do KYC is supposed to be a serious offence that can lead to jail time. So how is it possible that banks routinely don't know their customer sufficiently well that identity theft is a real problem?

That is crazy backwards. Banks make money liquid.

Alice in Pittsburgh wants a $100K loan to go to college.

Bob in Hawaii wants to invest $50K at a 5% return rate.

Charlie in China wants to invest $50K.

Without banks - Alice & Bob fly across the country to meet, and Bob, who knows nothing about college, hopes the college is real & Alice will pay. Alice, who knows nothing about Bobs hopes he won't get really impatient after 10 years and rob her. They talk for 30 minutes and hope that short interview is enough to establish trustworthiness on both sides.

We then repeat the whole process with Alice & Charlie.

With banks - Bob invests $50K into the bank. Charlie invests another $50K. Alice gets a $100K loan from the bank. The bank already has channels to ensure Alice is trustworthy, to verify her admission/enrollment in college, to collect loan payments, to eat the loss and give Bob his 5% returns anyways if not repaid. Even though Alice pays back $12K every year, the bank has enough liquidity to give Bob $1K every month instead as he prefers.

I think the idea is that the bank should get to know Alice, Bob and Charlie better.

By the way, banks don't lend deposited money, they create money.

In the context of the hypothetical, Bob and Charlie lend the bank $100k, which the bank keeps in its vault, for whenever the bank examiners stop by to check up on them. They then lend out $1000k as numbers in loan accounts. They put $100k in Alice's loan account, and periodically transfer numbers from Alice's account to the university bursar's account. They do the same thing for Dana, Eddie, Frank, George, Harriet, Iona, Jerry, Karen, and Lisa. Whenever someone comes by to check up on their money, the bank takes them back to the vault and points to the same pile of cash, and they leave satisfied.

Bob and Charlie get maybe 1% interest on their $100k, while the bank charges 10% on all $1000k of the leveraged loans. At year's end, the bank has paid B and C about $1k, and collected from A D E F G H I J K and L about $100k. If Bob, Charlie, or the bursar ever unexpectedly come around to make a withdrawal, the bank phones up the national central bank and says, "Yo. Boss says you need to come by and do that thing we talked about that one time. It's important." Then a truck shows up with very important pieces of fancy paper that the bank can give to people, so that they go away without getting mad. It's very important that no bank ever runs out of those, because then people wouldn't give them back to the banks to be reused, by giving them to other depositors!

It's all very complicated and important and not crooked at all. You can certainly trust those banks, because all their employees are clean and smell nice and speak clearly and wear good-looking suits.

But it is also important to realize that the bank does not need to know Bob or Charlie very well. It isn't really even strictly necessary that Bob or Charlie be real people. All that is necessary is that they have entrusted a symbol of their savings to the bank, to be used as the bank sees fit, without any direct oversight, in exchange for a pittance in interest. This is really only a good deal if you have so much money that your investments would otherwise overwhelm the capability of businesses to generate a good return on it. So banks have a few customers that deposit enormous quantities of cash with them, because the only other entities that can actually pay out a 3% return on that much dosh are national governments, state-partnered enterprises, and multinational mega-corporations. Bob and Charlie represent round-off errors. But there are a lot of Bobs and Charlies, and in aggregate they do help the bank make money, so they are tolerated, with a token amount of ass-kissing to keep them happy. And if one gets screwed over by accident once in a while, that's no big deal (to the bank).

The bank does need to know Alice and D E F G H I J K and L, but only just enough to figure out how much extra they need to charge to cover their default risk. The bank's major concern is that one of those people might actually be Maurice, who plans to default, but he is untouchable, because the bank does not know who he really is. But they know who he was pretending to be, so screw that guy; he shouldn't have let someone else pretend to be him without his knowledge, right?

So I'm not really certain that knowing all the insignificant peons would actually help. The fundamental problem with banking is that the (remaining) individual firms are too large for the median customer to matter to them at all. They have no intrinsic economic incentive to even acknowledge that a problem exists, much less admit responsibility for it, because their real business is aggregating investment opportunities that are too small to bother with individually into packages large enough to interest investors with colossal amounts of cash, and taking a percentage off the top.

But are you, as the customer, ok with having a personal relationship with a banker? Also, in a court of law, how would you define personal relationship?

How do you solve the case of a scammer loaning tons of money from a bunch of lenders and moving to a different state? The answer can't be "only loan money you know/trust," because that excludes newcomers to an area from loaning money.

> SSN are NOT an identity mechanism

They are an identification mechanism, what they are not is an authentication mechanism.

They are similar to IBAN in that way, they're suitable to e.g. give you money, they're not suitable to take money out.

>one time social security numbers were the only globally unique identifier in common use.

And now do you have other mechanism s? If you do, you should be using them, if you don't, then scrapping the only one is not a solution. Asking businesses to do verification on their own is definitely not a solution.

Why isn't it a solution to ask businesses to pay to validate the person they are conducting business with?

How does schools do background checks? How does the police force do it for their officers? Why can't the same method be used for a bank?

Those checks you talk about, involve using SSNs at some point. Also, these checks are not scalable. I think, because you have not lived within a system without an id mechanism, you have no idea of the set of challenges you face as a business as well as an individual. Just think how would you prove to a lender your financial status. You would have to give him a copy of documents of all your assets (bank statements, property documents), copies of your tax returns.

Because as the previous commenter mentioned, you’re then in the position of needing to share out much more intrusive info to many more people. It’s also a pain in the ass from a customers standpoint given the statistical rarity of someone being impacted by ID theft.

Sure, a photo copy of your ID and your address might seem more personal but ultimately the SSN is just as personal because someone can ruin your life with that one number + your name. In that sense it seems like you are already giving out the most personal of information to some random employee at said business.

Those examples are for getting a phone or electricity connection. For a loan, you would have to give bank statements, income tax return proofs etc. And if that is not sufficient, you need to get your property apprised by "authorized" valuators!

> Should never be the responsibility of individuals/ business to validate identity.

Um, what? If you are doing business with someone based on an assumption about their identity (giving them a loan based on credit history, for example), it sure should be your responsibility to verify that that assumption is correct--that the person you're dealing with is indeed the one that all the data you have applies to. And if your assumption turns out to be wrong, the last thing you should do is blame it on the person who actually is the one all your data applies to.

> If there are flaws in the existing system that lends itself to be manipulated, then the solution should be that the government should fix it.

The government is largely the cause of the flaws in the existing system. The last thing we should do is expect the government to fix it. If private corporations are going to make use of information about you, it should be their responsibility to make sure that information is accurate.

> The government is largely the cause of the flaws in the existing system. The last thing we should do is expect the government to fix it.

“The software developers are largely the cause of the bugs in the existing software. The last thing we should do is expect the developers to fix it.”

I mean, I do believe private businesses should be held responsible, but one way to make them do that is by regulating them through an agency with higher authority, which probably means government.

> The software developers are largely the cause of the bugs in the existing software. The last thing we should do is expect the developers to fix it.

Flawed analogy. Software developers introduce bugs inadvertently, and they have both an incentive and the knowledge to fix them. (In cases where that is not true, bugs indeed do not get fixed, and we should not expect the developers to fix them. That is why open source software is important--so I can fix bugs in software I use that the developer can't or won't fix.)

Government introduces bugs on purpose, to serve special interests, or out of ignorance, because government officials who make regulations are clueless about what they are regulating--but they don't get penalized for making clueless regulations and they don't get rewarded for fixing them. So government has neither an incentive nor the knowledge to fix bugs it introduces. (And the analogue to open source software in this case is libertarianism: if the government can't or won't fix bugs in regulations, it should not regulate in the first place.)

> The original purpose of the SSN was to enable the Social Security Board to maintain accurate records of the earnings of individuals who worked in jobs covered under the Social Security program. The card was never intended to serve as a personal identification document—that is, it does not establish that the person presenting the card is actually the person whose name and SSN appear on the card.


So maybe there does need to be a federal or state identification method, but because we lack a legitimate method it should also be the responsibility of the individual to do due diligence that the person they're giving credit to is the person they say they are.

> it should also be the responsibility of the individual to do due diligence

How? ask them to carry a copy of their address proof and id proof? As an individual, do you feel ok to have copies of your id and address proofs in the hands of low level clerks?

Exactly this. I’ve been on the recieving end of ID theft before. It was a pain in the ass for a small time, but mostly resolved with a few phone calls and 3 letters sent out. Still this is better than what is being proposed in this thread.

I’d really prefer not to need to carry around utility bills and other nonsense every time I need to conduct business. I’d also bid those folks consider what happens when you are homeless or otherwise don’t have a fixed address with utility bills in your name.

> Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia and both the current and former CEOs of Equifax on how to protect consumers against major data breaches.

So, ask the person who lost 3 billion accounts, the person who is stuck with the mess from losing 3 billion accounts, the person who lost 145 million SSNs, and the person who is stuck with the mess from losing 145 million SSNs how to protect against data breaches?

I appreciate the relevance of those individuals to data security, but they're clearly not subject matter experts. If I wanted to secure my home against burglars, burglary victims probably wouldn't be my first consultation.

That said, the mostly fixed nature of SSNs and their intrinsic potential for introspection is a huge liability and we should move away from them.

[edit: Karen Zacharia may well be a subject matter expert here, it's a little unfair to group her in with my rant.]

Burglary victims should be your first consultation, because most people who weren't burgled were probably just lucky, or were burgled but haven't realized it yet.

If there are 10 houses, a burglar tries to get into all 10 but only succeeds on 2, then you should talk to the 8 owners who successfully protected their houses. If there are 1000 houses, a burglar tries to get into 10 but doesn't tell you which 10, and succeeds on 2, you should talk to those 2 owners because they know for a fact what can fail. 990 owners will just say "do what I do" without having any evidence that their strategy is actually safe.

Or, you know, maybe stop talking to homeowners, victims or not, and start talking to people who make locks and safes. Actual subject matter experts rather than targets.

CEOs, at best, will be proxies for whatever security personnel they have on staff and we have no way of evaluating the credentials of those security staff. At worst, they'll be advocating for policies that reduce their exposure/costs at the expense of greater overall fraud costs.

The senate should use their own knowledgeable proxy in this case. NIST has already shown itself capable of creating security standards of a reasonable quality. Run another public competition for a national ID system capable of replacing SSN and let real security professionals propose (and then debate) a way out of the current mess. Senators can then codify the results of that process into law.

> Or, you know, maybe stop talking to homeowners, victims or not, and start talking to people who make locks and safes. Actual subject matter experts rather than targets.

You want to talk to the burglars. They already know the locks and safes and likely know even better how to break them than the creators. In this case, you want to talk to hackers.

The reason Congressional panels do things like this, is to put on a good show. They like to be seen dealing with higher level matters/people as a demonstration of stature.

> In this case, you want to talk to hackers.

No - the problem here isn’t hacking, it’s allowing a fixed, easily learned number be a sole proof of ‘identity’. SSNs were used in identity theft long before hackers.

Maybe a bad analogy, but I do think that it doesn't make sense to ask "burglary victims" for computer security at least.

They know what parts of their system were compromised, at least partially.

Yes, without Equifax, how could anyone know they should apply security patches to their systems? No one knew this until Equifax.

Technically, it is still only one data point: we should probably run some kind of controlled study to verify that this is actually a problem before we go overboard.

Ok, so why didn't they? Should we ask TransUnion what went wrong at Equifax, and what laws and regulations are needed, if any? Or should we ask Equifax?

>> Ok, so why didn't they?

The parent post was sarcasm. Equifax did not follow security practices that are common and widespread in the industry. And by industry I don't mean credit reporting companies, but companies that have systems connected to the internet.

I understand that. Why didn't they follow those practices? What can we do to force companies to follow them in the future?

Make the liability for data safe keeping in the company that holds the data. You don't see medical records have issues like this, because the laws surrounding it is quite fierce.

I will actually answer your question, because Equifax has already explained:

One guy was supposed to install the update, but forgot for some reason. Everything was his fault.

Did you expect anything else from a company so incompetent? With a paltry $3b/year, they can't be expected to pay for more than one person to install updates.

You force companies to secure data by giving out enormous fines to the company and criminally charging the negligent or incompetent corporate officers.

Sure, but just because you got sent to the hospital doesn't make you a doctor.

They aren't burglary victims but the guards that sleep (drunken) in their night shift.

> Karen Zacharia may well be a subject matter expert here, it's a little unfair to group her in with my rant.

"Millions of Verizon customer records exposed in security lapse - Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed." http://www.zdnet.com/article/millions-verizon-customer-recor...

"1.5M customers of Verizon anti-hacker unit hacked" https://www.usatoday.com/story/tech/news/2016/03/25/15-milli...

It's 2008 all over again. The US/International shit show we call a media tried to make Occupy seem like lost-goalless hippies. It was the ghost of Nixson. You know why people were mad? All those executives at the highest levels committed fraud, perpetuated fraud, created a culture from top to bottom of fraud where people who issued loans were encourage to forge documents, make up incomes and sell people on terrible mortgages. Then the media blamed those people instead of the people who put that system into place.

None of those executives went to jail. None of them faced any real fines. None of them faced any real consequences. Many of them walked away with millions. PNC bought National City Bank for $5 billion and got a $5b tax credit (National City wasn't allowed any TARP funding). Big banks knew 2008 would happen, and when it did, they used it to buy all their competition at the expense of millions of Americans who lost their homes, retirement savings, etc.

It doesn't matter if it was Bush or Obama or Hillary or Trump, because no matter which puppet is on stage, no one in the 1% who either allowed such terrible things to happen or made them intentionally happen or profited from things that happened to have fallen into their laps; none of them face any real consequences. The executives who sold off Equifax shares getting off without any wrongdoing is a perfect example. It's obvious they knew. They made money and they will never and can never be held accountable in today's world because they control, to various levels, all the world leaders and banks.

Um, what does any of that have to do with the Congressional hearing?

Is there a transcript of what kind of questions were asked? I can imagine useful information being gleaned by questions like, "what was the nature of the attack, how were people able to get in, what exactly happened here, how did you store the data, why were you confident it was secure, etc?" That gives you a starting point of what the facts are, what was really experienced. When you are working from a ground zero of zero knowledge (and I bet most of these committee members have zero knowledge, if not all of them), it's good to establish facts of what happened before figuring out solutions.

I haven't seen a transcript anywhere but presume it may end up in the Congressional Record.

The archived webcast is available https://www.commerce.senate.gov/public/index.cfm/hearings?ID...

The prepared statements from the witnesses are available to view at the bottom of that link as well.

I was burglarized by someone who kicked my front door down. Everyone who hasn't experienced that thinks it's important to fully gate off your back yard. My first-hand experience tells me that that advice wouldn't be sufficient to secure my home. Why would you prefer speculation over experience?

One of the houses I lived in had a really strong lock on the front door. The lock wasn't really the problem, though: the door is made up of four float glass panels. Of course, even if it was a solid wood door, there's another problem: the bit the lock slides into is held onto the frame by two screws.

It's crazy some door knob/dead bolt kits come with screws that just screw into the jamb. Little 3/4" screws. You really need those 3"+ screws that go into the studs. I'm sure you do this now given your experience but if you ever get a kit that doesn't come with screws like that they should definitely be purchased separately.

Another pro tip: good deadbolt kits have a lock cup with one or two holes inside as well so you can secure it even further.

Second pro tip: replace your door hinge screws (on the jamb and door) with larger 3-4” screws.

Third tip: outside doors should be solid wood or metal, not hollow.

It truly is crazy. Every door frame to the outside in my house used to have these tiny screws. It's so trivial that even I who massively struggles with the simplest home improvement tasks was easily able to replace the screws with much larger screws that go into the studs. Yet it seems to be standard practice to use these tiny screws. The other thing I recommend is getting security film for your windows and have it anchored to the window frame. It doesn't prevent anyone from breaking them but it makes the process take much longer and be much noisier.

Politicians need to look like they are doing something. It doesn't matter if they actually do anything. If they look busy, they are busy and are obviously working hard and should be kept in that position.

> So, ask [the people who lost billions of accounts and SSNs] how to protect against data breaches?

It's worse than that. These are the very people who profit on trading in data linked to identity information. It's like asking the fox how to secure the henhouse, after he ate all the hens.

Any new identity scheme has to be something that does not rely on security practices of any third parties. The public component of the identifier must be useless as an identifier without the private part held only by the individual.

I suppose Karen Zacharia is the token black hat? Verizon aggressively breaks people’s expectations of privacy by MITM rewriting HTTP connections.

(Or, maybe she was at Yahoo! during the breaches...)

Verizon isn't breaking people's expectation of privacy implicitly by MitM-rewriting unencrypted HTTP.

They are breaking this expectation by using the MitM-rewriting of unencrypted HTTP to inject tracking identifier headers for third parties.

Comcast also MitM-rewrites requests and occasionally leaves extra fingerprinting entropy, but they don't intentionally kill your privacy like Verizon.

They aren't asking them for security advice. They are trying to find out the specific ways that they fucked up their security.

There could be numerous other companies that are messing things up in exactly the same way, they just have had the misfortune of being breached yet.

You can keep the SSN as primary key for identity, you just need a different mechanism for authenticating as that identity.

This is a solved problem in most countries, the U.S. can just pick any from a long list of countries to copy the model of wholesale.

> Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward. In this model, a certificate lasts for three years at maximum and can be used to issue a digital signature much like written signatures are used now. Unlike its counterpart in the U.S., these identity accounts can be revoked and reissued easily through an established national protocol.

I believe most Americans are opposed to a national ID, so SSNs have been used as a (utterly terrible) workaround. Some reasoning for this, to quote an ACLU article on the subject[0], 'Former Senator Alan Cranston has described the national I.D. card as "a primary tool of totalitarian governments to restrict the freedom of their citizens." '

The Brazil solution mentioned seems pretty reasonable though. I like the built in expiration and ease of reissue. Anyone have experience with or thoughts about this sort of system?

[0] https://www.aclu.org/other/national-identification-cards-why...

> Former Senator Alan Cranston has described the national I.D. card as "a primary tool of totalitarian governments to restrict the freedom of their citizens."

Ugh. National IDs are common in Europe as well as other places where identity theft is mostly an exotic concept featured in the news about America. It's hard to call Belgium a totalitarian regime.

Whereas in countries without national IDs, people are forced to provide personal details to scores of vendors big and small who use these details for their purposes and may lose them to online criminals. But hey, we are protected against a hypothetical tyranny.

> we are protected against a hypothetical tyranny

This is America in a nutshell. Most of it's efforts are spend protecting against what it can't see and not on the problems in front of it.

Sad I can only upvote once. But then, aliens and zombies will have a hard time invading the US.

On the other hand, there are countries that use national IDs to restrict the freedom of their citizens.

You can't base your reasoning about something like this solely on what's happening in some countries right now. That's how SSN mess started in the first place. They weren't intended as a global identifier, there were concerns that they will be used as such, but those concerns were ignored.

Also, I'm not convinced that spinning up a new ID system is necessary to solve the issue at hand.

Isn't it legally required that you carry your ID at all times unless you are within 200 meters of your home? That would horrify most Americans. I know it is not in reality, but it sounds totalitarian.

> Isn't it legally required that you carry your ID at all times unless you are within 200 meters of your home?

In Germany there is no such requirement, even though many Germans also think that you have to carry it with you. But the Ausweispflicht (Obligation of identification) only means that you have to own an ID, but you can leave it home most of the time (which I do).

When I lived in Germany I by mistake didn't check into a tram once and was discovered by a ticket inspector. Long story short since I didn't have ID on me I ended up getting escorted by two police officers back to my house to show them my passport.

So yes, you don't have to carry ID on you in Germany, but only in the most pedantic sense. You'll just get a free police escort back to where you keep your ID in case you need to identify yourself. That hardly qualifies as not needing to carry ID when going about your business in the sense that Americans would be familiar with.

But could they have forced you to identify yourself if you hadn't broken some rule? I get it was a mistake (which I've made in the past as well), but still, the US police will probably want to identify you as well if they have reason to fine you.

I'm not sure, but in several European countries the police is able to ask you for your ID when you're going about your business, there's no limitation that it must only be in relation to an offence.

Thus any interaction with them could result in you needing to put a stop to anything else you're doing as you're escorted back to your house to fetch your ID, unless you're carrying it in the first place.

But the example I provided wasn't such an example, since there was a fine involved. However just having compelled ID changes even that situation. If Germany didn't have that I'd probably been able to just pay the fine on the spot without need to establish my identity.

I don't believe there's anything equivalent to that in the US. Furthermore since there's no national ID system they don't even know if you have a driver's license, social security number or passport, so their options for compelling you to produce ID are limited.

In most US states, the police can't force you to provide a physical identification card period. At most, they may be able to compel you to verbally identify yourself, e.g. by providing your name and address.

The idea of being legally required to provide government-issued identification to a law enforcement official under any circumstances is simply verboten in the US.

>The idea of being legally required to provide government-issued identification to a law enforcement official under any circumstances is simply verboten in the US.

As long as you're not within 100 miles of the border inside the "limited civil rights zone". [1]

Personal experience is that border patrol officers feel no need for "probable cause" before pulling you over and searching your vehicle.

[1] https://www.aclu.org/other/constitution-100-mile-border-zone

In such situations you have to identify yourself somehow, that's what obligation of identification means.

I was with a friend in the same situation (he forgot his ticket and had no ID). I just had to witness that he was indeed the person he said he was and it was fine.

There are many situation where in the US the police will immediately arrest you while the German police will just write down your identification and let you go for now. I will rather take the German approach.

Ironically, if you drink alcohol in the United States, you're essentially forced to carry your ID at all times because bars and restaurants check ID aggressively (even for people who are visibly much older than the legal drinking age).

So even though, as an American, I'm not required to carry my driver's license around at all times, I almost always do, and many of the few times I've left it at home I ended up regretting doing so.

Based on my visits to Europe I'd imagine Germans would find this whole situation ridiculous.

I should clarify that I was talking about Belgium which was the country the parent comment used as the example. I am aware that the laws are not the same across EU.

I think it's only fair to compare that the to _de_ _jure_ status of many modern day US states.

More than 23 states require that someone be able to prove their identity (probably with a government-issued card) "if there is reasonable suspicion of a crime"[1].

Given that a book called "Three Felonies a Day" which cites facts such as the number of crimes in the US Code, the fact that most people haven't even started reading it nor have it memorized, nor have the legal skills required to determine whether (if it's even deterministic without a judge/jury) they have committed a crime, I would argue that a clever police officer probably has the ability to use that law as a tool to create a crime where none existed before.

[1] https://en.wikipedia.org/wiki/Stop_and_identify_statutes

Isn't it legally required that you carry your ID at all times unless you are within 200 meters of your home?

There might be a country somewhere in Europe that has that law, but it's certainly not normal.

I was talking about Belgium, which is the country the comment I was replying to had used as example.


Yes. People don't though. In practice people do tend to have a driving license in your wallet.

This joyous setup is the result of the Schengen zone. When national borders were "abolished" (not really, they came back due to the migrant crisis) the way governments got police and immigration forces on board with it was to say that everyone had to have their ID on them at all times and an ID check could be done anywhere at all within the zone. I've never heard of anyone getting in trouble for not having ID on them though.

That's a log of myths and misinformation spread here. In the EU you only have to carry an ID while you're crossing a border. If you stay in another country of the EU you should have your ID available somewhere in that country.

But if you actually have to carry around your ID all the time depends on the laws country you're in. Here in Germany you don't.

Direct from Wikipedia:


It is the obligation of everyone travelling within the area to be able to show a fully valid form of personal identification approved by other Schengen states.[98]


Although travellers within the Schengen Area are no longer required to show documents at an internal border (although there have been some controversial instances when they have, and it is fairly common at major land border crossings with Switzerland), the laws of most countries still require them to carry identity documents

Your interpretation of this doesn't seem to be correct. The whole point of Schengen is that you don't have to show ID at internal borders, which were supposed to cease existence. Rather, you have to be able to show your ID at any time whilst travelling ... where "travelling" is such a general concept that it effectively means at all times unless you are e.g. at home.

Year 2011, I was touring Berlin with a friend, and a policeman asked us to show our ID. So, tourists need to carry passport at all times? How'd police know who is a tourist?

Spotting tourists is usually not hard for someone who lives at the location.

Additionally, it could just have been chance.

In general, yes, you should have your ID/passport on you, but there is no real punishment for not having it other than being required to later show up at a police station and/or being escorted by the policeman to your apartment/hotel to show your ID.

A bigger problem is usually not having a drivers license on you, that gets some of the people in the police riled up (but again, no real punishment as long as you show up later at the police station)

> A bigger problem is usually not having a drivers license on you

Why? What about people that just don't have / need a drivers license?

It’s required but many people don’t do it. If you get into a situation where police stops you and you don’t have your ID on you, just tell them you forgot it at home or you didn’t take it with you because you just went out for short walk. Police should then drive you home where you show them your ID.

> (…) It’s required but many people don’t do it (…)

Not in general.

In Germany you just have to own an ID be able to produce it when legally required. However only under a very narrow set of circumstances it is legal to ask for an ID.

The police may ask for an ID only during a "Identitätsfeststellungsverfahren", which is only legal to do if you're suspect of a crime or if you happen to be within an area of specific public vulnerability, i.e. crime hotspots designated for vetting operations. Other than that it is in fact illegal for the police to ask for your ID. But even under that circumstance it is absolutely lawful not to carry an ID with out; worst case scenario is, that the police has to escort you to whereever you have placed your ID and you be able to show to them there. Depending on circumstances this might create (major) inconveniences, but has no legal consequences.

In addition to that there are certain business transactions where an ID must be produces. For example when checking into accomodation, closing a contract with a telephone company (that's new since this year, and totally ridiculous) and opening a bank account.

In Romania it's legally required to carry your ID everywhere. I am not aware of a minimum distance :)

That's already the de facto case for non-white Americans. If you don't you risk getting snatched up by ICE.

In this context wouldn't the EU be a better entity to compare against the US federal government? In that sense the ID situation in the US is pretty much the same as in Europe (each member state issues its own IDs), except the US has an extra ID number at the federal level that was never even intended to be a federal ID number (and is consequently terrible at being that).

No, at least some of the IDs in Europe is valid in all or most of EU. In Sweden, the ones given out by the police is valid in EU, while for example drivers licenses is not (as an ID. They are valid to drive with).

What do you mean? I can use my driver's license as an ID in any state.

An EU driving licence is only proof of being qualified to drive, not proof of residence or nationality.

That makes it ok for some identity purposes (age, name) but not sufficient for crossing a national border.

(I'm not sure this is relevant, but I'm explaining the situation here.)

A drivers license is not an ID in the EU. It is usually used for age verification.

If you do a post-ident or anything official, you need your proper ID.

In most (all?) US states the DMV or equivalent issues both IDs and driver's licenses, with the side effect that if you have a driver's license it is also your state ID. So the fact that they are separate in the EU is tangential. The term "driver's license" in the US is synonymous with both "ID" and "driver's license" in the EU, and can be compared to either.

To proof your age but not to identify for official business (e.g. opening bank accounts) or with governments.

Who has authority to revoke the ID? Can someone get angry and un-citizen me? Will the process of getting re-identified take a day, a week, a month, years? Will I be able to continue working in that time? We need to build with these security concerns in mind. The reason SSNs are failing is that security was never supposed to be a concern for them, so no thought was paid to it.

No, the ID's cannot be revoked, and they are assigned at birth or at the moment you apply for immigration. There are some efforts to allow stripping dual-nationality criminals of their citizenship, but that process requires both a judge and a cabinet minister to sign it, and the ECHR will not allow people to be stripped of their only citizenship. And even in those cases, the national ID's will not be revoked, just invalidated.

So let's skip all the hypotheticals about having to recover one, unless you can point to an actual case from the EU, instead of Hollywood?

The clear answer to that would be only you can revoke the certificate either by signing or by going to something like the post office/DMV with 1-2 additional pieces of ID (for cases where your card is lost/stolen). Also the cert is only for SSN like things and proving your identity in those cases not that you're not a citizen if your cert is out of date. So you couldn't say open a new bank account or apply for a new loan but everything else just keeps working.

> The reason SSNs are failing is that security was never supposed to be a concern for them, so no thought was paid to it.


The reason SSNs are "failing" is because they have been adopted by the public and private sectors because they are a de facto "username".

SSNs serve the same purpose as driver's license numbers and passport numbers, only they have less authentication, but are still more common (because most young children don't have DLs or passports).

IDs get lost and stolen sometimes, so there are established processes for that. In Germany, they cost 28.80€ to replace and take 3-6 weeks to be manufactured. You can continue working normally, and generally there are is no impact on your daily life. The process takes less than an hour, excluding waiting time.

Your citizenship isn't tied to the ID, either.

Forgive my ignorance, I only (sort of) know how this works in the United States. How do Belgian creditors verify the creditworthiness of an applicant who claims to be the individual identified by a particular credit history?

Am I wrong to presume the Belgian National ID is not used for identification and verification by Belgian creditors?

I also wonder (just thinking out loud, not part of my question) what would prevent US creditors from shirking the responsibility and withholding the required resources to establish an identification and verification system which does not rely on a national ID (different from a Social Security number).

EDIT: remove extraneous word, add parenthetical to last sentence.

There is a governmental agency, part of the national bank, that keeps track of credit. Information is kept for three months after a successful repayment of credit, one year after a delayed yet complete repayment, and 10 years after a default.

Only credit information is kept, nothing regarding defaults on rent, unpaid medical bills etc...

Getting a record of your own credit history is completely free, either online, by writing a letter, or just stopping by the bank.

Yes, national ID is used for that purpose. I've only very rarely heard of identity theft by strangers, there are many hoops to jump through, like photo ID and a physical letter sent to the corresponding address for verification.

What would prevent that? Privacy laws. Keeping and sharing blacklists is not forbidden but regulated in Europe. Creditors also are obligated to use the central credit agency.

I'm not Belgian, I just had to deal with them extensively, so I can't reply. But the credit score is not related to the existence of the national ID.

I know that the monstrous institutions thriving on the FICO score are an exception. In most countries, it's the usual payslips, bank statements, stuff like that. No one needs weird stuff like secured credit cards or asking their relative to "piggyback" on their credit score.

I know that the US credit agencies tried to "educate" the local business communities in some countries on the importance of the credit score and are currently occupying a small obscure niche.

>>>Ugh. National IDs are common in Europe as well as other places

Proving the Senator Point.. I am sure you believe Europe is free, it is not. Europe is very very very very very Authoritarian and restrictive.

> It's hard to call Belgium a totalitarian regime.

Belgium is Totalitarian. Seemed pretty easy to me, I just typed things on my keyboard and they appeared like magic on my screen....

National ID is the first step to https://www.aclu.org/ordering-pizza

> National ID is the first step to https://www.aclu.org/ordering-pizza

A national ID is by no means required for something like this. If businesses wanted to, they could already identify us uniquely enough to pool all their information and be able to do something like that.

Did you miss a <sarcasm> tag or are you being serious?

Here's a relevant pop science video by CGP Grey[0] that explains all the various problems with SSNs. My favorite part is the fact that until quite recently (2011) you could decrement or increment a given SSN by 1 and get another valid SSN, since they were sequential.


SSNs are 9 digits, which means that mathematically 1 of 3 SSNs must be valid

Unpacking this for others who scratched their heads like I did:

There are 1 billion possible social security numbers. There are roughly 300 million people in the USA. So roughly 1/3 possible SSN’s is currently in use.

Does the US re-use previously issues SSN's when people die? With such a limited numeric space, they probably have to, right?

Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 453 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.


100 years doesn't really equate to "several generations"...

Haven’t had to yet - they’ve only been around since the ‘30s and we haven’t quite used them all up yet.

Yes, they do.

A couple of years ago I accidentally filed my tax return with a typo in the SSN. I was stunned to find that the IRS accepted it. It took months to fix.

My twin and I have SSNs a single digit apart.

Why would that be surprising? They are incremental, as far as I know..

> I believe most Americans are opposed to a national ID, so SSNs have been used as a (utterly terrible) workaround.

The federal government was never intended to administer services or benefits directly to all US citizens. The US Constitution enumerates a very limited set of federal powers: defense, foreign policy and regulation of interstate commerce, none of which concerns the average citizen day to day. It was intended for state and local governments to directly serve the people in almost all circumstances.

The New Deal was a terrible imposition of big government on the country and we're dealing with the cascade of problems and constitutional issues to this day, SSNs being a very visible example.

The role of the government has certainly evolved since the 18th century, and thank goodness we're not stuck with a union with a weak central government. Do you really look at the balkanized, fractious EU and think to yourself, "Gee, I wish we had that"? IMHO the New Deal didn't go nearly far enough.

Not OP, but I actually do wish that, yes. I think a lot of the problems we're having with political deadlock on the federal level these days boil down to pulling too many divisive issues onto that level, where the resolution, whichever way it goes, applies to over 300 million people - so you end up with a large dissatisfied minority more often than not. Specific issues aside, it doesn't strike me as particularly democratic, either; and I'm not sure representative democracy can even meaningfully scale to the point where legislators ostensibly "represent" millions of people at once.

OTOH, if we had more federalism, I think the West Coast states might have been implementing their own full-fledged public healthcare system right now, instead of trying to come up with some compromise that the other half of the country can maybe accept (like ACA).

All that said, I don't see a problem with national ID. It's just as useful to the states as it is to the feds, and it's clear that something like that can only be run by the feds.

> Do you really look at the balkanized, fractious EU and think to yourself, "Gee, I wish we had that"?

That sounds pretty nice actually.

Do you look at the balkanized fractious USA and think to myself, "Gee, I wish we had that"? Endless wars, being rules by people who live thousands of miles away and don't understand your states' needs?

>and think to yourself, "Gee, I wish we had that"?

No I think "why the hell didn't they put a sunset provision in all those bills?"

As an aside, one could construct a pretty good argument that the new deal was the result of all the Europeans who got off the boat in the prior decades throwing away freedom they really hadn't come to appreciate in exchange for the government playing the role of a lord who has some responsibility to prevent his peasants from hitting rock bottom (lest they revolt) with the catch being that said lord also has a ton of control over their freedom.

You don't engage in interstate commerce on a day to day basis? Do you only eat food grown in your own state, sold by local businesses who don't operate in any other state?

Do you only eat food grown in your own state

Even if you did, it doesn't matter. https://en.wikipedia.org/wiki/Wickard_v._Filburn

So what? People who live in the EU engage in inter-state (-nation, I mean, to disambiguate) commerce daily as well, and that seems to be going no worse over there than it is over here.

I don't really see your point. Practically speaking, I only food sold in my local grocery store. Sure the grocery chain probably really does take deliveries directly from other states every day, but I'm not directly involved in the interstate portion of the supply chain.

While you're right, and I dont think you ought to be downvoted, governments evolve.

Actually, Social Security is a terrific program which has done more to reduce and prevent poverty than any other government program ever.

It is the US Constitution that is bad, by making entrenching dysfunction and hindering reform.

How does the US Constitution entrench dysfunction and hinder reform?

There are a number of issues that contributed. Predominantly a lack of clarity on federal vs state power which stems from a combination unnecessarily high barriers to change (other countries tend to change their Constitutions rather frequently) and a lack of accountability (very long election cycles).

The patchwork nomic-style lawmaking that leads to eventual entrenched dysfunction and resistance to reform was assured. The US will not likely last half as long as Rome. We're 1 economic collapse away from fractionating into new aggregations.

Do you have an opinion on the correct balance between state a federal powers, and how long ought an election cycle be - does the adding a ballot based recall mechanism change things?

I'd argue our style of law making is no different than other western democracies. How do you feel law making should be different?

> on the correct balance between state a federal powers, and how long ought an election cycle be

The US doesn't have mechanisms for removal through accountability. This would mediate any need for an optimal cycle (which doesn't exist due to factors like breadth of initiative). Legal controls on "good faith" grace periods would be an effective control, but we don't even get that due to corruption. The US legal system has festered for too long imo.

> most Americans are opposed to a national ID

Easy solution: make the national ID optional, just like a passport.

Let financial institutions decide whether they want to risk extending credit to anybody, or just people with secure national IDs.

They could require the passport right now. Financial institutions want to loan money to everyone with low friction, if they think they will make a profit.

Brazilian here, currently attending the Brazilian Symposium on Computer Security, and today's speakers include the people behind this proposed national ID (it's not widespread yet).

If you have any questions I can relay it to them directly.

New Zealand has RealMe (https://www.realme.govt.nz/) which is an opt-in system you can use to identify yourself when interacting with various government departments and other entities.

RealMe is a shitty non-compliant SAML2 (not really) identity provider that's impossible to interact with correctly. I worked on a contract where RealMe was giving us different unique IDs for the same people. It's a joke and a piece of rubbish.

It's from the government who brought you Novapay and it's a piece of shit. No one uses it to manage identities and you don't really need to because there are only 4 million people there anyway. Their problem set is much more manageable.

Please never use RealMe as a real world example of anything done right. Please also never use RealMe if you can avoid it.

I think I have 2 RealMe accounts, and they're linked to different services, I have no idea which ones though. I'm not really sure what's up with them. The only government service I really use online is the IRD, who don't even use RealMe, they have their own login system.

NZTA don't even bother, and just require your drivers license number and version, which is useless security, I could change ownership of anybodies car, just to be a dick, or possibly even to steal a car.

RealMe is a RealMess. I find it's usually easier to just ring up the relevant department that requires me to login to RealMe.

New Zealand is a bit funny because people don't (or didn't) want a national identity system. There was public concern when photo drivers licenses were introduced because they might become a de-facto national ID card.

The privacy commissioner (that's a thing) had this to say: "the proposal to oblige drivers to carry the licence at all times while driving would mean, in effect, ... provide ideal conditions for government agencies, police officers, retailers and other businesses, to ask for the card as standard identification in a variety of dealings unrelated to road safety." https://privacy.org.nz/news-and-publications/reports-to-parl...

Which is has. Every time I've been pulled up, or talked to, by the police for more than 30 seconds, they've asked me for my drivers license, regardless of whether I'm driving, or walking.

Indeed. Which means they have the worst of both worlds - hard to hide your identity and no common standard for everybody. So now there's all kinds of alternatives - licence, passport, 18+ card, birth certificate(!). RealMe is pretty nice from the user's perspective to avoid all that crap.

It's funny in light of all the "cars are freedom!" posts in the Bob Luntz post that is also up on the front page, but we DO effectively have a state-level ID system in the form of driver's licences.

The idea that people have a single, unambiguous identity is fallacious, in my opinion. If you're interacting with people, you usually only need their identity for the purpose of that interaction. The main place it becomes critical seems to be when you have a system that is driven by number bias rather than consideration of reasoned, adaptive alternatives.

how do you stop fraud from people opening a new ID and taking out loans with it instead of their "main" ID ?

What lender would trust a new id with no history?

How would you get history if no one trusts an id with no history?


Ask anybody who immigrated to the US, it's a royal pain. (Especially since you have global brands - like e.g. Mastercard - incapable of referencing their data from outside the US).

You start with a secured credit card for $200. Next, you buy a clunker of a car for all-cash. At that point, you have enough history to get a CC with $500-$1,000 limit. Now you pay everything through that CC. And make damn sure you're always 100% on time - a single slip costs you a lot of time setting up that history. After a year or two of that, you usually get a CC covering one or two months of income. Keep building.

It's a really painful process.

You can also go with capital one which has an unsecured $500 credit limit immigrant credit card. Citibank also had a program for new immigrant credit cards. The citibank one references your current income, I got a card with a $10k limit.

This was ~6 years ago so YMMV

yes but if you can make a new independent "ID" cert at a whim then any unsecured debt instrument will be subject to massive fraud

Or you start by getting a job with direct deposit, and depositing some savings in a bank account.

In the USA, what builds credit scores is showing a pattern of using revolving credit and servicing the debt over a period of time. You are penalized if you use too much of your available credit. You are also penalized if you use too little of it, as I found out when I paid off the balance of the one remaining card that held a balance, and saw my credit score hit by about 15 points shortly thereafter. There are other rules, too.

Basically, I can only conclude that we are encouraged to be 'good citizens" by borrowing money and paying interest on it while slowly paying back the principal. People who live on a cash-only basis, which was considered to be a respectable practice not that long ago (borrowing was shameful) have terrible credit scores.

So what, you may ask?

There are very real and increasing disincentives to having bad or no credit. Creditworthiness (in the form of a nice, easy to understand number) is being taken more and more by various entities as a sign of responsibility and even good character.

A credit score is now used by some entities, beyond the mainstay car dealers, to judge risk and character: apartment rentals and employers, to name two.

I'm not suggesting that all employers and apartment management companies do this, only that the trend (I have no citations but it should be searchable) is on the increase.

The bottom line is that in the USA today, credit scores depend on how - and how much - you borrow and repay.

Furthermore, the higher your credit score, the better you are treated, to a degree: better rates on loans, no problems getting a job (all other things being equal), and so on. The opposite is true for bad scores.

This is one of the many ways we are corraled into greasing the gears of the economy, and it is a wasteland for cash-only operators (unless, I suppose, they have a huge amount of cash).

>>Basically, I can only conclude that we are encouraged to be 'good citizens" by borrowing money and paying interest on it while slowly paying back the principal. People who live on a cash-only basis, which was considered to be a respectable practice not that long ago (borrowing was shameful) have terrible credit scores.

Welcome to the new consumerism.... Being Thrifty, having savings, and generally being responsible with your income is bad. The Government does not like it and punishes you with low/no interest on savings and inflation that outpaces that savings, Banks hate it because they would rather you spend spend spend so you need their loans to live above your means so they can not only get interest but maybe you will also over draft on your checking and they can kill you in fees.

Retail shops hate it because they need to sell you increasing amounts of cheaply made poor quality product you must replace every 12-18 months

The economy lives and dies with debt. If everyone started saving and living with in their means tomorrow the national economy would come to a screeching halt and we would have a depression that would make 1929 looks like a boom year

That doesn't help at all, unfortunately.

American Express can reference and transfer credit if you move abroad.


I'll second that. Had a similar experience.

You don’t really need a history. I.e. it’s very possible to get around just fine without credit card or loans. Most people I know in continental Europe just have debit cards and only buy things they have enough cash in their bank account to afford.

The only exception is mortgage which is usually the only loan people take their entire life. And it’s possible to get it without having a credit score. You’ll need your complete history of employment and addresses and based on that bank can borrow you money. Perhaps car leasing is another loan people might take but that works similar way.

Borrowing money to buy everything seems to be an American fetish (but also present in U.K. which is most America like part of Europe and Asia, not continental Europe though). It always seemed insane to me to have to borrow money from bank to buy a latte or groceries.

Having my consumption expenses separate from my actual bank account is quite nice - it means my bank account statement gives me a quick summary of what I spent this month (x went to my mortgage, y went on utility bills, z went on buying things) and then my credit card statement has the details. You could see it as borrowing money for your latte but you can also see it as being billed at the end of the month for your lattes which is normal for many things. In principle I'm all about living within your means, but really why wouldn't I do things this way and get a month's grace on paying for everything and free plane tickets every so often?

I get the same thing with prepaid debit card. I use Monzo which sends me push notification every time I buy something and I can see my weekly / monthly / annual spending habits per category (utilities, groceries, entertainment, eating out etc). The credit card is absolutely not needed for this and most modern banks give you very detailed summaries like this via their web / mobile interfaces.

Because I don't want to pay an extra 2% "tax" to the banks, for loans that I don't need?

The only place I use a credit card is online. So i can pay quickly and worldwide.

How do you end up paying anything? I don't. A few shops charge a fee for using a credit card, in which case I'd use cash[1], but that's rare.

[1] Not actually true, because I find the convenience of the card is worth it - but I understand people taking the opposite position.

There's a risk you miss the credit card payment and have to pay exorbitant fees. Why risk it, just pay with debit and there is zero risk.

I've got a direct debit set up to my bank account, so there's no risk of accidentally not paying (of course it's possible to overdraw my bank account, but that would be possible when paying by debit card as well).

Yes I had similar setup when I had credit card in the past (when I worked in Hong Kong I had to open bank account with HSBC and my account came with Visa credit card, the debit card they issued was not Visa or MasterCard so did not work in many stores so I used credit card mostly).

It was annoying as even though I setup automated direct debit I simply didn't have peace of mind. I don't trust HSBC systems to be bug free and a bug in their software which would not process by direct debit is something I'd keep worrying about. Much better not to have this additional subconscious stress.

But if you are in UK or Germany or country like that there is no need for credit card really. Debit cards are ubiquitous and work everywhere (UK banks will give you a proper Visa/MC debit card, not some Mickey Mouse debit card which only works in ATMs).

> But if you are in UK or Germany or country like that there is no need for credit card really.

There's no need, indeed. But as I said, a month's grace on paying for everything and free plane tickets every so often.

Shops make everything slightly more expensive if most people use a credit card... So you still end up paying for it.

You skip it - don’t have a credit score, and when you finally get around to buying a home use a lender that will manually underwrite your mortgage.

The fallacy of needing to use debt for day to day living is ruining people.

The same way someone new (young people, immigrants) gains history now. Start with something low/no risk in order to build history.

The same way you do now, as a new adult: apply for a very low-limit credit card, get an older relative to co-sign a loan for you, etc. Over time you build history that shows you are (or are not) trustworthy to lend to.

This is not a new problem. The solution is the same as it is today, you must build a history with small limit revolving lines, cosigners and guarantors.

People do have a single identity, it just isn't bound up in their documents.

You must not know (m)any LGBTQ+ people. I have several identities, and each serves a perfectly legitimate and harmless purpose.

Those are arguably facets of a single identity.

For instance, you did not refer to yourself as "we".

The confusion you have here is that you have the wrong conception of "identity". You are assuming there is a single "authoritative" identity established by your physical being, and that is the fundamental error here. You can't refute that by simply assuming it again.

I'm not the same person I was when I was 30 years younger, and I'm not the same person here that I am in person. Those differences are differences in Identity. It doesn't matter if you want to call the 'different facets', because the only thing that matters is that they are distinguishable, and thus not the same identities. Your understanding of Retra is as much an understanding of me as it is an understanding of 2-year-old me.

Sure, but you're still the same person/individual underneath. Your various identities share, for example, the same creditworthiness.

There are crypto solutions that could make his much more interesting, such as bling signers, identity based encryption, zero knowledge proofs, etc. Most of the downsides could be worked around, if we innovate a teal solution instead of something off the shelf.

Blind signers. But I do wonder what a bling signer would do...

And “an ideal solution”. How long until we have semantic awareness in autocorrect?

Certainly national IDs are a feature of totalitarian regimes, but I don't see how they necessarily lead to one. Plenty of free societies in the world have national IDs and live quite democratically.

Estonians seem to do kind-of fine. Ignoring the weak random number generation thing ofc.

How would you know you were issuing the certificate to the right person though?

The same way you do with any other document.

Doesn't that not even really work though?

I think the idea here is that it shifts the person checking identity to the government, rather than individual organizations.

Most of the time it does. When it doesn’t you revoke the cert.

By checking their Social Security number?

National ID is the first step to https://www.aclu.org/ordering-pizza

It would be incredibly expensive to implement. I personally would make a lot of money on it, but the complexities are almost unlimited.

The GOP would never let it happen because it would make it too difficult to suppress black and poor voters by making registration unnecessary.

Wait, I thought GOP was in support of voter ID to suppress voting?

If you replaced SSN with a universal ID, that would imply that anyone filing a tax return would need one.

The purpose of voter ID laws is to suppress voting by poor people, especially African Americans, who lack ID because they do not drive, or have a difficult time meeting the standard of proof for getting an ID, or have difficulty going to the one DMV that supports their geography an hit away without a car. It’s the most recent of techniques used to suppress voting since the poll taxing and literacy tests of the reconstruction era.

Unfortunately my comment wasn’t well-received, but that doesn’t take away from the reality. A federal ID, unencumbered by the bullshittery imposed in many states, would be opposed bitterly.

Digital certificates sound like a terrible idea.

I would prefer a smart token/card with a PIN on it.

And the government should not do anything stupid like try to put a GPS on it "for security purposes", which even if it was technically a good feature for that and not just another backdoor through which intelligence agencies can spy on everyone, it would kill the whole idea immediately.

A smart card is just a carrier for a digital certificate.

> I would prefer a smart token/card with a PIN on it.

What do you think is inside the token?

So, you would prefer that your legal obligations be determined by a privately manufactured black box?

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact