
Your talking about "identity theft" as if it's an unquestionable concept demonstrates precisely why there is opposition to strengthening the technicals of identification. Every bit that makes identification stronger is yet another excuse for businesses to assert that it is infallible. Even currently, rather than banks simply admitting they were defrauded and thanking/compensating the innocent bystanders for helping them set things right, they keep pushing this "identity theft" narrative to make it seem like the unlucky victims of bank's incompetence have some sort of intrinsic involvement!

It's understandable how it got this way, as from inside the system's paradigm it does look like an "identity was stolen". But the map is not the territory - despite businesses wishing that it were because they can only operate in terms of the map. We are not subjects of the government nor of corporations - free people must resist being cataloged and controlled by database rows that seek to override our actual existence.

Furthermore in regards to the US, it's basically a foregone conclusion that any government-mandated ID system will not include effective restrictions that keep corporations from hooking on to build invasive tracking. Let's hold them to reining in the ongoing widespread abuse of license plates, driver's license numbers, etc before we go advocating for even more identifying requirements on individuals in this age of surveillance.




> they keep pushing this "identity theft" narrative to make it seem like the unlucky victims of bank's incompetence have some sort of intrinsic involvement!

But how is it that it's not really a problem in Estonia, where we have e-identity strongly attached to a citizen. Or are you saying our banks, institutions, telecom and other companies are somehow more competent?

You also have SSNs which is a government-mandated ID system that keeps you as rows in a database. Stop the holier-than-thou please.


> But how is it that it's not really a problem in Estonia, where we have e-identity strongly attached to a citizen

I have no idea how your dispute process looks in Estonia. What happens if you lose your national ID card, don't realize it for a week, and someone has used it to do a bunch of things in your name? The sensible answer is that anything unauthorized should be rolled back or otherwise not attributed to you. This need is obvious when an "ID" is a plain 10 digit number. But when the average person can't imagine an ID being cloned because it's stored on a "smartcard", then it's a lot easier to sell responsibility as being on the person that lost their card.

> You also have SSNs which is a government-mandated ID system that keeps you as rows in a database. Stop the holier-than-thou please.

I only left off SSN next to license plate and driver's license number for brevity's sake. I was directly referencing ongoing problems here, so I certainly wasn't trying to be "holier-than-thou" in some kind of nationalist cheerleading. My point is that the existing ID systems that exist are being straight up abused (license plates -> ANPR, driver's license -> Retail Equation, SSN -> LexisNexis, for some of the most blatant abuses). The USian political philosophy discourages any sensible regulations that would rein this in, and that needs to be fixed before providing even more raw data for surveillance companies to build on.

In Estonia, how would you deal with a supermarket deciding to make it so that customers wanting a sale discount card have to link their national ID?


> What happens if you lose your national ID card, don't realize it for a week, and someone has used it to do a bunch of things in your name?

If you were stupid enough to attach the PIN codes to the card then you're liable for anything done with it by law. Dispute process is through the court system.

> so I certainly wasn't trying to be "holier-than-thou" in some kind of nationalist cheerleading.

Then I take back my passive aggressiveness.

> The USian political philosophy discourages any sensible regulations that would rein this in

Right now maybe, but who knows what'll happen in ten years.

> In Estonia, how would you deal with a supermarket deciding to make it so that customers wanting a sale discount card have to link their national ID?

It is already being done - national ID as loyalty program. Though it is not considered an issue because both card payments and loyalty programs already have all the same information - except the unique personal identification number which isn't considered a secret (composed of public data). There's also the national and EU privacy laws that give one the right to be forgotten.


> If you were stupid enough to attach the PIN codes to the card then you're liable for anything done with it by law. Dispute process is through the court system.

Regardless of the stupidity, that's still a pretty poor outcome. I assume the same applies if you were shoulder surfed, or you're an early victim of a newly discovered security bug? Or if you're kidnapped and forced to perform a transaction? It's kind of ridiculous to be made to have an item that creates essentially unbounded liability for you. This is exactly what I mean about "identity theft" morphing to be considered a real thing. This is commercially expedient, but utterly unjustifiable to those caught on the other side of it.

> It is already being done - national ID as loyalty program. Though it is not considered an issue because both card payments and loyalty programs already have all the same information

So you're saying there's no technical aspect that prevents stores from obtaining your identity? That's an outright failure. I've personally moved back to strictly paying cash for groceries [0], so this would certainly not be a welcome development for me.

> There's also the national and EU privacy laws that give one the right to be forgotten.

This is kind of the crux in that you're essentially trusting national laws to police the companies' use of the identifiers, and rein in their worst abuses. This is basically a non-starter in the US - industries basically buy the laws they want, and do whatever they like behind closed doors.

And sure, maybe we'll get to a future where GDPR-style anti-surveillance rights come to the US, are found to be workable, are enforced, actually enter into our culture, and further augmented with laws making it illegal to collect national identifiers in the first place (for anything but a narrow list of purposes) - only then would it make sense to discuss strengthening identifiers. Until then, it carries heavy downsides to the individual person.

[0] For the sale prices, ask the cashier to swipe the store card, enter a random phone number, or periodically sign up for new discount nyms with junk information. Which is all only possible because stores don't clamp down too hard, because requesting eg SSN would scare people away.


> Regardless of the stupidity, that's still a pretty poor outcome. I assume the same applies if you were shoulder surfed, or you're an early victim of a newly discovered security bug? Or if you're kidnapped and forced to perform a transaction?

All of those are possibly overturned if you can prove it wasn't really you or you were kidnapped. Things like signing away your company or emptying your bank account have the usual countermeasures. The physical aspect of your online identity does mean that you can take clear and simple precautions of it leaving your possession, someone just shoulder-surfing can't do much. It can't just be your SSN (our ID code) leaving your knowledge, it has to be someone near to you in which case no other system protects you either. So it really isn't a downgrade at least in my opinion.

> So you're saying there's no technical aspect that prevents stores from obtaining your identity? That's an outright failure. I've personally moved back to strictly paying cash for groceries [0], so this would certainly not be a welcome development for me.

If you choose to, yes, there's nothing that stops them. If you don't then they can't remotely collect that information. Unlike the CIA or NSA has, there isn't a private-company accessible facial recognition API :P



