
I don't trust the UK government either. But I'm both British and Australian and I see the need for a centralised identity service.

Because the alternative is that we provide our passport to every online service that 'needs' to verify our identity. Then – lo, would you believe it! – they get hacked, and now all of our data is in the wild again.

I'd much rather the government, who already know everything about me because may I remind you they issued the documents, had some way of that company querying my 'verified identity'. They might do it by me providing, say, an ID number string which is looked up. That's all they get: my ID number. In return, they get confirmation that I am who I say I am.

Oh by the way I already have at least 2 of these ID numbers as an Australian citizen. My aforementioned passport, and my driver licence. Both of which I know I should keep 'private', lol, but if I want to interact with the world in any meaningful way the reality is that I spray these digits – along with my date of birth and address and whatever else they ask for – all over the goddamned place.

But sure, centralised identity is bad.



Your mistake is assuming good faith on behalf of the government who arrests thousands of people for social media posts. Beyond faith, they are incredibly incompetent and this data will be stolen.


Just because it’s social media doesn’t excuse inciting violence or hate speech. I’m not going to claim that every arrest in the UK due to social media posts was just, but I also disagree that social media should permit unrestricted speech.


They didn’t arrest anyone for “making social media posts”. The police (not the government) arrested people due to the content in the posts breaking an existing law. Big difference.


You miss GP’s point. They’re not assuming good faith, they’re pointing out that the government already knows identity credentials and can, encrypted or not, quite easily correlate digital activity with those credentials.

The question isn’t whether the government can/will identify and track you. They do, in good faith or bad. This is unfortunate and attempts to allow them to decrypt or acquire additional data about citizens’ activities (like chat control) should be opposed, but identity/activity tracking is omnipresent and irreversible.

The question is whether identity credentials should be available which reduce the risk of additional credential theft or bad-faith action (e.g. by other entities stealing non-secure-for-digital-use credentials like passports).


Why do services need to verify identity?

What service needs a solution to verify identity that doesn't already exist?

Banks do KYC now. Employers already need a National Insurance number to employ someone. Benefits get paid to a named payee. Emergency healthcare needs no insurance and waiting lists come via a GP who indeed knows me.

What service needs a further centralised deposit of power over identity?


In Australia (and many other countries), we need to KYC when we get a new mobile plan. This makes sense: you can do a lot of criming with a 'dark' phone number.

Predictably enough, then...

https://en.wikipedia.org/wiki/2022_Optus_data_breach

> In September 2022, Australian telecommunications company Optus suffered a data breach that affected up to 10 million current and former customers comprising a third of Australia's population. Information was illegally obtained, including names, dates of birth, home addresses, telephone numbers, email contacts, and numbers of passports and driving licences.


You can do a lot of criming with a pair of shoes. Some might argue that shoes are essential for many types of crime.

When will we KYC shoes?


Yes, all of these services. Plus a ton more - hotels, car hire, various government digital services.

For example I get married abroad and I need to change my name, if a system was present I could just go to a website, enter my request, identify and then wait for my new docs to arrive, all while staying abroad.

But it’s even better - banks / employers don’t need all of my information all the time, they just need to verify that I am who I say I am at that moment, so the credentials I am giving them through a digital system can reflect that. Call it requesting a scope from a government openid system.

And I have the power to revoke that.

And all of the various little government agencies don’t need to request all the documents to bootstrap trust every single time, they can just be given a convenient (timed) access token by me.

Implemented right, it gives much less data to people in a much more convenient and secure way. I guess the “implemented right” is the problem.

But maybe that’s an orthogonal thing that needs to be solved by itself? How we have independent central banks that don’t (shouldn’t) succumb to the whims of governments - they have a clear narrow mission and they are supposed to follow it regardless of what an administration would want.

If we had an “auth provider” government thing whose mission might be more closely aligned with the population, giving a government _just enough_ data to make it efficient but so it cannot abuse it.

Built in adversity and distrust is how we finally got a government to “work” with the separation of powers and all of that, maybe we need to think about improving the political system with some know-how from web tech, cause I think working efficiently, effectively and reliably in an environment of mistrust is what web tech is known for.
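The scoped, timed and revocable credential described in the comment above, sketched as an added example (not the commenter's code and not any real government API). The function names, claim names and record are hypothetical, and an in-process set stands in for the provider's revocation service.

```javascript
// Added illustration: an identity provider releases only the claims in the granted scope.
const crypto = require('node:crypto');

// Identity provider: holds the full record and an Ed25519 signing key.
const idp = crypto.generateKeyPairSync('ed25519');
const RECORD = { name: 'Alex Example', dob: '1990-01-01', passport_no: 'X0000000', over_18: true }; // constructed
const revoked = new Set(); // grant ids the holder has withdrawn

// Issue a signed assertion for one audience, carrying only the scoped claims.
function issueAssertion(audience, scope, ttlSeconds, now) {
  const body = { jti: crypto.randomUUID(), aud: audience, exp: now + ttlSeconds, claims: {} };
  for (const name of scope) {
    if (!Object.prototype.hasOwnProperty.call(RECORD, name)) throw new Error(`unknown claim: ${name}`);
    body.claims[name] = RECORD[name];
  }
  const payload = Buffer.from(JSON.stringify(body));
  const sig = crypto.sign(null, payload, idp.privateKey);
  return { payload: payload.toString('base64url'), sig: sig.toString('base64url') };
}

// The holder withdraws a grant before it expires.
function revoke(token) {
  revoked.add(JSON.parse(Buffer.from(token.payload, 'base64url').toString()).jti);
}

// Relying party: check signature first, then audience, expiry and revocation.
function verifyAssertion(token, audience, now) {
  const payload = Buffer.from(token.payload, 'base64url');
  const sig = Buffer.from(token.sig, 'base64url');
  if (!crypto.verify(null, payload, idp.publicKey, sig)) return { ok: false, reason: 'bad signature' };
  const body = JSON.parse(payload.toString());
  if (body.aud !== audience) return { ok: false, reason: 'wrong audience' };
  if (now >= body.exp) return { ok: false, reason: 'expired' };
  if (revoked.has(body.jti)) return { ok: false, reason: 'revoked' };
  return { ok: true, claims: body.claims };
}
```

The relying party ends up storing a yes/no claim rather than a passport number, so a breach on its side exposes far less than a copy of the document would.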


> Because the alternative is that we provide our passport to every online service that 'needs' to verify our identity.

I really really really don't want to 'verify my identity' everywhere. Why the F is that normalised these days?? If I buy something online my payment and delivery address is all they should need. And all they've had to have for the last 30 years.

> I'd much rather the government, who already know everything about me because may I remind you they issued the documents, had some way of that company querying my 'verified identity'.

Um yeah but right now they don't know what you do with your life all the time. And they have absolutely no business to.


As an adult, you probably need to authenticate yourself in the following situations.

Opening a bank account, getting a credit card, getting a mortgage or a loan, buying a flight ticket, signing up for internet service, signing up for mobile services, buying a concert ticket, and the list goes on.

What's common here is the service provider needs to know you are actually the person you say you are and not someone else.

Back in the old days when we applied for the service in person, you could take your driving license or passport to authenticate yourself, but with a myriad of services now moving online, we need a centralised system that mimics the physical ID.


For a flight ticket I just ID myself at the airport so that's not an issue. For concert tickets I don't need to do this now. For internet service I absolutely don't need that, all they need to know is that I pay.

And mortgage, bank etc I just do on premise of course. These things are rare and important enough to warrant to just go there.


Given the ongoing "age verification" fiasco, I'd be quite wary of giving UK government any more digital powers. They don't seem to be any good at using what they have.


Yeah age verification is another such idiocy. The EU is starting this BS as well. Great way for conservative politicians to make a name for themselves with their backers, but other than that it's not effective at all, considering the torrents are full of this stuff with no gating whatsoever.

Besides, parenting is the parents' job.


> If I buy something online my payment and delivery address is all they should need.

That's what verifying your identity is for. The payment. This cuts down on fraud. My credit cards often require me to enter a code they text me for a purchase to go through, when it's somewhere online I've never shopped before. That's confirming my identity. And my credit card needed my identity originally to look up my credit history, because they're literally loaning money.

Businesses want to know who you are to reduce fraud. Otherwise people input stolen credit cards, the charges get reversed, and the business is out of merchandise and money.

Obviously if you pay in something irreversible like Bitcoin then a business generally couldn't care less who you actually are, as long as there aren't any know-your-customer regulations (like if you're a bank or the address is in a sanctioned country etc).


The "credit card" model for buying stuff seems to be flawed. When you give some company your credit card number and CVV to buy something, they could always turn around and give the number to someone else.

The fix is very simple, but requires more interaction: (1) You ask merchant for stuff (2) Merchant sends you a "money claim" (3) you sign your money claim (4) the merchant takes the signed claim to the bank (5) the bank verifies the signature using your public key (6) bank transfers the money to merchant from your account
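The six-step signed "money claim" flow from the comment above, as an added example (not the commenter's code or any real payment scheme). Account names, function names and the unique claim id used to block replays are assumptions, and the bank is assumed to have already authenticated whoever presents a claim.

```javascript
// Added illustration: a signature binds payer, payee and amount, unlike a reusable card number.
const crypto = require('node:crypto');

const customer = crypto.generateKeyPairSync('ed25519'); // private key never leaves the customer

// Bank state (constructed): registered public keys, balances, and claim ids already paid.
const bank = {
  keys: new Map([['alice', customer.publicKey]]),
  balances: new Map([['alice', 100], ['shop', 0], ['mallory', 0]]),
  settled: new Set(),
};

// Step 2: the merchant issues a claim naming payer, payee, amount and a unique id.
function makeClaim(payer, payee, amount) {
  return JSON.stringify({ id: crypto.randomUUID(), payer, payee, amount });
}

// Step 3: the customer signs the exact claim bytes.
function signClaim(claim) {
  return crypto.sign(null, Buffer.from(claim), customer.privateKey);
}

// Steps 4 to 6: the bank verifies the presented claim and moves the money.
function settle(presenter, claim, sig) {
  let c;
  try { c = JSON.parse(claim); } catch (e) { return 'rejected: malformed claim'; }
  const key = bank.keys.get(c.payer);
  if (!key || !crypto.verify(null, Buffer.from(claim), key, sig)) return 'rejected: bad signature';
  if (c.payee !== presenter || !bank.balances.has(c.payee)) return 'rejected: claim names another payee';
  if (bank.settled.has(c.id)) return 'rejected: already settled';
  if (!Number.isInteger(c.amount) || c.amount <= 0 || bank.balances.get(c.payer) < c.amount) {
    return 'rejected: invalid amount or insufficient funds';
  }
  bank.settled.add(c.id);
  bank.balances.set(c.payer, bank.balances.get(c.payer) - c.amount);
  bank.balances.set(c.payee, bank.balances.get(c.payee) + c.amount);
  return 'paid';
}
```

A signed claim passed to a third party, altered, or presented twice is refused, which is the property a card number and CVV cannot provide.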


Absolutely, credit cards are insanely insecure, everything that is needed is written on it. I don't know why we are stuck with this archaic American system. They patched it with a form of 2FA (Mastercard 3D Secure / Visa whatever) but it's still really patchy and in many cases is not even triggered at all even for big purchases.

But here in Europe we have much better payment methods like iDeal in Netherlands and Bizum in Spain (now going pan-EU with Wero)


That's basically how PSD2/SEPA payment flows function in Europe if there is a functional eID system. I think I've used such a system for nearly a decade now.


Airlines and airline middle-men organisations are the worst offenders and centralised identification is not going to help there. Having flown with a few airlines, your details are out there. In the UK, national and travel passport are the same.


That's true. I remember Karsten Nohl's presentation about this at 33c3 and not much seems to have improved.

https://securityaffairs.com/54969/hacking/flight-bookings.ht...



