Because the alternative is that we provide our passport to every online service that 'needs' to verify our identity. Then – lo, would you believe it! – they get hacked, and now all of our data is in the wild again.
I'd much rather the government, who already know everything about me because may I remind you they issued the documents, had some way of that company querying my 'verified identity'. They might do it by me providing, say, an ID number string which is looked up. That's all they get: my ID number. In return, they get confirmation that I am who I say I am.
Oh by the way I already have at least 2 of these ID numbers as an Australian citizen. My aforementioned passport, and my driver licence. Both of which I know I should keep 'private', lol, but if I want to interact with the world in any meaningful way the reality is that I spray these digits – along with my date of birth and address and whatever else they ask for – all over the goddamned place.
But sure, centralised identity is bad.
I really really really don't want to 'verify my identity' everywhere. Why the F is that normalised these days?? If I buy something online my payment and delivery address is all they should need. And all they've had to have for the last 30 years.
> I'd much rather the government, who already know everything about me because may I remind you they issued the documents, had some way of that company querying my 'verified identity'.
Um yeah but right now they don't know what you do with your life all the time. And they have absolutely no business to.
The question isn’t whether the government can/will identify and track you. They do, in good faith or bad. This is unfortunate and attempts to allow them to decrypt or acquire additional data about citizens’ activities (like chat control) should be opposed, but identity/activity tracking is omnipresent and irreversible.
The question is whether identity credentials should be available which reduce the risk of additional credential theft or bad-faith action (e.g. by other entities stealing non-secure-for-digital-use credentials like passports).
That's what verifying your identity is for. The payment. This cuts down on fraud. My credit cards often require me to enter a code they text me for a purchase to go through, when it's somewhere online I've never shopped before. That's confirming my identity. And my credit card needed my identity originally to look up my credit history, because they're literally loaning money.
Businesses want to know who you are to reduce fraud. Otherwise people input stolen credit cards, the charges get reversed, and the business is out of merchandise and money.
Obviously if you pay in something irreversible like Bitcoin then a business generally couldn't care less who you actually are, as long as there aren't any know-your-customer regulations (like if you're a bank or the address is in a sanctioned country etc).
What service needs a solution to verify identity that doesn't already exist?
Banks do KYC now. Employers already need a National Insurance number to employ someone. Benefits get paid to a named payee. Emergency healthcare needs no insurance and waiting lists come via a GP who indeed knows me.
What service needs a further centralised deposit of power over identity?
opening a bank account, getting a credit card, getting a mortgage or a loan, buying a flight ticket, signing up for internet service, signing for mobile services, buying a concert ticket and the list goes on.
What's common here is the service provider needs to know you are actually the person you say you are and not someone else.
Back in the old days when we applied for the service in person, you could take your driving license or passport to authenticate yourself, but with a myriad of services now moving online, we need a centralised system that mimics the physical ID.
For example I get married abroad and I need to change my name, if a system was present I could just go to a website, enter my request, identify and then wait for my new docs to arrive, all while staying abroad.
But it’s even better - banks / employers don’t need all of my information all the time, they just need to verify that I am who I say I am at that moment, so the credentials I am giving them through a digital system can reflect that. Call it requesting a scope from a government openid system.
And I have the power to revoke that.
And all of the various little government agencies don’t need to request all the documents to bootstrap trust every single time, they can just be given a convenient (timed) access token by me.
Implemented right, it gives much less data to people in a much more convenient and secure way. I guess the “implemented right” is the problem.
But maybe that’s an orthogonal thing that needs to be solved by itself? How we have independent central banks that don’t (shouldn’t) succumb to the whims of governments - they have a clear narrow mission and they are supposed to follow it regardless of what an administration would want.
If we had an “auth provider” government thing whose mission might be more closely aligned with the population, giving a government _just enough_ data to make it efficient but so it cannot abuse it.
Built-in adversity and distrust is how we finally got a government to “work” with the separation of powers and all of that, maybe we need to think about improving the political system with some know-how from web tech, cause I think working efficiently, effectively and reliably in an environment of mistrust is what web tech is known for.
Predictably enough, then...
https://en.wikipedia.org/wiki/2022_Optus_data_breach
> In September 2022, Australian telecommunications company Optus suffered a data breach that affected up to 10 million current and former customers comprising a third of Australia's population. Information was illegally obtained, including names, dates of birth, home addresses, telephone numbers, email contacts, and numbers of passports and driving licences.
The fix is very simple, but requires more interaction: (1) You ask merchant for stuff (2) Merchant sends you a "money claim" (3) you sign your money claim (4) the merchant takes the signed claim to the bank (5) the bank verifies the signature using your public key (6) bank transfers the money to merchant from your account
And mortgage, bank etc I just do on premise of course. These things are rare and important enough to warrant to just go there.
But here in Europe we have much better payment methods like iDeal in the Netherlands and Bizum in Spain (now going pan-EU with Wero).
Besides, parenting is the parents' job.
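The six-step signed "money claim" flow from the comment above, as an added example that is not part of the original thread. The Ed25519 keys, field names, claim id and 300-second expiry are assumptions, added so the bank can reject altered and replayed claims.

```javascript
// Added example: Ed25519, field names, claim id and expiry are assumptions, not from the thread.
const crypto = require('crypto');

// Canonical bytes that get signed: fixed field order so payer and bank hash the same thing.
const encode = (c) => Buffer.from(JSON.stringify([c.id, c.merchant, c.payer, c.amountCents, c.expires]));
// (2) Merchant issues a claim with a unique id and a short expiry.
const makeClaim = (merchant, payer, amountCents, now) =>
  ({ id: crypto.randomUUID(), merchant, payer, amountCents, expires: now + 300 });
// (3) Payer signs the claim; the private key never reaches the merchant.
const signClaim = (claim, privateKey) => crypto.sign(null, encode(claim), privateKey);

class Bank {
  accounts = new Map(); // name -> { balance, publicKey }
  settled = new Set();  // claim ids already paid (replay protection)
  open(name, balance, publicKey = null) { this.accounts.set(name, { balance, publicKey }); }
  // (4)-(6) Merchant presents claim + signature; bank verifies, then moves the money.
  settle(claim, signature, now) {
    const payer = this.accounts.get(claim.payer);
    const merchant = this.accounts.get(claim.merchant);
    if (!payer || !payer.publicKey || !merchant) return 'unknown-account';
    if (!crypto.verify(null, encode(claim), payer.publicKey, signature)) return 'bad-signature';
    if (now > claim.expires) return 'expired';
    if (this.settled.has(claim.id)) return 'replayed';
    if (!Number.isInteger(claim.amountCents) || claim.amountCents <= 0) return 'bad-amount';
    if (payer.balance < claim.amountCents) return 'insufficient-funds';
    payer.balance -= claim.amountCents;
    merchant.balance += claim.amountCents;
    this.settled.add(claim.id);
    return 'paid';
  }
}

// Constructed demo: a claim with an altered amount, the honest payment, then a replay.
function demo() {
  const now = 1700000000; // constructed timestamp, in seconds
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const bank = new Bank();
  bank.open('alice', 10000, publicKey);
  bank.open('shoe-shop', 0);
  const claim = makeClaim('shoe-shop', 'alice', 2500, now);
  const sig = signClaim(claim, privateKey);
  const tampered = bank.settle({ ...claim, amountCents: 9000 }, sig, now);
  const paid = bank.settle(claim, sig, now);
  const replay = bank.settle(claim, sig, now + 1);
  return { tampered, paid, replay, aliceBalance: bank.accounts.get('alice').balance };
}
console.log(demo());
```

Unlike a card number, the signed claim names one merchant and one amount and settles once, so a copy leaked from the merchant's systems cannot be reused for another charge.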
https://securityaffairs.com/54969/hacking/flight-bookings.ht...
When will we KYC shoes?