USA: Government Agencies Starting to Mandate ID.ME for Identity Verification

What could go wrong?

I hope we will still be able to conduct our affairs by snail-mail, as I’m not at all ready to jump on board with this!

7 Likes

They expect people to wait around for literal hours to get verified? Who thought this was a good idea?

Guess I’ll buy some H&R Block stock, nobody’s gonna go for this BS.

4 Likes

Yeah, it’s crazy even by US Government standards.

I can think of several groups that will oppose this vociferously:

  • Privacy advocates (:wink:)
  • Fundamentalist Christians
  • Persecuted/vulnerable groups
  • Advocates for the homeless, disabled, mentally ill, elderly, etc.
  • Advocates for immigrant communities
  • Representatives for people of color
  • Certain conspiracy theory adherents
  • Anti-government groups
  • The National Rifle Association
  • Right-leaning news outlets
  • Left-leaning news outlets
  • The Libertarian Party
  • The many victims of previous major data breaches
  • Representatives for rural populations
  • Native American tribe councils
  • Americans living abroad
  • The technologically challenged
  • Amish and other modernity-rejecting religious groups
  • Etc.

Though, of course, bad actors for nefarious foreign regimes will be all over it from Day One.

3 Likes

From experience here, the most vulnerable to this change will be those claiming money from the government. They will not be given any choice other than, well, stop claiming money from the government, which for many people in that situation is no choice. Most other people who interact with the government can still (for now) opt out.

I still submit my tax returns and other tax-related documents on paper, not because I am a Luddite, but because I refuse to accept any of the technological solutions that my government has so far come up with. How long will I continue to have that option?

Every time I ring the [IRS equivalent] here they offer to register a voiceprint for secure identification. Each time I politely decline. How long will I continue to have that option? What could go wrong indeed?

5 Likes

I had to call Spectrum cable to get a new cable box and they wanted to do some voiceprint security thing too. I just said “Really?” and declined also. Life is getting really strange these days. SciFi

3 Likes

Fun reading: https://www.id.me/privacy

“…your Personally Identifiable Information and Sensitive Information reside on a secure server to which only select personnel and contractors have access.”

Oh, joy… :roll_eyes:

“The ID.me Website allows users to access Facebook Connect to interact with friends and to share on Facebook through Wall and friends’ News Feeds.”

“contractors” no doubt including some third party companies that contribute to their operations

plus any hackers (activist, thrillseekers, criminal organisations, foreign governments) who gain access to those systems or gain access to third party supplier systems or who compromise software suppliers (supply chain compromise)

plus the occasional inadvertent disclosure (e.g. extract done and left accessible from the internet or e.g. real data released for testing)

Key questions would be:

  • What information is accessible from the internet? Everything (because all information needs to be)? Only those things that need to be?
  • Is information stored encrypted so as to defeat at least basic hacks?
  • Are their backups properly secured?
  • What legislation impinges on how this company handles your data? Are they compliant?
  • Are any relevant (related or third party) companies located in other jurisdictions?
  • Have all relevant companies been independently audited for security and compliance across all aspects of their operations? Is that report publicly available?

Quite apart from any of the above, when it involves government, there is always concern about mission creep. Is this information automatically available to law enforcement? security agencies? available but with checks and balances? Not available? Plus, more generally, what will it be used for in the future that it is not currently used for?

2 Likes

Don’t forget:

  • When will IDme be bought by Facebook (or Google)?

(IDme partners with “cash back” programs from various sites and services, and advertising platforms, as I understand it.)

1 Like

Disappointing that, if this is required, it can’t at least be an in-house, government-owned solution. Thanks for the heads up.

3 Likes

There are ways to avoid IDme for now, I guess, (snail-mail, phone, etc.), at least for some things, but it’s worrisome that it might become mandatory in more functions that involve online government/official services.

2 Likes

Yes, that would be a sorry day. Identity functions are part of the government, like passports. In many European countries this has been regulated for a long time. If used well it can protect your privacy as well (not from an evil government, of course). For instance, in Holland all tax declarations are online using DigiD. It is made easy by prefilling all your income (known to them) beforehand. (The government knows more about you than you do yourself…!) So far no problems (wait till the Russians take over :cold_sweat:)

2 Likes

Yes.

I would go further to make explicit things like

  • an absolute prohibition on government’s monetising the collected data
  • an absolute prohibition on government’s selling off the entire function in the future
  • an absolute prohibition on the government’s releasing all or part of the data in any form, including in ‘anonymised’ form or aggregated form, to any entity outside of government
  • an absolute prohibition on private entities using the id for their own purposes
  • strict controls over who within government can access the data and for what purposes
  • strict controls over what information is collected i.e. a requirement that only what is essential to the purpose is being collected

At one time or other all of these restrictions, sadly, have shown themselves to be needed.

5 Likes

Actually, if you look at the Dutch usage of their identity system, all your requirements are met. I.e. if somebody buys alcoholic beverages only “passed age level” is provided, no further identification (unlike showing a driver’s license or other physical ID).

The Netherlands has one of the most comprehensive (electronic) population administrations in the known world. This backfired in WW2 when the German occupiers got easy access to it for nefarious purposes (e.g. selecting people on the basis of race/religion).


The image shows the extent and cross-references. Dutch people have nothing to hide anymore :innocent: :woozy_face:.

2 Likes

Is that provable to the user? i.e. are data flows auditable to the user? or taken on trust?

Also, doesn’t that leak tracking information about the user to the government? i.e. if you bought alcoholic beverages at three different stores at different times on the same date, would it provide a rough outline of your movements? and the more government-restricted transactions you do, the more precise the track of your movements?

I totally understand the point you are making - and that is at least better in some ways than what happens here, where you are likely to have to show your drivers licence e.g. on entry to a licensed club, hence leaking your full date of birth, your address, your full name, your drivers licence number to the licensed club but most likely not leaking anything to the government, unless something major happens at the club and then the government would likely seize the records of the club.

In other words, here if you trust the business more than the government then low-tech is better. :wink: If you trust the government more than the business then high-tech is better.

Wouldn’t it be good if you didn’t have to trust either of them?

5 Likes

This is audited by the independent (government) agency for privacy (AP = Autoriteit Persoonsgegevens). Also, all digital data are protected by the EU GDPR.

The Dutch government takes privacy extremely seriously (I know first-hand from working on these systems).

5 Likes

I Reveal My Attributes makes for an interesting read on this topic: https://privacybydesign.foundation/irma-explanation/

2 Likes

An interesting read but left me wondering … is that what @Jan2 is referring to? Or is iDIN what is being referred to by @Jan2? Or something else again?

Is there an independent audit of the system available somewhere (yes, it would have to be in English for me to read it but …)?

What stops a person who is over 18 giving an attribute that says “I am older than 18” to a person who is not over 18? I’ve read the explanation and it appears to suggest that two cooperating users could achieve this. This of course is not a privacy failure. However, if I were the government, that is the first question I would be asking.

1 Like

I do not know if Jan2 is referring to IRMA itself exactly, but he is at least referring to a similar implementation. It seems Jan2 is Dutch; I know I am :wink:

Scientific publications: https://privacybydesign.foundation/publications/
Reviews: https://privacybydesign.foundation/reviews-en/

Both Privacy By Design and SIDN are highly-regarded authorities (for what it is worth), and IRMA is open source: https://github.com/privacybydesign

The attribute for your birth-date would be created by the government and cannot be changed by the user. The attribute for your cinema subscription would be issued by the cinema.
The attribute for your bus ticket would be issued by the bus company.

IRMA is not about making it difficult to execute illegal activities. Of course two cooperating users could easily circumvent any check by not actually checking the official attribute. This currently happens with the corona-check-scanner: a malicious app exists that approves any QR.

That QR is a good example of revealing an attribute as well. The QR only reveals that one has a valid test/vaccination/recovery, but not which of the three, nor when it was issued.

Both the corona-check-app and -scanner are also open source: https://github.com/minvws

1 Like

That’s right. No one can modify his or her own birth date. Follow the links to https://privacybydesign.foundation/reviews/irmago-gabi-audit/ and this is referred to as Requirement S1 (Authenticity). No problem there. This is easy.

Digressing for a moment … claiming the credential “I am older than 18” is absolutely not what I intend as claiming the credential “my birth date is dd-mmm-yyyy”. Clearly though if I throw the latter credential at the operator of restricted premises, that will be sufficient to prove that I am older than 18. However this is exactly what I want to avoid i.e. surrendering my date of birth as an alternative to merely correctly claiming that I am older than 18.

For a start, surrendering my date of birth goes further towards losing anonymity, and secondly, surrendering my date of birth assists a criminal employee of the restricted premises in carrying out identity theft.

However, for the purposes of my actual question, either credential can serve as an example.

End of digression.

The actual requirement that I was asking about is referred to as Requirement S4 (Non-transferability).

Now continuing to follow the links to the original research paper, it makes the crucial observation:

Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials i.e. taking over her identity. This is implemented by a new primitive, called circular encryption.

Perhaps the state of the art has progressed since that paper in 2001 but it leaves some doubt for me.

To be clear, by two cooperating users I am talking about two members of the public (two “users”), who are the people who are controlled by this system involving “issuers” and “verifiers”. I am not talking about a member of the public (a “user”) cooperating with a “verifier” in order to skip the check, which is as you say straightforward.

Don’t get me wrong though. It’s great that the Dutch government cares about privacy enough to design it into the system. That is much more than my government cares (close to zero, except when it suits them) and I suspect it might not be much of a priority in the US either.

… at which point perhaps we should end this lengthy hijack and allow someone knowledgeable about ID.ME to elaborate on its privacy and security properties.

1 Like
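The distinction drawn above (presenting an issuer-derived “over 18” attribute instead of surrendering the birth date, while the verifier can still check that the issuer vouched for it) can be illustrated with a small selective-disclosure credential. This is an added example written for this thread, not IRMA’s own code or its Idemix construction: it uses salted hash commitments per attribute and an HMAC as a stand-in for the issuer’s signature, and all keys, dates and attribute names are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed issuer key. Stands in for the issuer's signing key; in a real
# system the verifier would hold only the issuer's public key.
ISSUER_KEY = secrets.token_bytes(32)

def _commit(name, value, salt):
    """Salted commitment to one attribute; hides the value until the salt is revealed."""
    return hashlib.sha256(salt + f"{name}={value}".encode()).hexdigest()

def issue_credential(birth_iso, today_iso):
    """Issuer side: derive 'over18' from the birth date itself (Requirement S1),
    commit to each attribute separately, and tag the set of commitments."""
    b, t = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    age = t.year - b.year - ((t.month, t.day) < (b.month, b.day))
    attrs = {"birth_date": birth_iso, "over18": "true" if age >= 18 else "false"}
    salts = {k: secrets.token_bytes(16) for k in attrs}
    commits = {k: _commit(k, v, salts[k]) for k, v in attrs.items()}
    body = json.dumps(commits, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()  # signature stand-in
    return {"attrs": attrs, "salts": salts, "commits": commits, "tag": tag}

def disclose(cred, names):
    """User side: reveal only the named attributes (value plus salt); the
    other commitments stay closed, so the birth date is never sent."""
    return {"commits": cred["commits"], "tag": cred["tag"],
            "revealed": {n: (cred["attrs"][n], cred["salts"][n].hex()) for n in names}}

def verify(presentation):
    """Verifier side: check the issuer tag over all commitments, then open only
    the revealed ones. Returns the accepted attributes, or None on any mismatch."""
    body = json.dumps(presentation["commits"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None
    opened = {}
    for name, (value, salt_hex) in presentation["revealed"].items():
        if _commit(name, value, bytes.fromhex(salt_hex)) != presentation["commits"].get(name):
            return None  # user changed a value the issuer did not vouch for
        opened[name] = value
    return opened
```

What this does not show is Requirement S4: nothing here stops the adult handing the whole presentation to a friend, which is exactly the non-transferability question raised above.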

Indeed, I’m Dutch and retired for some time. (2 attributes for free :wink:). When working for the government DigiD was available as the general tool for proving your identity for government use only (Think electronic tax declarations). This system was then connected to your BSN (unique number for each citizen) and could be cross referenced to all available government registrations. You can find the BSN on physical documents like passport and driving license.

Soon it became clear that this (meant to be anonymous) number became one’s full identification, and research was done to provide a safer way that was still easy to use. iDIN (persons) and eID (companies) were explored, all as central systems under government control. After increasingly more focus on privacy, the Government opted for (partial) decentralization, and now there is IRMA.

Since the interconnection of government registrations (back to the 90’s), two principles were leading:

  • no wrong door - no matter where you provide info to the government (province, local community, etc.) you don’t have to do it twice (i.e. change of address)
  • purpose limitation (“doelbinding” in Dutch) - information (about persons) is provided and limited based on need [for a given purpose]

Purpose limitation is now also incorporated in the European GDPR. However much we mistrust our Dutch government, it has always tried to do the right thing, sometimes unintentionally unsuccessfully. (I’m aware that for the secret services this may not be the case.) The whole process from BSN to IRMA was evolutionary, no Big Bang. We will see what will come tomorrow …

3 Likes