“Login.gov is already used to access 200 websites run by 28 Federal agencies and over 40 million Americans have accounts,” Wyden wrote in a letter to the IRS today. “Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity. The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”
If the IRS (or Sen. Wyden) is looking for a "core government service" which has been inappropriately commercialized, they might start with tax preparation.
This article[1] has more details. Sen. Wyden[2] has been pushing for more funding to the IRS to develop its free file program, but TurboTax has been successful via their lobbying of Republican politicians and some Democratic politicians in preventing it from happening.
Lol. It's always the Republicans. If it was a priority for the Dems, they'd have done it. They have gotten through several other things the Republicans opposed.
Anyhow, the better alternative is to return to lower the rates and remove deductions (aside from the standard deduction). Even simpler yet would be to go to a flat tax with an extremely high standard deduction (e.g. ~$50k with ~10% after that).
I can't think of many good reasons to continue complicating the IRS code aside from political targeting and giving Congress more kickbacks.
> Even simpler yet would be to go to a flat tax with an extremely high standard deduction (e.g. ~$50k with ~10% after that).
That's not a flat tax. That is a progressive tax with two brackets.
Once you have accepted that progressive taxes are acceptable, it is hard to see why two brackets is better than three, or 4, or even dozens. One might argue that two brackets is simpler than say 10 brackets, but that is a very weak argument since it is just a table lookup, and nobody can argue with a straight face that a 10 line table is too complicated.
An interesting exercise is to consider what it would be like if instead of a single tax to cover everything funded by income tax we did a two bracket progressive tax for each budget item separately, with the taxes applied serially. By applied serially I mean that the taxable income for tax N+1 is what is left after you have paid tax N.
You then end up with a progressive tax with N+1 brackets where N is the number of budget items (and then you would have a table big enough that it would arguably be complicated!). If you keep the same total budget but divide the budget items into smaller subitems, your tax curve approaches a continuous curve which represents a progressive tax with an infinite number of infinitely small brackets.
I remember working out the equation for that curve once, and finding the result mathematically satisfying, but I've totally forgotten what it was.
> Once you have accepted that progressive taxes are acceptable. . .nobody can argue with a straight face that a 10 line table is too complicated.
First, I don't think anyone should pay taxes on their labor. And just because my labor makes more shouldn't mean I pay a higher percentage; so, no, I don't agree with the concept of progressive taxation on labor. Regardless, that's what we have.
Anyway, 10% after $50,000 is dead simple. e.g. make $120,000 as a family, take away $100,000, left with $20,000, I pay $2,000. Real tax rate is only 1.6%, so maybe that's too nice for the American family? You can change it to 15% after $25,000 and it's still simpler. $120k-$50k=$70k x .15=$10.5k or 8.75% real tax rate, all without worrying about IRAs, 401ks, HSAs, etc.
With 6-12 tax brackets with a crazy amount of deductions, I need to:
1) calculate taxable income. This is some func of deductions. i.e. standard deduction ($25k) + max 401k ($20k) brings taxable income to $75,000. There are other deductions such as IRAs, HSAs, 529, etc; all with their own maxes based on various criteria and income, which has its own list of gotchas that screw over people. Hopefully you didn't forget a deduction on top of all that.
2) Now determine tax rate. 22%. Feels bad, but whatever - nearly a quarter of your income (nominally, at least) to finance the debt to keep inflation going. The graph says ~$4,800+22% of anything over ~$42,000. Alright. So $4,800+(22% x $33,000)=$12,060 are taxes owed.
3) Now determine your credits, if any. Such as a child credit. I hope you know your credits, because you might've forgotten about a tax credit for something you bought. Let's assume you know you get $3600 for a toddler, and put that in. Now your $12,000 is $8,400.
4) Ensure your paid taxes are correct. You paid throughout the year, adds up to ~$8000. So taxes due are now $400.
5) Now you go to pay $400. Welp. Now you need to pay $50 because you decided you wanted to buy a stock that gave you $10 in dividends in a brokerage account, and now you can no longer free file. But you don't want to be audited, so you report the $10 and pay the $50.
Yeah, that's very simple and straightforward. But good news is the actual tax rate is actually only 7%, even though you felt like you just paid nearly 22%, wasted hours of your life, and were insulted with an additional fee just to pay your taxes.
> With 6-12 tax brackets with a crazy amount of deductions, I need to [list of 5 steps]
None of your steps are made more complicated by more brackets or less complicated by fewer brackets. You determine your taxable income (the complicated part), then look up that taxable income in the tax tables (simple).
If the taxable income is low enough, there is a table with a large number of entries that each cover a small enough range that you don't even have to do any computation. You just find the line that covers your taxable income and the table tells you the tax.
If your income is too high for that table you have to use a smaller table with entries that cover larger ranges. That table currently has 4 entries. You find the row whose range includes your taxable income, and calculating your tax involves a multiplication and a subtraction--which is just as much work as calculating your tax under your proposed two bracket system for people whose income is high enough to be in the second bracket.
You're not wrong in saying that tax codes in general are complex. The problem is, they're complex for a reason.
Tax codes are a tool of policy makers. They allow wealth and income distribution. They allow compensation. And they allow policy makers to promote or penalize specific behaviors or activities.
Look at the legal system as a code base (in French, 'law' translates to 'code'). And imagine having 538 product owners, each asking for 'just one feature' that is both 'critical and urgent'. Is it any wonder that we are in this situation?
Perhaps we should implement more sunset provisions? I don't know. But 'we need a simpler system' is sort of like 'we have too many LoC'. It's true, but not easily actionable.
Yes, but we all know that business rules and logic can be very complex, but you can still simplify the interface for the vast majority of users.
The IRS collects tax information from most businesses with employees, banks and investment firms, so it is comically easy to pre-load that information in a tax return. Ask a few simple questions (did you buy a house, did you start a business, do you have a new dependent). Pre-fill what you can. Generate a report which you can directly file or share with your tax expert. Many developed countries do this.
While this (correctly) tanks an entire industry of tax preparation software, it actually makes it easier for politicians to do their thing. Right now a tax break for X is buried under form 92921X2 which you learn about after reading the instructions for line 48 on schedule 8812 which you are filling in after being told to in the supplementary instructions for line 21 on your 1099. If you elected to use the alternative streamlined maximum option, of course, if you chose for the default minimum compensation model, well, those are different forms.
With a properly made simple official tax filing process, you just see you got an extra $400 back this year because of the tax break for X.
> They allow wealth and income distribution. They allow compensation. And they allow policy makers to promote or penalize specific behaviors or activities.
Robbing Peter to pay Paul is not a good reason to tax. Taxation should be decided by the whims of a crab bucket.
> Look at the legal system as a code base (in French, 'law' translates to 'code'). And imagine having 538 product owners, each asking for 'just one feature' that is both 'critical and urgent'. Is it any wonder that we are in this situation?
We're in this situation because most congressmen believe they have the right to impose their morals on and at the expense of individual men and women by way of legislative fiat.
> Perhaps we should implement more sunset provisions? I don't know. But 'we need a simpler system' is sort of like 'we have too many LoC'. It's true, but not easily actionable.
It is actionable. Politicians, however, are usually ignorant of tax law until there comes a point where the "wrong" people "win" too much. That is the issue in what should mostly be an administrative affair, if it should at all occur. The people who complicate the tax code do not lack the wherewithal to simplify it. Their feigned weakness and indifference is a choice.
The GOP opposes it; they are the obstacle. I think such actions by the GOP have become normalized for people, and so they overlook it. I don't see how you can blame the Democrats, who are voting for it.
> If it was priority for the Dems, they'd have done it.
Seems like the donations are pretty evenly split for the companies that would be the largest lobbies over the past several years. This seems like the case of the uniparty being apparent, where there's no real drive to simplify the tax code because it's something both can blame each other on when nothing is done. Of course, this was the entire point of the TEA Party (which later became manifested as MAGA), which was mainly a conservative movement, so it manifested inside the GOP, but the GOP RINOs in Congress did nothing.
I haven't seen the Dems get into law a significant simplification of the tax code in the last 20 years. The last simplification we got was from Trump (which was a good step, but obviously isn't the final desired location).
He also did that before the Dems took back the House, so he had the GOP sign on to it.
This is a really good point - if the tax code were a few dozen pages for the common case instead of a few hundred, then you might not even need tax-prep software in the first place. "The best program is the one that doesn't exist", to quote a popular refrain.
Ongoing software projects require periodic refactoring to reduce complexity and increase comprehension - why would the law be any different?
I think we've fairly well established that the complexity of the code isn't the problem. The IRS knows what you owe and could just tell you if they wanted to.
Having citizens exposed directly to the mechanics of it during the filing process is a policy choice and the way to fix that is to change the policy, not try to reinvent the tax code from first principles.
This is a complex set of laws yes but it is also detailed multi-generational documentation of all the shit people have tried to pull. You don't just throw that out because it has grown complex. Like all necessary complexity, you isolate and manage it, not spray it all over the end user.
> The IRS knows what you owe and could just tell you if they wanted to.
This is true often, but not always. Examples just off the top of my head:
* Had large medical bills compared to your AGI? How does the IRS know that?
* Paid for college tuition? How does the IRS know that?
* Deducting state sales taxes? How does the IRS know what those were for you?
* Paid for daycare? How does the IRS know how much?
I'm sure I could find more examples if I went and looked at the actual tax forms right now. And while these are all things that don't affect everyone every year, they do affect a large fraction of people at some point in their lives. They certainly affect everyone who pays for college or has kids.
Note that this is not getting into anything too esoteric here, and completely ignoring anything involving self-employment or consulting, or running a small business or whatever. I _think_ those are rarer than having kids anyway.
Now could we have a more streamlined filing process that did the easy bits when possible and asked more directed questions to find out whether people might be in edge cases that might need more handholding or professional help? Absolutely. Could we get rid of the edge cases I listed above with a simpler tax code? Perhaps.
Itemize if you feel deductions will exceed the standard deduction, leave the rest of us alone to agree/disagree with the amount on the postcard the IRS sent and mail our checks. Now that our paid mortgage interest is low enough to not matter, I can’t remember the last year that the IRS couldn’t have just sent us a postcard with the amount they think we owe, and we would have paid probably exactly that amount. And we have a ton of stock transactions and the like. I’m willing to wager that for the vast majority of U. S. residents for the vast majority of their lives, their deductions will not exceed the standard deduction.
First of all, just to repeat: I am very much in favor of the IRS doing as much as it can on its end and then prompting for info it does not have but thinks should be relevant.
That said, neither daycare nor college tuition are itemized deductions. You can take the standard deduction and get credits/deductions for those at the same time.
Or the EITC: That one depends on who lived with you during the year, which the IRS also does not know. But it could ask that one question and then compute it for you...
Handling of stock transactions is the _easy_ case here, assuming the brokerages correctly track basis, because they already report all the relevant info to the IRS.
> I’m willing to wager that for the vast majority of U. S. residents for the vast majority of their lives, their deductions will not exceed the standard deduction.
That is a very sure bet, but not that relevant to whether the IRS can compute one's taxes because our tax code as currently structured has a bunch of credits and deductions that are not part of Schedule A that matter to quite a number of people.
And as I said, the vast majority of people who paid for child care would need to correct whatever number the IRS came up with for that.
Now I agree there are lots of people (healthy retirees, young college grads with no kids) who probably _could_ have their taxes done by the IRS entirely. And I'm all in favor of that happening, as long as we're clear that this is not going to reach everyone, and will generally benefit the people who are in the best position to navigate the current system already....
Which brings us back to reducing the underlying complexity, so the IRS could handle more cases itself.
> This is a complex set of laws yes but it is also detailed multi-generational documentation of all the shit people have tried to pull. You don't just throw that out because it has grown complex. Like all necessary complexity, you isolate and manage it, not spray it all over the end user.
Who says that complexity is necessary?
Most of that complexity just grew out of other complexity.
If you have a simpler tax code to begin with, you don't need to patch all the work-arounds people found.
Of course, that's much easier said than politically done. Simpler taxes are popular as an idea, but rarely when you get into the specifics.
> The IRS knows what you owe and could just tell you if they wanted to.
I must admit I've always sort of blindly believed the same thing, but here I am year after year accumulating and submitting my own absurd set of turbo-tax button smashes.
Honestly I have trouble figuring out how much I owe myself. I would believe that they have some core set of data linked to my SSN, and every time I submit they run some sort of markov-chain statistical model that says - "meh, looks pretty close. No need for further review. Please pay the refund to the latest identity scam." or "red flag for actual review".
100% chance the IRS is understaffed, running legacy spaghetti, managed by folks just trying not to be the next scapegoat so they can go home to their family and watch the next episode of what everyone at work is talking about.
> I think we've fairly well established that the complexity of the code isn't the problem. The IRS knows what you owe and could just tell you if they wanted to.
The IRS has no way to know which of your expenditures are tax-deductible.
If you think you can do better than the standard deductions, you’re more than welcome to itemize — just like today. Pretending that the current system is as good as it can get for the vast majority of individuals is disingenuous. Just look at every other country that sends out prefilled forms.
Some people have complicated taxes (need to itemize; IRS is missing information). Some people have simple taxes (standard deduction; IRS knows what they owe). Why should the second group have to pay for tax prep software or fill out forms by hand? Just to share the pain of the first group?
Do you honestly believe that the majority of individuals in the United States have complicated or unusual taxes? Do you believe that most individuals have tax situations that change significantly year to year? I suggest you talk with some European colleagues about how prefilled tax forms work in their home countries. I think you’ll be surprised.
Eh, you can take the standard deduction and the foreign tax credit or any of a bunch of other things that don't always have great information on forms.
A whole lot of preparing a tax return is plugging in numbers from forms that are sent to you and the IRS. It would be simpler (but perhaps less timely) if the IRS sent the taxpayer the return and if you disagreed, you could send in an amended form with any documentation, or just pay the bill/cash the check.
Of course a tax code is complicated. It touches pretty much everything with respect to income and expenditures, with numerous special cases. The truth is that most people only deal with the same two forms, a 1040 and a W2. Like anything complex, only a very small portion is actually utilized by any particular individual. Glossing over this, and instead trumpeting some canard like number of pages, or number of words, is simply a rhetorical device to mask a different objective.
Of course there are "special cases" - that should be obvious. However, it's very much not obvious that there are 74,000 pages worth of special cases, which is the actual argument that I'm making that you conveniently ignored. It's pretty clear that the extreme case of tailoring the tax code to the individual results in a hundred thousand clauses of the tax code, which is infeasible, and so there's necessarily the lossy aggregation of many real-world individual financial situations into a smaller number of "paths" through the tax code.
> Glossing over this, and instead trumpeting some canard like number of pages, or number of words, is simply a rhetorical device to mask a different objective.
There's no "glossing over" - it's pretty clear that even though there are "a lot" of special cases, that there are reasonable (and unreasonable) amounts of complexity of the tax code relative to the distribution of circumstances. It sure sounds like you have another objective that you're masking yourself.
It is glossing over, because the vast majority is irrelevant to most people.
Do I care about the ins and outs of alimony and child support? Nope! I am not divorced.
Do I care about the ins and outs of how to deprecate the cost of my car as a business expense? Nope! I’m not self-employed.
How about foreign investment income? Nope!
How about income from farms? Oil wells on government land? Military income while serving overseas? Nope! Nope! Nope!
Do I care about the Earned Income Tax Credit? Yup! Do I understand it? Nope! Has the IRS sent me a letter after I filed saying that I qualified for the EIC, and they amended my 1040 to claim it? Yup!
The point is, if the special cases aren’t applicable, it’s the same as if they don’t exist.
Why do you care about inapplicable parts of the tax code?
Let’s be honest here. Most people have a W2, and that’s pretty much it. If they have a mortgage, their lender has already submitted a 1090 on their behalf. That’s it. You spend your day literally just copying numbers from forms and then subtracting. There’s no point to a person doing this.
> if the tax code were a few dozen pages for the common case instead of a few hundred
Isn't this the fantasy of clean sheet software? 'We'll get rid of all this cruft and make it clean and simple.' But it turns out that the cruft is needed to deal with reality, which is messy rather than the abstract clean-room requirements of our imaginations.
I can't see how the tax code can be short, having to deal with such a wide range of situations. Has anyone ever successfully used a tax code like the short, simple ones that people fantasize about?
> Isn't this the fantasy of clean sheet software? 'We'll get rid of all this cruft and make it clean and simple.' But it turns out that the cruft is needed to deal with reality, which is messy rather than the abstract clean-room requirements of our imaginations.
The fantasy is that the software can be made completely clean and simple because there are no edge cases. The reality is that it can be made less terrible by reworking complex parts of the design that were slowly hacked into place over time, and by eliminating technical debt. The fact that the ideal is unobtainable is irrelevant to the fact that there are still concrete, worthwhile, and necessary improvements to be made.
If your perspective on taxes were applied to software engineering, then most large projects would have collapsed by now.
> I can't see how the tax code can be short, having to deal with such a wide range of situations.
Not "short", but short-er than the 74,000 pages that it currently is. And, it's already dealing with a wide range of situations by simply compressing the feature-space down a lot, so one way of making it simpler is to compress it down even more. For instance, you could eliminate a bunch of individual rules that reduce effective taxes for low-income earners, and then just reduce the tax rate at that bracket.
(Slovakia is a Central European country, far from Baltic.) But all three of Estonia, Latvia and Lithuania also have pretty flat tax rates I believe. Not sure about deductions and other details.
I still don't understand why tax returns aren't primarily automatic. Every year, I have these forms that I collect that were all generated automatically, and most of them are sent to the IRS anyway (or the data they contain). So why can't I log in to some IRS website, choose how I want to file, report anything extra, and then hit submit?
Moving overseas made me even more angry at the American tax filing system.
Literally, what I do for Norwegian taxes:
1. Get a letter stating that they've calculated last year's taxes.
2. Look at the tax authority's website and as long as things are correct, I don't have to do anything else, though I can click a confirm button. (I usually do)
3. Wait for refund - IIRC, they pay out in summertime. Or alternatively, pay tax if you owe.
You get the choice of doing it yourself and filing differently and stuff, but I don't see the point.
It was carelessness. I know Sen. Wyden has been good on this issue and other issues of digital governance. My comment came originally out of the frustrating irony that id.me was getting heat for commercializing what should be a government service when Intuit's behavior is so much more galling. I originally posted my comment attributing the quote to the IRS, then corrected the attribution to Sen. Wyden without thinking about the broader context. The sarcasm probably didn't add much to the conversation anyway; sorry.
HN has a lot of "both sides are the same" centrists and libertarians. They don't realize that there is still a tiny thread of pro-worker pro-middle-class democratic action in the US government. I have no idea how much longer it can survive, but people like Wyden, AOC, Bernie, etc fight the good fight and that goes against everything centrists and 3rd party types believe. Everyone is a republican to them and when shown otherwise, they either nitpick with whataboutisms or just clam up.
I don’t think it’s so much “everyone is a {whatever party I hate}” (which changes with your frame of reference). It’s more “everyone is part of the elites against the people”. The party labels are pretty meaningless, which itself is a bit shattering for those who come to realize it late.
But you’re right, there are a few left that seem to be fighting for the people. Some are effective and others are naive but well meaning.
But they are clearly the minority. They’re fighting bombastic partisan media coverage on both sides, they’re often fighting people within their parties, they’re often struggling just to earn their place.
At first, you get excited at the prospect of holding police accountable when Rand Paul introduces laws against knockless warrants, or you hope for the prospect of a real, sustainable income plan from Yang or Gabbard.
And then you watch as they get maligned and lied about on Fox News and CNN alike. You think, “this plan they’re advocating for will surely attract support from the rest of their party” and then you watch in awe as both sides warp, twist, or outright attack their plans.
You watch with weary eyes as someone like AOC who appears to come from the outside with a background similar to your own gets taken in by people like Pelosi, and you hope against the odds that she will remain true to her ideals, but you know that so many before her did not. After all, at one point Pelosi herself was fighting for the freedom of the internet, yet look at her now.
At some point, you get tired of putting hope into the good ones. You get frustrated every time they seem to make progress only to be struck down. You get sick of seeing them naively fall for the notion that their colleagues are as genuine as they are.
At some point, you just find it easier, both for the sake of conversation but also your own peace of mind, to wrap it all up into the same package of “they’re all bad” and just stop wasting your emotional energy on it.
You pick AOC and Bernie as examples of people fighting for the middle class. AOC's Green New Deal would've destroyed the middle class. She probably means well, but she really is just a useful idiot.
I am sort of confused by this. There was never even any actual concrete legislation to pass.
AOC introduced a resolution (text here: https://www.congress.gov/bill/116th-congress/house-resolutio...) which if passed, would have basically just affirmed (in a non-binding way) the interest of the house to create a "Green New Deal". The actual legislation itself would, if the house agreed to do so, need to then be created, debated, and voted on before being passed.
"House resolutions are not binding law, but rather express the collective sentiment of the House on a particular issue, person, or event."
The actual resolution itself is pretty short, and I find most of the statements and goals in it pretty tame and agreeable. But again, it is not as if this resolution being passed means that all of those things necessarily must end up in the actual Green New Deal to be passed or even that it gets created at all.
Could you elaborate on how this would destroy the middle class? I might have missed something but there was never even any policy proposed, because the Green New Deal was never created to be voted on. I don't understand how you can make an evaluation like that without examining the actual policies to go into effect.
- assume my "filters" are wrong. A difference of opinions doesn't mean my filters are wrong. It simply means I made different conclusions. If you want to support AOC and her policies, go for it. I won't partake.
- believe I'm in a bubble. Right. That's why I'm on HN; because I'm in a bubble and you think exactly as I do?
- Now I believe in a flat earth. That's just a wasted comment.
- Pointing to the "New Deal" that "saved the middle class". It's highly debatable if the New Deal prolonged the Great Depression or not. While it helped many Americans keep food on the table, no doubt, it didn't stop the Great Depression. Regardless, I can turn around and say, I want the "____ New Deal", and it must be good because that's what I called it? That's a laughable concept.
By your measure, healthcare actually became more affordable after the Affordable Healthcare Act became law - because that's the title of the law?
Regardless, I agree that the infrastructure can be improved. My state is already doing it. They've rebuilt an interchange in record time because a bridge wall collapsed. What is your state doing?
Stating that everyone should have access to "high-quality health care" or "economic security" isn't an olive branch. Obviously no one disagrees with that. The discussion is "how", and that's the only important discussion to have.
But, if you want to stick with mudslinging and belittling those who disagree with you, go for it.
The commercialization itself isn't the problem, but that the data that the IRS already has on you isn't available for you, I guess?
If they made the data available to you, an open source program could take it and spit out your tax forms. The existence of commercial alternatives wouldn't hurt this workflow one bit.
Of course, the problem seems to be that those commercial alternatives come with considerable lobbying to make access hard. And from what I've heard, US taxes are so complicated, that it's hard to do them right.
I was extremely confused when I was asked to create an ID.me account for IRS. I have implemented Login.gov for some projects and it's rather easy; I can't see why they'd choose something else.
Login.gov is a fine authentication service, but cannot deliver the identity assurance level (IAL-2) required to identify people. (It may not be able to deliver AAL-2 authentication soon either as standards evolve.) Uploading a picture of your drivers license is not a meaningful validation of your identity.
The reaction of the Senators here is the equivalent of “I’m shocked to hear there is gambling happening here”. Typical pandering. Literally every drivers license and ID in the country is running through a biometric identity provider run by a contractor to identify duplicate licenses. Many DMVs outsource credential production to a third party.
I don’t think ID.me is the best solution, but it is better than providing a trivially stolen number “what was your AGI last year” that facilitates billions of dollars of fraud annually.
No third party/private solution is appropriate here.
The government that oversees the issuing of these IDs and attests that they are sufficient for government use (Real ID) cannot themselves validate said ID?
Corruption or incompetence are the only paths that lead to outsourcing federal identity verification.
The only IDs issued widely by the US government are military credentials, immigration credentials, and passports. Driver’s licenses are issued by states and other entities. They are also fraught with problems as millions of people do not have REAL IDs, yet need to interact with government.
The problem is that any bartender who has scanned your drivers license has the information required to scam an online validation without some other validation.
If you want good online validation for the public, you need a third party right now. In the future, in some states, you’ll be able to use a mobile drivers license, provided you own a smartphone. Also problematic, as the government has to support everyone. Foreign nationals pay tax. People in nursing homes who cannot appear before a DMV need to pay taxes.
You can yak about corruption and incompetence, but that honestly attests to ignorance on the topic.
You continue to make some good points, but at the end of the day, this is a government function and responsibility, not that of a private company. Login.gov can use the same AWS services in GovCloud as ID.me uses (Rekognition, available since 2017 in GovCloud). With USDS and 18F, it cannot be argued GSA (which Login.gov falls under) doesn’t have the skills available to build this capability.
This is a call to enhance Login.gov’s identity abilities, and US government citizen identity management in general. Login.gov (and perhaps USPS for in person proofing) should be funded to do this, not ID.me. Higher level, this is about building strong public goods and defending them.
USPS is already the agent for a national id program in all but name — passports and passport cards, which are much better than DMV-issued credentials in many ways.
As another poster mentioned, the problem is that both progressive and conservative constituencies are strongly against meaningful national identity for different reasons, some of which are insane.
It’s a policy problem that won’t be solved in our lifetime. Our best bet long term is for states to issue mobile credentials, but even that is problematic because it will disenfranchise people.
> You continue to make some good points, but at the end of the day, this is a government function and responsibility, not that of a private company.
I 100% agree. Problem is, the federal government (and the state governments and to a large extent big chunks of the citizenry) are fundamentally opposed to the issuance of a non-passport general citizen's ID and/or number. Those opposed to it don't have any good solution to "how to protect information the government keeps about you" either, so it's no good asking them.
Devising an actual public system for identity verification when you're being told the government cannot identify people is ... challenging.
> Problem is, the federal government (and the state governments and to a large extent big chunks of the citizenry) are fundamentally opposed to the issuance of a non-passport general citizen's ID and/or number.
I wonder if this mightn't change with states increasingly requiring voter ID.
After all, it'd be pretty dumb to on one hand mandate that every voter have government-issued ID, and on the other to oppose it.
The bulk of those who are pushing for more voter ID are from the political alliance most vocal about both (a) insisting that voting is a state matter and (b) insisting that federal government issuing ID is not OK.
> You continue to make some good points, but at the end of the day, this is a government function and responsibility, not that of a private company.
Private companies have been part of the government discharging its responsibilities since first days of the Republic. You'd probably be shocked when you learn who does credit monitoring after government servers get hacked, by the way.
By your logic the government couldn't use cloud computing (run by a private company), couldn't use computer hardware even if they wanted to run a private cloud (hardware is built by private companies).
> If you want good online validation for the public, you need a third party right now.
In all reality, this is fine. I have no particular problem with using facial recognition, but I want it regulated and I want recourse.
Fine, outsource it to ID.me. But the terms of service better be a page, maximum, and include the ability for me to appeal a decision that says I am not who I say I am and to use other forms of validation that may be slower or more procedural (such as presenting myself to a Post Office). I want no binding arbitration clause in the agreement, and if that means the Federal government has to indemnify ID.me, then so be it. I want it in the TOS that the data ID.me uses for this will be segregated and kept for a very limited time and that I have the right to review and correct it.
Use the third party for what they are good for but enforce suitable rights for the rest. This is doable, it just wasn't fully done here.
ID.me does have the ability to appeal the decision by hopping on a video call to complete the registration. They also do have the ability to close your account and through that delete all your data.
> If you want good online validation for the public, you need a third party right now.
I should not under any circumstances need to enter into a direct agreement with a private entity like id.me in order to access public services. The government might reasonably subcontract out some of the work, but public services need public accountability. The government service itself needs to be the direct counterparty to the public.
The government issues HSPD-12s, which CAC/military PIV cards qualify as. In theory both federal staff and contractors need an HSPD-12 compliant ID/"smart credential" to access facilities and networks.
Just wanted to point out that there are lots and lots of federal IDs that are not military, immigration, or passports.
Real ID validates that you are the person you are at the time of issuance, but does not guarantee that the possessor of the ID is that person. This stems from the fact that an ID is "something you have". Like any secure system, you should use multifactor authentication. The facial scan is "something you are", so the combination of ID and scan provides that. One might also use "something you know", such as your adjusted gross income (AGI) that the IRS used before.
I think the difficulty is that the (federal) government can't currently do anything except the "something you know" part. It can't use "something you have" (because too many people are opposed to federal government issued ID), and "something you are" appears beyond the scope of the federal govt to implement (correctly) at this time.
Every IRS, Social Security, DHS/CBP, and USPS branch is a location where they could proof your identity in person. It is simply a matter of will to implement the policy and enable the software features for government employees to perform the function.
I would also propose finding ways to drastically reduce the cost of issuing smart passport cards, and slowly transforming that into a national ID over time as the electorate composition changes. Your passport number eventually becomes your national ID number.
The government cannot build a competent identity solution because a majority of voters believe that to do so presages something from genocide ("Papiere, bitte!") to the literal end of the world (“Mark of the Beast”).
We are still in the same universe where the OPM breach happened, right?
Like no, I don't trust the government to protect the big bucket of PII on everyone in digital form. Not because of lizard people but because the government can barely keep its own sites secure. Giving them more dangerous data in the form of bulk PII is the wrong move.
Login.gov was the first thing, in a long time, that was well executed. I need to see more things like that to restore my faith. ID.me is the wrong direction.
The IRS already has almost all our PII. Not sure how adding a photo materially changes anything in that regard.
I do agree ID.me is the wrong approach. And login.gov should be used in some form over a private enterprise. But, my concern is two-fold… it’s a private entity that I don’t really want to do business with. And the process described by Krebs was impossible - can we really expect everybody to have email, valid phone (what if they aren’t the account owner for the phone), photo ID, and whatever else was required?
My father doesn't have any sort of web-connected camera, which caused a whole set of problems with his unemployment that I can't remember how they got fixed.
On a similar note, I don't have a lot of documents tied to my name, so I had nothing that they wanted when my photo verification didn't work for whatever reason. Pretty sure I just never solved that one and left the last couple weeks I would have gotten unemployment on the table.
The IRS has our PII, but lots of it is not in a big bucket, it's quite diffuse. If PII is dynamite (and it is) then we want it divided up in silos, with firewalls, and limited access where nobody has universal access. Ideally a lot of it is protected by differential privacy - if I am getting audited, the auditor only sees my returns and not my identity, and someone else gets only my identity.
GSA has really upped the game over the past 10 years for digital services delivery. Such as Login.gov. Look for other places 18F/USDS are involved, and you'll see significant improvements.
With a remotely sane identity system, knowing someone’s identifiers and basic biographical facts would not help you to impersonate them. PII has the sensitivity that it does in today’s world only because we abuse knowledge of PII as a poor man’s authentication mechanism.
login.gov meets IAL2 since NIST SP 800-63-3 "allows for remote or in-person identity proofing" (800-63A page 8). Likewise, TOTP is explicitly mentioned as an allowed multi-factor OTP authenticator (800-63B pages 20-21). I'm not aware of changes in SP 800-63-4 that would affect login.gov's current implementation, but it's been a minute since I last read the -4 draft and could be wrong.
Login.gov permits me if the IRS could do identity proofing.
The IRS can't do identity proofing (hence the need for ID.me, which is implementing "remote or in-person identity proofing"), and login.gov doesn't do it for the agency. Login.gov can only record whether the identity was created at IAL-1 or IAL-2.
Use of login.gov is orthogonal to the question of ID.me.
I've also implemented login.gov as an identity provider of last resort for a system that requires identity proofing (IAL2). It works great once folks are signed up and verified for a login.gov account, but the identity assurance process always seems to end up requiring a piece of mail sent to new users' homes. The phone/utility verification process never seems to work right, and the postal mail option adds a week's delay (or more) to our user enrollment process. In my and several test users' cases, we've had our phone numbers in our names for literally decades, so it isn't a matter of public records being ambiguous.
We've also had problems getting login.gov to proof new users with national but not state IDs. For example, we have someone with a passport but no driver's license. They should be able to use just the passport for identity proofing since the passport itself requires two or more forms of SUPERIOR/STRONG evidence (per NIST SP 800-63-3), but login.gov must not authenticate the passport with the State Department, meaning it fails 800-63A 4.4.1.2 (evidence collection requirements) rule 1 and must implement rule 2, instead (collect two pieces of STRONG evidence, i.e., national _and_ state IDs both). It's really frustrating because I cannot demand my users go out and get (pay for) state IDs they don't otherwise want or need.
All that said, even though login.gov isn't perfect, I do like it and am very impressed with 18F/TTS's work. They've done a very thorough job with their SAML implementation compared to the ADFSes/Oktas/Pings/etc. of the world.
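The evidence-collection rules cited in the comment above (NIST SP 800-63A 4.4.1.2), written out as a check. This is an added example, not part of the original comment and not login.gov's code; the class and field names are hypothetical, the sample evidence is constructed, rule 3 comes from SP 800-63A rather than from the comment, and treating SUPERIOR as satisfying a STRONG requirement is an assumption.

```python
"""Added illustration of the IAL2 evidence-collection rules in
NIST SP 800-63A section 4.4.1.2. Hypothetical names; not login.gov code."""
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass(frozen=True)
class Evidence:
    name: str
    strength: Strength
    # The issuer itself proofed the holder with two or more SUPERIOR/STRONG
    # pieces (the comment says this is true of a passport application).
    issuer_proofed_with_two_strong: bool = False
    # The CSP can validate this evidence directly with its issuing source.
    validated_with_issuer: bool = False


def ial2_rule_satisfied(evidence):
    """Return 1, 2 or 3 for the first 4.4.1.2 rule met, or None if none is."""
    # Assumption: SUPERIOR evidence also satisfies a STRONG requirement.
    strong = [e for e in evidence if e.strength >= Strength.STRONG]
    fair = [e for e in evidence if e.strength == Strength.FAIR]

    # Rule 1: a single SUPERIOR/STRONG piece is enough only when BOTH
    # conditions hold: the issuer proofed with 2+ strong pieces AND the CSP
    # validates the evidence directly with that issuer.
    if any(e.issuer_proofed_with_two_strong and e.validated_with_issuer
           for e in strong):
        return 1
    # Rule 2: two pieces of STRONG evidence.
    if len(strong) >= 2:
        return 2
    # Rule 3 (from SP 800-63A, not mentioned in the comment):
    # one STRONG piece plus two FAIR pieces.
    if len(strong) == 1 and len(fair) >= 2:
        return 3
    return None


# Constructed sample evidence. The strength labels follow the comment's
# reading (passport and state ID both STRONG); they are not an official mapping.
PASSPORT_NOT_VALIDATED = Evidence("passport", Strength.STRONG,
                                  issuer_proofed_with_two_strong=True,
                                  validated_with_issuer=False)
PASSPORT_VALIDATED = Evidence("passport", Strength.STRONG,
                              issuer_proofed_with_two_strong=True,
                              validated_with_issuer=True)
STATE_ID = Evidence("state driver's license", Strength.STRONG)
UTILITY_BILL = Evidence("utility bill", Strength.FAIR)
PHONE_RECORD = Evidence("phone account record", Strength.FAIR)


def scenarios():
    """Evaluate the situations described in the comment, plus rule 3."""
    return {
        "passport only, no issuer validation":
            ial2_rule_satisfied([PASSPORT_NOT_VALIDATED]),
        "passport only, validated with issuer":
            ial2_rule_satisfied([PASSPORT_VALIDATED]),
        "passport + state ID":
            ial2_rule_satisfied([PASSPORT_NOT_VALIDATED, STATE_ID]),
        "state ID + two FAIR records":
            ial2_rule_satisfied([STATE_ID, UTILITY_BILL, PHONE_RECORD]),
    }


if __name__ == "__main__":
    for label, rule in scenarios().items():
        print(f"{label}: {'rule ' + str(rule) if rule else 'not sufficient'}")
```

The first scenario is the passport-only user from the comment: without direct validation against the issuing source, rule 1 cannot apply and a second piece of evidence is required.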
Really? Not that I particularly wanted to, but all I had to do was take a photo of the front and back using my iPhone and it went through without any problem.
That's debatable. login.gov would certainly be better than id.me, but a centralized database of everyone sounds like a problem in all cases. A unique identifier for everyone is the path to more social/technological control.
Here in France, some people from the anti-nazi resistance from the 40s later got into heated arguments about the national ID card, which had been made mandatory by the collaborationist regime. The idea is that if there were reliable/secure unique identifiers during WWII, the resistance movement could not have existed at all, and could not have saved countless lives.
To this day, France is one of the rare countries where it's perfectly legal to walk anywhere without any identifying document with you. This doesn't mean that you won't be harassed by fascist cops though, depending on what you look like.
I'm pretty much against fraud in the common sense of the word. But the biggest frauds are done by the rich and don't require making up new identities. They're hidden in plain sight with lawyers and contracts with offshore corporations. I personally couldn't care that social services fraud costs the government some millions every year, when tax evasion and corrupt-government contracts (remember the Pentagon audit?) account for literally trillions going missing and nobody in government wants to do anything about that.
I’m very happy Wyden is my senator. I made a point the last time I was in DC to stop by his office and express my support but his staffers were profoundly uninterested. Oh well, I voted for him, not them.
Not great that there is billions of dollars in fraud or that the government uses a private company to harvest and retain the biometric data of over 40 million Americans. Great that the IRS is no longer part of this biometric data harvesting scheme that represents a massive attack on the privacy and dignity of every taxpayer.
I have used login.gov for my global entry application and I'm actually impressed. The only complaints I have with it are:
1. It doesn't make it obvious on how to add additional u2f keys (you have to go to login.gov explicitly to do that)
2. I still can't find a way to remove u2f keys
But then when I used id.me with CA DMV I'm also impressed by it (granted CA DMV does not require any crazy biometric stuff there like IRS planned to do).
I recently had to sign up for login.gov (to renew my Global Entry, after they moved away from their own one-off CBP login system) and was pleasantly surprised with how good it was. Hopefully the TreasuryDirect.gov folks migrate some day
You can use a CAC card as your second factor with the mandatory 2FA, but if you don't have one I think Yubikey-type devices are the only other hardware auth option
Success is possible. Fingers crossed Login.gov is the solution they’re moving to [1]. Big thanks to everyone who complained to the IRS or their Congressional reps.
Onward to yeeting ID.me from state and local government next [2].
[1] “The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.” (From IRS’ press release on the topic in a sibling comment)
Oh, and the IRS has already been breached at least once. I'm not wild about waiting for the next one. Maybe government is not the best group to be holding your personal data.
All things being equal, the US government is simultaneously (1) the single most legitimate non-medical third party that needs to access my personal data, and (2) the single best entity to hold my data in terms of personal recourse. That's not saying much, but it is better than the open scorn and disrespect for my privacy that corporations offer.
The solution to government breaches is what it's always been: to make the breached data less valuable. Hacking the IRS would be significantly less appealing if we criminalized corporate use of SSNs as credentials.
That’s the slow way, but sure. I was referring to the fact that the government does occasionally react to negative press and roll back plans, as is evidenced by this case. I’ve yet to see Equifax change its security policies based on negative press.
Personal data sold to model and modify behavior. It's even more valuable to gov agencies, which spend drastically more than the private sector to get it.
Because our society would fall apart without a social credit system. How else are we going to judge flight risk, loan risk, apartment lease risk, employment risk, etc?
Flight risk is an FAA thing or a bail bondsman thing. Or are you using a version I haven't heard before? Similarly, I have no idea why Equifax would have anything to say about Employment Risk.
But, yes, they provide a service. And? There are two other major players who didn't fuck up who supply the same service.
> Similarly, I have no idea why Equifax would have anything to say about Employment Risk.
If you got hired for any job worth doing at any point in the last decade, chances are high that among the various background checks, your employer also ran a credit check on you.
> a bail bondsman thing
Why wouldn't a bail bondsman care about your credit history?
Do you notice a pattern of state legislatures who sponsor privacy legislation not having online political support or donations from people who track patterns like this? If you're following it this closely, you should be following the political careers of the folks who work hard to pass laws that have teeth and laud them, no?
It's not just the potential for a breach. I didn't want id.me itself to have my information. It's ridiculous to have a private company, not accountable to the public, gatekeeping government services, regardless of how many certifications they have.
Hopefully id.me will get booted from other government agencies as well.
I recently needed to access some information on the IRS website, and had to do a 3 hour, very annoying, ID.me registration. Everything failed. The OCR software thought the issue date of my passport was my birthday (so I wasn't old enough to register), fail. The 'link' they send via SMS to take photos of your ID, failed (wouldn't load). A VPN was needed to do some steps from outside the US. I was kicked out of the 'queue' twice to video call with a human where I have to hold up my 'biometric' printed-on-paper social security card.
The killer? This morning I woke up to spam emails from ID.me offering me a discount on my first blue apron meal order.
Where I am in the Netherlands there is a government-issued digital ID (DigID), that was very straightforward to sign up for and easy to use.
I’m glad you mentioned the spam from id.me. When I first came across it a few years ago I thought it was a scam due to the heavy marketing of third party “deals” on the site. Not a good look.
Hmm... In the US, login.gov still uses id.me for verification (at least on new signup), and this is the sso for TSA stuff like Global Entry, and the Social Security site. I guess it's used "less" now, but is still present for US Government services.
And now for some contradictory information, straight from id.me, which may indicate it's a lost cause.
On that page it says:
"What happens to my deleted account? Your account information is purged. After seven days, you can create a new ID.me account with the same email address you used in the one that was deleted."
However, when following that exact process on the site, it states:
"If you decide to create a new ID.me account (at any point in the future), you will not be allowed to use the email address(es) lined to your previous account."
Both locations state:
"ID.me will retain a portion of your account's attributes on file to comply with applicable laws and help us prevent fraud."
What was the vendor selection process for ID.me? Their UX, privacy, and security practices seem terrible. What’s the real story on how ID.me became so pervasive in the public sector with such a terrible product?
Gov cyber security, financial services cyber security, and anyone else who puts on their home page how they “take your security seriously”, all want to buy from ex mil execs. Must be to manage all that military grade encryption between your browser and their web site.
ID.me does not have a monopoly on former military in the IDV space. Understand that lots of former military have clearance, relationships, etc., but does not explain the success of such a low quality solution being this ubiquitous in government at both the state and local level.
Interesting news. But I see a lot of negative comments regarding the biometrics.
Here's my two cents.
I'm the founder of a biometric users identity check solution, called Typing AI Biometrics ( https://typing.ai ). We identify users by the way they type. Typing biometrics can be used as a two factor (2FA) or multi factor (MFA) authentication method.
Instead of combining the usual username + password with an OTP code that you receive on your smartphone or email, you can combine the basic username + password with a typing pattern check, it's much more secure and efficient. The typing signature is translated into a 300+ encrypted characters hash, which is (up until now) impossible to break.
You can even remove the username + password and combine the typing biometrics check (known as keystroke dynamics) with an OTP verification. Biometrics are the future of authentication and authorization, because they are unique to each person, but only with the promise of not keeping and sharing the users data.
So then, I need to type the same password the same way every time?
If I set up an account while I'm still waking up, and then try to use it after lunch and coffee, wouldn't I get locked out due to inputting faster than expected?
Or what if I'm on the phone with someone, and trying to type with one hand? That would probably lock me out, right?
Our algorithm learns from previous detections. You will be able to enter different texts. Like writing your email or anything you want.
In the case of having an accident, you will be able to login into Typing AI and update your signature.
"Or what if I'm on the phone with someone, and trying to type with one hand? That would probably lock me out, right? " - good question. Your "one-hand" typing is totally different than writing with two hands but we also got this covered. The authenticity detection rate won't be over 90%, but it will still be over 80%.
So then, I need to pre-auth my typing styles depending on how I expect to type?
It isn't much of a stretch for me to think of 4 scenarios:
1. Laptop keyboard, 2 hands
2. Laptop, 1 hand
3. External keyboard (let's pretend I'm using only one out of my collection)
4. External with one hand
How about when I break my wrist and it's in plaster for a couple of weeks? Seems unlikely that I'll maintain my characteristic typing pattern well enough to be recognised...
"How about when I break my wrist and it's in plaster for a couple of weeks?" - good question.
Your "one-hand" typing is totally different than writing with two hands but we also got this covered. The authenticity detection rate won't be over 90%, but it will still be over 80%.
In case of using the Typing AI as a two factor auth method, you can just skip to using a different factor, such as fingerprint/face recognition or OTP.
"trying a new typing layout, or just joining your first touch typing course?"
You have just described the case where your typing pattern is changed. In this case you'll have to just login to your account and update the signature or remove it and create a new one.
typing biometric software has been around for a long time (biorhythm) and from what I remember from years ago had issues with users typing in from different devices all the time, laptop to ext keyboard, iphone to ipad with keyboard, kiosk, etc... I don't think it would be more secure or as you put it "much more secure" than say, user/pass and a push notification as the push notification is out of band. These used to be called 1.5 factor as it wasn't quite 2 factor.
I understand your opinion, and yes, it's hard to be able to identify the owner of an account by checking smartphones, tablets and desktop keyboards. The recommendation is to create separate signatures for all of these devices, in this way the typing signature will be stronger and the keystrokes verification will be more accurate.
We are adding new cases to our algorithm almost weekly, the typing detection keeps getting better.
thank goodness. I received an ambiguous letter from the IRS last week talking about how I may need to file something special this year related to the $1400 covid credit. I was going to login to the IRS site to get more details until I saw the facial ID requirement and quickly noped away from there.
I had a phone screen at ID.me and then some of the articles came out and I started looking more into them. They tried to have me start doing interviews but I declined. I watched a motivational video from their CEO and his energy was a bit of a turn off as well.
I actually gave it a try, and couldn't successfully signup due to the phone number check, even though my name is on the line. Figure I've wasted a couple hours on it in total. Unnecessary friction.
here is a repeat of my comment a few weeks ago, which scored 134 on YNews. This was about using biometrics for getting social benefits.. later, someone said "hey! I object, taxes are not benefits" and I reply "the similarity is that biometric requirement to use (obviously efficient) online services. That includes both social benefits like unemployment, and also required interaction like taxes" .. hope that clears it up
the core of the thought is -- if the government interaction is flawed such that it is not actually doing only what it says it is doing, to the detriment of most ordinary people, and is subject to insider gaming with rewards to do so THEN additional and perhaps draconian requirements on the ordinary individual, do not solve the flaws, burden and antagonize an ordinary person, and the implementation becomes a new attention target WITH new penalties attached, for the ordinary person. hth
--
American here
"perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves"
In the great State of California, billions in unemployment benefits were sent to the wrong people.. because their internal systems were designed to delay, deny and deprive, I say. Actual people with real jobs were repeatedly refused, while insiders who knew how to fill out paperwork, and apparently knew where the blind spots were, filed hundreds of claims in the early pandemic days. A newly appointed Director (young, tech savvy woman) soon stopped making public statements, and the situation nearly two years later, is not resolved. This is at a time when California has record income to the State.
Now, some people may jump on this and say "well, you see how photo ID would have helped that" and, with incomplete knowledge and personal opinion, I say no, it would not solve it. You see, people with real jobs, with every real paper filed, were denied benefits, while insiders were pulling checks with both hands, using certain kinds of identities that would slip through. How would ever more restriction, requirement and verification, have helped here?
I am deeply against the collective government making ever more demands on citizens for "papers, please" enrollment to massive money social services (edit e.g. govt unemployment benefits). It is not going to have the desired effect, despite superficial evidence otherwise. Additionally this represents a slippery slope where the ability to interact as an individual will be eroded, and opportunity for insider graft will increase
Was this just a Theranos level scam?
It simply didn't work, right?
I uploaded perfect scans of my passport and driver's license and it couldn't recognize them, so I had to wait several hours to video chat with a real person, who confirmed my identity.
Great - now let's fix Home Depot. As of Feb 1, veterans only receive their 10% discount if they submit their photo id to a website and use a phone at the register.
No. But do note that H&R Block (along with Intuit and others) pay lobbyists to make filing your taxes a difficult costly process. I'd recommend using https://freetaxusa.com (legit, great site for only $15) or paying a local, independent CPA, to file your taxes instead.
I'm aware of the cartel and their lobbying. Unfortunately I doubt FreeTaxUSA will work for me as an expatriate in a slightly complicated situation and there are no CPAs here. I'll check it out though, thanks.
Oh, no! I'm sorry you have to deal with that situation. I've heard filing as an expat is terrible with FATCA reporting etc. I'm planning to move out of the country in retirement but it's still years away for me.
If you don't mind me asking: how does managing your financial accounts work where you are? Do you still maintain USA bank/investment/retirement accounts (via mail forwarding?) or do you have them open in your country? What types of hurdles do you run into?
I only opened a US bank account recently because of those COVID-19 relief checks that were sent out and nobody around here would cash them for me*. Other than that I've had no financial connection to the US.
* Checks are considered an arcane and insecure technology from the stone age here.
I'm glad you put the time and effort to look into some of the reasons they used in their decision to not implement it, particularly those mentioned in the article.
What I would like to see next is an investigation into why this process was considered at all and how the vendor was selected. I find this entire situation deeply suspicious, since MOST online services (including financial services) do not need this kind of invasive verification process and do not require interfacing with a random third-party. My cynical guess is that id.me has some connection (like via political donations) to those who had the power to effect this change.
>Let us also find out why a non governmental entity is handling *
Ex-gov here. It is baked into gov thinking that the most desirable solution to difficult problems is to give it to the commercial sector. To a degree, it recognizes that a core responsibility of US gov is to support US commerce. One may argue how that philosophy encourages certain forms of corruption (swinging door, price abominations etc) but it's an accepted cost of doing business. What's good for GM is still, in those corridors, felt to be good for America.
I'm not arguing that this is a good thing. But it's how US gov thinks. That is why these problems are farmed out to the commercial sector. And as ex-gov, I can tell you that the government is a cash cow. And that's how they like it. And business. They like that too.
Has anyone identified which politician or subset of politicians helped give this specific idea life? Not the general one about contracting out work through bidding where the circumstances call for it. The specific one about doing so as a global approach to such an extent that we have non government entities handling so many core competencies.