Hacker News
Would you use a government-issued ID to prove your identity online? (abc.net.au)
17 points by aussieguy1234 5 months ago | 54 comments



We've been using it in Europe for years. However, I use it exclusively for government services like social security, car registration etc. It would never occur to me I would use it for commercial services like Google or Facebook. The moment any such service asks for a proof of identity, whether physical or digital, I cancel it.

There were two exceptions. One was Airbnb - and I understand them, they have to do some minimum verification of people given the history of abuse and the very nature of human interaction. The other was Hetzner - again, I understand they need to do their duty to protect themselves from spammers, scammers and other abusers. These were the only 2 exceptions in the last 20 years or so for me.


Don't you also use it for tickets in international travel (airlines, train, etc.)? Banking?


We already do this in The Netherlands. We can use our driver's license or newer ID cards to activate a digital identity app from the government, by scanning the NFC chip in it. Works great honestly. I believe many services you log into then do not store much personal information, only what’s needed to connect to your ID and of course whatever is needed for the service itself.


Does this work for companies as well? I've only ever encountered this kind of verification as part of the Digid login process, which is only usable for government and semi-government websites. I don't think you can use Digid to prove to an online web store that you're allowed to order alcohol, for instance.

With the way Digid works, I'm not too sure if I'd trust the system that much either, to be honest. Allowing the government to track what citizens visit what websites when seems like a massive privacy infraction. There are technologies that can fix these shortcomings, but I don't think the government cares about them.


No, (semi-)government only by law, plus health care providers.


Alright, that's what I thought. I believe iDIN would come closer, though that's bank-based rather than government-based.

I don't think the Australian system introduced in the linked article is comparable to the card-based Digid system; the risks and benefits of a system where companies can authenticate people using government ID are very different from just authenticating to (semi) government.


Yeah, we have it in Italy too.

We can do a lot of paperwork online, it's great when it works. I believe it is one of the few "internet stuff" that wasn't just regarded as a waste of money. (We had a scandal about a simple site that cost millions.)

You can pay taxes and other services, change your family doctor, see documentation related to unemployment/social security, etc.

The "verification" is done by a few online private providers via webcam or you can do it at the post office (still private but the line is blurred).

The name is "IO", a wordplay on input/output and the fact that "io" means "me" in Italian.


To note*

I'm talking about the portal where you can do stuff, the verification/identity is a system called "SPID".


A failure mode that is common in many shared identity providers is that the services using the IdP often are able to ask for and receive information that should generally not be seen as mandatory shared information. A simple example of this is email address. Giving the same email address to many companies generally means that eventually that address will end up on spam lists. This is a one-way, non-recoverable situation (once you're on the list, that email is burned), with a probability of it happening scaling approximately linearly with the count of services that use the same address. The impact scales in the same proportion (if you choose to disable the address, then you have to change it with all the services).

This is not theoretical. Services that use GitHub auth do this regularly.


Only for government services / banks, everywhere else no. Nordic countries already do this. Japan also recently introduced "MyNumber" exactly for this purpose, and it makes doing taxes more straightforward, though "MyNumber" is kind of a mixed bag as it allows connection to many third-party services and offers points for purchases etc. I limit my use to taxes and government services.


For Finland I use it with ISPs too. Which I find reasonable, as that means no need to go in person to set it up. So there are certain services, mostly specific subscriptions, where it can make sense.

Not saying a credit card is not a valid option for streaming. Or having someone like Klarna in online shopping. But when we think of phone, landline internet, electricity and so on, strong authentication does make some sense and is acceptable.


It certainly is better than henkilötunnus.


It is really all about henkilötunnus, but at least they have proven they got it from a reliable source. Which is the entire point for me.


In the EU, eIDAS allows companies to use government-issued identification: https://digital-strategy.ec.europa.eu/en/policies/eidas-regu...


It's yet to be seen how this new version will work, however they say in the story it's an upgrade of mygovid.

Mygovid as it stands is a cluster. It insists you have a single email address as your one true name, it insists you use that one true name everywhere you use mygovid to authenticate, and if you upgrade your phone it throws away the ID. It's unreliable, as in the app has race conditions with its internal state and external requests to identify yourself. Those race conditions cause it to not identify you at all, not notify you there is an ID request, and various other indeterminate states.

As a cherry on the top, mygovid is used to authenticate against my.gov.au (the closeness of the two names is so confusing they have to put big red warnings not to confuse the two), and my.gov.au has been the victim of rampant identity fraud to the tune of $0.5B.

As others have mentioned here, there were far better thought out identity schemes around when mygovid was introduced. They chose to roll their own instead.

I hope this is an improvement, but there are few grounds for hope. The bill moving this forward is based on what the government needs - so although they allow for many ID providers the bill repeatedly mentions just one, I presume they want one true name and a centralised data store. Amusingly, at first glance the bill looks devoid of technical details, and I'm guessing that's because the lawyers think they left the design wide open so the subject matter experts can implement something that works. In reality, and probably unwittingly, they've already set the technical foundations in stone, and they've chosen the wrong ones. Nonetheless, if it is defrauded like the present system has been, they'll blame the implementers.


For commercial services, no. There's a new W3C standard named DID that's much better for this. Using DIDs and a trusted authority, you can prove you're a real person without having to reveal your identity. You can even choose which verified data to reveal (e.g. age). But I guess some large entities would have to push it into the market for it to become widely used.


> and a trusted authority

I think there might be a fly in that ointment.


Definitely not for porn and the like; no issues for my banks or public administration services. I have used them since they were introduced...

Besides that, I criticize two aspects:

- many states (at least here in the EU) have chosen private companies to provide identity services, at least for eIDAS level two authentications (user+password + OTP, essentially), which can't be trusted and generally impose Android/iOS macrospy devices, so something insecure and untrustworthy by default;

- many states have introduced smart cards BUT with proprietary middleware and crappy crapplications to use them;

both trends MUST be demolished from the ground before digital identities become the norm for all serious things. We need instead to build a chain of trust model where the public sign a citizen subkey as a proof valid for the public, and private parties might agree on something similar with each other for their customers/purposes.


I think this is the future, for better and for worse. Functional governments are already the ultimate authority on personal identity.


In Canada to access some government services we log in using a trusted partner, which is usually a bank at which we have an account.


IMHO that's a bad idea - making government services depend on a commercial entity. The bank can close your account with them at will.

In Norway and Sweden they also have something similar called BankID.


If it was proving my ID to my own Government then yes, otherwise no - I’d work around the restriction.


Unfortunately so many websites want you to upload license/passport/lease/etc. these days, I detest this practice.


Other than travel (car rental, visas etc) or KYC from banks, what other sites do this? I haven't experienced this much in Europe.


Facebook demands this if someone else reports your account as not using your real name.


Or a ‘friend’ reports you as dead when you are very much alive and kicking. My partner refused to show Meta ID to verify anything - good on her.


I mean, banks, brokerages, credit cards all have asked for such information, and I don't trust them to not leak it (intentionally or not).

It's not KYC I mind as much as having to give them a residential address. I don't want that leaked across the internet. I hate giving out a residential address. The government can have it, I don't care so much about that, but private companies don't need to know where I sleep to know who I am.

What if some random sentence I say on the internet becomes the subject of a death threat? What if a startup I found becomes hated by a small group of armed individuals? I'm not a billionaire and don't have the $ for 24/7 security. I really don't want anyone to be able to just look up where I sleep.

Social security number and some kind of ID number (license, passport) should really be more than enough for KYC purposes.


How are you planning to work around https://www.apotea.se/security/authentication that uses national https://www.bankid.com/en/ ?


They don’t apply to me, so I am not trying to work around them.

If something is going to be too difficult to work around, and it’s a total requirement, then I suppose I will be forced to go with the flow if it means that I will starve or have no bed to sleep in.


Unfortunately, most people wouldn't care enough to put up with any extra friction, and eventually you'd be against the tide and increasingly locked out of interacting with modern society.

I mean, people apparently willingly upload pictures of their driver's license to facebook already.


Sad, but I believe what you are saying is true.

But on the other hand, who would have thought 10 years ago that VPNs would catch on so much that they plague the YT advertising and often run on commercial TV and radio?!


In India we use Aadhaar, the associated phone number and a digi-locker app to verify our identity. Mostly used for governmental, financial and insurance verification. Works seamlessly most of the time.


For government purposes? Sure. For anyone else, under no circumstances.


Would be nice if such a system would make specific (and to the user clearly understandable) verifications possible, without revealing the user's identity.

For checks like: age > 18


This is already possible in Austria.

The "eAusweise" app allows people to "prove" their age to others without giving away any more data:

https://www.digitalaustria.gv.at/eng/services/eServices/Proo...

(German only:) https://www.oesterreich.gv.at/eausweise/haeufige-fragen/haeu...



I believe that with technologies like IRMA/Yivi (https://irma.app/docs/what-is-irma/) this could be done securely and privately, though I wish the app wasn't so centralised in its token exchange. For this use case (with the government playing a role in the authentication already), that wouldn't be an issue, though.

Permitted services could request minimal data tokens, verified by one or more instances of choice, and the user would see the data being exchanged and with what party the data is being exchanged exactly.

In my opinion, this beats a lot of current implementations, which redirect to either a plain government login or bank login, where the backend does all the data exchange.

I have to admit that I haven't done anything with this tech myself because I can't be bothered filing a request for access for such a system. Still, I can see the potential here.


I think a lot of people would also be interested to add a citizenship/immigration status field to these sorts of IDs in the US. To me it’s kind of crazy how much redundant data there is for people in the US and reconciling it across government systems myself is one of those things that drives me crazy.


> But at least some Coalition senators also voiced concerns about privacy. Matt Canavan and Gerard Rennick expressed dissent during the Senate committee process

> Senator Gallagher called the senators "conspiracy theorists" and accused the Coalition of appeasing them.

The government denouncing elected officials voicing the smallest of concerns over privacy as "conspiracy theorists" should set off a lot of alarm bells.

The Australian government has a history of spying, often illegally, on citizens for such 'crimes' as being Muslim or caring about the environment.

Some examples:

https://www.abc.net.au/news/2021-11-25/victoria-forests-agen...

https://adi.deakin.edu.au/australian-muslims-experiences-of-...


Considering the airport is testing out facial recognition systems to replace IDs:

Would you allow your face to be scanned by a government system to prove your identity online?


That's a vague question -- prove my identity to who and for what purpose?

If to other governmental agencies, I might do it if it were essential and there were literally no other option.

If to anybody, then no.


Imagine that you have to use your personal ID to log into various services online. Google, Facebook, Reddit, this site and others. But then you are, like me, perma-banned on most of them because of radical ideas. Never ever in your life will you be able to use those services. Sorry, the computer says no.


respectfully, fuck that. it's not an "option" to verify with private companies because those companies make basically the sole decision about how ID and auth are set up. by making it easy, making it like a "sign in with google" button, the government spreads this further

we created unions because although employment is technically a free choice, a few companies hold huge power on negotiations relative to one tiny, individual worker. similarly, this may be a "voluntary adoption" but in practice is not. privacy has no value to companies and destroying it is worth 50% lower fraud

i don't have a good philosophical basis for this but am actually a strong believer in leaving open the possibility to commit crimes. so we should go back to circulating large-denomination bills, reduce the burden of KYC, and not create this non-falsifiable new ID regime


Sweden has been doing this since 2003 with BankID. Welcome to the 21st century.

You can use it to log into bank account pages, file taxes, book appointments with dentists, place orders in (private) pharmacies, check your electricity company account and many more. Any reasonably serious company could request integration.


Some of us would love to move into the 21st century. Unfortunately, we can't even agree that IDs are needed to vote.


Sweden doesn't require that you have ID to vote. You could alternatively bring in someone who will vouch for you and can present their ID and personal ID number.

https://www.norden.org/sv/info-norden/rostratt-i-sverige

> To be able to vote you must be able to prove your identity. You prove your identity by showing a valid ID document or by having another person confirm your identity. The person who confirms your identity must then be able to show an ID document and state their personal identity number.


Why is this such a problem? There are so many things you cannot do without an ID, I just can't buy the argument that there are people out there without ID who cannot get an ID. I worked for many years with the homeless; getting an ID and verifying their identity was never a problem.

There has to be some other reason, unless it's to encourage fraud?


You should not lose your right to vote if, for example, you lost your wallet the day before the election.

The type of in-person voter fraud that can be identified by an ID is very low, and trying to change an election this way would be very expensive. More people have gone to trial because while they were legally entitled to vote they were unable to get appropriate ID.

Other types of voting fraud, like registering in and voting in multiple districts, are much more common.

The people who for decades fought against requiring ID for so many things said it was a slippery slope. Now you are on the slope, thinking it flat.


If you do not have an ID, can you not cast a provisional ballot, then return later with further identification?


Again, what's the point in the first place?

Fraud of this sort is incredibly rare.

> Existing research and evidence shows that voter impersonation is extremely rare. Between 2000 and 2014, there were only 31 documented instances of voter impersonation.[3][4][5] There is no evidence that it has changed the result of any election. In April 2020, a voter fraud study covering 20 years by the Massachusetts Institute of Technology found the level of mail-in ballot fraud "exceedingly rare" since it occurs only in "0.00006 percent" of individual votes nationally, and, in one state, "0.000004 percent — about five times less likely than getting hit by lightning in the United States." - https://en.wikipedia.org/wiki/Voter_impersonation_in_the_Uni...

Mail-in ballots don't require id, and still have a low rate of fraud.

We can easily find cases of people unable to vote because they did not have id and were unable to get id.


Though that's not a government issued ID, it's issued by the banks.


this is just a matter of time


NO, obviously NOT.


Maybe Republicans will be able to run a DMV if we force them to do this.



