75 comments

[ 534 ms ] story [ 1739 ms ] thread
Those seems like it should be an easy problem to solve, creating a login system isn't exactly rocket science.
Disclaimer: I interviewed with the USDS team that was embedded in IRS circa 2015-2016 to solve identity pre-ID.me, thoughts and opinions are my own.

I have tried to get info out of IRS on the topic using FOIA requests, but they have not been forthcoming. I think there is heartburn over the whole ID.me situation (which they rushed into due to return fraud that occurred due to lacking knowledge based proofing systems, and got blindsided by the PR fallout of suboptimal machine vision/facial recognition tech and overzealous marketing).

The article states Charles Rettig, who was then IRS commissioner, argued that login.gov can’t meet their request rate requirements, and yet it serves over 220 agency websites and is the primary identity provider for the Social Security Administration website since September 2021. I would be very interested in the technical challenges being more publicly available versus hand waving by the bureaucracy.

https://secure.ssa.gov/RIL/SiView.action

There was recent funding to have the USPS perform in person identity proofing; login.gov appears to be leveraging this. They are also working to offer login.gov to state unemployment systems concurrently (a colleague is on this team).

https://fcw.com/digital-government/2022/05/postal-service-sh...

https://fcw.com/digital-government/2022/10/labor-department-...

https://www.login.gov/help/verify-your-identity/verify-your-...

https://tcf.org/content/commentary/biden-budget-would-signif...

https://www.gao.gov/assets/730/720919.pdf

> In addition to the forthcoming work with the jobless aid system, USPS is also working with GSA's Login.gov, a shared sign-on and identity proofing service.

> “The Postal Service’s unmatched retail footprint offers a unique opportunity for government agencies, such as the General Services Administration that need to complete an in-person proofing. We are actively working with government agencies to do this today,” a USPS spokesperson told FCW.

> In-person identity proofing is offered for Login.gov at seven USPS locations in Washington D.C., Maryland and Virginia, according to the Login.gov website. Individuals start the process online and then bring state-issued identification and proof of address to be reviewed in-person to match the digital application with the real person behind it.

My note/opinion: stronger requirements are necessary to enable login.gov to deliver whatever gap private identity providers (id.me) are offering and require federal agencies to use login.gov

PLEASE also just make this happen when I next have to go in to renew my State Drivers License/ID AND/OR my passport (years from now).

Then login.gov can support the addition of known crypto IDs as alternate signatures and a review that can also happen at any of the interaction points (some USPS branches, DoL/DMV, Homeland Security offices for enhanced passport ID stuff).

I would be interested in reading the FOIA responses. Maybe you can redact your mail address and post on some doc share site. Crowd-sourced open government helps others, also.
I would need to be convinced Id.me is not wholesale fraud. If it can’t look at a passport picture and look at me, (which is the entire thing it’s supposed to do) then there is just nothing there. I think it’s Theranos level. Maybe sometimes they farm out the facial recognition to another company, maybe sometimes they just make it up, but usually just go to a real person who does the check manually.
Please not the post office. Small town post offices are so vindictive with no oversite giving them this power would be horrific. My house has not received mail for years now because my mother had cancer and could not get her mail timely enough for them. The turned her mailbox off and made her open a PO box if she wanted mail. When I later moved to the home I inherited I was not and have not been able to restore service, and the USPS just redirects me to the local post office :(
You may have already done this but if not: USPS is pretty close to being a federal agency. It is funded by Congress. Call your congressman's office in your town/county and ask for help with a federal agency. It works wonders for all sorts of issues, and this sort of pettiness will likely get sorted out.
how about everyone gets a pgp key to establish a long term online identity... kinda like keybase sought to do.

Not so great for sending secret messages, but really great for an identity toehold.

The USPS would be a great fit for this. Thru have delivery and address / identity verification infrastructure and lots of local physical presence. They could issue tokens and act as the root CA for the PKI.
and also maybe a 1GB email mailbox for a small fee. that might serve as a good alternative to the ad supported webmail prevailing today.
The USPS would be horrible for this. Small town post offices are too vindictive and not professional enough to be given this level of authority/power.
Most people struggle not to lose their credit cards (which can be disabled and replaced without significant pain), much less long-term key material. I shudder at the thought of civil servants needing to understand key revocation.

(That's even before quibbling over whether PGP would be the right choice for civil cryptographic identities, which it probably isn't.)

In some countries you get your private key embedded in the smart chip in your government ID card (accessible by NFC from any recent smartphone or a $10 USB reader), which you'll want to replace anyway if you lose it.
The mexican version of the IRS already does that.
I like the idea but my preference would be a hybrid of this.

- Go to the post office, have ID verified, papers verified, pictures taken, GPG keys created multiple so you can revoke one and leap-frog to another without being in an orphaned state, ID card printed that has a GPG signed PDF417 [1] code on both sides and a color picture.

- Lost card? Go back to post office and have them revoke your card and your active GPG key. Get new card that uses one of your unused GPG public keys that have already been uploaded to the various government servers.

- No RFID, no NFC, no Magstrip, no eco-friendly plastic. Make this thing nearly indestructible and only the PDF417 is used by sensors and can be scanned or photographed by someone paying their taxes or filing other government forms.

- Braille dots along top of card to make it easy to find the card and to show which way to hold and insert card in readers that should also have corresponding braille dots.

[1] - https://en.wikipedia.org/wiki/PDF417

Why couldn't they design and offer alternatives similar to the French tax services (alongside many other French online services) [1]?

[1] https://franceconnect.gouv.fr/franceconnect

(comment deleted)
Because it is the law in the United States that agencies must transition to the centrally managed login.gov. ID.me never should have been rolled out in the first place.
(comment deleted)
To expand on this, France Connect is open source and uses open standards (OAuth), so any government can adopt it.
but muh "we must reinvent the wheel because look at these poor multi-billion dollar companies. how will they pay for their CEO's planes"
Yes, there's a solution, it's called one's social security number.

If people are fraudulently abusing the social security number system, stealing other people's numbers and so on, then they should be prosecuted for fraud.

Implementing a Chinese-style facial recognition and social credit score program in order to keep tabs on everyone is just another authoritarian fantasy project, and government incompetence during the pandemic is no excuse for creating such a dystopian system.

One party wants to empower the Gestapo and the other party wants to empower the STASI. What could go wrong?

a social security number is not called that because it has anything to do with security, or is a good idea to use for that purpose...

your comment is equivalent to telling developers to stop wasting time on endless security fixes when we should just make computer hacking illegal, and prosecute people for it.

> If people are fraudulently abusing the social security number system, stealing other people's numbers and so on, then they should be prosecuted for fraud.

Who's going to do that? My spouse had an Oakland luxury apartment rented in her name, with her social security number and everything. But Oakland PD won't do anything, and nobody else cares either. The apartment management wasn't even sure they could evict because of covid restrictions at the time. It's fully reported, not our problem anymore.

Could you even imagine where to start for pursuing a fraud case on the Equifax SSNs?

If!? Basically every SSN has been breached. It's statistically certain at this point with how many breaches there have been. You think its feasible to prosecute that much fraud? For the same org thats paying $200m for broken websites?

>Implementing a Chinese-style facial recognition and social credit score program in order to keep tabs on everyone is just another authoritarian fantasy project

Who is doing this?

Also, even the “social credit score” system in China has been greatly overblown and misinterpreted in western media. [0]

[0] https://www.wired.co.uk/article/china-social-credit-system-e...

> Five years later and more than $187 million in government investment later, however, it still hasn’t been widely rolled out.

I know anything like this is going to be more complicated than it seems. Integration of lots of legacy systems, of which the federla government is probably about as complicated as it gets, with the most security-sensitive application possible.

Still, and I'm really not an expert here, but I am astonished that $187 million could possibly not be enough to get this done. If it can't be done for $187 million, it seems likely it will never be done.

But, intended with real humility and not sarcasm, I would love to hear more from someone who has more context. $187 million just seems astonishing.

Or maybe the quote is wrong that it "hasn't been widely rolled out"?

> with the most security-sensitive application possible.

I certainly don't see my tax returns that way.. is that a commonly held view?

(comment deleted)
Doesn’t it have your social security number?
Conventionally, yes.. but there's no reason the IRS has to use this alone to identify me. Conceivably, it would be very easy to check a box on my W-9 and have a unique yearly "Tax ID" generated and placed on my W-2. Then I can file using that unique number and the imputed need of the highest security ever can just evaporate.
I run a small business and I need to collect W-9's from basically everyone I ever pay, which means I have an absurd amount of SSN's in PDFs sitting in a folder on my computer. It feels very wrong, but apparently that's how taxes work. Kind of makes SSN's feel less secure/protection-worthy than I used to believe shrug
First job out of college I was given, with no oversight or training, access to thousands of peoples SSNs, names, phone numbers and addresses. I also had a private investigator locate someone from my childhood once and got not only their phone number, address, and SSN but their entire family and neighbors and anyone who had a name similar to theirs. It's outrageous how insecure everything is.
Between the Equifax breech and others, hasn't the average American had their SSN compromised several times over by now?
I've found addresses of people in USA based on: their entire name; their first name and the state they live in, and confirmed by a single friend's name; their name, city and that they lived near a golf course

Then you can see where they've ever lived, and who with. All for free

> It feels very wrong, but apparently that's how taxes work. Kind of makes SSN's feel less secure/protection-worthy than I used to believe shrug

It is very right, because social security numbers are not meant to be a secret.

What is wrong is being liable for a debt (or whatever) because a creditor failed to properly verify the identity of a borrower.

Those whole situation can be easily fixed by removing the ability of lenders and governments to claim they verified identity by simply asking for SSN/date if birth.

We have pocket computers with video cameras that can record and transmit spoken agreements within seconds, and we have a nationwide network of USPS offices that already do in person identity verification for issuing passports. Executing the solution is basically done, all that is left is political.

> What is wrong is being liable for a debt (or whatever) because a creditor failed to properly verify the identity of a borrower

You're never liable for a debt you didn't sign for. If someone else used your information, don't pay it. The court will always side with you.

Having to spend time and money to deal with the courts is a liability.

Also, credit and credit reporting is utility/infrastructure with how life is lived, including access to a place to live. So much that the federal government obligated credit reporting agencies to provide people an annual report. Having to spend time and money to fix it is also a liability, in my opinion.

No need to deal with courts. Just ignore it.
I'm not talking about "tax returns", I'm talking about "SSO used by citizens/residents/customers for the federal government", which is what login.gov is.
> Or maybe the quote is wrong that it "hasn't been widely rolled out"?

I think it's wrong in some senses: Login.gov has been rolled out to the SSA, OSHA, Treasury, RRB, VA, DHS, and quite a few other orgs and agencies. There's no one good metric for these things, but if you measure it by org/agency size and/or budget, Login.gov looks very good.

I agree that $187 million is an eye-popping number, and I wish we had the ability to put it into context: it's entirely possible that $187 million spent means that each agency is saving $X million in separate/legacy maintenance each year.

Edit: Another framing is that, if the GSA's user predictions are correct[1], Login.gov will end up costing a little under $2 USD per user.

[1]: https://federalnewsnetwork.com/it-modernization/2022/06/gsa-...

For me, it's not a question of whether the cost is "worth it", but that the cost seems very very high for what seems to have been produced.
Agree with jrochkind1 that it doesn't matter whether it's worth it or not. I suppose chairs and desks for all US Government employees pay for their cost 1000x over, but I would hope people would still not let their costs balloon to more than, say, 2x what they "should" cost by some common-sense metric.
Sure, but what's the common-sense metric here?

As posted elsewhere in the thread: this is ~$40m/year for an IdP/login scheme for the entire USG (and, increasingly, state and local governments). That's significantly less than the engineering talent at companies like Okta and Authy probably cost each year, even before factoring in overhead and non-engineering roles.

All things considered, this looks like a very efficient use of taxpayer money to me. Particularly since it seems to have been primarily paid for on GS pay grades, not with private contractors.

Part of that big price tag is likely because of requirements for any kind of government contracted software, some of which are reasonable, some of which are not. Often companies charge a lot more for complying with those requirements. The Fedramp version of most SaaS offerings is significantly more expensive than the non-fedramp version. And part of that is just to cover paying the higher prices for their dependencies to be fedramp compliant.
$187M = $37M per year

At average FAANG salaries with overhead (benefits, space, equipment both desk and datacenter/cloud, internal workplace support functions like Recruiting, IT, HR, ER, DEI...) that's 60 people.

That's not many when dealing with multiple massive counterparties. You'll see ratios of non-dev to dev easily 10:1 to 30:1.

Yes, they could genuinely spend $187M so far on a project accomplishing only 2 devs x 5 years worth of work and rework.

That's actually good perspective,thanks!
Also consider the cost per taxpayer. At $187 million that's roughly $1 per person. For someone making the average income, it costs them maybe $0.15 in taxes for ID.me.

The IRS estimated that the average taxpayer spends $240 and 13 hours of time on their taxes. Multiply by 157 million taxpayers and that's $37 billion and 2 billion hours of labor. Although likely skewed by a small % who hire professionals, plenty of people spend $100+ on services like TurboTax.

The IRS spending a couple billion to make the tax process a little bit easier is really not a big deal. $187 million is nothing, and if that's all it costs to streamline their ID verification process, then it means the government is much more efficient with our tax dollars than people give it credit for.

Simple to use != simple to make is so often a hard fact to keep in mind when looking at these numbers
A friend has been waiting for the transition to receive last year's tax return-- eventually there will a deadline for collecting it and they'll need to do the video call or whatever (short on documents).
A centralized federal ID system, I'm sure there's no historical precedent for how this could go wrong.
Well don't leave us hanging, what's the precedent? The Nazis using government records to find the Jews in occupied territories? Not really applicable because the IRS and Social Security already know all Americans, including "race". A central ID system could only bring benefits in UX.
We already have a central ID system: the passport. They even come in wallet-friendly card form now.

The difference is it's not a forced central ID system, which is the primary difference between a useful tool and the foundation of a police state. "Your papers, please" was a meme before there was even the concept of memes.

> We already have a central ID system: the passport. They even come in wallet-friendly card form now.

Passports being optional and expensive, they don't fit the same utility as a universal ID system, but you're right, they could.

> The difference is it's not a forced central ID system, which is the primary difference between a useful tool and the foundation of a police state

Laughable bullshit. Specific technical things, especially ones with actual utility, such as ID cards, or speeding cameras, are not "the foundation of a police state". A police state is a systemic thing, and can be achieved with low tech (Stasi) or high tech solutions (drones doing facial recognition and pattern tracking) regardless of utilities available to the general population.

What you actually want is laws and systems preventing police abuses, spying without just cause, tracking en masse, etc.. Refusing utilities that have actual real life applications that are genuinely useful because they could be abused isn't preventing anything. Do you forget the Patriot Act and everything that came out of it? The US president ordering the execution of an American citizen without due trial? Guantanamo? Police abuses on a massive scale? And I'm sorry, it's ID cards that are the foundation of a police state? Your efforts are misguided and wasted.

And again, the US federal government already has multiple ways of knowing everything about anyone - like with IRS records and not to mention credit reporting agencies and telecoms selling this kind of data to whoever, including government agencies. That ship has long ago sailed, why not actually make it into something useful?

As tempting as it is to ignore an argument beginning with garbage like "Laughable bullshit," you immediately contradict yourself by claiming police states are systemic problems and then arguing for a systemic change moving in that direction. You mention "spying without just cause" without addressing the fact that the ACLU considers forced national identity systems to be profound privacy issues.

If you had a real counterproposal involving an achievable goal, such as legislation strengthening protections of existing national ID systems, making them cheaper or more accessible to encourage adoption, or anything at all other than a national forced ID system, it would be a more credible argument. Several states have already passed laws prohibiting compliance with such systems. It's never going to happen without decades of brutal legal battles in a country that can barely pass a budget from year to year.

In other words, the "laughable bullshit" is in fact the default policy and people with your convictions are going to have to be much more convincing of the utility you claim it will bring, which is arguable at best. You say my efforts are wasted, but I don't recall having made any, and here we are with no national ID, and a strong bipartisan opposition to the idea.

I'm not going to bother with the breathless whataboutism, because it's completely irrelevant. The plain fact is that citizens on average don't need to identify themselves to the federal government that often, and those who do already have avenues through which to do it. That's a lot of inertia, and your arguments have so far been insufficiently compelling to overcome it. I remain confident that these conditions will persist.

The problem with historical totalitarian states was that they were totalitarian, not that they had identification.

ID is a basic component of pretty much any functioning bureaucracy. Further, we already have near universal ID at the state level, what about the federal government makes it so much more magically tyrannical than the states?

Germany had identification record systems before they became totalitarian, when Jews were treated as citizens and decorated veterans of WW1 under the law. A person does not know when their government will become totalitarian and cannot rely on legal solutions to data problems.
What you’re saying is that water is wet.

Name a government in existence that functions without a central identification infrastructure of some sort. Having ID isn’t what leads to totalitarianism, it is a ubiquitous fact of having a bureaucracy that delivers services to its citizens.

In most instance, having government id is not a harbinger of risk of totalitarianism. There are more important things to focus on.

>Name a government in existence that functions without a central identification infrastructure of some sort.

Within living memory, the United States of America.

Social Security Numbers Drivers Licenses

And before "but drivers licenses are not national" they effectively are via cooperation between the various states and between the states and the federal government

You were alive when social security was rolled out?
> “Login.gov can handle less than 30 transactions per second,” Rettig told lawmakers. “We need more than about 1,500 transactions per second.”

Even on a $2/mo VPS that's enough for image recognition in something as slow as Python. What gives?

I'm skeptical of the number that Rettig quotes. I'd like to know where he got those numbers. Also, the code that runs Login.gov is (mostly) in the public domain: https://github.com/18F/identity-idp – anybody with a $2/mo VPS could run the code and do their own load testing.
> If you are getting the error:

>

> LoadError: cannot load such file -- sassc

>

> Try make run for a short time, then use Ctrl+C to kill it

That's.. confidence making.

Consider submitting a PR to improve that functionality as a public service.
I am a US person living abroad . I tried to register with ID.me and got stuck on one of the last steps after scanning my face with my webcam, it asked for my phone number. ID.me said all my numbers were not valid, I assume they need a real phone number and not phone forwarding services like Google Voice that I use. I guess my only option to complete the ID.me signup is buy a US sim card, send it to my country, activate it and see if ID.me accepts it. I wish there was an easier alternative.
Tried to do the face scanning for ID.me. Try as I may, it never would work. I tried so many different backgrounds, dark, light, pattern. Indoors, outdoors, sunlight, artificial light, 2 different phones. It finally refused and told me to contact them. I just gave up and moved on.