37 comments

[ 3.1 ms ] story [ 40.3 ms ] thread
Can states build on Login.gov?
Yes, according to https://login.gov/partners/
I can confirm first hand experience states will be onboarded (since 2021 [1]). I would strongly encourage you to advocate within your state for them to partner with Login.gov for government service delivery identity services. There is no reason states should be relying on Okta, Auth0, or ID.me when Login.gov is available and they are offering these partnership opportunities.

Login.gov could also be made available to private businesses, but requires Congressional action to do so (allowing OMB to publish a circular or a memo that would allow GSA to sell Login.gov services to business customers) [2].

[1] https://web.archive.org/web/20220218215902/https://gcn.com/c...

[2] https://beeckcenter.georgetown.edu/wp-content/uploads/2021/1...

That would be pretty cool. Especially if they nail scoping tightly. Classic example: you want to buy alcohol online and need to verify your age. Instead of clicking “yes I’m old enough” (zero validation) or uploading a photo of your drivers license (way too much info), login with your digital ID.

The e-commerce site asks hey is this person (1) a resident of region X and (2) at least Y years old? The e-commerce site is responsible for knowing what ages to check for what regions. ID service is responsible for validating the facts you want to share. You get the age controlled service and no third parties get more info than they need. Better.

(comment deleted)
How would you address concerns from privacy advocates and small-government folks about this expanding federal control into states’ business?
It's a great question, and top of mind (as I considered applying for the open Deputy Director role running Login.gov that recently opened up, and prepared accordingly).

Privacy must always be a first class citizen as it relates to digital identity solutions, and any compromise must be as minimal as possible. Trust alone is not enough, the stakes are too high, and the history of breaches and data loss (both public and private) speak for themselves. I would argue that Login.gov, GSA, and the federal government aren't attempting to control state business, but are acting in service of it. They are a vendor, and if states and local govermnet choose to implement in a manner that allows for pluggability (in order to prevent vendor lock in to Login.gov), that would be reasonable (encouraged even). Login.gov should be chosen because it is the best solution, not the default solution because of .gov. If states and local governments wish to fallback or opt to other solution providers who meet digital identity regulations, they should be able to do so. It is above all, a partnership, not a power hierarchy.

I would also say that governance and transparency are non negotiable, and should be enumerated both contractually and in statute. What Login.gov stores, how long it stores it, how data privacy and security are addressed should be documented and attested to. And most importantly, Login.gov should not have the ability to deny service once onboarded without exceptional cause (codified in statute). It should be treated like a utility: inexpensive, reliable, trustworthy, to the point you forget it even exists. It should Just Work.

I think there's a reasonable case that identity is a 'natural monopoly'.

If we end up with multiple pluggable third parties, what happens when they disagree? There's inevitably going to be data sync issues, and the risk of having an "extra" ID provider lying around that contains bad data, or is simply compromised at the authentication level, is enormous.

So we really want to pick one standard. Given that, a federally backed service has the least hostile incentive structure:

* It would be subject to very strict rules about universal service. I suspect there are going to be private players, and even some more reactionary states, who might try to sabotage industries by denying them identity data. (We see this in payments already, where a lot of firms really don't want to go near porn and guns)

* It doesn't have any reason to look for auxillary revenue. Having it store more data than necessary, or sell it to third parties, becomes politically radioactive rather than good business.

NYS is fucking obsessed with rolling its own everything. It has its own shitty equivalent to login.gov sso that's buggy as hell and even can cause you to duplicate accounts with no deduping possible. They recently launched their own mobile driver license app instead of just integrating with Android or apple wallet. Given the state of other IT projects, it's most definitely political kickbacks to companies like Infosys.
In a rational world, it should be gov.us, but well.
It's just .gov because the US invented the Internet.
Same reason the country code for dialing the US is 1.
The US didn’t “invent” the internet.

It did play a pivotal role in its development, but CERN also was there at the beginning!

The US arguably just deployed it widely first.

You are confusing the internet, which became operational in 1969, with the web, introduced in 1990.

The US Government (specifically DARPA) started funding research into packet-switched networks in 1960, and funding by the USG for the internet continued uninterrupted until it was clear that the internet no longer needed outside funding in 1992 or 1993. Internet email dates back to 1972. Multiplayer online games began on the internet in 1979 (but they were text-only). Richard Stallman started using the internet to distribute free software in 1984.

Just to defend myself from the pedants out there: it was not called the internet till 1983. Before then the name alternated between ARPAnet and DARPAnet, but the userbase remained mostly the same across the transition to the name "Internet", and email, multiplayer games and other services (FTP, telnet) continued with only minor interruptions.

That's not necessarily true. I think this speaks to how American Exceptionalism (often observed in US defaultism on the web) is a problem.
Not being sure that your brand new invention will even be useful, and therefore not bothering to think about international politics while inventing packet switched networking is now “American exceptionalism”? That’s just absurd.
This is a law signed by California governor Gavin Newsom, so it only affects cities and counties in California — not all cities and counties in the US (which would be great).
That's nice. Our city uses .org, but even small technical tasks takes them forever - I expect a huge mess until they finally transition successfully!
What about .ca.us? How do they choose between .us and .gov?
The problem with .us here is that private entities can register domains there.

I think this change is great, because when you are looking for official information for a city or county and all you find is a .com, there's no way to be sure it's legit. Using .gov signals it's official, but .us does not.

I didn't realize, thanks for explaining.
Yikes. Stupid phone thinks it can spell better than me. Fixed. Thanks.
Ah I first misred "countries" and thought, wow
(comment deleted)
This is a control thing - if a city or county wishes to secede from the state, its website and emails can be shutdown easily now.
That's okay. In my experience every time some place secedes they always want to redesign the website anyway.
Is this even possible?
No, cities do not have the right to secede and there's no legal mechanism for them to do so. California practices home rule and cities have a lot of power, but they still are overridden by state laws.
or else what?

did this law codify any penalties?

I propose CalPERS pension invalidation for everyone thats ever been employed in that municipality, I think this is the trick that can change departments from the inside when the old guard gets affected

In August 2023, I received this text message from a number I don't recognize:

  Do you live in San Francisco and have a child age 7 or younger? Take a 10 minute survey to share your voice! The first 300 participants will get a $10 gift card! https://tinyurl.com/bdzxjsvu
The message didn't have any information about who it was from, or how they got my number.

Also, the link was to a URL shortener, which is often used for scams. I was curious, so I clicked anyway.

The link redirected to a form on another web site:

https://survey.communityvoicecommunitychoice.com/jfe/form/SV...

That website said it was an SF government department. But the web site domain did not end in sf.gov, which made me more suspicious.

I was curious about the questions, though, so kept clicking through.

But then just before the end or the survey, it wouldn't let me continue without entering my full name and email address.

I decided to alert someone at the department which allegedly hosted the survey. When I Googled the department name, the first result had the domain sfdec.org

Now, if SFDEC actually exists, then there's a good chance that sfdec.org, being the first link, is legit.

But I had never heard of that department before, so how could I know it was legit? It would take a bunch of time to look at .gov sites and see if they refer to sfdec.org

I emailed someone listed on the sfdec.org site, and they replied saying the survey was legit. But to this day I'm not sure whether the sfdec.org site is a legit government site.

It seems like it would be easy to create a fake department and fake web site.

In at least this case, sf.gov confirms the existence of the agency[1], and has a page linking to sfdec.org[2][3]. So, it most likely really is just government agencies being bad at domains here.

[1]: https://www.sf.gov/news/san-francisco-launches-new-departmen...

[2]: https://www.sf.gov/departments/child-care-health-program-cch...

[3]: https://provider.sfdec.org/ (linked as "Department of Early Childhood Provider Portal" in [2])

Right!

(This was almost a year ago and I don't recall whether I did the checking you did. The other details, the ones I shared above, are from an email I wrote at the time, which is why I'm certain of those.)

Most people won't do that sleuthing, and will instead just shrug and permanently drop their guard.

> “…will instead just shrug and permanently drop their guard.”

?? Go back to Instagram cat videos — ignore, disengage…

Way back when the Interwebz were just a twinkle in Mr. Berners-Lee eye, high-speed networks were 56K (when you could use the phone line), and domains without exclamation marks in them [1] were all shiny and new, I was supervising IT at a particular municipality. Nobody quite knew how this DNS thing was supposed to be arranged, but like any good Yellow Pages it should be arranged geographically. So I filled out a (paper) form and (paper) mailed it to the registrar, and got us a (free) (for life) domain--ci.<9letrcity>.<st>.us. Just checked, they're still using it. No telling how many times I've been anonymously cursed.

Edit: Think I got us a Class C too, although we had no way to route it.

[1] https://en.wikipedia.org/wiki/UUCP