cross-posted from: https://lemmy.ca/post/60478981
Borges alleges that a little-known federal tech team called the Department of Government Efficiency, or DOGE, copied the government’s master Social Security database into a cloud system that lacked normal oversight.
If his account is correct, the mishandling of this information could expose hundreds of millions of people to fraud and abuse for the rest of their lives.
The whole idea that we have some permanent “secret” number which is used to uniquely identify us is just really, really dumb in this day and age. There are better solutions, but they are hard, cost money and will probably face an insane level of political resistance. So, we continue to lurch on with the dead corpse of a bad idea that is social security numbers. But hey, at least it’s cheap, right?
What if social security was instead a gpg key pair?
Although it will probably become a blue checkmarked profile on X.com
Do you have any idea how many people will lose their key?
Could set up a key escrow with the issuing agency so there is a recovery mechanism if they can prove their identity through other means. That’s at least as secure as the current model in terms of issuance.
Ideally we would move towards self-sovereign identities, but that’s a whole other effort.
You’re thinking of digital signatures, which have their own issues to solve.
That’s really my thinking on it. Though, I would do the same thing the US Government does for ID cards now: smartcards.
So, we already have the Read ID act, which started the standardization of ID in the US, let’s take it one step further. The US Government stands up a PKI infrastructure, which then issues subordinate issuer certificates to the States. The States are then in charge of issuing each person a smartcard with a personal digital certificate. These cards would be tied to drivers licenses or state ID cards, much as Real IDs are today. There would need to be a Federal standard on what types of card technologies would need to be used. And we’d probably want both contact chip and NFC communications.
When you want to access Government services or specific areas which actually need that level of identity confirmation, you would go through a similar process to any digital certificate login. You tap/dip the card, enter a pin and the systems exchange an encrypted nonce to verify the private key. I’d also want to see some regulation around when you can be asked to use it. With GDPR style fines (e.g. 5% of global revenue, per incident) behind those regulations.
To throw a bone at the “think of the children” crowd, to get them on-board politically, it would also be interesting to investigate the possibility using the system for age verification, without providing identification to anyone. E.g. using something akin to a zero-knowledge proof, or just a bit which can be set when signing a nonce which shows that the ID is valid for whatever age is required for something. But maybe that’s just my not-quite-awake brain coughing up silly ideas.