Not them, but I do! https://youtu.be/s1fxZ-VWs2U
Not them, but I do! https://youtu.be/s1fxZ-VWs2U
Everyone knowing your identity? The drawbacks would far outweigh the benefits. However, there may be a path to the benefits of a Real ID sign-up system that mitigates the possible harms.
First of all, let’s get this out of the way - this “minimal harm” approach would only be feasible if the government could either reach some level of technical competency or farm out the task to heavily restricted private corporations that do have that competence. If we presume that’s the case (unlikely), the question becomes whether the people would be willing to accept it. If we presume the majority of citizens also want such a thing (a tall order to be sure, I certainly don’t want it), then the question becomes what sort of system would be able to maximize privacy, and thus safety, while still requiring your real identity to be involved in creating online accounts? What would that system look like?
We’d absolutely need a level of abstraction. The government knows who you are anyway, but the business entity you’re interfacing with would get a unique token from the government that is not your actual Real ID number but which is a hash generated from the business’s (salted) ID number and your own salted ID number (idk I’m not a cryptographer).
Signing up for an account would resemble using Google or Facebook to create an account; you’d be redirected to some third party Identity Verification System (IVS) which would handle identity verification and redirect you back to the account creation with the extra piece of information provided by the third party. You’d still pick a username, password, etc.; the government database would only be used to generate that unique token.
More specifically, the website or service would only be passed a token from the IVS, uniquely generated based on the company ID and the person’s ID, and the government database would only keep the token, not any of the data used to compute it. (That’s not counting China and other authoritarian states, of course - they’d definitely retain all that information and have a list of all the sites you have accounts with. This wouldn’t solve that problem.) This would make the IVS database virtually useless on its own, as an attacker who compromises the database has no way of knowing which token is associated with which website, and cannot derive it themselves unless they’ve also compromised one or more target websites at the same time. The cryptographic stuff would be rotated once it’s known that a breach has occurred, so such breaches would likely be limited to state actors or black-hat groups that hoard zero-days.
Now, what would all this accomplish? What would it make possible that currently isn’t outside of China?
What would this system not do? What doesn’t change compared to now?
Even in the grandest, best-possible-case scenario I can think of, it still comes down to “Can I trust my government to not take more information than they’re allowed to, and can I trust that they will not abuse the information they do obtain?” For many, I suspect the answer to both questions is no.
Tweet not found, not even when I change the URL to go directly to Twitter. Was it deleted?