The US Identity System
What do we need an identity system for?
Everything. We need a public online presence that is authentic, trusted, cannot be impersonated, and that I can use in the real world as well as the online world. Many serious problems like fraud and identity theft are rooted in the fact that we don't have a trusted identity system. The technology already exists and we use it everywhere today.
This system holds our individual identities and must therefore be held in the public trust. Our public identities should be treated with the same care that we would protect people. This system extends into the physical world typically through a smartphone or payment card.
A very brief primer
I think the easiest explanation for non-technical people is by real-world example. I will use the scenario of accessing your IRS information using their identity provider ID.me.
- A person tries to access their personal info on IRS.gov
- If they are not already authorized, then it redirects them to id.me to get an auth token
- If the person doesn't have an account, there is a one-time setup.
- It is a pain in the butt because it verifies that you are who you say you are in a very thorough way.
- You only have to ever do it once.
- If I am an objective observer, I am very confident that they are the authentic individual they claim to be.
- The IRS will likely need access to some specific items of your personal information. They would ask for you to allow their access to those items so they can provide the service.
- The person authenticates with id.me and returns to the irs.gov site with the new token, and it shows them the content.
- If they go to any other irs.gov page (or any service using that provider) then they do not need to log in again.
We use identity systems every day. It is a mandatory requirement for any system in FedRAMP scope so this is nothing new for you. It consolidates the platform identities spread across various providers into a single identity with strict identification requirements. The id.me system used by the IRS is an example of one such system and is the one I would probably consider first. All other systems must accept this federation.
A few use case scenarios
Thar's gold in dem thar hills. Here are a couple of free ideas for all you prospectors out there.
Online transactions
A huge problem online is that we don't know who we are really dealing with. Behind a username could be a citizen, bot, criminal, foreign agent, or really just about anything. With a reliable and secure identity, most impersonation fraud becomes useless.
Age Verification
For online age verification we only need to know whether someone is over 18 or 21. When you log in with your identity, it communicates only that as true or false, without your name or birth date.
In real-world scenarios I imagine a small box that communicates over Wi-Fi. You put it at the entrance to a bar, for example, and patrons tap their phone on it. A phone app would show their photo and a checkbox that indicates whether they are over 21. Much better than exposing your entire ID and much easier to verify.
A payment system
Are you tired of Visa and Mastercard ripping everyone off for 4% on every transaction? I know I sure am. The worst part is no one can speak out against them because Visa and Mastercard can prevent them from doing commerce. These actors think they are untouchable, but they unfortunately just met me.
We cannot allow unelected, unaccountable private entities to exercise Article I authority. Make a payment system that is beholden to the public. This is literally a national security threat as these companies could halt commerce.
While we're on it, I don't know how much we've spent on REAL ID so far, but I suspect we're getting ripped off big time.
Just saiyan.
Digitally sign the things we create
A nice thing about a common identity is that we all recognize the same authority so we can use it to produce digital signatures that can only be produced by you and can be verified by anyone. Signing a document is the most obvious use.
Electronic works
Why not sign other things? It would be nice to take a photo that gets automatically signed proving that we made it. With all pictures signed we can remove deepfakes and AI nonsense. Our browsers would need a feature to block unsigned pictures by default and we would need to define the protocol. Fortunately, it isn't rocket surgery.
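The signed-photo idea above, worked through as an added example (this is not the author's design or any existing protocol; the manifest format, the `identity.example` creator handles and the `Directory` lookup are assumptions standing in for the identity system). The device hashes the exact image bytes and signs the hash together with the creator's handle; a browser re-hashes the bytes it received, fetches the creator's published key, and under a block-unsigned-by-default policy shows the picture only if everything checks out. Altered bytes, a manifest re-attributed to another creator, an unknown creator, or no manifest at all are all blocked.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest travels with the image as a sidecar or embedded metadata: who made
// it, a hash of the exact bytes, and the creator's signature over both.
type Manifest struct {
	Creator   string `json:"creator"` // creator's public handle in the identity system (hypothetical)
	SHA256    []byte `json:"sha256"`
	Signature []byte `json:"signature"`
}

// signedBytes fixes what the signature covers: a version tag, the creator and
// the hash, so one signature cannot be reused for another creator or format.
func signedBytes(creator string, h []byte) []byte {
	return append([]byte("signed-work-v1\x00"+creator+"\x00"), h...)
}

// SignWork runs on the device at capture time with the creator's private key.
func SignWork(creator string, priv ed25519.PrivateKey, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Creator: creator, SHA256: h[:], Signature: ed25519.Sign(priv, signedBytes(creator, h[:]))}
}

// Directory maps creator handles to the public keys published through the
// identity system; a browser would look these up there (assumed interface).
type Directory map[string]ed25519.PublicKey

// Decision is the browser's verdict under a block-unsigned-by-default policy.
type Decision string

const (
	Show  Decision = "show"
	Block Decision = "block"
)

// CheckWork re-hashes the bytes, finds the creator's key, and verifies the
// signature. Anything unsigned, altered, or from an unknown creator is blocked.
func CheckWork(image []byte, m *Manifest, dir Directory) (Decision, error) {
	if m == nil {
		return Block, errors.New("unsigned image")
	}
	h := sha256.Sum256(image)
	if !bytes.Equal(h[:], m.SHA256) {
		return Block, errors.New("image bytes do not match the signed hash")
	}
	pub, ok := dir[m.Creator]
	if !ok {
		return Block, fmt.Errorf("unknown creator %q", m.Creator)
	}
	if !ed25519.Verify(pub, signedBytes(m.Creator, h[:]), m.Signature) {
		return Block, errors.New("signature does not verify for this creator")
	}
	return Show, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{"alice@identity.example": pub}
	image := []byte("constructed stand-in for JPEG bytes") // constructed sample input
	m := SignWork("alice@identity.example", priv, image)
	sidecar, _ := json.Marshal(m)
	fmt.Printf("manifest: %s\n", sidecar)
	d, err := CheckWork(image, &m, dir)
	fmt.Println("original:", d, err)
	altered := append([]byte{}, image...)
	altered[0] ^= 1 // flip one bit, as a re-encode or edit would
	d, err = CheckWork(altered, &m, dir)
	fmt.Println("altered: ", d, err)
}
```

The hash is checked separately from the signature only to give a more specific reason for the block; the signature alone already covers the hash, so a swapped hash would fail verification anyway. Binding the creator handle into the signed bytes is what stops a valid signature from being lifted onto a manifest that names someone else.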
Physical creations
In the real world I'd love something like microscopic RFID chip beads that could be flashed with an artist's digital signature. They could mix these beads with their paints and digitally sign their real picture as they paint it. Later an observer holds their phone near the finished work and it shows info about the picture, artist, etc. I'd love to see what artists like Banksy do with technology like this.
Privacy concerns
Whenever government centrally collects personal data there is a valid concern that it not become a tool of oppression. Past efforts have mostly relied on anonymity, obscurity, and keeping data compartmentalized. This comes with several disadvantages that I won't talk about here but I will offer this thesis without proper foundation anyway:
The best way to protect privacy is with a central identity system authorized by the public and serving the exclusive interests of our citizens through privacy and transparency.
We've been working on digital privacy legislation for years and can't even produce a lame solution like GDPR. America can do way better when it's working for its own interests instead of by consulting with CEOs who are more worried about what privacy does to their illegitimate use of my data.
Our Personal Data and Data Brokers
Private companies cannot be trusted with our personal data because users of our data have failed to protect it, use it responsibly, or be held accountable in literally any way. Their fiduciary responsibility is to their company and not to the owner of the data.
This is evidenced by the alarming number of personal data breaches over the past few years. Any news about these events and about data brokers like LexisNexis quickly disappears from the public eye. It has caused billions of dollars in damage to consumers and continues every year. This is how the personal data brokerage industry communicates where I should be focusing my privacy efforts. These problems disappear when consumers are in control of their own data.
I assert ownership over my identity and all information that personally identifies me. I reject all other claims to my identity and its derivatives as illegitimate.
Private companies have proven repeatedly that they cannot be trusted as wardens of our personal data. It must be an entity with fiduciary responsibility to the public.
Social Media Privacy
This gives us a way to know who we are interacting with and whether we want to be interacting with them. An online forum won't have any more information than "this entity is a unique authentic human" and their username. You know it wasn't shared because you didn't approve the service to share it, and they can get it no other way.
Limiting government access
Law enforcement concerns are valid, and I would address them with our court warrant system, requiring valid scope, time, and access requirements. It would be nice if the access requests were made public by default in some way, maybe after the case has resolved.
Commercial data access
I think we could provide datasets with anonymous data and aggregate usage using the standards that we control. I would suggest that we use this mechanism to generate revenue that funds the project.
Data consumers and brokers will use our data only with a legally binding contract. It will be for data specifically approved by the owners, for specific purposes, for a limited time, and it cannot be resold. Other organizations who want access to our data must make their own agreement with us. Any other use of our personal data is illegal and must be recognized as unlawful.
I'm going to upend your business models and there is nothing that you can do about it. You will compensate us for the use of our data. This is your new business model and I recommend you adapt now. The early executive lands the business opportunity or however that expression goes. Don't wait until I've completely broken you. By then it will be too late to save your company.
Don't let private companies get rich while we're just stuck with their bill.
Oh and while we're on this subject: Companies will try sticking us with their huge AI compute costs while they profit from the outputs. Don't let these weasels fleece us yet again. Wall Street, I've got my eye on you. You will steal our tax revenue no longer because your days of legislative capture end now.
Implementation overview
As noted above, an identity system is a mandatory requirement for any system in FedRAMP scope, so this is nothing new. It consolidates the platform identities spread across various providers into a single identity with strict identification requirements. The id.me system used by the IRS is an example of such a system and is the one I would probably consider first. This is what we need in general:
- People will create their identities when they first use a service that uses it like in the IRS example.
- Internet services that use personal data must:
  - Accept this as a federated login.
  - Only store and use personal data that they have been specifically granted access to. The access must be limited appropriately in scope and time.
- The service should generate a unique ID by domain to prevent cross-domain data sharing but still let a site know that you are a specific unique user.
Implementation and maintenance costs are very low overall for all actors.
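The mechanics behind the primer's IRS flow, the true/false age check, and the per-domain unique ID above, as one added example (not the author's code and not how id.me or the IRS actually implement it; the `IdentityProvider`, the `gid-…` global IDs, the `bar.example` domain and the token layout are assumptions for illustration). The identity provider derives a different subject ID for every domain with a keyed HMAC, so two services cannot join their records, while the same service sees the same ID on every visit. The token it signs carries only the domain, an expiry, that subject ID, and the attributes the person approved; "over 21" is computed by the provider so the birth date and name never leave it. The service side checks the provider's signature, that the token was issued for its own domain, and that it has not expired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is everything a service receives: a subject ID that differs per domain,
// the domain it was issued for, an expiry, and only the attributes the person
// approved. Name and birth date are never part of it.
type Claims struct {
	Sub    string `json:"sub"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Over21 *bool  `json:"over_21,omitempty"`
}

// Token is the signed envelope carried back to the service after the redirect.
type Token struct{ Payload, Signature []byte }

// person is the record from the one-time identity verification; it stays with the IdP.
type person struct {
	Name      string
	BirthDate time.Time
}

// IdentityProvider is a hypothetical stand-in for a verifier such as id.me.
type IdentityProvider struct {
	signKey     ed25519.PrivateKey
	pairwiseKey []byte
	people      map[string]person // global ID -> verified record (never released)
}

// NewIdentityProvider makes fresh keys and two constructed sample identities;
// the returned public key is what every service trusts.
func NewIdentityProvider() (*IdentityProvider, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	pk := make([]byte, 32)
	if _, err2 := rand.Read(pk); err != nil || err2 != nil {
		panic("key generation failed")
	}
	people := map[string]person{ // constructed sample data
		"gid-0001": {"Alice Example", time.Date(2000, 3, 15, 0, 0, 0, 0, time.UTC)},
		"gid-0002": {"Bob Example", time.Date(2010, 6, 1, 0, 0, 0, 0, time.UTC)},
	}
	return &IdentityProvider{signKey: priv, pairwiseKey: pk, people: people}, pub
}

// PairwiseID is the subject a given domain sees: an HMAC over (domain, global ID)
// keyed with a secret only the IdP holds. Two services cannot join their records
// on it, yet one service gets the same value on every visit.
func (idp *IdentityProvider) PairwiseID(domain, globalID string) string {
	mac := hmac.New(sha256.New, idp.pairwiseKey)
	mac.Write([]byte(domain))
	mac.Write([]byte{0}) // separator: "ab"+"c" must differ from "a"+"bc"
	mac.Write([]byte(globalID))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Issue signs a one-hour token for one domain. Only approved scopes are filled
// in, and "over_21" is computed here so the birth date stays with the IdP.
func (idp *IdentityProvider) Issue(globalID, domain string, scopes []string, now time.Time) (Token, error) {
	p, ok := idp.people[globalID]
	if !ok {
		return Token{}, errors.New("no verified identity for this person")
	}
	c := Claims{Sub: idp.PairwiseID(domain, globalID), Aud: domain, Exp: now.Add(time.Hour).Unix()}
	for _, s := range scopes {
		if s == "over_21" {
			v := !now.Before(p.BirthDate.AddDate(21, 0, 0)) // 21st birthday reached
			c.Over21 = &v
		}
	}
	payload, _ := json.Marshal(c) // marshalling a plain struct cannot fail
	return Token{Payload: payload, Signature: ed25519.Sign(idp.signKey, payload)}, nil
}

// VerifyToken is the service side: check the IdP signature, audience and expiry.
func VerifyToken(t Token, idpPub ed25519.PublicKey, myDomain string, now time.Time) (Claims, error) {
	if !ed25519.Verify(idpPub, t.Payload, t.Signature) {
		return Claims{}, errors.New("not signed by the trusted IdP, or altered in transit")
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Aud != myDomain || now.Unix() >= c.Exp {
		return Claims{}, fmt.Errorf("token not valid for %q at this time", myDomain)
	}
	return c, nil
}

func main() {
	idp, pub := NewIdentityProvider()
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	tok, _ := idp.Issue("gid-0001", "bar.example", []string{"over_21"}, now)
	c, err := VerifyToken(tok, pub, "bar.example", now)
	fmt.Printf("%s\nover21=%v err=%v\n", tok.Payload, c.Over21 != nil && *c.Over21, err)
}
```

The audience check matters as much as the signature: without it, a token the person obtained for one site could be replayed to another, and the per-domain subject ID would then be the same value at both. Returning a stable pairwise ID also keeps the "unique authentic human" property the social-media section asks for, without handing the forum anything it could correlate with another service.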
Summary
It's not fully specced out but there is enough information to generally show what you need and what it can do. We need it and we need to maintain national sovereignty over the system. We cannot let private companies or other governments have any authority within it.