<!--
-government promoting standards reference
-this is not a proposal, it is a historical summary
- audited control resource use is not obvious the denial attack
- 10. looks little funny,
-
-
-awkward sentency: Problems typically cannot be ignored, as they either prevent work from being done, or must be addressed as being urgent because they are related to security. as is the next one
-
-need transition before the bottom part of the intro
-
-As we will see in this white, sometimes misconceived
-
-as a reader will learn from this whitepaper could be transition,
-
-better alternatives? we need to rethink the whole stack
- ----
-
- one of the reasons we work together
-
- productivity -> superior innovation
-
- capacity for articulation
-
-add copyright notice
-
-fix this:
-<p>The stereotypical image of a group online is a Zoom meeting. However, online groups include
-
-
-->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
- <title>About Computer Security</title>
+ <title>On Cybersecurity and Commonsense</title>
<script src="setup.js"></script>
<script>
window.StyleRT.include('RT/theme');
</head>
<body>
<RT-article>
- <RT-title
- author="Thomas Walker Lynch"
- date="2026-05-13"
- title="About Computer Security">
- </RT-title>
+
+ <rt-title
+ title="Reflections on Contemporary Computer Security Legislation"
+ author="Thomas Walker Lynch" date="2026-05-16"
+ copyright="2026 Thomas Walker Lynch - All rights reserved."
+ >
+ </rt-title>
<RT-TOC level="1-2"></RT-TOC>
The lost password problem led to the need for vulnerable password replacement policies.
</p>
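Review bot: the two titles now disagree: the head `<title>` becomes "On Cybersecurity and Commonsense" while the `<rt-title>` title attribute becomes "Reflections on Contemporary Computer Security Legislation"; choose one string and use it in both places so the browser tab, the TOC and the article header match. Two smaller points in the same region: the element is lowercased to `<rt-title>` while the surrounding `<RT-article>` and `<RT-TOC>` keep the uppercase spelling, and the unchanged `<script>` opened for `window.StyleRT.include('RT/theme')` has no closing `</script>` before `</head>`, so the theme include may never execute.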
- <p> Thus after an attacker bypassed conventional security, the would-be cybercriminal, informally called a hacker, would attempt to either: abuse the password replacement policy, find a way around logging in perhaps due to a software defect, or obtain a password. Common methods for obtaining a password were to be involved in a project and be given one, bribe or trick a person involved in a project to share it, guess it, or steal it.
+ <p> Thus after an attacker bypassed conventional security, the would-be cybercriminal, informally called a hacker, would attempt to either: abuse the password replacement policy, find a way around logging in perhaps due to a software defect, or obtain a password. Methods that have been used for obtaining a password include: getting involved in a project and be given one, to look over the user's shoulder as he or she typed it, to ask for it, to bribe or trick a user, to guess it, to install a keyboard logger, to find it written down or in records, to crack the password file, to see it in transit over a network connection, to use a Trojan horse or virtual machine, physical coercion of the user, or as a final escalation instead to corrupt the administrator. Alternatively, a session can be hijacked after a user has already logged in.
</p>
<p>
</p>
<p>
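Review bot: the expanded list of ways a password is obtained is not parallel: "getting involved in a project and be given one" mixes a gerund with a bare verb, and the remaining items alternate between infinitives ("to look", "to ask", "to guess") and noun phrases ("physical coercion of the user"). Recast every item in one form, for example "to be given one by joining a project, to look over the user's shoulder as it is typed, to ask for it, to coerce the user physically". The empty `<p></p>` pair left in the unchanged context right after this paragraph can go in the same pass.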
- New forces have intensified the cybersecurity problem. These have emerged due to the existence of a global Internet that was not designed to be secure, the existence of honeypots such as government databases, the prevalence of e-commerce, and the macro trend of the economy shifting to an intellectual property basis. In this latter case there is now stiff competition among global companies and among the state institutions of the various countries to know what each other are up to. There still exist students such as the Christmas Card author who create mischief, the disgruntled employee, or the would-be thief. However, in addition there are now entire departments of state hackers and multinational organized crime groups involved. As examples, there are teams of scammers functioning like call centers in India, and companies specializing in hacking for profit in Turkey. There was a do-it-yourself be-a-scammer software package for sale in Nigeria. State sponsored hackers from North Korea stole bitcoin from a major hub. A building of Russians were busy adding fuel to controversies in social media in comment sections. They enter Europe and the U.S, not through airports, but via the Internet.
+ New forces have intensified the cybersecurity problem. These have emerged due to the existence of a global Internet that was not designed to be secure, the existence of honeypots such as government databases, the prevalence of e-commerce, and the macro trend of the economy shifting to an intellectual property basis. In this latter case there is now stiff competition among global companies and among the state institutions of the various countries to know what each other are up to. There still exist students such as the Christmas Card author who create mischief, the disgruntled employee, or the would-be thief. However, in addition there are now entire departments of state hackers and multinational organized crime groups involved. As examples, there are teams of scammers functioning like call centers in India, and companies specializing in hacking for profit in Turkey. There was a do-it-yourself be-a-scammer software package for sale in Nigeria. State sponsored hackers from North Korea stole bitcoin from a major hub. Russian operatives in a facility were busy adding fuel to controversies in social media comment sections. They enter Europe and the U.S, not through airports, but via the Internet.
</p>
<p>
<p>It would not work to have young users self identify. What would have to be done is for all users to identify, then those who identify and are too young, or those who do not identify, would be treated differently from those who identify and are old enough. Registration would happen once per device, resulting in an 'this is an old person' certification token being placed in the user's <RT-term>wallet</RT-term>, or even better from the point of view of industry, the token would identify the user, then could be used to key databases for storing and retrieving advertising or other profile information on the user. Presumably the wallet would be automatically queried via public key cryptography when visiting any website.
</p>
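Review bot: the reworded paragraph names specific countries and incidents (call-center scam teams in India, hacking-for-profit companies in Turkey, a scam kit sold in Nigeria, North Korean bitcoin theft, the Russian comment-section operation) without a single citation; for a white paper addressed to legislators each of these should carry a reference, or be softened to "reported" examples. "The Christmas Card author" assumes an earlier section that is not in this region, so add a back-reference, and "U.S," is missing its period.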
- <p>In summary, we desire to be productive and have a good experience when computing and when online. With this goal in mind, cybersecurity professionals have developed a security stack consisting of the following layers (the first item being the base):
+ <p>In summary, to date the cybersecurity stack looks something like this:
</p>
<ol>
<li>Authentication/Identification</li>
<li>Data isolation</li>
<li>Network integrity</li>
- <li>Audited/controlled resource use</li>
+ <li>Audited/controlled resource use to prevent denial of services</li>
<li>Well designed software</li>
<li>Streetwise users, and protection against those who are not</li>
<li>Sophisticated virus scanners</li>
<li>ID/E-commerce facilities</li>
- <li>Golden flower garden social media forums guards</li>
+ <li>Moderating social media forums</li>
<li>Cybersecurity laws and enforcement</li>
</ol>
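Review bot: the shortened intro "to date the cybersecurity stack looks something like this" drops the statement that the first item is the base, yet the text later refers to levels by ordinal ("the 10th level"), so keep the ordering convention in the intro. In the fourth item "to prevent denial of services" should read "to prevent denial of service". The ninth item is renamed to "Moderating social media forums", which is clearer than "Golden flower garden social media forums guards", but the later paragraph that discusses this level still uses the old name and should be updated with it.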
+ <p>Readers will learn from this white paper that the stack is straining under the weight; when things do not go right, the productivity loss has become palpable. This is most apparent to those on the outskirts of our system, the very people who need help to engage, but they are being pushed away. We need simplification, not more layers. Yet, more layers are being called for.
+ </p>
+
<p>
- With each new security problem, we gained a new layer on the security stack. Each layer represents logic that can have bugs and must be maintained. Maintenance can be more difficult than for typical production software. Problems typically cannot be ignored, as they either
- prevent work from being done, or must be addressed as being urgent because they are related to security. These layers must interoperate, leading to an exponential explosion in the number of cases to be checked and maintained.
+ With each new security problem, we gained a new layer on the security stack. Each layer impacts users, runs the risk of having bugs, and must be maintained. These layers must interoperate, leading to an exponential explosion in the number of cases to be tested and maintained. If any scenario is not tested there might be a vulnerability found by a hacker.
+ </p>
+
+ <p>
+ Maintenance of the security stack can be more difficult than for typical production software. This is because security problems can prevent work, and because they are viewed as urgent. Yet security problems require special expertise to fix. Any mistakes made might cause new vulnerabilities.
</p>
<p>
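Review bot: in the new maintenance paragraph, "Yet security problems require special expertise to fix" signals a contrast that is not there; the preceding sentence says the problems are urgent, and scarce expertise compounds urgency rather than opposing it, so "Moreover" or "In addition" fits better. In the paragraph before it, "If any scenario is not tested there might be a vulnerability found by a hacker" reads more precisely as "Any untested interaction between layers is a potential vulnerability", which also ties the sentence to the combinatorial point just made.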
- Because sometimes security measures are misconceived, layers overlap, and technology changes quickly, some of the features found on the security stack will be <i>security theater</i>, defined as being measures taken that look protective, satisfy a checklist, or create an impression of safety, but do little to address the underlying threat. Examples include password rotation policies that force users to invent forgettable passwords, CAPTCHAs that waste seconds of human life while machines sail past, and identity checks that verify nothing but a credit card number stolen from the same dark web they claim to fight.
+ As readers of this white paper will see further on in the text, sometimes security architects miss the forest for the trees. And because sometimes security measures are misconceived, layers overlap, and technology changes quickly, some of the features found on the security stack might be merely <i>security theater</i>, defined as being measures taken that look protective, satisfy a checklist, or create an impression of safety, but do little to address the underlying threat. Examples include password rotation policies that force users to invent forgettable passwords, CAPTCHAs that waste seconds of human life while machines sail past, and identity checks that verify nothing but a credit card number stolen from the same dark web they claim to fight.
</p>
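Review bot: this paragraph and the one moved in just before it both open with a forward reference to what "readers of this white paper will see"; one is enough. The moved paragraph also lost its closing sentence, "As discussed later in this paper, there is a better alternative course", which was the only pointer to the new "Making the security situation better" chapter; consider restoring that sentence there and dropping the forward reference here, so that "miss the forest for the trees" is not stated twice in the introduction.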
- <p> As a reader will learn from this white paper, the stack is straining under the weight; when things do not go right, the productivity loss has become palpable. This is most apparent to those on the outskirts of our system, the very people who need help to engage, but they are being pushed away. We need simplification, not more layers. Yet, more layers are being called for. As discussed later in this paper, there is a better alternative course.
- </p>
<h1>The garden of golden flowers</h1>
<p>
- A group of people working as an entity can potentially be more intelligent than any individual in the group. This is why we often work together. It does not always work out, but when it does we metaphorically have a garden that produces the golden blossoms of productivity.
+ A group of people working as an entity can potentially be more intelligent than any individual in the group. It does not always work out, but when it does we metaphorically have a garden that produces the golden blossoms of innovation.
</p>
<p>
</li>
<li>
- <RT-term>articulation capacity</RT-term> Some members, or at least one member, can translate raw data and wild ideas into intelligible articulated proposals.
+ <RT-term>capacity to articulate</RT-term> Some members, or at least one member, can translate raw data and wild ideas into intelligible articulated proposals.
</li>
<li>
<p>A voting procedure is not a <RT-term>success metric</RT-term>. With voting a count is made of group members’ individual opinions of whether a proposal should be selected. Each member applies their own criteria, which can be subjective. Sometimes a success metric cannot be found or agreed on, and voting might be the best option for the group, but not having a predefined success metric reduces the probability that the group will form a garden of golden flowers.
</p>
-<p>The stereotypical image of a group online is a Zoom meeting. However, online groups include social media of all types, and situations such as seeking customer support. For electronic meetings not all participants need to be present at once. For example, the members of an email list. Once we allow that not all members are present at once, we can include people and the companies they interact with, for example, when a person orders from Amazon. Fundamentally, if a computer and a network are involved, the activity can probably be characterized as a cybergroup interaction.
+<p>
+ Group dynamics come into play in many digital collaboration scenarios. There are the obvious cases of group video meetings and comment sections on news articles. However, fundamentally any activity connecting a person across a network to another human or organization acts as a group interaction. Systems such as email lists and social media forums function as groups where members are rarely present simultaneously, extending participation across time. Applying this principle of asynchronous interaction, commercial and service relationships, such as a person requesting customer support or placing a retail order, also constitute a shared digital space.
</p>
Such attacks can prevent any or all individuals from participating, deny them access to required resources, steal work product, cause latent damage for example by installing a virus, or leverage access to gain entry into meetings as an actual, spoofed, or imaginary person.
</p>
- <p>The 10th level, the "Golden flower garden", an attacker can make contributors uncomfortable to speak, or attempt to annihilate one or more of the qualities that lead to productive meeting that were listed in the prior section. We probably do not need to expand upon this further here, because as of the date of writing all of us have experienced Internet trolls.
+ <p>The 10th level, the "Golden flower garden", an attacker can make contributors uncomfortable to speak, or attempt to annihilate one or more of the qualities that lead to productive meetings that were listed in the prior section. We probably do not need to expand upon this further here, because as of the date of writing all of us have experienced Internet trolls.
</p>
The negative consequence of <RT-term>byzantine security</RT-term> is the creation of a digital underclass. Those who cannot perfectly navigate the eleven layers of the stack are pushed to the outskirts of the network. They are silently exiled as their accounts are locked, and their communications with the system are severed. When a system prioritizes an impenetrable checklist of security theater over human usability, it methodically sterilizes the network, deliberately cutting off the very group intelligence that makes the system valuable in the first place.
</p>
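Review bot: the sentence "The 10th level, the "Golden flower garden", an attacker can make contributors uncomfortable" is still missing its preposition ("At the 10th level, ...") and still uses the old level name, although the list item was renamed "Moderating social media forums" and, counting Authentication as item 1, that item is the 9th of ten. The unchanged sentence two paragraphs below then speaks of "the eleven layers of the stack". Settle on one count and one name and use them in all three places.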
- <h1>How experts think about safety</h1>
+ <h1 id="How_experts">How experts think about safety</h1>
<h2>Linear risk</h2>
<p>
If this login model is implemented across millions of people, a person would hope the company is protecting more than the aggregate login cost per user, otherwise they are costing users more than the value they hold on the system. And indeed as normal mode times are being used, they are indeed costing users time and money.
</p>
- <h2>Catastrophic failure</h2>
+ <h2 id="Catastrophic_failure">Catastrophic failure</h2>
<p>
When a person is sitting in an airplane, they probably hope the airline engineers were not thinking in terms of averages, and indeed the engineers were not. Instead, they planned for a very low probability of catastrophic failure.
</p>
Of course the password was forgotten, because when it was made the system forced the inclusion of capitals, numbers, and special characters, so unless a person named their dog Xr$nzD4s7, they will not remember it. So then travel back home, get out a notebook and look at the password.
</p>
<p>
- We have all experienced this in some form or another, grace our IT friends. Thus, we all know intuitively that security comes at the expense of utility. The Marianas Trench paradigm is the asymptotic eventuality for all computer systems that have security as their top priority.
+ We have all experienced this in some form or another, thanks to IT protocol. Thus, we all know intuitively that security comes at the expense of utility. The Marianas Trench paradigm is the asymptotic eventuality for all computer systems that have security as their top priority.
</p>
<h2>Reliability and security are competing forces</h2>
The startup Pay By Touch incinerated $130 million on the premise that fingerprints are passwords. Sounding like a cool tech was enough to command a lot of funding, and more came after that.
</p>
- <p>If a fingerprint is a password, then a person leaves their "password" on every water glass, door handle, and table they touch. How is was that supposed to work?
+ <p>If a fingerprint is a password, then a person leaves their "password" on every water glass, door handle, and table they touch. How was that supposed to work?
</p>
<p>I hope readers will think about this, especially the non-technical among you. There is expensive important lesson here. There is a place for commonsense in security discussions. Investors and legislators alike should not fear asking commonsense questions, and getting answers back that they can understand.
-<h1>The coming security apocolypse</h1>
+<h1>The coming security apocalypse</h1>
<h2>Public key cryptography: a house built on sand</h2>
<p>
- Almost all security today is built over communications that are secured by public key cryptography, specifically relying on algorithms like RSA and Elliptic Curve Cryptography (ECC). However, there is a unadvertised disturbing fact: there is no formal computation-theoretic proof that these systems actually work.
+ Almost all security today is built over communications that are secured by public key cryptography, specifically relying on algorithms like RSA and Elliptic Curve Cryptography (ECC). However, there is an unadvertised disturbing fact: there is no formal computation-theoretic proof that these systems actually work.
</p>
<p>
These legacy systems rely on <RT-term>trapdoor functions</RT-term>—mathematical operations that are easy to perform in one direction but assumed to be impossibly hard to reverse without a key. Yet, there is no proof that a computationally reasonable inverse function (a polynomial time algorithm) does not exist for these specific problems. The security of the global digital economy rests entirely on the assumption that because no one has publicly found a fast way to reverse these functions, that no such method exists. If a person, or a state intelligence agency, discovers such a mathematical shortcut, the trapdoor vanishes, and then ssh, bitcoin, network privacy, are instantly broken.
- <h1>Why we want to ID people</h1>
+ <h1 id="Why_ID">Why we want digital ID</h1>
+
+ <h2 id="About_ID">About ID</h2>
+
+ <p>
+ We must distinguish between two types of identification that serve entirely different purposes. The first type functions to locate information about a person on a ledger such as a database. It is like a player's number in sports. The second type of ID serves to confirm that the person has given a correct ID of the first type.
+ </p>
+
+ <p>
+ We will call this first type of ID the <RT-term>unique number ID</RT-term>, or <RT-term>unique name ID</RT-term>. Within a bureaucratic context, the a unique number ID serves as the label on a folder. In computer science context, this will key into a database. Generally it locates something related to the person the ID is referring to. Because it
+ locates information about a person, each person must have a different <RT-term>unique number ID</RT-term>, so we say that each such ID is unique.
+ </p>
+
+ <p>
+ We will call the second type of ID the <RT-term>proof ID</RT-term>. A proof ID proves that the person who provided a unique number ID really does own that unique number ID. Given two people, say A and B, the proof ID prevents person A from using person B's <RT-term>unique number ID</RT-term>, and vice versa. Put in stronger terms, if the <RT-term>proof ID</RT-term> functions well, then A will not be able to steal the identity of B, or vice versa.
+ </p>
+
+ <p>We see these two types of ID when logging into a computer. First a user gives a <RT-term>unique name ID</RT-term>, which in this context is called a <RT-term>username</RT-term>. This locates the account. Then a proves he or she owns the account by providing the <RT-term>proof ID</RT> in the form of a password. In the case that a more sophisticated login method is used, such as <RT-code>ssh</RT-code>, the proof ID is performed by exchanging cyrptographic keys
+ </p>
+
+<p>
+ Many organizations don't seem to be clear on these two distinct uses of ID. It is common for an organization to expect things from a unique number ID that it lacks the capacity to do, such as serving as proof of identity. Using unique number ID as a proof ID is typically vulnerable due to two reasons, a regular and dense ID space, and poor privacy of the numbers. When unique number IDs are issued in series, then an attacker can follow the pattern. If the space of unique number IDs is dense, then any guess will be an actual ID. Unique number IDs are typically used at face value, thus when typed or used over the phone, that text or spoken number is literally the ID. These attributes are fine when a unique number ID is used as a locators, but lead to high probability of catastrophic failure when used as identity proof.
+</p>
+
+<p>
+ A good example of a unique number ID that is often misused as a proof ID is the social security number. The are issued in series, the space is dense, and the number is the ID. Furthermore they appear in clear text in many honeypot databases. Over time, government and private entities began requesting the SSN as a proof ID to verify identity. Congress has passed some legislation to protect Social Security numbers from being made public, which could be construed to protect their use as proof ID; however this is security theater, for the reasons outlined above, and because that water already left the dam. Most notably, Section 7 of the Privacy Act of 1974 explicitly makes it unlawful for federal, state, and local government agencies to deny a person any right, benefit, or privilege because of a refusal to disclose their Social Security Number. Apparently it is to be kept secret to preserve its value as a proof ID?
+ </p>
+
<h2>Policing money</h2>
<p>
<p>For a nation to tax an citizens' and residents' income, they must be able to verify what that income is. Initially this was done by having companies and contracting entities to report salaries and contract amounts to the IRS, a copy of that report is sent to the individual, and the individual must also send his copy to the IRS, so that the IRS can also verify the sent the report.
</p>
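Review bot: in "Then a proves he or she owns the account by providing the proof ID in the form of a password" the subject "user" is missing, the closing tag is `</RT>` instead of `</RT-term>`, "cyrptographic" is misspelled and the sentence has no final period. Describing ssh as performing the proof ID "by exchanging cryptographic keys" is also inaccurate: with public key authentication the user's key is never exchanged; the client proves possession of the private key by signing a challenge that the server verifies against the stored public key, which is exactly the property that makes it a proof ID rather than a unique number ID. Two consistency points: "vulnerable due to two reasons" is followed by three properties (issued in series, dense space, used at face value), and the SSN paragraph enumerates the same three, so say three; "the a unique number ID", "used as a locators" and "The are issued in series" need their articles and plurals fixed. The claim that Congress has passed legislation protecting SSNs and the Section 7 reference should carry citations, and the unchanged trapdoor-function paragraph just above this section never closes its `<p>` before the new `<h1>`.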
- <p>Now that the government polices money, they are able to see financial transactions at banks. In theory this could replace the old system, but instead both are done. Any descrepencies are then used as signals for triggering audits.
+ <p>Now that the government polices money, they are able to see financial transactions at banks. In theory this could replace the old system, but instead both are done. Any discrepancies are then used as signals for triggering audits.
</p>
<p>Each person is then given a tax account. This tax account is accessible online. The digital ID then ties all of this together. Note that the each individual has a social security number, and those numbers are used to key database records, but they lack the security and privacy required to be used as an ID.
<h2>International scammers</h2>
<p>
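Review bot: while fixing "descrepencies", the unchanged sentences around it still read "to tax an citizens' and residents' income" and "so that the IRS can also verify the sent the report"; and the `<p>` opened before "Each person is then given a tax account" is never closed before the next `<h2>`. Worth cleaning in the same pass.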
- Though we police money internationally, to the great consternation of out of jurisdiction banks, many of whom will no longer serve Americans, quizzically we take no enforcement action on international scammers who steal from our senior citizens through phone calls and spam mail. Russian hackers who were found creating conflict on the Internet. By IDing those on the Internet, we can deny access and prevent bad actors from entering the ecosystem in the first place.
+ Though we police money internationally, to the great consternation of out of jurisdiction banks, many of whom will no longer serve Americans, quizzically we take no enforcement action on international scammers who steal from our senior citizens through phone calls and spam mail. By IDing those on the Internet, we could prevent bad actors from entering the ecosystem in the first place.
</p>
<h2>Public no longer means <em>public</em></h2>
<h1>Current digital ID efforts</h1>
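Review bot: "By IDing those on the Internet, we could prevent bad actors from entering the ecosystem in the first place" claims more than the paper elsewhere allows: the legislation critique below calls remote identity checks security theater vulnerable to AI injection, and the About ID section explains why a locator ID cannot serve as proof. Qualify this to what identification can realistically do (attribution after the fact, raising the cost of re-entry) rather than prevention, or the two sections contradict each other. Dropping the fragment "Russian hackers who were found creating conflict on the Internet" is right; note that the "Public no longer means public" heading that follows now has no body.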
- <h2>Technonlogy catagories</h2>
+ <h2>Technonlogy categories</h2>
<table>
<thead>
<tr>
<li><strong>Architectural Critique:</strong> While the bill's sponsors emphasize that adoption is "voluntary," historical precedent shows that voluntary compliance in security protocols rapidly becomes mandatory to participate in the economy. This legislation directly funds the transition from <em>Stage 1 (The Bureaucratic Number)</em> to <em>Stage 2 (The Mandated Shackle)</em> by encouraging mobile driver's licenses (mDLs). As established earlier, this exacerbates the <RT-neologism>digital exile</RT-neologism> problem; those who cannot perfectly navigate or afford these new digital layers will be treated with suspicion by default and pushed to the outskirts of the network. Furthermore, treating deepfakes with more digital ID ignores the fundamental vulnerability that remote biometrics are inherently <RT-term>security theater</RT-term> vulnerable to AI injection.</li>
</ul>
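Review bot: the heading fix corrects "catagories" but leaves "Technonlogy"; it should read "Technology categories". The `<table>` that follows opens `<thead><tr>` and then jumps to an `<li>` closed by `</ul>`, so the table rows are missing from this region and the list markup is unbalanced; the critique bullet should sit inside a `<ul>` of its own and the table should be completed or removed.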
-<!--
-The National Institute of Standards and Technology (NIST) was directed in the CHIPS and Science Act of 2022 to launch new work to develop a framework of common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments, and work is underway at NIST to create this guidance. However, State and local agencies lack resources to implement this new guidance, and if this does not change, it will take decades to harden deficiencies in identity infrastructure.
-
-
-(A) develop digital versions of driver’s licenses and other identity credentials that comply with the guidelines for identity and attribute validation services developed by the National Institute of Standards and Technology under section 504 of the Cybersecurity Enhancement Act of 2014;
-
-(B) protect the privacy and security of individuals, including guarding against “deepfake” attacks powered by artificial intelligence;
-
-(C) catalyze the development, deployment, and use of more resilient, interoperable solutions Americans can use to protect and assert their identity online;
-
-(D) reduce identity theft and fraud by replacing legacy identity systems that are highly vulnerable to attack from organized criminals and hostile nation-states with more robust solutions that can defeat these attacks;
-
-(E) ensure the integrity of Government benefit programs paid through the Department of the Treasury;
-
-(F) protect the United States financial system from abuse by illicit actors; and
-
-(G) enable more trusted transactions online.
-
--->
-
<h3>Improving Digital Identity Act (S. 884 / H.R. 4258)</h3>
<ul>
Yet, legislators are currently on the cusp of making it functionally mandatory that every citizen carry and use a microwave-emitting cell phone.
</p>
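Review bot: the deleted comment held the quoted purposes (A) through (G) of the bill and the NIST/CHIPS Act passage, which are the source for the "voluntary" adoption and "deepfake" claims in the Architectural Critique bullet above. With the comment gone those claims can no longer be checked against any text on the page; keep an attributed excerpt or a citation to S. 884 / H.R. 4258 in the visible body. Minor: "microwave-emitting cell phone" is a loaded phrase in an argument whose point is functionally mandatory carriage of a device for mDL use; "carry and use a cell phone" makes the point without it.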
- <h1>Conclusion</h2>
+<h1>Making the security situation better</h1>
+
+ <p>This is not a standalone chapter. The things stated here are carefully built upon the material that comes before it. This is a white paper on security and this chapter discusses how to reduce the risk equations given in <a href="#How_experts">How experts think about risk</a>. Any resemblance to someone's political platform is a coincidence, unless that platform used the reasoning of better cybersecurity.
+
+<h2>Don't create situations that require security in the first place</h2>
+
+ <p>The most powerful thing we can do to make computer ID more practical is to diminish the need for it in the first place. The chapter <a href="#Why_ID">Why we want digital ID</a> lists the reasons for ID, so lets discuss those.
+
+
+ <h3>Databases</h3>
+
+ <h4>Countering the honey pot effect</h4>
<p>
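Review bot: the link text "How experts think about risk" does not match the heading it targets, "How experts think about safety"; the `<p>` opened before "This is not a standalone chapter" and the one before "The most powerful thing we can do" are never closed; "lets discuss" should be "let's discuss". Also, "reduce the risk equations" promises equations, but the target section states the linear-risk argument in prose only, and the one explicit criterion in the paper, the S > T inequality in the Suggestions list, is deleted in this same change; either restore that criterion in the new chapter or say "risk arguments".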
- I hope this white paper has made it clear to legislators that though technical people are very smart at what they do, they have repeatedly missed sight of the forest for the trees. Non-technically minded leaders should not be afraid to ask commonsense questions, and should expect to be given answers that make sense. Please do not follow the technologists down the primrose path, and instead work to preserve the garden of golden flowers.
+ In 1937, Nikolai Yezhov, the head of the Soviet secret police issued NKVD Order No. 00447. This directive established explicit quotas for the execution or imprisonment of citizens in every geographic district of the Soviet Union. To fulfill these arbitrary numerical targets, local authorities utilized centralized municipal records, census lists, and employment files to efficiently locate and process victims. Obviously, this sort of thing would destroy the garden of golden flowers and group intelligence effects.
</p>
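Review bot: the NKVD Order No. 00447 paragraph is the anchor example for the honeypot argument and should cite a source for the order, its date and the quotas; "Nikolai Yezhov, the head of the Soviet secret police issued" also needs a comma after "police".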
+ <p>
+ From a security point of view, databases are honeypots for those who desire power over people, be they despots or cybersecurity attackers looking for money. The simplest way to thwart this effect is to not have the honeypot in the first place. Hence, the security expert's first question, which databases are not required? The second question, among those that are required, can they be made to have more focused purpose? Can the number of records and fields be reduced? Are citizens really so interesting?
+ </p>
- <h1>Suggestions</h1>
+ <h4>Making databases coherent</h4>
-<p>I write these suggestions not due to a political agenda, but from the point of view of achieving computer security.
- </p>
+ <p>The obvious thing that offers itself here is to disentangle the two meanings of ID for the Social Security number, and to then make it available as a <RT-term>unique number ID</RT-term> for any use, but never to be used as a <RT-term>proof ID</RT-term>. Note section <a href="#About_ID">About ID</a>.
+ </p>
-<p>The most reliable way to make a system secure, is to remove the need for it to be secure. As we go down the list of reasons that digital ID is desired, how many of those can be removed? Lets throw around some ideas.</p>
+ <p>Though a drawback of a Social Security Number as a <RT-term>unique number ID</RT-term>, currently, as that people it currently does not expire. Thus when a immigrant comes to the U.S., they are starting fresh, while citizens must carry the weight of their record for an entire lifetime. It might make sense to reassign the number at specific ages limits that correspond to known development thresholds, such as 6, 18, 36, 64. Or alternatively possibly ordered by a judge.</p>
+ <p>Alternatively, there could be a new issuing of <RT-term>unique number ID</RT-term>s specifically for this purpose. Another interesting variation would be to have various services that represent groups, similar to group insurance. The people in groups would then earn a reputation, as do people in group insurance policies.</p>
+
+ <h3>ID need for Individual Revenue Taxation</h3>
+ <p>As explained in the <a href="#Catastrophic_failure">Catastrophic failure</a>That security becomes disproportionally more manageable when the problem is made smaller. For income tax there is an obvious way to do this. Money flows in a circle. We tax it both when it is a salary or contract payment when it enters people's pockets, and when it enters a company as revenue. It is the same money going all the way around.
+ </p>
- <p>
- We are currently charting a course for the byzantine ending of American civilization, but there is time to change course. We must simplify. Incentives are more powerful than regulations.
+ <img src="money_circle.jpeg"/>
+
+ <p>There are approximately 161 million tax payers, but only 6.7 million companies. The security and enforcement problems would be a <em>magnitude less</em> complex, if we collected tax at the point in the circle where it entered companies.</p>
+
+ <p>The reduced complexity manifests dramatically on the enforcement side. Whoever thought it was a good idea to pull grandmothers and the lesser able among us into complex accounting problems, audits, and penalties? On the other hand, the very reason corporations were formed was to formalize their financials and liability. They already engage professional accountants. They already have fiduciary duties.</p>
+
+ <h3>Citizenship-based taxation</h3>
+
+ <p>Only two countries in the world use citizenship based taxation, the United States and Eritrea. I understand it was introduced in the Civil War out of fear that Americans would move to Canada to avoid paying for the war. However, it has caused problems in that when Americans move to other countries, they use services in those other countries, so those other countries tax all residents, including Americans. This leads to a double taxation problem for Americans. So as to alleviate the double taxation problem the U.S. has entered into treaties so that Americans need not pay U.S. tax when paying tax in a foreign country.
</p>
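Review bot: dropping the lead-in sentence ("The most reliable way to make a system secure, is to remove the need for it to be secure. ... Lets throw around some ideas.") leaves the new first paragraph starting mid-thought, and that paragraph's opener has no main clause: "Though a drawback of a Social Security Number as a unique number ID, currently, as that people it currently does not expire." Suggest keeping a one-sentence lead-in and rewriting the opener as "A drawback of using the Social Security Number as a unique number ID is that it never expires." ("a immigrant" should be "an immigrant", "ages limits" should be "age limits"). Further down the cross-reference runs into the next sentence with no separator, "Catastrophic failure</a>That security becomes disproportionally more manageable", and should read "... section, security becomes disproportionately more manageable". The new <img src="money_circle.jpeg"/> has no alt attribute; since the figure carries the money-circle argument, give it alt text describing the flow (salaries out of companies, revenue back in). Minor: "tax payers" is "taxpayers", "a magnitude less complex" reads better as "an order of magnitude less complex", and "citizenship based" in the paragraph should be hyphenated to match the "Citizenship-based taxation" heading.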
- <ol>
- <li><strong>Mandatory Efficiency and Economic Impact Statements:</strong> Any federal agency or regulated private entity implementing a new security or identity measure must provide a "Net Economic Impact" audit. This addresses the "Nobody Home" problem. If a security measure costs the economy <RT-math>S</RT-math> in lost productivity through customer service paralysis, and the theft it prevents is only <RT-math>T</RT-math>, the measure is illegal if <RT-math>S > T</RT-math>.</li>
- <li><strong>The Research Integrity Act (Scientific Transparency):</strong> Criminalize and fine academic and corporate dishonesty in federally funded or regulated research. Apply the Daubert principle to regulatory research to prevent "Microwaves are Candy" style industry capture.</li>
- <li><strong>The Digital Habeas Corpus (Database Transparency):</strong> Apply FOIA-style transparency to all databases, public and corporate, that utilize a citizen's data. Every person has a right to see, contest, and correct any entry.</li>
- <li><strong>Verifiable Architectural Provenance:</strong> Mandate that the provenance of all AI-driven media be identifiable via an architectural signaling standard. A person must be able to distinguish between human and synthetic media at the architectural level.</li>
- <li><strong>Shift to Offensive International Policing:</strong> Redirect federal resources from "IDing the Victim" to "Tracking the Attacker." Policing the borders of the internet is more effective than turning the interior into a digital prison for citizens.</li>
- <li><strong>Structural elimination of security dependencies:</strong> The best security is removing the need for it. Citizenship-Based Taxation (CBT) requires a massive, global surveillance apparatus to track every citizen’s financial movements. Ending CBT and shifting from income tax to trade duties would structurally eliminate the need for vast swathes of the current global digital tracking infrastructure. Organizations like American Citizens Abroad (ACA) advocate for ending CBT, and similar efforts support state-side banking access for expats burdened by the current surveillance dragnet.</li>
- <li><strong>Reasoning Technology ID technology, RTID:</strong> Existing models force lawmakers into a false choice between massive surveillance honeypots or zero utility. Reasoning Technology has developed a foundational identity architecture that shatters this dichotomy. It works in the presence of quantum technology, works in the presence of strong AI, works without special hardware features, has minimal productivity impact, and is maintainable.</li>
- </ol>
+ <p>Said tax treaties create a defacto residence based tax. From the point of view of reducing complexity so that computer security is tractiable, the commonsense solution here would be to move to a residence based tax and eliminate the paperwork burden.</p>
+
+ <h2>Policing money</h2>
+
+ <p>The primary point of policing money can be moved to the same point as for taxation. In addition international movements would have to be corporate and commercial accounts. They pretty much already are, as everything goes through banks. However, the burden on banks would be greatly reduced, as only commercial accounts would require transaction reporting. This would again reduce the data to be sifted through by a magnitude.
+ </p>
+ <h2>Proof ID</h2>
+<p>The above does not address issue from the sections International scammers, and Public no longer means public. Reasoning Technology, and others have proposals for this. The NIST mDLs for example. If you are interested in hearing more about the Reasoning Technology intellectual property, please contact me.
+ </p>
<h1>Appendices</h1>
<li><strong>Crypto AG & Operation Rubicon:</strong> A Swiss manufacturer of encryption machines was secretly owned by intelligence agencies to intentionally weaken algorithms.</li>
</ul>
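Review bot: the removed ordered list was the only place the document stated concrete proposals (economic-impact audits, database transparency, ending CBT, RTID), and the new "Proof ID" paragraph now refers to them only as "Reasoning Technology, and others have proposals for this"; if the list is intentionally dropped, that paragraph should at least name the proposal it keeps, and the two section references ("International scammers", "Public no longer means public") should be anchor links like the earlier <a href="#Catastrophic_failure"> rather than bare titles. In the "Policing money" paragraph, "In addition international movements would have to be corporate and commercial accounts" states a requirement without saying who imposes it; phrase it as the proposal it is ("international transfers would be limited to commercial accounts") so that "They pretty much already are" has a clear referent. Wording: "defacto" is "de facto", "tractiable" is "tractable", "does not address issue from the sections" needs "the issues raised in the sections", and "The NIST mDLs for example." is a fragment that should be folded into the preceding sentence.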
+ <h2>Appendix B</h2>
+
+<!--
+The National Institute of Standards and Technology (NIST) was directed in the CHIPS and Science Act of 2022 to launch new work to develop a framework of common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments, and work is underway at NIST to create this guidance. However, State and local agencies lack resources to implement this new guidance, and if this does not change, it will take decades to harden deficiencies in identity infrastructure.
+
+
+(A) develop digital versions of driver’s licenses and other identity credentials that comply with the guidelines for identity and attribute validation services developed by the National Institute of Standards and Technology under section 504 of the Cybersecurity Enhancement Act of 2014;
+
+(B) protect the privacy and security of individuals, including guarding against “deepfake” attacks powered by artificial intelligence;
+
+(C) catalyze the development, deployment, and use of more resilient, interoperable solutions Americans can use to protect and assert their identity online;
+
+(D) reduce identity theft and fraud by replacing legacy identity systems that are highly vulnerable to attack from organized criminals and hostile nation-states with more robust solutions that can defeat these attacks;
+
+(E) ensure the integrity of Government benefit programs paid through the Department of the Treasury;
+
+(F) protect the United States financial system from abuse by illicit actors; and
+
+(G) enable more trusted transactions online.
+
+-->
+
+
</RT-article>
</body>
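Review bot: the new <h2>Appendix B</h2> is followed only by an HTML comment, so it renders as an empty heading. Either uncomment the quoted CHIPS Act / NIST digital-identity text, wrap it in a blockquote with a citation so it is not read as the author's own words, and add one sentence saying why it is appended (the "Proof ID" section's mention of NIST mDLs is the natural hook), or leave the heading out until the appendix has visible content.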