A Tidal Change: The Future of Digital Identity II
A dive into new digital identity, cryptography, blockchain primitives and their applications.
Gm everyone, it's nice to be back to writing articles. I really enjoy doing these from time to time. For those of you who don't know me, hi! I'm dcbuilder, a research engineer at the World Foundation working on World and an active angel investor in crypto (DeFi, cryptography, infra, scalability, privacy), AI, and health. I spend my time thinking about cryptography, blockchains, digital identity, AI, products, and tech. In December of 2023, I wrote an article titled The Future of Digital Identity on my Mirror blog (now deprecated). As with anything, the world moves on, and I believe enough has happened and my thinking on this has evolved significantly to warrant a follow-up.
TL;DR
- Privacy and identity are the key missing piece in the blockchain tech tree that will enable the next wave of products that get real adoption in the world across consumer and institutional applications
- The future of identity is programmable cryptography: individuals, agents, and organizations will express and verify relationships through cryptographic proofs rather than data sharing through selective disclosure.
- Trust itself will become a primitive - measurable, collaborative, transferable, and interoperable across applications.
- Identity will be a key primitive in the age of AI as the relationships between humans and AI agents evolve. Proof of Personhood will become an important pillar.
- Generating Zero Knowledge Proofs on mobile phones (client-side proving) has become feasible and enables true privacy.
- Private Shared State as a primitive will greatly expand the design space of applications built with smart contracts, with MPC and collaborative SNARKs as the technologies that enable it.
What has changed?
I think the last year and a half has brought huge changes to my world, whether it's AI advancements, regulatory tailwinds in the US and globally for crypto, new companies emerging, technology improving, and products getting to market with meaningful adoption for stablecoins, digital payments, trading, RWAs, prediction markets, and much more.
I often talk with people in the industry, friends, portfolio companies, coworkers, and people I meet at conferences, and I've been trying to figure out what the next pieces of infrastructure and products we need to build are in order to build products that solve real issues that consumers have globally, products that are meaningful, impactful and make a good contribution to the world. Cryptocurrencies and blockchains have thus far been really useful thanks to their properties of censorship resistance, decentralization, composability, programmability, liveness, and permissionlessness. They are a great substrate for individuals and organizations to push the envelope, which has led to decentralized payment solutions, sound store of value assets, stablecoins, lending protocols, exchanges, derivative platforms, prediction markets, and so much more, which are much better than existing solutions provided by traditional finance.
The relative success of the products of today provides validation that blockchain technology is mature for these product categories. I personally believe that most human coordination will ultimately live and settle on Ethereum or its ecosystem of L2s because I believe the tradeoffs are just better there, but that's a topic for a different time. I recommend reading Etherealize reports and blog posts and the Ethereum.org landing page for institutions, which summarize a lot of what I believe on this topic in case you want to learn more. However, there are many other product categories that don't exist on blockchains yet, and for good reasons.
Motivation
One of the things that I have learned at World is that how you define value and success really matters. The vision you have determines what you ultimately optimize for, and how you measure progress is what separates growth from building a product nobody wants.
My simplified definition of impact is:
impact = product utility per user * # of users
And I feel this is something that every regular business understands, but we somehow fail to acknowledge in the crypto industry. I see a lot of people, projects, and communities lying to themselves by thinking basic economics doesn't apply to them and that somehow cryptocurrencies and blockchain protocols are not bound by the rules of value creation and get an everlasting magic monetary premium for no good reason. Economics will always be an important and vital tool to design and create products, businesses, protocols, and blockchains that are sustainable. Impact is building something that a lot of people use and find really valuable; it does something for them that no other thing can do, in a better, faster, stronger, larger, more profitable, and/or new way.
The question I'm trying to get at is the following: What are the next technologies and ideas that we can leverage to build truly impactful products within our industry and beyond?
The biggest value capture opportunity that I see in crypto at the moment is taking the oncoming flow of individuals, enterprises, and institutions and onboarding all capital formation, assets, and the coordination thereof to blockchains. The two biggest things that I see missing for that to happen are identity and privacy. Counterparties need to know who they are interacting with in order to transact with one another; they need to share things about themselves with each other and potentially with a regulator or smart contract that sets the rules for the market. They need to do so in a fully private way, otherwise they stand to lose a lot of the value that they would capture from the information, the capital opportunities they worked hard to get, and their rights to self-sovereignty and privacy, which legacy financial systems and the rule of law already provide. We can't expect everyone to adopt new technologies where an important subset of primitives and features is missing.
The Ethereum Ecosystem
We already have a roadmap for scaling blockchains, which is the same as scaling trust. We can make execution faster, data availability larger, overhead costs smaller, operational efficiency higher, consensus simpler, and eventually ossify the system. Ethereum has the Lean Roadmap for consensus, L2s are working on scaling execution together with the L1 (real-time proving, snarkifying the EVM, ...), and other teams are working on account abstraction/UX, security, and many other technologies that will take care of all of the properties that we care about in blockchains.
The Ethereum Foundation also recently announced that they are restructuring Privacy Stewards for Ethereum or PSE, formerly known as Privacy & Scaling Explorations. This means that there is finally internal motivation to truly start working on native privacy for Ethereum as well with much better leadership and executive capabilities than the EF ever had in the past. I also want to give a massive shoutout to all the teams who have been working on privacy from the beginning: PSE, ZCash (Electric Coin Company), Tornado Cash, Railgun, Privacy Pools, Aztec, Miden, and so many other wonderful privacy teams who have committed many years and a lot of effort to bringing privacy to public blockchains. So many wonderful engineers, researchers, and now even product and growth people are bringing privacy to the masses, and I love to see it.
Not only is the EF focusing on general privacy infrastructure through PSE, but it is also focusing on bringing institutions onchain with the newly created Institutional Privacy Task Force (IPTF), which aims to help institutions meet their privacy needs by identifying those needs and mapping them to solutions in the space. A good first resource to check is their privacy map on GitHub.
Another noteworthy mention is that there is starting to be a demand for AI within the Ethereum ecosystem. The EF created a new decentralized AI team called dAI and is working on ERC 8004: Trustless Agents. There's also been a joint collaboration between Coinbase, Google, and the EF on the Agent Payments Protocol.
Cryptography is maturing
In the world of cryptography, we have seen advancements in all privacy-enhancing technologies (PETs), namely MPC, ZK, TEEs, and FHE, on both the practical and theoretical side. There has even been progress on historically impractical cryptographic constructions like indistinguishability obfuscation (iO), and on related fields like functional and witness encryption.
At World, I've come to work with MPC, ZK, and TEEs in varying capacities. We have built many tools that leverage these technologies to build our products with, and we have also contributed to pushing the boundaries of what's possible with them. I believe that right now is a great time to really start pushing what's possible, and it's a time ripe for building products leveraging programmable cryptography to deliver better products and services than ever before.
I believe that the technology is ready and constantly getting better, and that the space is currently ripe for building new products by taking advantage of the new capabilities and momentum we have.
Digital Identity, a frame of thought
I want to elaborate further on how I think about digital identity personally, and generally how I see it having worked with different kinds of partners, from onchain native protocols, to government agencies, individual mini-app developers and companies during my time at World over the last three years.
Credentials and RoTs
Let's start by introducing some concepts. The identity of any entity is represented by information held in a credential. The issuer of that credential and the underlying mechanism that the issuer uses to give the credential trust is what we would call the root of trust (RoT). In the example of a digital passport, the issuer is usually a government authority, part of the executive branch of government. This authority has a certificate authority (CA) which signs passport data according to international standards like ICAO 9303: Machine Readable Travel Documents (MRTDs). The RoT here is the trust of the institution issuing the credentials and the technical architecture they employ to attach cryptographic trust to the credentials. The best form of trust in this scenario is always a direct signature on a commitment (hash) to some data. Once the issuer creates a credential, any relying party (RP) can consume the credential in various different forms.
In traditional scenarios, the RP will consume the credential directly, in plaintext, alongside the signature on the commitment to the data stored in a particular format. If we go along with our digital passport example above, the traditional scenario would be presenting the document at an airport identity verification terminal. You present the document to a document reader; it will take an image of the front page, which includes the machine-readable zone (MRZ). The decryption key for the data stored in the passport's NFC chip can be derived from the MRZ. Then, the terminal will read the data stored according to ICAO 9303, verify the chain of signatures (RoT) all the way to the original government issuer, and then do an automated facial embedding match of the image taken by the integrated camera against the image stored on the passport itself as a form of authentication. This is one of the possible ways that digital identity can work and save airport workers and immigration officers a lot of time. As you can see, the security and integrity of such a system relies on the issuer and the technical infrastructure they employ to create passports having integrity end to end for the RP to be able to trust these documents, and then the passport holder also needs to present the document in person for the RP to be able to authenticate the holder against their passport. You can learn more about passports in this article from Trail of Bits.
A relying party might want to know different things about their users or consumers, and in the current day and age, the biggest problem is the lack of privacy, especially online. Many RPs do not need to know everything about their users; they only need to know specific pieces of information about them and to know that the source of the information is trustworthy. Uploading your personal government identity documents to a website to prove you are an adult, that you reside at a specific address, that you are a citizen of or resident in a specific country, or any of a million other things shouldn't be a requirement. RPs needn't collect anything more than what they require to operate their services or offer their products. Not only is it a privacy burden for the user, but it is also a huge liability for any RP. In my experience, no RP wants to collect more information than they absolutely need to run their services. Unfortunately, there are several RPs which are very identity and personal data hungry because their services and their product targeting get a lot better and more profitable the more data they collect, especially because the biggest revenue model of the internet and the digital age is advertising in the form of product targeting to a very catered audience. The more information about users, the better and more targeted the ad, the more revenue is generated by the platform and RP, and so on and so forth. This is especially relevant since advertising is the best business model internet companies have come up with. However, as I mentioned earlier, this data is also a big liability because it needs to be stored somewhere, usually on the servers of the service provider, which are subject to security vulnerabilities, data leaks, and various other risks.
Regulators that create rules for how this data is custodied, stored, archived, deleted, etc., can then issue fines to the service providers for violating the regulations or for having leaked sensitive information about their users. There are also class action lawsuits and other penalties that might arise from mishandling sensitive user data. The fact that service providers are data honeypots is the reason why it is seen as a liability from a business perspective, and that's why service providers and RPs generally want to minimize their data footprint as much as possible without getting in the way of their core business bottom line (data that is essential to operate their business and provide their product or service).
Attestations
Next, I want to introduce the notion of attestations. Attestations are statements about credential data. In the traditional identity setup, there was no way to directly produce attestations that were derived from the original credential. The credential was the attestation itself, because the signature that serves as the RoT only applies to the original data it commits to and not to a subset of the data or to a modified version of it. The way that a lot of identity providers create "attestations" today is through APIs that proxy the trust over. Google, Clear, Persona, and other identity providers give RPs the ability for their users to log in with their identity solutions and then share the required information that the identity providers have about the users. However, this again centralizes control of these credentials in big players that have a lot of data on their users and that provide these large identity API services. The RoT in this model is that the data comes from a specific API tied to a trusted DNS name (google.com, withpersona.com, etc.), but this information needs to be directly consumed by the RP; it can't be proxied to a third party without losing the RoT in the process. If we apply the analogy of passports from before, a passport can be verified to be real by Persona or Clear directly, and then they can proxy the trust to a third-party app. Also, users can choose to only share the fact that they are over 18, for example, without having to disclose their personal information to more than one party. Notice that the RoT for such an attestation is the RoT trust score (from 0 to 1, 0 being not trustworthy at all, 1 being completely trustworthy) of the passport times the RoT trust score of the Persona API (Persona can make mistakes); the RP needs to trust them both, which is strictly worse than only having to trust the passport's RoT.
Programmable cryptography
Now, do you see why programmable cryptography is so useful? If you need to refresh some of these concepts, I recommend you read my previous article on The Future of Digital Identity. ZK, MPC, and TEEs are especially helpful in the world of digital identity; they greatly expand the design space for identity protocols and they disintermediate trust. How do they disintermediate trust? Well, disintermediation is the reduction in the use of intermediaries between producers and consumers. In the context of trust, disintermediation means that the RP is able to directly consume attestations from a credential through a root of trust that is equivalent to that of the issuer. The most relevant example of this is the advent of ZK KYC. If we go back to the digital passport example yet again, where you have an NFC chip with data on it, the government entity, formally known as the Country Signing Certificate Authority (CSCA), that issued it has a root of trust that signed the hash of that data. That signature and the hash are also stored on the NFC chip. Now we can create a zero-knowledge proof that verifies the signatures that sign the commitment to the data, and that hashing the data produces the aforementioned commitment. Now, if we give a third party the proof, they can verify it to be true, which would be equivalent to reading the document and verifying the signatures for themselves (assuming no document presence/liveness check). The only additional assumption the RP would be making in this case is that the ZK prover and verifier are implemented correctly in code and that the underlying ZK cryptography is secured by sound mathematical constructions. In this case, we aren't using the zero-knowledge property at all; we are only using soundness, completeness, and succinctness.
What ZK also allows you to do is to make a statement such as "the holder of the passport is over 18 and of nationality X". The RP in this case would only learn those two things, but with the same root of trust as the original passport. What we just did is called selective disclosure, and it is one of the holy grails of privacy in my opinion. Being able to reveal only what the RP needs to provide their service to the user and having the user custody their own personal data is how everything should work in my view, because everything else oversteps people's right to privacy, makes product flows clunky, over-engineered, and painful, and in many cases doesn't even solve the real issue at hand (e.g. KYC/AML hasn't really solved the issues it set out to solve). One of the issues of trying to disintermediate trust is that sometimes there is just no real RoT that an RP can trust, and the only solution to that is having a trustworthy institution create an RoT for a given credential, or having the RoT be self-contained like an Ethereum storage proof (anything on Ethereum is correctly executed according to the rules of the EVM, the logic defined by a smart contract, and the state it uses as an input).
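The issuer-to-RP chain from the passport walkthrough (root CA endorses a document signer, the document signer signs a commitment to the data, the RP verifies the chain) and the selective disclosure just described, as an added example that is not part of this article and not ICAO, World or Aztec code. In place of a ZK proof it uses Ed25519 signatures and salted SHA-256 commitments, the technique behind SD-JWT-style credentials: the RP still ends at the issuer's root of trust, undisclosed fields stay hidden, but a predicate such as "over 18" has to be an issued field, since nothing here computes on hidden data. The `Cert`/`Credential` types, key names and field names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Added illustration, not ICAO, World or Aztec code. A root key (the CSCA in
// the passport analogy) endorses a document-signer (DS) key, the DS signs a
// commitment to salted per-field hashes, and the holder later reveals only
// some fields. Salted hashes stand in for the ZK proof in the text: the RP
// keeps the issuer's root of trust while undisclosed fields stay hidden, but a
// predicate like "over 18" must itself be an issued field, since nothing here
// computes on hidden data.

// Cert is a DS public key endorsed by the root.
type Cert struct {
	Pub ed25519.PublicKey
	Sig []byte // root signature over Pub
}

// Credential is both what the issuer hands out and what the holder presents:
// a presentation is a copy with Values and Salts trimmed to disclosed fields.
type Credential struct {
	Values     map[string]string
	Salts      map[string][]byte
	Hashes     map[string][]byte // salted hash of every field, disclosed or not
	Commitment []byte            // hash over Hashes in canonical order
	Sig        []byte            // DS signature over Commitment
}

func fieldHash(name, value string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), name+"="+value...))
	return h[:]
}

func commit(hashes map[string][]byte) []byte {
	names := make([]string, 0, len(hashes))
	for n := range hashes {
		names = append(names, n)
	}
	sort.Strings(names) // canonical order so holder and RP agree
	h := sha256.New()
	for _, n := range names {
		h.Write([]byte(n))
		h.Write(hashes[n])
	}
	return h.Sum(nil)
}

// Issue: the DS commits to every field with a fresh salt and signs the commitment.
func Issue(ds ed25519.PrivateKey, values map[string]string) Credential {
	c := Credential{Values: values, Salts: map[string][]byte{}, Hashes: map[string][]byte{}}
	for n, v := range values {
		salt := make([]byte, 16)
		rand.Read(salt)
		c.Salts[n] = salt
		c.Hashes[n] = fieldHash(n, v, salt)
	}
	c.Commitment = commit(c.Hashes)
	c.Sig = ed25519.Sign(ds, c.Commitment)
	return c
}

// Present: the holder keeps plaintext and salt only for the fields to reveal.
func Present(c Credential, reveal []string) Credential {
	p := c
	p.Values, p.Salts = map[string]string{}, map[string][]byte{}
	for _, n := range reveal {
		p.Values[n], p.Salts[n] = c.Values[n], c.Salts[n]
	}
	return p
}

// Verify is the RP: root -> DS -> commitment -> each disclosed field.
func Verify(root ed25519.PublicKey, ds Cert, p Credential) (map[string]string, error) {
	if !ed25519.Verify(root, ds.Pub, ds.Sig) {
		return nil, errors.New("DS key not endorsed by root")
	}
	if !ed25519.Verify(ds.Pub, p.Commitment, p.Sig) {
		return nil, errors.New("bad DS signature on commitment")
	}
	if string(commit(p.Hashes)) != string(p.Commitment) {
		return nil, errors.New("field hashes do not match signed commitment")
	}
	for n, v := range p.Values {
		if string(fieldHash(n, v, p.Salts[n])) != string(p.Hashes[n]) {
			return nil, fmt.Errorf("disclosed field %q does not match commitment", n)
		}
	}
	return p.Values, nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	dsPub, dsPriv, _ := ed25519.GenerateKey(rand.Reader)
	ds := Cert{Pub: dsPub, Sig: ed25519.Sign(rootPriv, dsPub)} // root endorses DS
	cred := Issue(dsPriv, map[string]string{"name": "A. Holder", "nationality": "XX", "over_18": "true"})
	got, err := Verify(rootPub, ds, Present(cred, []string{"nationality", "over_18"}))
	fmt.Println(got, err) // map[nationality:XX over_18:true] <nil>
}
```

The RP learns `nationality` and `over_18` and nothing about `name`, yet every check it performs terminates at the root key, which is the "same RoT as the original passport" property. What the hash construction cannot give is a proof about a hidden value (age derived from a hidden birth date); that is exactly the step where a ZK proof is needed.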
Summary
I want you to get in the habit of thinking about identity in the way I describe in the paragraphs above. You have information which represents something about an entity - a credential. The information is stored as digital data. This data needs to be created by someone, some entity, or some program. The security and credibility of this system depends on the trustworthiness of the issuer of the credential and the trust assumptions of the technology employed to create it. The credential in our ideal case has cryptographic provenance (a signature from the issuer certifying its validity to a third party) which can be used as an input to our programmable cryptography machinery. The progcrypto tools can be used to obfuscate data, compute on it, create proofs about it, and share it privately with multiple parties, all of which are really valuable for an identity system. We can create attestations about this credential, derive new ones from multiple data sources, and combine multiple individual attestations into a composite attestation. These attestations carry the weight of the issuer and are only as good as the data + its corresponding RoT chain + the trust assumptions of the code and cryptography used to create the attestations. The attestations + RoTs are consumed by RPs, which can be smart contracts on decentralized blockchains, companies, individuals, or any third party, whether a program, an AI, or a human being. This in turn can trigger an action, since RPs usually request the information provided by attestations in order to enable an action.
This is a good general framework for how I personally think about identity, and it has proven very useful to me because almost all digital identity models can be boiled down to this abstraction.
In my previous article on digital identity, I talked about data, provenance proofs, and attestations. Different kinds of data will have different kinds of provenance proofs with different RoTs (zkEmail, zkTLS, zkKYC, zkLogin, World ID, EAS, etc.), and the resulting attestations from that data will carry that trust forward to an RP so I won't cover that here again. I recommend you read my previous article first in case it's your first time hearing of these things.
How do you design ideal identity systems and products?
Now that we have a good frame of thought for identity, what do we do with it? What properties and functionality should a digital identity system have, what architecture makes sense, but ultimately, what products should we build here? What product experiences do we want to create and what requirements do they have? If you build products without the user and their problems in mind, you won't ever get adoption and have an impact, and so we have to start from there and work our way backwards.
Properties of an ideal digital identity system
Here are some of the core properties an ideal digital identity system should have in my view:
- Multiple issuers, multiple consumers: Ideally, any party can create a credential, and any relying party should be able to consume attestations about them. This one is straightforward, but I feel it's important to mention.
- Fully privacy preserving: Users maintain full privacy if they so choose; only the issuer might know the data in the credentials they issue (e.g., a government knows the data in the passports of their citizens). The data can also be held without the issuer being able to read it on their own by using MPC, OPRF, FHE, TEEs, or other techniques.
- Unlinkability: Attestations made by users should not be linkable with one another or reveal other information stored in other credentials belonging to specific users.
- Good RoT infrastructure: The issuers need to bestow cryptographic trust upon the credentials so that they can later be used with programmable cryptography machinery for creating attestations.
- Recovery: Users need to have a recovery mechanism for the accounts that hold their credentials with a simple user experience, without breaking privacy, security, sybil resistance, and other important properties.
- Revocation: The ability to exit the system completely and delete all credentials / identities if the user so desires. This can also apply to individual attestations that were once valid.
- Self-hostable: Any identity system should by default have all users custody their own credentials and not rely on third parties to host it for them in giant honeypots. Users should be able to create attestations about their credentials and only reveal what they want/need to reveal to RPs through selective disclosure.
- Programmable attestations: Users should be able to compose attestations with arbitrary logic about any credentials, compute with them (e.g., the average of this field across 5 credentials is X), and be able to selectively disclose information with the same RoT of the credentials used as inputs into the attestations.
- Secure, transparent, and auditable: The source code of the system needs to be fully open-sourced and audited, use secure and robust cryptographic primitives, and allow for anyone to be able to verify the integrity and security of the system for themselves. The chain of trust needs to be fully auditable.
- Multiple clients / decentralization: Anyone should be able to build a client for this digital identity system, thus being able to build and operate any part of the system without any third party being a point of failure or pose centralization risk. The client should be interoperable with all other clients using the same system. This is a superpower of blockchains and why they are a great fit for building identity systems thanks to their liveness, decentralization, permissionlessness, and censorship resistance properties.
- Data storage optionality: The data in the credentials should be able to be stored either privately with one individual client-side for maximum privacy, shared privately across multiple individuals, or be public. Ideally, the system is flexible to allow for the users of it to choose the properties of how to handle data without breaking the reliability of the system (there is a big tradeoff space here).
- Sybil resistance: A user shouldn't be able to have multiple valid credentials representing the same thing, nor be able to create multiple valid attestations to RPs for the same thing. Several use cases don't require sybil resistance, so it isn't needed there, but the optionality of having it is very valuable in the digital identity protocol design space.
I would say that digital identity systems today really lack good RoT infrastructure and user experience, because oftentimes the systems were designed only to make a primitive or a specific kind of attestation come to life as a demonstration that it could potentially exist, without focusing on the actual end product experience. For example, World App and World ID have changed a lot just by having come into contact with millions of users; recovery of World IDs wasn't even possible in the beginning, and there are a few edge cases that are hard to account for. One example of an unforeseen side effect of recovery is that if you add recovery or key rotation into a World ID Semaphore tree, then a given user can void the sybil resistance guarantee for a given action: they would be able to perform an action more than once if they are able to rotate (recover) their World ID private key, unless the action is only live for less than the rotation grace period. Self-hostability and perfect privacy also require client-side proving, which requires a really performant ZK toolchain for mobile phones, novel cryptography, and just a lot of clever research and engineering. All of these features are really hard to get into a real product at the same time, and that's why it's something to strive towards and where the real opportunities lie.
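The recovery side effect described above, as an added simulation that is not part of this article and not Semaphore or World ID code. It models a Semaphore-style nullifier as hash(externalNullifier, identitySecret) and a rotation request that only takes effect after a grace period; the Merkle membership proof is left out (every identity is assumed enrolled), and the time units, secret values and the `Identity`/`Action` types are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Added simulation of the recovery side effect described above; it is not
// Semaphore or World ID code. A Semaphore-style nullifier is
// hash(externalNullifier, identitySecret), so an RP that deduplicates by
// nullifier sees a rotated (recovered) identity as a new one. Modelling
// rotation as taking effect only after a grace period shows why an action
// whose window is shorter than that period keeps one action per identity.
// Merkle membership proofs are omitted; every identity is assumed enrolled.

type Identity struct {
	secret     []byte
	next       []byte // secret queued by a rotation request, nil if none
	nextActive int    // time at which next replaces secret
}

// SecretAt returns the secret usable at time t: the queued one once its grace
// period has elapsed, the current one otherwise.
func (id *Identity) SecretAt(t int) []byte {
	if id.next != nil && t >= id.nextActive {
		return id.next
	}
	return id.secret
}

// Rotate queues a new secret that becomes usable at now+grace.
func (id *Identity) Rotate(newSecret []byte, now, grace int) {
	id.next, id.nextActive = newSecret, now+grace
}

func nullifier(external string, secret []byte) string {
	h := sha256.Sum256(append([]byte(external+"|"), secret...))
	return hex.EncodeToString(h[:])
}

// Action is a relying party that accepts each nullifier once during [start, end].
type Action struct {
	external   string
	start, end int
	seen       map[string]bool
}

func NewAction(external string, start, end int) *Action {
	return &Action{external: external, start: start, end: end, seen: map[string]bool{}}
}

// Submit reports whether the RP accepts the identity's action at time t.
func (a *Action) Submit(id *Identity, t int) bool {
	if t < a.start || t > a.end {
		return false
	}
	n := nullifier(a.external, id.SecretAt(t))
	if a.seen[n] {
		return false
	}
	a.seen[n] = true
	return true
}

// MaxActions counts how many times one identity is accepted for an action
// live during [0, windowLen] when it requests rotation at time rotateAt
// (negative for never) under the given grace period, submitting at every step.
func MaxActions(windowLen, grace, rotateAt int) int {
	id := &Identity{secret: []byte("secret-v1")} // constructed values
	a := NewAction("poll-constructed", 0, windowLen)
	accepted := 0
	for t := 0; t <= windowLen; t++ {
		if a.Submit(id, t) {
			accepted++
		}
		if t == rotateAt {
			id.Rotate([]byte("secret-v2"), t, grace)
		}
	}
	return accepted
}

func main() {
	fmt.Println(MaxActions(10, 5, 0))  // window longer than grace: 2
	fmt.Println(MaxActions(3, 5, 0))   // window shorter than grace: 1
	fmt.Println(MaxActions(10, 5, -1)) // no rotation: 1
}
```

The RP's nullifier set is sound only while the secret behind it is stable; the grace period turns "can the user rotate?" into "can the user rotate before the action closes?", which is the condition stated above.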
What should we build with what we have?
While the properties above describe what an ideal system should look like, the reality is that the infrastructure, governance models, and user expectations of today are still far from supporting this vision. The path forward lies in building products that solve real problems now, while progressively laying the foundations for systems that move us closer to this ideal.
Facing reality
Note that a lot of the following paragraphs are mostly my own personal interpretation of how I see the world; I'm also not a lawyer.
One reason why digital identity in the traditional sense hasn't truly seen public support, in my view, is that a lot of the existing proposals for digital identity systems are faced with skepticism from people who are worried about their privacy and the potential abuse that can come from digital identity systems being leveraged to take people's rights away through surveillance and other methods. One of the recent examples of such skepticism is the petition to not introduce digital ID in the UK. One of the reasons that I saw online for the skepticism was the arrests over social media posts under Section 127 of the UK Communications Act 2003 (over 12,000 arrests were made in 2023) and the fact that if you tie your digital ID to your social media, for example, to prove that you are over a certain age, the government could censor speech that it deems to violate Section 127, which is worrisome now that the Online Safety Act 2023 is requiring age verification for many online products and services. These concerns also arose at the same time that there started to be signs of governments wanting to push for backdoors in encrypted messaging and storage solutions such as iCloud (UK), Signal, WhatsApp, and others, like the EU Chat Control proposal, which was thankfully withdrawn by Denmark (the country that proposed it) after it sparked EU-wide controversy.
The tension between the need for more robust digital identity systems and the public's concerns about their potential misuse will have to be confronted in the coming years if we are to build truly innovative solutions that deliver value without compromising fundamental rights, especially now in the age of AI, where we stand to make the world a lot better but also face increasingly bigger risks. Navigating the tradeoffs and making good and nuanced decisions when it comes to digital identity will be very important to successful human coordination.
The way to move the world forward, in my view, is to contribute to the discussions on digital identity by bringing forward pragmatic solutions that provide more value than previous approaches, but also leverage programmable cryptography that respects the rights of its users. There is a lot of work to do here: research, engineering, product design, standardization, spreading awareness, and pushing the good kind of digital identity forward.
I don't have good answers for how to address this tension as of now; I'm trying to learn more about the topic, how it plays into politics, ethics, morals, cypherpunk ideals, and the like, but maybe I'll address some of my thoughts on this in a follow-up blog post.
What products can we build today?
To push the envelope, we need to build privacy and identity infrastructure that doesn't compromise the values of our space, because without them, getting to mass adoption of these technologies will be extremely hard anyway. Without credible neutrality, decentralization, and the ideal properties I mention above, it will be very hard to really get any product off the ground, because people everywhere will push against it, like people have with World ever since its inception. If World weren't open-source, operating on Ethereum and progressively decentralizing, it would never have stood a chance to reach mass adoption beyond maybe a few tens of millions of users. That's when incentive structures for such digital identity systems start to break down and trust starts to erode. What gives World and Ethereum legitimacy is the never-ending quest for credible neutrality and decentralization.
One of the most important things that I have also noticed over the years is that privacy cannot be a detriment to product experience. A private version of any product is strictly worse than the non-private version of the same product just because it usually comes at a huge cost that will be pushed down on the user; thus, the user will much rather use the non-private better UX version in most cases, also because non-private solutions create economic subsidies for "free" products by generating advertising revenue. I believe that programmable cryptography enabled privacy and identity allows us to build strictly better products, and that is the reason why users will adopt them, not because of the fancy technologies they employ. HTTPS is one of the biggest wins of the internet; we can browse privately without anyone but the server and the client being able to decrypt traffic. This directly allowed things like credit card payments on the internet and a lot of other products and services, which is why HTTPS is now a standard and part of all browsers today. Applications and protocols we build need to do the same.
Identity and privacy legos
Next I want to mention some of the teams which, in my opinion, are building some of the main building blocks that will allow us to build the products of the future.
Aztec is a project that was started in 2017 with the goal of giving programmable privacy to blockchains. Previous privacy solutions directly baked the use case into the implementation, whether it was private payments, private swaps, private mixers, or private voting. The protocols didn't allow for general programmability, and that is what Aztec solves. There are other teams working on programmable privacy, like Miden or Aleo, and there will be more to come, but none quite like Aztec, which has persevered for 8 long years building privacy technology with conviction. What building blocks does Aztec bring to the table?
- Noir: a language that allows us to write privacy-preserving ZK programs.
- Aztec Network (currently in testnet): a decentralized L2 on Ethereum that allows us to run Noir programs as smart contracts and compute with the private and public state of the network.
These allow us to build fully privacy-preserving smart contracts and identity solutions on top of their tech stack. For example, zkEmail and zkPassport, both built with Noir, let us create proofs about email and passport data with selective disclosure while preserving the roots of trust (RoTs) that email and passport systems already have: DKIM signatures on email and the issuing authority's signature over the passport's data.
TACEO, a great team working with ZK and MPC, based out of Graz, Austria, is building a private shared state network:
as well as collaborative SNARKs tooling. World has directly worked with TACEO on designing and implementing our iris code AMPC technology, and they have been great partners.
Private shared state has been a missing primitive: until now, private state could only be kept by a single user on their local device, let alone computed on verifiably together with others. This is where coSNARKs come into the picture!
World (I'm definitely not biased, haha). I'll talk about World in a later section.
Private shared state and coSNARKs, coupled with a verifiable privacy zkDSL like Noir, matter because I believe they were the last missing primitives needed to build truly robust solutions for digital identity and privacy. Another missing piece was the ability to create ZK proofs on mobile phones (client-side proving), so that privacy does not get in the way of app user experience by taking forever to run, or by not running on consumer devices at all. This was bottlenecked by cryptography research and engineering, where World has been contributing significantly with ProveKit, our client-side proving backend for Noir, which is a few months away from being production ready. Here you can read more about the reasoning behind building it, or you can watch my presentation about Privacy and Identity at Scale at ETHCC:
Client-side proving lets privacy applications run on the devices users already have, giving true privacy with no intermediary that holds the data or credentials the attestations are made about (in ZK terms, the private inputs to the circuit's witness).
Approaches to building identity products
Some of the low-hanging fruit that can be built into products today is to represent credentials and their RoTs as ZK (Noir) circuits within a wider protocol that can compose attestations about them, so that any RP can consume them easily. One problem is that many of the credentials and much of the information you'd want in such a product are often not even digital, let alone backed by an RoT. That's why it is good that people started with things like ZK KYC, ZK email, and similar products: they have RoTs that directly commit to the data (an issuer's signature). These can be represented as circuits and let anyone create attestations about them, such as over-18 proofs, nationality proofs, residency proofs, and proofs of payment receipts that allow a p2p fiat on/off-ramp exchange to be built, all of which are already valuable. One of the biggest problems that needs solving is how to bring data that has no RoT into the world of programmable cryptography: internet/API data, legal agreements, ID credentials that aren't digitally signed, and everything else that might contain useful identity data.
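To make the issuer-signed credential plus selective disclosure pattern concrete, here is an added example in Python (not code from zkEmail, zkPassport, or World). It models an issuer that commits to each attribute with a salted hash and signs only the commitment list, a holder that reveals just the nationality, and a relying party that checks the root of trust before trusting the revealed value. The issuer key, the attribute names, and the HMAC standing in for a public-key signature are assumptions of the example:

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical issuer key (not from any real issuer). An HMAC under a key that
# issuer and verifier both hold stands in for the issuer's public-key signature,
# the actual RoT behind DKIM email or a passport's signed data groups; a real
# deployment uses Ed25519/RSA so that verifiers cannot forge credentials.
ISSUER_KEY = secrets.token_bytes(32)

Disclosure = Tuple[bytes, str, str]  # (salt, attribute name, attribute value)


def commit(salt: bytes, name: str, value: str) -> str:
    """Salted hash commitment to one attribute. The 128-bit salt stops a relying
    party from brute-forcing small value spaces (e.g. every country code)."""
    return hashlib.sha256(json.dumps([salt.hex(), name, value]).encode()).hexdigest()


def issue(attributes: Dict[str, str], issuer_key: bytes = ISSUER_KEY) -> Tuple[dict, List[Disclosure]]:
    """Issuer: commit to each attribute, sign only the sorted commitment list.
    Returns the credential (shareable) and the disclosures (kept by the holder)."""
    disclosures = [(secrets.token_bytes(16), name, value) for name, value in attributes.items()]
    commitments = sorted(commit(s, n, v) for s, n, v in disclosures)  # sorted: no attribute-order leak
    signature = hmac.new(issuer_key, "".join(commitments).encode(), "sha256").hexdigest()
    return {"commitments": commitments, "signature": signature}, disclosures


def present(disclosures: List[Disclosure], reveal: Set[str]) -> List[Disclosure]:
    """Holder: release only the openings for the attributes the RP is allowed to see."""
    return [d for d in disclosures if d[1] in reveal]


def verify_presentation(credential: dict, revealed: List[Disclosure],
                        issuer_key: bytes = ISSUER_KEY) -> Optional[Dict[str, str]]:
    """Relying party: check the RoT (issuer signature) first, then that every
    revealed opening matches a signed commitment. Returns None on any failure."""
    expected = hmac.new(issuer_key, "".join(credential["commitments"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        return None
    signed = set(credential["commitments"])
    attributes: Dict[str, str] = {}
    for salt, name, value in revealed:
        if name in attributes or commit(salt, name, value) not in signed:
            return None
        attributes[name] = value
    return attributes


if __name__ == "__main__":
    # Constructed sample credential; values are made up.
    cred, held = issue({"name": "Alice Example", "nationality": "AT", "birthdate": "1990-01-01"})
    print(verify_presentation(cred, present(held, {"nationality"})))  # only nationality is learned
```

What the RP learns is exactly the opened attributes plus the number of commitments; the salt defeats dictionary attacks on low-entropy values like country codes, and the sorted list hides attribute order. A hash-based disclosure can only reveal whole attributes: an over-18 proof needs a range check on the birthdate inside a ZK circuit over the same signed data, which is exactly where the Noir circuits described above come in.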
I recommend reading this article from Vitalik, which explains some of the above: Does digital ID have risks even if it's ZK-wrapped?
There are two general approaches to solving the problem:
- To onboard all of the existing data, issuers, providers, companies, RPs, and everyone else who might be relevant, and have them start using digital identity infrastructure compatible with our ideals. This is unrealistic: it is really hard to sell without a very clear value proposition, and even harder because there are no major network effects to ZK identity yet, since adoption of these products is negligible.
- To meet the world where it's at and create suboptimal cryptographic proxies for trust: if there are no digital RoTs we can feed into our cryptographic machinery, we create them some other way, which may not carry the same level of trust. This lets us build useful and economically valuable products on data that has no RoT, and if the product catches on, it incentivizes the platforms that hold the data to create RoTs for it, or incentivizes competitors to build a better product whose edge is new and better experiences powered by digital ID. One popular proxy for trust is the web proof or zkTLS category, where one or more TEEs sign an attestation that some data was served by a given website. This is needed because TLS authenticates the server to the client, but application data is protected with symmetric keys that both ends share, so the client cannot prove to a third party what it received; the server never signs its responses with the key that a certificate authority binds to its DNS name. TEEs are a fun way to create proxies for trust of data that lives in different places, but they bring their own security and trust assumptions (you now trust the TEE vendor, the proxy operator, and the absence of side-channel attacks), so tread carefully.
There is merit to both approaches, but if you don't have a lot of resources, the latter is more pragmatic. However, if you have good ideas on how to build better RoT infrastructure, definitely bring them on. It helps a lot to deeply understand what the data you want an RoT for represents, and how potential RPs would want to consume it in a way that still maintains the ideal properties we talked about. This is a topic I might elaborate on in the future.
So far, several of the teams I mentioned in previous articles, and some that have popped up since, haven't seen much traction, but I believe a lot of the reason is that building infrastructure is hard, and selling shovels when there is no gold rush is even harder. If you have an idea for a product that would benefit from identity and privacy, you can build the infrastructure required to make it happen and iterate on product and infrastructure together as you search for PMF. It is a lot harder to pivot an infrastructure product when there is no market to give you feedback, unless you have an unwavering and compelling vision. Product-driven development works a lot better in my professional experience. I feel the technology is only just now reaching the point where building products with programmable cryptography is feasible, so we have a good window of opportunity to try something new.
Some ideas that I've had that might be worth building
Agentic commerce x digital identity
One of the ideas that I've had for a while that I think would be worth building is an agentic commerce marketplace where you can prove to an agent what kind of customer you are, and the agent can use that information to better advertise to you without collecting personal information. For example, I can create an attestation proving that I've taken more than 100 Uber rides, and Waymo can create a discount code for me to get a ride for free if I can prove that. This kind of user targeting with no middlemen, where attestations about data from different platforms flows freely at the direction of the user, without the user losing privacy, is something we haven't seen before. AI platforms like ChatGPT have recently launched a feature for in-app checkouts using the Agentic Commerce Protocol they co-developed with Stripe (which is launching the Tempo L1 as I mentioned during the intro). Also, Google came out with their own solution called the Agent Payments Protocol (AP2).
As AIs start handling a lot more purchases, having a way to mediate identity information, purchase preferences, and so on will be really important in my opinion. Not only can the user prove things to the agent directly (for example, through an identity MCP), but you could also have a self-hosted personal agent that creates attestations for you, which other agents (RPs, communicating over the Agent2Agent protocol (A2A), for example) can consume according to a policy you set yourself for privacy and other preferences. If we keep building things the way web2 has built them until now, we are heading towards a privacy nightmare, if we aren't already in one. I believe that identity systems with privacy built in, settling this economic activity on private programmable blockchains like Aztec, will move the needle in the right direction.
Blockchains will be directly involved in the value flow of agentic commerce because they will act as the coordination and settlement layers. There are standards like x402, the internet-native payment protocol developed by Coinbase, which already has partners like Cloudflare, a company that handles around 15-20% of internet traffic globally and recently announced its own stablecoin called NET Dollar. There are also designs for how to make x402 private using Privacy Pass by Kobi Gurkan, and this great writeup from Cloudflare: Anonymous credentials: rate-limiting bots and agents without compromising privacy.
During my original introduction of the things that have changed, I also mentioned that the Ethereum ecosystem has a new decentralized AI (dAI) team led by Davide Crapis that has two main focus areas:
- AI Economy on Ethereum - giving AI agents and robots ways to pay, coordinate, and follow rules without middlemen.
- Decentralized AI Stack - making sure the future of AI doesn't rely only on a handful of entities but has open, verifiable, censorship-resistant alternatives.
One of the first things the dAI team is working on is ERC-8004 (Ethereum Magicians discussion), which extends the A2A protocol from Google. I think this trend of agentic commerce will continue, and identity tooling is going to play an important role here.
Agentic browsers, TEEs and identity
One way we could build a more powerful identity framework in the age of AI is to use a web proof tool like Pluto (disclosure: I'm an investor) and delegate control of the Frame API (example) to an agent that can drive a browser (e.g., Browser Use). Since the Frame API runs inside a TEE, you can produce an RoT for any web data without writing a script to fetch it: the agent navigates the website, fetches whatever information you ask for through the Playwright API, and gets a web proof for it. Of course, this is not the best solution, because what you end up trusting is not only the company and its API, but also the TEE proxy acting as the RoT.
An identity toolkit for AI browsers. As AI browsers like ChatGPT Atlas, Perplexity Comet or Dia (Browser Company / Atlassian) become more prevalent, they will introduce complex security and privacy challenges. To mitigate these, we should design their identity and authentication primitives around programmable cryptography by enabling precise, auditable access controls instead of blanket permissions to identity, payment accounts, or other sensitive information.
Web of Trust
Another use case I would really like to see is a global and decentralized trust network where individuals and organizations can attest to each other and to their beliefs, either publicly or with selective disclosure of attestations to a chosen audience. With programmable cryptography machinery and existing tools like the Ethereum Attestation Service (EAS) or Intuition (disclosure: I'm an investor), you could create all sorts of reputation networks, undercollateralized lending protocols (e.g. Wildcat and Accountable; disclosure: I'm an investor), interesting new kinds of markets, and augmentations of existing ones. This use case likely warrants an article of its own, as there are a lot of things you could build with credible trust data on different individuals, institutions, and entities. Underwriting credit and better credit risk analysis is one example, but many other kinds of financial derivatives and structured products benefit from access to this: almost a better Bloomberg Terminal, but with cryptographic trust attached to some of the important information. There are surely many non-financial use cases as well; an obvious one is social media, because I'm personally getting tired of seeing takes on X where the author has no credibility on a given topic and there is no easy way to check that without digging through a lot of information.
World
I've been working on World over the last 3 years, and it's been really awesome to see it evolve from an early product with about 1M users to a network with over 37.3M users of World App, and 17.4M of those being orb-verified. Since this article is about digital identity and privacy, it only makes sense that I talk about what role I believe World plays in all of this.
At World we are building the real human network for identity and finance. One of the core primitives is the World ID protocol which powers privacy-preserving proof of personhood for the age of AI. As AI systems continue to improve and surpass every Turing test imaginable, bringing us closer to AGI (however one defines it), the distinction between human and machine-generated content online will blur and many of the systems, platforms, and applications we know and love today will begin to break down. We are already experiencing symptoms of this with bots on social media, deepfakes that can fool even the most AI-aware users, etc.

I want to explain in a simplified manner how proof of personhood works. First, let's start with the orb. The orb is a hardware device whose purpose is to prove two things: first, that when signing up, the user in front of it is a real person (liveness), not an image of a cat or a dog, a picture of a human on a piece of paper, someone wearing glasses or contact lenses, or anything else that might occlude their face and eyes. Second, to take a high-resolution image of the person's face and irises and compute an iris code pair which will later be used to prove the user is unique in the set of verified humans to date (uniqueness).
The orb's goal is also to be secure against spoofing of all kinds, whether on the hardware, firmware, or AI/machine learning front, so as to preserve the integrity of the system and the privacy of the user. The orb runs everything locally and only communicates with the user's World App (on their phone) over an encrypted channel, in order to hand the user their personal data custody package (PCP) at the end of verification, which contains signed images of the user's irises and face and the iris code computed by the orb. After this, the orb deletes all images it took during signup. Once the iris codes are with the user, they are split into linear secret shares. Here is a video explaining how it works:
You can also read our AMPC explainer. AMPC (anonymized multi-party computation) is a technique in which the iris code is split into secret shares held by independent parties, who can jointly compute its distance to every other enrolled iris code without any party ever reconstructing a plaintext iris code. This is how World's architecture verifies the uniqueness of every user who signs up without leaking information about the user. After that, the user's World ID public key, generated in World App on the user's phone during signup, is inserted into a list in a World ID smart contract on Ethereum. This list of public keys is represented as a Merkle tree, and using zero-knowledge proofs, users can prove that they know the private key corresponding to one of the public keys in the tree without revealing which one.
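The principle behind computing on secret shares, as an added example (not World's or TACEO's AMPC code): a three-party replicated secret sharing in the style of ABY3, semi-honest, in Python. Each party holds two of the three additive shares of every iris-code bit, computes its share of the Hamming distance locally, and only the distance is reconstructed. The code length, the noise model, and the match threshold are constructed for the example and are not World's parameters:

```python
import random
import secrets
from typing import List, Tuple

MOD = 1 << 16            # ring Z_2^16; a distance between 256-bit codes never wraps
N_BITS = 256             # toy code length (assumption; real iris codes are far longer)
MATCH_THRESHOLD = 0.37   # assumed fractional-distance threshold, not World's actual value

Share = Tuple[int, int, int]


def share_bit(bit: int) -> Share:
    """Additive 3-way sharing: s0 + s1 + s2 == bit (mod MOD); any two shares are uniform."""
    s0, s1 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return (s0, s1, (bit - s0 - s1) % MOD)


def party_view(shares: List[Share], i: int) -> List[Tuple[int, int]]:
    """Replicated sharing: party i holds shares i and i+1 of every bit, never all three."""
    return [(s[i], s[(i + 1) % 3]) for s in shares]


def local_distance_share(a_view: List[Tuple[int, int]], b_view: List[Tuple[int, int]]) -> int:
    """Party i's additive share of HD(a, b) = sum_k (a_k + b_k - 2 a_k b_k).
    The product needs no communication: z_i = a_i b_i + a_i b_{i+1} + a_{i+1} b_i,
    and z_0 + z_1 + z_2 == a * b because the three parties cover all nine cross terms.
    The linear terms use only share i so that the three contributions sum to a + b."""
    acc = 0
    for (a_i, a_next), (b_i, b_next) in zip(a_view, b_view):
        prod = a_i * b_i + a_i * b_next + a_next * b_i
        acc += a_i + b_i - 2 * prod
    return acc % MOD


def mpc_hamming_distance(a_bits: List[int], b_bits: List[int]) -> int:
    """Share both codes, let each party compute locally, reconstruct only the distance."""
    a_shares = [share_bit(b) for b in a_bits]
    b_shares = [share_bit(b) for b in b_bits]
    partial = [local_distance_share(party_view(a_shares, i), party_view(b_shares, i))
               for i in range(3)]
    return sum(partial) % MOD  # reconstruction: the only value that ever leaves the parties


def plaintext_hamming_distance(a_bits: List[int], b_bits: List[int]) -> int:
    """Reference computation, used only to check the MPC result."""
    return sum(x ^ y for x, y in zip(a_bits, b_bits))


def is_match(a_bits: List[int], b_bits: List[int]) -> bool:
    """Same eye if the fractional distance is below the (assumed) threshold."""
    return mpc_hamming_distance(a_bits, b_bits) / len(a_bits) < MATCH_THRESHOLD


def sample_codes(seed: int = 7) -> Tuple[List[int], List[int], List[int]]:
    """Constructed test data: an enrolled code, a noisy re-capture of the same eye
    (20 of 256 bits flipped), and an unrelated code."""
    rng = random.Random(seed)
    enrolled = [rng.randint(0, 1) for _ in range(N_BITS)]
    recapture = enrolled[:]
    for k in rng.sample(range(N_BITS), 20):
        recapture[k] ^= 1
    other = [rng.randint(0, 1) for _ in range(N_BITS)]
    return enrolled, recapture, other


if __name__ == "__main__":
    enrolled, recapture, other = sample_codes()
    print(mpc_hamming_distance(enrolled, recapture), is_match(enrolled, recapture))
    print(mpc_hamming_distance(enrolled, other), is_match(enrolled, other))
```

Any single party's view is a pair of uniformly random shares per bit, so no party learns an iris code; correctness only needs the three partial sums. A production system would keep the threshold comparison inside the MPC as well, so that only the match bit rather than the distance is revealed, and would add the re-sharing and consistency checks needed to withstand malicious parties.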
This is what privacy-preserving proof of personhood means in the context of World, and it is packed with fascinating technology that Tools For Humanity, the World Foundation, and our partners have built. From the orb (hardware and software) to the MPC biometric algorithms, the cryptography (ZK, MPC, TEE), the World ID smart contracts on Ethereum, the buttery smooth UI/UX of World App, and more, there is so much amazing technology, and most of it is open source (excluding World App). If you want the details, I recommend reading our whitepaper or watching the series of longform videos we recorded with Encode Club explaining how World works. Also happy to answer any questions about it.
World ID is a protocol that allows anyone who is orb-verified to prove they are a unique human, online and onchain, in a fully privacy-preserving way. Proof of personhood also gives sybil resistance: thanks to nullifiers, you can make sure that each user can perform a given action only once, without knowing who they are.
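To show the membership-plus-nullifier logic the last two paragraphs describe, here is an added example in Python (not World ID's circuits or contracts) that evaluates, in the clear, the statement a proof-of-personhood circuit proves: the prover knows a secret whose commitment sits in the Merkle tree under a known root, and the nullifier was derived from that secret for this app and action. Tree depth, hash function, app identifier, and the action string are assumptions of the example; in the real protocol the secret and path are private inputs hidden behind a ZK proof, and only root, app, action, and nullifier are public:

```python
import hashlib
from typing import List, Set, Tuple

DEPTH = 4  # toy tree of 16 leaves (assumption; the real tree is much deeper)

Path = List[Tuple[bytes, int]]


def h(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 stands in for the circuit-friendly hash a real system uses."""
    return hashlib.sha256(b"".join(parts)).digest()


def identity_commitment(secret: bytes) -> bytes:
    """Leaf value registered onchain at signup. The secret itself never leaves the phone."""
    return h(b"leaf", secret)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels bottom-up; empty slots are filled with a fixed zero leaf."""
    level = leaves + [h(b"zero")] * (2 ** DEPTH - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def merkle_path(levels: List[List[bytes]], index: int) -> Path:
    """Sibling hashes from leaf to root, each with the node's side (0 = left, 1 = right)."""
    path: Path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1))
        index >>= 1
    return path


def nullifier(secret: bytes, app_id: bytes, action: bytes) -> bytes:
    """Deterministic per (secret, app, action): repeating the action reproduces the same
    nullifier, different actions or apps give unlinkable values, and without the secret
    nobody can map a nullifier back to a leaf."""
    return h(b"null", secret, app_id, action)


def circuit_statement(root: bytes, app_id: bytes, action: bytes, nul: bytes,
                      secret: bytes, path: Path) -> bool:
    """The relation a proof-of-personhood circuit enforces, evaluated in the clear.
    Public inputs: root, app_id, action, nul. Private witness: secret, path.
    In the real protocol the verifier sees only the public inputs plus a ZK proof."""
    node = identity_commitment(secret)
    for sibling, is_right in path:
        node = h(sibling, node) if is_right else h(node, sibling)
    return node == root and nul == nullifier(secret, app_id, action)


class RelyingParty:
    """Sybil resistance: each (action, nullifier) pair is accepted exactly once."""

    def __init__(self, root: bytes, app_id: bytes) -> None:
        self.root, self.app_id = root, app_id
        self.seen: Set[Tuple[bytes, bytes]] = set()

    def accept(self, action: bytes, nul: bytes, secret: bytes, path: Path) -> bool:
        # secret and path play the role of the ZK proof in this plaintext model.
        if not circuit_statement(self.root, self.app_id, action, nul, secret, path):
            return False
        if (action, nul) in self.seen:
            return False  # replay: the same human already performed this action
        self.seen.add((action, nul))
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: three enrolled users, one vote, one replay, one outsider."""
    user_secrets = [bytes([i]) * 32 for i in range(3)]
    levels = build_tree([identity_commitment(s) for s in user_secrets])
    app = b"example-app"
    rp = RelyingParty(merkle_root(levels), app)
    alice, alice_path = user_secrets[0], merkle_path(levels, 0)
    vote = b"vote:proposal-1"
    first = rp.accept(vote, nullifier(alice, app, vote), alice, alice_path)
    second = rp.accept(vote, nullifier(alice, app, vote), alice, alice_path)  # replay
    outsider = bytes([9]) * 32                                                # never enrolled
    stranger = rp.accept(vote, nullifier(outsider, app, vote), outsider, merkle_path(levels, 5))
    return first, second, stranger


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The relying party keys its replay set on (action, nullifier): the same person repeating the action produces the same nullifier and is rejected, while a different action or app yields an unrelated nullifier, so a user's actions across apps cannot be linked back to one leaf.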
Besides World ID, there is also World App, which is a mobile client to World ID and a wallet (Safe smart account), and there is World Chain, which is an L2 on Ethereum powered by the OP Stack. World App also has Mini Apps, which allows anyone to build an app on top of World App, leverage its APIs and features, and distribute it to the entire World App user base of 37.4M+ users, which is one of the largest consumer bases in all of crypto.
These are most of the things that we have been building over the last few years, but I also want to talk about the future and my personal hopes and dreams for the project. In previous sections, I mentioned that one of the biggest bottlenecks to digital identity and privacy was client-side proving. The ability to create zero-knowledge proofs on mobile devices in a way that is fast and meets real-world requirements to support the scale and distribution of World App is going to unlock the next wave of products and features such as selective disclosure of KYC credentials by leveraging ZK KYC as part of World ID Credentials, World ID Orb+ where you can prove you are the same person that went to the orb by using ZK Face ID on the phone, and others to come.
As World keeps decentralizing and creating new possibilities in the field of identity, I'd like for World ID to be a general-purpose identity protocol that embodies the ideals I described earlier. For anyone to be able to create any credential, for anyone to be able to build their own client for this protocol, for anyone to be able to write their attestations about these credentials, and for any user on World App and beyond to be able to use any mini-apps or applications on top. Everyone should be able to leverage these capabilities to build awesome products with privacy-preserving, self-sovereign digital identity available to them.
The future that I'd love to see
The reason I got captivated by crypto in late 2017 as a teenager was not just that I saw a better way for finance to work (even though I understood very little about it at the time beyond the basics of fractional reserve banking and what Bitcoin and Ethereum allow), but that I really love how open crypto is to everyone and how it lets people coordinate with one another while preserving self-sovereignty and individual freedom. Decentralized digital identity, combined with privacy and the power of blockchains, are the perfect ingredients to improve human coordination at scale by disintermediating trust the same way blockchains are already disintermediating money. A world in which people leverage onchain identity systems that respect user privacy and self-sovereignty, and in which mechanisms and protocols can be designed to coordinate more efficiently, will inevitably create value, grow, and innovate faster than anything we have been able to build so far.
If we truly want to onboard all of human activity from traditional systems onchain, we need to have identity and privacy be native and core to the blockchains and applications built on top of them because it is simply impossible to get there otherwise in my view. The properties of blockchains like atomicity, composability and decentralization coupled with privacy and identity will surely also bring new innovations and create emerging phenomena that weren't possible before like when flashloans were created in DeFi. We can finally bring all existing transactions onchain, streamline the use of blockchain applications, make them much more efficient and pleasant to use and enable new use cases never thought possible before.
Identity and privacy are the primitives that were missing in order to build truly compelling onchain applications, so I hope the maturing of these technologies will be a major catalyst for Ethereum and for its values to permeate the real world.
The end
I hope you enjoyed reading this article as much as I enjoyed writing it. I believe that the next couple of years will be really interesting thanks to AI advances, mainstream adoption of crypto products, and other technological improvements, and I hope this will inspire at least some of you to contribute to this wonderful technology.
I want to thank my teammates at World for believing in me for all these years and for supporting me as I do so.
Also a big thank you to friends from the EF, World, Bain Capital Crypto, TACEO teams and everyone else that helped me with reviews, feedback and typo fixes in this article!
If there are any typos, questions you'd like to ask or topics you'd like to bring up feel free to DM me on X or ask me for my Telegram/Signal.