Evolve Identity Manifesto

  • Writer: Evolve Partners
  • Apr 18, 2025

Updated: Apr 18, 2025

Proving and Protecting Identity in a Decentralized World




Definition of Identity


  1. The distinguishing character or personality of an individual—that is, their individuality.

  2. The relationship established by psychological identification.


Why Identity Matters


Part (1) of Webster’s definition frames identity as the intersection of who we are, what we have done, and what we own (including possessions, accomplishments, and relationships) combined with the reputations that others assign to us. Part (2) suggests that everything an individual identifies with—such as preferences, memberships, and associations—also becomes part of their identity. In essence, identity both distinguishes us from others and connects us to those with shared characteristics. For the purposes of this manifesto, we will focus on part (1), which pertains to proving and protecting individual identity.

Proof of identity is often crucial. For instance, when boarding a commercial airline, you must provide official documents (like a passport or driver’s license) so that airlines and authorities can accurately identify you and screen for potential risks. Similarly, banks require authentication (using an ATM card, PIN, or other official ID) before allowing withdrawals—protecting the institution and the account holder from fraud.

Likewise, any viable system of “ownership” or “liability” must reliably associate property with a unique owner. Strong identification is essential to manage property rights and the accompanying responsibilities.

Without a clear understanding of identity, building trustless systems becomes prohibitively expensive. In contrast, robust identification allows us to design frameworks that use reputation as a proxy for the genuine trust cultivated through repeated, reciprocal interactions—much like seller ratings on eBay, Amazon or Uber.

Today, many platforms allow anonymous or pseudo-anonymous transactions, but these are often rife with fraud (such as theft and money laundering via cryptocurrencies) and vulnerable to “Sybil attacks” (for example, the spread of fake news on social networks).


Components of Identity


An individual’s identity can be connected to and confirmed by multiple factors:


Facts About Me:


Name, date of birth, home address, phone numbers, email addresses, bank records, educational records, employment history, health records, driving records, criminal records, tax filings, etc.


My Biology:


DNA, fingerprints, iris patterns, vascular patterns, voice timbre, facial structure, gait, etc.


Things I Own:


State-issued ID documents (driver’s license, passport), private membership IDs (from school, work, or clubs), and title documents (for real estate or vehicles).


Things I Have:


Keys, collectibles, NFTs, items bearing a serial number, etc.


Secrets and Shared Secrets:


Information known only to me—or shared with trusted individuals or organizations.


My History of Interactions:


Attendance records, credit history, browsing history, career statistics, song selections, purchasing history, etc.


Attestations from others:


Endorsements or confirmations provided by those who know me or have transacted with me.

Personal identity is also shaped by how others perceive us—our reputation. While our personal narrative influences how people see us, our actions (and the perceptions of those actions) ultimately form the collective narrative. We use letters of recommendation, referrals, and character witnesses to build trust because trust is founded on shared history and proven reliability.


Digital Identity Today


What happens when someone can’t prove their identity? Membership in institutions—such as schools, jobs, or even citizenship—would be impossible to verify. Historical records (medical, credit, educational, or residential) would vanish, forcing individuals to interact anonymously. This lack of verifiable identity incurs high risks and costs due to the absence of trust or recourse.


Yet, proving one’s identity does not require sacrificing privacy. For example, in voting, a voter must show proof of identity to receive a ballot; however, the ballot itself remains anonymous. In the digital realm, we often separate authentication from access control to balance security with privacy.


Existing Identity Authentication Methods


Username and Password:


The most common method relies on a secret (the password) to authenticate users. However, a 10-character password can be brute-forced over time, and credentials are frequently stolen via social engineering (as seen in spear-phishing attacks). A username and password confirm that you know a secret—they do not conclusively prove that you are the account owner. Moreover, password reset processes (via email or security questions) introduce additional vulnerabilities.


Two-Factor Authentication (2FA):


2FA adds a second layer by requiring a trusted device to verify access. Although this makes unauthorized entry more difficult, SIM card hacking can still compromise security. Ultimately, 2FA verifies access to credentials rather than confirming the user's true identity.


CAPTCHA and Bot Prevention:


Proof-of-personhood tests (such as CAPTCHAs) help mitigate brute-force attacks, denial-of-service attacks, and automated abuses by bots. While effective at filtering out non-human traffic for now, CAPTCHAs do not address the core challenge of uniquely identifying real users.


Biometric Authentication:


The latest approach uses biometric sensors to measure unique physical features—fingerprints, facial structures, or even 3D scans. While biometrics offer a more reliable means of authentication than traditional methods, they are typically used only to grant access to personal property. For example, unlocking your smartphone with your fingerprint is secure because only you care about that device. In contrast, when TSA captures fingerprints for pre-check enrolment, they use secure equipment and databases to establish an unambiguous link between your physical features and your official state ID. Although this method boosts security, it also raises significant privacy concerns regarding the storage and potential misuse of biometric data.


Genetic Authentication:


Genetic sequencing offers a unique identifier; however, its use for authentication must be carefully weighed against the following risks:


Irreversibility:


Unlike passwords, genetic or biometric data (fingerprints, facial features, iris patterns, etc.) are inherently immutable. Once compromised, you cannot simply "reset" your genetic or biometric identifiers, leaving individuals permanently vulnerable.


Privacy Invasion:


Genetic and biometric data contain highly sensitive personal information—not only about identity but also about health, ancestry, and predispositions. Exposure can lead to unintended profiling or misuse of intimate data.


Discrimination and Ethical Concerns:


Access to genetic information could enable discrimination by employers, insurers, or other organizations. This raises ethical issues regarding consent, fairness, and the potential misuse of such data.


Data Breaches and Centralization Risks:


Storing genetic or biometric data in centralized databases makes them attractive targets for hackers. A breach could expose vast amounts of personal data, affecting not just individuals but potentially their relatives.


Familial Implications:


Your genetic data is shared with close family members. Using it for authentication could inadvertently expose sensitive information about relatives who did not consent to it.


Legal and Regulatory Challenges:


Using genetic or biometric data for authentication raises complex legal questions regarding ownership, consent, and the regulation of such sensitive information, potentially leading to significant legal liabilities.


Technological Limitations and Errors:


Although genetic sequencing technology is advanced, there is still a risk of errors or misinterpretation, which could lead to false positives or negatives in the authentication process.


Traditional Identity Authentication Methods


Government-issued Photo IDs (Driver’s License, Passport):


While widely accepted and containing a photograph for visual verification, these IDs are susceptible to forgery, loss, or theft, and they expose a wealth of personal data that, if compromised, can facilitate identity theft.


State-issued Identity Cards (National IDs):


These offer standardized identification but are vulnerable to centralized data breaches and misuse of sensitive information. Their static nature means they do not easily adapt to changes in one’s personal circumstances.


Birth Certificates:


Often used to verify identity, they lack photo or biometric data, making visual confirmation difficult. Compared to other forms of official ID, they can also be easier to forge or alter.


Supplementary Documents (Utility Bills, Bank Statements):


While sometimes used to support identity verification, these documents are not designed primarily for that purpose, can be outdated or manipulated, and may reveal sensitive personal or financial information if intercepted.


Affidavits and Witness Testimonies:


Leverage notarized affidavits and corroborative statements from trusted individuals to verify identity when official documents are unavailable.


Enhanced Credibility:


Human attestations provide an additional, trusted layer of verification that complements digital methods.


Contextual Insight:


Affidavits and witness testimonies offer detailed, personal context about an individual’s identity that purely digital data might miss.


Legal Weight:


Notarized statements carry formal legal recognition, reinforcing the authentication process with a documented sworn affirmation.


Resilience Against Digital Attacks:


The human element can be more resistant to automated digital fraud, adding robustness to identity verification.


True Authentication vs. Access Control


Most digital authentication methods function merely as access control mechanisms—they require possession of a key or knowledge of a secret rather than verifying the true identity of the person making the request.

Imagine if we could genuinely authenticate a user every time. What problems would disappear, and what new opportunities might arise? Consider the following potential threats that could be eliminated with actual authentication:


Spoofing:


Impersonating another by falsifying data to gain an illegitimate advantage.


Tampering:


Unauthorized modification of products or data is often undetectable after the fact.


Repudiation:


A statement’s author can deny authorship or the validity of a contract.


Disclosure:


Unauthorized collection and dissemination of personal or sensitive information.


Elevation of Privilege:


Exploiting vulnerabilities to gain unauthorized access to protected resources.


Denial of Service:


Conspirators who attempt to overload systems with excessive requests to render them unavailable could be identified.


By authentically verifying every connection and transaction, we can establish ubiquitous accountability. Fraudsters would no longer hide behind pseudo-anonymous accounts—each individual would be uniquely identifiable. This clarity in ownership and responsibility creates a middle ground between preserving privacy and ensuring access to personal data.

Currently, organizations own the data we supply or generate on their platforms. They create reputation profiles and ratings of us that we neither control nor directly benefit from. But what if we could own, control, and profit from our data? Since this data largely defines our digital identity, we need a secure repository to store it—and a way to share it selectively when we choose.


Right now, we are doubly exploited. Platforms harvest and monetize our digital behaviour for profit while using this data to manipulate us. We now have the power to compel these platforms to pay for access to our behavioural data—but we have yet to develop the necessary tools and policies. Perhaps this is why social networks have not fully addressed the issue of fake accounts; doing so would upend the current business model of surveillance capitalism by reducing control over and profits from user data.


A New Paradigm for Digital Identity


Over twenty years ago, Kim Cameron wrote The Laws of Identity at Microsoft. Although many of his concerns have been partially addressed, several challenges remain. The last two decades have brought significant advances in biometric authentication and distributed applications, but there is still ample room for improvement.

At the time of Cameron’s writing, biometric technologies were not as ubiquitous as they are today; nearly every smartphone now features fingerprint or facial recognition. Additionally, distributed applications (such as Bitcoin and Ethereum) represent breakthroughs that were unimaginable back then. Biometrics provide proof of personhood and strong authentication, whereas traditional methods rely on easily compromised factors like what you have or what you know. Distributed applications decentralize data ownership, distributing it securely across encrypted networks.


Evolved Laws of Identity


Anonymity with Accountability:


An Evolved user remains anonymous (yet authorized) until they choose to disclose their identity or breach a contract.


Data Ownership:


An Evolved user owns and controls all their data and can grant or revoke access at their sole discretion.


Direct Data Flow:


Data should not pass through intermediaries (for example, using PayPal should not require sharing your Visa credentials with vendors).


Device-Agnostic Authentication:


An Evolved user can authenticate from any device at any time.


Singular Identity:


An Evolved user is limited to one EVOLVE ID, although multiple third-party accounts or possessions may be linked.


Binding Agreements:


Agreements between Evolved users are binding and material.


Foundational Policies:


Policies formed through these agreements become the foundation for future identity claims.


Evolve Identity Methodology


Multi-Layered Verification:


Combining affidavits, witness testimonies, and unique device ownership creates a robust, multi-factor authentication system in which each layer compensates for the weaknesses of the others.


Enhanced Accountability:


Linking human attestations with device-specific credentials provides stronger non-repudiation and traceability, making it more difficult for fraudulent actors to bypass verification.


Redundancy and Resilience:


If one authentication factor is compromised or fails, the remaining layers (device ownership and personal attestations) help maintain overall system integrity.


Contextual Confirmation:


Human testimonies add contextual details that digital credentials alone might miss, strengthening identity validation.


In conclusion, by combining affidavits and witness testimonies with unique device ownership, we create a robust, multi-layered verification system that significantly strengthens our defences against conventional bad actors and advanced AI-driven threats, such as deepfake phishing attempts. This multi-factor approach ensures that the remaining factors maintain overall system integrity even if one layer is compromised. Enhanced accountability through traceable, human-sourced attestations linked to device-specific credentials makes it exceedingly difficult for fraudsters to impersonate or manipulate identities. Furthermore, the contextual confirmation provided by human testimonies fills in the gaps that purely digital credentials miss, offering an additional safeguard against sophisticated AI attacks. Together, these benefits build a resilient and trustworthy digital ecosystem that not only deters malicious actors but also adapts to evolving security challenges, embodying the very essence of an Evolved Identity.


Evolution is inevitable.

 
 
 
