# **The Problem: Non-Government Digital ID** This document is part of the not.botâ„¢ Problems series, which presents public evidence for the problems not.bot exists to solve. This one covers the identity layer itself. Government databases and Big Tech logins stand in for digital identity today, and the costs of that arrangement arrive as breaches, surveillance, and exclusion. Every figure below carries its source and date. The incidents are on the public record. --- ## **Identity online means someone else's database** To prove who you are online, you photograph a government document and upload it to a server you will never see, or you borrow a login from a platform. A Forrester evaluation of the identity-verification market lists the methods in commercial use: document upload with a selfie match, public-records lookups, phone-number and email reputation, behavioral biometrics (Q3 2025). The same evaluation describes document- and records-based verification as "becoming commoditized." Businesses paid US$15.2 billion for identity checks in 2024, and Juniper Research projects spend to pass US$26 billion by 2029 (December 2024). Each check leaves a copy. The copies accumulate in cloud stores whose condition is measurable: in a 2025 survey of 3,163 security and IT professionals fielded by S&P Global Market Intelligence's 451 Research, 68% named credential and stolen-secrets attacks the fastest-growing attack class, 8% of organizations encrypt 80% or more of their cloud data, and human error remains the leading cause of cloud data breaches (June 2025). Gartner's verdict on the arrangement is one sentence: "Security and privacy for identity data remain lacking" (July 2024). The other half of the layer is the platform login. Researchers counted 1,632 of the Tranco top 10,000 websites offering sign-in through Google, Facebook, or Apple (SSO-Monitor study, Ruhr University Bochum, February 2023). Sweden shows the end state of login concentration: BankID reports 8.6 million users, 99.9% of registered citizens aged 18 to 67, in a country of 10.5 million (BankID statistics, 2024). One layer signs Swedes into banking, taxes, and government services. ## **Documented incidents** **The national identity portal of France.** In April 2026, attackers breached France Titres, the agency portal behind French passports, national ID cards, driver's licenses, and residence permits. France Titres put the confirmed figure at 11.7 million accounts; the attacker advertised more on a criminal forum. Exposed fields included names, emails, dates of birth, account identifiers, and for some records postal addresses, places of birth, and phone numbers (France Titres statement, April 24, 2026; BleepingComputer, April 28, 2026). The breached system was the infrastructure of French legal identity itself. **Passport photocopies, retained to sell train passes.** Eurail, the Dutch seller of Interrail passes, lost data on 308,777 people in a December 2025 intrusion it noticed weeks later and disclosed to victims on March 27, 2026. Records from the DiscoverEU youth program included passport photocopies and bank details. Eurail advised travellers to consider replacing their passports at their own cost and announced no compensation (breach notifications filed with US state attorneys general, March 2026; SecurityWeek, March 2026). None of that data was needed to sell a train ticket. **"Deleted" identity documents that were not.** In October 2025, Discord disclosed that about 70,000 users may have had government-ID photos exposed through a customer-service contractor that held them to review age-related appeals (Discord statement, October 2025). Discord's support pages had stated that identity documents were deleted after age review. The IDs were sitting with a vendor. **Exposure during a mandatory ID rollout.** A flaw in the UK Companies House WebFiling service exposed directors' dates of birth, residential addresses, and email addresses to other logged-in users from October 2025 until March 2026, a window covering the months in which the law began requiring millions of company directors to verify their identities (Companies House confirmation, March 2026). The agency estimates 6 to 7 million people must verify by November 18, 2026. **Fingerprints from a government vault.** The 2015 breach of the US Office of Personnel Management took background-investigation records on 21.5 million people, including 5.6 million sets of fingerprints (OPM statements, September 2015). A password can be rotated after a breach. A fingerprint cannot. **An identity revoked by a classifier.** In February 2021, a San Francisco father photographed his toddler's groin at a nurse's request for a telehealth appointment. Google's scanning flagged the images, reported him to authorities, and terminated his account: email, contacts, photos, and his phone number went with it. The San Francisco police investigated and cleared him. Google refused to restore the account (The New York Times, August 21, 2022). Every service downstream of that login lost its anchor with no due process and no appeal that worked. ## **The scale** - A single credit bureau's 2017 breach exposed personal data on 147 million people; the resulting settlement with the US FTC, CFPB, and 50 states reached up to US$700 million (FTC, July 2019). - India's identity program demonstrates runtime exclusion at population scale: UIDAI acknowledged to India's Supreme Court a 12% authentication-failure rate for government services (March 2018), and reporting documented named, enrolled individuals denied food rations when fingerprint authentication failed (Economic and Political Weekly; The Quint, March 2018). - Facebook's 2018 "View As" breach let attackers steal access tokens for about 30 million accounts, revised from an initial 50 million estimate. Facebook warned the tokens could have reached third-party apps using Facebook Login and reset tokens for 90 million accounts as a precaution; its log analysis later "found no evidence that the attackers accessed any apps using Facebook Login" (Facebook disclosures, September 28 and October 12, 2018). - On October 4, 2021, Facebook went down for about six hours and took "Log in with Facebook" with it; sites with no connection to Facebook beyond the login button lost their users for the duration (Meta engineering statement, October 5, 2021). ## **Watched at every use** A centralized identity layer sees every use of the identity it holds. A platform login reports every site you sign into back to the platform. The ISO/IEC 18013-5 mobile driver's license standard includes a server-retrieval mode in which the issuing authority is contacted at the moment of presentation, and so learns where and when the license is used. A coalition including the ACLU, EFF, EPIC, CDT, and Bruce Schneier launched the "No Phone Home" campaign against that mode (June 2025), and Utah disabled it by statute before launching its own mobile license. Julia Social and its founder are among the signatories. Germany's Digital Affairs ministry conceded the principle while defending its program: the phone-home function "must be ruled out" so as "not to make users transparent" (heise online, August 26, 2025). When the regulator building the wallet names the surveillance risk, the risk is settled. Gartner notes that government wallet programs began with implementations built to track COVID-19 vaccinations (July 2024). The record shows where pooled identity data ends up. A joint investigation by CORRECTIV, Solomon, and Computer Weekly found Europol had operated internal platforms holding passport photos, phone records, financial transactions, and location data on people never suspected of a crime: at least two petabytes by 2019, about 420 times the size of its primary lawful database, with the agency's own data protection officer finding 99% of operational data outside the regulated environment (May 5, 2026). The EU's privacy supervisor closed its monitoring in February 2026 with 15 of 150 recommendations unimplemented. The incumbent verification market runs on the same trade. Gartner's own analysis of impersonation defenses stacks the layers from "more privacy" to "more assurance," with assurance bought by behavioral biometrics and device surveillance, and concedes "obvious trade-offs between privacy and assurance" (October 2025). In a centralized architecture, certainty about identity is purchased with visibility into the person. ## **Locked out by the layer** The same gate that admits can refuse. India's identity program shows refusal at population scale: a 12% authentication-failure rate for government services means denied rations for enrolled people whose worn fingerprints no longer match the database. Mexico made the trade explicit: a July 16, 2025 decree makes a biometric national ID mandatory, and telecom rules require an estimated 127 million mobile lines to be linked to it by June 30, 2026 or face suspension the following day (Official Journal of the Federation, July 2025; telecom guidelines, December 2025). Refuse the credential, lose your phone. Platform identity refuses in its own way. The Google case above shows revocation without recourse. The 2021 outage shows the layer failing for everyone at once. Account takeover supplies the criminal version: Gartner names it "a major attack vector," with groups such as Scattered Spider acting "under the guise of trusted users" (October 2025). An identity that lives in a provider's database is yours at the provider's pleasure. ## **Regulation arrives, and builds more of the same** Governments are now constructing digital identity at speed, and the programs answer few of the objections above: - The EU requires every member state to offer citizens a digital identity wallet by the end of 2026 under eIDAS 2.0 (European Commission; Regulation (EU) 2024/1183). A separate regulation that applies from July 2025 lets private entities, with the holder's consent, read the facial image from an ID card's chip to check identity (Regulation (EU) 2025/1208). - The UK announced a digital ID in September 2025, mandatory for right-to-work checks by 2029. A petition against it gathered about 3 million signatures, and by January 2026 the government had dropped the single-mandatory-credential design; digital right-to-work checks remain slated to become mandatory, and no bill has been introduced as of June 2026 (UK government announcement, September 25, 2025; House of Commons Library, 2026). - Switzerland's voters approved a state e-ID by 50.39% in a September 28, 2025 referendum, after rejecting a private-sector version in 2021 with a 64% no vote. Availability is expected no sooner than summer 2026 (Swiss federal referendum results, September 2025). - Idaho moved the opposite way: Senate Bill 1299, signed April 1, 2026, bars government agencies from requiring digital ID and from denying services to anyone who refuses one. - US federal policy reversed itself within five months: Executive Order 14144 (January 16, 2025) directed agencies to accept digital identity documents for public-benefit programs, and a June 6, 2025 executive order rescinded those provisions. Login.gov added passport-based remote verification in August 2025 (GSA). The FCC proposed know-your-customer rules in April 2026 that would require voice providers to collect and verify a government-ID number before provisioning service (FCC, April 30, 2026). Read together: identity requirements are spreading through commerce and government on every continent, public consent is narrow where it is sought at all, and each program concentrates more identity data behind logins and portals of the kind documented above. Demand for identity infrastructure is rising either way. The unanswered question is architectural: who holds the data, and who gets to watch. ## **Who bears the cost** **People whose documents sit in databases.** Names, birthdates, fingerprints, and passport scans do not rotate. France Titres, Eurail, Discord, and OPM victims carry the exposure for life; Eurail's victims were advised to buy new passports at their own cost. **People the database says no to.** Authentication failure excludes even the enrolled: in India, a fingerprint mismatch at a ration point can mean no food. The person holds valid identity; the runtime check refuses it anyway. **Account holders.** A platform login is a single point of failure for a person's digital life: revocable by a moderation error, gone in an outage, and a standing target for takeover. **Enterprises and relying parties.** They fund the US$26 billion verification market, and every retained ID copy is a liability on their books. Eurail and Discord show the breach duty landing on companies whose business was never identity. **Governments.** They keep funding identity programs the public keeps rejecting: a 50.39% referendum, a 3-million-signature petition, a state-level ban. A national identity portal breached at 11.7 million accounts spends public trust that the next program needs. ## **The deepest cost: identity becomes a permission** When identity is a record in someone else's database, a person holds it at the owner's discretion. The database can leak it, as in France. The operator can revoke it, as Google did to a cleared man. The state can make it the price of carrying a phone, as Mexico's rule does. Each failure is documented above; together they change the relationship between a person and their own name. Analysts already name the direction of the fix. Gartner projected that by 2026 at least 500 million smartphone users would be making verifiable claims from digital identity wallets, and sized decentralized identity at US$3.3 billion by 2031 (July 2024). Juniper recommends decentralized approaches for security and privacy by name (December 2024). The unsettled question is whether the replacement inherits the watching. A wallet issued by a government that phones home moves the database without removing it. The German ministry already stated the standard the public will hold every system to: identity use must not make users transparent. ## **What an adequate solution requires** The evidence defines the requirement set: 1. **No central database of identities.** Enrollment and verification must work without accumulating a record store, because every accumulated store, government or commercial, has been breached. There must be nothing to empty. 2. **Verification that does not call home.** Neither the issuer nor the operator may learn where, when, or whether an identity is used. The No Phone Home coalition and the German ministry converged on this requirement from opposite sides. 3. **Keys held by the person.** An identity must survive any provider's outage, business failure, or moderation decision. No party should hold the power Google exercised over a cleared man's digital life. 4. **The claim, not the document.** A service that needs one fact, an age or a name, should receive that fact and nothing else. Eurail needed to sell train passes and held passport photocopies; the gap between those two is the breach surface. 5. **A government-grade anchor without a government query.** Government documents remain the strongest root of trust. Checking the cryptographic signature a government placed inside a passport chip requires no database lookup and tells the government nothing. 6. **Accountability without surveillance.** Lawful unmasking under due process must remain possible, as a deliberate and narrow exception, or platforms and regulators will reject the system. Anonymity to operators and accountability to courts are compatible when the architecture is built for both. [The not.bot App (Doc #5)](http://doc_05_notbot_app.md) describes how not.bot meets these requirements: identity anchored once, at enrollment, in the signature a government already placed inside the holder's passport chip, then held and used by the person alone, with no central identity database, no login provider in the path, and an architecture under which Julia Social cannot see who uses an identity or whether it is used at all. [Privacy Architecture (Doc #7)](http://doc_07_privacy_architecture.md) carries the proof. ## **Related documents** - [The not.bot App (Doc #5)](http://doc_05_notbot_app.md): the consumer identity that answers this problem. - [Privacy Architecture (Doc #7)](http://doc_07_privacy_architecture.md): the architectural guarantee that Julia Social cannot see identity data or identity use. - [Identity Architecture: DIDs, Aliases, and Ownership (Doc #6A)](http://doc_06A_identity_architecture.md): how user-held identity works underneath. - [Law Enforcement and Accountability (Doc #9)](http://doc_09_law_enforcement.md): the deliberate exception, unmasking under due process. - [The Problem: Age Verification Without Surveillance (Doc #43)](http://doc_43_problems_age_verification.md): the adjacent problem of proving one fact without uploading a document.