
No Phone Home: Digital Identity Without Built-In Tracking

Digital identity works better when verification does not create a built-in tracking system.

I believe stronger digital identity is good for security and online safety.

But it should not come at the expense of privacy, and it does not have to.

The many signatories of the No Phone Home statement are saying just the same: identity systems should not be built with the technical ability to track when or where identity is used. If either the verifier app or the user app has to call back to the issuer during verification, you have created the machinery for surveillance whether you meant to or not.

A simple example: if I need to prove I am over 18, the system should be able to confirm that fact without also reporting where I was, when I checked in, and which credential I used. That is the line.

That should make more people uncomfortable than it currently does.

The privacy problem is not hypothetical

A lot of digital identity conversations get stuck on convenience: faster onboarding, easier proof of age, fewer plastic cards, less manual checking. Fine. Those are real benefits. But privacy does not disappear just because the user experience got smoother.

If the act of proving "I am over 18" or "I hold this qualification" also reveals where I was, when I used it, and which authority can later query that trail, we have built something very different from a simple credential system. We have built a monitoring system with identity attached.

Verification should not require a live callback

The interesting bit here is technical, but the consequence is social.

Modern verifiable credentials can be designed so a verifier can confirm authenticity without contacting the original issuer every time. The W3C Verifiable Credentials Data Model v2.0 sits inside that broader ecosystem and explicitly deals with privacy, correlation, and phoning-home risks. That is the model the No Phone Home initiative is pushing for, and it is the right default.

Why? Because a live callback creates central visibility. And once that visibility exists, somebody will want to use it. Maybe for fraud analytics. Maybe for product metrics. Maybe for law enforcement access. Maybe just because it is there and nobody drew a hard line early enough. That is how these systems drift.
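To make the difference concrete, here is an added illustration in Go that is not code from the No Phone Home initiative, the W3C, or the DIF. It uses a deliberately simplified credential structure rather than the real Verifiable Credentials Data Model, and the issuer name "example-dmv" and the verifier names are hypothetical. The issuer signs a single derived claim ("age_over_18", not a birth date) once, at issuance. A verifier holding the issuer's public key in a local trust list can then check the signature, the claim, and the expiry entirely offline. The same code also models the phone-home design: a verification-time callback to the issuer, which necessarily leaves the issuer with a log of who checked which credential and when.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a constructed, minimal stand-in for a verifiable credential.
// It carries one derived claim rather than the underlying personal data.
type Credential struct {
	Issuer    string `json:"issuer"`
	Claim     string `json:"claim"`
	Value     bool   `json:"value"`
	ExpiresAt int64  `json:"expires_at"` // Unix seconds
}

// SignedCredential is the credential bytes plus the issuer's Ed25519 signature.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// Issuer holds a signing key. CallbackLog records every live verification
// callback it receives: that log is the surveillance trail the post warns about.
type Issuer struct {
	Name        string
	Pub         ed25519.PublicKey
	priv        ed25519.PrivateKey
	CallbackLog []string
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// Issue signs the credential once, at issuance time. Nothing here runs later.
func (i *Issuer) Issue(c Credential) (SignedCredential, error) {
	c.Issuer = i.Name
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// PhoneHomeCheck models the design the post argues against: the verifier asks the
// issuer at verification time, so the issuer learns who checked what, and when.
func (i *Issuer) PhoneHomeCheck(verifier string, sc SignedCredential, now time.Time) bool {
	i.CallbackLog = append(i.CallbackLog, fmt.Sprintf("%s verifier=%s credential=%s",
		now.UTC().Format(time.RFC3339), verifier, string(sc.Payload)))
	return ed25519.Verify(i.Pub, sc.Payload, sc.Signature)
}

// TrustList maps issuer names to public keys, distributed out of band when the
// verifier is set up. It is the only issuer material an offline check needs.
type TrustList map[string]ed25519.PublicKey

// VerifyOffline validates a credential using only the local trust list.
// It never contacts the issuer, so no record of this check leaves the verifier.
func VerifyOffline(tl TrustList, sc SignedCredential, wantClaim string, now time.Time) (bool, error) {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return false, err
	}
	pub, ok := tl[c.Issuer]
	if !ok {
		return false, fmt.Errorf("issuer %q not in trust list", c.Issuer)
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return false, errors.New("signature does not verify")
	}
	if c.Claim != wantClaim {
		return false, fmt.Errorf("credential asserts %q, not %q", c.Claim, wantClaim)
	}
	if now.Unix() > c.ExpiresAt {
		return false, errors.New("credential expired")
	}
	return c.Value, nil
}

func main() {
	issuer, err := NewIssuer("example-dmv") // hypothetical issuer
	if err != nil {
		panic(err)
	}
	tl := TrustList{issuer.Name: issuer.Pub}
	now := time.Now()
	cred, err := issuer.Issue(Credential{Claim: "age_over_18", Value: true, ExpiresAt: now.Add(24 * time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	ok, err := VerifyOffline(tl, cred, "age_over_18", now)
	fmt.Println("offline verify:", ok, err, "| callbacks seen by issuer:", len(issuer.CallbackLog))
	issuer.PhoneHomeCheck("venue-door-scanner", cred, now) // hypothetical verifier
	fmt.Println("after a phone-home check the issuer holds:", issuer.CallbackLog)
}
```

The trust list is what makes the offline path work: key distribution happens once, at onboarding, not per verification. Revocation is the usual argument for a live callback; short expiry windows on the credential, as used here, are one way to bound that risk without giving the issuer a per-use view.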

And it is not a fringe concern. The Decentralized Identity Foundation write-up describes support from a broad coalition that includes groups such as the ACLU, EFF, Brave, and Bruce Schneier. That is not a tiny camp of purists. It is a serious warning from people who have seen how these systems get used once the capability exists.

Security gets better too

This is not only a privacy argument. Centralised verification trails create a very attractive target. If one service can see every check, every verifier, every timestamp, and potentially every person behind those checks, that service becomes a treasure chest. Reduce the data. Reduce the exposure. I keep coming back to the same point in security work: if you do not collect it, you do not have to defend it later.

The better question

When teams discuss digital identity, they often ask whether the credential is trustworthy. The better question is this: can the system verify trust without creating a built-in observation channel? If the answer is no, I think you should be much more cautious.

If you are in security, privacy, or architecture, ask that question early. Ask it before procurement. Ask it before rollout. Ask it before someone tells you interoperability is more important than privacy because the implementation timeline is tight. Because once the tracking path exists, removing it later gets politically and technically harder.

I am not arguing against digital identity. I am arguing against treating passive surveillance as an acceptable implementation detail.

Build credentials that prove, not credentials that report.

Olivier Reuland