
Chapter 1: The Identity Problem

What you'll learn:

  • Why digital identity is still unsolved despite decades of effort
  • The three structural problems with how we prove identity today
  • Why the answer requires rethinking who holds the credential, not just how it is transmitted

A simple question with a complicated answer

You arrive at a hotel. You hand over a passport. The receptionist glances at your photo, confirms it looks like you, types something into a screen, and hands back the passport. The whole exchange takes thirty seconds. You go to your room.

Now imagine that same scenario — but digital. You visit a website that needs to confirm you are who you say you are, that you are over 18, and that your address is current. What happens?

You fill in a form. You upload a photo of your passport. You receive an email with a link. You re-enter your password. You solve a CAPTCHA. You wait for a verification email. You photograph yourself holding your passport. You wait 24 to 72 hours while a human reviews the image in a call centre somewhere.

The physical version took 30 seconds. The digital version took three days.

This is not a minor inconvenience. It is a sign that something is structurally wrong.


Problem 1: Your identity lives in other people's databases

When you create an account on a website, that website stores your details. Your name, email address, date of birth, phone number — all of it sits in a database owned by a company you may never have heard of, running on a server in a country you do not know, protected by security measures you cannot inspect.

You have no copy of what they hold. You have no way to update it if your address changes. You cannot take it with you if you leave. You cannot see who else they have sold it to.

We have become so accustomed to this arrangement that it feels normal. It is not. Imagine handing your passport to a hotel and being told they will keep it in their filing cabinet permanently, might share it with their partners, and will not give it back when you check out. You would refuse. Yet this is the default model of digital identity.

The consequence is that each time you interact with a new service, you hand over your data again. Every service builds its own copy. Across hundreds of services, there are hundreds of copies of your identity, most of which you have forgotten about, many of which will eventually be leaked.

By the numbers: The Identity Theft Resource Center reported over 3,200 data breaches in the United States alone in 2023. Each breach exposes personal details that were stored in a centralised database on behalf of users who had no alternative but to hand over that data in the first place.


Problem 2: You prove more than you need to

When a bar in the UK checks your age, they look at your driving licence or passport. To confirm you are over 18, they see your full name, your exact date of birth, your address, your photo, and often your licence number.

They needed to know one thing: are you over 18? They learned everything.

In the physical world, this is a limitation of how credentials are designed — a passport cannot reveal only the year of birth without showing the rest of the page. In the digital world, there is no such excuse. Software can share precisely one attribute and withhold the rest. Yet most digital identity systems are designed to share everything, because they were built by companies whose business model depends on collecting data, not minimising it.

Privacy is not just a personal preference. The EU's General Data Protection Regulation (GDPR) enshrines data minimisation as a legal principle: you should collect only the data that is necessary for the purpose. Digital identity systems that reveal your entire profile to confirm you are over 18 are not merely inconvenient — they are non-compliant by design.


Problem 3: Every system is its own island

You have a verified identity with your bank. You have a verified identity with your mobile phone provider. Your government has verified your identity to issue your passport. Your employer has verified your identity to add you to their payroll.

Each of these verifications was done independently. Each resulted in a record in a different silo. None of them talk to each other. When you need to open a new bank account, the new bank cannot call your existing bank and say "this person has been verified." They start from scratch.

This is not just wasteful — it is a barrier to inclusion. People who lack fixed addresses, formal employment, or the correct type of government-issued document are disproportionately excluded from digital services, not because they lack identity, but because no system exists to recognise the identity they do have.


What would the ideal look like?

Picture this instead.

You visit a government office and provide the necessary documents — once. The government issues you a digital credential: a signed, tamper-evident statement that says "this person is who they say they are, their date of birth is verified, and their address is current." This credential is stored in an app on your phone — your digital wallet.

Whenever you need to prove something — your age, your address, your right to work — you open the wallet. The requesting service asks a specific question: "are you over 18?" Your wallet answers it, sharing only the fact that you are over 18, without revealing your exact date of birth or anything else. The service gets what it needs. You share nothing more.

The credential lives on your device. No central database holds a copy. If you change address, you get a new credential. Old copies cannot be used. The service verifying your credential does not learn who else has verified you.

This is not a fantasy. It is what the standards in this book make possible. The chapters that follow explain exactly how it works.
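
One way the exchange pictured above can work is with salted hashes and a signature: the issuer signs only a salted digest of each claim, the wallet reveals a single claim together with its salt, and the verifier checks it against the signed digests. This is an added example, not code from this book or from the standards it covers; the claim names, sample values and the names Disclosure, Issue and Verify are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one claim plus its random salt; it stays in the holder's wallet.
type Disclosure struct{ Salt, Name, Value string }

// Digest commits to the claim; the salt stops a verifier guessing hidden values.
func (d Disclosure) Digest() string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s.%q.%q", d.Salt, d.Name, d.Value)))
	return hex.EncodeToString(h[:])
}

// Issue signs only the sorted digests and returns them, the signature and the wallet.
func Issue(priv ed25519.PrivateKey, claims map[string]string) ([]string, []byte, map[string]Disclosure) {
	wallet, digests := map[string]Disclosure{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		wallet[name] = Disclosure{hex.EncodeToString(salt), name, value}
		digests = append(digests, wallet[name].Digest())
	}
	sort.Strings(digests) // sorted order also hides which digest belongs to which claim
	return digests, ed25519.Sign(priv, []byte(strings.Join(digests, ","))), wallet
}

// Verify checks the issuer's signature, then that the one disclosed claim is among the signed digests.
func Verify(pub ed25519.PublicKey, digests []string, sig []byte, d Disclosure) bool {
	if !ed25519.Verify(pub, []byte(strings.Join(digests, ",")), sig) {
		return false
	}
	i := sort.SearchStrings(digests, d.Digest())
	return i < len(digests) && digests[i] == d.Digest()
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	digests, sig, wallet := Issue(priv, map[string]string{ // constructed sample claims
		"name": "Alex Example", "birth_date": "1990-04-12", "age_over_18": "true"})
	fmt.Println("age_over_18 accepted:", Verify(pub, digests, sig, wallet["age_over_18"]))
}
```

The verifier receives the digests, the signature and one disclosure, so the name and date of birth never leave the wallet. Every verifier sees the same digests and signature, so this sketch on its own does not stop two services from correlating their records of the same credential.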


Summary

The digital identity problem has three roots: data is stored by others instead of by you, too much is revealed when you prove identity, and no system interoperates with any other. These are not bugs in individual systems — they are structural features of how identity has been built on the internet for the past 30 years.

Problem              | Root cause                 | Consequence
Data held by others  | Centralised databases      | Breaches, no user control
Over-sharing of data | All-or-nothing credentials | Privacy violations, GDPR risk
Siloed verification  | No interoperability        | Repeated KYC, exclusion

Self-sovereign identity is the response to all three problems. The next chapter explains what it means.


Next: Chapter 2 — What is Self-Sovereign Identity?