“This infrastructure is inherently dual-use: it can be architected to empower individuals with control over their data, but it can just as easily be configured to enable unprecedented levels of state and corporate surveillance, social management, and economic control.”
— Comprehensive analysis of Digital ID legislation and technical specifications across 23 countries
The Invisible Infrastructure
Fifty-three percent of humanity is now enrolled in some form of national Digital Identity system. That’s 4.3 billion people whose biometric data (fingerprints, facial scans, iris patterns) sits in government databases, linked to a unique identifier that increasingly determines access to banking, employment, healthcare, and the internet itself.
This isn’t a distant threat. It’s already here. And it’s accelerating.
Between 2024 and 2026, a wave of legislation across 23 countries is transforming digital identity from an optional convenience into mandatory infrastructure. The European Union mandated that all 27 member states must provide citizens with a Digital Identity Wallet by November 2026. Mexico passed laws in July 2025 making a biometric national ID compulsory for accessing healthcare, education, and banking. China launched its national cyber ID system in July 2025, positioning the Ministry of Public Security as the central gatekeeper for all online activity. Vietnam made its VNeID platform effectively mandatory for all businesses. Laos began issuing biometric ID cards in October 2025 with technical support from Vietnam’s security apparatus.
This is a global investigation into the architecture being built beneath our feet. Over six parts, we’ll examine the technical systems, the convergence with Central Bank Digital Currencies, the infrastructure for social scoring, the surveillance implications, the exclusion it creates, and the few places where resistance has worked.
Part 1 starts with the fundamental split: two competing models for digital identity, each with radically different implications for freedom.
A Tale of Two Architectures
The global Digital ID landscape is bifurcating into two distinct models, each representing a different philosophy about the relationship between citizen and state.
The Framework & Wallet Model: User Control as Marketing
The first model, dominant in Western democracies, is the “Framework and Wallet” approach. Governments create a regulatory “trust framework” (a set of rules and security standards) and then certify public and private organizations to act as identity service providers. Citizens interact with the system through a smartphone “digital wallet” app that stores verified credentials.
The pitch: You control your data. You choose what to share. It’s voluntary, decentralized, privacy-preserving.
The reality: The “voluntary” label is a temporary marketing strategy designed to overcome public resistance to national ID systems.
The European Union: EUDI Wallet
The EU’s approach is codified in Regulation (EU) 2024/1183, which entered force in May 2024. Every member state must provide citizens with a European Digital Identity Wallet (EUDI Wallet) by November 2026.
The wallet is designed to link your national identity with other personal attributes: driving license, university diplomas, professional qualifications, payment information. The system employs “selective disclosure” (proving you’re over 18 without revealing your date of birth) and requires wallet software to be open source for transparency.
Here’s the erosion of “voluntary”: While the EU insists the wallet is optional, the regulation obligates certain private sector entities (particularly banks legally required to perform strong customer identification) to accept the EUDI Wallet for authentication. This creates network effects. The more services that accept it, the higher the cost of non-participation.
The United Kingdom: The “BritCard”
The UK government finalized its Digital Identity and Attributes Trust Framework (DIATF) in June 2025. Rather than a single government ID, it certifies private organizations to provide identity services, creating a competitive marketplace of certified identity providers.
The framework emphasizes security: fraud prevention against synthetic identities, adherence to ISO 27001, rigorous penetration testing of all infrastructure.
But here’s the mandate hidden in the voluntary system: The UK government plans to make its digital ID (dubbed the “BritCard” by critics) mandatory for all “Right to Work” checks by the end of parliament. This single requirement effectively forces the entire working population, including all legal residents, to obtain the Digital ID to secure or maintain employment.
A parliamentary petition against the BritCard gathered over 1.6 million signatures. Critics argue it represents “a short step from authoritarianism and state control.”
Australia: Expanding the Accreditation Scheme
Australia’s Digital ID Act 2024 commenced in November 2024, creating a voluntary, federated framework built around government accreditation. The Act includes stronger privacy safeguards than the existing Privacy Act: prohibitions on single identifiers across the system, bans on marketing use of data, and restrictions on biometric collection.
State and territory governments could join from November 2024, with private sector expansion by late 2026. A new “Trust Exchange (TEx)” initiative will facilitate credential verification across this expanding ecosystem.
The safeguards are real. But so are the exceptions. The Act permits disclosure of personal and biometric information to law enforcement when authorized by warrant. While judicial oversight is critical, the system creates a centralized access point for state authorities that didn’t exist before.
Canada: Pan-Canadian Trust Framework
Canada’s approach is guided by the Pan-Canadian Trust Framework (PCTF), formalized in August 2025 with the approval of national standard CAN/DGSI 103-0:2025. This provides technical “building blocks” for public and private organizations to create trustworthy, interoperable digital ID programs aligned with international frameworks like the EU’s eIDAS.
The strategy is part of “Canada’s Digital Ambition 2024-25,” aiming to modernize government services with a focus on being “user-centric, trusted, and secure.”
Switzerland: The Referendum That Almost Worked
Switzerland’s case reveals the fragility of democratic resistance. In 2021, voters rejected a digital ID law by 64%, largely due to concerns over private company involvement in issuing identity credentials.
Parliament responded with a revised e-ID Act in December 2024, placing the system entirely under government control. The new version featured decentralized data storage and minimal data disclosure by design, incorporating privacy demands from the 2021 opposition.
A referendum on this revised, state-run model was held September 28, 2025. It passed by the narrowest margin: 50.4% in favor.
Even when citizens understand the risks and organize to resist, the state can iterate until it wins.
The Centralized State Model: Identity as Instrument of Governance
The second model is defined by a single, mandatory national identity database administered by the government—often by ministries of public security or interior. Biometric data is core. The unique identifier becomes the master key for all interactions with public and private services.
This model prioritizes state objectives: national security, crime prevention, administrative efficiency. User control and data minimization are not design principles.
China: The Ministry of Public Security as Internet Gatekeeper
China’s national cyber ID system officially took effect July 15, 2025, after a year-long pilot. Administered by the Ministry of Public Security (MPS), it establishes the government as the central intermediary for all online identity verification.
Citizens register with their official ID and biometric facial recognition to receive a unique “web number” or “web certificate.” When accessing online services, users present this government-issued credential instead of personal data. Private companies no longer hold raw identity information—they rely on the state for authentication.
The system integrated with 67 major platforms, including those from Tencent, Alibaba, and ByteDance. State media heavily promoted it. Authorities insist it’s “voluntary.”
Legal scholars whose dissenting opinions have been censored argue the true purpose is comprehensive tracking of all digital activity, creating an “internet kill switch” for individuals deemed problematic by the state. By revoking a person’s cyber ID, the government can “erase their entire online existence.”
“China’s Slow March Toward Cyber IDs represents infrastructure of digital totalitarianism. The system allows for comprehensive tracking of individuals’ digital activity.”
— China Media Project, June 2025
Mexico: The Biometric CURP and the “Spy Bill”
Legal reforms published July 16, 2025, transformed Mexico’s Unique Population Registry Code (CURP) into a mandatory, biometric national identification document. The new CURP incorporates photograph, fingerprints, and potentially iris scans, making it the single source of identity for all individuals.
Its use is now obligatory for accessing healthcare, education, social programs, and banking.
The data is managed through a “Unified Identity Platform (PUI)” accessible in real-time to prosecutors, search commissions, and the National Intelligence Centre for investigation of crimes or location of missing persons.
Digital rights organization R3D warned this creates a “massive surveillance ecosystem.” Opposition lawmakers dubbed it the “Spy Bill” because it grants authorities access to interconnected databases without requiring a court order and without any mechanism to notify citizens that their data has been accessed.
This is particularly alarming given Mexico’s documented history of deploying Pegasus spyware against journalists, human rights defenders, and political opponents.
Vietnam: VNeID and the Security State
Under Decree No. 69/2024/ND-CP, effective July 1, 2025, use of the VNeID (Vietnam Electronic Identification) platform is now effectively mandatory for all businesses to conduct administrative procedures like business registration, licensing, and taxation.
The platform is administered by the Ministry of Public Security’s National Population Data Center. To obtain a corporate account, a company’s legal representative must first obtain a Level-2 personal e-ID, requiring in-person registration at a police or immigration office to provide biometric data (fingerprints and photo).
This anchors all economic and civic activity to a centralized, state-controlled identity database managed by the security apparatus.
Vietnam routinely pressures technology companies to hand over user data, removes critical content, and imprisons activists and journalists for online speech. Internet freedom is severely restricted.
Laos: Vietnam Exports Its Model
The Lao government officially launched its digital citizen identification scheme July 30, 2025, with biometric ID card issuance beginning October 2025. The stated purpose: “improve citizen management affairs and national security” through a centralized citizen database.
The project is being implemented with significant support (funding and technical assistance) from the government of Vietnam and its Ministry of Public Security.
This represents technological and ideological transfer. Vietnam is exporting a specific model of governance where digital identity is primarily an instrument of state administration and security. The Laos-Vietnam partnership creates a regional sphere of influence for authoritarian digital governance.
India: Aadhaar and the Scale of De Facto Mandatory
India’s Aadhaar program, launched in 2009, is the world’s largest biometric identity system: over 1.3 billion enrolled residents. Administered by the Unique Identification Authority of India (UIDAI), it assigns a 12-digit number linked to fingerprints from all ten fingers, iris scans, and facial photographs.
Initially voluntary, Aadhaar became de facto mandatory through “function creep”: it’s now required to file taxes, open bank accounts, receive government subsidies, obtain SIM cards, and access numerous other services.
In 2018, India’s Supreme Court upheld the program’s constitutionality but imposed restrictions on private company use. Despite these safeguards, civil liberties groups cite multiple data breaches exposing millions of records, exclusion affecting India’s poorest who struggle with biometric authentication, and the creation of a comprehensive surveillance apparatus.
Aadhaar is a cautionary tale: a voluntary program designed for financial inclusion evolving into de facto mandatory infrastructure for state monitoring.
Nigeria: The SIM-NIN Blockade
Nigeria’s National Identification Number (NIN) system, administered by the National Identity Management Commission (NIMC), pursues an ambitious goal: enrolling 180 million citizens by December 2026, with World Bank support.
The system collects fingerprints and facial photographs. The NIN has become increasingly mandatory. In 2020, the government ordered telecommunications companies to block SIM cards not linked to a NIN, affecting millions of Nigerians and creating severe disruptions.
The rollout has been marked by long queues at enrollment centers, technical difficulties, and concerns about data security in a country with limited digital infrastructure and weak data protection laws.
The Voluntary Illusion: A Four-Stage Process
The erosion of “voluntary” follows a strategic pattern across Framework & Wallet systems:
Stage 1: Introduction as Optional Convenience
Acknowledging historical public resistance (particularly in countries like the UK with strong anti-ID traditions), governments introduce systems as optional tools to simplify online life.
Stage 2: Mandatory for High-Stakes Interactions
Create powerful incentives by making Digital ID mandatory for specific, critical functions. UK’s “Right to Work” checks for employment. This forces adoption without technically being “mandatory.”
Stage 3: Compel Private Sector Acceptance
Legislation requires critical sectors (banking, telecommunications) to accept the Digital ID for identity verification. This creates network effects where utility grows with each new accepting service, increasing the cost of non-participation.
Stage 4: Integration with CBDCs
The final and most compelling step (examined in Part 2): making Digital ID the gateway for accessing Central Bank Digital Currency. This makes the ID indispensable for basic economic participation.
“The ‘voluntary’ label is a temporary marketing strategy for an adoption phase, not a permanent feature of the system’s design. The architecture is built for ubiquity, with the goal of achieving de facto mandatory adoption over time.”
— Analysis from European digital rights organizations
Developmental States: Digital Leapfrogging or Digital Trap?
A third category includes developing nations pursuing Digital ID to “leapfrog” developmental stages, often with World Bank financial and technical support. The public narrative centers on financial inclusion, reducing corruption, and improving service delivery.
These systems are being implemented in environments with weak data protection laws, fragile democratic institutions, and histories of state overreach or ethnic conflict.
Ethiopia: Fayda ID Amid Civil War
The Fayda digital ID is the centerpiece of “Digital Ethiopia 2025,” backed by the World Bank. The National ID Program (NIDP) aims to enroll 90 million people by 2027 using biometrics: fingerprints, iris scans, facial images.
The stated goal is providing legal identity for millions, enabling access to banking, healthcare, and social safety nets.
The pilot was announced in 2021 amid a brutal civil war marked by widespread ethnic profiling of the Tigrayan minority.
Human rights groups raised grave concerns that a centralized biometric database could be weaponized to “embolden ethnic profiling through disproportionate arrests and surveillance,” transforming a tool of inclusion into an instrument of persecution.
“This represents a gateway to a brighter future for refugees and the unbanked—but vulnerable minority groups perceive it as a potential tool for hunting them down.”
— Context analysis, Thomson Reuters Foundation
Zambia: Learning from Ethiopia
Zambia is implementing its Integrated National Registration Information System (INRIS), aiming to provide digital identity to all citizens over 16. The initiative has $120 million from the World Bank for Digital Public Infrastructure, plus $30 million with UNHCR for biometric cards for refugees.
In October 2025, Zambia signed a Memorandum of Understanding to collaborate with and learn from Ethiopia’s Fayda program.
Independent reports on Zambia’s digital services landscape point to “weak data protection, opaque practices, and infrastructural limits” that undermine trust and effectiveness.
Papua New Guinea: From Service Delivery to Social Control in 72 Hours
On October 3, 2025, Papua New Guinea’s cabinet approved the National Digital Identity Policy 2025, establishing the “SevisPass” Digital ID and trust framework. The policy positions SevisPass as foundational Digital Public Infrastructure with open, interoperable architecture.
Stated goals: streamlining government services, reducing fraud, enabling financial services.
Almost immediately upon approval, the government announced its intention to require the SevisPass digital ID for all users aged 14 and over to access social media platforms.
This immediate pivot toward using ID to regulate online speech sparked fears of censorship and surveillance, demonstrating how quickly function creep transforms systems from service delivery to social control.
The Dilemma at the Heart of Digital Public Infrastructure
International bodies and development banks promote Digital ID as a pathway to financial inclusion and empowerment. But in countries with histories of human rights abuses or weak rule of law, the same infrastructure built for inclusion can become a tool for exclusion and state control.
The identity of the implementing state and the political context in which the technology is deployed are paramount factors often downplayed in technology-centric development narratives.
Ethiopia’s Fayda serves as stark warning: a system designed for refugees and the unbanked is perceived by vulnerable minorities as a tool for hunting them down.
Hybrid Approaches: When Civil Society Fights Back
Some jurisdictions represent hybrid approaches or systems in flux, shaped by domestic political factors and civil society engagement.
Taiwan: Civil Society Forces a Pivot
Taiwan’s journey is a powerful example of how civil society can act as a bulwark against state overreach.
The government’s plan to roll out a mandatory, chip-based eID card was announced in 2018 but postponed in 2021 after fierce opposition from human rights groups, legal experts, and cybersecurity professionals. Concerns centered on lack of data protection legal framework, risks of centralized database, and potential for government surveillance.
This successful legal and public pressure campaign forced a pivot. The new approach is the “Taiwan Digital Identity Wallet (TW DIW),” expected by end of 2025. This mobile-first solution aligns with international decentralized identity standards (DID and Verifiable Credentials), prioritizing user control and selective disclosure.
This citizen-centric wallet is distinct from the mandatory Taiwan Digital Arrival Card (TDAC), implemented October 1, 2025, for all foreign nationals—a conventional centralized system for border control and tracking.
What’s Being Built
Whether Framework & Wallet or Centralized State, these systems share common architectural components:
Universal Digital Identifier: A unique key linking an individual across all interactions
Biometric Foundation: Fingerprints, facial scans, iris patterns anchoring identity to physical person
Interoperable Data Exchange: Platforms enabling verification across previously disconnected domains
Integration with Essential Services: Banking, employment, healthcare, internet access
These components create the technical foundation for unprecedented data aggregation and analysis. Every time a digital ID verifies an attribute—accessing healthcare, boarding a flight, opening an account, entering a building—a transaction log is created.
Over time, the accumulation of these logs across previously disconnected domains allows construction of a comprehensive, cradle-to-grave digital dossier on every individual.
The very interoperability that provides convenience creates the infrastructure for mass monitoring—long before any such policy is formally announced.
What Comes Next
53% of humanity is now enrolled. The infrastructure is already in place for the majority of the world’s population.
In Part 2, we examine the most powerful driver for adoption: the convergence of Digital ID with Central Bank Digital Currencies. We’ll show why Digital ID is the missing piece required for mass rollout of retail CBDCs, and how this symbiotic relationship transforms “voluntary” systems into economic necessities.
The choice of whether to participate in Digital ID is rapidly becoming a choice about whether to participate in the economy at all.
References
Regulation (EU) 2024/1183 amending Regulation (EU) No 910/2014 on electronic identification and trust services (eIDAS 2.0), European Union, entered into force May 20, 2024. Full implementation by member states required by November 2026. Available at: https://digital-strategy.ec.europa.eu/en/policies/eudi-regulation
“UK Digital Identity and Attributes Trust Framework (DIATF) gamma 0.4,” UK Government, finalized June 2025. Establishes rules and standards for certified identity service providers in the United Kingdom. Available at: https://www.gov.uk/government/collections/uk-digital-identity-and-attributes-trust-framework
Digital ID Act 2024 (Commonwealth of Australia), commenced November 30, 2024. Establishes legal framework for Australia’s federated digital identity system and privacy protections. Available at: https://www.digitalidsystem.gov.au/what-is-digital-id/digital-id-act-2024
CAN/DGSI 103-0:2025, “Digital Trust and Identity – Part 0: Techniques – Code of Practice,” Standards Council of Canada, approved August 2025. National standard providing technical building blocks for interoperable digital identity in Canada.
“China’s Slow March Toward Cyber IDs,” China Media Project analysis by David Bandurski, published June 4, 2025. Examines the rollout of China’s national cyber ID system and its implications for online surveillance. Available at: https://chinamediaproject.org/2025/06/04/chinas-slow-march-toward-cyber-ids/
Decree No. 69/2024/ND-CP on Electronic Identification Accounts and Authentication for Agencies, Organizations, and Enterprises, Government of Vietnam, effective July 1, 2025. Makes VNeID platform effectively mandatory for business registration and licensing.
“What should companies know about Mexico’s digital identity reforms?”, Hogan Lovells legal analysis, published July 2025. Examines the implications of Mexico’s biometric CURP reforms and the Unified Identity Platform (PUI). Available at: https://www.hoganlovells.com/en/publications/what-should-companies-know-about-mexicos-digital-identity-reforms
“Ethiopia digital ID prompts fears of ethnic profiling,” Thomson Reuters Foundation Context reporting, 2024. Documents human rights concerns about Ethiopia’s Fayda ID program deployment during ethnic conflict. Available at: https://www.context.news/surveillance/ethiopia-digital-id-prompts-fears-of-ethnic-profiling
World Bank Identification for Development (ID4D) Program documentation, 2024-2025. Includes funding commitments for Digital ID infrastructure in Ethiopia (120M for DPI, $30M for refugee IDs), and other developing nations.
“National Digital Identity Policy 2025 (SevisPass),” Government of Papua New Guinea, approved by cabinet October 3, 2025. Establishes framework for national digital ID and government data exchange platform (SevisDEx).
This is Part 1 of a 6-part investigation into the global Digital Identity infrastructure.
