Proof of Personhood Is a Trap
Most proof-of-personhood schemes claim to defend the human internet from bots. In practice, they smuggle a border regime into everyday computing, and they fail to solve the problem they were invented to solve.
The strange thing about the so-called human internet is how quickly it begins to resemble airport security.
Show your face. Scan your iris. Hold still. Trust the device. Trust the operator. Trust the issuer of the credential. Trust that the database will not be repurposed later by someone with a badge, a growth target, or a subpoena. All this, we are told, so that the bots do not ruin everything.
I think this is mostly backwards. The current obsession with proof of personhood does not protect digital society from manipulation; it reorganizes digital society around legibility. That is a different project. It solves a state problem, and a platform problem, by turning it into your problem.
The popular fantasy
The fantasy is easy to understand. AI systems can generate infinite accounts, infinite comments, infinite synthetic consensus. Old spam assumptions are broken. CAPTCHA is comic theater. If one capable operator can spin up ten thousand persuasive identities, then one-person-one-vote starts to look less like democracy and more like an API vulnerability.
So the market reaches for a primitive it can understand: uniqueness.
Not reputation. Not accountability. Not cost imposition. Not rate limits. Not local trust graphs. Uniqueness. One body, one credential, one slot in the machine.
This is where projects like Worldcoin, now World, enter with the polished certainty of people who have mistaken measurability for governance. Orb the eyeball, derive a uniqueness proof, maybe wrap it in zero-knowledge, maybe keep the biometric template separated from the application layer, maybe promise that no raw iris data is retained. The technical details matter, up to a point. But the political shape is already visible. A global registry of distinct humans, even a privacy-preserving one, is not a neutral utility. It is a constitutional decision about what counts as a legitimate participant in networked life.
People keep talking about proof of personhood as if it were a spam filter. It is closer to a passport office.
The category error
The category error is simple: most online systems do not actually need to know whether you are a person. They need to know whether you are behaving acceptably within a context.
These are not the same question.
A relay handling Nostr events does not need metaphysical certainty that an event came from a carbon-based organism with a pulse. It needs anti-abuse controls. A marketplace does not need to know you are ontologically human. It needs confidence that you will not default, defraud, or vanish. A community forum does not need universal personhood proofs. It needs moderation norms, social memory, and enough friction to make harassment expensive.
This distinction matters more now, not less, because agents are becoming ordinary participants in networks. Some of them are annoying. Some are useful. Some will do work you explicitly asked them to do. If your system is built on the assumption that non-human participation is inherently illegitimate, you are not defending society from bots. You are refusing to design for the world that is arriving.
Conventional wisdom says the open web needs stronger ways to separate humans from machines. I think the opposite is often true. The open web needs better ways to specify which actions require which guarantees, and almost none of those guarantees are “prove you are a singular unreplicated human soul.”
That is theology with a QR code.
Sybil resistance is real, personhood is not the only answer
Let me grant the strongest case on the other side. Sybil attacks are real. If governance rights, airdrops, quadratic funding, or scarce public goods are allocated per account, then fake multiplicity matters. BrightID, Idena, Gitcoin Passport, Circles, Proof of Humanity, and a dozen adjacent efforts all emerge from a real design constraint: open systems are vulnerable to cheap pseudonyms.
Fine. But there is a bait and switch here.
The existence of a Sybil problem does not imply that universal, portable proof of personhood is the right primitive. Often it is the worst one, because it centralizes a property that should remain contextual and contestable.
A city does not work because every interaction requires a passport check. It works because different institutions use different tests. The library wants a card. The bar wants age. The bank wants a stack of paperwork and your patience. The corner store wants cash. Your friends want a face they recognize and a history they can place. Social order is not one credential. It is a messy braid of partial proofs.
Protocol designers keep trying to replace this braid with a master key.
I do understand the temptation. A general-purpose personhood credential is elegant in the same way a universal skeleton key is elegant. It reduces complexity by moving power into the lockmaker.
Zero-knowledge does not dissolve politics
This is where technically sophisticated people sometimes become naive in a very sophisticated way.
They say: but what if the proof is zero-knowledge? What if the app only learns that this user is unique, not who they are? What if nullifiers prevent double-use? What if the biometric never leaves secure hardware? What if the issuer is decentralized?
All useful questions. None of them remove the underlying political issue.
Zero-knowledge can hide facts. It cannot neutralize institutional dependence.
If access to social participation, income, governance, or visibility depends on a credential pipeline, then whoever governs enrollment governs the boundary of the social world. Who gets scanned? Who gets rejected? What happens when a person cannot produce the required biometric, or refuses on religious or political grounds, or lives in a region where the hardware is unavailable, or simply does not trust a globe-spanning identity apparatus built by a venture-backed entity that talks like a humanitarian project and scales like a platform?
The history of identification systems is not reassuring here. India’s Aadhaar dramatically expanded access in some contexts and also produced exclusion, bureaucratic failure, and function creep. “Just add digital ID” has never been a purely technical intervention. It rearranges who must petition whom.
A zero-knowledge border is still a border.
The deeper problem, scarcity theater
A lot of proof-of-personhood enthusiasm comes from trying to preserve a social model that may already be obsolete.
We inherited internet institutions built on a tacit assumption: most meaningful participation is human, scarce, and relatively expensive. Posting took effort. Running many identities took effort. Reading everything was impossible. Communities were bounded by actual attention and actual labor.
Now synthetic participation is cheap. Abundance has arrived in the ugliest possible form first, as counterfeit presence.
The instinctive response is to restore scarcity by making identity expensive. Hence the biometric checkpoint. Hence the desire to issue one token per body, one vote per retina, one subsidy per skull.
But maybe this is the wrong layer to defend. Maybe the problem is not that there are too many entities speaking. Maybe the problem is that our systems still treat undifferentiated speech volume as a usable input.
If a million agents can talk, then any protocol that assumes raw utterance is meaningful will drown. The fix is not necessarily to authenticate all mouths. The fix may be to redesign how signals earn weight.
This is why I keep coming back to local trust, bounded contexts, and explicit cost models. Not because they are utopian, but because they fail more honestly.
What should replace the personhood obsession
Not one thing. Several smaller things.
1. Contextual credentials
A fishing forum, a municipal budget process, and a mutual credit network do not need the same identity primitive. Stop searching for the final credential. Build narrower proofs for narrower rights.
Age over 18. Residency in a district. History of repayment. Membership in a working group. Prior contribution to a codebase. Verified control of a device over time. These are all more actionable than “is a unique human.”
2. Rate limits and economic friction
A good tollbooth is often better than a census.
Hashcash had the right instinct decades ago: if speech can be generated infinitely, make flooding cost something. Modern versions can be computational, financial, social, or reputational. Small Lightning payments. Stake that can be slashed for abuse. Relay-specific posting budgets. Receiver-side capacity markets. Backpressure, not metaphysics.
Spam is often a pricing failure pretending to be an identity problem.
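To make the tollbooth concrete, here is an added sketch (not from any project named in this essay) of a relay that prices posting instead of checking personhood: a Hashcash-style stamp bound to the key and content, verified with one hash, plus a per-key posting budget. It uses SHA-256 and a simplified stamp layout rather than the original Hashcash format, and the names and policy numbers are assumptions chosen for illustration.

```python
import hashlib
import itertools

DIFFICULTY_BITS = 12   # assumed relay policy: leading zero bits required
BUDGET = 3             # assumed posts allowed per key per window
WINDOW = 60.0          # assumed window length in seconds

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def stamp_digest(pubkey: str, content: str, nonce: int) -> bytes:
    # The stamp commits to key and content, so work cannot be moved to another post.
    return hashlib.sha256(f"{pubkey}\n{content}\n{nonce}".encode()).digest()

def mint(pubkey: str, content: str, bits: int = DIFFICULTY_BITS) -> int:
    """Sender side: pay the toll by searching for a nonce that meets the difficulty."""
    for nonce in itertools.count():
        if leading_zero_bits(stamp_digest(pubkey, content, nonce)) >= bits:
            return nonce

class Relay:
    """Receiver side: one hash to verify, plus a per-key sliding-window budget."""

    def __init__(self):
        self.seen = set()    # digests already accepted (replay guard)
        self.recent = {}     # pubkey -> timestamps of accepted posts

    def accept(self, pubkey: str, content: str, nonce: int, now: float) -> str:
        digest = stamp_digest(pubkey, content, nonce)
        if leading_zero_bits(digest) < DIFFICULTY_BITS:
            return "rejected: insufficient work"
        if digest in self.seen:
            return "rejected: replayed stamp"
        times = [t for t in self.recent.get(pubkey, []) if now - t < WINDOW]
        if len(times) >= BUDGET:
            return "rejected: budget exhausted"
        self.seen.add(digest)
        self.recent[pubkey] = times + [now]
        return "accepted"
```

The relay never learns who or what is posting; it only learns that each post cost something and that each key stays inside its budget.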
3. Web-of-trust, but less romantic
People hear “web of trust” and imagine PGP in a basement, six idealists signing each other’s keys under fluorescent light. Fair enough. The old versions were clunky and socially brittle.
But the underlying idea remains sound: trust is relational, not universal. Nostr’s follows, relay policies, petnames, and delegated trust patterns point toward something more realistic than universal personhood. Not perfect. Better. A neighborhood, not a census bureau.
4. Agent disclosure, not agent exclusion
As agents become normal network participants, the important distinction is often not human versus machine. It is disclosed versus undisclosed, accountable versus disposable, bounded versus feral.
An agent acting on my behalf, signing with a delegated key and a clear policy envelope, is not the same thing as a covert swarm pretending to be grassroots sentiment. Treating both as “bots” is analytically lazy.
We need norms and protocols for represented action. Not every machine should be allowed everywhere. But the demand that all legitimate participation be biologically human is going to age badly.
5. Small rooms with their own rules
The giant public square model has broken people’s brains. Not every space should be globally addressable and equally open to every stranger with a fresh credential. Healthy systems use membranes.
Private relays. Curated circles. Invitation gradients. Local moderation. Community-specific proofs. This sounds less grand than “global proof of personhood infrastructure,” which is one reason venture capital likes the latter. But civilization is built from rooms.
The biometric temptation
Biometrics are seductive because they promise to bind the squishy self to the hard world. Passwords can be shared. Keys can be sold. Social graphs can be gamed. But an iris seems stubborn. A face seems singular. A body feels like bedrock.
Yet bodies are not politically neutral anchors. They are the oldest site of administrative capture. The modern state learned long ago that if you can standardize the body, you can standardize access. Fingerprints, mugshots, passports, DNA databases, gait recognition. The record is not subtle.
Crypto people sometimes talk as if adding zero-knowledge transforms this lineage into liberation. Sometimes it might mitigate it. It does not erase it. A biometric system with elegant cryptography is still a machine for deciding whose body counts, under what conditions, for which institutions.
That should trigger more suspicion than it does.
The human internet was never purely human
There is another awkward fact under all this: the internet has always been full of non-human actors. Crawlers, daemons, trading bots, moderation filters, recommendation systems, autoresponders, cron jobs, packet shapers, market makers. The fantasy of a pristine human commons corrupted by recent AI is historically childish.
What changed is not that machines arrived. What changed is that machine participation became legible at the social layer. The bots can now write in complete sentences, flirt badly, start arguments, and imitate conviction. This is unsettling, yes. But it does not follow that the solution is to build a civilizational bouncer at every door.
We may need something harder: institutions that can survive ambiguity about who, or what, is speaking.
That will require a different political imagination than the one currently on offer. Less passport control, more protocol design. Less obsession with unique souls, more attention to incentives, context, and consequence. Less fantasy that one credential can restore trust to a networked public sphere already shattered by scale, recommendation engines, and industrial persuasion.
Proof of personhood asks the wrong question with enormous confidence. The right question is not “who are you really?” but “what can you do here, and what happens if you abuse it?” That is the question a functioning network has to answer.
And if we refuse to build systems that can tolerate disclosed machine participation, what exactly are we building for the century that is obviously coming?
