Blog · privacy

Identification, not surveillance

Identifying an agent once, paid and consented, is categorically different from holding a handle that tracks its human forever. How pay-per-disclosure, pseudonym churn and on-chain receipts make surveillance structurally impossible.

There is a category difference hiding inside the word “identity”, and most of the industry’s architecture quietly erases it. Identifying is answering a question about one agent, at one moment, with a price attached and consent given. Surveilling is holding a handle that keeps answering — recognising the same person tomorrow, re-contacting them next quarter, correlating them across every context the handle reaches. A system can sell the first and deliver the second without anyone deciding to build a surveillance product: all it takes is a credential that can be reused. MintID’s position is one line long — identification, not surveillance — and the interesting part is how it is enforced structurally, not promised contractually.

The reusable token: buy once, track until it dies

Consider the default pattern for verified identity on the agentic web: the operator is verified once, receives a reusable identity token, and the token travels with the agent from counterparty to counterparty. It sounds efficient — and it is, in the same way a tracking cookie is efficient. Whoever obtains the token’s identifier once — legitimately, by purchase, or in a breach — holds a durable key to the person behind it. Every counterparty that saw the token can compare notes. Every log it appears in becomes joinable with every other. The verification was bought once; the tracking works until the token dies, which is usually never, because continuity is the product being sold.

Notice that no one had to act in bad faith. The surveillance is not a policy failure; it is a property of the artefact. A reusable identifier is a tracking surface, whatever the terms of service say. If you want identification without surveillance, the artefact itself has to change.

Pay-per-disclosure: identification as an event

MintID’s commercial rail replaces the durable handle with a priced event. A relying party that wants to know something about the human behind an agent does not read it off a token — it makes an offer: a disclosure bid, paid to the principal, the person whose privacy is actually at stake. The principal’s policy — or, for anything sensitive, a live prompt to the human — resolves the offer. Refusal is free, safe, and the default; a refused counterparty gets nothing, and the basic service must remain accessible without revealing anything, so the offer can never quietly become a toll gate.

When the answer is yes, the release is graduated and minimal: a pairwise pseudonym — a recognition key that works for this verifier only — or a single contact attribute, or, at the top and only ever with a live human decision, full identification. The exact field asked for, nothing adjacent. Each disclosure is an event with a price, a consent, and a receipt — not the opening of a feed.

The churn is the guarantee

Here is the design decision that makes the posture real. The pairwise pseudonym — the only recognisable thing a verifier ever holds — lives exactly as long as the credential that carries it, and credentials renew on a deliberate cadence. At renewal the pseudonym churns: the fresh credential carries a fresh key, with no protocol-level continuity to the old one.

Seen from a data-broker’s perspective, this looks like a defect: the asset expires. That is precisely backwards. The churn is the privacy guarantee working — it is what converts “we identified this customer once” from a perpetual tracking right into a bounded fact about the past. Even a fully paid, fully consented reveal identifies one agent at one moment. It confers no right to recognise, re-contact or track the principal afterwards. To know again later, pay again — and ask again. And because sibling agents of the same principal are unlinkable by construction, identifying one agent never fans out into identifying a fleet.

Subscriptions, recast

The immediate objection is commercial: real businesses need returning customers. They keep them — recast on three legitimate legs. Within the life of a credential, the pairwise pseudonym gives the verifier stable recognition of its own returning customer, invisible to every other verifier. Alongside it, the verifier keeps its own business records — orders, tickets, history — as it always has; nothing about this design touches a merchant’s own books. And at renewal, continuity is re-established the same way it was established: a consented, paid re-reveal against the new credential.

What disappears is only the illegitimate leg: continuity the customer never re-granted, carried silently inside the identity layer itself. A subscription survives; a dossier does not.

Receipts: auditability without content

A disclosure system that leaves no trace invites quiet abuse; one that logs content becomes the honeypot it was meant to prevent. MintID’s answer is the on-chain disclosure receipt: every disclosure, on either rail, writes a receipt recording the rail, the tier and the verifier — never the content, never the person. Anyone can audit the shape of the system: how many disclosures, on which rail, at which tiers, to which verifiers. No one can read a single fact about a single human out of it. The receipts make the privacy claims checkable — including the claim that no disclosure ever happens off the books — without themselves becoming a place identities live.

The posture, in one paragraph

Identification is per-agent and paid per use. Consent is the only lawful basis on the commercial rail, and payment is never a lawful basis for anything. Pseudonyms are pairwise, live only as long as the credential, and churn on renewal by design. Siblings are unlinkable; renewals are unlinkable; receipts record events, not content. A verifier can buy an answer; nobody can buy a handle. Identification, not surveillance — enforced by what the artefacts are, not by what the policies promise.

Identification, not surveillance — quick answers

What is the difference between identification and surveillance?
Identification answers a question about one agent at one moment — priced, consented, receipted — and confers nothing afterwards. Surveillance is holding a durable handle that keeps answering: recognising, re-contacting and correlating the person across contexts and time. Most identity systems sell the first and quietly deliver the second; the difference is whether the credential can be reused as a tracking key.
Why do pseudonyms change at credential renewal?
By design. The pairwise pseudonym lives exactly as long as the credential, and renewal mints a fresh one with no continuity to its predecessor. That churn is the privacy guarantee working: it converts every identification from a perpetual asset into a bounded event. A verifier who wants to know the same fact after renewal asks — and pays — again.
How can subscriptions work without tracking?
Recognition works for the life of the credential: within it, a returning customer is recognisable to that one verifier through their pairwise pseudonym. The verifier keeps its own business records, as it always did. At renewal, continuity is re-established by a fresh, consented, paid re-reveal — not inherited through the protocol. Continuity of service, without a permanent handle.
What do the on-chain disclosure receipts record?
The rail (commercial or dispute), the tier of what was disclosed, and the verifier — never the content, and never the person. Receipts make the disclosure system auditable — anyone can verify how often each rail is used and that no disclosure happened off the books — without the receipts themselves becoming a tracking surface.

Keep reading: Money before identity — the dispute rail, where consent cannot apply — or the agentic identity problem for why the binary framing fails.

The privacy architecture behind the posture

The technology page shows how zero-knowledge presentations, pairwise pseudonyms and disclosure receipts fit together — and the agent KYC page covers the consent firewall between the two rails.