Ask what a wronged counterparty actually wants from a dispute and the answer is almost never a name. It is money: the refund, the damages, the chargeback. Yet the standard design reflex in agent identity is to demand the operator’s identity up front, just in case — as if knowing who to sue were the remedy, rather than the most expensive possible first step toward one. Most disputes want money back, not a name. A dispute system that takes this seriously orders its remedies accordingly: money first, identity last — and both sides end up better protected.
The “just in case” reflex — and what it costs
Collecting identity before every interaction feels prudent and performs badly. The verifier that stores passports behind every agent becomes a PII honeypot — a single breach away from leaking the identities of everyone who ever transacted, including the overwhelming majority who did nothing wrong. Honest operators pay a privacy tax on every interaction to insure counterparties against the rare dishonest one. And when something does go wrong, the victim holds a name and still no money: identity is not recourse, it is the raw material for the slowest and costliest form of it.
There is a second, sharper problem. On a consented disclosure rail you cannot build recourse at all, because you cannot ask the subject — a defrauder would always refuse. Recourse has to come from somewhere consent cannot reach: funds locked in advance, stakes that can be slashed, and a due process the subject cannot veto. That is why MintID splits disclosure into two rails that never touch — a commercial rail where refusal is free and safe, and a dispute rail that runs on escrow, bonds and process. This article is about the second.
L0 — paid in full, zero identity
Before a MintID agent transacts at any level that could create liability, its human principal locks funds in a self-custodied stablecoin escrow — the principal’s own money, in the principal’s own custody, committed under smart-contract lock. When a dispute arises and the claim is substantiated, the remedy is paid from that lock. No identity moves. No council convenes. The counterparty is made whole, the principal’s privacy is intact, and the dispute is simply over.
This is the level the whole architecture is built to maximise. The success metric that will matter, once the network runs, is exactly this: the percentage of disputes closed at L0 with zero identity disclosed. Every dispute that ends here is one where accountability worked and surveillance never started.
Contested claims — the graduated ladder
Not every claim is honest, and not every respondent agrees. Contested disputes climb a graduated ladder, and the ladder’s economics do most of the work:
- Optimistic timeout. The cheapest rung: if the respondent does not contest within the window, the claim settles from escrow. Most clear-cut cases should never cost more than this.
- Anonymous arbitration. A contested claim goes to a registered, paid arbiter market — arbiters are bonded, selected by stake-weighted sortition, and decide on evidence, with both parties still pseudonymous. Frivolous claims are deterred by slashable dispute bonds: staking a bad-faith claim costs real money.
- Judicial escalation. The final rung, for the small residue of cases that genuinely belong in front of a court.
Two rules give the ladder its shape. The accumulated cost of every rung is borne by the eventual loser — so escalating a weak position gets more expensive with every step. And capitulation is possible at every rung: a party who sees the evidence going against them can settle cheaply at any point rather than ride the ladder up. The rational move for a caught defrauder is to pay early — which is precisely the point.
the cascade · money first, identity last
fig. 1 — each level exists so the one above it is rarely needed
L1 — the minimal fraud signal
When the escrow lock does not cover the substantiated harm, the dispute escalates — not to a name, but to a minimal verified fraud signal. It is a structured, issuer-verified claim about the counterparty, on the order of: “a real, KYC-verified human; assurance grade A2; EU jurisdiction; two previously substantiated disputes.”
Read what it contains — and what it does not. It proves the wronged party is facing a real, reachable, liable person rather than a ghost, and it carries the risk context needed to decide whether pursuing the remainder is worth it. It contains no name, no document number, no address, no contact detail, and no identifier that could be used to track the person elsewhere. It is exactly the information a litigation decision needs, and nothing a surveillance system could feed on.
L2 — unmasking under due process, never for sale
Full identification is the last resort, and it is deliberately hard to reach. Three independent parties stand between a claimant and a name: an arbiter decides that the case genuinely warrants judicial process; the issuer releases the link — the agent-to-human mapping exists exactly once, in the issuer’s private records, nowhere on-chain; and the council supervises that the process was followed. Each is a check on the others.
Three negatives complete the design. Unmasking is never buyable — no payment, bond or bid is ever a lawful basis for revealing who someone is. It is never originated by the council — governance supervises the process; it cannot start one. And it is never vetoable by the subject — this is the one place consent does not apply, which is exactly why it is fenced behind due process rather than behind a price.
An honest note on the cryptography
Underneath the ladder sits one piece of genuinely new cryptography: a zero-knowledge proof-of-harm circuit, which lets a claimant substantiate that harm occurred without exposing the underlying transaction to the world. New cryptography is a liability until proven otherwise, and MintID treats it as one: the circuit is launch-blocking — it ships only after independent audit, and the network does not launch without it. We would rather say that plainly than pretend the design uses only mature parts.
The recourse itself is deliberately boring by comparison: the principal’s own locked stablecoins. The design is self-insured — recourse is the escrow the principal committed, not a promise by a third party.
Why this protects both sides
For the wronged party, money-first is simply faster: an escrow payout beats a lawsuit by months, and the ladder prices honesty into every rung. For the accused — and most accused parties are innocent — it means a dispute is not an exposure event: contesting a claim does not cost you your identity. And for everyone else on the network, it means no honeypot of stored identities exists to breach, because identity was never collected in the first place. Money before identity: most disputes want money back, not a name. The rest is due process — and due process, not payment, is the only door to a name.