Blog · disputes

Money before identity: how disputes settle without ever learning who

Most disputes want money back, not a name. How a dispute rail built on self-custodied escrow, anonymous arbitration and due process settles claims without unmasking anyone — and why that protects both sides.

Ask what a wronged counterparty actually wants from a dispute and the answer is almost never a name. It is money: the refund, the damages, the chargeback. Yet the standard design reflex in agent identity is to demand the operator’s identity up front, just in case — as if knowing who to sue were the remedy, rather than the most expensive possible first step toward one. Most disputes want money back, not a name. A dispute system that takes this seriously orders its remedies accordingly: money first, identity last — and both sides end up better protected.

The “just in case” reflex — and what it costs

Collecting identity before every interaction feels prudent and performs badly. The verifier that stores passports behind every agent becomes a PII honeypot — a single breach away from leaking the identities of everyone who ever transacted, including the overwhelming majority who did nothing wrong. Honest operators pay a privacy tax on every interaction to insure counterparties against the rare dishonest one. And when something does go wrong, the victim holds a name and still no money: identity is not recourse, it is the raw material for the slowest and costliest form of it.

There is a second, sharper problem. On a consented disclosure rail you cannot build recourse at all, because you cannot ask the subject — a defrauder would always refuse. Recourse has to come from somewhere consent cannot reach: funds locked in advance, stakes that can be slashed, and a due process the subject cannot veto. That is why MintID splits disclosure into two rails that never touch — a commercial rail where refusal is free and safe, and a dispute rail that runs on escrow, bonds and process. This article is about the second.

L0 — paid in full, zero identity

Before a MintID agent transacts at any level that could create liability, its human principal locks funds in a self-custodied stablecoin escrow — the principal’s own money, in the principal’s own custody, committed under smart-contract lock. When a dispute arises and the claim is substantiated, the remedy is paid from that lock. No identity moves. No council convenes. The counterparty is made whole, the principal’s privacy is intact, and the dispute is simply over.

This is the level the whole architecture is built to maximise. The success metric that will matter, once the network runs, is exactly this: the percentage of disputes closed at L0 with zero identity disclosed. Every dispute that ends here is one where accountability worked and surveillance never started.

Contested claims — the graduated ladder

Not every claim is honest, and not every respondent agrees. Contested disputes climb a graduated ladder, and the ladder’s economics do most of the work:

  • Optimistic timeout. The cheapest rung: if the respondent does not contest within the window, the claim settles from escrow. Most clear-cut cases should never cost more than this.
  • Anonymous arbitration. A contested claim goes to a registered, paid arbiter market — arbiters are bonded, selected by stake-weighted sortition, and decide on evidence, with both parties still pseudonymous. Frivolous claims are deterred by slashable dispute bonds: staking a bad-faith claim costs real money.
  • Judicial escalation. The final rung, for the small residue of cases that genuinely belong in front of a court.

Two rules give the ladder its shape. The accumulated cost of every rung is borne by the eventual loser — so escalating a weak position gets more expensive with every step. And capitulation is possible at every rung: a party who sees the evidence going against them can settle cheaply at any point rather than ride the ladder up. The rational move for a caught defrauder is to pay early — which is precisely the point.

fig. 1 — each level exists so the one above it is rarely needed

L1 — the minimal fraud signal

When the escrow lock does not cover the substantiated harm, the dispute escalates — not to a name, but to a minimal verified fraud signal. It is a structured, issuer-verified claim about the counterparty, on the order of: “a real, KYC-verified human; assurance grade A2; EU jurisdiction; two previously substantiated disputes.”

Read what it contains — and what it does not. It proves the wronged party is facing a real, reachable, liable person rather than a ghost, and it carries the risk context needed to decide whether pursuing the remainder is worth it. It contains no name, no document number, no address, no contact detail, and no identifier that could be used to track the person elsewhere. It is exactly the information a litigation decision needs, and nothing a surveillance system could feed on.

L2 — unmasking under due process, never for sale

Full identification is the last resort, and it is deliberately hard to reach. Three independent parties stand between a claimant and a name: an arbiter decides that the case genuinely warrants judicial process; the issuer releases the link — the agent-to-human mapping exists exactly once, in the issuer’s private records, nowhere on-chain; and the council supervises that the process was followed. Each is a check on the others.

Three negatives complete the design. Unmasking is never buyable — no payment, bond or bid is ever a lawful basis for revealing who someone is. It is never originated by the council — governance supervises the process; it cannot start one. And it is never vetoable by the subject — this is the one place consent does not apply, which is exactly why it is fenced behind due process rather than behind a price.

An honest note on the cryptography

Underneath the ladder sits one piece of genuinely new cryptography: a zero-knowledge proof-of-harm circuit, which lets a claimant substantiate that harm occurred without exposing the underlying transaction to the world. New cryptography is a liability until proven otherwise, and MintID treats it as one: the circuit is launch-blocking — it ships only after independent audit, and the network does not launch without it. We would rather say that plainly than pretend the design uses only mature parts.

The recourse itself is deliberately boring by comparison: the principal’s own locked stablecoins. The design is self-insured — recourse is the escrow the principal committed, not a promise by a third party.

Why this protects both sides

For the wronged party, money-first is simply faster: an escrow payout beats a lawsuit by months, and the ladder prices honesty into every rung. For the accused — and most accused parties are innocent — it means a dispute is not an exposure event: contesting a claim does not cost you your identity. And for everyone else on the network, it means no honeypot of stored identities exists to breach, because identity was never collected in the first place. Money before identity: most disputes want money back, not a name. The rest is due process — and due process, not payment, is the only door to a name.

Money before identity — quick answers

Why not just require the operator’s identity up front?
Because it protects less than it appears to. Up-front identity turns every counterparty into a PII honeypot, deters honest operators, and still does not pay anyone back — knowing who wronged you and being made whole are different things. Ordering the remedies money-first means most disputes end with the victim paid and nobody’s identity exposed.
What stops a defrauder from simply refusing to be identified?
The dispute rail never asks the subject. Consent belongs to the commercial rail, where refusal is free and safe. In a dispute, recourse comes from the escrow the agent locked before transacting, from slashable bonds, and — at the top of the ladder — from an arbiter-certified unmasking the subject cannot veto and no one can buy.
What exactly does the minimal fraud signal (L1) reveal?
A verified, structured claim about the counterparty — for example: a real, KYC-verified human of a given assurance grade, in a given jurisdiction class, with a count of previously substantiated disputes. It contains no name, no document, no contact detail, no persistent identifier. It exists so a wronged party can decide whether escalating is worth it.
Who can actually unmask an agent’s human?
Three parties in sequence, none of them alone: an independent arbiter certifies that a court case is warranted, the issuer — the only holder of the agent-to-human link — releases it, and the council supervises the process. It is never triggered by payment, never originated by the council, and never subject to the subject’s veto.

Keep reading: Identification, not surveillance — the commercial rail this dispute rail never touches — or start from the agentic identity problem.

The cascade, in the protocol

The agent KYC page walks the full accountability cascade and the consent firewall between the two rails; the protocol page holds the requirements behind them.