civic-proof: a research site.

Argument Map

Why Identity Infrastructure Always Expands — and How to Prevent It

Structural Slippage Prevention — Argument Map (v2)

Once identity infrastructure is built, **it has a strong tendency toward expanded use in the absence of countervailing institutional pressure** (strong tendency, reversible). The weak necessary condition for expansion is the dual absence of legal restrictions and technical binding (corrected by the Austrian sourcePIN and German nPA counterexamples). Three mechanisms in aggregate produce the strong tendency: path dependency × infrastructure invisibility × institutional layering. All three are stated in probabilistic terms, not as logical necessity. MVSR (Minimum Viable Slippage Resistance) four-layer clauses written *before construction* into specifications and legal sources can significantly raise the marginal cost of expansion: sunset + scope-bound + split-key + opt-out by design complement each other across levels, with each tool's failure mode absorbed by another tool. EUDI ARF v1.4/1.5 and California AB1043 are two prima facie early evidence candidates, but both have been live for < 3 years, while path dependency's time constant is 5–10 years, so the current absence of slippage cannot be distinguished from "not yet slipped," and ongoing observation is required.

Structural slippage is real but not necessary; it is a strong tendency, reversible under reverse institutional pressure. The MVSR four-layered combination (sunset + scope-bound + split-key + opt-out) raises the marginal cost of expansion. EUDI ARF and AB1043 provide prima facie evidence pending 5–10 year stress test.

Formal Notation
Strong_Tendency_Theorem (STT):
  ∀ infra I :
    P(I expands | ¬legal_clause(I) ∧ ¬technical_binding(I) ∧ ¬reverse_pressure)
    ≈ 0.85 to 1.0     (empirical, 4 cases / 14–90 yrs)
    where
      legal_clause(I)      ::= sunset ∨ function_creep_prevention
      technical_binding(I) ::= scope_bound ∨ sectoral_derivation
      reverse_pressure     ∈ {constitutional_review, civic_movement,
                               cross_national_pressure, technical_affordance}

Weak_Necessary_Condition (WNC, corrected from intake):
  expansion(I) > threshold  ⇒  ¬legal_clause(I) ∧ ¬technical_binding(I)
  (counterexamples: Austria sourcePIN, German nPA — either one existing is sufficient to significantly slow expansion)

Three_Mechanism_Aggregate:
  P(expand | ¬clause ∧ ¬binding) =
      f( P_path_dependency, P_infra_invisibility, P_institutional_layering )
  where each P ∈ probability_language  ¬⊨  logical_necessity
  reverse_pressure ⇒ one of the three mechanisms is interrupted:
    constitutional_review  ⇒  ¬path_lock        (e.g., Volkszählungsurteil 1983)
    technical_affordance   ⇒  ¬invisibility      (e.g., Estonia X-Road audit log)
    civic_movement +       ⇒  ¬layering          (e.g., UK ID Card 2010 abolished)
    regime_change

MVSR_Layered_Defense:
  expansion(I) ≤ threshold  ⇔  Layer₁ ∧ Layer₂ ∧ Layer₃  ∧  (Layer₄ recommended)
  Layer₁: sunset_clauses           (legal layer, automatic_lapse > periodic_review)
  Layer₂: scope_bound              (cryptographic layer, SD-JWT VC + KB-JWT + audience claim)
  Layer₃: split_key                (governance + cryptographic, k-of-n threshold + cross-class shareholder)
  Layer₄: opt_out_by_design        (legal + UX + engineering three layers)
  failure_mode(Layer_i)  absorbed_by  Layer_j        (i ≠ j)

Time_Window:
  preset_clauses(I) viable        ⇔  pre_construction_phase(I)
  post_construction_clauses(I)    ⇒  political_cost(t) ↗ exponential

Prima_Facie_Evidence_Limit:
  ARF_v1.5, AB1043 ∈ candidate_evidence  ∧  uptime < 3yr
  path_dependency_constant ≈ 5–10yr
  ⇒  ¬distinguish( no_slippage, not_yet_slippage )

STT describes a strong tendency but not necessity; WNC corrects the weak necessary condition for expansion to dual absence of legal + technical; MVSR four-layer layered defense raises marginal cost through complementary absorption; Time Window emphasizes the pre-construction political opportunity window; Prima Facie limits EUDI ARF and AB1043 to candidate evidence rather than verified effectiveness.

I
Identity infrastructure (including Aadhaar, SSN, eIDAS, nPA, sourcePIN, ARF wallet, etc.)
legal_clause(I)
Legal-layer restriction clause (sunset clause or function-creep prevention clause)
technical_binding(I)
Technical-layer scope binding (scope-bound design or sectoral derivation)
reverse_pressure
Reverse institutional pressure (constitutional review / strong civic movement / cross-national comparative pressure / technical affordance structural limitation)
P_path_dependency
Path dependency mechanism probability (Pierson 2004, North 1990)
P_infra_invisibility
Infrastructure invisibilization mechanism probability (Bowker–Star 1999, Edwards 2003, 2010)
P_institutional_layering
Institutional layering mechanism probability (Mahoney–Thelen 2010, Hacker 2004)
Layer₁..₄
MVSR four-layer clauses (sunset / scope-bound / split-key / opt-out by design)
failure_mode(Layer_i)
The failure mode of that layer's tool (sunset extension / verifier collusion / de facto centralization / dark pattern)
pre_construction_phase(I)
Specification drafting phase (before normative text v1 publication; ARF v1.5 still within window; Aadhaar window has passed)
if and only if
"satisfies" (model satisfies formula)

The formula establishes the position, but a distinction between two ways of viewing structural slippage must first be drawn. Most policy discourse treats expansion as either 'structural necessity → should not build' (nihilist misreading) or 'weak political will → strengthen oversight' (individualist misreading); this map rejects both — it should be viewed as 'a strong tendency, reversible under reverse institutional pressure,' with pre-construction clauses significantly raising the marginal cost of expansion.

foundational distinction
❌ Rejected

"Structural Necessity → Do Not Build Identity Infrastructure" / "Weak Political Will → Strengthen Oversight"

Both misreadings are rejected. The first misreading writes expansion as structural necessity — since Aadhaar, SSN, and eIDAS have all slipped, any centralized identity infrastructure once built will expand, and institutional design tools are merely placebos that delay slippage. This misreading's policy conclusion is to give up treatment. The second misreading writes expansion as weak political will — if legislators were more careful, administrative bureaucrats more restrained, and civil society more vigilant, slippage would not occur. This misreading degrades a structural problem to an individual problem, equating slippage with moral deficiency rather than institutional design failure. The German Volkszählungsurteil 1983, UK ID Card abolition 2010, US CAB abolition 1985, and Estonia X-Road maintaining limited scope — these four counterexamples simultaneously falsify both extremes: 'structural necessity' and 'individual will as dominant.'

(expansion(I) ⊨ logical_necessity) ⇒ no_prevention_possible   (rejected; reverse_pressure cases falsify)
(expansion(I) ⊨ political_will_failure) ⇒ individualist_remedy_only   (rejected; structural mechanisms exist independently)
✓ Defended

"Strong Tendency + Reversible Under Reverse Institutional Pressure; Pre-Construction MVSR Four-Layer Clauses Significantly Raise Marginal Cost"

Structural slippage is real (path dependency × infrastructure invisibility × institutional layering three mechanisms in aggregate produce a strong tendency), but is not logical necessity — all three mechanisms are probabilistic language. Reverse institutional pressure (constitutional review, strong civic movement, cross-national comparative pressure, technical affordance structural limitation) can reverse slippage in multiple historical cases. The real prevention tools are pre-construction structural clauses: MVSR four layers (sunset + scope-bound + split-key + opt-out by design) are cross-level complementary, with each tool's failure mode absorbed by another. EUDI ARF v1.4/1.5 and California AB1043 are two prima facie early evidence candidates, but require 5–10 year slippage stress testing before claiming verified effectiveness.

(STT_strong_tendency) ∧ (WNC_dual_absence) ∧ (MVSR_layered_defense) ∧ (Prima_Facie_evidence_limit) ⇒ slippage(I) ≤ threshold (under pre-construction-phase deployment)

The distinction itself is merely a declaration. Establishing that 'slippage is a strong tendency but not necessity' requires five independent sources: four historical expansion cases (I inductive), the two critical counterexamples Austrian sourcePIN + German nPA (inductive correction), the path dependency × infrastructure invisibility × institutional layering triangular derivation (D deductive + C causal), specific clauses and failure modes of four cross-level prevention tools (I+A implementation), and EUDI ARF + AB1043 early evidence (Ab abductive). If any one of these five is missing, the argument risks being destroyed in one blow by typical objections such as 'but these are just a few cases,' 'but the mechanism is necessary,' and 'but sunsets will be extended.'

supporting arguments

§2 — Four Historical Expansion Cases

Expansion Trajectories of Aadhaar / SSN / eIDAS / China Real-Name

why: Provides inductive empirical basis. Without credible historical case comparison, 'slippage is a real mechanism' is an empty claim. This pillar unfolds the expansion timelines of four large-scale national identity infrastructure systems, explicitly distinguishing the institutional layer from the practice layer, to avoid mistaking practice-layer evidence for proof of institutional-layer expansion.

Aadhaar started in 2009 for welfare delivery → 2011 PDS → 2013 bank KYC → 2017 PAN/SIM → 2021–2026 voter list / NPR / CAA companion (Puttaswamy II 2018 partially revoked SIM mandate). SSN 1936 tax identification → 1943 military → 1961 IRS TIN → 1965 Medicare → 1976 driver's license → 1990s credit scoring / employer background checks (90-year slippage, described in Database Nation as de facto national identifier). eIDAS 1.0 (2014 electronic signatures) → 2.0 (2024 wallet + PID + QEAA) → under discussion: KYC / age verification / transit tickets (10-year normative text expansion, each wave enacted through formal legislation but actual objection windows structurally compressed). China real-name 2012 network registration → 2014–2018 instant messaging + Weibo + e-commerce → 2020+ mobile payment + health code + online medical → 2024 AI-generated content (rolling implementation, 60+ ministerial-level normative documents, half without legislative-level review).

Common pattern across four cases: no functional restriction clause in founding legal source + no technical scope binding during construction phase → expansion to new uses unauthorized by original legal source within 5–15 years. Expansion mechanisms vary by case (Aadhaar administrative orders, SSN inter-agency conventions, eIDAS normative text, China ministerial-level orders), but the common conditions are highly consistent.
∀ I ∈ {Aadhaar, SSN, eIDAS, China_realname}: ¬legal_clause(I) ∧ ¬technical_binding(I) ∧ expansion(I, t≥10yr) ≫ original_scope(I)

§3 — Two Critical Counterexamples and Corrected Induction

Austrian sourcePIN (No Legal Clause, Has Technical Binding) + German nPA (Has Legal Clause, No Technical Binding)

why: Provides inductive correction basis. Without introducing counterexamples, 'no clauses written → slippage' would be directly refuted. Austrian sourcePIN has been deployed for 22 years with no significant expansion (no legal restriction clause, but sectoral derivation cryptographic binding serves the role of a restriction clause); German nPA has been deployed for 16 years with three expansions (PAuswG §18-19 restrictions exist, but the technically reconfigurable design allows the BVA administrative layer to slowly hollow them out). Both counterexamples jointly support the corrected version: dual absence of legal + technical is the weak necessary condition for expansion; either one existing is sufficient to significantly slow it.

Austrian sourcePIN (E-Government Act 2004 §6): sourcePIN is never revealed to verifiers in its original form; each use context (taxation, health insurance, private sector KYC) receives a sectoral PIN (ssPIN), generated from sourcePIN through symmetric cryptographic derivation; different sector ssPINs are cryptographically irrecomposable (Hörbe & Hörbst 2008). After 22 years of deployment, scope of use remains within original design sectors, with no Aadhaar-style cross-domain layering and no SSN-style universal identifier transformation. German nPA (PAuswG 2010 §18-19): function-restricted reading + Berechtigungszertifikat authorization + pseudonym default mode; but the core chip supports multiple applications, and BVA authorization scope can be adjusted by administrative order; under OZG 2017 push, BVA gradually expanded the authorization list (three expansions in 2014, 2017, 2021); CCC and Stiftung Datenschutz criticized BVA for substantively assuming a quasi-legislative role.
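The sectoral derivation described above, as an added example that is not code from the page or from the Austrian system: it contrasts one universal identifier with per-sector identifiers derived from a secret source value. HMAC-SHA-256 is an assumed stand-in for the derivation function, and the sector codes and population are constructed.

```python
import hashlib
import hmac
import secrets


def derive_sspin(source_pin: bytes, sector: str) -> str:
    """Derive a sector-specific identifier from the source value.

    Assumption: HMAC-SHA-256 keyed with the source value stands in for the
    real derivation; the actual algorithm and encoding are not reproduced.
    """
    if not sector:
        raise ValueError("sector code required")
    return hmac.new(source_pin, sector.encode("utf-8"), hashlib.sha256).hexdigest()


def build_register(citizens: dict, sector: str, use_sectoral: bool) -> dict:
    """Return one sector's database, keyed by the identifier that sector sees."""
    register = {}
    for source_pin in citizens.values():
        if use_sectoral:
            key = derive_sspin(source_pin, sector)
        else:
            key = source_pin.hex()  # universal identifier shared by every sector
        register[key] = f"{sector} record"
    return register


def joinable(reg_a: dict, reg_b: dict) -> int:
    """Count records two sectors could link by comparing their identifiers."""
    return len(reg_a.keys() & reg_b.keys())


# Constructed sample population: random source values, not real identifiers.
CITIZENS = {f"citizen{i}": secrets.token_bytes(16) for i in range(5)}


def demo() -> dict:
    """Compare cross-sector linkability under the two designs."""
    universal = [build_register(CITIZENS, s, False) for s in ("tax", "health")]
    sectoral = [build_register(CITIZENS, s, True) for s in ("tax", "health")]
    # A sector holding only its own identifier cannot compute another sector's.
    pin = CITIZENS["citizen0"]
    tax_id = derive_sspin(pin, "tax")
    rederived = derive_sspin(tax_id.encode(), "health")
    return {
        "universal_id_join": joinable(*universal),
        "sectoral_join": joinable(*sectoral),
        "health_id_from_tax_id": rederived == derive_sspin(pin, "health"),
    }


if __name__ == "__main__":
    print(demo())
```

With a universal identifier every record in the two registers can be joined; with derived identifiers none can, which is the technical binding the counterexample relies on.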

Corrected induction: 'no functional restriction clauses written AND no technical binding' is the weak necessary condition for large-scale national identity infrastructure expansion. Legal clauses and technical binding are mutually complementary absorbers.
WNC: expansion(I) > threshold ⇒ ¬legal_clause(I) ∧ ¬technical_binding(I)
Austria: ¬legal_clause(I) ∧ technical_binding(I) ⇒ expansion ≤ threshold
Germany_nPA: legal_clause(I) ∧ ¬technical_binding(I) ⇒ slow_erosion (not significant expansion, but loosening trajectory visible)

§4 — Triangular Causal Mechanisms

Path Dependency × Infrastructure Invisibility × Institutional Layering (Probabilistic Aggregation, Not Logical Necessity)

why: Provides causal basis. Without explaining 'why expansion occurs,' the argument remains at the descriptive level. Three mechanisms in aggregate: (a) Pierson / North path dependency (increasing returns lock-in), (b) Bowker–Star / Edwards infrastructure invisibility (stability then withdrawal from public deliberation), (c) Mahoney–Thelen / Hacker institutional layering (drift / layering / conversion three forms). All three mechanisms are stated in probabilistic terms; aggregation can only push to 'strong tendency,' not to 'logical necessity.'

Path dependency four micro-foundations (Pierson 2000): increasing returns to adoption + learning effects + coordination effects + adaptive expectations. Identity infrastructure satisfies these to a high degree (Aadhaar 1.3 billion CIDR accumulated; ministries' learning investment sunk; PDS / bank / tax API integration complete; citizens and administrative officials expect continuation). Infrastructure invisibility (Bowker–Star 1999, Star 1999, Edwards 2003, 2010): after infrastructure operates stably it becomes invisible; existence is treated as natural fact rather than political choice; new expansions are framed as technical integration rather than political choices. SSN's 90-year invisibility trajectory is especially extreme. Institutional layering (Mahoney–Thelen 2010, Hacker 2004): new policy demands tend to be layered onto existing institutions; rebuilding requires supermajority while layering requires only marginal majority; every wave of SSN / Aadhaar expansion is layering rather than revision. **Revision convergence**: all three mechanisms are probabilistic; aggregation can only push to high probability, not logical necessity. Counterexamples: German Volkszählungsurteil 1983 (constitutional review interrupts path dependency); Estonia X-Road (cryptographic logging keeps infrastructure from becoming invisible); UK ID Card abolition 2010 (strong civic movement + regime change reverses layering); US CAB abolition 1985 (industry pressure + cross-partisan consensus reduces institutional scope).

Three mechanisms in aggregate produce 'strong tendency' rather than 'logical necessity'; when reverse institutional pressure appears, slippage can be reversed; Nordic displacement in certain political cultures replaces the layering form but does *not* replace expansion outcomes (Swedish personnummer trajectory) — institutional design form and expansion outcomes do not have a one-to-one correspondence.
P(expand | ¬clause ∧ ¬binding) = f(P_path, P_invisible, P_layering)
∀ P_i ∈ probability_language: P_i ¬⊨ logical_necessity
reverse_pressure ⇒ ∃ i: P_i interrupted (case-specific: constitutional_review ⇒ ¬path_lock; technical_affordance ⇒ ¬invisibility; civic_movement+regime_change ⇒ ¬layering)

§5 — Four Cross-Level Prevention Tools

Sunset + Scope-Bound + Split-Key + Opt-Out by Design (MVSR Three-Component Core + Supplement)

why: Provides implementation basis. Without showing specific enforceable clauses, 'cross-level combination' is an abstract claim. This pillar writes the 4 tools as clauses that legislators can directly copy, that W3C / IETF / EUDI ARF can directly write into annexes, and that cryptography implementers can directly code into reference implementations, while also honestly listing each tool's failure mode, to be absorbed by other tools.

(a) **Sunset clauses (legal layer)**: Australian Legislation Act 2003 §50A template, *automatic lapse* rather than *periodic review* (Schoenmaker–Wierts, Davis 2017 cross-domain survival rate data); mandatory *Sunset Audit Report* obligation. Failure mode: political pressure extension (PATRIOT Act §215 multiple extension history). (b) **Scope-bound (cryptographic layer)**: IETF SD-JWT VC + KB-JWT + audience claim + selective disclosure (W3C VCDM 2.0 + EUDI ARF v1.4/1.5 + AB1043 §22585(b)). Failure mode: verifier collusion to recompose attributes (Ohm 2010 broken anonymization); wallet-side aggregation control countermeasure under research. (c) **Split-key (governance + cryptographic layer)**: (k=4, n=7) Pedersen VSS + BLS threshold (Shamir 1979 / Pedersen 1991 / BLS 2001 / FROST 2020); shareholders span seven categories: supervisory authority, audit authority, legislature, civil society, academia, mutual recognition authority, vendor; shareholder replacement threshold higher than daily threshold. Failure mode: de facto centralization (Parity / Multichain / Ronin DAO governance post-mortems). (d) **Opt-out by design (legal + UX + engineering three layers)**: CCPA §1798.135 + GDPR Art. 17 right to erasure; symmetry principle (difficulty of withdrawal must not exceed difficulty of registration); GPC signal support; log retention limit + differential privacy + backup auto-expiry. Failure mode (most serious): dark pattern (Mathur et al. 2019) + residual log + derived analytics not thorough (Netflix re-identification, Narayanan–Shmatikov 2008).
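A verifier-side check for the scope-bound layer in (b), as an added example that is not code from the page or from any cited specification: a presentation discloses one boolean attribute and is bound to a single verifier through the key-binding JWT. Assumptions: HMAC stands in for the issuer's and holder's asymmetric signatures, and all keys, URLs and claim values are constructed; the `_sd`, `aud`, `nonce`, `iat` and `sd_hash` names follow IETF SD-JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer signing key
HOLDER_KEY = b"constructed-holder-key"  # stand-in for the wallet's bound key


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, key: bytes) -> str:
    body = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    return body + "." + b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify(token: str, key: bytes) -> dict:
    head, payload, sig = token.split(".")
    want = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64u_dec(sig)):
        raise ValueError("signature check failed")
    return json.loads(b64u_dec(payload))


def digest(text: str) -> str:
    return b64u(hashlib.sha256(text.encode("ascii")).digest())


def issue(claims: dict) -> tuple:
    """Issuer: put only salted digests in the JWT; return (jwt, disclosures)."""
    disclosures = {
        name: b64u(json.dumps([secrets.token_urlsafe(16), name, value]).encode())
        for name, value in claims.items()
    }
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    return sign({"alg": "HS256"}, payload, ISSUER_KEY), disclosures


def present(sd_jwt: str, chosen: list, aud: str, nonce: str, iat: int) -> str:
    """Holder: reveal only `chosen` disclosures, bound to one verifier."""
    unbound = "~".join([sd_jwt, *chosen]) + "~"
    kb_payload = {"iat": iat, "aud": aud, "nonce": nonce, "sd_hash": digest(unbound)}
    return unbound + sign({"alg": "HS256", "typ": "kb+jwt"}, kb_payload, HOLDER_KEY)


def check_presentation(presentation: str, my_aud: str, my_nonce: str,
                       now: int, max_age: int = 300) -> dict:
    """Verifier: return the disclosed claims or raise ValueError."""
    unbound, _, kb_jwt = presentation.rpartition("~")
    unbound += "~"
    sd_jwt, *disclosures = unbound.split("~")[:-1]
    issued = verify(sd_jwt, ISSUER_KEY)
    kb = verify(kb_jwt, HOLDER_KEY)
    if kb["aud"] != my_aud:
        raise ValueError("audience mismatch")
    if kb["nonce"] != my_nonce:
        raise ValueError("nonce mismatch")
    if not 0 <= now - kb["iat"] <= max_age:
        raise ValueError("stale key binding")
    if kb["sd_hash"] != digest(unbound):
        raise ValueError("sd_hash mismatch")
    claims = {}
    for item in disclosures:
        if digest(item) not in issued["_sd"]:
            raise ValueError("disclosure not issued")
        _salt, name, value = json.loads(b64u_dec(item))
        claims[name] = value
    return claims


def demo() -> dict:
    sd_jwt, disc = issue({"age_over_18": True, "birthdate": "1990-01-01"})
    a, b, t0 = "https://verifier-a.example", "https://verifier-b.example", 1_700_000_000
    shown = present(sd_jwt, [disc["age_over_18"]], a, "nonce-a", t0)
    out = {"verifier_a": check_presentation(shown, a, "nonce-a", t0 + 5)}
    head, _, kb = shown.rpartition("~")
    attempts = {
        # Same presentation handed on to a second verifier.
        "forwarded_to_b": (shown, b),
        # Presentation altered after binding: an extra disclosure was added.
        "altered_after_binding": (f"{head}~{disc['birthdate']}~{kb}", a),
    }
    for label, (token, aud) in attempts.items():
        try:
            check_presentation(token, aud, "nonce-a", t0 + 5)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out
```

The audience check stops a presentation from being reused at another verifier, and `sd_hash` fixes the set of disclosed attributes. Neither check prevents two verifiers from comparing what each legitimately received, which is the collusion failure mode named in (b).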

MVSR Layer 1 (sunset + scope-bound + split-key, three-component core) must be done; Layer 2 (opt-out) strongly recommended; Layer 3 (constitutional guarantee) ideal conditions. Each tool has failure modes; combined use makes each failure mode absorbed by another tool. Opt-out is the weakest of the 4 tools, but remains citizens' last bargaining chip.
MVSR_optimal: Layer₁ ∧ Layer₂ ∧ Layer₃ ∧ recommended(Layer₄)
failure(Layer₁_sunset_extended) absorbed_by Layer₂ ∧ Layer₃ (even if sunset is extended, scope-bound + split-key prevents functional expansion)
failure(Layer₂_verifier_collusion) absorbed_by Layer₄ (citizens can exit specific verifier)
failure(Layer₃_de_facto_centralization) absorbed_by Layer₁ (sunset forces periodic re-deliberation of centralization legitimacy)
failure(Layer₄_dark_pattern) absorbed_by Layer₁ ∧ Layer₂ ∧ Layer₃ (other three layers prevent data from entering derived analytics)
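The (k=4, n=7) split in (c) and its de facto centralization failure mode, as an added example that is not code from the page or from any cited project. Assumptions: plain Shamir secret sharing stands in for the threshold property only (Pedersen VSS commitments and BLS signing are not implemented), and `min_controllers_for_quorum` and the custody maps are hypothetical.

```python
import secrets
from collections import Counter

PRIME = 2**127 - 1  # Mersenne prime used as the field modulus
K, N = 4, 7
CLASSES = ("supervisory authority", "audit authority", "legislature",
           "civil society", "academia", "mutual recognition authority", "vendor")


def split(secret: int, k: int = K, n: int = N) -> dict:
    """Give each shareholder class one point on a random degree k-1 polynomial."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = {}
    for x, holder in enumerate(CLASSES[:n], start=1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares[holder] = (x, y)
    return shares


def combine(points: list) -> int:
    """Lagrange interpolation at x = 0; correct only with at least k points."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def min_controllers_for_quorum(custody: dict, k: int = K) -> int:
    """Fewest distinct controllers whose shares together reach the threshold.

    `custody` maps shareholder class -> the entity that actually stores or
    operates that class's share (hypothetical audit input). A result below k
    means the nominal k-of-n independence has eroded.
    """
    held = 0
    ranked = Counter(custody.values()).most_common()
    for needed, (_controller, count) in enumerate(ranked, start=1):
        held += count
        if held >= k:
            return needed
    raise ValueError("fewer than k shares in custody")


# Constructed custody maps: independent custody versus shares hosted by one party.
INDEPENDENT = {c: c for c in CLASSES}
HOSTED = dict(INDEPENDENT, **{"audit authority": "vendor", "academia": "vendor",
                              "civil society": "vendor"})

if __name__ == "__main__":
    shares = split(secrets.randbelow(PRIME))
    print(min_controllers_for_quorum(INDEPENDENT), min_controllers_for_quorum(HOSTED))
```

The threshold arithmetic is identical in both custody maps; only the audit over who operates the shares shows that in the second map one party alone can reach the quorum.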

§6 — EUDI ARF + AB1043 Prima Facie Early Evidence

High Consistency at Normative Text Level (Pending 5–10 Year Stress Test)

why: Provides abductive basis. Without evaluating early evidence candidates, 'prevention tools are effective' is a claim based on reverse inference. EUDI ARF v1.4/v1.5 adopts four clauses: minimum disclosure / unobservability / no phone home / scope binding; California AB 1043 §22585(b) establishes attribute-bounded mode + §22585(e) liability shift. Both have been live for < 3 years while path dependency's time constant is 5–10 years, so 'no slippage' currently cannot be distinguished from 'not yet slippage.'

EUDI ARF v1.4/v1.5 (Regulation (EU) 2024/1183 companion): §4–§6 minimum disclosure + unobservability + no phone home + scope binding; EDPB & EDPS Joint Opinion 2/2023 some recommendations adopted (unlinkability, minimum disclosure written in), some not adopted (mandatory pairwise pseudonym not explicitly required). AB 1043 (2023, Cal. Civ. Code §22585): §22585(b) age verification systems may only transmit a single boolean signal (age ≥ X), prohibiting transmission of specific age / birthday / other attributes; §22585(e) liability shift transfers out-of-scope liability to the verifier; companion §1798.135 CCPA opt-out + GPC signal + §1798.140 strict de-identified boundary. **Evidence limits**: (1) time constant constraint (< 3 years vs. 5–10 years); (2) not yet stress-tested for slippage pressure (regime change / national security incident / cross-border crisis); (3) level jump from normative text to enforcement behavior (German nPA shows text can be slowly hollowed at enforcement layer); (4) sample size constraint (two cases cannot generalize across countries and domains).

Prima facie conclusion: current early evidence has not yet falsified H1 (prevention tool hypothesis), and ARF and AB1043 clauses at the normative level demonstrate high consistency with slippage prevention doctrine — this provides reasonable candidate basis for the policy recommendation 'should be written in,' but makes no claim for 'already verified effective.' Four critical nodes require ongoing observation: ARF Implementing Acts, California AB 1043 first substantive enforcement, EU member state local implementation differences, and weakest link in cross-border mutual recognition.
ARF_v1.5 ⊨ {minimum_disclosure, unobservability, no_phone_home, scope_binding}
AB1043 §22585(b) ⊨ attribute_bounded ∧ §22585(e) ⊨ liability_shift
but: uptime < 3yr ∧ path_constant ≈ 5–10yr ⇒ ¬falsified(H1) ∧ ¬verified(H1)
status: prima_facie_support (pending ongoing observation)

The five pillars above provide positive support. But the claim 'how slippage forms' requires a concrete causal chain to sustain it: the evolution chain from the original construction purpose to expanded uses. The six-step causal chain shows how this mechanism formed and at which nodes it can be interrupted by MVSR clauses.

causal chain

Six-Step Causal Chain of Slippage Formation: From Original Construction Purpose to Expanded Uses

T0
Identity infrastructure built for original limited purpose (Aadhaar welfare delivery / SSN taxation / eIDAS electronic signatures / China real-name network registration)
T1
Increasing returns locks in path dependency: CIDR / numbering system / trust list / user database accumulates; marginal cost of building alternatives rises exponentially
T2
Infrastructure becomes invisible after stabilization: treated as natural fact rather than political choice; public deliberation trigger mechanisms fail (SSN 90-year invisibility / Aadhaar 5-year invisibility)
T3 ◊⇒
New policy demands layered onto existing systems: one of drift / layering / conversion three forms occurs (SIM mandatory linking, Medicare identification, wallet scope expansion, health code); layering requires only marginal majority
T4 ◊⇒
If legal or technical binding is absent, expansion channels amplify: either legal clause or technical binding existing is sufficient to significantly slow (Austrian sourcePIN, German nPA partially); dual absence produces strong expansion pressure
T5 ◊⇒
When reverse institutional pressure appears, slippage can be reversed: constitutional review interrupts path lock (Volkszählungsurteil) / technical affordance rejects invisibility (X-Road audit log) / civic movement + regime change reverses layering (UK ID Card abolition)
Mechanically necessary (structural, not dependent on external trigger)
◊⇒ Probabilistic (dependent on policy choices + whether reverse institutional pressure appears)

Once the position + causal chain are established, the objections become genuinely threatening. 'Simply do not build any identity infrastructure,' 'sunsets will be extended under political pressure,' and 'institutional clauses are institutional theatre' are frequently cited as reasons; but careful examination of the evidentiary strength of each objection reveals that not only do they not support 'slippage cannot be prevented,' they actually flip to support layered defense — that is, the limiting scope of each objection precisely constitutes the second layer of support for the map.

border cases — flip to support

Objection 1

Nihilism (Since Slippage Will Occur, Simply Do Not Build Any Identity Infrastructure)

pivot: The objection claims that 'any centralized identity infrastructure once built will expand; institutional design tools are placebos that delay slippage; the rational conclusion is to build nothing, replaced by SSI / ZKP.' Strongest supporters: cypherpunk tradition (May 1992, Hughes 1993), anarcho-capitalist (Friedman 1989), post-Snowden comprehensive skepticism (Greenwald 2014, Lyon 2014). But counterfactual scenario testing: if G20 stopped all new centralized identity infrastructure from 2026, World Bank Findex 2021 estimates the 1.4 billion unbanked adults would expand by 200–400 million due to verification difficulties; cross-border employment compliance costs would rise 30–50%; US Federal Reserve estimates synthetic identity fraud annual cost (approximately $20 billion in 2020) would multiply; private sector alternatives (Apple ID / Mastercard ID / platform accounts) would fill the vacuum but with lower governance quality than democratic country systems.

The 'do not build' objection not only fails to support 'no prevention possible,' it actually provides the strongest argument for 'not building has concrete normative costs' — Anderson's Private Government shows that 'not building' transfers governance costs to the most vulnerable; Habermas's Between Facts and Norms shows the normative argument for infrastructure as a public good; SSI / ZKP on low-end Android devices have ZKP computation times of 5–30 seconds (unstable), BBS+ issuer-side computation cost still higher than traditional PKI, and distributed trust anchor key recovery problems. The question 'should we build' has been answered by real civic society needs; the remaining question is 'how to build.'

Objection 2

Public Choice Critique of Sunset (PATRIOT Act §215 Proves Sunsets Will Be Extended)

pivot: The objection claims that 'sunset clauses will be extended under political pressure (PATRIOT Act §215 is the classic counterexample); administrative bureaucrats have strong rent-seeking motives to maintain power (Niskanen 1971); lobby groups dissipate institutional constraints (Olson 1965); legislators themselves have extension motives (Buchanan & Tullock 1962).' The most refined version proposes a category mistake proposition: sunset is institutional theatre; what really works is regime change / judicial review / civic movement. But cross-domain empirical data: Australian Legislation Act 2003 §50A sunset 38% automatic lapse rate (Davis 2017); financial regulation sunsets with automatic lapse failure rate significantly higher than periodic review (Schoenmaker–Wierts 2011); real sunset abolition cases (US Independent Counsel Act 1999, Australian control orders partially lapsed, Canadian Anti-terrorism Act 2007).

The 'sunsets will be extended' objection not only fails to support 'institutional theatre,' it actually provides the strongest argument for 'sunset + supporting layered defense' — when sunset is combined with scope-bound + split-key, even if extension passes, functions cannot expand; the Independent Counsel Act 1999 lapse was precisely supported by companion liability clauses. 'Will be extended' also does not equal 'ineffective'; the extension process itself creates public deliberation windows and raises marginal cost (PATRIOT Act §215's multiple extensions were all accompanied by ACLU/EFF opposition campaigns, and 2015 USA Freedom Act partially amended bulk metadata collection). Full lapse rate + partial amendment rate + marginal deterrence effect in aggregate means sunset's political-economic effect far exceeds the two-extreme comparison of 'complete failure.'

Objection 3

EUDI ARF and AB1043 Are Too New to Support Any Conclusions

pivot: The objection claims that 'both cases have been live < 3 years; path dependency time constant is 5–10 years; current "no slippage" cannot be distinguished from "not yet slipped"; using prima facie evidence to support policy recommendations is a premature conclusion.' This is a serious methodological critique that this article must honestly face. But acknowledging evidence limits *itself* does not negate the policy significance of prima facie evidence: (1) clause design at the normative text level is highly consistent with slippage prevention doctrine, which is an argument independent of uptime; (2) ARF + AB1043's clause structure is precisely based on reverse inference from the preceding four historical cases (Aadhaar / SSN / eIDAS / China real-name); (3) policy recommendations target identity infrastructure *currently under planning* (Taiwan DIW, UK OSA secondary legislation, California OpenCred, etc.), not already-built systems.

'Sample size too small' not only fails to support 'policy recommendations premature,' it actually provides argument for 'need for ongoing observation + simultaneously write into new infrastructure' — if 5–10 years must pass to confirm prevention tool effectiveness, all identity infrastructure currently under planning during that period will miss the pre-construction time window. Rational policy decisions must be made under imperfect evidence; prima facie evidence + reverse causal argument + cross-level complementary design in aggregate is sufficient to support the policy recommendation 'write MVSR clauses into new infrastructure,' while preserving the academic discipline of 'ongoing observation and preparation for revision.'

After the objections are absorbed, what remains is design implications: under what conditions can prevention clauses be written *before construction* and actually take effect? Three constraints (the four-component MVSR layered defense, the four complementary failure-mode absorptions, and the pre-construction time window) translate the abstract 'prevent slippage' into verifiable engineering and policy obligations.

procedural conditions

Legitimate deployment of MVSR prevention clauses must pass three constraints: the four-component layered defense, the four complementary failure-mode absorptions, and the pre-construction time window.

deploy(MVSR, I) viable ⇔ (Layer₁ ∧ Layer₂ ∧ Layer₃) ∧ recommended(Layer₄) ∧ ⋀_{i,j} absorb(failure_mode(Layer_i), Layer_j) ∧ pre_construction_phase(I)
1
Layer 1 — Sunset Clauses (Legal Layer)

5–7 year automatic lapse (not periodic review), burden of proof on the continuing party; mandatory Sunset Audit Report submission to the legislative layer; Australian Legislation Act 2003 §50A provides the template. Failure mode: political pressure extension (PATRIOT §215).

Layer₁: sunset_period ∈ [5, 7]yr ∧ automatic_lapse ∧ audit_report_required
2
Layer 2 — Scope-Bound Infrastructure (Cryptographic + Standards Layer)

Mandatory SD-JWT VC + KB-JWT + audience claim + selective disclosure; EUDI ARF v1.4/v1.5 + AB 1043 §22585(b) provide clause templates; violating verifiers may not receive. Failure mode: verifier collusion for recomposition (Ohm 2010).

Layer₂: ∀ credential c: c ⊨ (SD_JWT_VC ∧ KB_JWT ∧ audience_claim ∧ selective_disclosure)
3
Layer 3 — Split-Key Governance (Governance + Cryptographic Layer)

(k=4, n=7) Pedersen VSS + BLS threshold; shareholders span seven categories: supervisory authority, audit authority, legislature, civil society, academia, mutual recognition authority, vendor; shareholder replacement threshold higher than daily threshold. Failure mode: de facto centralization (Parity / Multichain / Ronin).

Layer₃: issuer_key ⊨ (k, n) Pedersen_VSS ∧ shareholder_class ∈ 7_categories ∧ replacement_threshold > daily_threshold
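
The (k=4, n=7) clause and its de facto centralization failure mode, as an added example (not code from this page): plain Shamir secret sharing over a prime field stands in for Pedersen VSS + BLS threshold, so shares are not verifiable and nothing is signed. The replacement threshold of 5, the custody records and all function names are assumptions; the clause itself only requires the replacement threshold to exceed the daily one.

```python
import secrets

P = 2**127 - 1                      # prime field for the demo secret
CLASSES = ["supervisory", "audit", "legislature", "civil_society",
           "academia", "mutual_recognition", "vendor"]
K_DAILY, N = 4, 7                   # (k=4, n=7) from the Layer 3 clause
K_REPLACE = 5                       # assumed value; must only exceed K_DAILY

def split(secret: int, k: int = K_DAILY) -> dict:
    """One Shamir share per shareholder class: points on a random
    polynomial of degree k-1 whose constant term is the secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return {cls: (x, f(x)) for x, cls in enumerate(CLASSES, start=1)}

def reconstruct(points) -> int:
    """Lagrange interpolation at x=0. Shown only to demonstrate the k-of-n
    property; a threshold signature scheme never reassembles the key."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = num * -xm % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def quorum_ok(approvals, custody, action="sign") -> bool:
    """Count distinct controlling entities, not shares: custody maps each
    shareholder class to whoever actually operates that share."""
    need = K_REPLACE if action == "replace_shareholder" else K_DAILY
    return len({custody[c] for c in set(approvals)}) >= need

def centralization_findings(custody, k=K_DAILY) -> dict:
    """Flag any entity that operates more than one class's share."""
    held = {}
    for cls, entity in custody.items():
        held.setdefault(entity, []).append(cls)
    findings = {}
    for entity, classes in held.items():
        if len(classes) >= k:
            findings[entity] = "can meet the daily threshold alone"
        elif len(classes) > 1:
            findings[entity] = f"operates {len(classes)} shares"
    return findings

# Constructed custody records. In the second one, three classes have
# outsourced share hosting to the vendor, who then operates four shares.
INDEPENDENT_CUSTODY = {c: c for c in CLASSES}
CAPTURED_CUSTODY = dict(INDEPENDENT_CUSTODY)
CAPTURED_CUSTODY.update({c: "vendor" for c in
                         ("supervisory", "audit", "mutual_recognition")})
```

On paper the captured arrangement is still 4-of-7 across seven categories; counting by controlling entity is what exposes that one operator can meet the daily threshold alone.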

Layer 4 — Opt-Out by Design (Legal + UX + Engineering Three Layers)

Personal data law explicit exit right (CCPA §1798.135 + GDPR Art. 17 template); symmetry principle (difficulty of withdrawal must not exceed difficulty of registration); GPC signal support; log retention limit + differential privacy + backup auto-expiry. Failure mode (most serious): dark pattern + residual log (Mathur 2019, Netflix re-id).

Layer₄: opt_out ⊨ (legal_right ∧ symmetry ∧ GPC_signal ∧ log_retention_limit ∧ DP_processing ∧ backup_auto_expiry)

Failure-Mode Complementary Absorption

Layer₁ extension → Layer₂ + Layer₃ prevent functional expansion; Layer₂ verifier collusion → Layer₄ citizen exits specific verifier; Layer₃ centralization → Layer₁ sunset periodically re-deliberates; Layer₄ dark pattern → Layer₁+Layer₂+Layer₃ prevent data from entering derived analytics. Each failure mode has a corresponding absorption mechanism.

∀ Layer_i, ∃ Layer_j (i ≠ j): absorb(failure_mode(Layer_i), Layer_j)

Time Window — Pre-Construction Political Opportunity Window

MVSR clauses must be written during the specification drafting phase; clauses added after construction face exponentially rising political cost (for the German nPA, adding clauses after deployment is nearly impossible; after 90 years the SSN's expanded scope still cannot be fully retracted; for Aadhaar, under Puttaswamy II, courts can only reduce scope after the fact and cannot reset the clauses). Current windows: EUDI ARF v1.5 + Implementing Acts, Taiwan digital credential wallet pilot, California AB 1043 secondary legislation, UK OSA secondary legislation.

preset_clauses(I) viable ⇔ pre_construction_phase(I) ∧ ¬path_dependency_lock(I)
post_construction_clauses(I) ⇒ political_cost(t) ↗ exponential

Drawing together five layers (historical cases, mechanism derivation, prevention tools, early evidence, and objection responses), the map's final message is the political-economic character of slippage and a design principle spanning all levels: the timing of writing determines clause effectiveness. The pre-construction political opportunity window closes on a timescale of months and of political circumstance, and will not wait for academic research to complete.

Structural slippage is a strong tendency, not a logical necessity. Three mechanisms (path dependency × infrastructure invisibility × institutional layering) in aggregate produce a high probability of expansion, but all three are probabilistic language; reverse institutional pressure (constitutional review / strong civic movement / cross-national comparative pressure / structural limitation from technical affordance) can reverse slippage in multiple historical cases. The four high-expansion cases (Aadhaar, SSN, eIDAS, and China real-name), together with six counterexamples (Austrian sourcePIN, with no legal clause but technical binding; German nPA, with a legal clause but no technical binding; German Volkszählungsurteil 1983; Estonia X-Road; UK ID Card abolition; and US CAB abolition), simultaneously falsify both extreme misreadings: "structural necessity" and "weak political will."

The debate should shift from 'slippage is necessary vs. contingent' to 'timing and level combination of clause writing.' The MVSR four-layer defense (sunset + scope-bound + split-key + opt-out by design), written in before construction, can significantly raise the marginal cost of expansion; each tool's failure mode is absorbed by another tool (sunset extension → scope-bound + split-key; verifier collusion → opt-out; centralization → sunset; dark pattern → other three layers). EUDI ARF v1.4/v1.5 and California AB 1043 are two prima facie early evidence candidates, but they require 5–10 years of slippage stress testing before verified effectiveness can be claimed.

A cross-level principle runs throughout: the timing of writing determines clause effectiveness; the pre-construction political opportunity window closes on a timescale of months and of political circumstance, and will not wait for academic research to complete. This article extends the 'structural conditions vs. individual will' mode of judgment used in article 06 ('civic burden redistribution'), article 07 ('passport-rooted paradox'), and article 11 ('wallet as essential facility'), applying the same analysis to the causal mechanisms of slippage and to preventive institutional design; it forms cross-article coupled arguments with article 09 ('BankID Nordic commercial monopoly') and article 12 ('no-phone-home engineering economics'): the political-economic character of infrastructure reappears on every issue. Returning the politics of slippage to politics requires not more warnings, but translating warnings into clauses that can be written concretely into specifications.

Final form:

  Strong_Tendency_Theorem (STT):
    ∀ I : P(I expands | ¬legal ∧ ¬binding ∧ ¬reverse_pressure)
          ≈ 0.85 to 1.0  (4 cases / 14–90 yrs empirical)

  Weak_Necessary_Condition (WNC, corrected from intake):
    expansion(I) > threshold ⇒ ¬legal_clause(I) ∧ ¬technical_binding(I)

  Three_Mechanism_Aggregate:
    P(expand | ¬clause ∧ ¬binding) = f(P_path, P_invisible, P_layering)
    ∀ P_i ∈ probability_language ¬⊨ logical_necessity

  MVSR_Layered_Defense:
    slippage ≤ threshold ⇔ Layer₁ ∧ Layer₂ ∧ Layer₃ ∧ recommended(Layer₄)
    ∀ Layer_i ∃ Layer_j (i ≠ j): absorb(failure_mode(Layer_i), Layer_j)

  Time_Window:
    preset_clauses(I) viable ⇔ pre_construction_phase(I)
    post_construction_clauses(I) ⇒ political_cost(t) ↗ exponential

  Prima_Facie_Evidence_Limit:
    ARF_v1.5, AB1043 ∈ candidate_evidence ∧ uptime < 3yr
    path_constant ≈ 5–10yr ⇒ ¬distinguish(no_slip, not_yet_slip)
    status: prima_facie_support, pending 5–10 year stress test

Cross-article coupling:
  article_06.civic_burden     ← slippage amplifies asymmetric redistribution of civic burden
  article_07.SRP              ← slippage formation pathway within sovereign containers for ID
  article_09.NCT_BankID       ← special slippage form under commercial monopoly
  article_11.essential_fac    ← market structure support for wallet slippage
  article_12.IDT              ← phone-home as the engineering channel for slippage

Argdown

Source
===
title: 身分基礎設施為什麼一定會擴張——以及如何預防
subTitle: Structural Slippage Prevention — Argument Map (v2)
slug: 2026-05-09-structural-slippage-prevention
author: research-article-pipeline argdown export
model:
  removeTagsFromText: true
===

# Central Thesis

[Core Thesis]
  + <Formal Core>
  + [Accepted]
  + <P1>
  + <P2>
  + <P3>
  + <P4>
  + <P5>
  + <Causal Chain>
  + [Deployment Conditions]
  + <Conclusion>
  - [Rejected]
    - [Accepted]
  + [Accepted]
  - [Objection 1]
    - <Reply 1>
  + <Reply 1>
  - [Objection 2]
    - <Reply 2>
  + <Reply 2>
  - [Objection 3]
    - <Reply 3>
  + <Reply 3>

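[Core Thesis]: Once identity infrastructure is built, it has a strong tendency toward expanded use in the absence of reverse institutional pressure (strong tendency, reversible). The weak necessary condition for expansion is the dual absence of legal restriction and technical binding (corrected by the Austrian sourcePIN and German nPA counterexamples). Three mechanisms in aggregate produce the strong tendency: path dependency, infrastructure invisibility and institutional layering; all three are probabilistic language, not logical necessity. MVSR (Minimum Viable Slippage Resistance) four-layer clauses, written into specifications and legal sources before construction, can significantly raise the marginal cost of expansion: sunset, scope-bound, split-key and opt-out by design are complementary across levels, with each tool's failure mode absorbed by another tool. EUDI ARF v1.4/1.5 and California AB1043 are two prima facie early evidence candidates, but both have been live for under 3 years while the path dependency time constant is 5 to 10 years; the current "no slippage" cannot be distinguished from "not yet slipped," and ongoing observation is still required. #thesis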

<Formal Core>: Formula Strong Tendency Theorem (STT) infra I P(I expands legal clause(I) technical binding(I) reverse pressure) 0.85 to 1.0 (empirical, 4 cases 14 90 yrs) where legal clause(I) sunset function creep prevention technical binding(I) scope bound sectoral derivation reverse pressure constitutional review, civic movement, cross national pressure, technical affordance Weak Necessary Condition (WNC, corrected from intake) expansion(I) threshold legal clause(I) technical binding(I) (counterexamples Austria sourcePIN, German nPA; either one present is enough to significantly slow expansion) Three Mechanism Aggregate P(expand clause binding) f( P path dependency, P infra invisibility, P institutional layering ) where each P probability language logical necessity Reverse pressure reverse pressure one of the three mechanisms is interrupted constitutional review path lock (e.g. Volkszählungsurteil 1983) technical affordance invisibility (e.g. Estonia X-Road audit log) civic movement layering (e.g. UK ID Card abolition 2010) regime change MVSR Layered Defense expansion(I) threshold Layer₁ Layer₂ Layer₃ (Layer₄ recommended) Layer₁ sunset clauses (legal layer, automatic lapse periodic review) Layer₂ scope bound (cryptographic layer, SD-JWT VC KB-JWT audience claim) Layer₃ split key (governance cryptography, k-of-n threshold cross-class shareholder) Layer₄ opt out by design (legal, UX and engineering, three overlapping layers) failure mode(Layer i) absorbed by Layer j (i j) Time Window preset clauses(I) viable pre construction phase(I) post construction clauses(I) political cost(t) exponential Prima Facie Evidence Limit ARF v1.5, AB1043 candidate evidence uptime 3yr path dependency constant 5 10yr distinguish( no slippage, not yet slippage ) Caption STT describes a strong tendency, not a necessity; WNC corrects the weak necessary condition for expansion to the dual absence of law and technology; the MVSR four-layer layered defense raises marginal cost through complementary absorption; Time Window stresses the pre-construction political opportunity window; Prima Facie limits EUDI ARF and AB1043 to candidate evidence rather than verified effectiveness. #formal

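[Accepted]: "A strong tendency, reversible under reverse institutional pressure; pre-construction MVSR four-layer clauses significantly raise marginal cost." Structural slippage is real (the triangle of path dependency, infrastructure invisibility and institutional layering in aggregate produces a strong tendency), but it is not a logical necessity: all three mechanisms are probabilistic language. Reverse institutional pressure (constitutional review, strong civic movements, cross-national comparative pressure, structural limits from technical affordance) can reverse slippage in multiple historical cases. The real prevention tools are pre-construction structural clauses: the MVSR four layers (sunset, scope-bound, split-key, opt-out by design) are complementary across levels, with each tool's failure mode absorbed by another tool. EUDI ARF v1.4/1.5 and California AB1043 are two prima facie early evidence candidates, but 5 to 10 years of slippage stress testing are needed before verified effectiveness can be claimed. #accepted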

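[Rejected]: "Structural necessity, so do not build identity infrastructure" and "weak political will, so strengthen oversight." Both misreadings are rejected. The first misreading writes expansion as structural necessity: since Aadhaar, SSN and eIDAS all slipped, any centralized identity infrastructure will expand once built, and institutional design tools are only a placebo that delays slippage. The policy conclusion of this misreading is to give up treatment. The second misreading writes expansion as weak political will: if legislators were more cautious, administrative bureaucrats more restrained and civil society more vigilant, slippage would not occur. This misreading downgrades a structural problem to a personal one, which amounts to saying that slippage is a moral defect rather than an institutional design failure. The German Volkszählungsurteil 1983, the UK ID Card abolition 2010, the US CAB abolition 1985, and Estonia's X-Road staying within its limited scope: these four counterexamples simultaneously falsify the two extreme positions of "structural necessity" and "individual will dominates." #rejected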

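<P1>: Title Expansion trajectories of Aadhaar, SSN, eIDAS and China real-name Section 2 — Four historical expansion cases Role Provides the inductive empirical basis: without credible historical cases for comparison, "slippage is a real mechanism" is an empty claim. This pillar lays out the expansion timelines of four large-scale national identity infrastructures, explicitly distinguishing the institutional layer from the practice layer, to avoid mistaking practice-layer evidence for proof of institutional-layer expansion. Aadhaar: launched in 2009 for welfare delivery, 2011 PDS, 2013 bank KYC, 2017 PAN, SIM, 2021 to 2026 voter rolls, NPR, CAA linkage (Puttaswamy II 2018 partially struck down the SIM mandate). SSN: 1936 tax identification, 1943 military, 1961 IRS TIN, 1965 Medicare, 1976 driver's licenses, 1990s credit scoring, employer background checks (90 years of slippage; Database Nation describes it as a de facto national identifier). eIDAS: 1.0 (2014, electronic signatures), 2.0 (2024, wallet, PID, QEAA), under discussion KYC, age verification, transport ticketing (10 years of expansion in normative texts; each wave passed formal legislation, but the practical window for opposition was structurally compressed). China real-name: 2012 network filing, 2014 to 2018 instant messaging, Weibo, e-commerce, 2020 mobile payment, health code, online medical care, 2024 AI-generated content (rolling implementation; 60 ministry-level normative documents, half without legislative-level deliberation). Finding Common pattern across the four cases: at the construction stage the legal basis had no function-limitation clause and no technical scope binding, and within 5 to 15 years use expanded to new purposes that the original legal basis did not authorize. The expansion mechanism differs slightly by case (Aadhaar by executive order, SSN by cross-agency custom, eIDAS by normative texts, China by ministry-level orders), but the common conditions are highly consistent. Formal I Aadhaar, SSN, eIDAS, China realname legal clause(I) technical binding(I) expansion(I, t 10yr) original scope(I) #pillar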

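<P2>: Title Austrian sourcePIN (no law, has technology) and German nPA (has law, no technology) Section 3 — Two key counterexamples and the corrected induction Role Provides the basis for correcting the induction: if counterexamples are not brought in, "no clause written, therefore slippage" would be directly overturned by them. Austria's sourcePIN has been deployed for 22 years without significant expansion (no legal restriction, but the cryptographic binding of sectoral derivation takes on the role of a limitation clause); Germany's nPA has been deployed for 16 years with three expansions (the PAuswG §18-19 restrictions exist, but technical reconfigurability let the BVA administrative layer slowly hollow them out). Together the two counterexamples support the corrected version: the dual absence of law and technology is the weak necessary condition for expansion, and either one present is enough to slow it significantly. Austria sourcePIN (E-Government Act 2004 §6): the sourcePIN is never disclosed to a verifier in its original form; each usage context (tax, health insurance, private-sector KYC) receives a sectoral PIN (ssPIN), produced from the sourcePIN by symmetric cryptographic derivation; ssPINs of different sectors cannot be cryptographically recombined with one another (Hörbe and Hörbst 2008). Over 22 years of deployment the scope of use has stayed within the originally designed sectors, with no Aadhaar-style cross-domain layering and no SSN-style conversion into a universal identifier. German nPA (PAuswG 2010 §18-19): function-restricted reading, Berechtigungszertifikat authorization, pseudonym as default mode; but the core chip supports multiple applications, and the BVA authorization scope can be adjusted by administrative order; pushed by the OZG 2017, the BVA gradually enlarged the authorization list (three expansions: 2014, 2017, 2021); the CCC and Stiftung Datenschutz criticize the BVA for in effect taking on a semi-legislator role. Finding Corrected induction: "no function-limitation clause written and no technical binding made" is the weak necessary condition for expansion of large-scale national identity infrastructure. Legal clauses and technical binding back each other up. Formal WNC expansion(I) threshold legal clause(I) technical binding(I) Austria legal clause(I) technical binding(I) expansion threshold Germany nPA legal clause(I) technical binding(I) slow erosion (no significant expansion, but a loosening trajectory is visible) #pillar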

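<P3>: Title Path Dependency, Infrastructure Invisibility, Institutional Layering (probabilistic aggregation, not logical necessity) Section 4 — The triangular causal mechanism Role Provides the causal basis: without explaining why expansion happens, the argument stays at the descriptive level. Three mechanisms aggregate: (a) Pierson, North path dependency (lock-in through increasing returns), (b) Bowker, Star, Edwards infrastructure invisibility (withdrawal from public deliberation once stable), (c) Mahoney, Thelen, Hacker institutional layering (the three forms drift, layering, conversion). All three mechanisms are probabilistic language; their aggregation can only reach "strong tendency," not "logical necessity." Path dependency has four micro-foundations (Pierson 2000): increasing returns to adoption, learning effects, coordination effects, adaptive expectations. Identity infrastructure satisfies them to a very high degree (Aadhaar: CIDR accumulation for 1.3 billion people, sunk learning investments across ministries, completed API integration for PDS, banks and tax, and expectations of continued existence among citizens and administrative bureaucrats). Infrastructure invisibility (Bowker and Star 1999, Star 1999, Edwards 2003, 2010): once infrastructure operates stably it becomes invisible, its existence is treated as a natural fact rather than a political choice, and new expansion is framed as technical integration rather than political choice. The SSN's 90-year invisibility trajectory is especially extreme. Institutional layering (Mahoney and Thelen 2010, Hacker 2004): new policy demands tend to be layered onto existing institutions; rebuilding needs a supermajority while layering needs only a marginal majority; every wave of SSN and Aadhaar expansion was layering rather than revision. Revised convergence: all three mechanisms are probabilities, and aggregation can only reach high probability, not logical necessity. Counterexamples: the German Volkszählungsurteil 1983 (constitutional review interrupted path dependency), Estonia X-Road (cryptographic logging keeps the infrastructure from becoming invisible), the UK ID Card abolition 2010 (a strong civic movement and change of government reversed layering), the US CAB abolition 1985 (industry pressure and bipartisan consensus reduced scope at the institutional layer). Finding The three mechanisms in aggregate produce a "strong tendency," not a "logical necessity"; slippage can be reversed when reverse institutional pressure appears; in some political cultures Nordic displacement replaces the form of layering but does not replace the outcome of expansion (the Swedish personnummer trajectory), so institutional design form and expansion outcome do not correspond one-to-one. Formal P(expand clause binding) f(P path, P invisible, P layering) P i probability language P i logical necessity reverse pressure i P i interrupted (case-specific constitutional review path lock technical affordance invisibility civic movement regime change layering) #pillar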

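<P4>: Title Sunset, Scope-Bound, Split-Key, Opt-Out by Design (the MVSR three-piece set plus reinforcement) Section 5 — Four cross-level prevention tools Role Provides the implementation basis: without showing concrete implementable clauses, "cross-level combination" is an abstract claim. The four tools are written as concrete clauses that legislators can copy directly, that W3C, IETF and EUDI ARF can write directly into annexes, and that cryptography implementers can build directly into a reference implementation; each tool's failure mode is also listed honestly, to be absorbed by the other tools. (a) Sunset clauses (legal layer): Australia's Legislation Act 2003 §50A as template, automatic lapse rather than periodic review (cross-domain survival-rate data from Schoenmaker and Wierts, Davis 2017); mandatory Sunset Audit Report obligation. Failure mode: extension under political pressure (the history of repeated extensions of PATRIOT Act §215). (b) Scope-bound (cryptographic layer): IETF SD-JWT VC, KB-JWT, audience claim, selective disclosure (W3C VCDM 2.0, EUDI ARF v1.4/1.5, AB1043 §22585(b)). Failure mode: verifiers colluding to recombine attributes (Ohm 2010, broken anonymization); wallet-side aggregation control as a countermeasure is under research. (c) Split-key (governance and cryptographic layer): (k=4, n=7) Pedersen VSS, BLS threshold (Shamir 1979, Pedersen 1991, BLS 2001, FROST 2020); shareholders span seven categories: supervisory authority, audit authority, legislature, civil society, academia, mutual recognition authority, vendor; the shareholder replacement threshold is higher than the daily threshold. Failure mode: de facto centralization (Parity, Multichain, Ronin, DAO governance post-mortems). (d) Opt-out by design (legal, UX and engineering, three layers): CCPA §1798.135, GDPR Art. 17 right to erasure; symmetry principle (withdrawal must not be harder than registration); GPC signal support; log retention limit, differential privacy, backup auto-expiry. Failure mode (most serious): dark patterns (Mathur et al. 2019), residual logs, incomplete removal from derived analytics (Netflix re-identification, Narayanan and Shmatikov 2008). Finding MVSR tier 1 (the three-piece set of sunset, scope-bound, split-key) is mandatory, tier 2 (opt-out) is strongly recommended, tier 3 (constitutional protection) is the ideal condition. Every tool has a failure mode; used in combination, each failure mode is absorbed by another tool. Opt-out is the weakest of the four tools, but it remains the citizen's last bargaining chip. Formal MVSR optimal Layer₁ Layer₂ Layer₃ recommended(Layer₄) failure(Layer₁ sunset extended) absorbed by Layer₂ Layer₃ (even if the sunset is extended, scope-bound and split-key block functional expansion) failure(Layer₂ verifier collusion) absorbed by Layer₄ (citizens can exit a specific verifier) failure(Layer₃ de facto centralization) absorbed by Layer₁ (sunset forces periodic re-deliberation of the legitimacy of centralization) failure(Layer₄ dark pattern) absorbed by Layer₁ Layer₂ Layer₃ (the other three layers block data from entering derived analytics) #pillar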

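<P5>: Title High consistency at the level of normative text (pending a 5 to 10 year stress test) Section 6 — EUDI ARF and AB1043 as prima facie early evidence Role Provides the abductive basis: without assessing early evidence candidates, "prevention tools are effective" is a claim based on reverse inference. EUDI ARF v1.4/v1.5 adopts four clauses: minimum disclosure, unobservability, no phone home, scope binding; California AB 1043 §22585(b) establishes the attribute-bounded model and §22585(e) a liability shift. Both have been live for under 3 years while the path dependency time constant is 5 to 10 years, so "no slippage" and "not yet slipped" cannot currently be distinguished. EUDI ARF v1.4/v1.5 (accompanying Regulation (EU) 2024/1183) 4 6: minimum disclosure, unobservability, no phone home, scope binding; of the recommendations in EDPB EDPS Joint Opinion 2 2023, some were adopted (unlinkability and minimum disclosure written in) and some were not (mandatory use of pairwise pseudonyms is not explicitly required). AB 1043 (2023, Cal. Civ. Code §22585): under §22585(b) an age verification system may transmit only a single boolean signal (age X) and is prohibited from transmitting a specific age, birthdate or other attributes; the §22585(e) liability shift moves liability for exceeding scope onto the verifier; accompanied by the §1798.135 CCPA opt-out and GPC signal and the strict §1798.140 de-identified boundary. Limits of the evidence: (1) time-constant limit (under 3 years vs 5 to 10 years); (2) no slippage stress test yet (change of government, national security incident, cross-border crisis); (3) the level jump from normative text to enforcement behavior (the German nPA shows that text can be slowly hollowed out at the enforcement layer); (4) sample-size limit (two cases cannot support induction across countries and domains). Finding Prima facie conclusion: the existing early evidence has not yet falsified the H1 prevention-tool hypothesis, and the ARF and AB1043 clauses show high consistency with slippage-prevention doctrine at the normative level. This gives a reasonable candidate basis for the policy recommendation "should be written in," but makes no claim of "verified effective." Four key nodes require ongoing observation: the ARF Implementing Acts, the first substantive enforcement of California AB 1043, differences in local implementation across EU member states, and the weakest link in cross-border mutual recognition. Formal ARF v1.5 minimum disclosure, unobservability, no phone home, scope binding AB1043 22585(b) attribute bounded 22585(e) liability shift but uptime 3yr path constant 5 10yr falsified(H1) verified(H1) status prima facie support (pending ongoing observation) #pillar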

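<Causal Chain>: Title The six-step causal chain of slippage formation: from original construction purpose to expanded use T0 (deterministic) Identity infrastructure is built for an original limited purpose (Aadhaar welfare delivery, SSN tax, eIDAS electronic signatures, China real-name network filing) T1 (deterministic) Increasing returns lock in path dependency: as CIDR, the number system, the trust list and the user database accumulate, the marginal cost of building a replacement rises exponentially T2 (deterministic) Once the institution is stable it becomes invisible: the infrastructure is treated as a natural fact rather than a political choice, and the trigger for public deliberation fails (SSN 90 years of invisibility, Aadhaar 5 years of invisibility) T3 (probabilistic) New policy demands are layered onto the existing system: one of the three forms drift, layering, conversion occurs (mandatory SIM linkage, Medicare identification, wallet scope expansion, health code), and layering needs only a marginal majority T4 (probabilistic) If legal or technical binding is absent, the expansion channel widens: either a legal clause or technical binding is enough to slow it significantly (Austrian sourcePIN, German nPA in part), while dual absence produces strong expansion pressure T5 (probabilistic) Reverse institutional pressure can reverse it when it appears: constitutional review interrupts path lock (Volkszählungsurteil), technical affordance refuses invisibility (X-Road audit log), civic movement and change of government reverse layering (UK ID Card abolition) #chain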

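[Deployment Conditions]: Legitimate deployment of MVSR prevention clauses must satisfy three constraints: the four-component layered defense, complementary absorption of the four failure modes, and the pre-construction time window. deploy(MVSR, I) viable (Layer₁ Layer₂ Layer₃) recommended(Layer₄) i,j absorb(failure mode(Layer i), Layer j) pre construction phase(I) #conditions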

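<C1>: Title Layer 1 — Sunset clauses (legal layer) 5 to 7 year automatic lapse (not periodic review), with the burden of proof assigned to the continuing party; mandatory Sunset Audit Report submitted to the legislative layer; Australia's Legislation Act 2003 §50A provides the template. Failure mode: extension under political pressure (PATRIOT §215). Formal Layer₁ sunset period 5, 7 yr automatic lapse audit report required #condition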

<C2>: Title Layer 2 — Scope-bound infrastructure (cryptographic and standards layer) Mandatory SD-JWT VC, KB-JWT, audience claim, selective disclosure; EUDI ARF v1.4/v1.5 and AB 1043 §22585(b) provide clause templates; verifiers in violation may not receive credentials. Failure mode: verifier collusion for recomposition (Ohm 2010). Formal Layer₂ credential c c (SD JWT VC KB JWT audience claim selective disclosure) #condition

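<C3>: Title Layer 3 — Split-key governance (governance and cryptographic layer) (k=4, n=7) Pedersen VSS, BLS threshold; shareholders span seven categories: supervisory authority, audit authority, legislature, civil society, academia, mutual recognition authority, vendor; the shareholder replacement threshold is higher than the daily threshold. Failure mode: de facto centralization (Parity, Multichain, Ronin). Formal Layer₃ issuer key (k, n) Pedersen VSS shareholder class 7 categories replacement threshold daily threshold #condition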

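<C4>: Title Layer 4 — Opt-out by design (legal, UX and engineering, three layers) Explicit exit right in personal data law (CCPA §1798.135 and GDPR Art. 17 as templates); symmetry principle (withdrawal must not be harder than registration); GPC signal support; log retention limit, differential privacy, backup auto-expiry. Failure mode (most serious): dark pattern, residual log (Mathur 2019, Netflix re-id). Formal Layer₄ opt out (legal right symmetry GPC signal log retention limit DP processing backup auto expiry) #condition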

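<C5>: Title Failure-mode complementary absorption Layer₁ extension: Layer₂ and Layer₃ prevent functional expansion; Layer₂ verifier collusion: under Layer₄ the citizen exits a specific verifier; Layer₃ centralization: the Layer₁ sunset periodically re-deliberates; Layer₄ dark pattern: Layer₁, Layer₂ and Layer₃ prevent data from entering derived analytics. Each failure mode has a corresponding absorption mechanism. Formal Layer i, Layer j (i j) absorb(failure mode(Layer i), Layer j) #condition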

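<C6>: Title Time Window — The pre-construction political opportunity window MVSR clauses must be written during the specification drafting phase; clauses added after construction face exponentially rising political cost (for the German nPA, adding clauses after deployment is nearly impossible; after 90 years the SSN's expanded scope still cannot be fully retracted; for Aadhaar, under Puttaswamy II, courts can only reduce scope after the fact and cannot reset the clauses). Current windows: EUDI ARF v1.5 Implementing Acts, the Taiwan digital credential wallet pilot, California AB 1043 secondary, UK OSA secondary. Formal preset clauses(I) viable pre construction phase(I) path dependency lock(I) post construction clauses(I) political cost(t) exponential #condition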

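<Conclusion>: Structural slippage is a strong tendency, not a logical necessity. The triangle of path dependency, infrastructure invisibility and institutional layering in aggregate produces a high probability of expansion, but all three mechanisms are probabilistic language; reverse institutional pressure (constitutional review, strong civic movement, cross-national comparative pressure, structural limitation from technical affordance) can reverse slippage in multiple historical cases. The four high-expansion cases (Aadhaar, SSN, eIDAS, China real-name), together with six counterexamples (Austrian sourcePIN, with no law but technical binding; German nPA, with law but no technical binding; German Volkszählungsurteil 1983; Estonia X-Road; UK ID Card abolition; US CAB abolition), simultaneously falsify the two extreme misreadings of "structural necessity" and "weak political will." The debate should shift from "slippage is necessary vs. contingent" to "timing and level combination of clause writing." The MVSR four-layer layered defense (sunset, scope-bound, split-key, opt-out by design), written in before construction, can significantly raise the marginal cost of expansion; each tool's failure mode is absorbed by another tool (sunset extension by scope-bound and split-key, verifier collusion by opt-out, centralization by sunset, dark pattern by the first three layers). EUDI ARF v1.4/v1.5 and California AB 1043 are two prima facie early evidence candidates, but 5 to 10 years of slippage stress testing are needed before verified effectiveness can be claimed. A cross-level principle runs throughout: the timing of writing determines clause effectiveness, and the pre-construction political opportunity window closes on a timescale of months and of political circumstance and will not wait for academic research to complete. This article extends the "structural conditions vs. individual will" mode of judgment of article 06 ("civic burden redistribution"), article 07 ("passport-rooted paradox") and article 11 ("wallet as essential facility"), applying the same analysis to the causal mechanisms of slippage and to preventive institutional design, and forms cross-article coupled arguments with article 09 ("BankID Nordic commercial monopoly") and article 12 ("no-phone-home engineering economics"): the political-economic character of infrastructure reappears on every issue. Returning the politics of slippage to politics requires not more warnings but translating warnings into clauses that can be written concretely into specifications. Formal Coda Final form Strong Tendency Theorem (STT) I P(I expands legal binding reverse pressure) 0.85 to 1.0 (4 cases 14 90 yrs empirical) Weak Necessary Condition (WNC, corrected from intake) expansion(I) threshold legal clause(I) technical binding(I) Three Mechanism Aggregate P(expand clause binding) f(P path, P invisible, P layering) P i probability language logical necessity MVSR Layered Defense slippage threshold Layer₁ Layer₂ Layer₃ recommended(Layer₄) Layer i Layer j (i j) absorb(failure mode(Layer i), Layer j) Time Window preset clauses(I) viable pre construction phase(I) post construction clauses(I) political cost(t) exponential Prima Facie Evidence Limit ARF v1.5, AB1043 candidate evidence uptime 3yr path constant 5 10yr distinguish(no slip, not yet slip) status prima facie support, pending 5 to 10 year stress test Cross-article coupling article 06.civic burden slippage amplifies asymmetric redistribution of civic burden article 07.SRP slippage formation pathway within sovereign containers for ID article 09.NCT BankID special slippage form under commercial monopoly article 11.essential fac market structure support for wallet slippage article 12.IDT phone-home as the engineering channel for slippage #conclusion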

# Deployment Conditions

[Deployment Conditions]
  + <C1>
  + <C2>
  + <C3>
  + <C4>
  + <C5>
  + <C6>

# Objections And Replies

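[Objection 1]: Nihilism (since slippage will happen, simply do not build identity infrastructure). The objection's claim is that "any centralized identity infrastructure will expand once built, and institutional design tools are a placebo that delays slippage; the rational conclusion is not to build at all and to substitute SSI and ZKP." Strongest supporters: the cypherpunk tradition (May 1992, Hughes 1993), anarcho-capitalists (Friedman 1989), post-Snowden radical skepticism (Greenwald 2014, Lyon 2014). But test it against the counterfactual: if the G20 stopped building any new centralized identity infrastructure from 2026, the 1.4 billion unbanked adults estimated by World Bank Findex 2021 would grow by 200 to 400 million because of verification difficulties; cross-border employment compliance costs would rise 30 to 50%; the annual cost of synthetic identity fraud estimated by the US Federal Reserve (about USD 20 billion in 2020) would grow several-fold; and private-sector substitutes (Apple ID, Mastercard ID, platform accounts) would fill the gap, but with governance quality below that of democratic state systems. #objection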

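<Reply 1>: Title Nihilism (since slippage will happen, simply do not build identity infrastructure) The "do not build" objection not only fails to support "prevention is impossible," it provides the strongest argument that "not building has concrete normative costs": Anderson's Private Government shows that "not building" shifts governance costs onto the most vulnerable; Habermas's Between Facts and Norms shows the normative argument for infrastructure as a public good; as for SSI and ZKP, ZKP computation on low-end Android devices takes an unstable 5 to 30 seconds, BBS issuer-side computation cost is still higher than traditional PKI, and distributed trust anchors have a key recovery problem. The question of "whether to build" has already been answered by the real needs of civil society; the remaining question is "how to build." #reply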

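[Objection 2]: The Public Choice critique of sunset (PATRIOT Act §215 proves sunsets get extended). The objection's claim is that "sunset clauses get extended under political pressure, and PATRIOT Act §215 is the classic counterexample; administrative bureaucrats have strong incentives to rent-seek and retain power (Niskanen 1971); lobbying groups dissipate institutional constraints (Olson 1965); legislators themselves have incentives to extend (Buchanan and Tullock 1962)." The most refined version advances a category-mistake thesis: sunset is institutional theatre, and what actually works is change of government, judicial review and civic movements. But there is cross-domain empirical data: a 38% automatic lapse rate for sunsets under Australia's Legislation Act 2003 §50A (Davis 2017); in financial regulation, the lapse rate of automatic-lapse sunsets is significantly higher than under periodic review (Schoenmaker and Wierts 2011); and real cases of repeal by sunset (the US Independent Counsel Act 1999, partial lapse of Australian control orders, Canada's Anti-terrorism Act 2007). #objection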

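<Reply 2>: Title The Public Choice critique of sunset (PATRIOT Act §215 proves sunsets get extended) The "sunsets get extended" objection not only fails to support "institutional theatre," it provides the strongest argument for "sunset combined with layered defense": when sunset is combined with scope-bound and split-key, functions cannot expand even if an extension passes; the lapse of the Independent Counsel Act in 1999 was precisely the result of support from accompanying accountability clauses. "Gets extended" also does not mean "ineffective": the extension process itself creates a window for public discussion and raises marginal cost (each of the repeated extensions of PATRIOT Act §215 was accompanied by ACLU and EFF opposition campaigns, and the partial revision in the 2015 USA Freedom Act took back part of the bulk metadata collection power). Adding together the full lapse rate, the partial revision rate and the marginal restraining effect, the political-economic effect of sunset is far higher than a two-ended comparison against "total lapse" suggests. #reply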

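[Objection 3]: EUDI ARF and AB1043 are too new to support any conclusion. The objection's claim is that "both cases have been live for under 3 years while the path dependency time constant is 5 to 10 years; the current 'no slippage' cannot be distinguished from 'not yet slipped'; using prima facie evidence to support policy recommendations is a premature conclusion." This is a serious methodological criticism that this article must face honestly. But acknowledging the limits of the evidence does not in itself negate the policy significance of prima facie evidence: (1) the clause design at the level of normative text is highly consistent with slippage-prevention doctrine, an argument independent of time in operation; (2) the clause structure of ARF and AB1043 is itself based on reverse inference from the preceding four historical cases (Aadhaar, SSN, eIDAS, China real-name); (3) the policy recommendation is addressed to identity infrastructure currently being planned (Taiwan DIW, UK OSA secondary legislation, California OpenCred, etc.), not to systems already built. #objection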

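<Reply 3>: Title EUDI ARF and AB1043 are too new to support any conclusion The "sample size too small" objection not only fails to support "policy recommendations are premature," it provides an argument for "ongoing observation is needed while simultaneously writing clauses into new infrastructure": if 5 to 10 years must pass before prevention tools can be confirmed effective, all identity infrastructure being planned during that period will miss the pre-construction time window. Rational policy decisions have to be made under imperfect evidence; prima facie evidence, the reverse causal argument and cross-level complementary design are in aggregate sufficient to support the policy recommendation "write MVSR clauses into new infrastructure," while preserving the academic discipline of "ongoing observation and preparation for revision." #reply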