Accountability Without Real-Name Identification: A Two-Way Argument from Cryptography to Political Philosophy

§ 1. Introduction: The Two-Layer Trust Model and the Core Problem

Contemporary debates over the design of digital identity systems are often reduced to a binary opposition between “real-name” and “anonymous” approaches. This reduction obscures a more refined structural question. Identity systems are in fact composed of two superimposed layers of trust mechanisms. The lower layer concerns issuance legitimacy—the question of whether the issuance of an identity credential satisfies the relevant normative conditions. The upper layer concerns exchange architecture—how credentials are presented, verified, selectively disclosed, and conditionally opened at the scene of civic action. Once the two layers are examined separately, the apparently mutually exclusive properties of “anonymity” and “accountability” can be assigned to distinct layers in institutional design and need not crowd each other out at a single interface. Put differently, many long-standing controversies may originate in the conflation of upper-layer selective disclosure with lower-layer issuance conditions, or, conversely, in treating lower-layer traceability as if it imposed an upper-layer disclosure obligation.

Three questions follow from this two-layer framing. First, does accountability in the sense relevant to democratic constitutionalism constitute an antecedent condition (requiring participants to complete natural-person identity binding before entering civic action), or a consequential condition (requiring that, in the event of a rule violation, traceability and sanctioning procedures be available for activation)? Second, can the family of accountable pseudonymity primitives accumulated in the cryptographic literature since the 1990s—including openable group signatures, accountable subgroup multisignatures, accountable ring signatures, anonymous credentials with revocation, and threshold group signatures—bear the burden, at the level of political economy, of conditional ex post opening? Third, which configurations of opening thresholds, distributions of opening authority, and chains of opening evidence in civic action satisfy due process, and which do not?

The argument proceeds as follows. Section 2 reconstructs the structural features of accountability through political-philosophical analysis. Section 3 examines the maturity stratification of cryptographic mechanisms. Section 4 surveys legal precedent to identify institutional templates and the limits of their portability. Section 5 verifies the paradigm-degradation consequences of opening-authority concentration through counter-examples. Section 6 develops a boundary reversal analysis that converts what would be the strongest expected objections into supports for the main argument. Section 7 synthesizes the propositions and delimits remaining open problems. The argument adopts a bidirectional structure: it descends from political-philosophical foundations to engineering design requirements, and simultaneously ascends from cryptographic engineering to conditions of political economy. The two lines converge at the interface of opening-authority distribution.

§ 2. Political-Philosophical Foundations: The Consequential Nature of Accountability and the Identification Distinction

In democratic theory, the dual-structure analysis of accountability has commanded substantial consensus since Schedler (1999) and Bovens (2007). The core requirements of accountability are answerability and enforceability: the former requires actors to provide explanations when challenged; the latter requires that, when explanations are not accepted, sanctions may be imposed.¹ This structure points, by definition, to procedures that occur after an event has taken place; it makes no antecedent identity demand. Mulgan (2000), in his conceptual-history survey, notes that although the term “accountability” has expanded in use, its core remains a relation of “ex post traceability.”²

The accumulation of procedural due process jurisprudence in U.S. case law within the liberal tradition supports the same structural conclusion. Talley v. California, 362 U.S. 60 (1960), struck down a California municipal ordinance requiring leaflets to bear the author’s name. NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958), confirmed that associational anonymity falls within First Amendment protection. McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995), extended core protection to anonymous political speech.³ The shared logic of these three cases is the rejection of constitutional compulsion to bind natural-person identity prior to participation, while preserving the place of accountability itself within ex post procedures. Doe v. Cahill, 884 A.2d 451 (Del. 2005), and Dendrite International v. Doe No. 3, 775 A.2d 756 (N.J. Super. App. Div. 2001), established a five-factor standard for unmasking procedures. This standard presupposes a critical structure: behind the scenes, there exists a dynamic pseudonymous identification (a system-internal handle that can be identified and, through judicial procedure, linked to a natural person ex post), while at the front, there is no real-name identification (no ex ante binding of legal name).⁴

This distinction has frequently been blurred in the literature; the present article employs it as a basic conceptual tool. What jurisprudential history has rejected is limited to ex ante real-name binding; behind-the-scenes pseudonymous traceability has not been rejected to the same degree. The judicial unmasking threshold for online speech in Doe v. 2theMart.com, 140 F. Supp. 2d 1088 (W.D. Wash. 2001), rests on this distinction. The court required platforms to disclose pre-existing behind-the-scenes identifying information only when specified conditions were met; it did not require platforms to bind real names at the user-registration stage.⁵ Making this conceptual distinction explicit clarifies that what is opposed is antecedent real-name binding; the place of behind-the-scenes dynamic identification within the constitutional accountability structure remains acknowledged.

Within the republican tradition, Pettit (1997, 2012) proposes contestability as the institutional guarantee mechanism for non-domination as a conception of freedom. Contestability requires that the exercise of public authority remain always open to challenge by citizens.⁶ Although contestability might appear to require identification, Pettit treats power-holders and power-subjects asymmetrically in Chapter 6 of On the People’s Terms. Institutional-level power-holders must be identifiable, must be challengeable, and must be replaceable; citizens as power-subjects bear no corresponding obligation.⁷ This asymmetry is critical for the main argument: extrapolating individual-level conclusions to “institutional-level power-holders may also be anonymous” does not hold. The valid range of the political-philosophical argument is therefore limited to the side of “citizen participation,” while requirements of institutional-level identifiability are preserved as an independent counter-thesis.

Three limitations on the normative strength of the foregoing claims must be acknowledged. First, the cited precedents are normative claims, not universal empirical descriptions. Buckley v. Valeo, 424 U.S. 1 (1976), and Doe v. Reed, 561 U.S. 186 (2010), both acknowledged that compulsory ex ante disclosure may be permitted where there is sufficient public interest.⁸ Second, Etzioni’s (2015) communitarian critique reminds us that absolute anonymity, in certain community-safety scenarios, conflicts with mosaic theory.⁹ Third, Sagar (2013) provides a thorough analysis of how ex post accountability at the state level fails under conditions of systemic secrecy, indicating that consequential accountability structures require additional institutional reinforcement when confronting state secrecy.¹⁰ These three limitations jointly indicate that the consequential nature of accountability is a default tendency rather than an absolute thesis; its institutional realization depends heavily on subsequent engineering and political-economic conditions.

§ 3. Cryptographic Engineering: A Maturity Stratification of the Accountable-Pseudonymity Family

Beginning with Chaum (1985) and Chaum & van Heyst (1991), cryptographic constructions have provided the basic tools for implementing “ex post openable pseudonymity.”¹¹ In what follows, the four-decade accumulation is evaluated through a four-tier stratification: the theoretical layer, the standardization layer, the implementation layer, and the governance layer. The purpose of stratification is to avoid common confusions—namely, reading “theoretically exists” as “already deployed,” or reading “already deployed” as “governance-capable.”

L1 — Theoretical Layer, is firmly established. The formal definition and security proofs of anonymous credentials appear in Camenisch & Lysyanskaya (2001, 2002); subsequent variants support zero-knowledge presentation and selective disclosure of attributes.¹² The formalization of group signatures was completed by Bellare, Micciancio & Warinschi (2003), with dynamic extensions handled by Bellare, Shi & Zhang (2005); the BBS construction of Boneh, Boyen & Shacham (2004) achieved a breakthrough in efficiency.¹³ Accountable subgroup multisignatures were introduced by Micali, Ohta & Reyzin (2001); accountable ring signatures were advanced by Xu & Yung (2004) and Bootle et al. (ESORICS 2015).¹⁴ Camenisch, Drijvers, Lehmann, Lyubashevsky & Towa (SCN 2020) provided a short-signature construction for threshold dynamic group signatures, enabling cryptographic distribution of opening authority among multiple parties.¹⁵ The core conclusion at the L1 layer is that, in the cryptographic sense, “conditionally openable ex post pseudonymity” is a mature family of primitives whose existence is not in dispute.

L2 — Standardization Layer, exhibits a state of partial maturity. BBS+ has entered the IETF CFRG and the W3C Data Integrity BBS Cryptosuites v1.0 CRD (2026-04-07); SD-JWT was finalized at the IETF as RFC 9901 (2025-11).¹⁶ ISO 18013-5 mDL Part 2 DIS is still under development; W3C Bitstring Status List v1.0 became a 2025 Recommendation.¹⁷ The EU EUDI ARF (2025-12 Cooperation Group iteration; historically with v1.4 as a stable snapshot) continues to take SD-JWT VC and mdoc as its core, with BBS+ as a candidate but not mandatory.¹⁸ The L2 layer reveals a fact not synchronized with L1: the existence-level conclusions of cryptography do not necessarily translate into proportional advances in the standardization process. The political-economic dynamics of standardization—vendor interests, legacy deployments, interoperability demands—exert substantive pressure on privacy properties such as unlinkability.

L3 — Implementation Layer, exhibits substantial imbalance. Among anonymous credential families that have been deployed at billion-user scale, the dominant category is KVAC (Keyed-Verification Anonymous Credentials), found in the Signal Private Group System, Tor’s lox mechanism, Cloudflare’s Privacy Pass, and ARC deployments.¹⁹ Although BBS+ has progressed through standardization, it has not yet entered the production environment of mainstream identity wallets. Direct Anonymous Attestation (DAA) is another large-scale case; its construction, proposed by Brickell, Camenisch & Chen (CCS 2004), has been deployed across hundreds of millions of TPM chips along with the ISO/IEC 11889 series, but DAA does not include an opener.²⁰

The deployment record of DAA reveals a political-economic paradox worth tracking. Industry acceptance of opener-free DAA is extremely high; acceptance of open-by-design BBS+ is markedly lower. One reasonable observation is that when the legal bearer of opening authority is unclear, vendors prefer the “no one can open” design to avoid bearing potential litigation and political pressure. This observation is offered here as a hypothesis; it has not been systematically verified and requires further case-tracking to clarify its causal mechanism. No strong causal claim about this paradox is asserted here.

L4 — Governance and Political-Economic Layer, constitutes the critical bottleneck. Threshold opening is engineerable in the cryptographic sense; Boneh & Komlo (CRYPTO 2022) provide Threshold Accountable Private Signatures (TAPS), which addresses, at the engineering-design level, the “responsibility-dispersion paradox”—the concern of critics that m-of-n opening leads to no one bearing responsibility.²¹ The key feature of TAPS is that each signatory’s participation leaves an auditable record; opening events can be individually traced to each co-signatory, and each can be held to bear their own responsibility.²² However, the long-term independence of key custodians, the procedural design of proactive resharing, and cross-jurisdictional cooperation mechanisms—these issues have almost no empirical deployments available for reference. Doerner, Kondi, Lee, Shelat & Tyner (IEEE S&P 2023) provide an engineering blueprint for distributed issuance via Threshold BBS+, but empirical governance records remain to be accumulated.²³

The L1-to-L4 stratification points to one conclusion: “Accountable pseudonymity is cryptographically feasible” and “Accountable pseudonymity is deployable as a matter of governance” are two distinct propositions. The bottleneck for the latter lies beyond the existence problem of cryptographic primitives, in three layers: standardization dynamics, issuer-incentive design, and the political-economic structure of opening authority. Locating the contribution of the present argument at L4 both avoids duplicating existing cryptographic work and directly engages the controversies driving actual deployment.

§ 4. Institutional Templates and Three Asymmetries

Democratic constitutionalism has long coordinated privacy and accountability through institutional designs for “conditional opening of privacy.” Five families of institutional precedent can be identified. First, search warrants under the Fourth Amendment. Second, the sealed-indictment and grand-jury secrecy regime under Federal Rules of Criminal Procedure Rule 6(e). Third, the Witness Security Program (WITSEC) under 18 U.S.C. §§ 3521–3528. Fourth, the John Doe pseudonymous-litigation procedure articulated in the line from Doe v. Cahill through Doe v. 2theMart.com. Fifth, the protection of anonymous donations and association articulated in the line from Buckley v. Valeo through NAACP v. Alabama and McIntyre.²⁴ Each family has its own normative emphasis, but they share a strikingly similar procedural architecture.

Across the five families, four structural features recur. First, opening authority and review authority are held by multiple independent agencies. For example, search warrants must be reviewed by a magistrate and executed by law enforcement; sealed indictments must pass through the grand jury and prosecutor and be supervised by the federal court. Second, opening triggers must be defined in advance with explicit language—for example, probable cause, specific articulable facts, or clearly identifiable legal interest. Third, the opening procedure carries traceable internal audits, including warrant records, court filings, appellate review, and supervisory review by higher courts. Fourth, when conditions are met, the ex post opening or disclosure carries an explicit procedural path and evidence chain, leaving little room for arbitrary administrative discretion.²⁵ These four features jointly form an institutional structure that can be mapped onto engineering design: a closed loop of multiparty authority, explicit thresholds, auditability, and conditional execution.

Cross-jurisdictional comparison further demonstrates the generality of this institutional family. The U.K. Contempt of Court Act 1981 designed an analogous conditional-opening structure between the principle of open justice and the protection of parties. The German Federal Constitutional Court established multiparty review requirements for Quellen-TKÜ and communications-data retention through the Online-Durchsuchung line of decisions, including BVerfGE 120, 274 (2008). France’s Loi du 4 janvier 2010 codified the conditional-disclosure procedure for the protection of journalistic sources. Taiwan’s Judicial Yuan Council of Grand Justices Interpretations Nos. 384, 396, 418, 436, 709, 762, and 805 established analogous frameworks of due-process review.²⁶ The EU Whistleblower Directive 2019/1937 and Dodd-Frank § 922 provide contemporary design templates for institutional transplantation of conditional opening—preserving the anonymity of parties while reserving a procedural window for conditional ex post disclosure.²⁷

However, directly analogizing this institutional family to threshold-opening designs runs into three asymmetries. The first asymmetry concerns sovereign scope. Courts’ separation-of-powers structure operates within a single sovereign, whereas threshold-key designs are often cross-sovereign, with key custodians distributed across multiple jurisdictions. The second asymmetry concerns the nature of stakes. The “multiple parties” in courts are differentiated by role (prosecutor, judge, grand jury each have distinct functions)—heterogeneous stakes. The “multiple parties” presupposed by threshold-key designs are often homogeneous stakeholders lacking endogenous role-based checks. The third asymmetry concerns the basis of enforcement. Court enforcement depends on the physical infrastructure of state coercive power; threshold-key opening depends on mathematical guarantees, which cannot directly mobilize state violence in scenarios of sovereign conflict. Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016), regarding the U.S. dispute over warrants reaching Irish servers, and the subsequent CLOUD Act 2018, which responded through bilateral enforcement agreements, together confirm that sovereign boundaries impose substantive obstacles on judicial enforcement and that legislative responses take an agreement-based rather than unilaterally coercive form.²⁸ The three asymmetries imply that institutional transplantation is not a matter of simply “copying separation-of-powers structures onto cryptographic keys”; it requires the design of new role differentiations and cross-sovereign cooperation mechanisms.

Acknowledging these three asymmetries, the institutional-template argument adopts a weaker version. The search-warrant and adjacent families provide a legitimacy-argument template, but are difficult to view as institutional models that can be transplanted clause by clause; their contribution lies in supporting the structural claim that “conditional opening of privacy” has constitutional precedent. The specific transferability of particular clauses must be verified against the three asymmetries case by case. Pozen’s (2018) analysis of how the normative framework of transparency drifts under different political-economic conditions suggests that normative meaning may transform during institutional transplantation.²⁹ The Reality Winner case, in which a whistleblower’s anonymity failed; the cross-border conflict resolved by the CLOUD Act; and certain Twitter unmasking orders’ inadequacies under the Doe standard all show the limits of existing institutional templates in new scenarios.³⁰ In this sense, the institutional template provides a starting point for argument, but beyond that starting point, case-by-case examination is required of how specific threshold-opening designs handle cross-sovereign key custody, how role differentiation is established to avoid homogeneous stakes, and how the execution stage bridges the gap between mathematical guarantees and physical enforcement.

§ 5. Reverse Verification: Concentration of Opening Authority and Paradigm Degradation

If the main argument holds, a corresponding reverse proposition should be expected: when opening authority concentrates in a single agency, the system will exhibit paradigm degradation. This section verifies the reverse proposition through process tracing of five independent cases, distinguishing between mechanism-necessary and probabilistic causal inference.

The weak version of the proposition takes the following specific form: concentration of opening authority correlates strongly and positively with system paradigm degradation, and in at least the cases of Aadhaar India, China real-name systems, Worldcoin, South Korea’s 2007–2012 real-name regime, and certain biometric ID systems, explicit causal mechanisms can be traced. Compared with the control group of distributed key-custody systems—including the m-of-9 consensus of Tor Directory Authorities, the m-of-7 ceremony of the ICANN Root KSK, and certain threshold accountable signature deployments—the rate of degradation in concentrated-custody systems is significantly higher. This section relies on the weak version; the strong version (causal necessity of paradigm degradation) is treated as an extended hypothesis whose verification requires further QCA (Qualitative Comparative Analysis) cross-case studies. The process-tracing standards of Bennett & Checkel (2015) provide the methodological foundation for this weak/strong distinction, requiring each causal step to have observable implications and that alternative explanations be ruled out.³¹

The Aadhaar case provides a complete observation of a seven-step causal chain. At T0 (2009), the UIDAI design stage, opening authority was concentrated in a single administrative agency. At T1 (2012–2016), the scope of emergency opening authority under Aadhaar Act § 33 continued to expand. At T2 (2017), a leak event of 135 million records was exposed; The Tribune reported that for ₹500, in ten minutes, one could obtain the details of any Aadhaar holder.³² At T3 (2017), Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, confirmed privacy as a fundamental right. At T4 (2018–2019), even after the § 33(2) amendment, substantive enforcement persisted. At T5 (from 2023), empirical records of the use of Pegasus against journalists and of § 33 enforcement continued to accumulate.³³ Dissent on Aadhaar, edited by Khera (2019), and Drèze, Khalid, Khera & Somanchi (2017) on food security in Jharkhand, document the scale and mechanisms of exclusion harms—including denial of rations on grounds of fingerprint-authentication failure, and reductions in social-security payments on grounds of Aadhaar linkage failure.³⁴

Two types of inference within process tracing must be distinguished. Stages S0 through S2—the concentration of opening authority, the agency’s acquisition of unauditable de-anonymization capability, and structurally necessary events—are mechanism-necessary. Stages S2 through S4—data leakage, political instrumentalization, user-perceived collapse of pseudonymity—are probabilistic events whose occurrence depends on external triggers. Bennett & Checkel’s (2015) layered treatment of “structurally necessary” and “probabilistically transmitted” causal steps provides the methodological basis for this distinction.³⁵ The causal claims of this section extend only to the weak version, making no strong causal assertion that “concentration of opening authority necessarily produces degradation.” The value of the Aadhaar case is that at least the first three steps of its seven-step evolution are mechanism-necessary, while the subsequent four steps exhibit consistent directionality across the five independent cases, providing moderately strong support for the weak version.

The China real-name case provides a second causal chain. The Cybersecurity Law 2017 and the PIPL 2021 jointly constructed a systematic architecture of antecedent real-name identification. Roberts (2018) in Censored measures chilling effects, while Fu, Chan & Chau (2013) analyze the Weibo real-name policy and document shifts in user-behavior equilibria.³⁶ It should be noted that specific effect sizes in Fu et al. should be cited as “has been associated with” rather than “caused”; methodologically, this is at some remove from randomized controlled trials. The China case should therefore be viewed as evidence of mechanism observation and behavioral-shift correlation, not as strict causal verification.

The South Korea case offers a reverse correction. Between 2007 and 2012, South Korea imposed real-name commenting on websites with more than 500,000 daily active users; the Korea Constitutional Court, in 2010Hun-Ma252 (2012), found the policy unconstitutional.³⁷ Two points make this case significant. First, the real-name commenting regime, as confirmed by empirical research, did not significantly reduce malicious speech, yet significantly suppressed the vitality of public discussion. Second, its unconstitutionality reasoning corresponds directly to the direction of the main argument: antecedent identification failed to achieve its claimed accountability function and instead disturbed the core of associational freedom. The South Korea case provides direct normative and empirical support for the main argument.

The Worldcoin case provides a contemporary example of tension between cryptographic-construction design and political-economic consequences. Its centralized-opening structure triggered the Spanish AEPD’s precautionary measure in 2024; Buterin (2023) analyzed several governance risks of biometric proof of personhood, including centralized biometric collection, jurisdictional conflicts in cross-border deployment, and single-point concentration of Orb manufacturing and deployment.³⁸ At the political-economic layer, Worldcoin exhibits a pattern aligned with the DAA political-economic paradox; at the causal-mechanism layer, its long-term evolution remains to be observed, but early-stage signs of a degradation trajectory already appear in the short term. The two aspects are not mutually exclusive.

The control group—Tor Directory Authorities’ m-of-9 consensus, and the ICANN Root KSK’s long-term operation under m-of-7 ceremony—provides evidence that distributed-custody systems have not undergone equivalent degradation.³⁹ Both systems’ key custodians have longer organizational records and have established publicly auditable ceremonies and rotation mechanisms. While these cannot be regarded as strict counterfactual controls, they provide meaningful contrastive observations. Estonia’s X-Road is a boundary case; whether its key custody is cryptographically distributed or merely organizationally distributed remains to be confirmed through direct reading of the technical documentation.⁴⁰

The responsibility-dispersion paradox is a core challenge from opponents: when opening authority is distributed across multiple parties, does no one bear responsibility? At the engineering layer, this challenge has been resolved by Boneh & Komlo’s (CRYPTO 2022) TAPS, whose construction guarantees that each signatory’s participation leaves a cryptographically auditable record; opening events can be individually traced to each co-signatory.⁴¹ At the political-philosophical layer, the responsibility-dispersion paradox still requires careful argument. The m-of-n structure requires each key holder to bear individual political responsibility, and renders the decision-making process publicly contestable, thus exhibiting a design intent of distributing rather than evading responsibility. The engineering basis for this argument is in place via TAPS; its realization in political economy depends on further accumulation of organizational learning among key custodians—including independence reviews, regular rotation, and mechanisms for publicly recording the reasons for exercise of authority.

§ 6. Boundary Reversal: Narrow Boundaries, Strict Standards, and Procedural Firewalls

The main argument must confront three categories of expected strongest objections. The first is the demand by anti-money-laundering and know-your-customer (AML/KYC) regimes for control of criminal funds. The second is electoral-fraud prevention. The third concerns cross-border sanctions and scenarios of irreversible large-scale harm. This section addresses each in turn and offers an observation with somewhat counterintuitive implications: when these objections are rigorously examined, most of them defect to become evidence in support of the main argument. The section therefore treats “boundary domains” separately from “expansion-abuse domains,” the former being limited exceptions acknowledged by the main argument and the latter being restrained by six procedural firewalls.

AML/KYC reversal. Pol’s (2020) systematic survey indicates that global anti-money-laundering regimes affect less than 0.1 percent of criminal funds, with compliance costs exceeding recovered funds by more than one hundredfold; the principal burden falls on vulnerable populations and the unbanked.⁴² Halliday, Levi & Reuter (2024), in UC Irvine Journal of International, Transnational, and Comparative Law 4(1), arrive at the same conclusion from the perspective of transnational legal orders, and cite the IMF’s internal evaluation that “even the IMF acknowledges difficulty in articulating clear goals.”⁴³ The same article notes that the transnational legal order of AML far outpaces the measurement of effectiveness in the speed of rule-making; this gap corresponds precisely to the design absence identified by the main argument—distributed opening thresholds with auditability. Naylor (2002) and Levi (2020), in their long-term research on the criminal-money black market, further support this judgment: the real flow of criminal funds passes primarily through non-bank channels, cash economies, cross-border trade-invoice manipulation, and similar routes.⁴⁴ In other words, the KYC regime, as an antecedent identification mechanism, has failed to achieve its claimed crime-prevention function, while imposing substantial compliance costs and privacy losses. If institutions instead adopt attribute-proof combined with conditional ex post opening, the effectiveness of anti-money-laundering need not decline, while privacy and inclusivity can substantially improve.

The specific ”< 0.1 percent” figure cited from Pol remains contested in the literature; its methodology and measurement scope have generated discussion. The argument here takes Pol (2020) as the principal source and uses Halliday-Levi-Reuter (2024) and Levi (2020) as reinforcement. Even if Pol’s figure is relaxed to 1 percent, the cost-effectiveness asymmetry of AML/KYC remains substantial, and the directional conclusion of the main argument is unaffected.

Electoral-fraud reversal. Levitt’s (2007) Brennan Center survey indicates that, out of approximately one billion votes cast in the United States, only thirty-one credible impersonation cases could be identified—a rate of approximately 0.0003 to 0.0025 percent.⁴⁵ Hasen’s (2012) The Voting Wars arrives at the same directional conclusion through its long-term data integration.⁴⁶ Hajnal, Lajevardi & Nielson (2017) further show that antecedent voter ID has observable impact on minority voting rights.⁴⁷ A methodological caveat is warranted: Hajnal et al.’s measurement methodology has been subject to methodological critique by Grimmer, Hersh, Meredith, Mummolo & Nall (2018) in Journal of Politics 80(3), “Obstacles to Estimating Voter ID Laws’ Effect on Turnout”; their causal identification strategy remains under debate. Even on a conservative interpretation of the results, however, the negative externalities of antecedent voter ID on minorities remain observable.⁴⁸ Crawford v. Marion County Election Board, 553 U.S. 181 (2008); Shelby County v. Holder, 570 U.S. 529 (2013); and Brnovich v. Democratic National Committee, 594 U.S. ___ (2021) reflect the oscillations of U.S. courts on this issue; Issacharoff & Pildes (1998) and Pildes (2004) provide normative frameworks.⁴⁹ Antecedent real-name identification has been empirically demonstrated to address a nearly nonexistent problem in the electoral domain, while imposing observable suppression of voting rights. This reversal directly strengthens the main argument.

Narrow definition of boundary domains. When the three criteria—irreversibility, large scale, and immediate diffusion—are rigorously applied, the domains that genuinely fall within the boundary are nuclear proliferation, weapons proliferation, immediate biological threats, and the identification of role-specific personnel in critical infrastructure (operators, handlers). In such domains, antecedent identification has a complementary insurance value against irreversibility. Even in these domains, however, identification should target specifically identifiable subjects (operators holding particular authorities, handlers of particular dangerous substances), not universal real-name identification. Drezner (2003) and Early (2015) on targeted sanctions, together with Gostin & Wiley (2016) on the constitutionality of compulsory measures during public-health emergencies, provide design principles for narrow boundary domains—including minimal-necessary identification, periodic re-evaluation, and obligations to destroy identification data after the emergency ends.⁵⁰

Procedural firewalls. The three-criterion test has been historically subject to expansionary abuse. The USA PATRIOT Act, originally with a four-year sunset clause, has been extended over nineteen years; fourteen of its sixteen provisions have been made permanent. COVID-19 emergency powers exhibit stickiness across multiple jurisdictions. The scope of the AUMF (Authorization for Use of Military Force) has continually expanded beyond its original grant.⁵¹ These one-way-ratchet historical records require that boundary conditions themselves carry procedural firewalls. Drawing on the current institutional texts of FATF Recommendations 10 and 16, the NIS2 Directive 2022/2555, CISA 2015, and the NIST CSF 2.0, six operational rules of procedural firewall can be extracted. First, attack vectors must be concretely identifiable. Second, the cost-benefit test must be conducted symmetrically (quantifying privacy losses alongside identification benefits). Third, the cryptographic-alternative test must be passed (whether attribute proof, zero-knowledge presentation, and similar tools can achieve the equivalent regulatory goal). Fourth, mandatory sunset clauses with explicit review triggers. Fifth, multiple independent agencies must jointly hold opening authority. Sixth, ex post public-review mechanisms for opening records and for reasons given.⁵²

The six firewalls share a design purpose: to convert boundary conditions from “elastic clauses subject to expansionary abuse” into “limited authorizations with clear operational boundaries.” Cain’s (2014) long-term observations of U.S. political reform offer institutional-design references.⁵³ Once boundary conditions are incorporated into the argument, the content of the main argument becomes clearer. The proposition that accountability does not require real-name identification does not deny the necessity of any form of identification; the point is that the burden and benefits of identification must be symmetrically weighed in the overwhelming majority of civic-action scenarios. In the narrow domain where the three criteria are met, identification can be justified; even there, however, its implementation must comply with multiparty-custody and auditability design principles.

§ 7. Synthetic Proposition and Open Problems

The argument across the preceding sections converges on a synthetic proposition. Accountable pseudonymity is not a cryptographic achievement; it is a political-economic achievement. Cryptography is a necessary but not sufficient condition. In other words, the institutional configuration of opening-authority power determines whether cryptography can deliver on its political promise; the reverse does not hold. Section 2 provides the normative foundation: the consequential nature of accountability and the conceptual distinction between pseudonymous and real-name identification. Section 3 provides engineering feasibility: the L1-to-L4 maturity stratification and the DAA political-economic paradox. Section 4 provides the institutional template: the legitimacy-argument resources of the five families and the limits set by the three asymmetries. Section 5 provides reverse case evidence: process tracing of Aadhaar and four other independent cases for paradigm-degradation evidence, together with TAPS as the engineering response to the responsibility-dispersion paradox. Section 6 provides boundary-reversal analysis: under rigorous examination, AML/KYC and electoral-fraud objections defect to reinforce the main argument.

On the boundary of its claims, the present argument reserves three limiting conditions. First, the asymmetry between the individual and institutional levels must be strictly observed; institutional-level power-holder anonymity remains rejected under republican contestability. Second, processing within a single sovereign as against across sovereigns still awaits institutional innovation; the present argument restricts itself to single-jurisdiction scenarios, leaving cross-jurisdictional redress gaps to subsequent work. Third, the distinction between reversible and irreversible large-scale harm scenarios must be operationally bounded by the six procedural firewalls, lest boundary conditions be expansively abused to justify antecedent real-name identification.

The remaining open problems span several categories. At the political-philosophical level, Pettit’s explicit articulation of the individual/institutional identification asymmetry requires further interpretive confirmation, and Habermas’s specific position on the anonymous public sphere in Faktizität und Geltung § 8.3 requires direct reading of the German original. At the cryptographic-engineering level, the causal mechanism of the DAA political-economic paradox requires systematic verification, and the long-term usability of threshold-opening governance in cross-jurisdictional scenarios requires empirical-deployment accumulation. At the causal-mechanism level, the hypothesis that hybrid regimes are most vulnerable requires further QCA case verification; whether Estonia’s X-Road implements cryptographically distributed custody requires further direct reading of the technical documentation to confirm. At the institutional level, FATF Recommendation 16’s most recent stance toward zero-knowledge alternatives, and the EUDI ARF third-round implementing regulations’ final determinations on unlinkability clauses, both constitute policy nodes for further tracking.

The conclusion is a conditional proposition. The claim that accountability does not require real-name identification, on the side of “civic participatory action,” has a normative basis within the two dominant normative frameworks of liberal due process and republican contestability; it has feasibility support in cryptographic engineering from the family of primitives; it has institutional-design resources in legitimacy templates; it has reverse-case verification in causal mechanism; and in boundary scenarios it has reverse-reinforcement evidence. Its realization requires that the cryptographic capacity of opening mechanisms and the constitutional distribution of opening authority be satisfied simultaneously—neither alone suffices. The core of contemporary debates on digital identity systems can thus be re-positioned: from the binary opposition of “real-name versus anonymous” toward the question of “design quality of the political economy of opening authority.” A digital identity system that can carry the constitutional weight of accountability while protecting privacy through cryptography has its critical gate located in the multiparty-custody design of the L4 governance layer. Whether that gate succeeds or fails will determine whether the next generation of citizen identity infrastructure moves toward a surveillance architecture or toward an accountable pseudonymity regime with constitutional commitment.

References

Footnotes

1. Schedler, A. (1999). “Conceptualizing Accountability.” In A. Schedler, L. Diamond, & M. Plattner (Eds.), The Self-Restraining State: Power and Accountability in New Democracies. Lynne Rienner; Bovens, M. (2007). “Analysing and Assessing Accountability: A Conceptual Framework.” European Law Journal, 13(4), 447–468. Source level A. ↩

2. Mulgan, R. (2000). “‘Accountability’: An Ever-Expanding Concept?” Public Administration, 78(3), 555–573. Source level A. ↩

3. Talley v. California, 362 U.S. 60 (1960); NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958); McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995). Primary sources, level A. ↩

4. Doe v. Cahill, 884 A.2d 451 (Del. 2005); Dendrite Int’l v. Doe No. 3, 775 A.2d 756 (N.J. Super. App. Div. 2001). Primary sources, level A. ↩

5. Doe v. 2theMart.com, 140 F. Supp. 2d 1088 (W.D. Wash. 2001). Primary source, level A. ↩

6. Pettit, P. (1997). Republicanism: A Theory of Freedom and Government. Oxford University Press. Source level A. ↩

7. Pettit, P. (2012). On the People’s Terms: A Republican Theory and Model of Democracy. Cambridge University Press, ch. 6. Source level A. ↩

8. Buckley v. Valeo, 424 U.S. 1 (1976); Doe v. Reed, 561 U.S. 186 (2010). Primary sources, level A. ↩

9. Etzioni, A. (2015). Privacy in a Cyber Age: Policy and Practice. Palgrave Macmillan. Source level B. ↩

10. Sagar, R. (2013). Secrets and Leaks: The Dilemma of State Secrecy. Princeton University Press. Source level A. ↩

11. Chaum, D. (1985). “Security without Identification: Transaction Systems to Make Big Brother Obsolete.” Communications of the ACM, 28(10), 1030–1044; Chaum, D., & van Heyst, E. (1991). “Group Signatures.” EUROCRYPT 1991. Springer. Source level A. ↩

12. Camenisch, J., & Lysyanskaya, A. (2001). “An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation.” EUROCRYPT 2001. Springer; Camenisch, J., & Lysyanskaya, A. (2002). “A Signature Scheme with Efficient Protocols.” SCN 2002. Springer. Source level A. ↩

13. Bellare, M., Micciancio, D., & Warinschi, B. (2003). “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction.” EUROCRYPT 2003. Springer; Bellare, M., Shi, H., & Zhang, C. (2005). “Foundations of Group Signatures: The Case of Dynamic Groups.” CT-RSA 2005. Springer; Boneh, D., Boyen, X., & Shacham, H. (2004). “Short Group Signatures.” CRYPTO 2004. Springer. Source level A. ↩

14. Micali, S., Ohta, K., & Reyzin, L. (2001). “Accountable-Subgroup Multisignatures.” CCS 2001. ACM; Xu, S., & Yung, M. (2004). “Accountable Ring Signatures: A Smart Card Approach.” CARDIS 2004. Springer; Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., & Groth, J. (2015). “Foundations of Fully Dynamic Group Signatures.” ESORICS 2015. Springer. Source level A. ↩

15. Camenisch, J., Drijvers, M., Lehmann, A., Lyubashevsky, V., & Towa, P. (2020). “Short Threshold Dynamic Group Signatures.” SCN 2020. Springer. Source level A. ↩

16. W3C Data Integrity BBS Cryptosuites v1.0 Candidate Recommendation Draft (2026-04-07); IETF RFC 9901 (SD-JWT, 2025-11); IETF CFRG draft-irtf-cfrg-bbs-signatures. Source level A. ↩

17. ISO 18013-5 Mobile Driving Licence Part 1 (2021) and Part 2 DIS; W3C Bitstring Status List v1.0 (2025 Recommendation). Source level A. ↩

18. EU EUDI Wallet Architecture and Reference Framework, 2025-12 Cooperation Group rolling iteration (historical snapshots v1.4 / v1.5). Source level A. ↩

19. Chase, M., Perrin, T., & Zaverucha, G. (2020). “The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption.” CCS 2020. ACM; IETF RFC 9577 (Privacy Pass). Source level A. ↩

20. Brickell, E., Camenisch, J., & Chen, L. (2004). “Direct Anonymous Attestation.” CCS 2004. ACM; ISO/IEC 11889 series (TPM); ISO/IEC 20008-2. Source level A. ↩

21. Boneh, D., & Komlo, C. (2022). “Threshold Signatures with Private Accountability.” CRYPTO 2022. IACR ePrint 2022/1636. https://eprint.iacr.org/2022/1636. Source level A. ↩

22. Ibid., §§ 3–4 on the formal definition of the accountability property. Source level A. ↩

23. Doerner, J., Kondi, Y., Lee, E., Shelat, A., & Tyner, P. (2023). “Threshold BBS+ Signatures for Distributed Anonymous Credential Issuance.” IEEE S&P 2023. Source level A. ↩

24. Federal Rules of Criminal Procedure Rule 6(e); 18 U.S.C. §§ 3521–3528 (Witness Security); Buckley v. Valeo, 424 U.S. 1 (1976); NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958); McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995). Source level A. ↩

25. Federal Judicial Center, Sealed Cases in Federal Courts (2009); Tribe, L. H. (2000). American Constitutional Law (3rd ed., Vol. 1). Foundation Press. Source level A. ↩

26. UK Contempt of Court Act 1981; BVerfGE 120, 274 (2008) Online-Durchsuchung; Loi du 4 janvier 2010 relative à la protection du secret des sources des journalistes; Taiwan Judicial Yuan Council of Grand Justices Interpretations Nos. 384, 396, 418, 436, 709, 762, and 805. Source level A. ↩

27. EU Whistleblower Directive 2019/1937; Dodd-Frank § 922; US Whistleblower Protection Act 1989. Source level A. ↩

28. Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (vacated as moot, 138 S. Ct. 1186 (2018)); CLOUD Act, Pub. L. 115-141, Div. V (2018); Federal Rules of Criminal Procedure Rule 6(e); 18 U.S.C. §§ 3521–3528. Source level A. ↩

29. Pozen, D. E. (2018). “Transparency’s Ideological Drift.” Yale Law Journal, 128, 100–165. Source level A. ↩

30. Reality Winner case mainstream NYT coverage; EFF, “Twitter Lawsuit Against Government Censorship Demands,” and amicus briefs; CLOUD Act cross-border conflict literature. Source level B/C. ↩

31. Bennett, A., & Checkel, J. T. (Eds.). (2015). Process Tracing: From Metaphor to Analytic Tool. Cambridge University Press, ch. 1. Source level A. ↩

32. The Tribune (2017). “Rs 500, 10 minutes, and you have access to billion Aadhaar details.” 2017-01-04 report; Centre for Internet & Society India 135M leak report. Source level B. ↩

33. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1; Amnesty International (2023). “India: Damning new forensic investigation reveals repeated use of Pegasus spyware.” Source level A/B. ↩

34. Khera, R. (Ed.). (2019). Dissent on Aadhaar: Big Data Meets Big Brother. Orient BlackSwan; Drèze, J., Khalid, N., Khera, R., & Somanchi, A. (2017). “Aadhaar and Food Security in Jharkhand: Pain Without Gain.” Economic and Political Weekly, 52(50). Source level A. ↩

35. Bennett, A., & Checkel, J. T. (2015). Process Tracing: From Metaphor to Analytic Tool. Cambridge University Press, ch. 1 (specifically the layered treatment of deterministic vs. probabilistic causal steps). Source level A. ↩

36. People’s Republic of China Cybersecurity Law (2017); Personal Information Protection Law (2021); DigiChina Cybersecurity Law translation; Roberts, M. E. (2018). Censored: Distraction and Diversion Inside China’s Great Firewall. Princeton University Press; Fu, K. W., Chan, C. H., & Chau, M. (2013). “Assessing Censorship on Microblogs in China: Discriminatory Keyword Analysis and the Real-Name Registration Policy.” IEEE Internet Computing, 17(3), 42–50. Source level A/B. ↩

37. Korean Constitutional Court 2010Hun-Ma252 (2012); Open Net Korea English translation. Source level A. ↩

38. Buterin, V. (2023). “What do I think about biometric proof of personhood?” Vitalik blog. https://vitalik.eth.limo/general/2023/07/24/biometric.html; AEPD (Spanish Data Protection Authority) Precautionary Measure on Worldcoin (2024). Source level B. ↩

39. ICANN Root KSK Ceremonies public records; Tor Consensus Format Specification and Directory Authorities documentation. Source level A. ↩

40. Estonia X-Road technical documentation; whether its key custody is cryptographically distributed remains to be confirmed through direct reading. Source level C. ↩

41. Boneh & Komlo (2022), supra n. 21, §§ 3–4 on the design of accountable thresholds. Source level A. ↩

42. Pol, R. F. (2020). “Anti-money laundering: The world’s least effective policy experiment? Together, we can fix it.” Policy Design and Practice, 3(1), 73–94. Source level A. ↩

43. Halliday, T. C., Levi, M., & Reuter, P. (2024). “Anti-Money Laundering: An Inquiry into a Disciplinary Transnational Legal Order.” UC Irvine Journal of International, Transnational, and Comparative Law, 4(1) (SSRN / eScholarship full text public). Source level A. ↩

44. Naylor, R. T. (2002). Wages of Crime: Black Markets, Illegal Finance, and the Underworld Economy. Cornell University Press; Levi, M. (2020). “Evaluating the Control of Money Laundering and Its Underlying Offences: the Search for Meaningful Data.” Asian Journal of Criminology, 15(4), 301–320 (Springer). Source level A. ↩

45. Levitt, J. (2007). “The Truth About Voter Fraud.” Brennan Center for Justice. Source level A. ↩

46. Hasen, R. L. (2012). The Voting Wars: From Florida 2000 to the Next Election Meltdown. Yale University Press. Source level A. ↩

47. Hajnal, Z., Lajevardi, N., & Nielson, L. (2017). “Voter Identification Laws and the Suppression of Minority Votes.” Journal of Politics, 79(2), 363–379. Source level A. ↩

48. Grimmer, J., Hersh, E., Meredith, M., Mummolo, J., & Nall, C. (2018). “Obstacles to Estimating Voter ID Laws’ Effect on Turnout.” Journal of Politics, 80(3), 1045–1051. Source level A. ↩

49. Crawford v. Marion County Election Bd., 553 U.S. 181 (2008); Shelby County v. Holder, 570 U.S. 529 (2013); Brnovich v. Democratic National Committee, 594 U.S. ___ (2021); Issacharoff, S., & Pildes, R. H. (1998). “Politics as Markets: Partisan Lockups of the Democratic Process.” Stanford Law Review, 50(3), 643–717; Pildes, R. H. (2004). “The Constitutionalization of Democratic Politics.” Harvard Law Review, 118, 28. Source level A. ↩

50. Drezner, D. W. (2003). “The Hidden Hand of Economic Coercion.” International Organization, 57(3), 643–659; Early, B. R. (2015). Busted Sanctions. Stanford University Press; Gostin, L. O., & Wiley, L. F. (2016). Public Health Law: Power, Duty, Restraint (3rd ed.). UC Press. Source level A. ↩

51. USA PATRIOT Act sunset and extension records; Congressional Research Service R45718 (USA FREEDOM Reauthorization) and RL33625 (USA PATRIOT Act Improvement); AUMF scope expansion CRS reports; COVID-19 emergency powers cross-national comparative literature. Source level A/B. ↩

52. FATF Recommendations 10 and 16; EU NIS2 Directive 2022/2555; Cybersecurity Information Sharing Act 2015 (CISA); NIST Cybersecurity Framework 2.0; USA PATRIOT Act § 326 (Customer Identification Program); NIST SP 800-63-4 (Digital Identity Guidelines). Source level A. ↩

53. Cain, B. E. (2014). Democracy More or Less: America’s Political Reform Quandary. Cambridge University Press. Source level A. ↩