Vitalik Buterin’s recent essay about digital identity raises a valid and well-framed concern: even if identity leverages zero-knowledge (ZK) properties, enforcing uniqueness without pseudonymity can surface risks like coercion, surveillance, and cross-context correlation. He raises the point that even with ZK-wrapping, there is still danger in creating a future where a person’s online persona is maintained under a single, public identity.
The threats addressed in Vitalik’s article are not unique to ZK-based digital identity platforms, but are embedded in many different digital identity architectures — representing broader issues stemming from antiquated approaches to onchain identity. As these critical issues in digital identity enter the public discourse, Billions has already been deploying solutions to these challenges by creating frameworks and applications that have been adopted by governments, institutions, and organizations worldwide.
With Billions, the critical questions and concerns addressed in Vitalik’s article are already being addressed at scale, and are in the hands of users across the world.
Billions Network is the first universal human and AI network built with mobile-first verification, making it easy to prove who you are — from your own device, and in a secure and scalable way. The DeepTrust framework from Billions sets the standard for giving AI agents unique, reputation-based identities that can be associated with the human responsible for their creation. The Billions tech stack is based on nearly a decade of research around Zero Knowledge (ZK), with a specific focus on its application to decentralized identity.
The Billions.Network mobile app is now live for iOS and Android devices, harnessing a system that enforces per-app pseudonymity, protects against cross-context tracking, and supports robust key control. The design and architecture of Billions’ mobile apps also address concerns raised by Vitalik, highlighting the next-generation of identity infrastructure at scale.
A Note on Origins: The Roots of ZK Identity
The team behind Billions Network also pioneered the concept of ZK-based identity (ZKID) with open source contributions more than six years ago, leading to technical breakthroughs. The Billions core team also made the decision to open-source their work far before it become common to do so, resulting in:
- A complete identity protocol designed for selective disclosure and unlinkability.
- The development of the foundational Circom language and SnarkJS, now widely used across the ZK ecosystem.
- A client-side proof system optimized for constrained environments (e.g. mobile) with support from the Ethereum Foundation.
- A full ZK identity stack including query formats, schema registries, and onchain verifiers, developed during our incubation with Polygon.
Following a successful incubation and spin-off from Polygon as Privado ID, the Billions team conducted an impact assessment to uncover the impact of Circom on the broader decentralized identity ecosystem.
Ultimately, over 9,000 projects were found to be using some part of the original Circom tech stack developed by the core Billions team, including several projects mentioned in Vitalik’s own essay alongside web2 giants such as TikTok.
Solving the Foundational Problem: Per-App Pseudonymity
Vitalik rightly identifies a core tension: true pseudonymity and user privacy often require managing multiple online personas — a practice that fundamentally threatens the single identity’ model of many current digital verification systems.
This is precisely the problem that we set out to solve. At the heart of the Billions experience is the Profiles mechanism: a system where every verifier sees a unique, pseudonymous identifier (a decentralized identifier, or DID), generated for the user with an anonymous and unlinkable nonce. With no global identifier shared across apps, there can be no centralized registry that links a user’s identities together.
Each Profile DID is generated in the following format:
hash(genesis_identifier || profileNonce)
Key characteristics:
- profileNonce is random, not incremental — avoids predictability or correlation.
- Derivation is client-side.
- No server or issuer has access to the linking data.
- Users can have many Profiles for the same application.
📘 Formal spec:
📘 Implementation docs:
This Billions profiles system is designed for unlinkability, context isolation, and non-correlatability by default — even if the same credential is used for multiple applications. This functionality directly addresses the concern of cross-context correlation, and restores the user’s ability to maintain separate, pseudonymous identities across different apps.
Context-Based Unique Identifiers
To safeguard user privacy and prevent permanent unique identifiers, Privado ID provides each application context with a separate Context-Based Unique Identifier (CBUID).
Context-Based Unique Identifiers (CBUID) can:
- Be cryptographically derived from any kind of the Proof of Uniqueness Credential, with optionality for credential type given to the application. Some applications could opt for a Biometric (Facial Recognition) verification, while others might request an ID-based verification.
- In all cases, and for all verification formats, unlinkability, context isolation, and non-correlatability is included by default
For CBUIDs,the applications are endless — from enforcing a single vote per citizen through unique identifier tracking to ensuring social media platforms stay bot-free with facial scan verifications.
Live Today: The Billions Mobile App
All of the above is currently live and in production today, in the Billions.Network mobile app:
- Users can present ZK proofs based on verifiable credentials that assert “Proof of Unique Human” and “Proof of Live Personhood”.
- Each app sees a different DID, even for the same credential.
- Profiles are managed locally and securely.
- Verifiers cannot track or correlate usage across services.
This is not a theoretical architecture. It is already in use daily, around the world.
Profile System Security: Deeper Design Considerations
The Profile system offers additional security enhancements:
- Random nonces (not incremental) are used as secrets
- Profile secrets are stored:
- Locally on-device (mobile).
- End-to-end encrypted in storage (web wallet implementation), decrypted using user-held keys.
- Locally on-device (mobile).
- The system supports multiple identity derivation paths:
- Baby JubJub private key.
- Ethereum wallet.
- Smart accounts.
- Baby JubJub private key.
This means users can choose hardware or software-based identities, and rotate them securely.
Key Rotation: Control, Security, and Roadmap
Another critical risk highlighted in Vitalik’s blog post is the threat of coercion, in which a user could theoretically be forced to reveal their master secret and expose their entire history of interactions. While no system can entirely prevent physical coercion, our architecture is designed to maximize user control and minimize the impact of a potential user compromise.
Our technology architecture already supports key rotation:
- The master identity stays constant, even as control keys are updated
- If compromise is suspected, users can rotate keys locally and regain access
And in the next few months, the system will be strengthened further:
- Limiting scope of keys (e.g., separate keys for login, approval, or state transitions).
- Using smart accounts to enable:
- Introducing multi-factor authentication (MFA) for key rotation.
- Social recovery.
- Time-locked updates.
- Revertible key changes.
These enhancements mitigate the risk of an account takeover if the authentication key is lost or compromised.
Identity Programmability and Future Flexibility
Our technology also supports programmable identities — used mainly by onchain trustless issuers:
- Smart accounts can embed custom control logic.
- KYC conditions, policy rules, and threshold signatures can be layered in.
- Future integrations may support more advanced multi-sig, delegation, and usage policies at the protocol level.
This gives users and developers a path toward expressive, programmable control, without compromising privacy.
Issuer Diversity and Trust Minimization
Finally, Vitalik correctly argues for a “pluralistic identity” model, warning against the systemic risks of any single ID system becoming dominant and achieving near-total market share.
We could not agree more. Our system is explicitly designed to avoid single points of failure:
- The Privado.ID trust layer includes dozens of active issuers of credentials:
- There are multiple trust providers, because the flexible, open framework does not concentrate risk around any single "one-size-fits-all" issuer.
- Verifiers decide which trust provider to rely upon, and also define any additional checks of the user credentials.
- Anyone can create their own issuer.
- Verifiers can add additional checks to uniqueness requirements, e.g. being not only unique, but also from a specific country / not from specific countries, over the age of 18, or additional KYC/AML checks.
- The master identifier is never shared with applications.
- Each interaction uses a locally derived Profile DID, scoped to the issuer/verifier.
This reduces correlation risk and decentralizes trust without diminishing credential integrity.
Conclusion
Vitalik’s post rightly cautions against the illusion of safety offered by “ZK-wrapping” alone. But the architecture he calls for — pseudonymity, non-correlation, local control—is already here.
The Billions Network mobile app, among other implementations we have created, proves that we can enjoy:
- Uniqueness without traceability.
- Verifiability without surveillance.
- Recovery and flexibility without custodians.
This is not just theory. It’s a working protocol stack with real users, real ZK proofs, and a privacy model grounded in cryptography.
We welcome more builders to join the thousands of projects, enterprises and governments building on top of it.
Our DMs are open, and we’d always love to hear from you at hello@billions.network
