FAQ about Cardless ID
Please ask me more!
I’ve received a few questions about how Cardless ID works, and I’m sure I will receive many more. This is a first pass at answering them.
First, there's a new and better version of the demo online, so please visit cardlessid.org to see the latest.
Your Questions Answered
I know you're not going to store that selfie and photo ID because "trust me, bro"? That sounds like a privacy nightmare in and of itself.
This is a legitimate concern, and for the near term, the answer really is "trust me, bro." But it points to why we created this as a nonprofit in the first place. We want to signal in as many ways as possible that we're not in this for the money. As the platform becomes better known, my hope is that people will have more reason to trust it.
What do you plan to do about AI-generated selfies or other methods of deception to get an arbitrary number of accounts?
One thing that's not obvious from the site is that we won't be doing the verification ourselves. Instead, we will partner with identity verification companies who specialize in this. There are more than a dozen of them; I have personally investigated them and am now testing prototypes. In addition, Google has an identity verification tool that it already uses with some of its products.
So I don’t have a definitive answer to this question, but I’m sure these companies spend a lot of time thinking about it. Many of their customers are large financial institutions that need it to comply with “know your customer” and anti-money laundering laws (known in the trade as KYC/AML).
The state laws requiring age verification generally refer to “commercially feasible” technologies, not NSA-level security. We don’t pretend to be the perfect solution, just a compliant one.
Do you believe a selfie is the state of the art for online ID verification?
There are a few approaches I’ve looked at, but for most applications, this is sufficient. OnlyFans uses this same approach as a precursor to sending more than $5 billion worth of payouts annually to their creators.
Who would validate potentially hundreds of millions of users, and how exactly?
This is already being done by Xvideos in France using commercial technology. Scalability is always a challenge, so I don’t want to hand-wave, but I’ve launched multiple tech companies that had to handle millions of transactions per day. I’m familiar with what that’s like and believe this is a solvable problem.
How do you plan to conform to various privacy laws around the world, especially in the EU?
Part of the reason Cardless ID exists is to be the single source of truth on these issues. Currently, every single site has to learn all this itself. We allow them to outsource most of that.
That said, the EU is already well on the path to making it easy. It has a well-specified definition for digital identity wallets, and several member states are expected to roll those wallets out in 2026.
You say you are a non-profit; does that mean you don't incur any costs at all that you're not willing to absorb?
As mentioned above, the purpose of being a non-profit is to make it more trustworthy, but not just for users. The sites themselves also care a lot about privacy and security. They are already spending money on commercial solutions, so we are asking them to reallocate that funding toward a general-purpose solution serving all sites.
But we also want it to be free even for the smallest sites, so they don't have excuses. From a game-theoretic perspective, a free solution incentivizes the larger sites to report non-compliant peers to state authorities and to petition hosting platforms to de-platform them on the same grounds. (This has generally been their argument against the laws in the first place: that bad actors will ignore them.) The best way to get sites to comply is to make it very painful not to comply.
Even if your scheme was completely watertight and generally adopted, do you believe it to be a good idea to let any website ban a person from any other website, for life and for any reason they care to make up? Who would you go to if you thought your ban was unjustified?
This is a fair question, and I thank the asker for reading about that part.
In practice, I expect more granular policies to emerge, but it’s too soon to decide them in detail. However, I do want sites and creators to know that a complete ban is possible. There really are some psychos out there!
Your claim of providing "decentralized identity" looks bogus, and you're using the kinds of algorithms used for ACTUAL decentralized applications, like "zk proofs and blockchain queries," in a cargo-cult-like way to make this look like one as well (possibly deliberately deceptively), reminiscent of people using E2EE protocols without actually providing end-to-end encryption.
This person got a bit hostile with me in the comments section of Astral Codex Ten. As I tried to explain, the public-facing site is geared toward lay users who just want to know the basics. It’s not a technical specification.
I am not a cryptologist myself, but I've worked with various crypto technologies since 2017. In the 2000s, I worked on a startup seeking to commercialize Hashcash, a precursor to Bitcoin's proof of work. (This came from working at an email marketing company and learning how spammers exploit protocols to evade filters. I'm old enough to remember when Paul Graham wasn't a legendary VC, but just a smart guy who created a Bayesian spam filter.)