THE END OF ANONYMITY

Web, privacy and identity

I. The Moment You Stop Being Nobody

The end of free identity – There is a precise moment when you stop being nobody.

It arrives through the accumulation of decisions that seem reasonable taken individually. A law to protect children, a secure access system, a verification requirement — and then, without anyone declaring it, the possibility of existing online without stating who you are becomes suspicious, then a technical anomaly, then impossible.

This is new. In the physical world, we have never moved through space with our identity permanently on display, leaving a traceable record of every interaction. Privacy was the default condition of human presence — not a privilege, but the baseline. When the internet emerged, it inherited that condition by design.

Before platforms existed, the network operated on different assumptions. BBS (Bulletin Board Systems) were built around the free flow of information. Similarly, the first online communities were MUDs (Multi-User Dungeons) — role-playing environments where people interacted in explicit discontinuity with their physical identities. The pseudonym, the anonymous account, the search without permanent trace — all of these extended into digital space something we had always taken for granted offline.

As life migrated online, however, we surrendered it gradually. Without noticing. One terms-of-service agreement at a time.

Now, four jurisdictions are building the architecture of its replacement. And they are building it together, with different tools converging toward the same point.

II. The UK-EU Axis: Scanning and Identity

Two Systems, One Architecture

The United Kingdom passed the Online Safety Act in 2023. Meanwhile, the European Union has been negotiating the CSA regulation since 2022 — dubbed “Chat Control” by critics. On paper, these represent different objectives and distinct mechanisms. In practice, however, they form two halves of the same architecture.

At the technical core of both regulations lies Client-Side Scanning: software that analyzes every message on the user’s device before it gets encrypted, comparing it against databases of illegal content. As a result, end-to-end encryption remains technically intact — messages still travel encrypted. Yet the protection becomes illusory, because the content is examined before encryption occurs.

The UK Framework

In the United Kingdom, Clause 122 of the OSA grants Ofcom the power to impose this technology on messaging providers. Although technical guidelines are expected by spring 2026, by October 2025 the regulator had already launched five enforcement programs and opened twenty-one investigations.

Furthermore, the Investigatory Powers Amendment Act 2024 completes the framework: companies must notify the government in advance of any changes to their services that could affect the effectiveness of interceptions. If they want to implement stronger encryption, they must request permission and wait up to 180 days. In other words, vulnerability must be preserved by law.

The European Framework: identity control

In Europe, the EU Council approved a modified version of Chat Control in November 2025. While mandatory scanning has been postponed, the text includes a review clause requiring the Commission to assess “the necessity and feasibility of including detection obligations” within three years. In the meantime, Google, Meta, and other platforms can continue voluntarily scanning all unencrypted messages.

The pattern is recognizable: introduce the principle, normalize the practice, then expand the mandate.

Danish Justice Minister Peter Hummelgaard, the proposal’s main architect, stated explicitly: “We must break with the completely erroneous perception that it is a civil liberty for everyone to communicate on encrypted messaging services.” This statement reveals what is truly at stake: not child safety, but the redefinition of what constitutes a right.

The Other Half: Digital Identity

Yet scanning is only half of the European architecture. The other half is digital identity.

In 2024, the EU adopted eIDAS 2.0 — the regulation requiring member states to offer citizens an “EU Digital Identity Wallet” by the end of 2026. The Commission presents the system as “privacy-preserving”: you prove only your age, not your complete identity. However, to generate proof of age, you must first verify your identity with a government document. Consequently, the system knows who you are. It merely promises not to tell third parties.

And promises can change. On November 26, 2025, the European Parliament voted 483 to 92 for age limits on social media with “real identity verification.” Denmark, France, Greece, Italy, and Spain are already testing the system. Today, the wallet verifies age for pornographic sites. Tomorrow, it could be required for any online service.

III. The Parallel Laboratories: Australia and the United States

Australia: The Most Advanced Laboratory

Australia represents the most advanced laboratory. In December 2025, the world’s first law banning social media access for under-16s came into force. Meta began removing teenage accounts from Instagram and Facebook as early as December 4.

Yet Australia had already paved the way in 2018 with the TOLA Act — legislation granting authorities unprecedented powers to access encrypted communications, including the obligation for companies to build new access features on request.

The results are telling: according to the Australian Federal Police, approximately 96% of legally intercepted content is unintelligible due to encryption. Authorities cite this figure as justification for more aggressive interventions. Nevertheless, it can also be read as evidence of encryption’s effectiveness in protecting communications.

The United States: Death by Liability

In the United States, the path runs through KOSA (Kids Online Safety Act) and EARN IT Act — laws that erode end-to-end encryption through platform liability. If a provider can be sued for content it couldn’t see because it was encrypted, the economic pressure to weaken encryption becomes irresistible.

Additionally, Texas, Utah, and Louisiana have passed laws requiring Apple and Google to verify every user’s age before downloading an app.

The Convergence Question

Governments with incompatible political traditions are arriving at identical technical solutions, simultaneously, without declared coordination. When this happens, it is worth asking what force is orienting them in the same direction.

One answer is economic: the identity verification market is projected to double to $35 billion by 2030. Other answers are harder to name but easier to recognize — data extraction, algorithmic governance, behavioral prediction, and the competitive pressure from states that have already built the infrastructure and demonstrated what it enables.

IV. The Empirical Proof: Salt Typhoon

When Backdoors Become Attack Vectors

That government backdoors constitute a structural vulnerability is not academic theory. It is recent news.

In September 2024, American security analysts discovered that a group of hackers affiliated with Chinese intelligence — code-named Salt Typhoon — had been inside the networks of nine American telecom companies. For an estimated period of one to two years.

Their primary target was not commercial data. Instead, it was the “lawful intercept” systems — the legal interception infrastructure that telecom companies have been required to maintain since 1994, when the Communications Assistance for Law Enforcement Act mandated that providers design their networks to facilitate authorized interceptions.

Thirty years later, those backdoors became the attack vector for Chinese espionage.

The Scope of the Breach

Salt Typhoon stole metadata from millions of users, geolocated individuals at will, and intercepted communications of approximately one hundred people involved in government activities — including Donald Trump, JD Vance, and Kamala Harris campaign staff. Most critically, however, they gained access to the interception systems themselves: Salt Typhoon could see who the American government was surveilling.

In August 2025, the FBI confirmed that the group had compromised at least 200 companies across 80 countries. They remain active.

The Lesson

The Electronic Frontier Foundation summarized the lesson: “When engineers insert legal backdoors into communication systems — even with the best intentions — they create openings where there shouldn’t be any.”

There are no backdoors “only for the good guys.” And while Salt Typhoon was empirically demonstrating the failure of this model, the United Kingdom and European Union were building analogous systems — applied not to phone calls, but to every private message of their citizens.

V. The Technical Failure

How Perceptual Hashing Works — And Doesn’t

The dominant technology for Client-Side Scanning is “perceptual hashing” — algorithms that generate digital fingerprints of images, designed to produce similar signatures for visually analogous images even when slightly modified.

Academic research, however, has documented structural vulnerabilities. A malicious user can apply imperceptible perturbations to an illegal image, modifying the hash without altering the visual content — achieving evasion rates exceeding 99%. Conversely, it is possible to modify completely legitimate images to match content in the illegal database, thus generating false positives on innocent people.

The Empirical Data

Empirical data confirms these criticisms. In Ireland, where automated reporting systems are already operational, of 4,192 reports received by police, only 20% proved to be actual illegal material. Meanwhile, 11% were confirmed false positives — innocent people erroneously flagged.

At global scale — billions of messages daily — this means hundreds of thousands of innocent people flagged every year. And the real criminals? Those who understand the system can circumvent it with imperceptible modifications. As a result, the system catches those who cannot defend themselves and lets through those with minimal technical skills.

VI. Big Tech: The Battle Over the Bill

Who Pays for Verification?

Meta, Apple, and Google are in conflict — but not to defend users. Rather, they are fighting over who pays for verification.

Meta argues that app stores should verify age, like a liquor store checking IDs. Apple and Google counter that verification should happen at the individual app level. Yet while they argue publicly, all three are building the infrastructure: Apple has introduced the “Declared Age Range API,” Google the “Play Age Signals API.”

The debate is about who implements. No one is questioning whether to implement.

VII. The Resistance

Industry Pushback

In 2023, seven competing companies — WhatsApp, Signal, Threema, Viber, Wire, Element, and Session — jointly signed an open letter to the British government, warning of the Online Safety Act’s risks to everyone’s privacy. Meta declared it would rather see WhatsApp blocked in the UK than weaken encryption.

Public Response

A petition for OSA repeal exceeded 500,000 signatures. Nevertheless, the government confirmed its intention to proceed. Following the implementation of age verification, VPN sign-ups increased by 1,400%.

The Digital Divide

Technical resistance works — for those with the skills. But this creates a bifurcation: those with technical resources bypass the system; those without bear the weight of surveillance. Like every form of social control, it strikes unevenly.

VIII. The Invisible Damage

The Biological Cost

The subtlest damage is biological.

Developmental biology calls the adolescent period of provisional identity a “moratorium” — roles tried, mistakes made, contradictions held without permanent consequences. That instability is not a flaw in the process. It is the process. Anonymity was that space in digital form.

Identity Frozen

Universal verification does not merely surveil: it freezes. Every search, every doubt, every experiment becomes permanently attributable to a legal name. The adolescent exploring their sexuality, the student searching for information about substances out of curiosity, the young person flirting with radical ideas before finding balance — every exploration leaves a trace linked to an identity.

The damage will not appear in datasets. It will appear twenty years from now, in the conformity of those who never had space to be provisional.

IX. The Room Without Doors

Bentham’s Vision, Realized

In 1791, Bentham designed the Panopticon — a prison where control derived from the permanent possibility of being observed. Prisoners never knew when they were being watched, so they behaved as if they always were.

The system now emerging — universal scanning, mandatory identity verification, the end of anonymity — is a digital Panopticon. No longer walls and towers, but code and algorithms. No longer cells and prisoners, but devices and citizens.

The Crucial Difference

The difference is that you couldn’t exit the physical Panopticon because the doors were locked from outside.

You cannot exit the digital Panopticon because the doors no longer exist. To communicate, to work, to participate in contemporary social life, you must pass through identity checkpoints. Every message can be read. Every action traced. Every relationship mapped.

Once the infrastructure is built, it doesn’t matter who wanted it or why.

Only who holds the keys.

Stay human. Decode the digital. Resist.

FOLLOWTHEALGORITHM