Twenty years ago, in a paper that now reads like a digital prophecy, Microsoft's Kim Cameron laid out "The Seven Laws of Identity."¹ His work was a blueprint for a future where digital interactions could be imbued with the same trust and nuance as our physical ones. At its heart was a stark warning: the internet, built without a native identity layer, was a house built on sand, vulnerable to the coming storms of fraud and misinformation. We were, he cautioned, "headed toward a deep crisis." Two decades on, that crisis is no longer a future prospect; it is our lived reality. In our haste for digital convenience, we largely ignored Cameron's prescient guidance, and the consequences are now woven into the very fabric of our increasingly online lives.
Cameron’s laws were not technical specifications but a set of guiding principles. They spoke of user control and consent, minimal disclosure for a constrained use, and the importance of a pluralistic, interoperable system. At their core was a profound respect for the individual’s right to control their own identity. The first law, “User Control and Consent,” stated that “technical identity systems must only reveal information identifying a user with that user’s consent.”¹ This simple, yet powerful, idea was a direct challenge to the burgeoning trajectory of the internet, a path that would lead us not to empowerment, but to the digital panopticon we inhabit today.
The early 2000s were a period of explosive growth for the internet. The dot-com bubble had burst, but from its ashes rose the titans of Web 2.0. Social media platforms, in their infancy, were beginning to understand the immense value of personal data. The business model of the internet was solidifying, not around the user’s needs, but around the monetization of their attention and information, a phenomenon Shoshana Zuboff would later term “surveillance capitalism.”² It was in this environment that Cameron’s laws were largely ignored, not out of malice, but out of a collective rush to build, to connect, and to profit.
The Rise of Federated Identity
In the years that followed, instead of a user-centric identity layer being woven into the fabric of the internet, we witnessed the rise of the federated identity model. Led by the tech giants, services like “Log in with Google” or “Connect with Facebook” became the de facto standards for authentication. On the surface, this appeared to be a step towards simplicity and convenience, a welcome reprieve from the tyranny of managing countless passwords. However, this convenience came at a steep, and often invisible, cost.³
The federated model, in direct contravention of Cameron’s “Law of Pluralism of Operators and Technologies,” concentrated immense power in the hands of a few large corporations.¹ These entities became the gatekeepers of our digital lives, their identity services the keys to a vast and growing kingdom of online services. This concentration created a single point of failure, not just technically, but in terms of privacy and control. Our digital identities became tethered to our social media profiles, our email accounts, and our online shopping habits. The rich, multifaceted nature of our real-world identities was flattened into a single, commercially exploitable profile.⁴
This consolidation directly violated another of Cameron’s key tenets: “The Law of Minimal Disclosure for a Constrained Use.” This law posits that “the solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.”¹ The federated model, however, operated on a principle of maximal disclosure. Every login, every interaction, became a data point to be collected, aggregated, and used to build ever-more-detailed profiles of our behaviors, our preferences, and our beliefs.⁵ We were no longer the customers of these services, but the product.
Cameron's Warnings Made Reality
Fast forward to 2025, and the identity landscape is a testament to our collective failure to heed this warning. The intervening years have seen an explosion in the digital sphere, far beyond what many could have imagined in 2005. Social media has morphed from a niche activity to a dominant force in public and private life, shaping our very sense of self and community. The “Internet of Things” has connected our homes, our cars, and even our bodies to the network. And the relentless march of data-hungry business models has turned our personal information into the most valuable commodity on the planet.
This rapid expansion, built upon the shaky foundations Cameron warned of, has given rise to a host of new and amplified challenges. Data breaches, once a novelty, are now a daily occurrence. The statistics are staggering, with billions of personal records compromised annually.⁷ This isn’t just an abstract loss of data; it’s the raw material for identity theft, financial fraud, and sophisticated social engineering schemes. The very platforms that promised to connect us have become fertile ground for disinformation campaigns that can sway elections and tear at the social fabric.
Furthermore, the rise of artificial intelligence has added a terrifying new dimension to the identity crisis. AI-powered tools can now create deepfakes that are virtually indistinguishable from reality, making it easier than ever to impersonate individuals and spread malicious falsehoods.¹⁰ The potential for AI-driven identity-based attacks, from hyper-personalized phishing scams to automated disinformation armies, represents an existential threat to the integrity of our digital world.⁹
In response to this growing chaos, we have seen the emergence of national digital identity systems. While well-intentioned, these often fall into the trap of centralisation, raising the spectre of government surveillance and control.¹¹ The very tool designed to empower citizens could, if not implemented with the utmost care and adherence to principles like Cameron’s, become a mechanism for oppression.
The Consequences
The consequences of this architectural misstep are now a daily reality. The persistent drumbeat of massive data breaches, exposing the personal information of hundreds of millions of individuals, is a direct result of the centralised honeypots of data we have created.⁶ Identity theft has skyrocketed, with criminals leveraging stolen information to perpetrate fraud on an industrial scale. The very systems designed to verify our identities have become the primary vectors for their compromise.
Beyond the overt security threats, a more insidious challenge has emerged: the erosion of privacy and the chilling effect it has on free expression. When our digital identities are inextricably linked to a handful of powerful platforms, the fear of being de-platformed, of having our digital selves erased, becomes a powerful tool of social control. We self-censor, we conform, and we shy away from expressing dissenting or unpopular opinions for fear of the economic and social consequences.
Furthermore, the lack of a truly interoperable and user-controlled identity layer has stifled innovation. Startups and new services are often forced to rely on the identity systems of the tech giants, reinforcing their dominance and making it harder for new, more privacy-respecting alternatives to emerge. We are locked into a digital ecosystem that was not designed for our benefit, but for the benefit of those who control the data.
The rise of mobile computing has only amplified these challenges. Our smartphones, now the primary gateways to our digital lives, have become sophisticated tracking devices, their applications constantly siphoning personal data with or without our meaningful consent. The convenience of mobile access has further blurred the lines between our physical and digital selves, making the need for a robust and trustworthy identity framework more critical than ever. As we look towards 2025, the challenges of deepfakes and evolving fraud tactics further underscore the fragility of our current identity infrastructure.⁸
In the two decades since Kim Cameron penned his Seven Laws, the identity landscape has morphed into a complex and often hostile environment. The warnings were clear: without a conscious and deliberate effort to build an identity layer that empowers the individual, we would inevitably create a system that disempowers them. The challenges we face today — the rampant data breaches, the erosion of privacy, the concentration of power, and the stifling of innovation — are not unforeseen consequences. They are the predictable result of our collective failure to listen.