Hu Yilin: The Digital Identity of the Future Should Not Be a Safer ID Number, but a Rights System of Proof on Demand

21,942 characters2026.07.06

Preface| The Singapore Land Authority recently disclosed that a cloud-based development and testing environment managed by IBM was accessed without authorization, exposing the names, NRIC numbers, and then-current property addresses of about 70,000 people. The incident sparked public discussion about digital government, outsourced systems, and the protection of identity data. Scholar Hu Yilin believes that this event should not be understood simply as a failure of Singapore’s digitalization; on the contrary, Singapore’s recent move to restrict the use of NRIC is worthy of affirmation. What really deserves discussion is the next generation of digital identity systems: in the future, identity verification should no longer rely on a single global number that can be copied, leaked, and abused, but should instead move toward a system of proofs controlled by the individual, disclosed on demand, revocable, and accountable.

A systemic problem behind one data leak

On July 3, 2026, the Singapore Land Authority issued a notice saying that a data security incident had occurred in the cloud environment managed by its vendor IBM. IBM was responsible for supporting and maintaining SLA’s Singapore Titles Automated Registration System (STARS) and eLodgment System (ELS); the affected systems were the development and system integration testing environments for the relevant systems, not the production systems. SLA stated that the data set involved was created in 1998 and was originally supposed to contain only simulated and anonymized test data, but it was later discovered to include the real names, NRIC numbers, and then-current property addresses of about 70,000 people. SLA also emphasized that the production business systems and official property registration records were not affected, and the investigation is still ongoing.

This incident took place against the backdrop of Singapore’s readjustment of NRIC usage rules. The Ministry of Digital Development and Information (MDDI) announced this year that the government has been promoting the responsible use of NRIC in the public and private sectors since 2025; private institutions must stop using NRIC numbers for authentication by December 31, 2026, and from 2027 the Personal Data Protection Commission will strengthen enforcement against such misuse. The government has also made clear that NRIC may be used to identify a person, but should not be treated as a password proving that “you are you.”

Hu Yilin first stressed that he takes a positive view of Singapore’s digital government reforms.

“I very much affirm the Singapore government’s efforts in digitalization, as well as the strategy in recent years of limiting NRIC use. Historical data leaks are not the Singapore government’s fault.”

In his view, what incidents like this really expose is not whether some government department has worked hard enough, but the fact that the modern identity system itself still relies too heavily on fixed numbers.

In the past, ID numbers, NRIC, social security numbers, and the like have long borne multiple functions: they are identifiers, but are often also used as authentication credentials; they are used in government administration, but are also repeatedly collected by private institutions; they appear in formal systems, but may also be copied into test data, forms, contracts, customer service systems, and historical archives. So long as a number serves for a long time as a global index, it can never truly be “taken back.” Once leaked, it may still be exploited years later by scams, profiling, and identity impersonation chains.

Hu Yilin believes that future digital identity reform should not merely make ID numbers safer to store, but should gradually detach everyday verification from public ID numbers.

Identity is not a number, but the ability to prove on demand

The core of the next-generation digital identity system Hu Yilin envisions is the introduction of cryptographic technologies, including public-key/private-key systems, digital signatures, verifiable credentials, and zero-knowledge proofs.

Under the traditional model, when entering a service scenario, a person often has to hand over a full set of information: name, ID number, date of birth, address, mobile number, email, and even education, employer, and family situation. The verifier originally only needs to confirm a simple fact, yet habitually takes away far more data than necessary.

In Hu Yilin’s view, the future should be the reverse: the verifier should only put forward the proposition it truly needs to verify, and the individual should only prove that this proposition holds.

A bar only needs to know whether a person is an adult; it does not need to know whether he is 19 or 91. If an employer merely wants to confirm whether an applicant has a bachelor’s degree or above, it need not, by default, obtain the entire degree certificate. In some contexts, one only needs to confirm that a person is a citizen, permanent resident, EP holder, or some other identity category, and there is no need to expose the full ID number or all population registration data.

This is exactly the problem that verifiable credentials and selective disclosure technologies are trying to solve. The W3C’s Verifiable Credentials Data Model designs digital credentials as a tripartite ecosystem among issuer, holder, and verifier: institutions such as governments, schools, and employers can issue credentials; individuals, as holders, store them and present them as needed; and verifiers check whether the credentials are authentic and untampered. W3C also explains that credential holders can provide verifiers with subsets of credentials, enabling selective disclosure of sensitive data.

Singapore’s existing sgID also reflects a similar direction. The official introduction to sgID says that service providers can, with user permission, obtain information verified by the government; its derived data fields can help service providers obtain the data they need without touching the underlying raw data. Hu Yilin’s idea is to push this line of development further: not to make institutions more conveniently obtain real data, but to ensure that in most scenarios institutions simply cannot get hold of unnecessary data at all.

In other words, the goal of an identity system should not be to make the “number” safer, but to turn identity verification from “disclosing data” into “proving propositions.”

Not replacing all documents with one private key

However, Hu Yilin does not advocate simplifying the future identity system into “everyone relying only on one private key to prove who they are.” He specifically clarified that a lost key should be handled the same way as a lost ID card or a lost bank card: one should be able to go to the official authorities to have it reissued.

“The loss of a key should be like the loss of an ID card or a bank card: you need to go to the official authorities to have it reissued. It is not that each person is left with only one private key to prove themselves.”

This means that the future identity system should not be a purely cypherpunk-style isolated system, but rather a composite system made up jointly of digital credentials, paper credentials, biometric identification, official reissuance mechanisms, and legal procedures. Paper proof can still exist; biometric verification such as fingerprints and facial recognition can also play a role in necessary scenarios. The purpose of digital identity is not to eliminate other forms of proof, but to improve the way personal digital information is exposed in everyday services.

He used payment as an analogy: “Just as digital payments and cash payments coexist without conflict.” The elderly, children, vulnerable groups, and people who do not know how to use smartphones should still have traditional identity channels; digital systems should provide convenience, not raise the threshold for public services.

This is especially important for Singapore. Singapore’s digital government capability is strong, and systems such as Singpass, Myinfo, and sgID are highly popular, but any public identity system must avoid excluding people with lower digital literacy. Hu Yilin’s proposal is not to overwhelm social inclusiveness with technical sophistication, but to make digital technology a more controllable, less exposing, and easier-to-trace means of data exchange.

From scanning to pay to scanning identity

In terms of actual user experience, Hu Yilin believes that digital identity can borrow the intuitive design of mobile payments: scan, confirm, authorize, traceable.

He said that digitalization should increase ease of use, “for example, just scan a QR code, similar to WeChat Pay.” In some high-trust, low-risk situations, an individual can directly show a QR code for the verifier to scan. After the verifier scans it, the user, just as one knows “how much has been deducted,” knows what information the other side has read.

In other situations, the verifier can provide a QR code, and the individual scans it with their identity wallet or a Singpass-like app and independently ticks the information they wish to submit. For example, they can tick only “adult” and not submit their date of birth; they can submit only “bachelor’s degree or above verified” without submitting the school, major, or certificate number; they can submit only “EP valid” without submitting the full FIN or all immigration records.

For the elderly or people unfamiliar with digital operations, a simplified mode can also be set up. Hu Yilin proposed that mechanisms could be established to automatically provide certain low-risk information without confirmation a few times a day, so that older people would not have to carefully click through selections every time. But this convenience should still be controllable and traceable: the system should record which institutions read which information at what time, and the user or guardian should be able to review and revoke the relevant authorizations afterward.

This turns identity authorization from today’s “sign a privacy policy once and hand over a pile of data” into a visible process like a payment bill. In the past, users often did not know what exactly they had handed over; in the future, users should at least know: who read what information about me, on what grounds did they read it, can it be revoked, and can I complain about it?

“Alias contact information”: an underestimated piece of identity infrastructure

In Hu Yilin’s view, identity leakage is not just a leak of document numbers. Mobile numbers, email addresses, home addresses, and instant-messaging accounts are likewise long-term sources of risk.

Today, real mobile numbers and real email addresses shoulder too many functions: login, password recovery, verification-code receipt, customer service, marketing contact, transaction notifications, social binding, anti-fraud identification. Once leaked, they are hard to take back. Even changing the number disrupts a great deal of legitimate contact.

Hu Yilin proposes that contact information should also be incorporated into a revocable, scenario-specific identity system. Each institution that requires contact information should receive only a separate email alias or number alias; this alias can be limited in purpose and duration. For example, if a repair service only needs to contact the user within one week, then the number the user provides can be valid for only one week. If a platform starts sending spam, the user can invalidate the alias corresponding to that platform without having to change their real number.

This mechanism has two benefits. First, it reduces the exposure of real contact information. Second, it improves the ability to trace leaks. In the past, if a mobile number was harassed, it was hard to know which institution had leaked it; if each institution received a different alias, then when a particular alias starts receiving spam, one can roughly determine the source of the problem.

This in effect turns contact information from a “permanent personal identifier” into a kind of “temporary contact capability.” I am not handing over my real self to you; I am giving you a limited, revocable, auditable contact channel.

Minimization of disclosure cannot rely on technology alone; it must also rely on the market and the law

As for the question of “what if an institution domineeringly demands that users hand over all their information,” Hu Yilin believes that technology alone cannot solve everything; a dual constraint from both the market environment and the legal environment is also needed.

He gave the example of a person walking into a bar: it is reasonable for the bouncer to check whether they are of age; but if the bouncer asks to find out how many children you have had, a normal customer will obviously not cooperate and may simply turn around and leave. Ordinary businesses, in order to attract customers, will not make excessive demands. Market competition itself will restrain data requests.

But if some institution can be extremely overbearing and will not let you through unless you hand over every last bit of information, that usually means it is a monopoly, or that it wields excessive power. Hu Yilin said: “If some institution can be extremely overbearing and won’t let you pass unless you provide all the information, then this is very likely a monopoly institution, one that may hold excessive power.”

At that point, one cannot rely only on consumers to “vote with their feet”; instead, the law must establish the principle of minimum necessity: institutions may only request information directly related to the purpose of the service, and may not turn excessive collection into a condition of entry.

This is also the key to digital identity reform: technologies such as zero-knowledge proofs, selective disclosure, and credential wallets provide the ability to “give less information,” but whether one can truly give less still depends on whether the law forbids excessive requests, whether the market allows users to refuse, and whether public institutions set an example themselves.

Hu Yilin’s proposal is not technological determinism, but rather an identity-governance model jointly constituted by technology, market, and rule of law.

Revocable credentials: the individual does not self-report a conclusion, but initiates an authorized query

The digital identity system must also address the problems of credential expiration and revocation. Visas expire, driver’s licenses may be revoked, degrees may be rescinded, and professional qualifications may be suspended. If an individual merely stores an offline credential, how is a verifier to know whether it is still valid now?

Hu Yilin proposes that for credentials that may be revoked, the authoritative institution should be the reference point. What the individual provides to the verifier should not be merely a self-reported conclusion, but a signed request for inquiry. Once the verifier receives the individual’s signature, it gains the authority to query the authoritative institution about a specific fact. The authoritative institution does not need to return complete identity data; it only needs to indicate whether the information submitted by the user is accurate and whether the credential is valid.

This design has two key points. First, verification is not completed by the individual’s unilateral assertion, but can be confirmed with the authoritative source. Second, the authoritative institution also need not know or return too much information. It answers only the necessary question: whether this person satisfies a certain condition, whether this credential is still valid.

For example, if a platform wants to confirm whether a user holds a valid driving authorization, the user signs an authorization and the platform queries the transportation authority; the authority returns only “valid” or “invalid,” rather than the full license number, address, date of birth, or other driving records. A similar model can be used for visas, educational qualifications, and professional credentials.

In this way, the traditional practice of “photocopying documents and keeping them on file with the institution” is transformed into a process of “authorization by the person concerned, immediate verification by the institution, and minimal feedback of results.”

Default privacy does not mean absolute anonymity

The digital identity system must also confront law-enforcement issues. Complete anonymity is unrealistic, and not necessarily legitimate. In scenarios such as fraud, money laundering, serious infringement, and violent crime, there must be accountability. Hu Yilin’s principle is: traceability should be possible, but not arbitrary.

“Law-enforcement agencies should have the possibility of tracing, but they must not use it arbitrarily.”

He envisions a decentralized key arrangement. The individual holds the full-power key and may proactively disclose certain information when they wish to make it public; but law-enforcement agencies hold only “half a key,” while the relevant government department or certificate issuer holds the other half. The enforcement agency must either obtain the individual’s consent, or obtain the consent of the certificate issuer or government oversight department, before it can pursue information.

In essence, this design is a “1+2/2” distribution of power: the individual may disclose voluntarily; the state also retains the necessary capacity for tracing; but no single law-enforcement agency may bypass supervision and unilaterally reveal the individual’s entire identity chain.

More importantly, the scope of tracing should be graded according to the nature of the case. In most civil cases, only limited tracing rights should be obtained—for example, confirming the legal responsible party behind a certain transaction identity; only in a small number of criminal offenses involving serious harm should more comprehensive tracing rights be granted. Hu Yilin emphasizes that this requires a modern rule-of-law government to have a framework of separation of powers, procedural review, and mutual oversight. Without such a rule-of-law structure, so-called “accountability” can easily slide into “default surveillance.”

The crucial distinction here is this: the future identity system should default to privacy, with accountability as the exception, rather than default to surveillance with occasional protection of privacy.

The government should not become an omniscient node

Hu Yilin previously proposed that an ideal digital identity system should avoid allowing any single institution to possess all of a person’s real information. He especially emphasized:

“No one, including the government, can simultaneously know all of my real information; that is the best approach.”

This is not a denial of the government’s identity-registration function. Modern states of course need basic capacities such as population registration, taxation, social security, immigration, and public safety. The question is whether the government should at the same time know all the daily use scenarios of a person’s identity credentials, all platform interactions, all qualification displays, all contact methods, and all transactional identities.

In Hu Yilin’s view, the next generation of digital identity systems should realize a separation of powers at the data level. The government may issue identity credentials such as “citizen,” “PR,” and “EP,” but it need not know to whom the user has shown those identities each time. Schools may issue degree credentials, but need not know which employers graduates have presented them to. Banks may complete the KYC required by regulation, but should not indefinitely retain information beyond the necessary scope. Platforms may verify age or qualifications, but cannot turn that information into cross-platform tracking tags.

The ideal state of an identity system is not to centralize all information into a safer super-database, but to keep issuers, holders, verifiers, regulators, and statisticians separated from one another. Each actor knows only the part it needs to know.

This is also why Hu Yilin remains wary of “big data governance.” The state needs to understand the overall condition of society, but it need not possess a holographic portrait of every individual. Population statistics, policy evaluation, social surveys, and public-service planning can be carried out through sampling, field visits, statistical models, and privacy-preserving computation. Full data may seem more precise, but it also more easily tempts the state to turn society into an object that is continuously recorded and linked together.

Root identity systems must vary according to national conditions

As for whether the government should retain a root identity registration system, Hu Yilin does not advocate a globally uniform answer. He believes it depends on the country’s size, political tradition, governmental capacity, and power structure.

“For a small country like Singapore, with a paternalistic government, I think it can be relatively centralized.”

Singapore has a small land area, a limited population, strong governmental capacity, and relatively high public trust, and has long formed a highly integrated model of state governance. Under such national conditions, a relatively centralized root identity system may not be unacceptable, so long as it has sufficient data minimization, transparent authorization, separated powers, and accountability mechanisms.

“Whereas in a big country like the United States, with a small government and multiple levels of government, there is no need to set up a unified root identity system.”

The United States has federalism, multiple levels of government, local autonomy, and a developed private sector, and society is also more wary of a centralized identity system. In such a structure, a unified root identity system would not only face enormous political resistance, but might not even fit its institutional tradition. A more decentralized architecture with multi-institution credentials and the coexistence of state-level and federal-level systems may be more natural.

This distinction is important. Digital identity reform should not be imagined as a globally universal technological product; it should be embedded in the institutional soil of different countries. Singapore can advance a system that is “relatively centralized but minimally disclosed” on the basis of a strong state, high trust, and a high level of digitization; the United States may be better suited to a system of “multiple root credentials, decentralized issuance, and strong protection of private rights.”

From a society of numbers to a society of proofs

The SLA data leak incident reminds people that the risks of the digital state lie not only in formal business systems, but also in test environments, historical data, vendor chains, and the legacies of old systems. But Hu Yilin does not leave the discussion at the level of incident accountability. He believes a more constructive direction is to use this as an occasion to rethink the identity system itself.

What Singapore is doing in the first step is to downgrade the NRIC from an “authentication password” to an “identification number.” This step is important and deserves recognition. But in the future, one can go further: gradually let publicly visible ID numbers withdraw from daily verification scenarios, and allow individuals, through digital signatures, verifiable credentials, selective disclosure, zero-knowledge proofs, and revocable contact methods, to display only the necessary information in different contexts.

This means that identity is no longer a string of numbers repeatedly copied by institutions, but a system of proving power that the individual can exercise. It can prove that I am an adult without revealing my date of birth; prove that I have a degree without revealing the full certificate; prove that I hold a lawful status without exposing my complete file; prove that I can be contacted without handing over a permanent real number; and in necessary law-enforcement scenarios it can support accountability, but accountability must proceed through separated powers, authorization, and procedural review.

In this sense, the goal of future digital identity is not to “build a bigger database,” but to establish a new social relationship: institutions cannot default to requesting all information, the government cannot become an omniscient node, and individuals need not repeatedly hand over themselves in every service interaction.

A truly mature digital state is not merely one that moves services online, nor one that draws everyone into a real-time data stream, but one that knows what information should not be collected, what proofs need only be shown temporarily, what powers must be split apart, and what identities must be given back to the individual.

References

1. Singapore Land Authority (SLA): Security incident involving an IBM-managed cloud environment:https://www.sla.gov.sg/news/press-release/security-incident-involving-an-ibm-managed-cloud-environment-/

2. Singapore’s Ministry of Digital Development and Information (MDDI): Responsible Use of NRIC Numbers Across Public and Private Sectors:https://www.mddi.gov.sg/newsroom/responsible-use-of-nric-numbers-across-public-and-private-sectors/

3. W3C: Verifiable Credentials Data Model 2.0:https://www.w3.org/TR/vc-data-model-2.0/

4. sgID: Official introduction:https://www.id.gov.sg/

5. PDPC / CSA: Joint Advisory Against Using NRIC Numbers for Authentication:https://www.pdpc.gov.sg/media-events/joint-advisory-against-using-nric-numbers-for-authentication-by-pdpc-and-csa

Translated from the Chinese original with AI assistance. The original text is authoritative.

After submitting, click the confirmation link in your inbox to complete the subscription.

Advanced: subscribe only to selected topics

勾选后只收所选主题的新文章;不勾选则订阅全部。

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

To respond on your own website, enter the URL of your response which should contain a link to this post’s permalink URL. Your response will then appear (possibly after moderation) on this page. Want to update or remove your response? Update or delete your post and re-enter your post’s URL again. (Find out more about Webmentions.)