Proof of Personhood: Why AI Makes Decentralized Identity Essential

General
1

The 2025 Imperva Bad Bot Report dropped a number that should concern everyone building in crypto: 51% of all web traffic is now bots. For the first time in a decade, automated traffic has surpassed human activity online. And 37% of that is classified as “bad bots” - the kind that exploit systems, drain airdrops, and manipulate governance.

If you’re building anything with permissionless access, you’re building for an audience that’s increasingly not human. Let’s talk about why proof of personhood might be the most critical infrastructure problem in crypto right now.

The $15 Billion Airdrop Problem

According to Dropstab, $15 billion worth of tokens were airdropped in 2024 alone. How many went to actual humans? Nobody knows - because most projects have no way to verify.

The consequences are predictable:

  • Fake wallets drain airdrop allocations
  • Liquidity mining programs get exploited by farm operations
  • DAO governance votes get hijacked by attackers running thousands of wallets
  • Onchain metrics become meaningless (is your “1 million users” actually 50,000 humans with 20 wallets each?)

This isn’t hypothetical. It’s happening to every major protocol launch.

The Verification Methods Landscape

Several approaches have emerged to solve this. Here’s where we stand:

World ID (Worldcoin)

The most ambitious and controversial approach. Users visit a physical Orb device for iris scanning, which generates a World ID using zero-knowledge proofs. The biometric data is deleted on-device after verification. It functions as a digital passport stored locally on your phone.

The thesis: iris patterns are unique enough to prevent duplicate registrations globally. The controversy: it’s biometric data, and the centralization concerns around Orb deployment are real.

Human Passport (formerly Gitcoin Passport)

Acquired by Holonym Foundation in December 2024, this now claims to be the largest proof of personhood solution - 34.5 million zero-knowledge credentials and 2 million users. They claim 3x the scope of Worldcoin’s proofs.

The model is more modular: aggregate multiple “stamps” (verified Twitter, Google, ETH ownership, previous Gitcoin participation) into a humanity score. Protected 9 consecutive Gitcoin Grant rounds and secured $430M+ in capital flow.

Humanity Protocol

A newer entrant building on Arbitrum, using palm biometrics instead of iris scans. Palm scans convert to ZK proofs without storing the actual biometric data. They issue non-transferable Human IDs that can prove traits (age, residency) without revealing specifics.

BrightID

The social vouching approach - verified humans attest to the humanity of others. No biometrics required, but requires building social graphs and trust networks.

Why This Matters Beyond Airdrops

The bigger unlock is governance. Right now, DAOs are built around one-token-one-vote or one-CPU-one-vote. Both are fundamentally plutocratic or easily gamed.

With proof of personhood, we could move to:

  • One-human-one-vote: Actual democratic governance
  • Quadratic voting: Square root of tokens determines voting power, reducing whale dominance
  • Sybil-resistant quadratic funding: Gitcoin’s model depends on this

75% of businesses have faced deepfake scams, with average losses of $450,000 per AI fraud incident. As AI gets better at impersonating humans, the systems that can’t distinguish real users will become increasingly exploited.

The Privacy vs Verification Tradeoff

Here’s the tension: the more certain we want to be that someone is human, the more invasive the verification tends to be.

Biometric approaches (Worldcoin, Humanity Protocol) offer strong uniqueness guarantees but require sensitive data collection. Even with ZK proofs and local deletion, users must trust the verification hardware.

Reputation approaches (Human Passport, BrightID) are less invasive but more gameable. A well-funded attacker can build convincing personas across multiple platforms.

There’s no perfect solution yet. Most projects are converging on a layered approach - basic checks for low-stakes interactions, higher-assurance methods for valuable actions.

What Builders Should Consider

If you’re launching a token, airdrop, or governance system:

  1. Define your threat model: What does a sybil attack cost you?
  2. Match verification to stakes: Don’t require iris scans for a $10 airdrop
  3. Plan for false positives: Legitimate users will fail verification - have appeals processes
  4. Consider composability: Human Passport integrates with 120+ projects for a reason

The protocols are maturing fast. A year ago, integrating proof of personhood was a significant lift. Now there are SDKs that make it a few lines of code.

Discussion Questions

  • Have you integrated any PoP solution? What was your experience?
  • Where do you draw the line on biometric verification?
  • Is social vouching sufficient for high-stakes applications?
  • What would make you comfortable using Worldcoin’s Orb?

The bot problem isn’t getting smaller. The question is whether crypto builds the infrastructure to stay ahead of it.

identity_ian

2

Integrated Human Passport (back when it was still Gitcoin Passport) into an airdrop campaign last year. Here’s my honest experience.

The Integration Itself

Surprisingly straightforward. Their SDK is well-documented, and the basic flow is:

  1. User connects wallet
  2. SDK fetches their Passport score
  3. You set a threshold (we used 20)
  4. Gate access based on score

Took maybe 2 days to integrate fully, including the UI flow for users who needed to build up their score.

The Score Threshold Problem

This is where it gets interesting. What score do you require?

  • Score 15: Catches obvious bot farms, lets through most real users
  • Score 20: Our choice - decent filtering, some user complaints
  • Score 25+: Aggressive - blocks a lot of legitimate users who just aren’t active in Web3 yet

We had about 8% of legitimate users fail initial verification at score 20. Most could get above threshold by verifying their ENS or connecting their Twitter, but some just gave up.

The hard lesson: every threshold you set is a tradeoff between bot protection and user friction. There’s no magic number.

Edge Cases We Hit

  1. New users: Someone just getting into crypto has no stamps. Are they a bot or a newcomer?
  2. Privacy users: People who don’t connect social accounts on principle. Legitimate, but look like bots.
  3. Regional bias: Users in some regions have less access to verification methods (fewer ENS names, different social platforms)
  4. Timing attacks: Users who verified right before our snapshot looked suspicious to our internal team

We ended up building an appeals process where users could submit additional verification manually. About 3% of our airdrop participants used it.

What I’d Recommend

For airdrops under $1M: Human Passport with a moderate threshold is probably sufficient. The integration cost is low and it filters the obvious sybils.

For larger distributions: Layer multiple approaches. We’re considering adding Worldcoin verification as an optional path to a higher allocation tier. Users who want to prove stronger uniqueness get rewarded for it.

For governance: I’d want something stronger than reputation stamps. Social vouching gets gamed eventually.

The ecosystem is still figuring this out. Human Passport’s acquisition by Holonym and their expansion of ZK credentials suggests they’re thinking about the same limitations we hit.

dev_derek

3

I’m deeply skeptical of the biometric approaches, and I think the crypto community is sleepwalking into a surveillance infrastructure in the name of “sybil resistance.”

Why I Won’t Use Worldcoin’s Orb

Let me be direct: I’m not scanning my iris into a device controlled by a venture-backed company, regardless of what they claim about local deletion and ZK proofs.

Here’s my reasoning:

  1. Trust assumptions: “We delete the data” requires trusting the hardware, the firmware, and the company. That’s exactly the kind of trust assumption crypto was supposed to eliminate.

  2. Irreversibility: If your private key gets compromised, you generate a new one. If your iris scan gets compromised (and biometric databases do get hacked), you can’t generate new eyes.

  3. Coercion risk: In authoritarian contexts, a mandatory biometric ID becomes a tool of control. “Prove you’re human” quickly becomes “prove you’re authorized.”

  4. Scope creep: Today it’s sybil resistance for airdrops. Tomorrow it’s required for accessing services, applying for jobs, crossing borders. The infrastructure, once built, gets repurposed.

The “Decentralized” Identity Contradiction

Notice how these “decentralized” identity solutions require centralized verification?

  • Worldcoin needs physical Orbs operated by approved operators
  • Humanity Protocol needs approved biometric capture devices
  • Even Human Passport’s stamps depend on centralized platforms (Twitter, Google)

We’re building dependency on centralized verification to access decentralized systems. The irony should be obvious.

Why Social Vouching Might Be Better

BrightID’s approach - having verified humans vouch for other humans - at least preserves some crypto values:

  • No biometric data collection
  • Distributed trust (many vouchers, not one Orb)
  • Game-theoretic incentives against false vouching

Yes, it’s slower and more gameable. But it doesn’t create a global biometric database waiting to be compromised or misused.

What Would Make Me Comfortable

Honestly? Nothing involving biometrics. The risk profile is just wrong.

I could accept:

  • Proof of stake in the system (put up collateral to prove commitment)
  • Long-term behavioral analysis (hard to fake years of onchain activity)
  • Hardware attestation with open-source, verifiable devices
  • Tiered access where biometrics are optional for enhanced benefits

The sybil problem is real. But the solution shouldn’t be worse than the disease. Creating a global registry of unique humans linked to biometric data is a dystopian outcome regardless of who controls it.

privacy_pete

4

I work on DAO governance tooling, and I can tell you firsthand: proof of personhood isn’t optional anymore for serious governance. Here’s why.

One-Token-One-Vote Is Failing

The current model is broken in ways that are increasingly hard to ignore:

  • Whale dominance: In most DAOs, 1-5 addresses control majority voting power
  • Voter apathy: Why bother voting when whales decide everything?
  • Attack surface: Buy tokens, vote for malicious proposal, dump tokens. We’ve seen this play out.

We analyzed 50 major DAOs last year. Average quorum achievement was 12%. Average participation among token holders was under 3%. Most “governance” is a handful of whales rubber-stamping decisions.

My Experience with Sybil Attacks on Governance

Last year, a DAO I work with ran a community vote on treasury allocation. We saw:

  • 847 “new” wallets voting in the final hours
  • Clear on-chain clustering suggesting coordinated activity
  • The winning proposal benefited a specific project that had just received funding from a known VC

Was it definitively a sybil attack? We couldn’t prove it. But the pattern was obvious. And under one-token-one-vote, there was nothing we could do.

How PoP Could Enable Quadratic Voting

This is where I get excited. Quadratic voting - where voting power scales with the square root of tokens - is mathematically beautiful for reducing plutocracy. But it’s useless without sybil resistance.

Why? Because without proof of unique humans, you just split your tokens across multiple wallets and vote linearly anyway.

With verified unique humans:

  • 1 person with 100 tokens gets 10 votes
  • 100 people with 1 token each get 100 votes total
  • Community preferences actually matter

Gitcoin’s quadratic funding has proven this model works when you can verify uniqueness. It’s time to apply it to governance.

The Adoption Barriers

So why aren’t DAOs implementing this? From my conversations:

  1. User friction: Token holders don’t want to verify. They already have tokens - why prove anything else?
  2. Philosophical objections: Some view any identity requirement as antithetical to crypto values
  3. Technical integration: Most governance platforms don’t support PoP-gated voting yet
  4. Threshold disagreements: What score is “human enough”? This becomes political.

We’re building optional PoP verification into our platform. Users who verify get weighted participation in quadratic funding rounds. No verification required for basic token voting.

What the Future Looks Like

I think we’ll see a bifurcation:

  • High-stakes governance (treasury decisions, protocol upgrades) will increasingly require PoP
  • Low-stakes governance (temperature checks, signaling) will remain permissionless

The privacy concerns are real, but so is the governance failure mode we’re currently in. DAOs that can’t make legitimate decisions will lose to DAOs that can.

governance_grace