Should Private Corporations Run the World’s Identity Infrastructure?

Trying to sell your handcrafts on Etsy? Well, providing your bank account and verifying your email is no longer enough. Companies like Etsy have launched very aggressive biometric and ID verification systems run by private firms financed by investment capital. This seems to be a growing trend in digital platforms and will only become more intrusive, gradually replacing the traditional role of governments—with no public oversight or control.

This will be soon ubiquitous: when you open a bank account, apply for a remote job, or even sign up for certain online communities, you may be asked to verify your identity. Increasingly, this doesn’t mean showing your ID to a government clerk. Instead, you upload your passport or driver’s license and take a selfie—all of which gets processed by a private corporation like Persona, Onfido, or Jumio.

Another example is ID.me, a private tech company, not a public agency. Their loyalty is to their investors, not to the people whose data and identity they manage. They are another example of a “public-private” partnership, a neoliberal Trojan horse where a private corporation takes on the function of a government agency, in this case to manage the identity and data of perhaps millions of citizens. They are not accountable to anyone, not to the people in the form of a public board, a commissioner, or some other governing body but only to their investors and shareholders.

• As of early 2025, ID.me secured a $275 million credit facility from Ares Management, which also intends to make a substantial equity investment (ID.me Network).

An example of a public agency answerable to the people, would be the US Social Security Administration, established by the 1935 “Social Security Act”. They are answerable to the people in the form of their Congressional representatives in the US House and Senate, are subject to congressional oversight and to the laws and regulations of the United States enacted by the US Congress.

This all raises an unsettling question: should private corporations really run the world’s identity infrastructure?

The Case For Private Corporations

Companies like Persona argue that they are the most efficient and innovative way to manage identity in the digital age. They promise verification that takes seconds instead of days, using AI to spot fraud that human clerks could easily miss. For businesses operating across borders, these services also provide a way to accept IDs from dozens of countries through a single system, saving time and money. In this view, outsourcing to a private vendor is not just convenient—it is necessary for modern commerce and global digital participation.

But the story doesn’t end with convenience. What corporations sell as efficiency may also come with hidden costs to personal privacy and long-term freedom.

The Risks

Relying on private corporations to safeguard our most sensitive personal data carries real dangers. First, these companies are accountable to their investors, not to citizens. Protecting privacy is not their primary business model; their incentive is growth and profit. Second, by centralizing government IDs and biometric data, they create tempting targets for hackers. A single breach could expose millions of passports, driver’s licenses, and face scans.

And here lies the biggest concern: this system is largely unregulated. Once your identity data is handed over, it is often segmented, shared across multiple vendors, and stored in ways you cannot fully track. History shows that such data is frequently hacked, leaked, or even sold on the black market, where stolen identities fetch a high price. The very thing meant to protect your identity can end up putting it at greater risk.

The Alternatives

If corporations should not be the default custodians of identity, who should? Governments already issue the official documents, so they are logically better positioned to oversee digital verification. While states are not immune to abuse, they at least operate within legal frameworks and are ultimately accountable to citizens.

Another alternative is to develop open, decentralized protocols that give individuals greater control over their data. Self-Sovereign Identity (SSI) and Decentralized Identifiers (DIDs) are still in their early stages, but they show promise in creating systems where personal information is not locked inside private corporate databases.

Why It Matters

Identity is the key to access: to money, healthcare, education, and political participation. Whoever controls identity infrastructure controls inclusion itself. Private corporations have already shown how quickly they can turn data into a commodity—something to be packaged, monetized, and even traded like an asset on the market. But identity is not a commodity. It is a fundamental human right.

Governments, for all their imperfections, are more legitimate custodians of this sensitive information. They can create rules, ensure oversight, and at least in democratic societies, be held accountable by the people. The same cannot be said of corporations driven by quarterly earnings and investor returns.

Closing Thought

Private corporations should not run the world’s identity infrastructure. Their profit motive means they inevitably treat personal data as a resource to be exploited. Our most intimate details—faces, fingerprints, passports—should never be reduced to a tradable commodity.

If identity is the foundation of citizenship, then it belongs in the public domain, safeguarded by governments under strict regulation, and ideally complemented by open protocols that give individuals more control. Anything less is an invitation to exploitation—and a risk we cannot afford.