The History of Identity Documents — A 3-Part Series

• Part 1: From Ancient Identity Records to Medieval Passports
• Part 2: When the State Began Recording Faces
• Part 3: From Genealogy to Digital Databases (current article)

The History of Identity Documents, Part 3: From Genealogy to Digital Databases

In a local government office in late Joseon Korea, men worked through the night with their brushes — but not to write. They were falsifying genealogical records. Changing ancestors, rewriting bloodlines, inserting family names into the registries of prestigious noble clans. The Annals of the Joseon Dynasty record a case from the 18th century in which an official was caught running a genealogy forgery ring.^[1] In Joseon Korea at that time, a genealogical record was no mere family archive. It was the most powerful document proving who a person was — and therefore worth forging.

Some 250 years later, a farmer in India walked into a bank to collect a government subsidy. He placed his finger on a scanner. A few seconds later, a single 12-digit number confirmed his identity. No genealogy, no paperwork, no witnesses. Only his fingerprint proved he was who he said he was.^[2]

The answer to the question “who are you?” shifted from blood to pixels — and here, in this final chapter, we trace how that long transformation came to its present form.

Genealogy — When Blood Was Identity

In East Asia, genealogical records were not simply books that catalogued families. They were proof of identity.

The oldest known Korean genealogy, the Andong Kim clan registry, was compiled in 1476.^[1] But the practice of keeping genealogies began far earlier. From the Goryeo period, the ruling class recorded their lineages, and when Joseon succeeded Goryeo, the Neo-Confucian family order grew stronger and genealogy became even more consequential. In 1412, the Joseon royal house compiled the Seonwon-nok, a registry of royal descent, as a means of justifying succession through bloodline.^[1]

Among the yangban nobility, genealogical records served two key functions. First, they proved social status. To sit for certain examinations or to take official posts, one had to demonstrate yangban ancestry — and genealogy was that proof. Second, they governed marriage. Joseon society prohibited marriage between people of the same surname and clan, and genealogies were consulted to verify that a prospective spouse’s family was of appropriate standing.^[1]

In China, genealogical records served a similar role. The Chinese jiāpǔ (family genealogy) originated in the imperial court, spread to the literati class during the Song dynasty, and by the Ming and Qing periods ordinary commoners had begun compiling them as well. Chinese genealogies could run to hundreds of volumes and were sometimes used to claim descent from a particular emperor. In Japan, the keizu (genealogical chart) of samurai households functioned as documents proving feudal allegiances and land ownership.^[3]

This system, however, had a structural weakness. Genealogical records were ultimately words on paper. If someone could change those words, they could change their bloodline itself.

As Joseon entered its later period, genealogy forgery became increasingly rampant. The Japanese invasions of 1592–1598 and the Manchu invasion of 1636–1637 shattered state administration and destroyed countless originals of household registers and genealogical records. Taking advantage of the chaos, newly wealthy commoners and lower-status people began purchasing or forging genealogies to pass themselves off as yangban.^[1] By the 18th century, genealogy forgery had become an almost open practice. As a result, by the time the class system was formally abolished at the end of the 19th century, a substantial portion of the population claimed yangban ancestry. The proportion of yangban, which had been less than 10% of the population barely a century or two earlier, exceeded 70% in some regions by certain estimates.^[1]

This reveals a paradox. In a society where bloodline determined status, the record of bloodline was paradoxically susceptible to falsification. Blood, they said, cannot lie — but the documents recording blood could lie quite effectively.

Numbers Replace People — Modern National ID Systems

As the 20th century arrived, governments across East Asia introduced new methods of identity management. Where genealogy had defined individuals through their families, the modern state defined them through numbers.

In Korea, the origin of the modern ID system dates to 1962. The Resident Registration Act, promulgated on May 10th, aimed at enabling the state to track the residence of every citizen.^[4] The stated rationale was efficient population management during post-Korean War reconstruction, but the political context also matters. Enacted shortly after the Park Chung-hee government came to power, the resident registration system was also intertwined with national security logic — specifically, preventing North Korean infiltrators.^[4]

The resident registration number, initially 12 digits, was revised to 13 digits in 1975. The first six digits represent the date of birth; the first digit of the remaining seven indicates gender and birth century, followed by a regional birth code, registration sequence number, and check digit.^[4] As this number was linked first to the resident registration card, and later to every administrative service — taxes, healthcare, finance, telecommunications — the resident registration number became the very means by which Koreans exist within society.

The pattern of a number being used far beyond its original purpose, as in Korea’s case, has repeated itself in country after country — just as we saw with the United States Social Security number in Part 2.

China’s case had a different origin. China’s hùkǒu (household registration) system, as discussed in Part 1, is a tradition stretching back to antiquity, but the modern Chinese Resident Identity Card (居民身份证) was first issued in 1985. Initially a simple paper ID, a second-generation card was rolled out nationwide from 2004.^[5] The second-generation card contains a contactless IC chip; when scanned, it automatically retrieves the holder’s name, gender, ethnicity, date of birth, address, 18-digit ID number, and digital photo.^[5]

Japan took a different direction. The My Number (マイナンバー) system introduced in 2015 assigned a 12-digit number to every resident for use in taxation, social security, and disaster response.^[6] Yet the uptake of the My Number Card was sluggish for years — 25% as of March 2021, reaching 40% by October of that year only thanks to a large-scale government points-incentive scheme. Among Japanese citizens, there was deep-seated distrust of the government’s integrated management of personal information.^[6] This illustrates how the same numbering system can be received in entirely different ways depending on culture and history.

The Body as ID — The Age of Biometrics

The fingerprint technology we examined in Part 2 gradually made its way into national identity documents as well. But the decisive moment that established biometrics as the standard for international travel documents was the terrorist attack of September 11, 2001.

When it emerged that some of the 19 hijackers had entered the United States using false identities, governments became obsessed with making travel documents impossible to counterfeit.^[7] The International Civil Aviation Organization (ICAO) had already been studying ways to incorporate biometric data into travel documents since 1998. But after 9/11, this work accelerated dramatically.

ICAO adopted Doc 9303, the international standard for biometric electronic passports, in 2003.^[7] Under these standards, an electronic passport contains a microchip with the holder’s facial image stored digitally. Fingerprint and iris data are optional, but the facial photograph data is mandatory.

Malaysia issued the world’s first biometric passport in 1998, and Belgium was the first country to issue an electronic passport fully compliant with ICAO specifications in 2004.^[7] The pace of adoption then quickened rapidly. By 2008, 60 countries were issuing electronic passports; by mid-2019, more than 150 countries were following ICAO standards. Approximately 1 billion electronic passports are currently in circulation worldwide.^[7]

While electronic passports have revolutionized border control, facial recognition and fingerprint scanning are spreading rapidly for domestic identity verification. Automated passport gates at airports, smartphone unlocking, bank app logins — the body is replacing the password. But when the body becomes the password, the password cannot be changed. If a fingerprint is compromised, a new fingerprint cannot be issued.

One Billion Fingerprints — India’s Aadhaar and the Digital Identity Experiment

The most ambitious experiment in the history of identity registration began in India in 2009.

At that time, India had no single national ID system. Indians carried separate documents for each purpose — taxes, food rations, gas connections, voting. These documents were not connected to one another, and hundreds of millions of India’s poor had no proper identity documentation at all. Government subsidies were leaking away through layers of middlemen.^[2]

The Unique Identification Authority of India (UIDAI), established by the government, began issuing a 12-digit biometric identity number called Aadhaar — a Hindi word meaning “foundation.” The enrollment process collects ten fingerprints, iris photographs from both eyes, and a facial photograph.^[2] This data is stored in a central database and matched in real time whenever authentication is required.

The scale is staggering. Within the first five years, 600 million people enrolled; as of May 2023, more than 99.9% of India’s adult population holds an Aadhaar number.^[2] Total enrollment has surpassed 1.3 billion. It is the world’s largest biometric identity database.

Aadhaar’s effects have been real. Government statistics report that after the introduction of Aadhaar-linked direct benefit transfers in the cooking gas subsidy scheme, fraudulent or duplicate registrations were eliminated, saving billions of dollars.^[2]

But criticism has been substantial. Iris recognition failure rates have been notably high among the elderly and manual laborers, and deaths from being unable to receive subsidies as a result have been reported. The story of an elderly farmer whose fingerprints had worn away illustrates how biometric systems can exclude people with unreliable bodies from the system.^[2] India’s Supreme Court ruled in 2018 that the Aadhaar Act was constitutional only for specific purposes. The conclusion was that making Aadhaar authentication mandatory for private companies was unconstitutional.^[2]

The Estonian Model — An Experiment in a Trustworthy Digital State

On the other side of the globe, Estonia — a small country of 1.3 million people — is running a different kind of digital identity experiment.

Estonia went all-in on building a digital state after gaining independence from the Soviet Union in 1991. It introduced a national electronic identity card (e-ID) in 2002, and since then almost all public services — tax filing, access to medical records, voting, company registration — have moved online.^[8]

In 2014, it launched the world’s first e-Residency program, which grants digital identity to non-residents.^[8] Even without living in Estonia, one can establish an Estonian company, use digital signatures, and access the EU financial system. On December 1, 2014, British journalist Edward Lucas became the first e-resident. By the end of 2023, more than 135,000 people from 181 countries had become Estonian e-residents, and the Estonian companies they had founded numbered over 27,000.^[8]

The core of the Estonian model is transparency and control. Every citizen can check a log of who accessed their data and when. If a government official looks up a citizen’s information without authorization, a record is created — and that record is grounds for punishment. The difference between “the state has the data” and “citizens can see their own data” is what defines the Estonian model.

The European Union is moving in this direction as well. The eIDAS 2.0 regulation, which entered into force in May 2024, requires all EU member states to provide a standardized digital identity wallet system by 2026.^[9] Identity information stored in this wallet cannot be shared with third parties without the user’s consent, and information that has already been shared can be later withdrawn.

The Shadow of Surveillance — Digital Identity and the Boundary of Control

Digital identity technology clearly offers convenience. But it is equally clear that the same technology can be used for entirely different purposes.

China’s social credit system is often described in Western media in ways that misrepresent it. The image of a single unified numerical score assigned to every Chinese citizen is widely held, but the reality is closer to a collection of scattered systems operated by local governments and individual ministries — not a centrally integrated system.^[10] Yet that does not make the substantive concerns disappear.

The 2014 State Council document “Planning Outline for the Construction of a Social Credit System (2014–2020)” set a goal of building a system to track the creditworthiness and legal compliance of companies and individuals.^[10] Sanctions such as bans on air and train travel and restrictions on luxury hotel use have been implemented in practice. As of 2020, the system handled data on 103 million individuals and 22.74 million companies.^[10]

On a broader scale, facial recognition technology is being widely deployed for surveillance of public spaces. Facial recognition systems connected to cameras installed throughout cities can identify individuals in real time. Whether this serves public order and safety or serves to control dissidents and ethnic minorities is a matter of perspective. International human rights organizations have pointed to the surveillance apparatus targeting Uyghurs in Xinjiang as a case showing how biometric technology can be repurposed as a tool of control directed at specific groups.^[10]

This is a repetition of history from Part 2. The “J” stamp on Jewish passports in Nazi Germany, the ethnicity entry in Soviet internal passports, the pass laws of apartheid South Africa — the meaning of identity verification technology is always determined by the system operating it. Digital identity is no exception.

In 1949, George Orwell depicted in his novel Nineteen Eighty-Four a world where telescreens surveilled every citizen around the clock and the Party redefined even individual identity. What Orwell feared was not any particular technology. It was the structure by which the state reduces citizens’ very existence to data, and uses that data as a means of control. The novel’s protagonist, Winston Smith, bore the number 6079. The number came before the name. Orwell wrote the novel shortly after he had directly witnessed the Soviet internal passport system and the Nazi identity-marking apparatus. It was fiction — but the warning grew from real observation.

Self-Sovereign Identity — Can I Prove Who I Am Without the State?

For thousands of years, proving one’s identity has required a third party. The king’s seal, the family genealogy, the state’s database — one’s identity has always been held and managed by someone other than oneself.

With the emergence of blockchain technology, a different possibility has entered the discussion: the concept of Self-Sovereign Identity (SSI), which came into serious focus around 2015.^[11] The core idea is simple. I manage my own identity information directly, and I present only the information that is needed, to the party that needs it, selectively.

Technically, it is built on two elements: Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs).^[11] Consider proving legal drinking age. Today, showing a national ID card exposes your date of birth, home address, and full name all at once. Under an SSI system, it would be possible to present only the verifiable fact that “this person is of legal drinking age” — without disclosing the specific date of birth or address.

The World Wide Web Consortium (W3C) has adopted the Verifiable Credentials (VC) standard as a formal international standard, and Decentralized Identifiers (DIDs) are nearly at the same stage.^[11] The EU’s eIDAS 2.0 digital identity wallet has incorporated much of this philosophy.

Of course, how well self-sovereign identity will function in reality remains to be seen. For a blockchain-based identity system to practically replace state-issued identification, there are many technological, legal, and social barriers to overcome. Above all, being able to “prove” an identity only means something if there is a counterparty who trusts that proof. Without trust in the system, technology cannot function.

From Blood to Pixels — What Has Not Changed

From Part 1, when Nehemiah in 445 BC passed through a gate carrying a letter from the king, to Part 2, when Bertillon dissected criminals’ bodies into measurements — and now to this era of opening airport gates with iris scans and accessing bank accounts with fingerprints.

The forms of identity verification have kept changing. From the king’s seal to bronze tablets, from bronze tablets to paper, from paper to photographs, from photographs to fingerprints, from fingerprints to irises, from irises to numbers in a database.

Yet something has not changed. The power relationship between those who seek to verify identity and those who must be verified. Across thousands of years, identity verification systems have generally been created by the powerful to track the less powerful. Rome’s military discharge certificate was for non-citizens. Joseon’s hopae identity tag weighed more heavily on commoners than on yangban. Nazi Germany stamped “J” on Jewish passports; apartheid required only Black people to carry passes.

The Joseon commoner who forged a genealogy, the elderly Indian who could not receive subsidies because he was not enrolled in Aadhaar, the Japanese citizen increasingly excluded from administrative services without a My Number card — all of them are people standing before the question: “Who are you?”

As technology becomes more sophisticated, the cost of failing to answer that question also grows. An identity that the system does not recognize becomes equivalent to one that does not exist. Whether the medium is genealogy, a database, or an iris scan.

The most important question is not a technological one. Who operates the system, for whom it is operated, and what responsibility it bears toward those left outside the system — this is the oldest question the history of identity documents has left us.

Previous article: Part 2: When the State Began Recording Faces