2023 mistakes an IP address for a passport
Forcing real ID on all internet traffic relocates an unsolved identity problem to a layer that cannot verify the subject and creates a higher value target.
Opening Claim
Forcing real ID onto all internet traffic is presented as a child safety control. It is not a control. It is the relocation of an unsolved identity problem from the application layer to the network layer, where the binding between a person and a connection is weaker, not stronger. The framing sells assurance. The mechanism delivers exposure.
The proposal rests on one assumption: that an internet connection can be tied to a verified human being. It cannot. At the network layer, the identifier available for that binding is the IP address. An IP address identifies a route to a machine. It does not identify a person, an intent, or an account. The 2023 framing treats the address as if it were a passport. It is closer to a return label on a parcel that anyone can write, reroute, or reuse.
State the operational position plainly. A control that cannot reliably identify its subject cannot enforce policy against that subject. If the identifier is spoofable, every decision built on top of it inherits that weakness. Mandating identity does not remove the weakness. It mandates that every system now depends on it. You have not added a boundary. You have declared an untrusted signal to be trusted and required everyone to act on it.
The Original Assumption
The assumption underneath real ID for all traffic is that the identifier a system observes maps one to one to an accountable human. That assumption is older than the modern internet and it was never true. IP was built to move packets between machines. It addresses reachability. It does not address attribution. The protocol answers where do I send this, not who is asking. Binding identity to it is binding identity to a delivery path, not to a person.
Several conditions break the one to one mapping, and they are standard, not exotic. Carrier grade NAT places thousands of users behind a single public address, so one identifier maps to many people at the same moment. Dynamic allocation reassigns an address over time, so one identifier maps to different people across a day. VPNs, proxies, and Tor present an exit address that is not the origin, so the observed identifier is by design not the source. The identifier the policy wants to anchor to is many to many with real humans. You cannot enforce a per person rule on a per route signal. The math does not resolve, and no mandate changes the math.
The second part of the assumption is that adding an identity checkpoint at the front door changes who gets through. Identity verification at one layer says nothing about the trust of the layers beneath it. If the transport is spoofable, a verified ID is a clean credential sitting on top of an untrusted channel. The attacker does not argue with the checkpoint. The attacker controls the channel that feeds it. Verifying the visitor at the door does not help if the hallway behind the door accepts anyone. Layered security fails when a lower layer can forge the input the upper layer trusts.
What Changed
What changed in 2023 was not technical capability. The change was intent: a push to enforce identity verification across all internet traffic under a child protection mandate. The infrastructure did not gain a new ability to bind connections to people. The policy simply declared that it must, on a system that was never built to do it. Capability did not move. Expectation did.
The real shift is in the scope of the trust assumption. Identity verification was an application concern. You authenticate to a specific service, and that service is accountable for checking you and for the blast radius when that check fails. Pushing verification to all traffic universalizes a weak binding instead of strengthening it. You do not get one strong identity layer. You get the same unreliable network identifier promoted to load bearing everywhere, and every service downstream now trusts it by default. A single weak signal, enforced universally, becomes a single point of failure enforced universally.
The change also rewrites the economics for the attacker. The moment an identifier is mandated to represent a real, verified person, that identifier becomes worth stealing, renting, and spoofing. The objective stops being “evade the control” and becomes “become a trusted identity.” That is a more durable position. Account takeover, identity resale, and proxying through verified endpoints become the path of least resistance, because the control now does the attacker’s vouching for them. The problem is not eliminated. It is moved to a higher value target and handed a larger blast radius. If a system allows an identity to be assumed, it will be assumed by someone it was not issued to.
Mechanism of Failure
The enforcement loop is simple and that is the problem. A connection arrives. The system reads the identifier available to it. The identifier is the IP address, or under the mandate, a verified ID bound to that address at the network layer. The system checks the identifier against a policy and permits or denies. The failure is located in the read step, not the check step. The value the system reads is supplied by the path, not produced by the person. The enforcement point treats a value it received as a value it verified. Those are not the same operation, and the system cannot tell them apart because the only thing it measured is the route. Observable behavior confirms the gap. The same identifier returns different subjects at the same moment under carrier grade NAT, and the same person returns under different identifiers across dynamic reassignment and VPN exits. The control resolves none of this, because routes are all it can see.
Under a universal mandate the system also loses the ability to fail safely. Before the mandate, a service that could not identify a subject had the option to deny, degrade, or hold. That is a defensive default. The mandate removes it. By declaring that a verified identity must exist on every connection, the policy configures every downstream system to assume the binding is valid rather than to test it. The system is now built to accept the signal, not to challenge it. The observable result is direct. A connection presenting a borrowed or forged verified identity is processed identically to a legitimate one, because nothing after the first checkpoint re-checks the binding. Verification happened once, at a layer that cannot observe the human, and every system after that point trusts the outcome by default.
The mechanism pays the forger. The attacker does not need to defeat the ID check. The attacker needs to arrive on a connection the check already trusts, and the tools that produce that condition are standard and already named above. Proxies, VPNs, Tor exits, shared CGNAT space, and reassigned dynamic addresses each present an identifier that is not the origin. The control reads the presented identifier as the subject. Stated as one sentence: the system enforces against what it was shown, and the subject chooses what to show. That is not a flaw in a specific deployment. It is the behavior of binding a per person rule to a per route signal. The mandate does not change which party controls the value. It only raises the number of systems that act on it.
The Same Failure, Other Systems
The mechanism has a fixed shape. A system trusts an origin-claimed identifier as proof of identity while the party being identified controls the value of that identifier. Wherever that shape appears, the same failure appears, for the same reason, with no new domain knowledge required to predict it.
Caller ID is the shape in the telephone network. The network presents a calling number to the receiving end. The receiving system, and the human behind it, treat that number as the identity of the caller. The originating side sets that number and can set it to any value. The outcome is observable in every voice phishing operation that displays a bank’s number and is answered as the bank, because the only thing checked is the presented identifier. The identity field is supplied by the subject being identified, and the consuming system trusts the field instead of testing the binding. Email shows the identical shape. A message arrives carrying a sender value. Systems and readers treat that value as the sender. The value is written by the party sending the message. Without an independent binding, the displayed sender is whatever the sender entered.
Request headers that claim an original client address are the same shape again. A backend reads a header asserting the client identity and makes access decisions on it. The header is set upstream and, when the path is not strictly controlled, can be set by the client itself. In each case the identifier presented by the request is consumed as the truth about the request. Generalize the pattern from the mechanism alone. Every one of these failed because identity was inferred from a value the subject can set, at a layer that cannot observe the subject. Real ID for all traffic is this pattern declared mandatory and universal. Requiring that the value exist does not change who sets it. It only guarantees that more systems will act on a value the subject controls, and that the value is now labeled verified when they do.
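The header case, as an added example that is not part of the original article: a backend that reads a client-asserted X-Forwarded-For value as the subject, beside one that only honours the part of the chain appended by reverse proxies the operator controls. The proxy range, the allowlist, and the sample requests are constructed for the demonstration.

```python
"""
Added example (not from the original article): two ways a backend can turn an
X-Forwarded-For header into a client address, and what a policy keyed on that
address decides in each case. All addresses below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed: the only reverse proxies this backend should be reachable through.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

# Constructed: an allowlist keyed on client address, standing in for any
# per-route policy (geo rules, rate limits, a "verified" marker).
ALLOWED_CLIENTS = [ip_network("203.0.113.0/24")]


def _in_any(addr: str, nets: Iterable) -> bool:
    """True if addr parses and falls inside one of the given networks."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip_naive(peer: str, xff: Optional[str]) -> str:
    """Treats the header as the subject: the request says who it is."""
    if xff:
        return xff.split(",")[0].strip()
    return peer


def client_ip_hardened(peer: str, xff: Optional[str]) -> str:
    """
    Believes only the part of the chain written by proxies the operator
    controls. Walks the chain from the right (nearest hop) and stops at the
    first address that is not a trusted proxy; anything further left was
    written by an untrusted party and is ignored.
    """
    if not _in_any(peer, TRUSTED_PROXIES):
        # Direct connection: the header is client-supplied and carries no weight.
        return peer
    if not xff:
        return peer
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    # Every hop was one of our proxies; fall back to the peer we actually saw.
    return peer


def is_allowed(client: str) -> bool:
    return _in_any(client, ALLOWED_CLIENTS)


def decide(peer: str, xff: Optional[str], hardened: bool) -> bool:
    """Access decision a policy keyed on client address would make."""
    resolver = client_ip_hardened if hardened else client_ip_naive
    return is_allowed(resolver(peer, xff))


if __name__ == "__main__":
    # Constructed requests. 'direct' connects straight to the backend and
    # asserts an allowed address in a header it wrote itself. 'via_proxy'
    # does the same through the trusted proxy, which appends the real peer.
    # 'legit' is a genuine allowed client arriving through the proxy.
    cases = {
        "direct":    ("198.51.100.7", "203.0.113.5"),
        "via_proxy": ("10.0.0.5", "203.0.113.5, 198.51.100.7"),
        "legit":     ("10.0.0.5", "203.0.113.5"),
    }
    for label, (peer, xff) in cases.items():
        print(f"{label:10} naive={decide(peer, xff, False)} "
              f"hardened={decide(peer, xff, True)}")
```

The naive resolver admits both forged requests because it consumes the value the subject wrote. The hardened resolver only survives because the operator owns the proxies and has made the backend unreachable except through them; without that network control it degrades to the naive case. Even then it identifies a route and nothing more, which is the article's point: the hardening fixes who sets the value, not what the value means.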
Operator Position
Identity is the boundary. A boundary you cannot verify is not a boundary. It is an assumption with a label on it. Real ID for all traffic does not create a verifiable boundary. It declares the existing unverifiable signal to be the boundary and orders every system to enforce against it. That is not added control. That is removed doubt about a signal that earned the doubt. The framing sold a checkpoint. The mechanism delivers a forgeable token promoted to load bearing everywhere at once.
State what must now be true for any identity control to function. The binding between subject and connection must be testable at the point of enforcement. The identifier must not be settable by the subject being evaluated. Trust in the binding must be re-validated continuously, not asserted once at a front door and carried forward. The 2023 proposal satisfies none of these conditions on the identifier it relies on. Whether any version of it could satisfy them on IP is not confirmed, and absence of that confirmation is a condition, not a detail to fill in. Until those conditions hold, the control identifies a route and calls it a person.
Forcing identity does not produce identity. It produces a higher value target wearing the word verified, with a larger blast radius, enforced across every service that now defers to it. Stolen, rented, and proxied identities become the normal traffic of the system, because the system vouches for them by default. The child safety framing does not survive contact with the mechanism. A control that cannot reliably identify its subject cannot enforce any policy against that subject, including the one it was sold to deliver. If a system allows an identity to be assumed, it will be assumed by someone it was not issued to. Build for that condition, or do not call it a control.