Sign Protocol does one thing right that previous digital identity systems could not do. Using ZK proofs and BBS+ signatures, cryptographic operations that let you prove a statement is true without revealing the underlying data, a user can prove they are over 18 without sending their date of birth, or prove they live in a region without revealing their full address. Sensitive data never leaves the device, and there is no central server to be hacked or leaked. If we look only at the cryptographic layer, this is a very clean design.
This is where I start to see two conflicting issues, both arising from the design of Sign itself.
The first issue lies in what ZK does not protect. Metadata.
In Sign's docs, they recommend that verifiers avoid storing correlatable identifiers and rotate session IDs to reduce the ability to link data. It sounds good, but it is only a behavioral recommendation, not something the protocol enforces. A bank using Sign can avoid storing dates of birth or addresses entirely and still log the time of verification, the credential type, the IP address, the device fingerprint, and the session ID every time authentication occurs. No raw data is needed. With just that metadata, they can still reconstruct user behavior with high accuracy. This is not a hypothesis. In 2006, AOL released an "anonymous" search dataset, and users were re-identified from their search patterns alone, without names or addresses.
ZK proof protects declared data. It does not protect traces of behavior.
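To make the metadata point concrete, here is an added example (not code from Sign or its docs) that audits a constructed verifier log in which no credential attributes are stored and session IDs rotate, yet the remaining fields still link one user's verifications; the field names and the retention policy in `minimize` are assumptions for this example.

```python
"""Audit a Sign-style verifier's metadata log for linkability. No credential
data (DoB, address) is stored, yet fields like IP and device fingerprint can
still link a user's verifications across rotated session IDs."""
from collections import defaultdict

# Constructed verifier log (not real data): session IDs rotate per
# verification, as Sign's docs recommend, and no raw identity attributes are kept.
VERIFIER_LOG = [
    {"ts": "2024-03-01T09:02:11", "cred": "age_over_18", "ip": "203.0.113.7",
     "device_fp": "fp-a1", "session": "s-001"},
    {"ts": "2024-03-01T09:40:53", "cred": "region_eu",   "ip": "203.0.113.7",
     "device_fp": "fp-a1", "session": "s-002"},
    {"ts": "2024-03-02T18:15:09", "cred": "age_over_18", "ip": "198.51.100.4",
     "device_fp": "fp-a1", "session": "s-003"},
    {"ts": "2024-03-02T18:20:30", "cred": "age_over_18", "ip": "198.51.100.4",
     "device_fp": "fp-b9", "session": "s-004"},
]
NON_IDENTIFYING = {"ts", "cred", "session"}  # fields not treated as identifiers

def timelines(records, keys):
    """Group records whose chosen fields coincide and return one time-ordered
    (ts, cred) timeline per group: the behaviour the ZK proof never hid."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in keys)].append((r["ts"], r["cred"]))
    return {k: sorted(v) for k, v in groups.items()}

def longest_timeline(records, keys):
    """Length of the longest reconstructable timeline; 1 means nothing links."""
    return max(len(v) for v in timelines(records, keys).values())

def correlatable_fields(records):
    """Fields whose value recurs across different sessions: these are the
    'correlatable identifiers' a verifier should not be retaining."""
    seen = defaultdict(set)  # (field, value) -> sessions it appeared in
    for r in records:
        for f, v in r.items():
            if f not in NON_IDENTIFYING:
                seen[(f, v)].add(r["session"])
    return {f for (f, _), sessions in seen.items() if len(sessions) > 1}

def minimize(record):
    """Retention filter: keep only what an audit of the proof itself needs
    (an assumed policy for this example, not Sign's)."""
    return {k: v for k, v in record.items() if k in NON_IDENTIFYING}

if __name__ == "__main__":
    print("by session  :", longest_timeline(VERIFIER_LOG, ["session"]))    # 1
    print("by device_fp:", longest_timeline(VERIFIER_LOG, ["device_fp"]))  # 3
    print("correlatable:", correlatable_fields(VERIFIER_LOG))  # {'ip', 'device_fp'}
    print("after minimize:", correlatable_fields([minimize(r) for r in VERIFIER_LOG]))  # set()
```

Rotating session IDs alone leaves the device fingerprint linking three of the four verifications; only dropping the correlatable fields at the verifier makes the log non-linkable, which is exactly the step the protocol leaves to policy.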
But even ignoring the metadata, the bigger problem still lies on the legal side.

The FATF Travel Rule, a Financial Action Task Force requirement that 200 countries have committed to implementing, requires financial institutions to automatically attach identifying information about the sender and recipient to every transaction over $1,000. Not just when requested: it must be there by default, must be shared, and must be stored for audit. This design directly contradicts selective disclosure. In 2022, OFAC sanctioned Tornado Cash, not because the code was wrong but because the system could not distinguish legal transactions from money laundering when privacy is absolute by design. This is the first time in history a smart contract has been punished: not a company or an individual, but a piece of code. Sign is not Tornado Cash; it has more layers of compliance. But the core logic is the same: if a system cannot expose information when regulators need it, it is not allowed to operate in a regulated environment.
And this is when everything converges.
Sign is building CBDC and regulated stablecoin infrastructure for the UAE, Thailand, and Singapore, all of which sit within the FATF framework. A transaction in these systems must satisfy two conditions at once: protect user privacy with a ZK proof, and expose the correct identifying information to comply with the Travel Rule. Sign can implement a separate compliance mode for regulated flows, but once compliance is the default, disclosure is no longer "selective". It becomes mandatory.
This means privacy still exists, but it is no longer at the center of the system. Pushed to the periphery, it operates only in contexts that are not legally bound, which means it does not operate in the very deployments Sign is targeting.

I don't think Sign designed it wrong. On the contrary, all three things they chose are correct. ZK selective disclosure is right. Sovereign deployment is right. FATF compliance is mandatory. The problem arises when these three correct things are placed in the same system; the result is no longer privacy in the way users typically understand when they hear about ZK. This is no longer a technical problem. This is a structural problem that no purely technical solution can resolve.
This is not a limitation of technology. This is a limitation of the system that technology is trying to exist within.
Can selective disclosure truly exist in a system where disclosure is a default requirement, or does Sign ultimately have to choose between user privacy and compliance for the sovereign? And if a choice must be made, what is the actual "privacy infrastructure" that the market is valuing?
@SignOfficial $SIGN #SignDigitalSovereignInfra