History of Sybil Resistance in Governance and Economy - Part II

By the mid-20th century, governments had built up a decent toolkit for keeping track of who’s who: birth certificates, fingerprints, ID cards, and population registers. But then came computers. And the internet. And suddenly, the challenge wasn’t just stopping someone from claiming two rations; it was keeping bots, sock puppets, and duplicate accounts from flooding systems at a global scale.
In this part, we’ll dive into how the late 20th century and digital era reshaped Sybil resistance, from national databases and biometric passports to online identity, CAPTCHA, and the race to prove you’re human in a world full of bots.
Read Part 1 on the History of Sybil Resistance
Late 20th Century
By the mid-1900s, democracies started taking "one person, one vote" seriously, not just as a slogan, but as a system. Before that, things were kind of wild. In the UK, up until 1950, some folks could legally vote more than once. Own property in multiple places? Graduated from a fancy university? Congrats, you get extra votes. That changed with the Representation of the People Act of 1948, which shut that loophole down and finally made British elections properly one-person-one-vote.
Over in the U.S., the 1960s Supreme Court stepped in with rulings that made legislative districts follow the same rule: one person, one vote. No more letting rural areas with tiny populations have the same voting weight as major cities. Alongside that came voter rolls, official lists of who could vote, that poll workers checked off as people cast their ballots. No double voting, no sneaking in as someone else. If your name’s checked, that’s it. You voted.
This was governance-level Sybil resistance in action. Each person’s vote got tied to one identity, one time, no repeats.
But not every country had the resources to issue ID cards to everyone. So when India, the world’s biggest democracy, held elections in 1962, they turned to something simple: ink.
Not just any ink. Indelible ink. Stuff that stains your finger and won’t come off for days or weeks. Once you vote, you get marked. And if you show up at another polling station trying to vote again, that purple finger gives you away instantly.
It worked. And it spread. Countries across Asia, Africa, and the Middle East adopted the practice. In places where documentation was scarce or unreliable, this became the go-to Sybil-resistance tool. You could vote, but only once. After that, your stained finger said loud and clear: “Already voted.”
In some elections, like Iraq’s in 2005, people proudly showed off their purple fingers, part badge of honor, part anti-fraud measure.
But ink was just one piece of the puzzle. As the 20th century rolled on, countries started looking for more permanent, foolproof ways to tie a person to a single identity, not just during elections, but across everyday life.
Post-War IDs: One Card to Rule Them All
After World War II, a lot of nations decided it was time to lock things down with official identity cards. West Germany led the way in 1950 with a mandatory national ID, and before long, countries across Europe, Asia, and Latin America followed. By the 1980s, carrying a government-issued ID, with your name, photo, personal ID number, and an official seal, was the standard.
And these cards weren’t just wallet filler. You needed them to vote, open a bank account, apply for jobs, access services, basically to do anything that involved proving you were you. The goal? Make sure each person can only have one official identity. No double-ups, no ghost accounts, no sneaky duplicates. If someone tried to register twice, the system would catch it.
As tech got better, the cards did too. By the late ’80s, countries like Spain and Singapore started embedding chips in their IDs, little digital brains that stored your personal data and made forgery a nightmare. These smart IDs were tied directly to national databases, so any mismatch or fraud attempt could be caught instantly.
In short: if indelible ink was the “quick fix” for one-person-one-vote, national IDs became the long-term Sybil resistance strategy, a baseline for trust in everything from elections to economics.
And once everyone had an ID card in their pocket, the next question was: how do we manage all that identity data at scale? The answer, starting in the 1970s, was simple: computers.
1970s–80s: When Governments Went Digital
With national registries growing fast, governments needed a better way to keep track of who was who, and spot when someone was trying to be two people at once. So they turned to machines.
In 1977, the U.S. launched a program to digitize public records and link data between agencies, tax departments, and banks. The point wasn’t just efficiency; it was to stop people from cheating the system. If someone tried to claim welfare in two different states or filed taxes under two different names, the databases could now talk to each other and raise a flag.
Other countries were doing the same thing. Civil records, voter rolls, ID registries, they all started moving from paper files in dusty cabinets to searchable databases on screens. And with that came a big upgrade in Sybil resistance. No more relying on memory or local knowledge. Now, if your details popped up twice in two places, the system could catch it in seconds.
By the 1980s, the idea of “one person, one file” had become the new normal. Identity wasn’t just about what you carried; it was about what the system knew about you, and whether any of it looked suspicious. And just like that, computers became society’s quiet bouncers, scanning the guest list, checking it twice, and kicking out the fakes.
So now governments had digital records, centralized databases, and ID systems that were hard to fake. But just as things were getting locked down in the physical world... the internet showed up and broke everything open again.
Late 1990s–2000s: Sockpuppets, CAPTCHAs, and the New Digital Sybils
The web was a new frontier, wild, open, and mostly anonymous. And while that anonymity was exciting, it also meant Sybil attacks had a whole new playground. Forums, chat rooms, multiplayer games, and early social media all started getting swarmed by users with dozens of fake accounts, often called “sockpuppets.”
Some folks used them to argue with themselves and sway conversations. Others used them to cheat, inflate numbers, or spam content. No surprise, if you could make 10,000 fake accounts with no ID check, Sybil resistance basically fell apart online.
That’s where CAPTCHAs came in.
First rolled out by AltaVista in 1997 (yes, before Google was cool), these “are-you-human?” puzzles were designed to trip up bots. Maybe it was squiggly text, maybe a bunch of blurry traffic lights, but the idea was simple: make sure it’s a real person signing up, not a script hammering ‘Register’ 10,000 times.
By the early 2000s, CAPTCHAs were everywhere, protecting comment sections, email sign-ups, voting systems, and game accounts. And while they didn’t verify who you were, they at least helped ensure you were a person. For the online world, that was a huge first step in rebuilding some basic Sybil resistance.
The internet made it easy to be anyone or everyone. But CAPTCHAs reminded us that not every “user” should be counted the same.
But just as websites were patching together ways to block bots and sockpuppets, researchers started looking deeper. What if this identity-spamming problem wasn’t just annoying, but actually a fundamental threat to how decentralized systems work?
2002 – The “Sybil Attack” Gets a Name
Enter 2002, when a Microsoft researcher named John Douceur dropped a paper that pretty much kicked off the modern era of thinking about Sybil resistance. He described something we now call a “Sybil attack”, when one person pretends to be a bunch of independent identities (or nodes) in a peer-to-peer network. Think of it like a voting room where one person sneaks in wearing 50 different disguises.
The term “Sybil” came from a real-life case involving multiple personalities, and it stuck. What Douceur figured out was brutal but true: in a fully decentralized system, if there’s no cost or friction to creating identities, then anyone can spin up as many as they want and take over.
His paper proved something pretty uncomfortable: unless a system can verify that each identity is unique and independent (or make it expensive to create them), it’s game over. Everything from voting to reputation to trust completely breaks.
This wasn’t just theory. It became the foundation for a whole new wave of research: how do we design systems where one person = one voice, even without a central authority? Proof-of-work, proof-of-stake, social graphs, biometric proofs, all of that got supercharged after Douceur’s work.
In short, 2002 is when the Sybil problem officially became a thing, and builders started taking it seriously.
After Douceur lit the Sybil signal in 2002, the race was on: how do you stop one person from pretending to be a hundred? The answer, at least in the early days of crypto, was simple: make it expensive.
Proof-of-Work: Making Fakes Too Costly to Scale
Before Bitcoin was even a thing, some clever folks in the ‘90s were already playing with a concept called proof-of-work. At first, it wasn’t about money; it was actually a spam blocker. The idea? Before you could send an email, your computer had to do a bit of math. Just enough to annoy spammers trying to blast out millions.
Fast-forward to 2009, and Satoshi Nakamoto takes that same logic and bakes it into Bitcoin. Now, instead of proving you’re human with a CAPTCHA, you prove your “identity” by burning electricity to solve math puzzles. One miner = one identity = one shot at earning a block reward.
But here’s the genius part: anyone can mine, but if you want to pretend to be a whole crowd of miners, you better be ready to drop millions (or billions) on hardware and power. No cheap Sybil attack here. The cost scales with the number of identities, so trying to flood the network just burns your money.
Bitcoin’s approach basically said: “You wanna play? Prove it with your energy bill.” And since then, proof-of-work has stood as one of the most battle-tested defenses against fake identities in decentralized finance.
Of course, it’s not the only game in town; proof-of-stake came along later, saying “stake your coins, not your kilowatts,” but the core idea is the same: make spinning up identities too costly to fake at scale. Whether it’s energy, money, or reputation, something has to be on the line.
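The cost asymmetry described above, as an added example that is not from the original article: a simplified hashcash-style stamp (not Bitcoin's block format), where minting takes about 2^bits hashes per identity and checking takes one. The `identity:nonce` encoding, the function names, and the node names are assumptions made for illustration.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def stamp_hash(identity: str, nonce: int) -> bytes:
    # The identity is hashed together with the nonce, so a stamp is bound to one name.
    return hashlib.sha256(f"{identity}:{nonce}".encode()).digest()

def mint(identity: str, difficulty_bits: int) -> tuple[int, int]:
    """Brute-force the first valid nonce. Returns (nonce, hashes_tried)."""
    for nonce in count():
        if leading_zero_bits(stamp_hash(identity, nonce)) >= difficulty_bits:
            return nonce, nonce + 1

def verify(identity: str, nonce: int, difficulty_bits: int) -> bool:
    """Costs one hash, however expensive the stamp was to mint."""
    return leading_zero_bits(stamp_hash(identity, nonce)) >= difficulty_bits

def admit(registry: set, identity: str, nonce: int, difficulty_bits: int) -> bool:
    """Admit an identity only with a valid stamp of its own, and only once."""
    if identity in registry or not verify(identity, nonce, difficulty_bits):
        return False
    registry.add(identity)
    return True

def cost_of_identities(names: list[str], difficulty_bits: int) -> int:
    """Total hashes needed to mint one stamp per name."""
    return sum(mint(name, difficulty_bits)[1] for name in names)

if __name__ == "__main__":
    BITS = 16  # constructed demo difficulty: about 2**16 hashes per stamp on average
    registry = set()
    nonce, tried = mint("node-0", BITS)
    print("honest node:", tried, "hashes, admitted:",
          admit(registry, "node-0", nonce, BITS))
    # A stamp minted for one name is not expected to validate for another.
    print("same stamp reused for node-1:",
          admit(registry, "node-1", nonce, BITS))
    # Every extra identity needs its own stamp, so total work grows with the count.
    for k in (1, 4, 16):
        names = [f"sybil-{i}" for i in range(k)]
        print(k, "identities cost", cost_of_identities(names, BITS), "hashes")
```

Each added difficulty bit doubles the expected minting work while verification stays at a single hash, which is the lever a system uses to price identities.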
But of course, not every system wants to rely on brute force or burning energy to keep out fakes. Most online platforms aren’t blockchains; they’re communities, marketplaces, and social hubs. So instead of making you solve math puzzles or stake coins, they’ve leaned into a different kind of Sybil resistance: verifying that you are who you say you are.
Real Names, Blue Checks, and the Fight Against Fakes
As the internet grew in the 2000s, so did the number of people trying to game it with fake accounts. And platforms, unsurprisingly, started fighting back.
Early on, Facebook tried to keep things clean by making people use their real names and, at one point, even requiring a school or work email to sign up. The goal? Simple: one real person, one account. No hiding behind aliases or pretending to be ten different people in the same friend group.
Then came Twitter (now X), and in 2009, it introduced the now-infamous blue checkmark. It wasn’t always about clout; at first, it was just a way to confirm that someone really was who they said they were. Like, if you saw an account claiming to be @elonmusk, you’d want to know it was the real deal and not some Dogecoin grifter with a fake profile pic. That blue check was Twitter’s way of saying, “Yep, we’ve verified this person.”
Beyond that, platforms got more serious. They started using phone number verification (one account per phone), trained machine learning models to sniff out bot behavior, and cracked down on sockpuppet armies that tried to sway votes, spam comments, or rig giveaways.
All these tools (real-name policies, verified badges, number checks, and behavior analysis) became part of the new digital Sybil resistance. They didn’t stop everyone from trying, but they definitely made it harder to fake being someone else (or a dozen someone elses) online.
And then came the big guns, not just email checks, phone numbers, or blue ticks, but real-world identity verification. When platforms and institutions really want to know you're legit, they turn to KYC, “Know Your Customer.” It’s that thing where you upload your passport, a selfie, maybe a utility bill, and promise you’re not a bot army in disguise. From banks to crypto exchanges, KYC became the go-to for filtering out fake users, especially where money's involved.
But KYC still has its limits. Documents can be stolen. Photos can be faked. Deepfakes exist. So, how do you prove you’re you, not just someone with borrowed papers?
Enter Biometrics: You Are Your Identity
That’s where biometrics step in: fingerprints, face scans, iris patterns. Stuff that's a lot harder to fake, especially at scale.
The most ambitious rollout? India’s Aadhaar program, launched in 2009. It’s the biggest biometric ID system on Earth, covering over a billion people. Each person gets a unique number linked to their fingerprints and iris scans, which are checked before handing out welfare, subsidies, or SIM cards. One person = one Aadhaar. Try to register again with the same biometrics? Denied.
By the 2010s, e-passports started popping up around the world, travel documents with embedded chips storing your photo, fingerprints, and personal info. Suddenly, faking a passport wasn’t just a Photoshop job; you’d have to beat encryption and spoof biometrics, which is way out of reach for your average fraudster.
On the digital side, PKI-based digital certificates started getting used for logins in government systems and corporations. Think of them like a cryptographic ID badge. You might have a few if you wear multiple hats (say, employee and board member), but each one is still tied to a unique human and strictly scoped. No room for clone armies.
And in day-to-day life? If you’ve unlocked a phone with your fingerprint or face, you’re part of this shift too. Since Apple dropped Touch ID in 2013, biometric logins have become totally normal, and they’re a surprisingly solid Sybil defense. No one’s faking your face to access your bank app. At least, not easily.
So yeah, biometrics took the idea of “one person, one identity” and baked it into both government systems and consumer tech. It’s powerful, but it also raises big questions about privacy, control, and consent, which we’ll come back to later.
So far, we’ve seen governments, platforms, and protocols throw everything from ink-stained fingers to fingerprint scanners at the Sybil problem. But here’s the twist: all of those methods rely on central authorities, governments issuing IDs, companies verifying documents, and platforms maintaining databases.
But what if you want Sybil resistance without centralization? No government ID. No centralized KYC. Just you, proving you’re a real and unique human, without giving up your personal data. That’s where things started getting really interesting in the 2020s.
The rise of “proof-of-personhood” in Web3
This new wave of ideas is all about solving the Sybil problem in decentralized networks, think DAOs, blockchains, airdrops, where the goal is one-person-one-account, but without trusting any one party to keep the list.
Take Proof of Humanity (launched in 2021). It runs on Ethereum and builds a registry of real people by combining video submissions with peer vouching. You upload a selfie video, someone already verified vouches for you, and once you're in, you can’t register again. It’s like Sybil resistance meets social graph.
Or BrightID, which doesn’t even store personal info. It builds a web of human connections, where the structure of the graph, not the data itself, helps prove you're a unique person. The idea: bots can fake emails, but they can't fake relationships.
Then you have Worldcoin, which went all in on hardware: they created a shiny metal orb that scans your iris to issue a unique ID. No two irises are alike, so you get one ID, one person, in theory. It’s bold, biometric, and definitely controversial, especially when it comes to privacy.
Among these experiments, Humanode stands out for going a different route, combining biometrics with blockchain consensus in a privacy-preserving, decentralized way.
Launched to tackle the Sybil problem at the core of blockchain governance and finance, Humanode uses cryptobiometrics: your face becomes your proof of uniqueness, but it’s processed in a Confidential Virtual Machine (CVM), meaning not even the network sees your biometric data. You prove you’re real and unique, without revealing who you are.
The cool part? Once verified, you can actually become a validator node. That’s right, Humanode is building a chain where one human equals one node equals one vote. No mining rigs. No stake dominance. Just real people securing the network. It’s one of the first serious attempts at building Sybil resistance directly into the infrastructure of a Layer 1 blockchain.
And since it's cross-chain, Humanode Biomapper is now being used on other networks too, helping airdrops, games, DeFi protocols, and DAOs avoid getting wrecked by fake accounts.
But as the internet grew into a sprawling ecosystem of platforms and services, the problem of fragmented identity became obvious. Managing dozens of usernames and passwords was a mess, so the big tech companies stepped in with a convenient fix: “Log in with Google.” Or Facebook. Or Apple.
One Login (To Rule Them All)
The idea seemed great: use your Google or Facebook login across the web, and avoid creating (and forgetting) a dozen passwords. Suddenly, making a new account is just a click away. But underneath the surface, there’s a massive trade-off:
- Centralized control: If your primary account gets hacked, it ruins your access everywhere.
- Big Brother: These platforms track your activity across apps, building massive profiles.
- Sybil risk: These logins are still centralized. Anyone can create multiple Google accounts, and large companies can abuse their power to manipulate identity at scale.
So while “Login with Google” is great for users, it’s the opposite of robust Sybil resistance: it’s one platform with authority over every identity.
It also didn’t really solve the Sybil problem. People could still create multiple Google or Facebook accounts. It just shifted control of identity to a handful of corporate platforms, without guaranteeing that one person = one account. It made things smoother, but not more secure.
Humanode SRGate and the Return to Decentralized Uniqueness
This is where things start to circle back. Humanode is building something that offers a decentralized login that can be used as a universal pass, but without handing control and power to a single company.
Unlike Google or Facebook logins, SRGate doesn’t rely on an email address or password. It verifies that behind every account is a single human being. Not a face, not a name. Just uniqueness.
It works by using encrypted biometric proofs and confidential computing. The biometric data never leaves the secure environment. Apps and protocols don’t see your face or identity; they just get a cryptographic signal confirming you’re a real, unique human. One person, one proof. And that proof can be used across different chains and platforms.
SRGate doesn’t hand your identity to any central authority. It doesn’t store your personal data in a corporate vault. It simply ensures that each user interacting with a system is a distinct individual, without revealing who they are.
It’s a modern answer to an old problem: how to stop one person from pretending to be many, without putting someone else in charge of who you are.
Summing Up
This shift, from centralized IDs to decentralized proof-of-personhood, is a major leap. We’re now seeing the web try to rebuild what small communities once took for granted: knowing who’s real.
The fight against Sybils isn’t over; it’s evolving. As technology grows smarter, so do the attackers. Deepfakes, AI-generated identities, and bot farms are pushing the boundaries of what a fake presence can look like. At the same time, new tools (biometrics, cryptography, and zero-knowledge proofs) are being built to push back. There’s no final solution, just an ongoing arms race between those trying to appear as many, and those trying to keep things one-human-one-voice. The history of Sybil resistance is far from finished; it's just stepping into its next chapter.
Sources:
- Plural Voting – Wikipedia – Information on the abolition of multiple voting rights in the UK by 1950.
- Election Ink – Wikipedia – Use of indelible ink to prevent double voting, first used in India in 1962.
- J. Douceur (2002). “The Sybil Attack.” IPTPS Proceedings – Defined the Sybil attack problem in distributed systems.
- Nervos (2021). “Understanding Sybil Attacks and Consensus Mechanisms.” – Notes that proof-of-work was the original Sybil deterrence in Bitcoin.
- B. Ortutay (AP) “Twitter’s blue check: A history of the verification system.” FOX10 News (2022) – On Twitter introducing verified accounts in 2009 after impersonation issues.
- Kleros (2021). Proof of Humanity docs – Describes a Sybil-proof registry of unique humans using social verification and video submissions.