The Vocabulary Is DID; the Architecture Is Not
On June 18, 2026, China's Cyberspace Administration (CAC) published draft "Regulations on Promoting the Interoperability and Interrecognition of Distributed Digital Identity Applications" for public comment, with a deadline of July 18. The document reads like a W3C specification: identifiers, cryptographic keys, verifiable credentials, selective disclosure, verifiable claims. The technical language is borrowed almost verbatim from the Decentralized Identifiers (DID) v1.0 standard, which the W3C formalized as an official Recommendation on July 19, 2022.
The substance, however, diverges in one critical place. The W3C specification defines a DID as "a globally unique persistent identifier that does not require a centralized registration authority." Its design ensures that "the controller of a DID can prove control over it without requiring permission from any other party." In the CAC's draft, individual users must undergo identity verification by public security departments before receiving an identifier. Enterprises register through China's Unified Social Credit Code system. The blockchain infrastructure carrying the credentials is "operated by an authorized unit of the State Internet Information Office." What is distributed is the ledger; what is centralized is the root of trust.
A Genuine Problem, a Contested Solution
Before assessing the governance risks, the problem this framework addresses deserves an honest hearing.
China's existing identity system requires every platform — from WeChat to Taobao to railway ticketing — to collect and store its own copy of users' national ID documents. This produces millions of redundant data repositories, each a breach target. The 2022 Shanghai police leak exposed records on more than one billion people, illustrating the catastrophic scale of centralized data hoarding. A credential model where users hold cryptographic proofs of identity and present only what is needed per transaction — rather than re-uploading ID scans everywhere — is, structurally, a privacy improvement on what it replaces.
The CAC draft also incorporates data minimization requirements and parental consent obligations for users under 18, provisions that align with China's Personal Information Protection Law (PIPL), in force since November 2021. On paper, these elements represent proportionate regulatory design.
What Web ID Already Built
The June 2026 framework does not arrive in a vacuum. It builds on the Web ID system launched nationally in July 2025, itself the product of a 2024 draft that attracted more than 80 platform integrations within weeks — including WeChat, Douyin, Xiaohongshu, and Taobao. Over 6 million users enrolled during the pilot phase alone.
Web ID assigns each user a "web number" and "web certificate" tied to a real-name record held by public security authorities. MERICS, the Mercator Institute for China Studies, has documented how the system enables authorities to trace every online action across social media, government services, and commerce back to a verified individual — and how deepening integration will "offer less protection to journalists, activists or lawyers" even if they use VPNs, since the identity credential is tied to the user's account rather than to the network connection that a VPN masks.
The CAC's distributed framework extends this logic with better cryptographic packaging. The "distributed" element describes how credentials travel between services; the government's authority to revoke them remains fully intact. A state with revocation authority over digital identity credentials — operating simultaneously across every integrated platform — acquires a capability that siloed account deletion systems have never matched.
Human rights observers have not been subtle about this risk. Xiao Qiang of UC Berkeley has described such systems as capable of "directly erasing voices it doesn't like from the internet," characterizing them as "infrastructure of digital totalitarianism." Shane Yi of Chinese Human Rights Defenders has called the broader internet ID regime an escalation of "Beijing's attack on free speech."
eIDAS 2.0: Same Technology, Different Architecture
The EU's eIDAS 2.0 regulation (Regulation 2024/1183, in force May 2024, with European Digital Identity Wallets required across member states by December 2026) deploys the same DID and Verifiable Credentials substrate. The architectural difference is fundamental: credentials reside on user-controlled devices, selective disclosure is mandatory by design, and the regulation prohibits services from requiring wallet-based authentication where alternatives exist. The user is the root of trust, not any state authority.
This comparison matters practically, not just philosophically. The CAC's June 2026 draft explicitly targets cross-geographic interoperability, including international use cases. A mutual recognition arrangement for digital credentials between the EU and China is technically feasible on shared W3C standards. Whether democratic governments will accept Chinese digital identity credentials — knowing they are anchored in public security verification and revocable by state order — is a question this draft forces onto the diplomatic agenda well before any negotiation begins.
What the Comment Period Will and Won't Change
China's regulatory consultation process produces technical refinement more reliably than structural reconsideration. Comments submitted by July 18 are likely to shape credential revocation procedures, interoperability protocol specifications, and the handling of overseas Chinese nationals.
What they will not produce is a debate about whether anchoring every identifier in public security verification is compatible with W3C's self-sovereign identity model. That debate is proceeding in standards bodies and democratic legislatures outside China's borders.
The more consequential audience for this draft may be international: W3C working groups finalizing DID v1.1, trading partners designing digital trade corridors, and regulators deciding what cross-border digital identity interoperability with China actually implies in practice. China's reference implementation already operates at a scale no other DID deployment approaches. That weight will be present in every international standards discussion going forward.
The Governance Layer Is the Product
Blockchain infrastructure and verifiable credentials are technically neutral tools. The CAC's framework deploys them competently and addresses a real problem — redundant, siloed identity data — in a technically sophisticated way. The data minimization provisions, if enforced, would represent genuine progress against indiscriminate collection.
But a digital identity system is only as free as the revocation policy of the authority controlling its root trust. China's draft routes that trust through the State Internet Information Office, public security departments, and the Unified Social Credit system — the same institutions that operate the world's most comprehensive content moderation apparatus.
Policymakers evaluating cross-border digital identity recognition, and technologists who assume DID standards are inherently privacy-protective, should read the CAC's June 2026 draft carefully. The vocabulary is decentralized. The governance is not.