Proof of Humanity Should Be Behavioural
A scan proves presence. Behavioural intelligence over time proves continuity.
Iris captures a body. Behaviour captures a person.
The profile is no longer proof
Open a GitHub profile and the first layer looks easy to read.
Name. Photo. Bio. Follower count. A few pinned repositories. A sentence about what the person builds.
The surface can be cleaned up in an afternoon. Once generative AI became ordinary, it could be manufactured even faster. Bios. Photos. Engagement. Voice. Face. The snapshot layer started generating itself.
Then scroll to the contribution graph.
Not because green squares prove virtue. They do not. A commit can be trivial. A streak can be gamed. Public work can disappear when private work begins. But the graph points at a different kind of signal: recurrence across calendar time.
Its value is not that it judges the work perfectly. Its value is that it makes time visible.
A profile says what someone claims to be, but a behavioural archive shows whether they kept showing up.
That is the missing layer: behavioural intelligence over time.
Not intelligence as surveillance. Not a platform guessing who you are from the outside. Intelligence as a narrow reading of source-backed patterns: what repeated, what stopped, what returned, and what endured long enough to mean something.
The useful part is not any single commit. It is the dense months. The blank months. The return after silence. The project that kept getting touched after everyone else stopped looking.
Ryan Dahl is a useful public example. He created Node.js, stepped away from its center of gravity, and years later returned publicly with Deno. The broader pattern shows up whenever a founder, executive, or maintainer is reduced to a title while the older technical record still tells another story. The gap does not make the archive less useful. It makes it more honest: the record includes the work, the absence, the role change, and the return.
The same archive can tell the opposite story too. Someone with no software degree, no inherited title, and no old technical reputation can now build a visible shipping history as they learn, use AI where it helps, and keep returning to the work. The archive is not only a record of credentials decaying. It is also a record of competence becoming legible before institutions have a name for it.
This is where the “taste is the new skill” claim becomes useful, but only if it is grounded. In an AI-assisted market, raw output gets cheaper and credentials lag behind the work. Taste starts to matter more: what someone chooses to build, what they ignore, what they refine, what they return to, what they ship when the tool can generate almost anything.
But taste cannot just be another profile claim. It has to leave a trail.
The gap is part of the record.
The proof was not in the snapshot. It was in the accumulated cost of time.
A scan proves presence, not continuity
That is why I keep thinking about iris scans, AI agents, and the missing credential layer underneath both. World makes the biometric route concrete: one capture, proof of human, verified for the internet. AI makes the limitation obvious: a surface can now be generated faster than it can be trusted.
Stand in front of a sensor. Prove you are not a machine. Receive a credential. One scan. Human.
It solves one question and leaves the harder one open.
A scan can prove a body arrived. It is weaker at proving the person is still here, still active, and still connected to the pattern the credential claims.
World’s route is biometric: privacy-preserving iris verification through the Orb, issued as proof of human. That is useful at the presence layer, and in its own ways, but in an AI-assisted world it has flaws beneath the surface.
A body, scanned once, receives a credential. But the proof stays thin.
The harder question is whether the account on the other end still has continuity with the person who earned it, and is still connected to source-backed patterns over time.
Iris can answer: was a body here?
Continuity asks whether a life is still running, and in what way.
Biometrics are useful at the presence layer. They are weaker as a claim about ongoing continuity, especially once accounts, agents, and credentials can be gamed around the edges.
Iris captures a body. Behaviour captures a person.
Time did not collapse
The old surface signals got weaker because the surface became cheap.
AI can fake a profile in a second. It is harder and more expensive to fake years of listening history, GitHub commits across a decade, or a running record logged across three winters.
Not impossible. Harder.
The cost includes calendar duration, recurrence, and provenance.
One thing did not collapse.
Time.
Who has this person been, before and after?
Sustained behaviour is the signal that still has to pay a time cost.
The shape is an integral
This is the shape I keep coming back to:
identity = ∫ behaviour · dt
The proof is not the event. The proof is the accumulation.
One run proves almost nothing. Eighteen months of activity says more.
One commit proves almost nothing. A project that keeps being touched across years says more.
One stream proves almost nothing. Years of listening, saving, skipping, replaying, and finding early say more.
One transaction proves almost nothing. A pattern across time says more.
The same logic travels across markets. Code history can matter to teams hiring builders. Health history can matter to races, sponsors, insurers, or communities if the user chooses the exchange. Music history can matter to artists, venues, labels, and discovery products. Purchase history can matter to merchants and loyalty markets. Attendance and social participation can matter to communities that need to know who actually showed up.
Not because any market deserves the whole person. Because different markets already value different behaviours, and today most of that value is captured by the platform that holds the archive.
The record is already being written.
The missing layer is the way to measure across time.
The reader should be narrow
The reader should not be another platform that owns the archive.
It should be closer to a private calculator.
It reads source-backed events under the user’s control. It computes a pattern locally, or in a user-controlled environment. Then it emits only the narrow answer needed for a specific exchange.
Not the full archive of their data.
A bounded claim proving a consistent pattern across time to match the query.
The queries change by market:
builder: has this person shipped and maintained real projects over time?
runner: has this person sustained enough activity to qualify for this race, sponsor, or community?
taste: has this person demonstrated trained attention inside this scene, sound, product category, or culture?
early fan: was this person listening before the breakout?
customer: has this person created enough value to deserve access, status, or better terms?
member: has this person actually shown up for the community?
The first worked example can stay simple: active runner, 18-month window, threshold met.
A race sponsor, community, marketplace, or platform does not need routes, heart rate, exact dates, sleep history, or the full Apple Health archive. It can ask a smaller question:
Does this person have a current running-continuity credential?
The answer can be yes, no, or tied to a tier.
The same pattern applies elsewhere. A hiring team does not need a full private repo history to ask for a maintenance-continuity proof. An artist does not need the whole listening archive to recognize early fandom. A merchant does not need the full bank statement to know whether a customer has earned a better exchange.
The data archive stays private.
The proof travels only when the user decides the exchange is worth it.
What has to be trusted
The raw events still need provenance. Privacy tech can hide the archive. It cannot make a fake archive true.
That is why the source chain matters.
The hard version needs source attestations from Apple Health, Spotify, GitHub, the bank, or the wearable - not a user-exported screenshot pretending to be proof.
The local reader should not ask the user to upload the archive. It should ask trusted sources for attestations, compute the pattern under user control, and emit a narrow credential.
The archive is the source. The proof is the negotiated translation.
The older internet already had simple versions of this. LinkedIn can verify a workplace claim through an organization email. Early Facebook used a Harvard.edu address as a narrow gate. Crude, but useful: a source-backed proof that meets one criterion without proving the whole person.
Something like:
active runner
18-month window
activity in enough months to satisfy the claim
refreshed monthly
expires unless renewed
The verifier should not receive the life. It should only receive the answer it needs.
Source event → source attestation → local reader → narrow credential → verifier query.
Privacy proof is not truth by itself.
The proof should decay
A behavioural proof should not live forever.
If the signal stops, the credential should expire. If the pattern changes, the answer should refresh. If the user no longer wants to expose the proof, it should be revocable.
A one-time biometric credential wants permanence.
A behavioural credential should stay current.
Both matter in their various ways, but continuity has to keep earning itself.
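The chain described above (source attestation → local reader → narrow credential → verifier query), together with the expiry rule, as an added sketch that is not code from this essay or from any platform it names. Assumptions: the HMAC key stands in for a real source signature, the 12-of-18-months threshold and 31-day validity are chosen for illustration, and signing of the credential itself is left out.

```python
import hmac, hashlib, json
from datetime import date, timedelta

# Assumption: a shared HMAC key stands in for the source's signature. A real source
# would sign with a private key so the reader can verify events but not forge them.
SOURCE_KEY = b"constructed-demo-key"
WINDOW_MONTHS, MIN_ACTIVE_MONTHS = 18, 12  # 18 is the essay's window; 12 is assumed
VALID_DAYS = 31                            # "refreshed monthly, expires unless renewed"

def _mac(event: dict) -> str:
    body = json.dumps(event, sort_keys=True).encode()
    return hmac.new(SOURCE_KEY, body, hashlib.sha256).hexdigest()

def attest(event: dict) -> dict:
    """Source side: bind one raw event to the source."""
    return {"event": event, "mac": _mac(event)}

def month_index(d: date) -> int:
    return d.year * 12 + d.month

def issue_credential(attestations: list, today: date) -> dict:
    """Local reader: count distinct active months in the window, emit only the answer."""
    now = month_index(today)
    active = set()
    for att in attestations:
        if not hmac.compare_digest(_mac(att["event"]), att["mac"]):
            continue  # unattested or tampered events never count
        m = month_index(date.fromisoformat(att["event"]["date"]))
        if now - WINDOW_MONTHS < m <= now:
            active.add(m)
    # No routes, dates, or counts leave the reader: only the bounded claim.
    return {"claim": "active-runner", "window_months": WINDOW_MONTHS,
            "met": len(active) >= MIN_ACTIVE_MONTHS, "issued": today.isoformat(),
            "expires": (today + timedelta(days=VALID_DAYS)).isoformat()}

def verifier_accepts(cred: dict, today: date, revoked: bool = False) -> bool:
    """Verifier query: a yes/no that holds only while the credential is current."""
    return (cred["met"] and not revoked
            and today <= date.fromisoformat(cred["expires"]))

def sample_runs(today: date, months: int) -> list:
    """Constructed sample data: one attested run on the 1st of each recent month."""
    out = []
    for k in range(months):
        y, m = divmod(month_index(today) - 1 - k, 12)
        out.append(attest({"type": "run", "date": date(y, m + 1, 1).isoformat()}))
    return out
```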
The inversion
The current data economy runs one direction.
User produces. Platform aggregates. Platform sells inferred audiences back to someone else. The user becomes raw material.
Behavioural proof points the other way. The user holds the pattern. The archive remains private. A bounded proof leaves only when the user chooses.
Today, platforms read the archive for the advertiser, the marketplace, the recruiter, the label, the merchant, or whoever is paying to query the user from the outside.
The inversion is the user deciding which proof, if any, should travel back into the market.
The full archive does not have to move. The narrow answer does.
The closing move
Proof of humanity should not stop at presence. The sharper question is continuity: whether you are still being one.
The first question can be answered once.
The second has to be answered again and again.
A body can be captured once.
A person has to keep showing up, proving consistency over time.
The snapshot answers the right question once to get through the door. The integral answers the right one across time.
Method / sources
World describes World ID as a digital proof of human for the internet, with Orb-based iris verification used to establish unique humanness. I am treating that as useful presence infrastructure, not as proof of behavioural continuity. The essay’s center is not a World takedown; it is the missing layer after presence: source-backed behavioural credentials that can answer narrower questions over time.
Ryan Dahl is used here as a public software example: creator of Node.js, later returning publicly with Deno. The broader founder/executive line is intentionally general: a public title is not the same as a complete behavioural record. The claim is not that public GitHub proves anyone’s whole working life. It is that public technical records can show work, absence, role change, and return without pretending to be a complete biography.
The reverse-pattern claim is also bounded. GitHub crossed 100 million developers in 2023; GitHub’s 2024 Octoverse reported public generative-AI projects up 98% year over year and contributions to those projects up 59%; Stack Overflow’s 2024 Developer Survey reported that 62% of respondents were already using AI tools in development. That does not mean AI creates instant senior engineers. It supports the narrower claim that AI-assisted coding and online upskilling can make visible proof-of-work easier to accumulate before a traditional credential catches up.
“Behavioural intelligence over time” is used here in the narrow sense: a user-controlled reading of source-backed patterns across time, not a surveillance score or platform-owned profile.
The market-query examples are illustrative. I am not claiming that Apple Health, Spotify, GitHub, banks, venues, merchants, communities, or wearables already expose a finished standard for this. A real system would need source-backed attestations, a user-controlled reader, and a narrow credential that answers one verifier question without exporting the full archive.