Nobody Is Planning the Surveillance State. We're Building It Anyway.
You've probably seen the memes. China gives every citizen a "social credit score," and if it drops too low the state won't let you buy a train ticket, book a hotel, or send your kids to a good school. It's the plot of a Black Mirror episode, except it's real, and it's coming for the rest of us next.
Here's the problem with that story: the score doesn't exist. Not the way you've been told. And while we've all been busy laughing at a version of China that was mostly invented in the West, our own governments have quietly started assembling something that worries me more — not a score that shames you, but a single digital identity that becomes the key to your entire life. Here's the twist: in China, the state sat down and designed its system on purpose. In the West, no one is designing the whole thing at all. It's assembling itself, one reasonable convenience at a time — and that turns out to be much harder to stop.
In this article we'll separate the China surveillance myth from the reality, look at what China actually built, and then follow the same architecture as it takes shape across the US, the UK, and Europe — right now. And by the end you'll be able to spot the exact moment it's happening near you. Start with the myth almost everyone believes.
The Score That Doesn't Exist
Let's start with the thing everyone gets wrong, because it matters.
The idea of a single, all-seeing China social credit system — one number that rates your worth as a citizen and governs everything you're allowed to do — is, in the words of the people who actually study it, a myth. MERICS, Europe's leading China research institute, put it about as plainly as an institute ever does: "such a score simply does not exist." Their assessment is that the real system is "lowly digitalized, highly fragmented, and primarily focuses on businesses."
You don't have to take one source's word for it. Jeremy Daum is a senior fellow at Yale Law School's Paul Tsai China Center, based in Beijing, and he translates the actual Chinese regulations for a living. His verdict on what social credit is really for: it "has always developed largely as a tool for regulating business to ensure compliance with existing legal obligations." Company tax records, product-safety violations, environmental compliance — that's the beating heart of it. Not a citizen score.
So where does the myth come from? Real things got stitched together into a fake one. China ran some local scoring pilots in the early 2010s — towns like Rongcheng deducting points for jaywalking — but many were criticised even inside China and quietly wound down. There's a real court blacklist that bans people from flights and high-speed rail — but it targets debtors who defied a court judgment, not low-scorers. Western coverage fused these fragments into one dystopian dashboard that was never actually there.
Here's why this matters, and it's the whole point of this piece: while we were arguing about a system that doesn't exist, we stopped paying attention to the one that does. Because China did build something — just not the thing you were shown. And it's cleverer than the myth.
What China Actually Built (And It's Smarter Than the Myth)
In July 2025, China launched a national online identity system — a state-run "cyberspace ID." And when you read the actual law rather than the headlines, it's more elegant, and more concerning, than the cartoon.
Under the system, when you log in to a platform — WeChat, Taobao, whatever — the company doesn't see your identity documents. The regulation is explicit that these ID tokens "do not contain explicit identification information but correspond to the identity information of natural persons." In plain English: the platform sees an anonymous code. It's genuinely more private toward the company.
But follow the thread. Somebody has to hold the map that connects that anonymous code back to the real you. That somebody is the state — specifically the Ministry of Public Security and the Cyberspace Administration, the bodies that run the system. So the design quietly does two things at once: it blinds the corporations, and it gives the government a single point through which your banking, your messaging, your browsing, and your payments can all be linked back to one identity.
That's the part worth sitting with. The myth imagined a lurid scoreboard. The reality is the opposite — no dashboard, no visible number, nothing that looks dystopian at all. Just an identity layer that makes every citizen linkable from one central point, administered by the state's security and internet regulators.
The honest limit
This is the architecture as written into law. It doesn't prove the state is live-monitoring everyone's browsing today — even the Washington Post notes the new ID probably doesn't hand over your browsing history on its own, at least not yet. The danger isn't that the machine is already running at full tilt. It's that the lever now exists, and levers get pulled.
"Voluntary" Is How It Always Arrives
Now here's the move you need to learn to spot, because you're going to see it again — at home.
These systems tend not to arrive as compulsory. That would trigger resistance, and everyone involved knows it. So they arrive as optional, convenient, and free. China's cyberspace ID is, on paper, entirely voluntary — the law even guarantees that platforms "shall ensure that users who do not use Network Numbers … enjoy the same level of services." MERICS's warning is simply that, in practice, "voluntary" schemes have a way of becoming mandatory-in-all-but-name once enough big services quietly build them in as the default. Watch for that pattern, because it's the one that repeats.
If you think that's a China problem, watch what's happening across the West right now.
In Europe, the EU is rolling out its Digital Identity Wallet. The European Commission's own position is that member states must "provide EU Digital Identity (eID) Wallets to citizens by the end of 2026." Now, to be precise — using the wallet is voluntary for citizens; no one is forced to carry one. But the regulation obliges banks and major online platforms to accept it, and the EU's stated ambition is to get most Europeans onto a wallet by 2030. That's the distinction that matters: the wallet isn't mandatory, but the infrastructure is being pushed into exactly the places where daily life happens first — and each of those places is a reason to reach for it.
In the UK, you can watch the "voluntary" drift happen in real time — and it happened in 2025. In September, the government announced a digital ID that its own Parliamentary committee recorded as "mandatory for proving right to work in the UK." Then something encouraging happened: people pushed back, and it worked. Per that same committee, the government "abandoned the mandatory element of the policy" and repositioned it as a helpful tool for accessing public services. So democratic resistance can win — that's real, and worth holding onto. But notice what the retreat was from: the word "mandatory" got dropped; the digital-ID project itself did not. The backlash moved the label, not the infrastructure. That's the pattern in miniature.
In the US, the same substrate is being laid, just under different names — and here I want to be careful, because the American version is easy to overstate. REAL ID, whose federal enforcement finally began on 7 May 2025, is often held up as the American national-ID moment. It isn't, really: it's a standard for a physical card you show at the airport, and it doesn't track your browsing. The more telling development is quieter. State driver's licenses are moving into Apple and Google Wallets as digital credentials — Apple and state DMVs have now added them across more than a dozen states, built on the international mobile-ID standard (ISO 18013-5). On its own, a phone version of your license is just convenient. But it's also the first brick of a digital identity layer, in a country that spent decades insisting it would never build a national ID. Nobody announced "we're building one." They shipped the pieces and called each piece a convenience.
AI Turns Watching Into Predicting
Here's the multiplier that changes everything, and it's the part where the doom-mongers accidentally have a point.
An identity layer makes your life linkable. On its own, that's just filing. But here's how the two halves of this story connect: AI is only as good as the data you feed it, and prediction needs clean, connected data — this person, these payments, these messages, this location, all tied to one verified identity. A unified digital ID is exactly what turns a messy pile of separate records into that clean, linked dataset. The ID supplies the connected picture; the AI supplies the inference. The old model of surveillance was reactive — somebody watches the footage after something happens. Put those two halves together and it flips from reactive to predictive: anticipating behaviour before it occurs, at a scale no human watch-room could ever manage.
The most rigorous work on this is Steven Feldstein's AI Global Surveillance Index for the Carnegie Endowment for International Peace. Even in its 2019 baseline, he documented "seventy-five out of 176 countries" actively using AI surveillance — facial recognition, smart-city systems, predictive policing. Chinese firms "particularly Huawei, Hikvision, Dahua, and ZTE" are the leading global suppliers, which means Western cities are frequently running Chinese-built surveillance too.
But the finding that should stop you is this one: Feldstein reports that "51 percent of advanced democracies deploy AI surveillance systems" — a higher rate than in closed autocracies. Let that land. This is not a story about a faraway authoritarian state. Liberal democracies are among the heaviest users of exactly this technology. The tools that make population-scale monitoring easy don't care what kind of government installs them.
So how does a free society — one with elections, courts, and a free press — end up building the machinery of a surveillance state? Not on purpose. And that turns out to be the most dangerous way it could happen.
Why Nobody Planning It Is the Whole Danger
So stack the three pieces up. A unified digital identity that's quietly becoming unavoidable. AI that turns linkable data into prediction. And an export market that spreads the capability everywhere, democracies included.
Here's the crucial distinction. In China, the state designed this — it legislated the ID system into being, top-down and on purpose. In the West, no one is designing the whole thing. The individual pieces are absolutely planned: a government plans its eID regulation, a company plans its fraud-detection AI, a DMV plans its wallet credential. What nobody planned, debated, or voted on is the combination — the way those separate, reasonable systems quietly converge into one architecture. Each piece arrived as a convenience: a faster login, a fraud check, a way to prove your right to work, a smarter camera. Every step had a sensible reason. Add them together and you get something that, in another country's hands, we'd call a surveillance state.
The insight in one line
A plan can be debated and defeated. A drift is much harder to fight — because at no point does anyone feel they've crossed the line.
And here's the uncomfortable thing I keep coming back to: because nobody planned the whole thing, there was never a single moment to vote on it. No bill titled "The Surveillance State Act" to oppose. No line in the sand. It assembles itself out of a hundred individually-reasonable defaults, and that's precisely why it faces so little resistance.
And it's worth being honest about the temperature here, because this topic attracts a lot of heat. The alarming version — that this machine is already switched on and watching everything you do — isn't true, and claiming it is only makes the real concern easier to dismiss. The accurate version is less dramatic and, I think, more useful: the pieces are real, they're being assembled now, and the West is not a spectator to it.
Which means the real question was never "is it being built?" It's whether you'll recognise it happening in time to do anything about it. So let me show you exactly what to look for.
What to Actually Watch For
I don't want you to come away from this frightened. I want you to come away able to see it, because a thing you can name is a thing you can push back on. So here's what to watch:
- When the opt-out quietly disappears. The moment a service that was "your ID is optional" becomes "there's no other way to do this," the voluntary phase is over. Watch for the non-ID option getting slower, clunkier, or removed. And watch the language that justifies it — "keeping children safe," "fraud prevention," "age assurance," "right to work," "safety," "seamless access," "verified user." Each is reasonable on its own — and "keeping children safe" is the hardest of all to argue against, which is exactly why it's so often the one that opens the door. Together they're the on-ramp.
- When acceptance becomes a mandate. "You don't have to use it" and "but every bank, employer and platform must accept it" is how a voluntary ID becomes a de-facto one without anyone voting for it.
- When you hit algorithmic friction. This is the one you can actually feel. It's the day your access to a service is paused, flagged, or denied — "your account is under review," "additional verification required" — by an automated system tied to your identity, with no human you can reason with. That's the identity layer and the AI layer wired together, and you'll notice it because it happens to you.
And there's a real fork in the road here worth understanding, because not all digital ID is the same. There's a version where the credential lives on your device, you decide exactly what to reveal (proving you're over 18 without handing over your name and address, say — the technology genuinely allows this), and no central party logs every use. And there's the version where a central authority holds the key and sees every time you use it. Same idea, opposite consequences. The technology can go either way — which one we get is a governance choice, and governance choices only get made when enough people are paying attention. So it's worth knowing the good version exists, because that's the thing to actually demand.
That's the whole reason I wrote this. The surveillance state nobody is planning only gets built if nobody's watching it being built. So watch.
Sources
This article is built on primary sources. Where a claim relies on a specific document, we've quoted it directly.
- MERICS (Mercator Institute for China Studies) — China's social credit score: untangling myth from reality
- Jeremy Daum, China Law Translate (Yale Law School Paul Tsai China Center) — Keeping track of social credit
- China Law Translate — Measures on the National Online Identity Authentication Public Service (translation of China's 2025 cyberspace-ID law)
- European Commission — European Digital Identity (eIDAS) Regulation
- UK Parliament, Home Affairs Committee — report on the UK digital ID proposal (HC 986)
- US Department of Homeland Security / TSA — REAL ID final rule (federal enforcement from 7 May 2025)
- Steven Feldstein, Carnegie Endowment for International Peace — The Global Expansion of AI Surveillance
Digital ID & Surveillance FAQ
Is China's social credit system real?
Not in the way the memes suggest. There is no single national score that rates every citizen and controls their life. The leading Western researchers who study it — MERICS and Yale's Jeremy Daum — say the system is fragmented and primarily aimed at regulating businesses, not ranking individuals. The all-seeing citizen score is a myth.
Does China have a social credit score for individuals?
No unified one. Some local scoring pilots ran in the early 2010s (and were mostly wound down), and there is a real court blacklist that bans debtors who defied a judgment from flights and high-speed rail. But those are separate, narrow mechanisms — not one number governing everyone's life.
What is a digital ID or the EU Digital Identity Wallet?
A digital ID is a government-backed identity credential you use to prove who you are online and access services. The EU Digital Identity Wallet is the European version: every member state must offer one to citizens by the end of 2026. Using it is voluntary, but banks and major platforms are obliged to accept it.
Is digital ID mandatory in the UK, US or EU?
Officially, no — in all three it is framed as voluntary. But the infrastructure is being built regardless. The UK announced a digital ID 'mandatory for right to work' in September 2025, then dropped the word 'mandatory' after backlash while keeping the project. The EU wallet is voluntary to hold but mandatory for institutions to accept. In the US, mobile driver's licenses are spreading through Apple and Google Wallets.
Can the government see everything I do with a digital ID?
It depends entirely on the design. In a centralised model — like China's cyberspace ID — the state holds the key that can link your separate activities to one identity. In a decentralised model, the credential lives on your device, you control what you reveal, and no central party logs every use. The technology can go either way; which one you get is a governance choice.
How is AI used in surveillance?
AI shifts surveillance from reactive to predictive — from watching footage after an event to anticipating behaviour before it happens, at population scale. Per the Carnegie Endowment, 51% of advanced democracies already deploy AI surveillance systems. A unified digital identity makes this far more powerful, because it supplies the clean, linked data that predictive AI needs.
About the Author
Nathan House, Founder & CEO of StationX
Nathan House has 30 years of hands-on cybersecurity experience and is Cambridge-educated, holding CISSP, CISA, CISM, OSCP, CEH, and SABSA. He founded StationX in 1999 — one of the UK’s first cybersecurity companies — and has secured £71 billion in UK mobile banking transactions and the London 2012 Olympics, advising clients including Microsoft, Cisco, BP, Vodafone, and VISA. He authored the world’s most popular cybersecurity course — a #1 Udemy bestseller taken by over 500,000 students — and was named Cyber Security Educator of the Year 2020, AI Security Educator of the Year, and a UK Top 25 Security Influencer 2025. A DEF CON speaker and featured expert on CNN, Fox News, NBC, and the BBC, Nathan leads StationX’s training of more than half a million students worldwide.