eIDAS2, the European Digital Identity Wallet, and the GDPR (Part II)

Privacy Challenges and the Struggle to Ensure Unlinkability in a Connected Digital World

The implementation of the European Digital Identity Wallet under the eIDAS2 regulation introduces not only innovation but also significant challenges in data protection and user privacy. These challenges are especially complex when trying to balance security, usability, and privacy — three goals that often conflict with each other in digital identity systems.

A major concern arises around the principle of unlinkability, a privacy property explicitly mandated by eIDAS2, which aims to prevent different transactions or data points from being connected and attributed to a single individual.

Threats to Unlinkability: A Hidden Risk in Digital Wallets

Despite eIDAS2’s ambition to guarantee strong privacy protections, including unlinkability, technical and structural weaknesses remain — particularly within the evolving Architecture and Reference Framework (ARF).

Key Privacy Questions Raised:

  1. Could credential issuers (government or private) track a user’s activities — even in real time — when using the wallet to access public or private services?
  2. If a user reveals minimal information (e.g., being of legal age or a student) across different services, could those services or issuers still link all actions to the same user and build a behavioral profile?

The answers to these questions depend heavily on:

  • The final design choices of the ARF,
  • The technical implementation of the wallet,
  • The use of privacy-enhancing technologies (PETs).

The Importance of Unlinkability in Digital Identity

Unlinkability is a foundational concept in privacy-preserving systems. It ensures that:

  • No single party can track, correlate, or profile an individual based on their credential use,
  • Different service providers (Relying Parties or RPs) cannot recognize that interactions come from the same user,
  • Credential issuers cannot observe where and how their credentials are used.

This concept is closely related to:

  • Unobservability: The inability of the credential issuer to detect the time, place, or context in which a credential is used.
  • Multi-show unlinkability: Prevents any party from linking multiple presentations of the same credential across sessions or services.
  • Full unlinkability: Ensures that even if issuers and service providers collude or are compromised, they cannot reconstruct a user’s identity or activity history.

Concrete Examples of Linkability Risks

Let’s explore how linkability might occur, despite intentions to preserve privacy:

1. Credential Signatures and Unique Identifiers

Digital credentials (e.g., age verification tokens) are validated through the issuer's cryptographic signature. In selective-disclosure formats such as ISO/IEC 18013-5 mdoc (ISO mDL) or SD-JWT, the holder chooses which claims to reveal, but the signed part of the credential is sent unchanged with every presentation. The signature value, the digests of the claims that were not disclosed and the holder-binding public key therefore all act as persistent identifiers across services.

Even if a user reveals only partial information (like their age), the signature remains the same, so any two RPs that compare notes, or the issuer if it gets to see the presentations, can trace repeated use of the same credential across websites, apps, and service types (e.g., alcohol stores, gambling platforms).

This undermines multi-show unlinkability and makes surveillance or profiling possible.
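To make this concrete, here is an added example that is not part of the original article: a small Python model of SD-JWT selective disclosure. The issuer signature is stood in by an HMAC (a real SD-JWT carries an asymmetric JWS signature, but the property that matters, a value fixed at issuance, is the same); the issuer URL, holder keys, RP names and claim values are constructed placeholders. Three presentations that disclose different claims to different RPs share one signature value, while issuing a fresh single-use credential per presentation, the short-lived-credential workaround discussed further down this page, leaves nothing for the RPs to bucket on.

```python
"""Added example (not from the original article): the issuer signature of an
SD-JWT is fixed at issuance and travels unchanged with every presentation,
so it links presentations that disclose completely different claims.

Constructed for the demo: the signature is modelled with HMAC-SHA256 under
an issuer secret (a real SD-JWT carries an asymmetric JWS signature with the
same fixed-at-issuance property); issuer URL, holder keys, RP names and
claim values are placeholders."""
import base64
import hashlib
import hmac
import json
import os
from collections import defaultdict

ISSUER_KEY = b"constructed-issuer-secret"  # stand-in for the issuer signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: bytes, name: str, value) -> str:
    # SD-JWT disclosure = base64url(JSON [salt, claim name, claim value])
    return b64url(json.dumps([b64url(salt), name, value]).encode())


def digest(disclosure: str) -> str:
    # only the digest of each disclosure goes into the signed payload
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def issue(claims: dict, holder_key: str) -> dict:
    """Issuer side: sign a payload that holds digests, not claim values."""
    disclosures = {n: make_disclosure(os.urandom(16), n, v) for n, v in claims.items()}
    payload = {
        "iss": "https://issuer.example",        # placeholder issuer
        "cnf": {"jwk_thumbprint": holder_key},  # holder binding, also a fixed value
        "_sd": sorted(digest(d) for d in disclosures.values()),
    }
    signing_input = b64url(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"jwt": signing_input + "." + b64url(tag), "disclosures": disclosures}


def present(credential: dict, reveal: list[str]) -> str:
    """Holder side: the signed part is sent as-is, plus the chosen disclosures."""
    return "~".join([credential["jwt"]] + [credential["disclosures"][n] for n in reveal])


def verify(presentation: str) -> dict:
    """RP side: check the issuer signature, then accept only disclosures whose
    digest is covered by that signature."""
    parts = presentation.split("~")
    signing_input, signature = parts[0].split(".")
    expected = b64url(hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(signing_input))
    claims = {}
    for d in parts[1:]:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by the signature")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return {"signature": signature, "holder_key": payload["cnf"]["jwk_thumbprint"], "claims": claims}


def link_by_signature(observations: list[tuple[str, str]]) -> dict[str, list[str]]:
    """What colluding RPs, or an issuer handed the presentations, can do:
    bucket every observation by the issuer signature value."""
    buckets = defaultdict(list)
    for rp, presentation in observations:
        buckets[verify(presentation)["signature"]].append(rp)
    return dict(buckets)


CLAIMS = {"given_name": "Alice", "birthdate": "1990-01-01", "age_over_18": True}
VISITS = [("alcohol-shop", ["age_over_18"]), ("gambling-site", ["age_over_18"]),
          ("university-portal", ["given_name"])]


def demo_one_credential() -> dict[str, list[str]]:
    """One long-lived credential shown three times: one bucket, three RPs."""
    cred = issue(CLAIMS, holder_key="constructed-holder-key")
    return link_by_signature([(rp, present(cred, reveal)) for rp, reveal in VISITS])


def demo_batch_issued() -> dict[str, list[str]]:
    """Mitigation: a fresh single-use credential (new salts, new holder key,
    new signature) per presentation: three buckets of one RP each."""
    observations = []
    for i, (rp, reveal) in enumerate(VISITS):
        cred = issue(CLAIMS, holder_key=f"constructed-holder-key-{i}")
        observations.append((rp, present(cred, reveal)))
    return link_by_signature(observations)


if __name__ == "__main__":
    print(demo_one_credential())
    print(demo_batch_issued())
```

The `cnf` holder-binding key is a second linking handle, which is why the batch variant also uses a fresh holder key per credential; and neither variant hides anything from the issuer if an RP later asks the issuer about that specific credential.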

2. Revocation Mechanisms Enabling Tracking

Revocation is essential for security — allowing credentials to be invalidated if compromised. However, the revocation process itself can become a vector for tracking if:

  • RPs contact the issuer or a central authority to verify validity,
  • Timestamped checks correlate multiple credential uses to the same user,
  • Issuers log these verification events.

Even if issuers don’t see exact attributes, they might learn when and where a user interacted with a service — breaking unobservability.

3. Issuer-RP Collusion or Data Breaches

The most serious privacy risk arises when both the issuer and Relying Party either:

  • Collaborate intentionally to share credential data,
  • Or are compromised by a third party (e.g., in a data breach).

In these cases, combined metadata, even from anonymous transactions, can be used to re-identify users and create detailed behavioral profiles. This shows why full unlinkability is critical — even in adversarial or compromised environments.

Current Gaps in the Architecture and Reference Framework (ARF)

While eIDAS2 mandates unlinkability, the ARF (still under development and under review until end of 2025) lacks a clear, unified approach to ensure this property across all technical layers.

Although 23 topics are being discussed within the ARF, several of which address unlinkability, the framework’s current recommendations, such as supporting ISO mDL and SD-JWT, may fall short. Both formats carry an issuer signature that does not change between presentations unless a fresh credential is issued for each one, which makes unlinkability difficult to achieve in real-world implementations.

Privacy-Preserving Alternatives and Their Challenges

A number of privacy-enhancing technologies (PETs) could offer better protection:

  • Randomizable or blind signatures: A randomizable signature can be re-randomized by the holder before each presentation, so no two presentations carry the same signature value; a blind signature keeps the issuer from recognizing at presentation time what it signed at issuance.
  • Zero-knowledge proofs (ZKPs): Allow users to prove a predicate (e.g., over 18) without revealing their identity, the underlying attribute value, or the signature itself.
  • Anonymous credentials: Such as those based on Idemix or U-Prove. Idemix credentials are multi-show unlinkable by design; U-Prove tokens are unlinkable to their issuance but each token should be shown only once.
  • Accumulator-based revocation: Lets the RP verify that a credential is still valid against an accumulator value the issuer publishes periodically, so no per-credential query ever reaches the issuer.
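The following added example (not from the article or the ARF) contrasts the two revocation designs the page discusses: the online status check from the "Revocation Mechanisms Enabling Tracking" section, where the issuer must be told which credential is being checked and can log the event, and the accumulator-based check above, where the RP only fetches a public value once per epoch. Constructed for the demo: the modulus is the product of two well-known Mersenne primes, unusable in production where the factorization must be unknown to everyone; credential identifiers are hand-picked small primes rather than hash-to-prime outputs; RP names and timestamps are invented.

```python
"""Added example (not from the article or the ARF): an online revocation check
that hands the issuer a log of credential uses, next to an RSA-accumulator
check the RP runs locally against a value the issuer publishes per epoch.

Constructed for the demo: N is the product of two known Mersenne primes (a
real accumulator needs a modulus nobody can factor), credential identifiers
are hand-picked small primes rather than hash-to-prime outputs, and RP names
and timestamps are invented."""
from collections import defaultdict
from math import prod

# ---- 1. Online status check: every query is an event the issuer can log ----

class OnlineStatusIssuer:
    def __init__(self, revoked: set[int]):
        self.revoked = set(revoked)
        self.log: list[tuple[str, str, int]] = []  # (timestamp, rp, credential id)

    def is_valid(self, timestamp: str, rp: str, credential_id: int) -> bool:
        # The issuer has to be told which credential is being checked, so it
        # learns who asked and when, even without seeing any disclosed claim.
        self.log.append((timestamp, rp, credential_id))
        return credential_id not in self.revoked

    def profile(self) -> dict[int, list[tuple[str, str]]]:
        """Timeline per credential, i.e. per user, rebuilt from the log alone."""
        timeline = defaultdict(list)
        for ts, rp, cred in self.log:
            timeline[cred].append((ts, rp))
        return dict(timeline)

# ---- 2. RSA accumulator: RP verifies offline against a published value ----

N = (2**61 - 1) * (2**89 - 1)  # demo modulus only; its factorization is public
G = 3                          # public generator, coprime with N


class AccumulatorIssuer:
    def __init__(self, valid_ids: set[int]):
        self.valid = set(valid_ids)
        self.epoch = 0
        self.fetch_log: list[tuple[str, str]] = []  # (timestamp, rp): no credential id

    def accumulator(self) -> int:
        return pow(G, prod(self.valid), N)          # G^(product of valid ids)

    def witness(self, credential_id: int) -> int:
        # G^(product of the other valid ids), so witness^id == accumulator
        return pow(G, prod(self.valid - {credential_id}), N)

    def revoke(self, credential_id: int) -> None:
        self.valid.discard(credential_id)
        self.epoch += 1

    def publish(self, timestamp: str, rp: str) -> tuple[int, int]:
        # RPs fetch the current value once per epoch: the issuer sees that
        # some RP refreshed, never which credential is about to be checked.
        self.fetch_log.append((timestamp, rp))
        return self.epoch, self.accumulator()


def verify_membership(acc: int, credential_id: int, witness: int) -> bool:
    """RP-side check; no message to the issuer is needed."""
    return pow(witness, credential_id, N) == acc


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def update_witness(old_witness: int, own_id: int, revoked_id: int, new_acc: int) -> int:
    """Holder-side update after another credential is removed, without any
    trapdoor: with a*revoked + b*own == 1, new_w = old_w^a * new_acc^b, since
    new_w^own = old_acc^a * new_acc^(b*own) = new_acc^(a*revoked + b*own)."""
    g, a, b = egcd(revoked_id, own_id)
    if g != 1:
        raise ValueError("identifiers must be coprime (distinct primes)")
    return (pow(old_witness, a, N) * pow(new_acc, b, N)) % N


def demo_online() -> dict[int, list[tuple[str, str]]]:
    issuer = OnlineStatusIssuer(revoked={13})
    for ts, rp, cred in [("2025-06-01T09:00Z", "alcohol-shop", 11),
                         ("2025-06-01T20:30Z", "gambling-site", 11),
                         ("2025-06-02T08:15Z", "university-portal", 11),
                         ("2025-06-02T08:16Z", "university-portal", 13)]:
        issuer.is_valid(ts, rp, cred)
    return issuer.profile()


def demo_accumulator() -> dict:
    issuer = AccumulatorIssuer(valid_ids={11, 13, 17, 19})
    w11, w13 = issuer.witness(11), issuer.witness(13)
    _, acc = issuer.publish("2025-06-01T09:00Z", "alcohol-shop")
    out = {"before": (verify_membership(acc, 11, w11), verify_membership(acc, 13, w13))}
    issuer.revoke(13)                          # credential 13 is revoked
    _, acc = issuer.publish("2025-06-02T08:00Z", "gambling-site")
    w11 = update_witness(w11, 11, 13, acc)     # holder of 11 refreshes locally
    out["after"] = (verify_membership(acc, 11, w11), verify_membership(acc, 13, w13))
    out["issuer_sees"] = issuer.fetch_log      # only (timestamp, rp) pairs
    return out
```

Caveat: `verify_membership` still receives the credential's prime, which is itself a stable identifier across RPs; an anonymous-credential system replaces that step with a zero-knowledge proof of knowledge of the pair (identifier, witness). The holder also needs the revoked identifier, published alongside each epoch, to run `update_witness`.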

However, these solutions raise important questions:

  • Are these technologies mature enough to be standardized across the EU?
  • Can they be supported by existing hardware, such as smartphones?
  • Will they remain usable and scalable for both citizens and issuers?

Significant research, development, and standardization efforts are still needed before these privacy-first technologies can be broadly adopted and certified.

Usability vs. Privacy: A Delicate Tradeoff

To mitigate linkability, some community proposals suggest:

  • Issuing short-lived credentials (valid for one or a few uses),
  • Limiting revocation checks to credentials with longer validity periods (>24h),
  • Reducing frequency or necessity of issuer-RP interactions.

While promising in theory, these approaches can cause:

  • Usability burdens (e.g., managing multiple short-term credentials),
  • Higher costs for issuers and users,
  • Incomplete protection in certain threat models.

Thus, usability, cost, and privacy must be balanced carefully, without sacrificing any one of them for another.

Getting Unlinkability Right is Critical

The success of eIDAS2 and the EUDI Wallet hinges on the trust of EU citizens. That trust will not be earned by promises alone, but through technical designs and governance frameworks that enforce unlinkability, unobservability, and user control.

While eIDAS2 promotes privacy on paper, the practical implementation via the ARF and executing regulations will determine if those values are protected or undermined. Without strong safeguards, digital identity could become a new vector for mass surveillance rather than empowerment.

To prevent this, the EU and its Member States must invest in:

  • Privacy-by-design technologies,
  • Robust legal oversight,
  • Transparency, and
  • A citizen-first approach to digital identity infrastructure.

Only then can Europe build a digital future where privacy and innovation go hand in hand.

