eIDAS2, the European Digital Identity Wallet, and the GDPR (Part III)

Identity Disclosure Risks in the Digital Wallet Ecosystem


As the European Union accelerates its push toward a secure and unified digital identity system through the eIDAS2 Regulation, new data protection challenges emerge, especially regarding user identification and anonymity. These challenges become particularly complex when trying to reconcile three often conflicting goals: functionality, security, and privacy.

While the regulation aims to uphold data protection and user privacy, it is critical to ask:

Can I use my digital wallet to anonymously prove certain attributes — such as being a student, over 18, or a member of an organization, without revealing my full identity? And if not, who could identify me, and how?

The Risk of Overidentification: When Too Much Is Revealed

In the digital wallet ecosystem, an identification threat occurs when any actor in the ecosystem (a credential issuer, a Relying Party (RP), or the wallet provider) learns the user's real identity when that is inappropriate or unnecessary for the purpose at hand. Whether identification is necessary depends on the context:

  • In border control or regulated financial services, full identification and authentication are required.
  • In age verification or membership checks, only specific attributes are necessary, and anonymity should be preserved.

Identifying users beyond what the purpose requires, known as overidentification, compromises privacy. It can happen either:

  • Directly, when an RP demands full identification when it’s not needed.
  • Indirectly, through improper linking of pseudonymous or anonymous transactions with identifiable information.

Safeguards Against Overidentification

To combat overidentification, eIDAS2 and the wallet framework include several mechanisms:

1. Use Limitations and RP Registration

Relying Parties must register with their home Member State, explicitly declaring:

  • The intended use of the wallet,
  • Which data attributes will be requested,
  • Why those data are necessary.

They are legally prohibited from requesting any data beyond what is registered, reinforcing the GDPR principle of data minimization.

2. Real-Time User Alerts and Transparency

Wallets are required to:

  • Check the RP’s registration in real time,
  • Notify users if unexpected data are being requested (e.g., asking for a full name when only age is needed),
  • Allow the user to refuse the transaction.

This empowers users to make informed decisions and helps avoid manipulation or subtle data overreach.

3. Pseudonym Support

Users can generate local, per-service pseudonyms within the wallet:

  • RPs cannot reject pseudonyms unless required by law,
  • Pseudonyms must be service-specific and non-reusable across RPs to avoid tracking,
  • The user’s real identity should only be disclosed when strictly necessary (e.g., for legal KYC purposes).

These pseudonyms, combined with selective disclosure, help implement privacy by design and by default.

The Dangers of Indirect Identification Through Data Correlation

A particularly concerning risk emerges when RPs and credential issuers collude to correlate data. Even if neither party knows the full picture individually, data-sharing or data breaches can allow them to reconstruct the user’s identity.

Case Example: From Anonymous Age Verification to Real Identity

Scenario:

  • A user holds a government-issued credential, for example the Person Identification Data (PID) or a digital driver's licence, containing their name, date of birth, and address.
  • The issuer can retain the cryptographic values it produced at issuance (the signature, the digests of the claims, and the salts) and knows which identity each set of values belongs to.

Use Case 1:
The user accesses RP A, an online adult content platform, which only needs proof that the user is over 18. The wallet performs selective disclosure and reveals just that attribute. The signed part of the credential, however, travels unchanged: the issuer's signature, the digests of the undisclosed claims, and any key bound to the credential are identical in every presentation of that credential.

Use Case 2:
Later, the user registers at RP B, a regulated financial service, which requires full identification (e.g., name and date of birth) for KYC compliance. The same digital credential (or another credential from the same issued batch) is presented.

Risk:
If RP A and RP B pass the signature or digest values they received back to the issuer, whether through a data-sharing arrangement or a data breach, the issuer, which knows which values it issued to whom, can:

  • Link the anonymous transaction at RP A with the fully identified one at RP B.
  • Build a profile of the user’s online behavior — e.g., combining adult content access with financial activity.

This results in a breach of anonymity and expectation of privacy, even though selective disclosure was used.

Selective Disclosure Alone Is Not Enough

While selective disclosure is a core feature of digital wallets, it does not guarantee privacy unless combined with:

  • Unlinkability safeguards (as discussed in Part II),
  • Pseudonymization, and
  • Strict separation of identifiable and non-identifiable data.

Without these, even “anonymous” interactions can become part of a re-identification puzzle that actors in the ecosystem can piece together.
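The following simulation is an added example written for this post; it is not code from the original article nor from the EUDI wallet reference implementation. It models the salted-hash selective-disclosure pattern used by SD-JWT and ISO/IEC 18013-5 mdoc: the issuer signs a list of salted claim digests, and the holder later releases only the salts and values it wants to reveal. An HMAC with a key held by the script stands in for the issuer's asymmetric signature, and the subject identifier, claim names and claim values are constructed sample data. The example goes one step beyond the scenario above: it also shows that batch issuance (several copies of the credential with independent salts, as mentioned in Use Case 2) stops RP A and RP B from linking their presentations by comparing the signed part, but does not stop an issuer that retains issuance records from linking both presentations back to the same person.

```python
"""Why selective disclosure alone does not give unlinkability.

Constructed example. HMAC over the sorted digest list stands in for the
issuer's signature; a real credential would carry an asymmetric signature
verified with the issuer's public key.
"""
import hashlib
import hmac
import json
import os

ISSUER_KEY = os.urandom(32)  # stand-in for the issuer's signing key (assumption)


def digest(salt: bytes, name: str, value) -> str:
    """Digest of one salted claim; only the digest is covered by the signature."""
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()


class Issuer:
    def __init__(self):
        # signature -> subject id: the issuance record a real issuer can retain
        self.records = {}

    def issue(self, subject_id: str, claims: dict) -> dict:
        """One credential: a fresh salt per claim, signature over the sorted digests."""
        disclosures = [(os.urandom(16), n, v) for n, v in claims.items()]
        digests = sorted(digest(s, n, v) for s, n, v in disclosures)
        sig = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()
        self.records[sig] = subject_id
        return {"digests": digests, "signature": sig, "disclosures": disclosures}

    def issue_batch(self, subject_id: str, claims: dict, n: int) -> list:
        """Batch issuance: n copies with independent salts, hence distinct signatures."""
        return [self.issue(subject_id, claims) for _ in range(n)]

    def link(self, pres_a: dict, pres_b: dict) -> bool:
        """Issuer-RP collusion: map each presentation's signature back to a subject."""
        a = self.records.get(pres_a["signature"])
        b = self.records.get(pres_b["signature"])
        return a is not None and a == b


def present(cred: dict, reveal: set) -> dict:
    """Holder side: reveal only the named claims; the signed part travels unchanged."""
    return {
        "digests": cred["digests"],
        "signature": cred["signature"],
        "disclosures": [d for d in cred["disclosures"] if d[1] in reveal],
    }


def verify(pres: dict):
    """RP side: check the signature, then check each disclosure against the digest list.
    Returns the disclosed claims, or None if anything fails to verify."""
    expected = hmac.new(ISSUER_KEY, json.dumps(pres["digests"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, pres["signature"]):
        return None
    claims = {}
    for salt, name, value in pres["disclosures"]:
        if digest(salt, name, value) not in pres["digests"]:
            return None
        claims[name] = value
    return claims


def rps_can_link(pres_a: dict, pres_b: dict) -> bool:
    """RP-RP correlation needs nothing but the stable signed part."""
    return pres_a["signature"] == pres_b["signature"]


# Constructed sample PID-style claims; age_over_18 is precomputed at issuance
# so that the holder never has to reveal the birth date to prove it.
PID = {"given_name": "Erika", "family_name": "Mustermann",
       "birth_date": "1990-05-17", "address": "Berlin", "age_over_18": True}


def scenario(batch: bool) -> dict:
    """Run the two-RP case from the article, with or without batch issuance."""
    issuer = Issuer()
    if batch:
        cred_a, cred_b = issuer.issue_batch("subject-42", PID, 2)
    else:
        cred_a = cred_b = issuer.issue("subject-42", PID)
    pres_a = present(cred_a, {"age_over_18"})                              # RP A: age check
    pres_b = present(cred_b, {"given_name", "family_name", "birth_date"})  # RP B: KYC
    return {
        "rp_a_sees": verify(pres_a),
        "rp_b_sees": verify(pres_b),
        "rps_can_link": rps_can_link(pres_a, pres_b),
        "issuer_can_link": issuer.link(pres_a, pres_b),
    }


if __name__ == "__main__":
    for batch in (False, True):
        print("batch issuance" if batch else "single credential", scenario(batch))
```

Running the script shows RP A learning nothing but `age_over_18`, exactly as selective disclosure promises, while the signature it received is byte-for-byte the one RP B received. With a single credential both RPs and the issuer can link the two sessions; with batch issuance only the issuer can, because it recorded every copy it handed out. That residual issuer-side linkability is why the safeguards listed above (unlinkability measures, pseudonymisation, and a strict separation of identifiable and non-identifiable data on the issuer side) have to accompany selective disclosure rather than replace it.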

Other Vectors of Identification Risk

Several design decisions beyond disclosure mechanisms can expose users to identification threats:

  • Transaction logs: If wallets store metadata like IP addresses or timestamps, these could be used for profiling.
  • Embedded disclosure policies (EDP): If default settings are permissive or unclear, users may unknowingly reveal more than intended.
  • Credential-device linkage: If credentials are tied to a device, losing the device or exposing it could lead to identity leaks.
  • Combined credential presentations: Presenting multiple credentials together could allow RPs to infer more than any single one reveals.

The Role of the ARF and the Path Forward

The Architecture and Reference Framework (ARF) must address all these risks. It is still under development, with 23 discussion points actively being reviewed through the end of 2025. These will shape:

  • Technical specifications,
  • Privacy and security safeguards,
  • User rights enforcement mechanisms.

To be compliant with the GDPR and true to the values of digital dignity and freedom, the ARF must:

  • Embed strong privacy-by-design standards,
  • Define limits on data collection and use,
  • Prohibit any form of silent or unnecessary identification.

Identity Must Be a Right, Not a Risk

The eIDAS2 Regulation represents a bold vision for Europe's digital future. But if anonymity and pseudonymity cannot be reliably ensured, especially in low-risk scenarios like age verification, citizens may lose trust in digital identity systems altogether.

The digital wallet must not become a tool for surveillance, but rather a shield for autonomy. It is essential that the final ARF and accompanying technical implementations integrate every possible safeguard to:

  • Prevent overidentification,
  • Guarantee user choice,
  • Support anonymous and pseudonymous use,
  • Ensure true separation between identity and activity.

This is not just a technical challenge; it is a civil rights issue for the digital age.

