eIDAS2, the European Digital Identity Wallet, and the GDPR (Part IV)

Avatar photo By SAHEL SolutionsOn
CategoriesEUDI Ecosystem

Inaccuracy and Non-Repudiation: Hidden Threats to Trust and Privacy in the Digital Identity Framework

 

As the EU progresses toward a future of trusted and secure digital identities with the eIDAS2 regulation, new data protection challenges continue to surface. Among them are two critical threats that often go underexamined: data inaccuracy and non-repudiation.

These threats pose a direct risk not only to user privacy, but also to the reliability of digital transactions and the ability of citizens to safely interact with services across the European Digital Identity ecosystem.

This part of the analysis focuses on two key questions:

  1. Is the digital identity ecosystem reliable enough for service providers (Relying Parties, or RPs) to make accurate decisions based on user credentials?
  2. If I perform a transaction using my wallet in a context that doesn’t legally require audit logging, can I later plausibly deny having done so?

1. The Threat of Inaccuracy: Outdated or Invalid Data Leading to Unjust Outcomes

The first question addresses the reliability of credentials presented by users through the EUDI Wallet. Inaccuracies can arise when:

  • The information in a credential is outdated, incorrect, or incomplete,
  • There are inconsistencies during identity verification (e.g., differences in spelling, transliteration, or identity document formats),
  • Identity verification systems are compromised, or introduce software errors,
  • Malicious actors alter or forge credentials or manipulate backend systems.

Real-World Risk Example:

Imagine a user receives a digital credential from a public authority at age 17, stating:

  • Date of birth: June 2006
  • Derived attribute: age_over_18: False

Later, the user turns 18. The birthdate remains valid, but the derived attribute is now outdated. If the credential is not reissued or updated, and the user tries to access a financial service that requires proof of majority age, the outdated False value will cause the Relying Party to reject the application — a decision made based on obsolete data.

This can lead to:

  • Unfair denial of services,
  • Administrative hurdles for users,
  • Loss of trust in the digital identity system.

Mitigation Strategies:

  • Credential issuers should proactively revoke and reissue credentials when identity attributes change.
  • The wallet itself should alert users when credentials are expired or outdated, helping prevent their use.
  • Relying Parties should validate credentials by checking:
    • Revocation status,
    • Expiration dates,
    • Reports of loss or fraud.

However, some revocation mechanisms, especially those involving real-time communication with the issuer, pose privacy risks — potentially enabling linkability, as discussed in previous parts of this series.

2. The Threat of Non-Repudiation: Losing the Ability to Deny a Transaction

Non-repudiation is a double-edged sword. In high-security contexts (like contracts or digital signatures), it’s a feature. But in privacy-sensitive environments, it becomes a threat when users cannot deny having performed an action — even when denial would be legitimate or protective.

What is at Risk?

When wallet-based transactions create a persistent, verifiable link between:

  • The user’s device (via Wallet Secure Cryptographic Device, WSCD),
  • The credentials used,
  • The time and place of the transaction,

… then the user may lose plausible deniability — even if the transaction occurred in a context not legally required to retain records.

Illustrative Scenario:

A user stores two credentials:

  1. A government-issued identity credential,
  2. A residency certificate issued by a local municipality.

They are required to present both to a Relying Party in order to:

  • Vote in a union election,
  • Donate to a political group,
  • Access a reproductive health clinic.

To prevent fraud, the RP demands a cryptographic proof that both credentials come from the same user and wallet. The wallet generates a non-repudiable signature proving the transaction.

If political or legal conditions shift — for example, under an authoritarian regime — that signature becomes:

  • A permanent forensic record,
  • Evidence tying the user to previous lawful but now criminalized actions,
  • A threat to the user’s safety, autonomy, or freedom.

This example demonstrates that cryptographic integrity can sometimes undermine human rights, especially when privacy and denial are essential.

Root Causes of Non-Repudiation Threats

  • Use of non-randomized signatures in formats like ISO mDL or SD-JWT, which allow linking across uses.
  • Requirement for proof of linkage between credentials and user’s device.
  • Collusion or breach involving issuers, wallet providers, and Relying Parties.

These factors allow adversaries to build incontrovertible records of who did what, where, and when — even without consent.

Consequences:

  • Profiling and surveillance,
  • Coercion or blackmail in sensitive contexts,
  • Stigmatization of marginalized individuals or groups,
  • In extreme cases, threats to physical safety.

Mitigation Strategies

While current proposals include:

  • Short-lived credentials,
  • One-time-use credential batches,

… these may reduce usability and impose operational burdens on both users and issuers.

A stronger approach requires:

  • Anonymous credentials, where identities are cryptographically decoupled from attributes.
  • Zero-Knowledge Proofs (ZKPs), which enable users to prove something is true (e.g., “I live in City X”) without revealing who they are or linking multiple pieces of information.
  • Cryptographic unlinkability, preventing correlation between transactions even under collusion scenarios.

The Role of the ARF: A Blueprint for Trust and Compliance

The Architecture and Reference Framework (ARF) is still under development, with 23 discussion topics to be finalized by late 2025. It must incorporate all technical and governance safeguards to:

  • Detect and prevent inaccuracy threats,
  • Enable credential refresh and expiration alerts,
  • Ensure plausible deniability in privacy-sensitive contexts,
  • Avoid overreliance on signatures that introduce linkability,
  • Align with the full spectrum of GDPR principles, including data minimization, integrity, and purpose limitation.

Privacy Must Survive the Audit Trail

The eIDAS2 framework promises to modernize digital identity across the EU. But as this article has shown, achieving privacy, trust, and legal compliance simultaneously requires careful design and regulation — especially around data accuracy and non-repudiation.

Unless the system is built with safeguards that:

  • Protect users from being misidentified by outdated or false data,
  • Prevent them from being traced, profiled, or punished through immutable records,

… the digital wallet could become a liability instead of a tool for empowerment.

Ensuring the right to plausible deniability, especially in sensitive domains such as health, political expression, or civil rights, is not a luxury — it’s a necessity in any rights-based digital infrastructure.

Future updates to the ARF and related Implementing Acts must reflect this. Otherwise, eIDAS2 risks undermining the very trust and freedom it aims to build.

SSI & EUDI News and updates

Subscribe to our blog with articles, news, and information about everything happening in the world of SSI and the EUDI wallet ecosystem.