Privacy Concerns
When using the e-Wallet for credential presentation and verification, users should understand the privacy implications of different credential types and their usage patterns. The wallet supports two distinct types of credentials, multiple use and single use, each with fundamentally different privacy characteristics that users and relying parties need to consider.
e-Boks ID
The e-Boks identity credential, while designed with privacy in mind (in the form of selective disclosures), does have some theoretical traceability vectors that users should be aware of. Because the most common use case is sharing Personally Identifiable Information, the privacy impact of using revocation lists and reusing credentials multiple times is an accepted risk.
Each identity credential includes a revocation index that allows the issuer (e-Boks) to theoretically correlate presentation events across different relying parties. Although the credential uses SD-JWT technology for selective disclosure, allowing users to reveal only necessary attributes, the underlying credential identifier remains consistent across all presentations.
The current implementation reuses the same issued Verifiable Credential for presentations, which means that the same cryptographic identifier and revocation index appear in every presentation. This design choice prioritizes implementation simplicity and reduces server load, but makes it possible for relying parties to link multiple presentations together.
Different presentations of the same credential can theoretically be linked together in order to create a full profile of you, either using the kid (Holder Key ID) or using the Credential Revocation Index.
Source (CC BY 4.0): Anja Lehmann & socialhack EU's Digital Identity Systems...
This tracking capability exists primarily for legitimate purposes, including revocation management and compliance with eIDAS 2.0 requirements. While the theoretical possibility of correlation exists, it's important to understand that this functionality is designed to support the security and regulatory compliance of the digital identity ecosystem rather than for surveillance purposes.
e-Boks Anonymous Age ID
In stark contrast to identity credentials, the e-Boks anonymous age verification credential provides absolute privacy protection through its architectural design. Each age verification request generates a completely independent proof that cannot be correlated with other verifications, ensuring that even if the same user verifies their age multiple times with different services, these events cannot be connected by any party, including e-Boks itself.
When using batches of single-use credentials, it is no longer possible to correlate two presentations using the kid (Holder Key ID). BUT if a revocation mechanism is used, then the Relying Party (RP) and Identity Provider (IdP) could collude to reveal your identity. This type of system includes IdP-RP unlinkability.
Source (CC BY 4.0): Anja Lehmann & socialhack EU's Digital Identity Systems...
The credential contains no persistent identifiers that could link presentations together, operating on a zero-knowledge architecture where only the minimum required information (a simple confirmation that the user meets a specific age threshold) is revealed, without exposing actual age, birthdate, or any identifying information. This design makes it nearly impossible to track users across different age verification scenarios.
Revocation of Age Credentials / Comparison with AltID
dewa has deliberately avoided adding revocation support for age credentials in order to protect user privacy. Other age credentials, notably AltID's "Aldersbevis", include a known identifier in the form of the revocation mechanism that could theoretically be used to de-anonymize the age verification.
If the IdP (Credential Issuer) stores the key ID, or other form of identifier (revocation index), it could theoretically correlate every presentation with the user's identity. This type of system does not have IdP-RP unlinkability.
Source (CC BY 4.0): Anja Lehmann & socialhack EU's Digital Identity Systems...
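The three designs described above (a reused credential, a batch of single-use credentials with revocation, and single-use credentials without revocation) can be compared with a small linkability check. This is an added example, not e-Boks code; the field names `kid` and `revocation_index`, the sample records, and the assumption that each single-use credential carries its own revocation index are constructed for illustration.

```python
from collections import defaultdict

# Identifier fields the page names as correlation handles. The field names
# are assumptions for this example, not the wallet's actual claim names.
LINK_FIELDS = ("kid", "revocation_index")

def rp_rp_links(presentations):
    """Find identifier values that appear in more than one presentation.

    Returns {(field, value): [relying parties]} for every shared value.
    """
    seen = defaultdict(list)
    for p in presentations:
        for field in LINK_FIELDS:
            if p.get(field) is not None:
                seen[(field, p[field])].append(p["rp"])
    return {key: rps for key, rps in seen.items() if len(rps) > 1}

def idp_rp_links(presentations, issuer_records):
    """Presentations an issuer could tie to a holder from its issuance records.

    issuer_records maps (field, value) -> holder, i.e. what was stored at issuance.
    """
    hits = []
    for p in presentations:
        for field in LINK_FIELDS:
            holder = issuer_records.get((field, p.get(field)))
            if holder is not None:
                hits.append((p["rp"], field, holder))
                break
    return hits

# Constructed sample data: one holder presenting at two relying parties.
REUSED = [  # one credential, presented repeatedly
    {"rp": "shop.example", "kid": "k1", "revocation_index": 4711},
    {"rp": "bank.example", "kid": "k1", "revocation_index": 4711},
]
BATCH_REVOCABLE = [  # single-use credentials, each with its own revocation index
    {"rp": "shop.example", "kid": "k2", "revocation_index": 5001},
    {"rp": "bank.example", "kid": "k3", "revocation_index": 5002},
]
BATCH_NO_REVOCATION = [  # single-use, no revocation index, issuer keeps no key IDs
    {"rp": "shop.example", "kid": "k4"},
    {"rp": "bank.example", "kid": "k5"},
]
# What an issuer that supports revocation has to remember (constructed).
ISSUER_RECORDS = {("revocation_index", i): "holder-A" for i in (4711, 5001, 5002)}
```

Running both checks over each dataset shows that the reused credential links across relying parties on both fields, the revocable batch links only when issuer records are joined in, and the batch without revocation produces no link in either check.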
Relying Party Privacy Considerations
Organizations accepting credentials from the e-Wallet should implement privacy-conscious practices that align with the wallet's privacy-preserving design. This means requesting only the minimum attributes necessary for the specific use case and avoiding the creation of systems that could correlate anonymous age verifications with identity data obtained from other sources, which would undermine the privacy protections built into the credential system.
Relying parties should also implement privacy-preserving audit logging practices that capture necessary compliance information without unnecessarily retaining personal data that could be used to reconstruct user behavior patterns over time.
User Control and Transparency
The e-Wallet empowers users with comprehensive control over their credential presentations and provides clear transparency about data sharing. Users receive explicit consent requests that clearly indicate what data is being requested and shared before any credential presentation occurs. For identity credentials, users maintain selective disclosure control, allowing them to choose which specific attributes to reveal from their credentials rather than sharing everything.
The wallet maintains a transparent presentation history, showing users exactly when and where their credentials were presented, enabling them to monitor their digital identity usage. Additionally, users retain revocation rights, allowing them to revoke credentials when privacy concerns arise or when they no longer wish to use specific services.
Best Practices for Privacy Protection
To maximize privacy protection while using the e-Wallet, users should prioritize anonymous age credentials whenever only age verification is required, reserving identity credential usage for scenarios that genuinely require full identity verification. Regular credential renewal can help minimize long-term tracking risks associated with identity credentials, while monitoring presentation logs helps users detect unexpected or suspicious verification requests that might indicate unauthorized attempts to access their credentials.
Additional resources
- EU's Digital Identity Systems - Reality Check and Techniques for Better Privacy <3 (watch YouTube or ccc.de)
- EU Age Verification Solution documentation ageverification.dev
- AltID technical documentation