Selective disclosure in the identity wallet: How users share the data that is really needed
Name, date of birth, address, email address, passwords, tax records, or payroll – all this sensitive user data is stored by companies in huge databases to identify individuals for digital services.
Although companies have long applied limits to employees’ access to such data (in accordance with the principle of “least privilege”), the centralization of personal data increases the risk of cyberattacks. We have seen this time and again in prominent examples of data breaches in which millions of records are leaked at once.
This is because, in this kind of setup, a single data leak or targeted attack can put all digital identities contained in the system at risk. Additionally – and despite GDPR and other regulations – central storage increases the risk that personal data will be misused for commercial purposes that the user has not agreed to in advance.
Self-sovereign identity with the help of identity wallets
Self-sovereign identity (SSI) is intended to address this challenge. It gives users back control over their own data: verified attributes are held by the user, so full copies of the record no longer accumulate in every service provider's database, where they could be manipulated, duplicated or stolen.
A central component of this architecture is the concept of the digital identity wallet that the EU is currently working on. These wallets will enable every citizen to regain control over their own digital identity and how it can be used. But how exactly will this be implemented?
As it stands today, a user can enter a record into a service provider’s system (e.g., an e-commerce platform, a mobility provider, or a travel provider) and in the process they are agreeing – intentionally or not – that the entire record may be used by the provider for the service.
There is no technical mechanism that limits the disclosure to the attributes a particular service actually needs; wallet technology is intended to change this.
Confirmation of personal attributes without disclosure of all data
With the help of the wallet, the user can limit the disclosure of their data to those attributes that are necessary for the provision of the service, e.g., a user's legal age or a successfully completed university degree.
This selective disclosure enables an individual to share parts of a larger data set. For example, a user who wants to access an online sports betting site will no longer have to provide their exact date of birth to prove that they are over 18. Instead, they can share the attribute "legal age/18+" from their identity wallet, because this attribute was already verified and attested by the issuer of the credential (e.g., the authority that issued it).
This is where the concept of the Zero Knowledge Proof (ZKP) comes into play. A ZKP is a cryptographic protocol that lets the holder prove that a statement about an attribute is true (e.g., that the date of birth in the credential lies more than 18 years in the past) without revealing the attribute itself.
What makes it special is that the verifier is convinced of the statement but learns nothing beyond it, in particular not the actual value (e.g., the date of birth). If the service provider later suffers a data breach, no date of birth can leak from it, because in this model the provider never received that data. Note the difference from plain selective disclosure of an issuer-attested "18+" attribute: there the verifier relies on the issuer having computed the predicate correctly at issuance time, whereas a ZKP lets the wallet derive the predicate from the underlying data at presentation time.
ZKP protocols offer some of the strongest privacy guarantees available for online services: the property that the verifier learns nothing beyond the validity of the statement is proven mathematically rather than enforced by policy. Thanks to ZKPs, the exposure of personal identity data can be significantly restricted.
As a result, the model enforces data minimization technically, a principle that has often been difficult to adhere to in practice, or is deliberately ignored by individual companies so they can keep the data sets they collect as large and extensive as possible for marketing purposes.
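As an added example (not code from the original article or from the EU wallet project), the following Python demonstrates the selective-disclosure mechanism described above using salted hash commitments, in the style of SD-JWT: the issuer signs only the hashes of the claims, the wallet discloses just the attribute the relying party asks for, and the verifier checks that disclosure against the signed digest without ever seeing the other claims. Assumptions, all constructed for the example: the issuer name, claim names, sample holders and key; HMAC-SHA256 with a key shared by issuer and verifier stands in for the issuer's digital signature (a real deployment would use a public-key signature such as Ed25519 or ES256 so the verifier only needs the issuer's public key); and the 18+ predicate is computed by the issuer at issuance time, i.e., this is issuer-attested selective disclosure, not a zero-knowledge range proof over the date of birth.

```python
"""Selective disclosure of one attribute from a signed credential (SD-JWT style)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Assumption: HMAC-SHA256 with a key known to issuer and verifier stands in for the
# issuer's digital signature. Constructed for this example only.
ISSUER_KEY = b"demo-issuer-key"


def _canonical(obj) -> bytes:
    # Canonical JSON so issuer and verifier hash exactly the same bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _digest(salt: str, name: str, value) -> str:
    # Commitment to one claim: the random salt stops a verifier from guessing
    # undisclosed values (e.g. brute-forcing a birthdate) from the digest alone.
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue(claims: Dict[str, object], key: bytes = ISSUER_KEY) -> Tuple[dict, Dict[str, tuple]]:
    """Issuer: return (signed credential, disclosures kept by the holder's wallet).

    The signed payload carries only salted digests, so one signature covers every
    claim while revealing none of them.
    """
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_urlsafe(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    digests.sort()  # also hides the original claim order
    payload = {"iss": "demo-issuer", "_sd": digests}
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: Dict[str, tuple], reveal: List[str]) -> dict:
    """Holder (wallet): attach only the disclosures the relying party asked for."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation: dict, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Relying party: check the issuer signature, then match every disclosed claim
    against a digest in the signed credential. Returns the verified claims, or
    None if anything fails. Undisclosed claims remain unknown to the verifier."""
    cred = presentation["credential"]
    expected = hmac.new(key, _canonical(cred["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # payload tampered with or not from this issuer
    digests = set(cred["payload"]["_sd"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in digests:
            return None  # disclosure altered or not issued with this credential
        verified[name] = value
    return verified


def demo() -> dict:
    """Constructed scenario: an 18+ check at a betting site without revealing the birthdate."""
    credential, disclosures = issue({
        "given_name": "Alice",
        "birthdate": "1990-05-01",
        "over_18": True,  # predicate computed by the issuer at issuance time
    })
    honest = present(credential, disclosures, ["over_18"])
    honest_result = verify(honest)

    # A younger holder tries to flip their own "over_18" disclosure to True.
    minor_cred, minor_disc = issue({"given_name": "Bob", "birthdate": "2010-05-01", "over_18": False})
    forged = present(minor_cred, minor_disc, ["over_18"])
    forged["disclosed"]["over_18"] = (minor_disc["over_18"][0], True)

    # Someone swaps the issuer's digest list in the signed payload.
    resigned = present(minor_cred, minor_disc, ["over_18"])
    resigned["credential"] = {"payload": dict(minor_cred["payload"], _sd=[]), "sig": minor_cred["sig"]}

    return {
        "honest": honest_result,
        "forged_disclosure": verify(forged),
        "tampered_payload": verify(resigned),
        "verifier_saw_birthdate": "birthdate" in (honest_result or {}),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier ends up with `{"over_18": True}` and nothing else; the other digests in the credential are unlinkable to their values because of the per-claim salts. Two limits of this hash-based scheme follow directly from the text above: the verifier must trust that the issuer computed "over_18" correctly (and the credential needs an expiry, since a predicate on age goes stale), and the issuer's signed digest list is the same on every presentation, so repeated presentations to the same relying party are linkable. A ZKP-based presentation removes both by proving the predicate from the birthdate at presentation time without a reusable identifier.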
Alternative approaches to attribute verification
In addition to the ZKP protocols, two other procedures are often discussed for the implementation of selective disclosure: one is "just-in-time issuance", i.e., the attribute is requested from the issuer at the moment it is needed, and the other is the principle of the "trusted witness".
- Just-in-time issuance, i.e., requesting confirmation of the attribute from the issuing party when it is needed, requires extremely high availability of the issuer, which must be able to confirm the authenticity of the attribute to many users at any time and, if necessary, simultaneously. This places a heavy infrastructure load on the issuer. In addition, this model removes an important part of the anonymity of the process, since the issuer learns which services the wallet user uses from the service provider's direct request (e.g., from a sports betting platform).
- The other alternative, the "trusted witness", shifts the problem described above to another party. In this model, the issuer no longer has to be highly available and does not gain insight into the services used by the user; instead, a third, highly trusted party, the "witness", takes over these functions and acts as an intermediary between the issuer and the relying party (i.e., the service provider). The witness now sees which user presents which attribute to which service.
As you can see, both alternative procedures put considerable load on the infrastructure of the issuer or the witness, respectively, which adds latency to the verification of the attribute, especially under high request volume. Both models also offer weaker privacy than the ZKP approach, since they give the parties involved more insight into the identity data and into who uses which service.
Data sovereignty thanks to decentralized storage
Currently, the personal data of every citizen is stored in private and public databases. With the identity wallet, this data is held in decentralized form: individuals manage their own credentials on their own smartphone, and service providers no longer need to keep a full copy of the record.
The user thus becomes the sovereign of their data and can consciously decide to share it, with far less risk of it falling into the wrong hands. Thanks to selective disclosure functions, the user regains control over their digital life, their personal data and the dissemination of this data.