
Digital identity wallet

Author: Massimo Attoresi

A Digital Identity Wallet (DIW) is an application that allows the secure storage, management, and sharing of personal identification data, credentials and other pieces of information, often called “attributes”, relating to the owner of that virtual wallet. Think of it as a digital version of your physical wallet, but instead of holding tangible items like cash or credit cards, it holds digital attributes. Digital identity wallets can exist in various forms, including mobile apps, browser extensions, or even dedicated hardware devices.

DIW content can vary from unique alphanumeric identifiers and natural identification data, such as first and second name, address, date and place of birth, to elements such as driving licences, credentials to access places (e.g. a sports facility) and resources (e.g. public transport), certifications, debit/credit cards etc., including digital currencies. A DIW can potentially contain any kind of digital content relating to that individual. In that regard, a DIW can offer functionalities similar to those of a Personal Information Management System.

DIW attributes are usually issued by parties that guarantee their authenticity and integrity. For example, an accredited authority may issue a professional certificate, a competent public administration may issue a driving licence, or a library may issue credentials allowing people to access its resources and borrow items.

In a nutshell, a DIW can be used to identify and authenticate an individual or to authorise that individual to access a resource against the same party that issued the attributes or against a third party (also called “relying party”).

The trustworthy nature of the attributes released by issuers is usually ensured by the use of a cryptographic “signature” derived from a hierarchy of commonly trusted third parties, traditionally “certification authorities”. Other DIW schemes exist with various technical and governance architectures. For example, schemes based on “self-sovereign identity” leverage decentralised identifiers, which are trustworthy globally unique identifiers directly generated and controlled by an individual or organisation. They are used for identification or authentication against other individuals or organisations (e.g. a service provider) without the need for identity service providers or certification authorities.

There is a wide spectrum of projects for the use of DIWs in the public and private spheres. This is also due to legislative initiatives, such as the EU framework for cross-border electronic identification, authorisation and trust services (eIDAS), under which DIWs are planned to support a variety of use cases, including a possible digital euro currency.

Positive impacts foreseen on data protection:

  • Increase of confidentiality and integrity of personal data

All pieces of information within a DIW are to be provided by their sources with a proof of origin, thus ensuring authenticity (which combines confidentiality and integrity) to any party relying on that information. For example, the natural identifiers of a person can be guaranteed by the civil registry for any third party that requires them.

  • Increase of personal data accuracy

Based on the proof of origin and information integrity safeguards, DIWs can give higher assurance that the pieces of information relating to the owner are accurate and up-to-date. For example, the amount and type of social benefits stored in a DIW can be guaranteed by the public administration issuing those benefits and legitimately updated when necessary. Similarly, individuals will be able to keep up-to-date information on themselves, such as interests and preferences, to be collected directly from the DIW and thus always under the user’s responsibility.

  • Enhanced control for data subjects

In principle, yet depending on the implementation, individuals could be more in control of the data stored in their DIW. Trustworthy personal information can be securely accessed directly in the DIW, based on the user’s preferences (when there is no obligation by law). This would avoid unnecessary dissemination in the databases of the relying parties. Furthermore, even in circumstances when they are not the providers of the information stored in their DIW, individuals could always be aware of their personal data and of who has access to it.

Negative impacts foreseen on data protection:

  • Increased risk of profiling

DIWs intrinsically carry individuals’ identification information as well as other pieces of information that could uniquely identify them. In the absence of safeguards, this information could be combined by all parties having access to the DIW (providers of identity services in particular, but also relying parties) with other information already retained by those parties on the actions performed by the same individual. Furthermore, DIWs can store any possible personal data, including sensitive data directly or indirectly relating to health, sexual orientation, religious or philosophical beliefs, political opinions, financial situation, family life etc. This accumulation of personal information could encourage both private and public actors’ appetite to exploit this data. For this reason, DIWs have a high potential to enable profiling of individuals if the features and use of DIWs are not consistent with a privacy by design and by default approach, and if appropriate policies are not in place. Some specific weaknesses enabling profiling are described below.

  • Unnecessary/disproportionate disclosure of personal data

Depending on the implementation, there is a risk that providers of identity services and relying parties access more pieces of information stored in DIWs than they are actually allowed to, based on individuals’ consent or other lawful bases. This can be due to an inadequate policy or design choice that neglects data minimisation requirements.

  • No data minimisation: abuse of identification instead of authorisation

In certain use cases, it is necessary to identify/authenticate individuals unambiguously in order to deal with that specific individual. The law usually provides for these circumstances. In other use cases, it is only necessary to demonstrate that a specific individual is authorised to access a specific resource, yet it is an inappropriate common practice to disclose identification data for that purpose. For example, once registered, to access a library it is sufficient to produce an authorisation; it is not necessary to disclose your identity.
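The two mechanisms this page describes, an issuer signature that gives each attribute a proof of origin (the trust model described under the “signature” paragraph and under confidentiality and integrity) and a presentation that discloses only the authorisation a relying party needs (the library example above), as an added example that is not part of the original article or of any eIDAS or EDPS implementation. It assumes a flat trust list of issuer public keys in place of a certification-authority hierarchy, a salted-digest selective-disclosure construction, and the hypothetical names Issue, Present and Verify; holder binding, expiry and revocation are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is what the wallet keeps per attribute; the salt stops a relying party guessing undisclosed values.
type Disclosure struct{ Salt, Key, Value string }

// Credential is the only object the issuer signs: its identifier plus the sorted
// salted digests of every attribute. The attribute values are not in it.
type Credential struct {
	Issuer    string
	Digests   []string
	Signature []byte
}

// digest commits to salt, key and value with SHA-256.
func digest(d Disclosure) string {
	sum := sha256.Sum256([]byte(d.Salt + "|" + d.Key + "|" + d.Value))
	return hex.EncodeToString(sum[:])
}

// signedPayload is the exact byte string the issuer's Ed25519 signature covers.
func signedPayload(issuer string, digests []string) []byte {
	return []byte(issuer + "\n" + strings.Join(digests, "\n"))
}

// Issue (hypothetical name) runs at the issuer, e.g. a library: salt, digest and sign every attribute.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) (Credential, []Disclosure, error) {
	var discs []Disclosure
	var digests []string
	for k, v := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Key: k, Value: v}
		discs, digests = append(discs, d), append(digests, digest(d))
	}
	sort.Strings(digests) // canonical order: the signature must not depend on map iteration
	cred := Credential{Issuer: issuer, Digests: digests}
	cred.Signature = ed25519.Sign(priv, signedPayload(issuer, digests))
	return cred, discs, nil
}

// Present (hypothetical name) runs in the wallet: keep only the disclosures whose keys are named in reveal.
func Present(discs []Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, d := range discs {
		for _, want := range reveal {
			if d.Key == want {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify (hypothetical name) runs at the relying party. trusted stands in for the trust
// hierarchy; it returns the disclosed attributes, and nothing else, once every check passes.
func Verify(trusted map[string]ed25519.PublicKey, c Credential, disclosed []Disclosure) (map[string]string, error) {
	pub, ok := trusted[c.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not trusted", c.Issuer)
	}
	if !ed25519.Verify(pub, signedPayload(c.Issuer, c.Digests), c.Signature) {
		return nil, fmt.Errorf("signature of issuer %q does not verify", c.Issuer)
	}
	attrs := make(map[string]string, len(disclosed))
	for _, d := range disclosed {
		// A changed value or an invented attribute yields a digest outside the signed, sorted list.
		dg := digest(d)
		if i := sort.SearchStrings(c.Digests, dg); i == len(c.Digests) || c.Digests[i] != dg {
			return nil, fmt.Errorf("attribute %q is not covered by the issuer's signature", d.Key)
		}
		attrs[d.Key] = d.Value
	}
	return attrs, nil
}

func main() {
	// Constructed sample: a library issues three attributes; the wallet reveals one.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, discs, err := Issue("city-library", priv, map[string]string{
		"name": "Sample Holder", "birth_date": "1990-01-01", "membership": "active"})
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"city-library": pub}
	attrs, err := Verify(trusted, cred, Present(discs, "membership"))
	fmt.Println(attrs, err) // map[membership:active] <nil>
}
```

The relying party learns that the library vouches for an active membership and nothing about the holder’s name or birth date, because those values never leave the wallet and their salted digests reveal nothing on their own. Note that the signed digest list is itself a stable identifier: the same credential shown to several relying parties lets them link the presentations, which is exactly the profiling risk described in the next section, so a production scheme also needs per-presentation unlinkability (batch-issued credentials or zero-knowledge proofs) on top of this minimal construction.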
