Hello again! It’s good for you to phone home on occasion. It absolutely makes sense that ET wanted to phone home. But if government-issued digital IDs are allowed to phone home, they will expand the surveillance state.
Why cryptographers and privacy advocates are worried about the EU’s digital identity wallet
The next time you renew your driver’s license or passport, it may come with some new features: a link that sends information to the government every time a vendor scans the ID, and a switch the government can use to wipe all your identifying information at will.
Whether or not you want these capabilities, or trust that the government knows what it's doing when it comes to preserving your privacy, they're already in use for millions of people living in the European Union, as part of large-scale pilot tests of the Digital Identity Wallet program, which the European Commission could roll out to the bloc's roughly 450 million residents by the end of 2026.
The bloc has called the project "Europe's answer to the challenges of identification." The new digital ID wallet, which will include a credential that allows holders access to both public and private services that require a government ID, is supposed to make it easier for citizens of EU member states to do things like open a bank account and travel. In the long run, it's meant to contain credentials like driver's licenses, educational certificates, medical records, and proof of insurance.
Digital versions of your government ID may seem like a logical extension of the Google and Apple wallets people already use on their phones to hold things like credit cards and tickets.
And the European Commission seems to be pushing this narrative. “Citizens should be able to carry their digital identity with them across the EU, moving seamlessly across borders without ever losing control of their data, with privacy and security at the heart of the project,” reads the text on its website for the digital ID program.
But cryptographers say the technical design of the wallet the EU is piloting has flaws that could make it easier for governments to spy on holders—or worse, turn off the wallet and render the credentials in it useless.
And they’ve recommended that the EU go back to the drawing board.
Unlinkability
The laws and regulations that led to the EU’s Digital Identity Wallet pilots are not themselves problematic from a privacy standpoint. The regulation mandating the wallet, known as eIDAS (electronic Identification, Authentication, and Trust Services), states that an ID system should let users remain pseudonymous and keep their sensitive personal information “unlinkable,” to technically prevent issuers from surveilling users by connecting that information to all the times and places they scan the credential.
“But that is just the law. The law says what should be done but not how,” Anja Lehmann, a cryptography professor at the University of Potsdam, lamented in March during a talk focused on the EU Digital ID project at the Real World Cryptography conference in Bulgaria.
The cryptography community has developed the capabilities necessary to make digital IDs that are, in fact, unlinkable to transaction data and other information related to a user’s activity. Those technologies include zero-knowledge proofs and other forms of advanced cryptography.
The system the EU is testing doesn’t take advantage of these tools, however. Details are scant, but sources familiar with the process tell Project Glitch that the technical design for the EU wallet seems to have been formulated largely behind closed doors by a small group of people at SPRIN-D—an agency in the German government that describes itself as an incubator for disruptive innovation.
“We’ve been researching unlinkable forms of hashing and ways of passing data for years and they're just doing something we could have done 20 years ago,” said one cryptographer who asked not to be named due to sensitivities around their work status in the EU.
Kim Hamilton Duffy, executive director of the Decentralized Identity Foundation, calls the EU pilots "an attempt to capture and print new standards [for digital ID]." According to the regulation, such standards "are supposed to be influenced by self-sovereign identity or decentralized identity, which has in mind the idea that: 'I hold my credentials, I control who I share them with, and I consent to any additional sharing,'" she said. "But the current approaches are violating almost all of these principles."
A “phone home” feature and a kill switch
To begin with, as Lehmann explained during her talk in March, the wallet lets the issuer link the holder’s transactions to their ID by deploying a feature that “phones home” to the issuer’s server every time it’s scanned.
This means if you were to use your wallet to, say, verify that you are old enough to buy a bottle of wine or get into a club, there’s a chance the government could receive that information from the vendor, record it, and use it to surveil you. This problem has been flagged by civil liberties groups in the US, too, with the same design embedded in mobile driver’s licenses, or “mDLs,” that some states are now issuing.
"When you hand over your mDL, you are handing over a 100% trackable token," says Manu Sporny, CEO of Digital Bazaar, a company developing digital identity technology and technical standards. Sporny also chairs several initiatives at the World Wide Web Consortium, the body that develops web standards.
The design of the EU's ID wallet would also give governments the power to turn off the wallet at will. Think about all the places where you have to show your ID. What if your government had the power to render your ID card useless, perhaps as punishment for something you wrote on social media? What if it simply switched your wallet off by accident? "If you have a government-issued credential and you have no choice but to put it in a government-issued digital wallet, that is a very bad outcome," Sporny says.
Sporny says what’s needed is a “truly open wallet infrastructure”—not one in which the government wallet is the only option. “Fundamentally, the individual should have a right to choose which organization is holding their most private information,” Sporny adds.
In June of 2024, Lehmann and 15 other cryptographers published feedback on the EU Digital Identity Wallet project. “We do not see a way to fix the proposed solution to meet all the privacy features as required by the regulation,” they wrote. “We believe that a larger redesign is in order.”
"We can see now that there's not a good understanding of how security and privacy can coexist, and can coexist in different shapes," Lehmann said in her talk this year.
It’s not too late
There are ways the EU could change course before its wallet is rolled out en masse. Sporny says one path for future consideration is a single-use identity credential system.
“Think of it as an over-age token, or something of that nature,” he says. It would work similarly to how today’s credit cards do. “So when you use a credit card today, your credit card is tokenized—either on your phone, or the second you tap your card,” he says. This is what keeps your credit card number safe. “The number is never sent over the wire; it’s just an authorization.”
There is already a standard for this sort of single-use credential technology. It’s deployed in the US under the name TruAge and is used to standardize age verification when people show their ID for age-restricted products at more than 150,000 convenience stores around the country.
But implementing this technology would call for infrastructure similar in scale to the vast networks built and operated by credit card companies like Visa and Mastercard. That would be expensive to operate smoothly.
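To make the trade-off concrete, here is a small added Go example; it is not code from Project Glitch, from TruAge, or from any EU wallet, and it models the over-age-token idea with Ed25519 from Go's standard library rather than any real protocol. The subject "alice", the two vendors and the issuer's record-keeping are made-up sample data. It shows three things a practitioner should check before trusting "unlinkable" claims: a single reusable credential verifies offline but carries the same signature bytes to every vendor, so vendors pooling their scan logs can correlate it; a batch of single-use tokens verifies the same way with nothing in common between scans; and, the caveat, the issuer's own issuance record still maps every token back to the holder, so vendors reporting their logs to the issuer re-create the linkage. That residual issuer-side linkability is what the zero-knowledge approaches favored by the cryptographers quoted above are meant to remove.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Token is a signed "holder is over 18" assertion. The payload carries no
// name or ID number; Nonce only makes every token distinct.
type Token struct {
	Nonce  [16]byte
	Over18 bool
	Sig    []byte
}

// payload is the byte string the issuer signs and the vendor verifies.
func (t Token) payload() []byte {
	p := append([]byte{}, t.Nonce[:]...)
	if t.Over18 {
		return append(p, 1)
	}
	return append(p, 0)
}

// Issuer signs tokens and, as any real issuer would, records which tokens
// it handed to which subject (hypothetical state for this example).
type Issuer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	log  map[string]string // hex(nonce) -> subject
}

func NewIssuer() *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Issuer{Pub: pub, priv: priv, log: map[string]string{}}
}

// IssueBatch mints n over-18 tokens for subject, each with its own signature.
func (is *Issuer) IssueBatch(subject string, n int) []Token {
	toks := make([]Token, n)
	for i := range toks {
		if _, err := rand.Read(toks[i].Nonce[:]); err != nil {
			panic(err)
		}
		toks[i].Over18 = true
		toks[i].Sig = ed25519.Sign(is.priv, toks[i].payload())
		is.log[hex.EncodeToString(toks[i].Nonce[:])] = subject
	}
	return toks
}

// SubjectOf is what the issuer learns if a vendor hands a token back to it.
func (is *Issuer) SubjectOf(t Token) (string, bool) {
	s, ok := is.log[hex.EncodeToString(t.Nonce[:])]
	return s, ok
}

// Verify is fully offline: the vendor needs only the issuer's public key,
// so a scan never has to phone home.
func Verify(pub ed25519.PublicKey, t Token) bool {
	return t.Over18 && ed25519.Verify(pub, t.payload(), t.Sig)
}

// Presentation is one line of a vendor's scan log: which token it saw.
type Presentation struct {
	Vendor string
	Tok    Token
}

// Correlate asks whether two vendors pooling their logs can tell that two
// scans came from the same holder using the tokens alone.
func Correlate(a, b Presentation) bool {
	return a.Tok.Nonce == b.Tok.Nonce || bytes.Equal(a.Tok.Sig, b.Tok.Sig)
}

// ReusableCredential: one long-lived credential shown everywhere.
// Returns (both scans verified, vendors can correlate them).
func ReusableCredential() (verified, correlated bool) {
	is := NewIssuer()
	cred := is.IssueBatch("alice", 1)[0]
	wine := Presentation{"wineshop", cred}
	club := Presentation{"nightclub", cred}
	return Verify(is.Pub, wine.Tok) && Verify(is.Pub, club.Tok), Correlate(wine, club)
}

// SingleUseTokens: a fresh token per scan, the over-age-token idea.
// Returns (both verified, vendors can correlate, issuer can still link).
func SingleUseTokens() (verified, correlated, issuerLinks bool) {
	is := NewIssuer()
	batch := is.IssueBatch("alice", 2)
	wine := Presentation{"wineshop", batch[0]}
	club := Presentation{"nightclub", batch[1]}
	verified = Verify(is.Pub, wine.Tok) && Verify(is.Pub, club.Tok)
	// If vendors report their logs to the issuer, the issuance record
	// re-links both scans to alice: unlinkable to vendors, not to the issuer.
	s1, _ := is.SubjectOf(wine.Tok)
	s2, _ := is.SubjectOf(club.Tok)
	return verified, Correlate(wine, club), s1 == "alice" && s2 == "alice"
}

// Tampered: a token whose bytes were altered after issuance fails the check.
func Tampered() bool {
	is := NewIssuer()
	t := is.IssueBatch("bob", 1)[0]
	t.Nonce[0] ^= 1 // signed payload no longer matches
	return Verify(is.Pub, t)
}

func main() {
	v, c := ReusableCredential()
	fmt.Printf("reusable credential: verified=%v vendors_correlate=%v\n", v, c)
	v, c, l := SingleUseTokens()
	fmt.Printf("single-use tokens:   verified=%v vendors_correlate=%v issuer_links=%v\n", v, c, l)
	fmt.Printf("tampered token accepted: %v\n", Tampered())
}
```

Run it with `go run .`; it needs nothing beyond the standard library. Note what the single-use design does and does not buy: vendors cannot correlate scans, and no vendor has to contact the issuer to verify, but the issuer can still reconstruct a holder's trail from any logs that reach it, and a real deployment would also need a shared spent-token list to stop one token being replayed at many vendors, which is the kind of infrastructure the paragraph above warns is costly.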
Lehmann and her 15 co-authors have recommended a different technical design, based on BBS signatures, a scheme now being standardized at the IETF that supports selective disclosure through zero-knowledge proofs and is built to make presentations unlinkable.
BBS builds on ordinary digital signatures, in which the holder of a private cryptographic key signs a message and anyone with the matching public key can verify it. In BBS the issuer signs many messages at once (each a separate personal data point) under a single signature. The holder can then generate a zero-knowledge proof that reveals only the messages they choose while proving that the whole set was signed by the issuer, and because every proof is freshly randomized, neither the issuer nor cooperating verifiers can match one proof to another or to the original signature.
Despite being a cryptographer-approved approach, however, there’s another obstacle to adoption: No EU governments are currently allowed to use it. BBS signatures would have to be added to the EU’s list of approved cryptographic technologies.
Updating the list before the broad rollout of the EU ID system is not beyond the realm of possibility. The EU has solicited comments on the potential usage of zero-knowledge cryptography for the wallet, and plans to consider the responses in August.
In the absence of a turnaround in the wallet’s technical specifications, another way to deal with the threats to civil liberties posed by the EU’s digital ID system would be to make policies designed to neutralize those threats. Member states could promise that they will not use the “phone home” feature, for example.
Hamilton Duffy would rather the technical design keep things private on its own. “There’s this more baked-in notion of trusting governments in the EU. So people might be more OK with relying on the idea of policy versus tech,” she says. “But a lot of us elsewhere don’t trust our government.”—Lucy Harley-McKeown