Selective Disclosure Technology Protects Privacy in EUDI Wallets

Last updated: 2/14/2026 | Reading time: 4 min

EUDI Wallets implement selective disclosure allowing users to share only necessary information, not entire documents.

EUDI Wallets implement advanced selective disclosure technology that lets users share only the information a transaction requires. When age verification is needed, the wallet shares only over-18 status without revealing the exact birthdate or address. When proving residency, it shares only the city without the full street address. Zero-knowledge proofs and cryptographic techniques enable verification without exposing unnecessary data. The technology fundamentally shifts the privacy model from all-or-nothing document sharing to granular information control.

The Privacy Problem with Traditional Digital Identity

Traditional identity verification operates on an all-or-nothing model. When you show your physical ID card to buy age-restricted goods, the cashier sees not just your age but also your full name, exact date of birth, home address, photo, and often your national identification number. In the digital world, this over-disclosure problem is even more pronounced. Uploading a scan of your passport for online account verification gives the receiving party access to every piece of information on the document, far more than they actually need.

This systemic over-sharing of personal data creates significant privacy risks. Each time personal information is shared, it becomes a potential target for data breaches. The history of large-scale data leaks from companies that collected far more identity data than they needed demonstrates the real-world consequences of this approach. Selective disclosure addresses this fundamental problem by enabling cryptographic proofs that reveal only the minimum information necessary for any given transaction.

How Selective Disclosure Works in EUDI Wallets

The EUDI Wallet implements selective disclosure through two complementary technical approaches, depending on the presentation context. For online (remote) credential presentations, the system uses SD-JWT (Selective Disclosure JSON Web Tokens), a standard developed through the Internet Engineering Task Force (IETF). For proximity-based (in-person) presentations, the ISO/IEC 18013-5 mdoc format provides equivalent selective disclosure capabilities.

In the SD-JWT approach, when a credential is issued to a user's wallet, each individual claim (such as name, date of birth, address, nationality) is separately hashed and included in the signed credential. When the user needs to present the credential, they can choose which specific claims to reveal. The revealed claims are accompanied by the original hashes, allowing the verifier to confirm that the disclosed information is genuinely part of the original signed credential without seeing the undisclosed claims. The issuer's signature covers the entire credential, so even selectively disclosed subsets carry full cryptographic authenticity.

For practical illustration, consider a person's national ID credential containing their full name, date of birth, nationality, address, national ID number, and photo. When buying alcohol online, the relying party requests age verification. The wallet presents only the "over_18: true" attribute derived from the date of birth, along with cryptographic proof that this attribute is part of a genuine, government-issued credential. The shop receives absolute certainty that the buyer is of legal age without learning their name, exact age, address, or any other personal details.
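The SD-JWT flow described above, as an added example that is not part of the original page or of any wallet implementation: the issuer signs only salted digests of the claims, the holder forwards the disclosures it chooses, and the verifier recomputes each digest against the signed list. Assumptions: HMAC-SHA256 stands in for the issuer's asymmetric signature, the `body.signature` layout is simplified from the real JWT form, and all function names and sample claims are constructed.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(name, value) -> str:
    # base64url(JSON [salt, name, value]); the salt blocks guessing hidden values.
    salt = b64u(secrets.token_bytes(16))
    return b64u(json.dumps([salt, name, value]).encode())

def digest(disclosure: str) -> str:
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def sign(key: bytes, body: str) -> str:
    # Assumption: HMAC-SHA256 stands in for the issuer's asymmetric signature.
    return b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue(key: bytes, claims: dict):
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    # Only digests go into the signed payload; sorting hides claim order.
    payload = {"_sd_alg": "sha-256", "_sd": sorted(map(digest, disclosures.values()))}
    body = b64u(json.dumps(payload).encode())
    return f"{body}.{sign(key, body)}", disclosures

def present(credential: str, disclosures: dict, reveal: list) -> str:
    # The holder forwards the signed part plus only the chosen disclosures.
    return "~".join([credential] + [disclosures[n] for n in reveal])

def verify(key: bytes, presentation: str) -> dict:
    credential, *shown = presentation.split("~")
    body, sig = credential.split(".")
    if not hmac.compare_digest(sig, sign(key, body)):
        raise ValueError("issuer signature invalid")
    signed_digests = set(json.loads(b64u_dec(body))["_sd"])
    claims = {}
    for d in shown:
        if digest(d) not in signed_digests:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64u_dec(d))
        claims[name] = value
    return claims

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed demo key
    cred, disc = issue(key, {"given_name": "Erika", "birth_date": "1990-01-01", "over_18": True})
    print(verify(key, present(cred, disc, ["over_18"])))
```

A disclosure that the holder fabricates, even with a correct claim name and value, carries a fresh salt whose digest is absent from the signed list, so `verify` rejects it.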

Beyond Selective Disclosure: Predicate Proofs and Zero-Knowledge

Selective disclosure reveals specific individual attributes. But some scenarios require even more privacy-preserving approaches. This is where predicate proofs and zero-knowledge proof (ZKP) techniques come into play within the EUDI Wallet ecosystem. A predicate proof allows the wallet to prove that a value meets a certain condition without revealing the value itself.

For example, rather than revealing a person's exact income (or even an income bracket), a predicate proof can demonstrate that the person's income exceeds a minimum threshold required for a loan application. The bank receives a cryptographic guarantee that the income requirement is met, without learning the actual figure. Similarly, age verification can be performed as a predicate proof showing "birth_date is before 2008-02-14" rather than disclosing the actual birth date, providing even stronger privacy than attribute-level selective disclosure.

The European Commission's Architecture and Reference Framework (ARF) specifies support for these advanced privacy-enhancing technologies, recognizing that different use cases require different levels of privacy protection. The wallet implementation supports a spectrum from full credential presentation (when the user consents and the context requires it, such as applying for a passport) through selective attribute disclosure (sharing only specific fields) to predicate proofs (proving conditions without revealing values).

Legal Framework and Data Minimization Requirements

The selective disclosure capabilities of EUDI Wallets are not merely a technical feature but are deeply embedded in the legal framework governing the system. The eIDAS 2.0 regulation, working in conjunction with the General Data Protection Regulation (GDPR), establishes strict rules about data minimization in digital identity transactions. Article 5a of the revised eIDAS regulation explicitly states that relying parties shall not request more data than necessary for the specific service being provided.

This legal requirement creates an enforceable obligation for every organization that verifies EUDI Wallet credentials. A nightclub verifying age cannot request the patron's home address. A car rental company confirming a valid driving license cannot access the renter's medical information. A hotel checking nationality for regulatory purposes cannot request the guest's national ID number. Violations of these data minimization requirements carry significant penalties under both eIDAS 2.0 and GDPR, creating strong incentives for relying parties to request only what they genuinely need.

The wallet user interface plays an important role in enforcing these principles. Before any credential presentation, the EUDI Wallet displays exactly which data fields the relying party is requesting, along with the stated purpose. The user sees a clear breakdown and can approve or reject the request. If a relying party requests data that seems excessive for the stated purpose, the user can decline and report the request. National supervisory authorities will monitor patterns of excessive data requests and can take enforcement action against relying parties that systematically over-request information.

Preventing Tracking and Ensuring Unlinkability

One of the most sophisticated privacy challenges in digital identity systems is preventing user tracking across different transactions. Without proper safeguards, a unique identifier in a credential could allow different relying parties to correlate their records and build complete profiles of a user's activities. The eIDAS 2.0 regulation specifically addresses this concern with strong anti-tracking provisions.

EUDI Wallets implement unlinkable presentations through several mechanisms. First, the wallet provider (whether a government app or approved private provider) is architecturally prevented from learning which credentials the user presents to which relying parties. The wallet operates on a fully decentralized model where credentials are stored locally on the user's device, and presentations happen directly between the wallet and the relying party without any intermediary server involvement.

Second, credential presentations are designed to be unlinkable across different verifiers. When the same credential is presented to two different relying parties, the cryptographic presentations are structured so that the two verifiers cannot determine whether they received proofs from the same underlying credential. This is achieved through techniques including randomized presentation tokens and batch-issued attestations that provide multiple unlinkable instances of the same credential.

Third, the regulation prohibits issuers from receiving information about where and when their credentials are used. A government that issues a national ID credential cannot learn that the citizen used it at a particular bar on a particular evening. This architectural separation between issuance and verification is fundamental to the privacy design of the entire EUDI Wallet system, ensuring that the move to digital identity does not create a surveillance infrastructure.


Sources

Information verified against official sources (2/16/2026)

  1. EU Digital Identity Wallet
  2. eIDAS 2.0 Regulation - Privacy Provisions
  3. IETF SD-JWT Specification

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
