arXiv: Credential Disclosure in (EU) Digital Identity Wallets: Privacy Risks and Practical Mitigations
eIDAS 2.0 / EU Digital Identity. Sourced from arxiv_cscr, summarised by Matproof.
AI Analysis
What changed and what to do.
This paper, published on arXiv, examines how credential disclosure in digital identity wallets built under the updated eIDAS2 framework can reveal more personal data than a transaction requires. The authors find that the current technical specifications for EU Digital Identity Wallets allow excess disclosure during authentication and attribute sharing, in particular through metadata leakage and through failures of the selective disclosure mechanisms. The result is a risk of profiling and surveillance by relying parties and by wallet providers, which undermines the data minimization principle that eIDAS2 is meant to enforce.
The findings affect every organization that will issue, operate, or rely on EU Digital Identity Wallets: national governments, banks, telecoms, healthcare providers, and any private-sector entity that will accept the wallets for identity verification or service access. Sectors that handle sensitive personal data, such as financial services and healthcare, face heightened exposure because credentials presented in multiple transactions can be correlated with one another.
Compliance teams should review planned and existing wallet implementations against the attack vectors identified in the paper, with particular attention to selective disclosure mechanisms and to the handling of presentation metadata. Technical specifications should enforce strict data minimization, use zero-knowledge proof protocols where possible, and be covered by privacy impact assessments that address credential disclosure risks explicitly. Teams should also track the European Commission's forthcoming implementing acts for updated technical standards that respond to these vulnerabilities.
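The following is an added illustration, not code from the paper or from Matproof, of the salted-hash selective disclosure pattern used by SD-JWT-style credentials (one of the credential formats in the EU wallet architecture), written in Python. It models an issuer, a holder and a relying party, and makes concrete two of the properties the summary refers to: the relying party learns how many claims were withheld from the count of digests in the signed payload, and the issuer signature is a stable handle that lets two relying parties link presentations of the same credential copy whatever subset of claims was revealed, unless the wallet presents batch-issued single-use copies. The claims, the issuer and the HMAC stand-in for the issuer's signature are constructed for the example; the model is deliberately simplified and is not a conformant SD-JWT or EUDI Wallet implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. A real issuer signs with an
# asymmetric key; HMAC keeps the example self-contained without changing the point.
ISSUER_KEY = b"constructed-issuer-key"

# Constructed sample credential and the set of claims that are selectively disclosable.
CLAIMS = {
    "iss": "https://issuer.example",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "birthdate": "1815-12-10",
    "address": "London",
}
SD_CLAIMS = {"given_name", "family_name", "birthdate", "address"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def digest(disclosure: str) -> str:
    # Digest of the encoded disclosure; only digests enter the signed payload.
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def sign(payload: str) -> str:
    return b64url(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())


def issue(claims: dict, sd_names: set) -> dict:
    """Issuer: each disclosable claim becomes [salt, name, value]; the signed payload
    carries only the sorted digests under "_sd", so the holder can reveal a subset."""
    disclosures = {}
    for name in sorted(sd_names):
        salt = b64url(secrets.token_bytes(16))
        disclosures[name] = b64url(json.dumps([salt, name, claims[name]]).encode())
    payload = {k: v for k, v in claims.items() if k not in sd_names}
    payload["_sd"] = sorted(digest(d) for d in disclosures.values())
    signed = json.dumps(payload, sort_keys=True)
    return {"payload": signed, "signature": sign(signed), "disclosures": disclosures}


def present(credential: dict, reveal: set) -> dict:
    """Holder: forward the signed payload plus only the requested disclosures."""
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosures": [credential["disclosures"][n] for n in sorted(reveal)],
    }


def verify(presentation: dict) -> dict:
    """Relying party: check the issuer signature, then accept a disclosure only if its
    digest appears in the signed "_sd" list. Also records what leaks as metadata: the
    number of claims the holder chose not to reveal is visible from the digest count."""
    if not hmac.compare_digest(sign(presentation["payload"]), presentation["signature"]):
        raise ValueError("bad issuer signature")
    sd = set(json.loads(presentation["payload"])["_sd"])
    revealed = {}
    for disc in presentation["disclosures"]:
        if digest(disc) not in sd:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64url_decode(disc))
        revealed[name] = value
    return {"revealed": revealed, "hidden_claim_count": len(sd) - len(revealed)}


def correlation_handle(presentation: dict) -> str:
    """The value a relying party can log and later match with other relying parties:
    the issuer signature (and the "_sd" digests it covers) never changes between
    presentations of the same credential copy, whatever subset is revealed."""
    return presentation["signature"]


def linkability_demo() -> dict:
    """Same credential copy shown to two relying parties versus two batch-issued copies."""
    one_copy = issue(CLAIMS, SD_CLAIMS)
    rp_a = present(one_copy, {"birthdate"})
    rp_b = present(one_copy, {"given_name"})
    # Mitigation: batch issuance gives every presentation a fresh copy with fresh salts,
    # so the digests and the signature differ and the handle no longer matches.
    copies = [issue(CLAIMS, SD_CLAIMS) for _ in range(2)]
    rp_c = present(copies[0], {"birthdate"})
    rp_d = present(copies[1], {"given_name"})
    return {
        "rp_a_sees": verify(rp_a),
        "same_copy_linkable": correlation_handle(rp_a) == correlation_handle(rp_b),
        "batch_copies_linkable": correlation_handle(rp_c) == correlation_handle(rp_d),
    }


if __name__ == "__main__":
    print(json.dumps(linkability_demo(), indent=2))
```

Two caveats on the model, stated as general practice rather than as findings of the paper: production SD-JWT profiles pad the `_sd` list with decoy digests so that the count of withheld claims is not exact, and they bind the presentation to a holder key so that a captured presentation cannot be replayed. Batch issuance removes the cross-verifier handle only if each copy is used once, and the issuer still observes every issuance; removing the stable signature altogether is what the zero-knowledge and unlinkable-signature approaches mentioned above aim at.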
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.