EU Digital ID Wallet Specification Faces Privacy Vulnerabilities, Researchers Warn
Key Takeaways
- The EU digital ID wallet specification gives only weak unlinkability guarantees, so it does not adequately prevent a user from being tracked across the services they present attestations to
- Attestation providers could include or store trackable personal-data attributes, because the specification contains no explicit contractual prohibition on doing so
- The specification sets no explicit upper bound on the attribute set an age-verification attestation may carry, which leaves room for over-disclosure
- Mandatory zero-knowledge-proof (ZKP) presentation is needed so that neither attestation providers nor relying parties end up holding sensitive user data after a transaction
Summary
Security researchers have identified significant privacy and security gaps in the EU's proposed digital identity wallet specification, arguing that, as currently written, it cannot deliver the privacy protections it claims. The critique, raised as an issue in the official specification repository, focuses on unlinkability, that is, preventing a user from being tracked across different services, and in particular on how attestation providers handle age-verification data. The researchers note that without mandatory zero-knowledge proof (ZKP) presentation there remains a substantial risk of data leaks, and of collusion between attestation providers and relying parties, that would let users be tracked across transactions. In practice the mechanism is simple: any stable value a verifier receives and keeps, such as a credential identifier, the issuer's signature value, or a full birth date where only "over 18" was needed, can later be matched against another party's records, whereas a ZKP presentation reveals only the proven predicate and leaves no such value to match. The findings suggest that the current specification lacks both explicit restrictions on trackable attributes and data-retention rules that would prevent misuse or accidental exposure of personal information.
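To make the linkability argument concrete, the following is an added illustration in Python; it is not code from the specification, from the researchers who raised the issue, or from any wallet implementation. It assumes a simple record layout for what each party stores, uses an HMAC as a stand-in for the attestation provider's signature, and uses random bytes as a stand-in for a fresh zero-knowledge proof (the proof system itself is not implemented; only what a relying party ends up holding is modelled, because that is what decides whether two parties can link a user). The field names, the list of "strong correlators", the assumed maximum attribute set for an age attestation, and the sample attestation are all constructed here.

```python
"""Linkability audit: can two relying parties, or a relying party and the
attestation provider, match up the records they each stored after a
presentation? Added illustration with assumed layouts and constructed data."""
import hashlib
import hmac
import secrets
from itertools import product

# Assumed: fields whose equality across two stored records identifies the
# same credential, and therefore the same person.
STRONG_CORRELATORS = {"credential_id", "issuer_signature",
                      "birth_date", "document_number"}

# Assumed upper bound on what an age-verification attestation may carry.
# The page argues the specification should state such a limit; this set is ours.
AGE_ATTESTATION_MAX_ATTRIBUTES = {"age_over_18", "issuer", "expiry"}

# Stand-in for the attestation provider's signing key (HMAC instead of a
# real signature scheme; only the "constant value per credential" property
# matters for this illustration).
ISSUER_KEY = secrets.token_bytes(32)


def issue_attestation(subject: dict) -> dict:
    """Provider signs the whole attribute set once. The signature value is
    fixed for the credential's lifetime, so every presentation that reveals
    it hands the verifier the same correlator."""
    payload = "|".join(f"{k}={subject[k]}" for k in sorted(subject))
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {**subject, "issuer_signature": sig}


def present_selective_disclosure(attestation: dict, disclosed: set) -> dict:
    """Selective-disclosure style presentation: the verifier gets the chosen
    attributes plus the credential id and issuer signature it needs to check
    them. Those two values repeat on every presentation."""
    keys = set(disclosed) | {"credential_id", "issuer_signature"}
    return {k: attestation[k] for k in keys}


def present_zkp_style(attestation: dict, predicate: str) -> dict:
    """ZKP-style presentation (modelled, not a real proof system): the verifier
    learns only the predicate outcome and a per-presentation proof blob. The
    random bytes stand in for a fresh zero-knowledge proof; nothing stable from
    the credential reaches the verifier."""
    return {predicate: attestation[predicate], "proof": secrets.token_hex(16)}


def linkable(record_a: dict, record_b: dict) -> set:
    """Strong correlators on which two stored records agree."""
    return {k for k in STRONG_CORRELATORS
            if k in record_a and k in record_b and record_a[k] == record_b[k]}


def collude(log_a: list, log_b: list) -> list:
    """Join two parties' logs on strong correlators; each hit is
    (index in log_a, index in log_b, matching fields)."""
    hits = []
    for (i, a), (j, b) in product(enumerate(log_a), enumerate(log_b)):
        fields = linkable(a, b)
        if fields:
            hits.append((i, j, fields))
    return hits


def excess_attributes(attestation: dict) -> set:
    """Attributes an age attestation carries beyond the assumed maximum set
    (the signature is envelope, not an attribute, so it is not counted)."""
    return set(attestation) - AGE_ATTESTATION_MAX_ATTRIBUTES - {"issuer_signature"}


# Constructed sample: an over-broad age attestation of the kind the page warns about.
SUBJECT = {
    "credential_id": "cred-0001",
    "age_over_18": True,
    "birth_date": "1990-05-17",
    "document_number": "X1234567",
    "issuer": "example-provider",
    "expiry": "2026-01-01",
}


def demo() -> dict:
    att = issue_attestation(SUBJECT)
    # Two unrelated relying parties, each keeping what it received; the
    # second one asked for more than it needed.
    sd_rp_a = [present_selective_disclosure(att, {"age_over_18"})]
    sd_rp_b = [present_selective_disclosure(att, {"age_over_18", "birth_date"})]
    zk_rp_a = [present_zkp_style(att, "age_over_18")]
    zk_rp_b = [present_zkp_style(att, "age_over_18")]
    return {
        "excess": excess_attributes(att),
        "rp_to_rp_links": collude(sd_rp_a, sd_rp_b),
        "provider_to_rp_links": collude([att], sd_rp_b),  # provider kept the full record
        "zk_links": collude(zk_rp_a, zk_rp_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The selective-disclosure records link on the credential id and signature value even though both relying parties only asked about age, and the provider's own copy links to a relying party on the birth date as well; the ZKP-style records share nothing the audit can join on. The model deliberately ignores side channels such as IP addresses, timing, or a relying party reusing the same challenge nonce, all of which can still correlate presentations that are cryptographically unlinkable.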
Editorial Opinion
While the EU's ambition to create a privacy-preserving digital identity framework is commendable, these technical critiques highlight the gap between privacy aspirations and implementation reality. The reliance on organizational best practices rather than cryptographic guarantees for privacy is a common weakness in digital identity systems. Mandatory zero-knowledge proofs should be considered essential rather than optional to ensure that privacy protections are enforceable by design rather than by policy alone.