This post explores thoughts from the Divvi Up engineers working on this topic.
Traditionally, our most authoritative and reliable identity documents are pieces of paper issued by governments, like driver's licenses or passports. But as more and more of our essential interactions, including our dealings with those same governments, move into the digital realm, there's a growing need for government issued credentials to include a digital component that is usable on the Internet. There's also an opportunity for governments to ensure that these digital credentials use state of the art safety mechanisms to prevent privacy abuses of the sort that have become all too common online.
We have been following the development of the EU's digital identity wallet regulations. This initiative aims to enable the use of digitally signed credentials in day-to-day transactions, while ensuring that users maintain control over their own identities, when and how they are used, and the related privacy impacts.
In this scheme, persons would hold a digital wallet which is capable of making promises (called attestations) about the bearer to a relying party, the companies and agencies that request credentials from users. The wallet can selectively attest to the minimal facts required in the current interaction instead of disclosing the bearer's name, photo, birthdate, home address and everything else about them. For example, minors might be forbidden from using social media in some jurisdictions. The social network's app or website could query the wallet to see if the user is over 18 without learning anything else about that person.
This is a nice privacy feature, but it still admits a risk of relying parties asking for more attestations than is necessary, which they can then use to fingerprint and track users even if they can't learn their name.
We might then decide that the government issuer should be required to approve a relying party's queries to user wallets. But this would create new privacy problems: we wouldn't want governments to learn which websites or apps users are authenticating to, as that could leak sensitive information like the user's location, habits or membership in groups. It may also be necessary to allow authentication in offline settings, where neither the wallet nor the relying party is able to reach the issuer's server. For example, you might be tagging into public transit at a remote bus stop where there is no WiFi or cell network coverage.
So we can't enforce reasonable usage in real time. Then we might try restricting which attributes a given relying party is permitted to query from wallets, which could be enforced by wallets without the issuer being in the loop. In the EUDI scheme, this is called a registration certificate. It is issued by governments, and lists what sort of credentials the relying party may request, and for what purpose the information will be used. But according to recently-passed regulations, relying parties will not be required to obtain a registration certificate to request digital credentials.
If we can't prevent relying parties from asking for more information than is necessary, then maybe we can mitigate this privacy risk after the fact by enabling regulators to detect such practices. While relying parties may not have registration certificates that list what information they can request, they still have to show the wallet an access certificate, which identifies the relying party. Thus, each user's wallet has a partial view of what the relying parties are asking for in practice, and if they opt to share this information, they can help their state's privacy regulators fill this blind spot.
So what's missing is a mechanism for anonymous telemetry to be uploaded from digital wallets to regulators. Fortunately, modern cryptography provides us with a solution: private aggregation using multi-party computation (MPC). MPC is a class of techniques in which computations over private data are spread out over multiple, non-colluding servers such that none of them can learn anything except the output of the computation. If the output is an aggregation over many contributions from many wallets, then it won't reveal anything about any individual user's activities, but it will let regulators learn about relying parties engaging in risky or abusive behavior across many users.
The Distributed Aggregation Protocol, developed by the Internet Engineering Task Force's Privacy Preserving Measurement working group, makes private aggregation in MPC practical, at scale, today. Our own Divvi Up service is available to act as one of the non-colluding aggregators in such a scheme, and Janus, our open source DAP implementation, can be used by any organization wishing to privately gather telemetry.
If DAP were applied in this digital identity context, digital wallets would log queries they receive, attributing them to the relying party identified by the access certificates. At some regular interval, or the next time a network connection is available, the wallet would upload a histogram where each bucket contains the number of times a given relying party queried a given user attribute. These histograms would then be split into two halves, each uploaded to one of the two DAP aggregators. These could be operated by governments issuing wallets, privacy regulators, NGOs or any pair of trustworthy, non-colluding entities. Governments issuing wallets to their citizens would have control over which aggregators are used. And of course since the user-controlled wallet is responsible for uploading the reports, the user could simply opt out of telemetry altogether.
This post is a case study in how novel cryptography, open standards and open source software can be used to build a more private Internet without compromising on utility and scalability. But these benefits do not come for free: they are more expensive to operate and great care must be taken when deploying them to ensure the promised safeguards are effective. What makes the problem of digital identity so interesting is that among the various actors involved in building the Internet, governments are uniquely well positioned to mandate safety mechanisms that otherwise would never get built. This transition is a rare opportunity to use exciting new technologies to make the Internet safer for huge numbers of people, and to raise the bar for the design of future systems. A little extraordinary ambition is called for.