Wallets and Privacy

I’m on a brief vacation celebrating my 28th anniversary and deep in thought (pic below). What am I thinking of here on the beach? Wallets, Networks, Trust and Privacy.

The Case for Separating Wallets from Identity Providers

As digital identities continue to evolve, one of the most important debates centers on who controls and operates the wallet that holds these identities. Specifically, should wallets be separated from the authorities that legally issue “identity”, commonly known as Identity Providers (IdPs)? This issue is particularly relevant in places like India and Europe, where digital identity initiatives have made significant strides, yet their approaches raise important questions about privacy and control.

India’s UIDAS Model: A Success with Privacy Concerns

India’s Unique Identification Authority of India (UIDAI) has seen tremendous success with its UIDAS system, which has enabled more than 1.3 billion citizens to access government services digitally. However, the model is highly centralized under the government. Every time an individual interacts with a service or validates their identity, the government sees the request. With services like Unified Payments Interface (UPI) linking directly to UIDAI, even payment transactions are monitored by the state. While UIDAS offers convenience and broad access, it comes at the expense of personal privacy, as the government can track all interactions tied to an individual’s identity.

Europe’s eIDAS: Privacy-Focused Federated Model

In contrast, Europe’s eIDAS (Electronic Identification and Trust Services) initiative takes a federated approach, with the wallet holding the credentials and assertions of trust. This method ensures that privacy is maintained, as relying parties (RPs) validate the signature of credentials without obtaining context about the interaction. Essentially, the wallet acts as a secure container, holding verifiable credentials (VC) signed by both identity providers (IdPs) and issuers, allowing users to authenticate across multiple services without revealing unnecessary personal data.

The federated model is closely aligned with the W3C’s Verifiable Credentials (VC) effort, which seeks to standardize the way digital credentials are exchanged and verified online. By ensuring that credentials are decoupled from specific platforms or identity providers, Europe’s model offers consumers more control over their identity, enhancing privacy while ensuring secure transactions.

Wallets as Cross-Domain Trust Containers

The key difference between these two models is the relationship between the wallet and the IdP. In a centralized system like UIDAS, the government essentially operates the identity wallet, tracking every transaction and interaction. In a federated system like eIDAS, the wallet is separate from the IdP and holds the credential in a trusted container that can operate ubiquitously across different platforms and domains.

For instance, credentials such as passports and identity cards need only be signed by the IdP and the credential issuer to be used by any relying party. By binding digital identities to an immutable device (like a mobile phone or a chip card), these credentials can be used securely across various applications, providing both privacy and utility.
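The contrast between the two models described above, as an added example that is not part of the original post: it counts what the identity authority observes when three relying parties check the same claim. All names (`CentralIdP`, `Issuer`, `rp_verify`, the relying parties and the claim) are constructed, a single issuer signature is assumed, and a hash-based Lamport one-time signature stands in for a real signature suite so the code needs only the standard library.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in suite): one credential per key.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class CentralIdP:
    """Centralized model: every identity check is a call to the authority."""
    def __init__(self, records):
        self.records, self.log = records, []
    def check(self, rp, subject, claim, value):
        self.log.append((rp, subject, claim))  # the authority sees who asked what
        return self.records.get(subject, {}).get(claim) == value

class Issuer:
    """Federated model: signs once at issuance, not contacted at presentation."""
    def __init__(self):
        (self.sk, self.pk), self.log = keygen(), []
    def issue(self, subject, claims):
        body = json.dumps({"sub": subject, "claims": claims}, sort_keys=True).encode()
        self.log.append(("issued", subject))
        return {"body": body, "sig": sign(self.sk, body)}

def rp_verify(issuer_pk, cred):
    # Relying party verifies locally; only the issuer's public key is needed.
    return verify(issuer_pk, cred["body"], cred["sig"])

def demo():
    rps = ("clinic", "insurer", "pharmacy")  # constructed relying parties
    idp = CentralIdP({"alice": {"degree": "MD"}})
    central_ok = all(idp.check(rp, "alice", "degree", "MD") for rp in rps)
    issuer = Issuer()
    wallet = issuer.issue("alice", {"degree": "MD"})  # held by the user
    fed_ok = all(rp_verify(issuer.pk, wallet) for _ in rps)
    tampered = dict(wallet, body=wallet["body"].replace(b"MD", b"PhD"))
    return len(idp.log), len(issuer.log), central_ok and fed_ok, rp_verify(issuer.pk, tampered)
```

`demo()` returns the number of events the central authority logged, the number the issuer logged, whether all checks passed, and whether an edited credential still verifies. The sketch leaves out holder binding and revocation, which a deployed wallet would also need.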

Privacy and Consumer Control

In the federated model, privacy is protected because the wallet itself understands the context for interactions, validating digital signatures without exposing personal information to relying parties. This contrasts with centralized models (i.e., UIDAS/UPI), where a single authority can see all interactions. Additionally, when consumers can control their wallets independently from identity providers, they have more flexibility and autonomy over their digital lives.

The Future of Digital Identity

The trend toward federated models is gaining momentum, and major tech companies like Apple and Google are poised to expand their wallet offerings to include government-issued identities, such as driver’s licenses, passports, and even educational credentials. As these digital identities are increasingly integrated with mobile platforms, the wallets themselves will see significant expansion in use and in UCs, becoming THE essential tools for verifying and asserting trust in digital interactions.

The future of digital identity appears to be leaning toward a model where wallets serve as the trusted container for personal credentials, ensuring privacy and security for users. The decentralized, federated model ensures that consumer privacy remains intact while enabling seamless interaction across services, platforms, and countries. While Google and Apple could operate this model within their domain with no outside assistance, operating across multiple domains requires governance, interoperability, and monetization (i.e., for value exchange). These are functions of a network. W3C standards provide the tech of operation, not the legal or financial framework for exchanging VALUE. While the governance and monetization aspects of identity networks are TBD, IMHO Visa and Mastercard are the best placed to deliver (i.e., given their cross-domain footprint).

The biggest unknown? What UCs will be monetized, and how? For example, I would like to know if my doctor really did get their degree from Johns Hopkins. The credentials will all be available, but will I be charged $0.02 for asking, or will the doctor provide at their cost after service is delivered? Or will my insurer do all that for me before they allow the doctor to be part of their plan? In this chain of information exchange and trust, who will keep the information and history? Who will have access to my medical information and the subsequent diagnosis? Keeping everything in the “wallet container” that only I can access would be the master. Where else is my information stored with my permission? This is also something I need to track. Every holder of my information could be constrained to the rights I give them to act on it. So many opportunities.

This blog sets up my next one: the agentic wallet. I hope no one steals my title before I write the blog.

One thought on “Wallets and Privacy”

  1. Another great post. Happy anniversary and enjoy the beach.

    UCs = ? User Context? microController?

    One other key difference that’s worth calling out between centralised and federated model – other than privacy – is security. The last thing you want is one centralised honeypot of information. See also Aadhaar (UIDAI) data breach: https://en.wikipedia.org/wiki/Data_breaches_in_India

    But the flip side is that individuals need to be responsible for securing their own container and its use…
