APIs that facilitate access to verifiable claims about identity,
such as the proposed Digital Credentials API,
are starting to be developed and deployed.
A large number of jurisdictions are starting
to create digital identity systems for their citizens.
The Federated Identity Working Group
includes an API for issuing and presenting digital credentials
as a chartered deliverable.
This API follows a three-party model
where the primary actors are the issuer, holder, and verifier;
as defined in [VC-DATA-MODEL-2.0].
Digital credential APIs provide a convenient way
for websites to access proof of legal identity.
This convenience leads to a range of implications for privacy,
as noted in a recent objection
to the formation of the Federated Identity Working Group [OBJECTION].
The TAG believes that the addition of government-issued digital credentials
to the web has great potential to cause the harms listed in the objection:
- Increased sharing of personal data
and corresponding reduction of privacy
due to reduced friction for sharing such data.
- Increased centralization of trust on the Web.
- Increased restriction of the ability
to publish, view, and participate on the Web,
and corresponding fragmentation of the Web as a whole.
- Reduction of user agency and perpetuation of existing societal power imbalances.
- Expansion of use cases such as age verification
where credentials may be requested or required inappropriately or coercively,
raising concerns about government or platform overreach.
The report produced by the W3C Council [COUNCIL-REPORT]
also acknowledged these problems
and recommended
that these concerns be addressed in the work of the Working Group.
This document provides a more thorough exploration
of these issues.
The TAG believes that the addition of government-issued digital credentials to the web
has great potential for harm.
The benefits of digital credentials
must be aligned with the web user's needs.
Following our established principles for privacy,
this includes providing people the tools to understand and control
how their personal information is collected and used.
A browser —
or user agent —
plays an essential role
in mediating these types of requests
and ensuring that people have agency.
The web should not become a platform that demands identity documents
in the course of its normal operation.
Use of credentials should be exceptional,
only when required,
and always on a person's own terms.
The TAG therefore encourages people integrating digital credentials with the web?
to pay special attention to the societal impact of digital credentials.
W3C specifications need to do more than raising awareness of risks
and trade-offs that arise from designs.
The design of systems can affect how they operate
in ways that has a meaningful impact on how people live.
Designs that empower people can help reduce the potential for harm.
There are multiple reasons that a site might seek to ask for proof of legal identity.
Often, there are multiple reasons that a site seeks to identify a visitor.
Motivations that tend to produce user-beneficial outcomes include:
- Obtaining some means of holding a person accountable
for a range of abusive behavior.
- Avoiding impersonation,
especially for social media accounts of prominent individuals or organizations.
- Legal mandates,
such as know-your-customer regulations common to financial services.
These uses are not necessarily directly felt
by people who are required to present credentials,
but they can provide a societal benefit
that outweighs the costs to individuals.
Each of these still carries the potential for abuse.
There are also motivations
for which requesting identification is not justified
and those that are outright harmful to end user interests:
- Distinguishing between visits from real people and visits from bots,
which might need to be handled specially.
- Personalization,
such as being able to appear more friendly by greeting a person by their name.
- Tracking,
which takes identity presented to multiple contexts
and links that activity to a single person.
That is, while at least some of these goals are beneficial,
the use of identity documents is not appropriate.
Any benefits are not justified by the cost
that people pay in terms of losing their ability to control
the identity they present
[PRIVACY-PRINCIPLES].
Other goals are inherently objectionable.
Once someone has provided legal identity,
sites are technically able to use identifiers in any way they choose.
Technical privacy protections that might be implemented in a browser cannot help.
Legal protections might apply to misuse of identifying information,
but that depends on effective detection and enforcement.
Tracking practices are moving away from largely hidden mechanisms —
like cookies —
to systems that require the use of stable identifiers.
Once identifying information is provided,
sites might then assume that they have consent to use identifiers
for a range of purposes.
Of course, without a viable alternative,
any consent to use identifiers is a fiction.
Perhaps the most serious consequence of obtaining an identifier
is that sites are then able to trade information
across any contexts where a person has provided that same identifier,
online or offline.
The resulting profiles are then used for many purposes
including advertising, credit ratings, and market analysis.
The TAG regards unsanctioned tracking as unacceptable
and has advocated for technical measures that curtail these practices.
The TAG has also unequivocally
condemned cross-site cookies and called for browsers to disable them.
Technical measures to prevent tracking are consistent
with the TAG's documented principles for privacy.
These principles articulate why privacy is essential to maintaining personal autonomy.
The same high-level principles are shared
by the many jurisdictions that have implemented data protection legislation.
The goal of data protection is to protect a person's rights over how data about them is used.
Absent the ability to request legal identity,
sites might ask for other identifiers,
like an email address, credit card, mailing address, or phone number.
Those identifiers could offer more privacy options, to varying degrees.
For instance, email services can provide temporary or site-specific aliases
to enable the creation of context-specific addresses on demand.
Similar aliasing is achievable
for other types of identifiers that are in common use,
though it can be both significantly harder and more expensive.
No such flexibility is possible when it comes to legal identity.
Legal mandates to use official documentation is not new.
The use of government credentials
to conduct business with governments
or where business comes with obligations to governments is not new.
In many cases, sites only ask because they are legally obligated to.
Widespread availability of credentials
and improved ease of use
can lead to cases where credentials are requested
when they might otherwise not be.
A streamlined process for providing verifiable identity
reduces the cost of requesting and providing that information.
In turn, this will make sites that would otherwise not ask for information
choose to take advantage of reduced friction to make a request.
Though increasing friction might not be worthwhile,
other mechanisms might be used to disincentivise requests for legal identity.
A method that might alter the costs for site operators in other ways
is described in 6.2 Authorizing Sites.
Normalizing the practice of providing identity credentials to websites
risks serious harm.
Providing any form of external identity information needs to be an exceptional process.
For example, it is entirely inappropriate to use government-issued credentials
as a login credential,
even if credentials are used during account creation.
In India,
the Aadhaar national identity scheme
was introduced as a way to better enable access to government services,
like health, welfare, and food assistance.
Though the legislation
originally included the option for Aadhaar to be used by non-government actors,
that provision
(Section 57)
was ruled unconstitutional by the Supreme Court in 2018 [AADHAAR-VERDICT].
In 2025,
the Indian government has enabled wide use of Aadhar for any entity,
expanding the set of recognized reasons
to include "promoting ease of living for residents".
As a result,
the roughly 1 billion Indian participants in the Aadhaar program
are potentially subject to surveillance through the use of their unique 12 digit identifier,
which links fingerprints and iris scans to name and other personal details.
Despite Aadhar use being optional in law,
even prior to this change,
refusals to do business were widespread in employment
and other non-government interactions.
A number of government services soon
made Aadhaar use mandatory [AADHAAR-MANDATORY].
This further highlights the need for accountability,
but also demonstrates that there are strong incentives
that motivate the use of legal identity where it is available.
Privacy therefore depends on having an equivalently strong countervailing force.
A number of governments have chosen to mandate the use of age verification
for access to certain online services.
The TAG is not confident that age verification is even appropriate ([SUPPRESS]),
but we are waiting for the outcome of the upcoming [AGE-WS] workshop
before taking a firm position.
Different jurisdictions vary in how they require age verification,
but a common theme is to place the responsibility on the service provider
(the website, in the web's context).
The presentation of government-issued credentials
is often recognized as an acceptable age verification method;
in other cases, government credentials are one of a set of acceptable methods.
Even if privacy concerns around surveillance are mitigated
(see 3.1 Tracking with Legal Identity and 3.2 Tracking Inherent to Credential Formats),
the use of credentials in this setting creates another way in which
people might become accustomed to providing their identity documents.
Online services that have real-name policies
are justifiably controversial.
The use of legal identity provides very different social dynamics
when compared with pseudonymous
or anonymous systems.
Insistence on use of legal identity inevitably excludes certain people,
which can be for a range of reasons:
- Sites that only recognize credentials from local authorities
could unjustly exclude people from out of town,
either temporarily or permanently.
- People might wish to remain anonymous
for any reason,
including fear of harm to their reputation or person.
- People might temporarily lose access to credentials
because of a lost personal device
or temporary disability.
- People might be completely unable to obtain or use credentials
due to factors outside their control.
- Systems that include the ability to revoke credentials
can be abused by attackers
to forcibly exclude people.
In some cases,
such as Aadhaar (4.1 Case Study: Aadhaar),
laws could recognize the risk that people might not be able to present a credential
and forbids discrimination against those who do not.
However, what matters is whether refusal is respected in practice.
Even if laws only permit the use of digital credentials as a convenience,
there is a risk that no alternative means of access to services are provided.
This leads to exclusion.
It should not be possible to refuse service to a person
based on their refusal or inability to provide a digital credential.
This is aligned with such principles
as not revealing when assistive technologies are in use
or non-retaliation.
Any website that requests legal identifiers
needs to decide which legal identities it accepts.
The easiest way to do this is to trust the issuers of credentials
that are most-used among visitors
and distrust the rest.
Another way might be to choose government-issued credentials
from jurisdictions in which the site has a legal presence.
This risks centralization of trust in the most-used credentials
and makes it hard for any new authority to become trusted.
Centralizing trust in a limited set of authorities
can lead to a fragmented web,
where access depends on which authorities
a site or user is willing, or able, to work with.
Choosing a limited set of issuers risks marginalizing people
who are unable to obtain credentials that will be accepted.
This could undermine the global and open nature of the web.
For example, a visitor, migrant, or refugee
may not be able to — or may not feel safe to — use credentials
from their country of origin.
Especially where major platforms only recognize a narrow set of issuers,
or only recognize issuers tied to a specific jurisdiction.
The implementation of identity verification is complex.
Sites might choose to delegate to external services to manage the process.
It is possible that a limited number of service providers
will be capable of implementing the technical and legal process
of gathering and validating credentials.
This is presently the case for payments infrastructure,
which has high degrees of consolidation.
Centralized control provides opportunities to use —
or, depending on perspective, abuse —
the power it confers to advance political goals.
For instance, centralized control over access to payments infrastructure
has been used to refuse business
from sex work,
legal drugs,
and video games.
Open standards and implementations can help
reduce this risk of capture.
Designing systems and standards to minimize any structural bias
that might lead to market consolidation is better.
Sites seek to obtain and use identity for multiple reasons; see 3. Uses for Identity Information.
While the universality of a generic solution is appealing,
each use case might require a different type of solution.
Different solutions can have dramatically different privacy characteristics.
The properties of different approaches need to be understood and matched to needs.
A possible data minimization approach might choose to use selective disclosure,
so that people can choose what is disclosed to sites.
Such a system can accept the linkability risks
of a simple selective disclose approach (see 3.2 Tracking Inherent to Credential Formats)
on the basis of the need for identifying information.
Other systems might instead avoid identifying information,
but rely on linkability as an essential feature,
because it might be used to trace bad actors when necessary.
A system that seeks to authorize based on certain traits —
such as a system to authorize access to online gambling,
something that might be restricted by age or past history of susceptibility —
might be better suited to a zero-knowledge system
that provides strong unlinkability.
Use cases are diverse.
There is no single approach
that can adapt to all use cases.
For a web API, like digital credentials,
this is challenging,
because such APIs need to serve a range of purposes.
The suggestions in the following sections address common issues.
There are some use cases —
such as age-based restrictions on content access (see 4.2 Age Verification) —
that might benefit from a wholly different approach.
Many uses of digital credentials will rely on asking people to make a decision
about whether to authorize the use of the credential.
User agents need to help their users understand what information is disclosed
to enable an informed choice.
It is challenging to design a system
that can accurately and comprehensibly convey the details
of what people are being asked to approve
given the potential diversity of uses.
Communicating the implications can be particularly difficult
when credentials are linkable
or reveal metadata, such as the issuer identity.
Developing a better understanding of what is appropriate
for a given situation
will take time.
Developing the necessary understanding of different uses of new technology —
and then evolving norms to handle those situations —
is not something that can be rushed.
Deployment is.
The architecture specified in the European Union’s digital identity eIDAS regulation
envisions not only the issuance of digital credentials to individuals,
but also the explicit authorization of the businesses and service providers
who request those credentials.
These business or government entities
must be registered and approved by identity issuers,
before they are granted permission to access the system.
These entities are then only able to request the information they received approval for.
This design is intended to ensure that businesses and agencies cannot request arbitrary personal data,
and that their ability to do so is constrained, transparent, and subject to oversight.
This depends on having a system for transparency [EIDAS2]:
relying parties should provide information regarding the data that they will request,
if any, in order to provide their services and the reason for the request.
Verifiable transparency mechanisms contribute to accountability
by making it possible for users to understand who is asking for what,
and under what legal authority.
This safeguard mitigates against some of the risks associated with digital credentials.
Transparency depends on people who review use
for proportionality, user control, and other risks,
especially overuse (4. Overuse of Identity).
Nevertheless, we recommend that the specification authors
look to such mechanisms as a guide for mitigating risk of overuse.
The exclusion risk to people
who might be unable to obtain a credential (see 5.1 Centralization of Trust)
is not always a problem that needs to be addressed through system design.
For instance,
when interacting with a government
there are cases where it is appropriate to limit credentials
to those issued by that government.
Systems that do not have these constraints
can be designed to recognize a more diverse set of issuers,
offering sites no discretion in what they recognize.
That way, organizations that help displaced people
participate in society,
such as UNHCR
or MSF,
might be recognized as valid issuers
for cases that do not include a need to identify an issuer.
This might include credentials that include claims about inherent traits of a person,
such as their name, appearance, age (4.2 Age Verification),
or even personhood (Personhood credentials: Artificial intelligence and the value of privacy-preserving tools to distinguish who is real online).
Individuals with more than one nationality,
when traveling across international borders,
have the choice of which credential (passport) to present.
For example, a person is generally required to present a passport
for the country they entering if they are a citizen of that country,
even if they hold other passports.
When entering a country in which they do not hold citizenship,
individuals with multiple nationalities have the choice of asserting
whichever nationality is more convenient.
The systems that support digital passport credentials
need to ensure that these choices remain viable
as credentials move to the digital domain.
In particular,
it is vital that national authorities are not able to query or enumerate
what credentials may exist
and equally important that end users remain in control
of what information is provided.
Any credential system needs to carefully consider
what might happen if someone is unable to authenticate or they refuse to.
A protection that might protect people who cannot provide a credential,
for any reason,
might be to artificially induce a non-trivial failure rate
even where credentials are available and valid.
This might ensure that sites do not come to assume
that all users are equally able to produce a credential
and so build systems to handle failures.
Any choice to induce such failures needs to be balanced
against the potential for fallback mechanisms
to be considerably less private.
A wallet application acts as its user's agent.
It tells its user what information is being requested,
guides them toward making an informed choice about what to present,
and then handles the technical side of presenting and proving the chosen credentials.
We expect a variety of wallets to be implemented.
These will serve many different purposes,
and some will hold far less sensitive information than government credentials.
However, the role of wallets as user agents on the web is untried.
As our community develops norms for how wallets should behave,
it's appropriate for other user agents in the ecosystem to
be cautious about how much to trust the wallets.
Over time, we expect these other UAs to re-evaluate the need for extra safeguards,
as wallets prove that they can be
effective advocates for the interests of their users.