Cybersecurity; Data minimization; European Digital Identity Wallet; Privacy threat modeling; Unlinkability
Abstract :
Digital identity wallets promise significant advancements in digital identity management by offering users a high degree of convenience, security, and control over their data disclosure. However, there is also criticism regarding their privacy guarantees, especially when used in regulated use cases that require high levels of assurance on the correctness and binding of a legal identity. In this paper, we present a comprehensive privacy model and analysis of one of the most prominent digital wallets – the European Digital Identity Wallet (EUDIW) – as specified by the Architecture and Reference Framework (ARF) and the eIDAS 2.0 regulation. We employ a suite of qualitative privacy risk assessment methods to systematically map and evaluate information flows in three key use cases. Our analysis identifies multiple privacy risks – including linkability, identifiability, and excessive attribute data disclosure – and reveals that although the ARF is designed to comply with privacy-by-design principles, inherent design choices, such as the reliance on SD-JWT and mDOC data formats, as well as the concept of a Wallet Unit Attestation (WUA), retain risks to user privacy. Building on our findings, we then highlight how advanced Privacy-Enhancing Technologies (PETs), such as (general-purpose) Zero-Knowledge Proofs (ZKPs), can reduce or mitigate some of these risks.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > FINATRAX - Digital Financial Services and Cross-organizational Digital Transformations
NCER-FT - FinTech National Centre of Excellence in Research
Disciplines :
Computer science
Author, co-author :
ABELLÁN ÁLVAREZ, Iván ✱; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
HÖLZMER, Pol ✱; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
FNR13342933 - DFS - Paypal-fnr Pearl Chair In Digital Financial Services, 2019 (01/01/2020-31/12/2024) - Gilbert Fridgen
FNR16326754 - PABLO - Privacy-preserving Tokenisation Of Artworks, 2021 (01/06/2022-31/05/2025) - Gilbert Fridgen
FNR16570468 - NCER-FT - 2021 (01/03/2023-28/02/2025) - Gilbert Fridgen
Funders :
FNR - Luxembourg National Research Fund
Luxembourg's Ministry for Digitalisation
Funding number :
13342933; 16326754; 16570468
Funding text :
This research was supported in part by Luxembourg's Ministry for Digitalisation, PayPal, and the Luxembourg National Research Fund (FNR) (PEARL grant reference 13342933, PABLO grant reference 16326754, NCER-FT grant reference 16570468). For the purpose of open access and in fulfillment of the obligations arising from the grant agreements, the authors have applied a Creative Commons Attribution 4.0 International (CC BY 4.0) license to any Author Accepted Manuscript version arising from this submission. The authors acknowledge the use of Grammarly's generative AI features to enhance the clarity, grammar, and coherence of their writing by refining sentence structure.