Conversation

@selfissued
Member

TBD -> actual text!

@selfissued selfissued added this to the ID-1 milestone Dec 30, 2023
Collaborator

@Sakurann Sakurann left a comment

I don't think this is sufficient.... even as a starting point....

@danielfett
Contributor

danielfett commented Jan 4, 2024

These are some things I can come up with that we should discuss in this section:

  • The Issuer needs to make choices about selectively disclosable claims (and should do so carefully)
  • Multiple credentials can be linkable. Batch issuance solves this potential privacy issue, but only when used correctly
  • An issuer normally should not learn where a user uses a credential. The wallet should take care to not include information in the authorization request that may leak this information in an ad-hoc issuance scenario (e.g., a "state" value that contains clear-text session information or a redirect_uri that is encoding this information).
  • There's a potential for leaking information about the wallet to third parties when a wallet reacts to a credential offer that was sent to its custom scheme. An attacker may send such requests, wait for the wallet to react (e.g., retrieve metadata about the "issuer" which in reality is an attacker server) and therefore learn which wallet is installed (e.g., by observing specific headers). This should be avoided, e.g., by requiring user interaction with the wallet before reacting to the offer. Note that this is not covered by Section 12.2.
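
Two of the wallet-side points in the list above (not leaking the Verifier or session to the Issuer through `state` or `redirect_uri`, and not reacting to an unsolicited Credential Offer before the user acts) can be checked in code. The following is an added example, not code from the specification, from this PR or from any wallet. The scheme name `openid-credential-offer` and the parameters `credential_offer`, `credential_offer_uri`, `credential_issuer` and `issuer_state` are OpenID4VCI's; the function names, the session table, the registered redirect URI and the sample offers are assumptions made for the example, and the authorization request carries a reduced parameter set.

```python
"""Wallet-side hygiene for ad-hoc OpenID4VCI issuance (added example).

Not code from the OpenID4VCI specification or any wallet project. It shows:

  * an offer arriving on the wallet's custom scheme is parsed with no
    network access; dereferencing `credential_offer_uri` or fetching Issuer
    metadata happens only after the user chooses to proceed, so an
    unsolicited offer pointing at an attacker's server learns nothing about
    which wallet is installed;
  * `state` and `redirect_uri` carry no session or Verifier information;
    the wallet keeps that context locally under a random `state` handle.

Function names, the session table and the sample offers are constructed here.
"""
import base64
import json
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

OFFER_SCHEME = "openid-credential-offer"          # from OpenID4VCI
REGISTERED_REDIRECT_URIS = {"https://wallet.example/callback"}   # assumed


def parse_credential_offer(url: str) -> dict:
    """Parse an offer received on the custom scheme. No network access here."""
    parsed = urlparse(url)
    if parsed.scheme != OFFER_SCHEME:
        raise ValueError("not a Credential Offer URL")
    q = parse_qs(parsed.query)
    if "credential_offer" in q:
        offer = json.loads(q["credential_offer"][0])
        issuer = offer.get("credential_issuer")
        if not isinstance(issuer, str) or urlparse(issuer).scheme != "https":
            raise ValueError("credential_issuer must be an https URL")
        return {"offer": offer, "offer_uri": None, "credential_issuer": issuer}
    if "credential_offer_uri" in q:
        ref = q["credential_offer_uri"][0]
        if urlparse(ref).scheme != "https":
            raise ValueError("credential_offer_uri must be https")
        # Left unresolved on purpose: fetch it only after user interaction.
        return {"offer": None, "offer_uri": ref, "credential_issuer": None}
    raise ValueError("offer has neither credential_offer nor credential_offer_uri")


def _decodes_to_object(value: str) -> bool:
    """True if value is a JSON object/array, directly or under base64(url)."""
    candidates = [value]
    padded = value + "=" * (-len(value) % 4)
    for decode in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            candidates.append(decode(padded).decode("utf-8"))
        except ValueError:          # binascii.Error and UnicodeDecodeError
            pass
    for text in candidates:
        try:
            if isinstance(json.loads(text), (dict, list)):
                return True
        except ValueError:
            pass
    return False


_KEY_VALUE = re.compile(r"(?:^|[&?])[A-Za-z_][A-Za-z0-9_]*=[^=&]+")


def state_is_opaque(value: str) -> bool:
    """Heuristic lint: reject `state` values carrying readable structure."""
    if len(value) < 22:                       # fewer than ~128 bits of base64url
        return False
    if "://" in value or _KEY_VALUE.search(value):
        return False
    return not _decodes_to_object(value)


class WalletSessions:
    """Wallet-local context, reachable only through an opaque random handle."""

    def __init__(self) -> None:
        self._by_state = {}

    def new_state(self, context: dict) -> str:
        state = secrets.token_urlsafe(32)
        self._by_state[state] = context       # e.g. which Verifier asked, where to resume
        return state

    def resolve(self, state: str) -> Optional[dict]:
        return self._by_state.pop(state, None)   # single use


def redirect_uri_is_clean(redirect_uri: str, registered: set) -> bool:
    """Only a fixed, pre-registered URI with no query or fragment appended."""
    parsed = urlparse(redirect_uri)
    return redirect_uri in registered and not parsed.query and not parsed.fragment


def build_authorization_request(authorization_endpoint: str, client_id: str,
                                redirect_uri: str, state: str, code_challenge: str,
                                issuer_state: Optional[str] = None) -> str:
    if not state_is_opaque(state):
        raise ValueError("state would leak session information to the Issuer")
    if not redirect_uri_is_clean(redirect_uri, REGISTERED_REDIRECT_URIS):
        raise ValueError("redirect_uri must be a fixed registered URI")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "code_challenge": code_challenge, "code_challenge_method": "S256"}
    if issuer_state:      # the Issuer's own opaque value from the offer, echoed unchanged
        params["issuer_state"] = issuer_state
    return authorization_endpoint + "?" + urlencode(params)


# Constructed sample inputs.
SAMPLE_OFFER = {"credential_issuer": "https://issuer.example",
                "grants": {"authorization_code": {"issuer_state": "abc123-issuer-state"}}}
SAMPLE_INLINE_OFFER_URL = OFFER_SCHEME + "://?" + urlencode({"credential_offer": json.dumps(SAMPLE_OFFER)})
SAMPLE_REFERENCE_OFFER_URL = OFFER_SCHEME + "://?" + urlencode(
    {"credential_offer_uri": "https://issuer.example/offers/42"})
LEAKY_STATE_JSON = '{"session":"7f3a","verifier":"https://shop.example"}'
LEAKY_STATE_B64 = base64.urlsafe_b64encode(LEAKY_STATE_JSON.encode()).rstrip(b"=").decode()
```

The opacity check is a lint, not a proof: it catches the obvious failure modes (JSON, base64-wrapped JSON, `key=value` pairs, URLs) but a determined implementer can still smuggle bits into a random-looking value, so the real control is the design choice that the wallet never has a reason to put context on the wire.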

@paulbastian
Contributor

As the Privacy section is still not there for ID-1, in my opinion it would look better to leave it open and add a more thorough/completed version for the next ID-2.

@peppelinux
Member

@selfissued below a markdown table with the articles taken from the revision text of the eIDAS regulation that can be relevant for the privacy considerations in the current specs.

| Article | Description |
|---|---|
| Art. 6a.7 | The users shall be in full control of the use of the European Digital Identity Wallet and of the data in their European Digital Identity Wallet. The provider of the European Digital Identity Wallet shall not collect information about the use of the wallet which are not necessary for the provision of the wallet services, nor shall it combine person identification data and any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by this provider or from third-party services which are not necessary for the provision of the wallet services, unless the user has expressly requested it. Personal data relating to the provision of European Digital Identity Wallets shall be kept logically separate from any other data held by the provider of European Digital Identity Wallets. |
| Art. 6a.4a | Member State shall inform users, without delay, of any security breach that may have entirely or partially compromised their European Digital Identity Wallet or its content and in particular if their European Digital Identity Wallet has been suspended or revoked pursuant to Article 6da. |
| Art. 6a.7b | The technical framework of the European Digital Identity Wallet shall: a) not allow providers of electronic attestations of attributes or any other party, after the issuance of the attestation of attributes, to obtain data that allows for tracking, linking, correlating or otherwise obtain knowledge of transactions or user behaviour unless explicitly authorised by the user. b) enable privacy preserving techniques which ensure unlinkability, where attestation of attributes do not require the identification of the user. |
| Art. 6da | Where European Digital Identity Wallets provided pursuant to Article 6a or the validation mechanisms referred to in Article 6a(5), or the electronic identification scheme under which the wallets are provided, are breached or partly compromised in a manner that affects their reliability or the reliability of other European Digital Identity Wallets, the providing Member State shall, without undue delay, suspend the provision and the use of the European Digital Identity Wallet. The Member States where concerned Wallets were provided shall inform the affected users, the single points of contact designated pursuant to Article 46c, the relying parties and the Commission accordingly. |
| Recital 6 | Personal data related to the provision of European Digital Identity Wallets should be kept logically separate from any other data held by the provider. This amending Regulation should not prevent providers of European Digital Identity Wallets to apply additional technical measures contributing to protection of personal data, such as physical separation of personal data relating to the provision of Wallets from any other data held by the provider. Without prejudice to Regulation (EU) 2016/679, this amending Regulation further specifies the application of principles of purpose limitation, data minimisation, and data protection by design and by default. |
| Recital 6b | Member States should integrate different privacy-preserving technologies, such as zero knowledge proof, into the EDIW. These cryptographic methods should allow a relying party to validate that a given statement based on the person's identification data and attestation of attributes is true, without revealing any data this statement is based on, thereby ensuring the privacy of the user. |
| Recital 8 | Relying parties should comply with the safeguards offered by Articles 35 and 36 of Regulation (EU) 2016/679, in particular by performing data protection impact assessments and by consulting the competent data protection authorities prior to data processing where data protection impact assessments indicate that the processing would result in a high risk. |
| Recital 11c | The use of the wallet free of charge should not result in the processing of data beyond what is necessary for the provision of wallet services. This Regulation should not allow processing of personal data stored in or resulting from the use of the European Digital Identity Wallet by the provider of the European Digital Identity Wallet for other purposes than the provision of wallet services. To ensure privacy, EDIW providers should ensure unobservability by not collecting data and not having insight into the transactions of the users of the Wallet. This means that the providers should not be able to see the details of the transactions made by the user. However, in specific cases based on the previous explicit consent of users for each of those specific cases, and in full accordance with GDPR, providers of EDIW could be granted access to the information necessary for the provision of a particular service related to the Wallet. |
| Recital 28 | The request for information to the EUDIW user should be necessary and proportionate with the intended use case and in line with the principle of data minimisation and ensure transparency over which data is shared and for what purpose. |
| Art. 6a.7c | Any processing of personal data carried out by the Member States or on their behalf by bodies or parties responsible for the provision of the European Digital Identity Wallets as electronic identification means shall implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with Regulation (EU) 2016/679. Member States shall be allowed to introduce national provisions to further specify the application of such rules. |

Contributor

@awoie awoie left a comment

LGTM, an improvement to the current status.

@Sakurann
Collaborator

@cobward made a comment that a lot in the section feels like it is about verification, not issuance.

@Sakurann
Collaborator

@yaromin

@Sakurann Sakurann requested a review from peppelinux January 25, 2024 17:05
@Sakurann
Collaborator

please capitalize terms, endpoints, etc.

Contributor

@decentralgabe decentralgabe left a comment

looks great

Contributor

@cobward cobward left a comment

LGTM apart from one typo

Co-authored-by: Jacob <jacob.ward@spruceid.com>
Co-authored-by: Joseph Heenan <joseph@heenan.me.uk>
Collaborator

@Sakurann Sakurann left a comment

I started reviewing this PR, but there was so much more that I believe needs to be added to be actionable to the implementers and to convey to the readers how serious we are about privacy, so I prepared an alternative PR #244. I would appreciate the review.

Comment on lines +1508 to +1509
Privacy harms can occur if information about a person is released to another party without the person's consent.
True consent involves both the person knowing what information is being released and knowing who it is being released to, and for what purpose.
Collaborator

it is not clear who needs to obtain consent from the end-user - issuer? wallet?
release is not really the term we have used in VCI.

Another possibility is issuing Credentials containing only a single claim each.

Furthermore, multiple seemingly innocent consenting information releases can result in privacy erosion through collusion and correlation.
There may be unintended second or third order effects, which is why minimal disclosure is crucial.
Collaborator

what "second or third order effects" do you mean? it is not actionable without details.

Comment on lines +1514 to +1518
Claims that are always disclosed can enable correlation by verifiers.
Another possibility is issuing Credentials containing only a single claim each.

Furthermore, multiple seemingly innocent consenting information releases can result in privacy erosion through collusion and correlation.
There may be unintended second or third order effects, which is why minimal disclosure is crucial.
Collaborator

it feels like the warning against correlation and minimal disclosure are being mixed up.
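
The two points in the quoted PR text, that always-disclosed claims let Verifiers correlate and that disclosure should be minimal, together with the earlier remark that batch issuance only solves linkability when used correctly, can be made concrete. The following is an added example, not part of this PR, of PR #244 or of the specification. It assumes the SD-JWT disclosure format (disclosure = base64url of the JSON array `[salt, name, value]`, referenced from the credential by the base64url SHA-256 digest in `_sd`); the claim values, the `vct` value and the function names are constructed for the example, and no signature is produced.

```python
"""Correlation handles in selectively disclosable credentials (added example).

Not code from OpenID4VCI, the SD-JWT draft or any issuer or wallet. On
constructed sample claims it shows that:

  * a claim the Issuer leaves always-disclosed (here `document_number`) is
    seen verbatim by every Verifier and links presentations even when the
    wallet holds a batch of copies issued with fresh salts;
  * presenting the same copy twice links two Verifiers through identical
    `_sd` digests, while two batch copies share no digest;
  * a selectively disclosable unique claim still correlates if the wallet
    discloses it, which is why minimal disclosure matters as well.
"""
import base64
import hashlib
import json
import secrets
from typing import Callable, Dict, List


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_disclosure(salt: bytes, name: str, value) -> str:
    return _b64url(json.dumps([_b64url(salt), name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    return _b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, selectively_disclosable: set, *,
          salt: Callable[[], bytes] = lambda: secrets.token_bytes(16)) -> dict:
    """One credential copy: plaintext for always-disclosed claims, `_sd`
    digests for the rest. The holder keeps the matching disclosures."""
    payload: dict = {"_sd_alg": "sha-256", "_sd": []}
    disclosures: Dict[str, str] = {}
    for name, value in claims.items():
        if name in selectively_disclosable:
            d = make_disclosure(salt(), name, value)
            disclosures[name] = d
            payload["_sd"].append(disclosure_digest(d))
        else:
            payload[name] = value
    payload["_sd"].sort()   # as in SD-JWT: order must not reveal which digest is which claim
    return {"payload": payload, "disclosures": disclosures}


def batch_issue(claims: dict, selectively_disclosable: set, n: int) -> List[dict]:
    """Batch issuance: n copies with independent salts, hence distinct digests."""
    return [issue(claims, selectively_disclosable) for _ in range(n)]


def present(credential: dict, requested: set) -> dict:
    """What one Verifier receives: the payload plus only the requested disclosures."""
    return {"payload": credential["payload"],
            "disclosures": [d for n, d in credential["disclosures"].items() if n in requested]}


def open_disclosure(payload: dict, disclosure: str):
    """Verifier side: accept a disclosure only if its digest is in `_sd`."""
    if disclosure_digest(disclosure) not in payload["_sd"]:
        raise ValueError("disclosure does not belong to this credential")
    _salt, name, value = json.loads(base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4)))
    return name, value


def _visible_claims(view: dict) -> dict:
    claims = {k: v for k, v in view["payload"].items() if k not in ("_sd", "_sd_alg")}
    for d in view["disclosures"]:
        name, value = open_disclosure(view["payload"], d)
        claims[name] = value
    return claims


def correlation_handles(view_a: dict, view_b: dict) -> dict:
    """Values two colluding Verifiers can match to decide they saw the same holder.

    Population-wide values such as `iss` or `vct` appear here too; a handle
    identifies a person only when its value is unique to them, as
    `document_number` is below.
    """
    a, b = _visible_claims(view_a), _visible_claims(view_b)
    handles = {k: v for k, v in a.items() if b.get(k) == v}
    shared_digests = set(view_a["payload"]["_sd"]) & set(view_b["payload"]["_sd"])
    if shared_digests:
        handles["_sd"] = sorted(shared_digests)
    return handles


# Constructed sample claims for one holder.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example",
    "vct": "https://credentials.example/identity",
    "given_name": "Erika",
    "family_name": "Mustermann",
    "birthdate": "1964-08-12",
    "document_number": "T22000129",
}
CARELESS_SD = {"given_name", "family_name", "birthdate"}   # document_number always disclosed
CAREFUL_SD = CARELESS_SD | {"document_number"}
```

Running `correlation_handles` over presentations from two batch copies under `CARELESS_SD` still returns `document_number`, so batch issuance alone does not buy unlinkability; under `CAREFUL_SD` it returns only `iss` and `vct` as long as the wallet does not disclose the unique claim to both Verifiers, and presenting one copy twice returns every `_sd` digest as a shared handle.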

@Sakurann
Collaborator

Sakurann commented Feb 8, 2024

PR #244 merged

@Sakurann Sakurann closed this Feb 8, 2024

10 participants