Data associated with [=verifiable credentials=] stored in the -`credential.credentialSubject` field is susceptible to privacy -violations when shared with [=verifiers=]. Personally identifying data, such -as a government-issued identifier, shipping address, and full name, can be -easily used to determine, track, and correlate an [=entity=]. Even -information that does not seem personally identifiable, such as the -combination of a birthdate and a postal code, has very powerful correlation -and de-anonymizing capabilities. +`credential.credentialSubject` field is susceptible to privacy violations when +shared with [=verifiers=]. Personally identifying data, such as a +government-issued identifier, shipping address, and full name, can be easily +used to determine, track, and correlate an [=entity=]. Even information that +does not seem to be personally identifiable, such as the combination of a +birthdate and a postal code, has very powerful correlation and de-anonymizing +capabilities.
@@ -5283,6 +5283,17 @@
+In general, individuals are advised to assume that a [=verifiable credential=], +like most physical credentials, will leak personally identifiable information +when shared. To combat this leakage, the [=verifiable credential=], and the +securing mechanism, need to be specifically designed to avoid correlation. +[=Verifiable credentials=] that are specifically designed to prevent the leakage +of personally identifiable information do exist. Individuals and implementers +are urged to prefer these types of credentials over ones that are not designed +to protect personally identifiable information. +