Status of this page: DRAFT
This workgroup is trying to address the issue of how an “Alice” using a mobile credential, such as an ISO-compliant mobile Driving License (mDL) can trust that digital identity ecosystem she uses when she gets or uses a mobile credential. It’s not enough that the transactions themselves are secure. Alice should be able to trust not just the person or entity that she gets her mobile credential from (Issuers like driving license departments, schools, health care organisations, and so on). She should have a reasonable expectation that every entity upstream or downstream of her actual transaction will respect her privacy — i.e. only use or share her credentials for purposes related to why she used her mobile credential in the first place. This requires an ecosystem level of interoperable technical protocols and governance. That being
The purpose of Implementor's Guidance is to point organizations in the correct direction for ensuring that their products, processes, or systems for mobile credentials are "Privacy Enhancing". Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals.
Guidance
- Information for Providers: Information for organizations that provide software or systems for mobile credentials, such as digital wallets or SDKs
- Information for Verifiers: Information for organizations that verify mobile credentials, and by inference organizations that provide software or services to issuers to enable the verifier to verify mobile credentials.
References:
- ENISA Privacy Enhancing Technologies
- Office of the Privacy Commissioner of Canada: Privacy Enhancing Technologies – A Review of Tools and Techniques
- The Royal Society’s Privacy Enhancing Technologies project
- Wikipedia: Privacy-enhancing technologies