EIC 2025: EUDI Wallet has a data oversharing problem

Many of us are guilty of skimming through privacy policies and accepting browser cookies without putting in the effort to understand where our data will end up. Similarly, many companies are eager to lure unsuspecting users to their services without fully explaining what the consequences for their data might be.

With the arrival of digital identity wallets, that problem may become even more complex as wallets can potentially hold some of our most private information.

At the European Identity and Cloud Conference (EIC) 2025, researcher Henk Marsman laid out the risks of oversharing our data with identity wallets, particularly European Union Digital Identity (EUDI) Wallets, which are expected to be offered to each European citizen starting next year.

According to the eIDAS regulation, the wallet will be under the sole control of the users, giving them full autonomy, independence, freedom and control over their data and where they share it. However, the fact that the user has full control over the data also creates the risk of oversharing it, according to Marsman, who is also a principal consultant at Identity and Access Management (IAM) company SonicBee.

“Even though I think I’m an autonomous being and I make informed decisions, I can be quite easily manipulated and influenced by nudging techniques, by dark patterns, or just by a five percent discount,” he says.

The eIDAS legislation promises to protect users against things like cybersecurity risks, cybercrime, identity theft – and manipulation. Marsman has been studying the issue of digital ID wallets and online manipulation at the Delft University of Technology in the Netherlands.

His findings have shown that digital literacy programs can only go so far. Balancing the protection of users while maintaining a smooth digital wallet experience makes it tough to mitigate the risks of oversharing data.

One solution to this problem could be putting the burden on relying parties: service providers that can be anything from governments to banks, universities and pharmacies. eIDAS, however, doesn’t make it completely clear who sets the rules of the ecosystem when it comes to digital platforms.

“If the relying party wouldn’t ask too much, we wouldn’t have this risk,” says Marsman. “One of the challenges with relying parties is that they have a data-driven business model, or at least some of them have, and that is the incentive to get more data off their users.”

Not all digital ID wallet security is the same: Hopae

The European Identity and Cloud Conference, held last week in Berlin, touched upon other issues related to identity security, privacy and governance, including biometric authentication.

Jaehoon Shim, co-founder and CEO of Hopae, the company that built South Korea’s blockchain-based COVID-19 vaccination credential system, shared his thoughts on how companies should prepare to introduce secure identity wallets.

Companies can choose to embed digital ID wallets into existing apps or accept digital IDs and verify them. Many resources already exist for firms to build an eIDAS-compliant wallet, including those from the Open Wallet Foundation.

“To build a secure, EUDI-compliant wallet, it’s not just the app and it’s not just about having data management or networking,” says Shim. “It’s also about crypto key management to ensure you can provide your customers with a high level of assurance.”

Cryptographic key management must store keys in an embedded Secure Element (eSE) or eSIM, an external device such as a smart card, or a remote hardware security module (HSM). eSE, which provides hardware-based security protection for smartphones, tablets, and other devices, looks like the optimal choice, according to Shim. eSE, however, doesn’t cover 100 percent of user devices as the technology is used by Apple and Samsung.

“Maybe up to 50-60 percent of your users will need to have another method for having this security part, so I would highly suggest coming up with a lot of options,” says Shim.

Martin Kuppinger talks EUDI Wallet business cases

Decentralized identity has six business cases, says Martin Kuppinger, principal analyst and founder of KuppingerCole research.

The list includes well-known uses, such as identification, authentication and signing. But it also lists others, including sponsorships, a shared cost model between issuers and verifiers, micro- and nano-payments, business enablement and process improvements, and finally, value-adding apps within the wallet.

“I think currently, the lowest hanging fruit for what we have for now is everything where we improve business processes, where we reduce process costs by attracting verifiable credentials into processes,” says Kuppinger. “This is what the business understands.”

Large banks are currently paying hundreds of millions per year for services such as Know Your Customer (KYC) and Anti-Money Laundering (AML) checks, and reducing that could be a business case.

Another question is which use cases need a red-ocean strategy, which focuses on building advantages over the competition, or a blue-ocean strategy, which involves creating an entirely new market.

“Think about wallets. Think about services that integrate these wallets that also can bring in other ideas, like passports,” says Kuppinger, adding that passports are global, verifiable identities based on biometrics.

Wallets can add things such as privacy, connect data and share verifiable credentials, and then an application can be built around that. A business model can be built on top of finance, travel, or health apps, he explains.

“This is where things really get interesting,” says Kuppinger.
