The physical ID we've carried for a century has an underrated privacy feature: it's dumb. When a bartender checks your driver's license to confirm you're over 21, they also see your full name, exact birth date, home address, and license number — but they see it for two seconds and forget it. There's no record. The card doesn't phone home. Nobody learns that you were at that bar that night. The oversharing is real, but it's bounded by human memory and the absence of a data trail.
A digital ID can be dramatically better than this — or dramatically worse. It can be engineered to reveal only "over 21: yes" and nothing else, leaving no record anywhere. Or it can be built so that every verification pings a government server, creating a timestamped log of everywhere you proved your identity. Same use case, opposite privacy outcomes. The deciding factor is the cryptography underneath.
Selective Disclosure: Prove One Fact, Not All of Them
Selective disclosure means revealing exactly one attribute from a credential without exposing the rest. The canonical example is age: a venue needs to know you're over 21, not your birth date, address, or name. A well-designed digital ID lets you respond to "are you over 21?" with a cryptographic "yes" that the venue can verify came from a legitimately issued license — while learning nothing else.
This is built on cryptographic techniques closely related to zero-knowledge proofs. The credential is issued as a bundle of individually signed attributes, and the holder can present a proof about a subset — or even a derived predicate like "age ≥ 21" — without disclosing the underlying value. The verifier checks the issuer's signature and the proof, and is mathematically convinced of the claim without seeing the data behind it.
When evaluating any digital ID system, ask: "When I prove I'm over 21, does the verifier learn my birth date?" If yes, the system has no selective disclosure and is privacy-worse than the plastic card it replaces. If no, it's doing the cryptography right.
Unlinkability: Don't Let Presentations Be Correlated
The second property is subtler and, arguably, more important. Unlinkability means that two separate uses of your ID can't be tied together as belonging to the same person.
Suppose your digital license presents the same fixed identifier or the same static signature every time you use it. The bar on Friday, the pharmacy on Saturday, and the airport on Sunday now each hold a token that points to the same you. Aggregate those — or compel the issuer to — and you've reconstructed a movement and behavior profile from what felt like isolated identity checks. This is the metadata problem in a new costume: the individual disclosures are minimal, but their correlation is the whole story.
Strong systems defeat this with cryptography that produces a fresh, uncorrelatable presentation each time — so two verifiers comparing notes cannot tell whether they served the same person or two different people. The competing credential formats differ sharply here. Some standardized formats, in their basic profiles, produce presentations that are linkable unless additional measures are layered on; others are explicitly designed around unlinkability from the ground up. This is one of the genuinely contested technical debates in the digital identity standards world right now, and it's not settled.
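As an added illustration of the two properties above (example code written for this post, not code from any credential standard or wallet): the issuer signs a list of salted digests, one per attribute, the holder opens only the attribute it chooses, and the verifier checks everything offline. The HMAC tag is a stand-in for the issuer's public-key signature, and the credential values are constructed; the last function shows why reusing one static signature makes presentations linkable, and the test shows that a freshly issued credential per use (one of the "additional measures" the text alludes to) breaks that link.

```python
import hashlib, hmac, json, secrets

# Constructed issuer key. A real issuer signs with a private key and verifiers check the
# published public key; HMAC stands in only to keep the example dependency-free.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-credential-key"

def _digest(salt: bytes, name: str, value) -> str:
    # Each attribute is committed to separately, so one can be opened without the rest.
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()

def issue(attributes: dict) -> dict:
    """Issuer: salt and hash every attribute, then sign only the list of digests."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    digests = sorted(_digest(salts[n], n, v) for n, v in attributes.items())
    tag = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()
    return {"digests": digests, "tag": tag, "salts": salts, "attributes": attributes}

def present(credential: dict, disclose: list) -> dict:
    """Holder: forward the signed digest list plus openings for the chosen attributes only."""
    return {
        "digests": credential["digests"],
        "tag": credential["tag"],
        "disclosed": [(n, credential["attributes"][n], credential["salts"][n].hex())
                      for n in disclose],
    }

def verify(presentation: dict) -> dict:
    """Verifier: check the issuer tag offline, then that each opened attribute is covered by it."""
    expected = hmac.new(ISSUER_KEY, json.dumps(presentation["digests"]).encode(),
                        "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        raise ValueError("issuer signature invalid")
    learned = {}
    for name, value, salt_hex in presentation["disclosed"]:
        if _digest(bytes.fromhex(salt_hex), name, value) not in presentation["digests"]:
            raise ValueError(f"{name} is not covered by the issuer signature")
        learned[name] = value
    return learned  # the verifier learns exactly these attributes and nothing else

def linkable(p1: dict, p2: dict) -> bool:
    """Two verifiers comparing notes: a shared static signature ties both to one holder."""
    return p1["tag"] == p2["tag"]

if __name__ == "__main__":
    # Constructed credential; the issuer precomputes the "over_21" predicate as its own
    # attribute so the holder can prove it without ever disclosing the birth date.
    attrs = {"name": "Constructed Holder", "birth_date": "1990-01-01", "over_21": True}
    venue = present(issue(attrs), ["over_21"])
    print(verify(venue))  # {'over_21': True}
```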
The "Phone-Home" Problem
There's a third axis that sits above the cryptography: does verification require contacting the issuer in real time?
In an offline-capable design, your phone hands the verifier a signed credential, and the verifier checks the issuer's signature locally using a published public key. The government learns nothing about when or where you used your ID. In a phone-home design, every verification contacts a central service to validate the credential — which hands the issuer a real-time log of your identity checks. The first is a privacy-preserving architecture; the second is, functionally, a tracking system, regardless of how good the selective disclosure is.
A digital ID that calls home on every use turns identity verification into location history. The cryptography protecting the payload is irrelevant if the act of verifying is itself the surveillance.
Comparing the Possibilities
| Property | Plastic card | Weak digital ID | Strong digital ID |
|---|---|---|---|
| Selective disclosure | No (shows all) | Often no | Yes |
| Unlinkable uses | Yes (no data trail) | No | Yes |
| Works offline | Yes | Sometimes | Yes |
| Issuer learns usage | Never | Often | Never |
Coercion and the "Just Show the Whole Thing" Risk
Even a technically excellent wallet faces a human-layer problem: a verifier can simply demand more than they need. The cryptography lets you prove "over 21" alone, but if the doorman insists on seeing your full credential and you have no leverage to refuse, selective disclosure is moot. Good policy has to back the good engineering — verifiers should be legally restricted to requesting the minimum attribute their use case justifies, and wallets should make over-asking visible and refusable. Several digital identity frameworks now write data-minimization requirements into law for exactly this reason, though enforcement remains the open question.
What to Watch For
If a digital ID becomes available to you, evaluate it on these questions rather than on convenience:
- Can it prove single facts? Age, residency, or license validity in isolation — not a full data dump.
- Does it work offline? Local signature verification means no usage log at the issuer.
- Are presentations unlinkable? Look for explicit unlinkability claims, not just "encrypted."
- Who can compel the records? If usage data exists anywhere, assume it can be subpoenaed under your jurisdiction's data retention rules.
- Is it mandatory? A voluntary digital ID alongside the physical card preserves choice; a mandatory one removes the analog fallback entirely.
The Broader Principle
Digital identity is the clearest large-scale test of a principle privacy engineering has held for decades: minimize what's disclosed, and make what is disclosed uncorrelatable. It's the same logic behind sealed sender in messaging and differential privacy in analytics — reveal the answer, not the data; prevent the pieces from being stitched back into a profile.
At Haven we apply the same reasoning to communication: an account proves you're a legitimate user without the system accumulating a correlatable record of who you talk to and when. Whether the technology serves you or watches you is never decided by the marketing. It's decided by whether the people who built it chose to minimize, or chose to collect.