Data shared – control gone? Not with EmpowerID
Self-Sovereign Identity (SSI) allows personal data to be shared in a targeted manner. But once the data has been handed over, control is over. The data can be stored, duplicated or passed on by the recipient. The EmpowerID project is developing a solution in which the user retains full control. The data can not only be updated but also withdrawn if necessary. This has advantages for both sides: Users retain control, and recipients always work with reliable, up-to-date information – completely without local data storage.
Electronic identities following concepts of Self-Sovereign Identity (SSI) are on the rise. They differ from traditional, federated identities in two fundamental ways (see also Centralised or decentralised identity? – SocietyByte):
- Personal data is stored locally in a wallet instead of centrally with an identity provider. This reduces the risk of data leaks, as identity providers are often attractive targets for hackers.
- Because the data is stored locally with the holder, the issuing and usage processes are decoupled. The identity provider hands the confirmed data over to the user once and is then no longer involved in the usage processes, so the user has more control over their data and can track which data they have transferred to whom, and when.
One problem remains: Once a user shares their data with a service or system, control is over. As soon as the recipient has received the data, they can continue to use it as they wish – in accordance with the legal requirements and their terms of use. They can store it in their systems, change it, duplicate it and also pass it on. This is completely non-transparent for the user – regardless of whether they have a traditional identity or SSI.
In the EmpowerID project, an interdisciplinary research team from BFH, together with the Geneva-based company NGSENS, is developing concepts to give users more control. They combine existing technologies such as verifiable credentials (VC), BBS signatures and tokenization, inspired by the principles of the Payment Card Industry Data Security Standard (PCI DSS). The aim is to develop an initial prototype that demonstrates the feasibility and benefits.
A Verifiable Credential (VC) is a signed data package that contains confirmed statements about one or more subjects, e.g. a person, and is issued by an issuer.
The BBS signature scheme[1] enables a holder to prove possession of a signature in zero knowledge while selectively disclosing any subset of the signed messages.
Tokenization is a method of data exchange in which the original sensitive data is replaced by non-sensitive placeholders, so-called tokens. The recipient can process the tokens (e.g. for authorization, analysis, etc.) without seeing or storing the real data.
Both sides benefit
The envisaged solution is not only advantageous for the data owner, who gains better control and can have their data automatically deleted once the business relationship has ended, or revoke it at any time.
Companies in particular benefit from always having up-to-date data from customers or suppliers, as data quality and timeliness are a constant problem in traditional ERP or CRM solutions. The ability to manage only tokens instead of sensitive data reduces compliance problems and increases data security.
Obligation to report in tourism
The following example demonstrates the use of EmpowerID: A hotel guest uses a QR code to pass their data from their wallet to the hotel’s token vault via a secure connection. The hotel only receives a token that does not contain any sensitive information, but it can be used to access the data stored in the token vault. In accordance with the reporting obligation, the hotel now forwards this token to the relevant authorities. The relevant authorities can use the token to access the data stored in the token vault if necessary and within the legal retention obligation, e.g. tracing and investigating criminals and searching for missing persons. The advantages are obvious: the hotel does not have to store and manage any registration information but still fulfills its obligation to register and can also use the current address data of its guests for marketing (if they have given their prior consent). This also applies to the authorities. Hotel guests can be sure that their data will only be used for the intended purposes and will be automatically deleted after the statutory retention period.
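The tokenization mechanism and the hotel scenario above, as an added example that is not part of the EmpowerID project or the original article. It assumes a single in-memory vault, a constructed integer clock, and that the vault itself checks which parties may resolve a token; everything else (the guest data, the party names) is constructed sample input.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Record:
    data: dict
    holder: str        # wallet owner who may update or withdraw the data
    expires_at: int    # end of the statutory retention period (constructed clock)
    allowed: set       # parties that may resolve the token (assumed vault-side check)

class TokenVault:
    def __init__(self):
        self._records = {}
    def tokenize(self, holder, data, allowed, expires_at):
        token = secrets.token_urlsafe(16)   # random, so the token reveals nothing about the data
        self._records[token] = Record(dict(data), holder, expires_at, set(allowed))
        return token

    def resolve(self, token, party, now):
        rec = self._records.get(token)
        if rec is None:
            return None                     # unknown, withdrawn or already deleted
        if now >= rec.expires_at:
            del self._records[token]        # retention period over: delete automatically
            return None
        return dict(rec.data) if party in rec.allowed else None
    def _owned(self, token, holder):
        rec = self._records.get(token)
        return rec if rec is not None and rec.holder == holder else None
    def update(self, token, holder, changes):
        rec = self._owned(token, holder)
        if rec is not None:
            rec.data.update(changes)        # recipients see the new value on their next resolve
        return rec is not None
    def withdraw(self, token, holder):
        if self._owned(token, holder) is None:
            return False
        del self._records[token]            # the token the recipients keep is now worthless
        return True

def hotel_checkin():
    vault = TokenVault()
    guest = {"name": "A. Example", "address": "Old Street 1"}   # constructed sample data
    token = vault.tokenize("guest", guest, {"hotel", "authority"}, expires_at=200)
    seen_by_hotel = vault.resolve(token, "hotel", now=10)["address"]
    vault.update(token, "guest", {"address": "New Street 2"})   # guest moves house
    seen_by_authority = vault.resolve(token, "authority", now=20)["address"]
    leaked_to = vault.resolve(token, "data-broker", now=30)      # token alone is useless
    expired = vault.resolve(token, "authority", now=250)         # after retention period
    return seen_by_hotel, seen_by_authority, leaked_to, expired
```

The hotel never stores the address, the authority reads the updated value, and after the retention period (or a withdrawal by the guest) the token resolves to nothing.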
Outlook
The EmpowerID concepts and the prototype will be further developed as part of an Innosuisse project and expanded into a B2B/B2C/B2G platform “GDPR as a Service” to enable more efficient collaboration between citizens, businesses and authorities in Switzerland. Another idea that is to be pursued in the future is the introduction of a payment barrier that can be used to restrict access to data in a controlled manner, reversing the current concept where users pay for the use of a service with their data.
[1] V. Kalos, T. Looker, A. Whitehead and M. Lodder, "The BBS Signature Scheme," 07.07.2025. [Online]. Available: https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/09/
