Verifier collusion occurs when two or more verifiers combine information they've collected from the same credential holder to build a more complete picture of that person than either could construct alone. This represents one of the most significant privacy risks in digital identity systems, and one that well-designed systems must actively prevent.
The risk of data combination
Digital identity systems are built on the principle of minimal disclosure: you should only share the information necessary for a specific interaction. When you enter a bar, you prove you're over 21, not your name, address, or birthdate. When you apply for a job, you prove your qualifications, not your medical history.
The problem arises when verifiers collaborate. Each verifier may collect only the minimum data they need, but if they share information with each other, they can reconstruct far more than the credential holder ever intended to reveal.
Consider a practical example. A person uses their mobile driver's license to verify identity for a job application, sharing their name and proof of work authorization. Later, they use the same credential to access health records with their insurance provider, sharing proof of identity and policy number. If the employer and insurer could combine their records, they might infer private information that the individual never consented to share, such as medical treatments, upcoming family leave, or pre-existing conditions that could influence hiring or employment decisions.
This cross-context correlation undermines the privacy protections that selective disclosure is supposed to provide. Even though each individual transaction shared only necessary information, the combination reveals far more.
How collusion happens
Verifier collusion can occur through several mechanisms: direct data sharing between organizations, whether through formal agreements or informal exchanges; data brokers who aggregate information from multiple sources; and security breaches that expose verification records. Even seemingly innocuous design choices, such as using the same identifier across multiple verifiers, can facilitate linkage.
The risk increases as verifiable digital credentials become more widely used. The more transactions that occur, the more data points exist for potential correlation. Without technical safeguards, the convenience of digital identity could create unprecedented opportunities for surveillance and profiling.
Technical safeguards: pairwise identifiers
One effective protection against verifier collusion is the use of pairwise pseudonymous identifiers. Instead of presenting the same identifier to every verifier, the credential holder's wallet generates a unique identifier for each verifier relationship.
The identifier shown to a health insurer would be entirely different from the one used for an employer. Even if these organizations compared notes, they couldn't match records because they have no common identifier to correlate. The technical design makes linkage by identifier infeasible.
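The sketch below is an added example, not code from any particular wallet or standard. It contrasts a shared identifier with pairwise identifiers and shows what two colluding verifiers get when they join their records. The HMAC-based derivation, the Wallet class, the verifier names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Wallet:
    """Hypothetical holder wallet; the HMAC derivation is an assumption of this example."""

    def __init__(self, global_id: str):
        self.global_id = global_id              # constructed sample value
        self._secret = secrets.token_bytes(32)  # stays inside the wallet

    def shared_identifier(self, verifier: str) -> str:
        # Weak design: every verifier receives the same value.
        return self.global_id

    def pairwise_identifier(self, verifier: str) -> str:
        # Stable for one verifier, unrelated across verifiers without the secret.
        mac = hmac.new(self._secret, verifier.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()


def collude(records_a: dict, records_b: dict) -> dict:
    """Join two verifiers' records on the identifier each one stored."""
    common = records_a.keys() & records_b.keys()
    return {k: {**records_a[k], **records_b[k]} for k in common}


def simulate(pairwise: bool) -> dict:
    """Return the merged profiles an employer and insurer can build together."""
    wallet = Wallet("DL-0000-CONSTRUCTED")
    ident = wallet.pairwise_identifier if pairwise else wallet.shared_identifier
    employer = {ident("employer.example"): {"work_authorized": True}}
    insurer = {ident("insurer.example"): {"policy_number": "P-CONSTRUCTED"}}
    return collude(employer, insurer)


if __name__ == "__main__":
    print("shared identifier  :", simulate(pairwise=False))
    print("pairwise identifier:", simulate(pairwise=True))
```

Because the secret never leaves the wallet, neither verifier can recompute the identifier the other one holds, while a returning holder still presents the same identifier to the same verifier.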
Policy and technology together
Technology alone cannot fully prevent collusion. A determined adversary with access to sufficient data points might still find ways to correlate records through alternative means, such as biometric matching, address correlation, or timing analysis.
Effective protection requires combining technical controls with policy measures. Privacy-by-design approaches embed safeguards into system architecture from the start. Data minimization policies restrict what verifiers can collect and retain. Legal frameworks establish consequences for unauthorized data sharing. Certification requirements ensure verifiers comply with privacy obligations.
Together, these technical and policy guardrails reduce the risks of profiling, tracking, and discriminatory decision-making that verifier collusion could enable.



