What Is Unlinkability?

Unlinkability is the property that prevents an observer from determining whether two actions, items, or identities are related to the same person. In digital identity systems, unlinkability ensures that credential presentations cannot be correlated across different verifiers, different times, or different contexts, even by parties with significant resources and motivation to do so.

Why unlinkability matters

Every time you present a credential, you create a data point. Without unlinkability protections, these data points can be connected to build a comprehensive picture of your movements, activities, and relationships. Over time, patterns emerge: where you go, what you buy, who you associate with, and what services you use.

Physical credentials offer natural unlinkability. When you show a plastic driver's license at different locations, there's no automatic record linking those presentations. Each interaction is independent. Digital systems must work deliberately to preserve this property rather than creating the detailed audit trails that computers naturally produce.

Unlinkability is enshrined in some privacy frameworks as a fundamental requirement. Utah Code § 63A-16-1202, for example, mandates privacy protections including limits on reuse/sharing of “records of use,” and a requirement that use be free from “surveillance, visibility, tracking, or monitoring.” This strongly aligns with unlinkability goals.

Dimensions of unlinkability

Unlinkability has several dimensions, each presenting different technical challenges:

Across verifiers: Preventing correlation when the same credential is presented to different organizations. Pairwise identifiers address this by ensuring each verifier receives a unique pseudonymous identifier.

Across presentations: Preventing correlation when the same credential is presented multiple times to the same verifier. This requires techniques such as single-use tokens or cryptographic blinding, which make each presentation appear fresh.

Across credentials: Preventing correlation when different credentials about the same person are presented. If a driver's license and professional license share the same underlying identifier, they can be linked even if presented separately.

From issuers: Preventing the issuing authority from learning when and where credentials are used. Some architectures reduce issuer involvement during presentation, limiting opportunities for correlation, depending on system design.
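The first two dimensions can be seen side by side in a short added example (not code from the original page): it compares what two colluding verifiers can join on when holders present a global identifier versus a pairwise one, then shows that a pairwise identifier alone still links repeat visits to the same verifier. The HMAC-based derivation, the function names, and the verifier URLs are assumptions chosen for illustration; the page does not specify how pairwise identifiers are generated.

```python
import hashlib
import hmac
import secrets

def pairwise_id(holder_secret: bytes, verifier_id: str) -> str:
    """Derive a pseudonym that is stable for one verifier and unique to it.

    Assumed construction: HMAC-SHA256 keyed with a secret that stays in the
    wallet. Without the key, pseudonyms for different verifiers are unrelated.
    """
    mac = hmac.new(holder_secret, verifier_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]  # truncated to 128 bits for readability

def colluding_join(log_a, log_b):
    """Identifiers two verifiers have in common when they compare their logs."""
    return set(log_a) & set(log_b)

def demo():
    # Constructed sample data: three holders and two verifiers (hypothetical).
    holders = {n: secrets.token_bytes(32) for n in ("alice", "bob", "carol")}
    verifiers = ("https://bar.example", "https://pharmacy.example")

    # Baseline: every verifier logs the same global identifier per holder.
    global_logs = [[f"holder-{n}" for n in holders] for _ in verifiers]

    # Pairwise: each verifier logs a pseudonym derived for that verifier only.
    pairwise_logs = [
        [pairwise_id(secret, v) for secret in holders.values()]
        for v in verifiers
    ]

    # Same holder, same verifier, three visits: the pseudonym does not change,
    # so "across presentations" is NOT covered by pairwise identifiers alone.
    repeat_visits = {pairwise_id(holders["alice"], verifiers[0]) for _ in range(3)}

    return {
        "linked_with_global_id": len(colluding_join(*global_logs)),
        "linked_with_pairwise_id": len(colluding_join(*pairwise_logs)),
        "distinct_ids_on_repeat_visits": len(repeat_visits),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single identifier seen across repeat visits is the gap that single-use tokens or cryptographic blinding are meant to close.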

Limits of technical controls

Technical measures can prevent correlation within the credential system, but cannot control factors outside that system. Surveillance cameras might capture faces. IP addresses might reveal locations. The information actually shared (names, addresses, and birthdates) can itself enable linkage if multiple verifiers collect the same attributes.

For this reason, unlinkability requires both technical controls and policy enforcement. Credential systems must mandate privacy-preserving proof types. Wallets must default to minimal disclosure. Verifiers must be restricted from requesting excessive attributes. Technical controls make policies enforceable, while policies ensure protections are applied consistently.

The privacy foundation

Unlinkability is foundational to privacy-preserving digital identity. Without it, the convenience of verifiable digital credentials comes at the cost of pervasive surveillance. With it, people can prove what they need to prove while maintaining the contextual boundaries that physical credentials naturally provide.
