Selective Disclosure for JWTs: How to Keep Your Data Close and Your Privacy Closer

The way we manage identity online is changing, and it's long overdue. For years, we've trusted third-party organizations to handle our data, often giving away more information than needed in the process. This not only compromises the privacy of users but also opens up more opportunities for the misuse of personal data, loss of integrity and breakdown of trust in the systems we rely on every day.

Decentralized identity offers a new and better approach to managing identity data online. Here at Curity, we’ve been talking for quite some time about how it has the potential to transform how we think about and manage digital identity. Here, I will focus on one of the technologies - Selective Disclosure for JWTs (SD-JWTs) - that allows us to address the challenge of putting control back in the hands of users. 

Avoiding the Mistakes of the Past

One of the biggest issues with current identity systems, even offline, is that they share more information than necessary. Imagine you want to prove you’re over 14 to enter a concert without a legal guardian. In order to do so, you have to provide a full government ID containing not only your date of birth and a photo, but also a given name, place of birth, height, eye color etc. (depending on the local ID requirements). None of this extra information is needed, but you're forced to share it. 

A similar scenario happens online all the time. When signing up for digital services like food delivery apps, you might be asked to provide more data than is actually needed, like your date of birth, gender and social media accounts, when all the service may need is basic confirmation of your eligibility or identity. 

This tendency to overshare is a lingering issue, one that, in my view, has remained unaddressed for far too long. With Selective Disclosure for JWTs, a format that enables the selective disclosure of hidden claims in a signed JSON Web Token (JWT), there’s a way to break free from this pattern. It allows you to provide only the information that's necessary - no excess, no compromise.

How Selective Disclosure for JWTs Works

Selective Disclosure for JWTs (SD-JWT) is a technology designed to address the problem of oversharing. It allows users to reveal selected parts of a digital credential without sharing the full set of personal information. SD-JWT works by embedding the individual pieces of information in the JWT structure in a way that lets each attribute be presented on its own.

Here’s how it works in practice:

Let’s say your digital credential includes five pieces of information about you - your name, date of birth, address, gender, and membership status in an organization. If a service only needs to verify one of these details - for instance, your membership status - you can disclose just that one piece of information while keeping the rest private.

The magic lies in how SD-JWT combines a signed token with hash-based selective disclosure. When the JWT is created, each detail you might want to disclose in the future is hashed, and only those hashes are embedded in the signed token. So even though the full credential describes multiple attributes, the token itself carries just the hashes, and you control which of the underlying values to reveal. When you decide to share a specific piece of information, you hand over only the disclosure for that claim; the verifier recomputes its hash and matches it against the signed token, so the claim is verifiable without exposing any other personal details.

Another feature of SD-JWT is key binding. If enabled, the SD-JWT is tied to a key that only you hold, and you must prove possession of that key before the SD-JWT can be used. Only you, and no one else, should be able to use that key. Consequently, SD-JWTs mitigate identity fraud, keeping your digital identities safe.
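As an added illustration (not code from this post or from Curity), here is a minimal Python sketch of the hash-based mechanism described above: each claim becomes a salted disclosure, only the SHA-256 digests of those disclosures are embedded in the issuer-signed payload under `_sd`, and the verifier recomputes the digest of whatever the holder chose to reveal. The issuer signature is simulated with an HMAC under a constructed placeholder key, key binding is omitted, and the function names `issue`, `present` and `verify` are my own.

```python
import base64, hashlib, hmac, json, secrets

# Constructed placeholder standing in for the issuer's signing key (assumption).
ISSUER_KEY = b"constructed-placeholder-issuer-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_disclosure(name, value, salt=None) -> str:
    # A disclosure is base64url(JSON [salt, claim_name, claim_value]);
    # the random salt stops a verifier from guessing values from the digest alone.
    salt = salt if salt is not None else b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())

def digest(disclosure: str) -> str:
    # The token stores sha-256 over the ASCII disclosure string, not the value itself.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict):
    """Issuer: return (signed credential, all disclosures). Only digests enter the payload."""
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures)}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()  # stands in for JWS
    return {"payload": payload, "sig": sig}, disclosures

def present(disclosures, reveal):
    """Holder: pick only the disclosures whose claim name is in `reveal`."""
    return [d for d in disclosures if json.loads(unb64url(d))[1] in reveal]

def verify(credential, presented):
    """Verifier: check the issuer signature, then match each disclosure to an embedded digest."""
    body = json.dumps(credential["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["sig"]):
        raise ValueError("issuer signature invalid")
    revealed = {}
    for d in presented:
        if digest(d) not in credential["payload"]["_sd"]:
            raise ValueError("disclosure does not match any digest in the signed token")
        _salt, name, value = json.loads(unb64url(d))
        revealed[name] = value
    return revealed
```

Revealing just the membership claim lets the verifier confirm it against the signed digests while the name and birthdate never leave the holder's wallet; a disclosure whose value was altered fails the digest check.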

Real Life Use Cases of SD-JWTs 

SD-JWTs offer various real-life use cases for industries where privacy, data minimization, and controlled access to specific pieces of information are critical. Here are just a few industries that can benefit from SD-JWTs:

  • Financial Services: Customer Onboarding and KYC (Know Your Customer)

SD-JWTs allow customers to selectively share only the data needed for compliance, such as proof of income, age, or address, while keeping other irrelevant personal details private. This helps banks streamline onboarding while reducing data handling risks and improving trust. 

  • Healthcare and Health Insurance: Medical Data Sharing and Insurance Claims 

SD-JWTs enable patients to share specific pieces of their medical records, like lab results or prescribed medications, required for a particular treatment or insurance claim without exposing diagnosis or other medical data. This ensures compliance with privacy regulations, while improving patient confidence in digital healthcare services and making sure confidentiality is preserved. 

  • Retail and E-commerce: Loyalty Programs and Personalized Discounts 

Consumers can share only the relevant information (e.g., proof of university enrollment or retired status) required to access promotions without revealing other personal details like age or location, preserving privacy and reducing the amount of data collected and stored by businesses.

  • Government and Public Sector: e-Government Services 

Citizens should be able to share just the relevant data (e.g., proof of residency or income level) for a given service without revealing unnecessary personal information. SD-JWTs help reduce the risk of over-sharing data, comply with GDPR-like regulations, and increase trust in digital government services.

Everyone’s a Winner

SD-JWTs are crucial building blocks for decentralized identity systems. They enable your users to stay in control - and that’s a good thing for everyone. Users decide what information to share, knowing they’re not overexposing themselves. This not only enhances user trust, but also reduces your organization’s burden to store and handle unnecessary data, minimizing compliance risks and the potential for data breaches.

The ability to share just the right amount of information is necessary and inevitable, benefiting both the growing number of privacy-conscious users and organizations interested in catering to them. 
