Experimenting with attribute-based credentials

Max Kortlander

Two pilots from the DECODE project are being developed and tested in the Netherlands that make use of attribute-based credentials to help people have more control over the data they share.

First of all, what are 'attribute-based credentials'?

Attribute-based credentials are a way to have a trusted party 'vouch' for you in a situation where you don’t want to give away any more information than is absolutely necessary. Imagine this scenario: I might want to buy alcohol through an online webstore that requires me to prove that I am over 18 years old. Rather than upload an image of my ID card (which contains my full name, my address, my precise date of birth, social security number, my height, and photo), I could have a trusted party (for example, a government agency) issue me a shareable certificate that confirms 'yes, this person is over 18'. I could then share this credential (instead of my ID), with the vendor to prove that I am old enough to buy alcohol. With attribute-based credentials, the issuing and sharing of 'credentials' like these can take place online.

How does this work in real life?

With 'Claim Verification 18+', the City of Amsterdam prototyped a passport box and mobile web app that allow users to upload passport data from the RFID-chip (inside the physical passport) onto their phone. A physical box scans the passport’s chip, and then creates a QR code that the phone can scan using the DECODE web app. Once scanned, the app allows the user to share certain credentials without sharing personal data—as is the case in the example above, a user can generate and share a valid credential based on their passport data, proving they are over 18, for example, without sharing their actual age or date of birth. In addition to age, this proof of concept can also verify a person’s name and gender.

In a separate pilot, Amsterdam partners are working with GebiedOnline to integrate a system of attribute-based credentials into their website. GebiedOnline is a community-owned, member-based cooperative—it is an online platform that allows local people, groups, and organizations to see events in their neighbourhood, share news, borrow things, and meet people. DECODE partners are working with GebiedOnline to enable their users to have granular control over the data they share on the site by integrating IRMA (a platform that supports the use of attribute-based credentials) into the GebiedOnline website.

Why isn’t this being implemented more widely?

It is. While we were exploring and discussing the technical possibilities of DECODE technology, we realized that a lot of value was being generated by educating citizens, public administrations, and developers about concrete methods to increase data privacy and control. We have held a series of workshops in cities across the Netherlands who are interested in applying DECODE values in their own local context. We also developed a set of articles, videos, tools , and recommendations to help anyone who is interested get a grip on this subject.

Meanwhile, DECODE pilot partners in Barcelona are also experimenting with attribute-based credentials using the city’s digital democracy platform, Decidim, to allow citizens to sign petitions anonymously while still being verified based on authentication requirements like their place of residence. In another Barcelona pilot, DECODE partners are exploring how data from citizen sensing can be encrypted and shared anonymously, with citizens being in control of what information is shared with whom, and under what conditions.

Where do I find out more?

Want to read more?

Want to be active?

Find us at this year’s WeMakeTheCIty Festival in Amsterdam, stay tuned to Waag’s events page for upcoming events or follow DECODE’s events, news, and more.

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 732546.


About the author