Are National eID Cards Violating Your Privacy?

Clarifying eID misconceptions: eID cards and SSI offer similar privacy levels. eID is a verifiable credential controlled by you, not revealing excessive personal data.

9 Sep, 2020
2 May, 2025

There’s a lot of confusion around electronic identity (eID), especially when it comes to privacy concerns. People often conflate different technologies—national eID cards, self-sovereign identity (SSI), digital identity wallets—and assume they function in the same way or carry different privacy implications. Let’s clear up some common misconceptions.

What is an eID?

An eID is a type of verifiable credential issued by a trusted authority (typically a government). You, the user, control it. Websites and apps may request it to verify your identity, and upon verification, receive some identity data embedded in the credential (e.g., your name or ID code).

Types of eID tokens include:

  • National ID cards (smart cards, often used as passport alternatives)
  • USB cryptosticks or security tokens
  • SIM cards with embedded certificates
  • Secure mobile apps (e.g., Mobile-ID, Smart-ID)

Is eID a Privacy Risk Compared to SSI?

From a privacy perspective, there’s no fundamental difference between using an eID issued by a government and a self-sovereign identity solution if both are implemented with privacy-respecting cryptographic standards.

In both cases:

  • The credential is under your control
  • You decide when and where to use it
  • Service providers only receive the data you choose to share

What About Government Databases?

Your personal information (medical records, taxes, family, etc.) already exists in government systems. Whether or not you have an eID does not change the government's ability to read this data—regulations determine that access, not your possession of an ID card.

However, without a secure eID, you can't access this data yourself, and you can’t verify who accessed your records. That’s the real difference.

Is a Unique Personal Code Constitutional?

Yes. Every government needs a reliable way to distinguish citizens. Without a unique identifier, imagine being mistakenly arrested because someone with your name committed a crime, or someone draining your bank account by impersonating you.

The use of personal codes is standardized. For example, ETSI EN 319 412-1 defines identity structures like:

  • PNOEE-38112086027
    (PNO = Personal Number, EE = Estonia, followed by the identifier)

Other supported types:

  • PAS – Passport number
  • IDC – National ID card number
  • TIN – Tax Identification Number

What Data Is Collected When You Get an eID?

Getting an eID card or token does not mean giving the government any new data.

You provide:

  • The same basic identity info you'd give for a passport or national ID
  • Possibly biometric info for physical identity proofing (not for electronic ID use)

To issue an electronic credential, the minimum required is:

  • Personal code
  • Full name (optional but common)

That’s it. No additional data is collected just because the credential is electronic.

Does the Government Log Every Time I Use My eID?

No. Like SSI, most eID systems allow offline or privacy-preserving usage.

There are two main ways your eID can be verified:

  1. CRL (Certificate Revocation List) – The verifier downloads a list of revoked certificates. No contact with the issuer is needed. Usage is private.
  2. OCSP (Online Certificate Status Protocol) – The verifier asks the issuer in real time whether your certificate is valid. The issuer could log the verifier’s IP and timestamp.

OCSP is useful for fraud prevention. For example, if your card is stolen and you block it, any further use attempts will fail in real time.
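The sketch below is an added example, not code from the article or from any eID scheme. It models what the issuer is able to log under each verification method, and how quickly a blocked card stops working. The class names, IP addresses, card serial and the 24-unit CRL refresh interval are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Issuer:
    """Model of the issuing CA: holds revocation state and an access log."""
    revoked: set = field(default_factory=set)
    log: list = field(default_factory=list)   # what the issuer is able to record

    def publish_crl(self, verifier_ip, now):
        # A CRL download covers every certificate, so the log names no holder.
        self.log.append((now, verifier_ip, "CRL download", None))
        return frozenset(self.revoked)

    def ocsp_status(self, verifier_ip, now, serial):
        # An OCSP request names one certificate: the log ties holder to verifier.
        self.log.append((now, verifier_ip, "OCSP query", serial))
        return "revoked" if serial in self.revoked else "good"

class CrlVerifier:
    """Checks against a cached CRL, refreshed every `max_age` time units."""
    def __init__(self, issuer, ip, max_age):
        self.issuer, self.ip, self.max_age = issuer, ip, max_age
        self.cache, self.fetched_at = None, None

    def accepts(self, serial, now):
        if self.cache is None or now - self.fetched_at >= self.max_age:
            self.cache, self.fetched_at = self.issuer.publish_crl(self.ip, now), now
        return serial not in self.cache

class OcspVerifier:
    def __init__(self, issuer, ip):
        self.issuer, self.ip = issuer, ip

    def accepts(self, serial, now):
        return self.issuer.ocsp_status(self.ip, now, serial) == "good"

def simulate():
    """Card used at t=0, reported stolen at t=1, used again at t=2 and t=25."""
    ca = Issuer()
    crl, ocsp = CrlVerifier(ca, "198.51.100.7", max_age=24), OcspVerifier(ca, "203.0.113.9")
    serial, results = "CARD-SERIAL-1", []
    for now in (0, 2, 25):
        if now == 2:
            ca.revoked.add(serial)         # holder blocked the card at t=1
        results.append((now, crl.accepts(serial, now), ocsp.accepts(serial, now)))
    return results, ca.log
```

In this model the CRL verifier still accepts the blocked card at t=2 because its cached list is stale, while the OCSP verifier rejects it at once. In exchange, every OCSP log entry carries the card's serial and the CRL entries carry none.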

How Much Data is Revealed When Logging In?

Very little. Typically:

  • First name
  • Last name
  • Unique personal code (which may include birthdate or gender in some countries)

What is not revealed:

  • Fingerprints
  • Facial image
  • Address
  • Height, weight, eye or hair color
  • Any biometric data

This is comparable to or better than many SSI solutions.
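The following added example (not code from the article) parses the identifier format shown in the ETSI EN 319 412-1 section and shows what the note above means by a personal code that "may include birthdate or gender". It handles only the four type prefixes the page lists. The Estonian code layout (century/sex digit, YYMMDD, serial, check digit) is supplied here, not taken from the article.

```python
import re
from datetime import date

# Identity type prefixes listed on this page (ETSI EN 319 412-1 semantics identifier).
ID_TYPES = {"PNO": "personal number", "PAS": "passport number",
            "IDC": "national ID card number", "TIN": "tax identification number"}
SEMANTIC_ID = re.compile(r"([A-Z]{3})([A-Z]{2})-(.+)")

def parse_semantic_id(value):
    """Split e.g. 'PNOEE-38112086027' into (type, country, identifier)."""
    m = SEMANTIC_ID.fullmatch(value)
    if not m or m.group(1) not in ID_TYPES:
        raise ValueError(f"not a recognised semantic identifier: {value!r}")
    return m.group(1), m.group(2), m.group(3)

def ee_check_digit(first10):
    """Estonian personal code check digit: two-pass weighted sum modulo 11."""
    for weights in ((1, 2, 3, 4, 5, 6, 7, 8, 9, 1), (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)):
        r = sum(int(d) * w for d, w in zip(first10, weights)) % 11
        if r < 10:
            return r
    return 0

def decode_ee_personal_code(code):
    """Return the attributes an 11-digit Estonian personal code discloses."""
    if not re.fullmatch(r"[1-8]\d{10}", code):
        raise ValueError("expected 11 digits starting with 1-8")
    if ee_check_digit(code[:10]) != int(code[10]):
        raise ValueError("check digit mismatch")
    g = int(code[0])                       # 1-2: 1800s, 3-4: 1900s, 5-6: 2000s, 7-8: 2100s
    century = 1800 + 100 * ((g - 1) // 2)
    born = date(century + int(code[1:3]), int(code[3:5]), int(code[5:7]))
    return {"sex": "male" if g % 2 else "female", "born": born}

def disclosed_by(value):
    """Everything a verifier can derive from the identifier alone."""
    id_type, country, ident = parse_semantic_id(value)
    info = {"type": ID_TYPES[id_type], "country": country, "identifier": ident}
    if (id_type, country) == ("PNO", "EE"):
        info.update(decode_ee_personal_code(ident))
    return info

if __name__ == "__main__":
    print(disclosed_by("PNOEE-38112086027"))  # identifier taken from this page
```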

Real Certificate Example

To show there’s no secret data involved, here’s a live certificate extracted from an Estonian ID card:

$ cat 38112086027.pem
-----BEGIN CERTIFICATE-----
MIIFwDCCA6igAwIBAgIQOMm/0JR7zi1aArcEgjE3PTAN...
-----END CERTIFICATE-----

Using openssl, we can inspect its contents:

$ openssl x509 -in 38112086027.pem -text -noout

You’ll see:

  • Subject Name: PALA,MARGUS,38112086027
  • Issuer: ESTEID-SK 2015
  • Public Key info
  • No sensitive personal data

This certificate structure follows ETSI and X.509 standards, as required across the EU.

Final Thoughts

Fear about eID often stems from misunderstanding. When used correctly, eID technologies are privacy-respecting, secure, and empowering. They are not surveillance tools, and don’t give governments new powers they didn’t already have.

On the contrary, eID allows you to:

  • See who accessed your government-held data
  • Access digital services securely
  • Prove your identity online with minimal data disclosure
