Pseudonymity for Personal Data Stores: Pseudonymous WebIDs and Decentralized Identifiers

Abstract

Personal Data Stores like Fedora and Solid let users become data holders, controlling their personal data and Web interactions through interoperable standards. Pseudonyms protect privacy during data sharing while still allowing holders to later prove their true identity, making them key privacy-enhancing tools. However, pseudonyms are rarely tackled in existing decentralized personal data sharing standards. In this paper, we present, analyze, and evaluate pseudonymity methods within Solid – a maturing set of personal data sharing standards – applied to a job application use case. This use case consists of three flows: a pseudonym generation flow, a diploma verification flow using that pseudonym and data minimization using the Verifiable Credential standard, and a Proof of Ownership identity binding between the pseudonym and the user’s true identity. We compare two pseudonym generation solutions: a Solid-native solution that depends on an external party to lease (Web-resolvable) pseudonyms, and a solution that leverages a static resolving method (DID:Key) to generate ephemeral pseudonyms. The data flow diagrams, and STRIDE and LINDDUN analysis indicate that static identifiers are better for pseudonymous use cases, as they avoid reliance on external parties. The requirement validation show both solutions meet most needs, though the WebID solution remains observable and the DID:Key solution lacks support for deleting or managing pseudonyms. With this pseudonymity work, we aim to provide a next step to combine personal data storage incentives with Wallet incentives (such as those put forward by the EUDI).