Historical Context

Contextual linkability emerged as a recognized threat through research demonstrating the failure of traditional privacy protection mechanisms:

K-Anonymity Failures

Traditional privacy protection relied heavily on K-anonymity—the practice of ensuring that disclosed data could not be distinguished from at least K-1 other individuals. However, research demonstrated that K-anonymity is fundamentally broken:

• Linkage re-identification attacks: Merging fully de-identified sparse datasets enables re-identification through quasi-identifier correlation
• Down-coding attacks: Hierarchical anonymization can be reversed through auxiliary data
• Profiling attacks: Machine learning on behavioral metadata (interaction patterns, timing, duration) can re-identify individuals even when traditional identifiers are removed

These attacks revealed that the context of data—not just the data itself—creates exploitable correlation vectors.

Selective Disclosure Limitations

The development of verifiable credentials with selective disclosure capabilities promised enhanced privacy by allowing subjects to disclose only necessary attributes. However, research by Samuel Smith and others demonstrated that selective disclosure mechanisms, including those using zero-knowledge proofs, are vulnerable to contextual linkability attacks.

The critical insight: verifiers control the presentation context. A verifier can structure the disclosure interaction to capture sufficient auxiliary data (device fingerprints, network metadata, behavioral patterns, temporal information) that, when combined with the selectively disclosed attributes, enables re-identification through correlation with existing profiles.

Interaction Profiling

Research on social network anonymization demonstrated that even when all traditional identifiers are removed, interaction metadata alone enables re-identification:

• 2-hop interaction graphs (who communicated with whom, when, for how long) can re-identify over 50% of network members
• Temporal patterns and communication rhythms create unique behavioral signatures
• Deep learning techniques can extract identifying patterns from seemingly anonymous interaction data

These findings established that the context of interactions—not just the content—creates privacy vulnerabilities.

KERI's Approach

KERI and ACDC address contextual linkability through a multi-layered approach that combines cryptographic mechanisms with governance frameworks:

Contractually Protected Disclosure

The primary defense against contextual linkability in the KERI ecosystem is contractually-protected-disclosure. This mechanism recognizes that purely technical solutions are insufficient and establishes legal and contractual frameworks that:

• Restrict context capture: Contractual terms limit what auxiliary data verifiers may collect during disclosure
• Prohibit correlation: Agreements prevent combining disclosed data with external datasets
• Control downstream use: Chain-link confidentiality clauses bind all subsequent recipients
• Enable enforcement: Legal remedies for violations of disclosure terms

This approach acknowledges the PAC Theorem (Privacy-Authenticity-Confidentiality Trilemma): one can achieve any two of these properties at the highest level, but not all three simultaneously. KERI prioritizes authenticity first, confidentiality second, and implements effective privacy (protection against exploitable correlation) rather than absolute privacy.

Graduated Disclosure

ACDC implements graduated disclosure mechanisms that enable progressive revelation of information only after contractual protections are established:

1. Initial compact disclosure: Present only SAIDs (cryptographic commitments) of credential sections
2. Contractual agreement: Establish terms governing use of disclosed information
3. Progressive revelation: Disclose additional details only after agreement to protective terms
4. Full disclosure: Complete attribute revelation occurs only within established contractual framework

This approach minimizes the window during which contextual linkability attacks can occur by ensuring protective agreements are in place before sensitive information is revealed.

Chain-Link Confidentiality

ACDC supports chain-link-confidentiality clauses that create contractual chains binding all downstream recipients:

• Transitive obligations: Each recipient who further discloses information must impose the same protective terms on subsequent recipients
• Legal enforceability: Creates actionable claims against parties who enable contextual linkability through improper correlation
• Governance integration: Aligns with governance frameworks like the vLEI Ecosystem Governance Framework

Minimizing Correlation Vectors

KERI's design minimizes inherent correlation vectors:

• Ephemeral identifiers: Support for non-transferable identifiers enables one-time-use identifiers for specific contexts
• Delegated authorization: Delegation enables context-specific identifiers without exposing root identifiers
• Witness isolation: Witness infrastructure operates independently of disclosure contexts
• OOBI privacy: Out-of-band introductions can be structured to minimize metadata leakage

Ambient Duplicity Detection

KERI's ambient-verifiability and duplicity detection mechanisms operate without requiring centralized correlation:

• Distributed verification: Watchers and witnesses enable verification without creating centralized correlation points
• First-seen policy: First-seen event recording prevents retroactive manipulation without requiring global state
• Promiscuous mode: Watchers operate in promiscuous mode to detect duplicity without being designated by controllers

This architecture enables security and integrity verification while minimizing the creation of centralized databases that could enable large-scale contextual linkability attacks.

Practical Implications

Use Cases and Vulnerabilities

Retail Surveillance: Modern retail environments demonstrate contextual linkability in practice:

• Facial recognition and mobile device ping recognition identify individuals entering premises
• Purchase data is captured in the context of identified presence
• Combined data is sold to third parties for profiling and targeting
• Implicit consent (entering premises) and lack of legal constraints enable exploitation

Even if customers use privacy-preserving payment methods, the contextual identification enables linking purchases to profiles.

Authentication Contexts: When subjects authenticate to services:

• Device fingerprinting captures hardware and software configurations
• Network metadata reveals location, ISP, and connection patterns
• Behavioral biometrics (typing patterns, mouse movements) create unique signatures
• Temporal patterns (when authentication occurs) enable correlation

These contextual factors can enable re-identification even when cryptographically unlinkable credentials are used.

Communication Patterns: During regular browsing and client-server interactions:

• Request timing and frequency create behavioral signatures
• Protocol-level metadata (TLS fingerprints, HTTP headers) enable device identification
• Interaction sequences reveal usage patterns
• Cross-site tracking through contextual correlation

Benefits of Addressing Contextual Linkability

Sustainable Privacy: By recognizing and addressing contextual linkability, KERI/ACDC systems enable sustainable privacy—privacy that persists over time despite the inherently leaky nature of information systems:

• Legal enforceability: Contractual protections provide remedies for privacy violations
• Governance alignment: Integration with governance frameworks creates institutional accountability
• Progressive disclosure: Minimizes exposure during negotiation of protective terms
• Reduced attack surface: Limits auxiliary data available for correlation attacks

Trust in Verifiable Credentials: Addressing contextual linkability is essential for verifiable credential adoption:

• User confidence: Subjects can trust that selective disclosure provides meaningful privacy protection
• Regulatory compliance: Meets data protection requirements (GDPR, CCPA) that address correlation risks
• Ecosystem viability: Prevents privacy-washing where technical privacy claims are undermined by contextual exploitation

Enterprise Risk Management: Organizations benefit from structured approaches to contextual linkability:

• Liability reduction: Clear contractual terms reduce legal exposure
• Reputation protection: Demonstrable privacy protections enhance trust
• Compliance assurance: Governance frameworks provide audit trails

Trade-offs and Limitations

Performance vs. Privacy: Minimizing contextual linkability may require:

• Additional protocol rounds for contractual agreement
• Increased complexity in disclosure workflows
• Higher implementation costs for privacy-preserving infrastructure

Usability Challenges: Progressive disclosure and contractual protections may:

• Increase friction in user interactions
• Require user understanding of privacy implications
• Create abandonment in high-friction scenarios

Enforcement Limitations: Contractual protections depend on:

• Legal system effectiveness in jurisdiction
• Ability to detect violations
• Resources for enforcement actions
• Cross-jurisdictional cooperation

State Actor Threats: As noted in KERI documentation, state actors with unlimited resources are largely out-of-scope for mitigation. Contextual linkability protections focus on effective privacy against commercial exploitation rather than absolute privacy against nation-state surveillance.

Metadata Minimization Limits: Some contextual information is inherent to network protocols:

• IP addresses reveal approximate location
• TLS handshakes leak protocol versions
• Timing information is observable by network intermediaries
• Physical presence creates unavoidable context

Complete elimination of contextual linkability is impossible; the goal is exploitable correlation prevention—making correlation attacks sufficiently difficult, expensive, or legally risky that they are not economically viable for most adversaries.

Implementation Considerations

Governance Framework Integration: Effective protection against contextual linkability requires:

• Clear policies on auxiliary data collection
• Audit mechanisms for compliance verification
• Incident response procedures for violations
• Regular review and updates as attack techniques evolve

User Education: Subjects must understand:

• What contextual information may be captured
• How contractual protections operate
• When to decline disclosure requests
• How to verify protective terms

Verifier Responsibilities: Organizations requesting credential disclosure must:

• Minimize auxiliary data collection
• Implement technical controls preventing correlation
• Establish clear data retention and deletion policies
• Provide transparency about context capture

Ecosystem Coordination: Addressing contextual linkability requires coordination across:

• Credential issuers establishing protective terms
• Verifiers implementing privacy-preserving practices
• Governance bodies defining standards
• Legal frameworks providing enforcement mechanisms

The KERI/ACDC approach recognizes that contextual linkability is a socio-technical problem requiring both cryptographic mechanisms and governance frameworks. Technical privacy protections must be complemented by legal, contractual, and institutional measures to achieve sustainable privacy in practice.

Some contextual information is inherent to network protocols and physical presence—complete elimination is impossible. The approach prioritizes exploitable correlation prevention through a combination of technical minimization and legal/contractual protections.