Historical Context

The concept of unpermissioned correlation emerged from decades of privacy research in digital identity systems, building on foundational work in:

Anonymous credentials research (1980s-1990s): Early cryptographic protocols like David Chaum's blind signatures demonstrated that credential systems could provide unlinkability between credential issuance and presentation. However, these systems often failed to address correlation risks that arose from:

• Credential content itself containing correlatable attributes
• Presentation contexts providing sufficient metadata for tracking
• Verifiers collecting and analyzing presentation patterns over time

Privacy-enhancing technologies (2000s): As digital identity systems proliferated, researchers identified multiple correlation vectors:

• Identifier correlation: Persistent identifiers enabling trivial tracking across contexts
• Attribute correlation: Unique or quasi-unique attribute combinations enabling re-identification
• Behavioral correlation: Usage patterns and timing information enabling statistical linkage
• Contextual correlation: Environmental metadata (location, device, network) enabling association

Verifiable credentials evolution (2010s): The W3C Verifiable Credentials specification acknowledged correlation risks but provided limited technical mechanisms to prevent them. Traditional approaches included:

• Pairwise identifiers: Using different identifiers for each relationship
• Minimal disclosure: Revealing only necessary attributes
• Zero-knowledge proofs: Proving properties without revealing underlying data

However, these approaches often failed to address contextual linkability - the condition where verifiers provide enough context at the point of capture to enable statistical correlation with existing datasets, even when the credentials themselves use privacy-preserving techniques.

KERI's Approach

KERI and ACDC address unpermissioned correlation through a comprehensive architectural approach that combines cryptographic primitives, protocol design, and governance frameworks:

Graduated Disclosure Architecture

ACDCs implement graduated disclosure mechanisms that enable progressive revelation of information based on contractual agreements:

1. Compact disclosure: Initial presentations reveal only SAID commitments rather than full content, minimizing information leakage while maintaining cryptographic verifiability

2. Partial disclosure: Selected sections of ACDCs are expanded while others remain as SAIDs, enabling context-specific revelation without exposing the complete credential graph

3. Selective disclosure: Individual attributes within ACDCs can be independently disclosed using cryptographic commitments, preventing correlation between disclosed and undisclosed attributes within the same credential

4. Full disclosure: Complete credential details are revealed only after contractual protections are established

Private ACDC Architecture

Private ACDCs incorporate high-entropy UUID fields (≥128 bits) that function as salty nonces, making the SAID of the ACDC resistant to rainbow table attacks. This prevents verifiers from:

• Pre-computing possible ACDC SAIDs to identify credential types
• Correlating compact disclosures across presentations through SAID matching
• Building databases of credential SAIDs for tracking purposes

The UUID field transforms each ACDC into a unique cryptographic commitment that cannot be correlated without access to the full credential content, even if the schema and attribute structure are publicly known.

Contractually Protected Disclosure

ACDCs integrate chain-link confidentiality mechanisms that establish legal frameworks governing correlation:

• Ricardian contracts: Machine-readable legal clauses embedded in the rules section of ACDCs specify permitted uses of disclosed information
• Downstream liability: Contractual obligations flow to all subsequent recipients, creating legal recourse for unpermissioned correlation
• Graduated contractual protection: More sensitive disclosures require stronger contractual commitments before revelation

This approach recognizes that technical mechanisms alone cannot prevent all correlation - legal frameworks provide complementary protection by establishing consequences for unauthorized correlation activities.

Non-Correlatable Identifier Architecture

KERI's AID (Autonomic Identifier) system enables:

• Ephemeral identifiers: Controllers can create disposable AIDs for single-use or limited-context interactions
• Delegated identifiers: Hierarchical delegation enables context-specific identifiers without exposing root identity
• Multi-signature identifiers: Threshold signing schemes prevent correlation through signing key reuse patterns

Unlike traditional DID systems that often rely on persistent identifiers anchored to blockchains (creating permanent correlation vectors), KERI AIDs can be created and managed without any ledger registration, eliminating a major source of unpermissioned correlation.

Witness and Watcher Architecture

KERI's witness and watcher infrastructure provides correlation resistance through:

• Distributed verification: No single party observes all credential presentations
• Promiscuous mode watchers: Validators can independently verify credentials without relying on centralized registries that enable tracking
• Ambient duplicity detection: The network detects malicious behavior without requiring correlation of legitimate activities

Practical Implications

Use Cases and Benefits

Healthcare credentials: A patient presenting medical credentials to different providers should not enable those providers to correlate the presentations and build a comprehensive medical history without the patient's explicit consent. ACDC's graduated disclosure enables:

• Initial presentation of compact credentials proving eligibility
• Progressive revelation of specific medical attributes as needed
• Contractual protections preventing providers from sharing or correlating information

Financial services: A business presenting different financial credentials (credit rating, bank account verification, tax status) to various service providers should control whether those presentations can be correlated. Private ACDCs with UUIDs prevent:

• Service providers from building comprehensive financial profiles
• Third-party data brokers from aggregating presentations
• Unauthorized credit scoring based on presentation patterns

Supply chain verification: Manufacturers presenting product authenticity credentials to distributors, retailers, and consumers should control correlation to prevent:

• Competitive intelligence gathering through presentation tracking
• Unauthorized market analysis based on credential flows
• Supply chain mapping without authorization

Employment verification: Job applicants presenting credentials to multiple employers should prevent:

• Employers from tracking application patterns
• Recruitment platforms from building comprehensive applicant profiles
• Discrimination based on presentation history rather than qualifications

Trade-offs and Limitations

Verification efficiency vs. privacy: Preventing correlation often requires:

• Multiple credential presentations rather than reusing a single credential
• Additional cryptographic operations for selective disclosure
• More complex verification protocols

This creates tension between user experience (simple, fast verification) and privacy protection (correlation resistance).

Contextual information leakage: Even with perfect cryptographic unlinkability, correlation may occur through:

• Timing patterns (presentations occurring in temporal proximity)
• Network metadata (IP addresses, geolocation)
• Behavioral patterns (interaction sequences, response times)
• Environmental context (device fingerprints, browser characteristics)

ACDC's contractual protections address these vectors by establishing legal obligations, but technical enforcement remains challenging.

Legitimate correlation needs: Some scenarios require authorized correlation:

• Fraud detection systems need to identify suspicious patterns
• Regulatory compliance may mandate transaction monitoring
• Service providers may need to link multiple credentials for authorization

ACDC's graduated disclosure enables these scenarios through explicit contractual agreements, but distinguishing legitimate from unpermissioned correlation requires governance frameworks beyond the protocol itself.

Ecosystem coordination: Preventing unpermissioned correlation requires:

• Verifiers respecting contractual obligations
• Issuers designing credentials with privacy considerations
• Holders understanding disclosure implications
• Governance frameworks establishing norms and enforcement

The technical architecture provides tools, but ecosystem adoption determines effectiveness.

Relationship to Other Privacy Concepts

Unpermissioned correlation intersects with several related privacy concepts:

Contextual linkability: The condition where sufficient context enables correlation even with privacy-preserving credentials. ACDC addresses this through contractual protections that govern context collection and use.

Correlation: The general concept of establishing relationships between data elements. Unpermissioned correlation specifically addresses unauthorized instances.

Privacy: The broader ability to control information disclosure. Unpermissioned correlation represents a specific privacy violation where disclosure control is circumvented through unauthorized association.

The ACDC specification recognizes that preventing unpermissioned correlation requires a defense-in-depth approach combining:

• Cryptographic unlinkability (private ACDCs, selective disclosure)
• Protocol design (graduated disclosure, non-correlatable identifiers)
• Legal frameworks (chain-link confidentiality, Ricardian contracts)
• Governance structures (ecosystem norms, enforcement mechanisms)

This comprehensive approach acknowledges that no single technical mechanism can prevent all correlation - effective privacy protection requires coordinated technical, legal, and social measures.

• Separate verification logic from data storage to prevent aggregation
• Implement access controls preventing cross-context correlation queries
• Audit correlation activities for compliance with contractual terms
• Provide holders with visibility into how their credentials are used