Technical experts have identified critical privacy vulnerabilities in the EU digital ID wallet specification that undermine its privacy promises. The current framework lacks explicit restrictions on Attestation Providers including trackable data in age verification proofs, creating potential surveillance risks despite unlinkability claims.

The specification fails to enforce mandatory zero-knowledge proof presentations, leaving users vulnerable to data leaks and collusion between service providers. Without proper safeguards, both Attestation Providers and Relying Parties could store sensitive identity data beyond necessary sessions, creating persistent tracking mechanisms.

Experts recommend three key improvements: explicit restrictions on trackable attributes, mandatory deletion of attestations after user sessions, and making ZKP presentations mandatory through BBS-like constructions or zk-longfellow approaches. These technical fixes address fundamental design flaws that compromise user privacy in Europe's digital identity system.