No Tracking
Building Trust Through Architecture
February 19, 2026
#PrivacyInPracticeCA
Introduction: Architecture as Commitment
The strongest privacy protection comes from architectures that make tracking technically difficult or impossible. Policies can change; architecture is more durable. Organizations can violate policies; well-designed architecture enforces constraints automatically.
The 2022 FPT Joint Resolution was explicit: digital identity systems must not allow tracking or tracing of individuals across services.[1] This principle recognizes that the mere possibility of tracking can chill behaviour and undermine trust, even if tracking never actually occurs.
This article examines anti-tracking architecture in Canadian digital trust and identity: where provincial wallets get it right, what tracking risks remain in the broader ecosystem, and what all stakeholders can do to build systems worthy of public trust.
Understanding the Tracking Threat
To appreciate anti-tracking architecture, we must first understand what tracking means in the context of digital trust and identity, and why it matters.
What Tracking Looks Like
Tracking in digital trust and identity takes several forms:
- Transaction surveillance: Recording when, where, and how often individuals use their credentials. A system that logs every time you verify your age could create a detailed record of your activities: which bars you visit, which dispensaries you patronize, and which age-restricted websites you access.
- Correlation attacks: Linking transactions across services to build profiles. Even if individual services do not share data directly, common identifiers can enable third parties to correlate activity. A unique identifier shared across multiple services could indicate that the same person visited all of them.
- Behavioural analysis: Inferring sensitive information from transaction patterns. Research has demonstrated that even anonymized data can reveal sensitive information through pattern analysis. Someone who visits a pharmacy weekly may be managing a chronic condition. Someone who visits specific locations at specific times reveals their routine.
Why Tracking Matters
Tracking creates several distinct concerns:
- Surveillance chilling effects: Research has shown that when people know or believe they are being watched, they change their behaviour.[2] This chilling effect can be harmful even when no adverse action follows, because it constrains freedom before any harm occurs.
- Discrimination risk: Profiles built from tracking data can enable discrimination. Employers, insurers, landlords, and others may make decisions based on inferred characteristics that individuals never chose to disclose.
- Power asymmetries: Tracking concentrates information, and therefore power, in the hands of those who operate tracking infrastructure. This asymmetry can disadvantage individuals in their interactions with institutions.
- Function creep: Data collected for one purpose tends to expand to other uses, a well-documented phenomenon in surveillance and technology studies.[3] Data collected for fraud prevention can serve as input for marketing targeting. Location data collected for service optimization can become surveillance infrastructure.
What Canadian Wallets Are Getting Right
Canada’s provincial wallet implementations demonstrate a genuine commitment to anti-tracking in their architectural design.
BC Wallet: Government Cannot Track Private Transactions
British Columbia’s documentation states clearly: “No one, other than the party you’re interacting with, knows when or how you’re using BC Wallet.”[4] This architectural commitment has profound implications.
When a British Columbian uses BC Wallet to verify their age at a private business, the provincial government does not learn of the transaction. There is no central log of wallet usage. There is no database recording which credentials were presented where. The government issued the credential, but has no visibility into how it is used.
This architecture represents a deliberate choice. BC could have designed a system that logged all transactions for fraud prevention, for usage analytics, for any number of plausible justifications. Instead, they chose an architecture that makes such logging impossible. Privacy protection is enforced through technical design and policy commitments.
Alberta Wallet: Issuers Cannot Monitor Credential Use
Alberta similarly emphasizes architectural anti-tracking. Alberta’s documentation states: “Only you know where and when information is shared. Issuers are not able to track or monitor where digital documents are used.”[5] The Alberta Wallet fact sheet further confirms: “The Alberta Wallet does not collect any location information, and your activity within the Alberta Wallet is not tracked.”[6]
This “issuer blindness” is technically significant. Traditional credential verification typically involves checking with the issuer and creating a record of when and where credentials are verified. Alberta’s architecture breaks this link. Verifiers can confirm credentials are valid without the issuer learning that verification occurred.
The result is a credential system in which the individual controls the information flow. The government knows what credentials it issued, but not how they are used. Verifiers know that credentials are valid, but they do not know what other verifiers have seen. Only the individual has complete visibility into their own credential usage.
Technical Implementation
Both BC and Alberta achieve anti-tracking through cryptographic architecture:
- Decentralized storage: Credentials are stored on user devices rather than in central databases. There is no central repository for querying transaction history.
- Unlinkable presentations: Credential presentations are designed to prevent correlation. Different presentations of the same credential cannot be linked without the credential holder’s cooperation.[7]
- Minimal disclosure: Selective disclosure capabilities mean that even verifiers receive only the specific attributes they need, limiting the data available for tracking.[8]
These architectural choices are fundamental to the system design. Retrofitting anti-tracking onto a surveillance-capable architecture is far more difficult than building it in from the start.
The Ecosystem Challenge: Privacy Beyond the Wallet
Privacy-protective wallets function within broader ecosystems. The strength of the wallet architecture does not guarantee privacy when the ecosystem includes tracking-capable components. Understanding these ecosystem risks is essential for comprehensive privacy protection.
Third-Party Services
Many identity verification flows involve multiple service providers working together: identity proofing, fraud detection, analytics, and payment processing. Each touchpoint in this chain represents both an opportunity to extend privacy protections and a point at which those protections must be maintained.
Consider the full chain: a business verifies age using BC Wallet, while separately relying on fraud detection, analytics, and payment services. BC Wallet protects the credential presentation. The opportunity, and the challenge, is ensuring that each service in the chain maintains a comparable level of privacy protection.
This is an area where DIACC members and the broader ecosystem can lead by example. Organizations that evaluate their service chains for tracking risks and work with their partners to address them strengthen the entire ecosystem.
Relying Party Practices
Verifiers, the businesses and services that request credential verification, have their own data practices. A verifier that logs every verification request creates tracking data even when the wallet prevents credential tracking.
Consider a retailer that uses BC Wallet for age verification but logs each verification event with the transaction record. Even though BC Wallet prevented the government from seeing the transaction, the retailer has created a record of every age verification—which customers visited, when, and what they purchased.
Responsible verifiers minimize logging and implement retention limits. But the wallet architecture cannot enforce verifier behaviour. It can only limit what information verifiers receive. This creates a shared responsibility: wallet providers design for privacy, and verifiers implement practices that honour it.
Analytics and Measurement
Organizations reasonably want to understand how their services are used. Analytics platforms that measure user behaviour can create tracking infrastructure even when not designed for surveillance purposes.
The line between legitimate analytics and surveillance tracking is not always clear. Aggregate usage statistics may be benign; granular, individual-level tracking may not. Organizations should make thoughtful decisions about which measurements are genuinely necessary and implement analytics approaches that serve legitimate needs without enabling surveillance.
Privacy-preserving analytics techniques exist: differential privacy, aggregation, sampling, and other approaches that provide insights without individual-level tracking. Organizations committed to anti-tracking should evaluate these alternatives.
Network-Level Observation
Even when applications protect privacy, network-level observation can reveal information. IP addresses, timing patterns, and traffic analysis can enable tracking even when application data is protected.
An observer who can see network traffic may be able to determine that a particular IP address connected to an age verification service at a particular time, revealing information even though the verification itself was private.
Comprehensive privacy protection requires attention to both network and application privacy. This is an area of ongoing technical development, with approaches like VPNs, Tor, and encrypted DNS providing varying levels of protection.
What Anti-Tracking Requires: A Comprehensive View
Genuine anti-tracking requires attention across the entire ecosystem.
Unlinkability
Different transactions should not be linkable unless the individual chooses to link them. This requires careful attention to identifiers, session management, and correlation vectors.
Implementation: Use one-time or per-context identifiers. Avoid persistent identifiers that enable correlation. Design verification protocols that prevent verifiers from linking presentations.
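The effect of the identifier choice can be checked directly. The following is an added illustration, not code from BC Wallet, Alberta Wallet or DIACC: it compares what two verifiers who join their logs can link under a persistent identifier, a per-context (pairwise) identifier derived with HMAC-SHA256, and a one-time identifier. The holder secrets, verifier names and visit pattern are constructed for the example, and the derivation is a generic pairwise-pseudonym technique rather than either wallet's presentation protocol.

```python
import hashlib
import hmac
import secrets

def persistent_id(holder_secret: bytes) -> str:
    """Weak: one identifier per holder, shown to every verifier."""
    return hashlib.sha256(b"persistent-id|" + holder_secret).hexdigest()[:32]

def pairwise_id(holder_secret: bytes, verifier: str) -> str:
    """Per-context: stable for one verifier, unrelated across verifiers."""
    mac = hmac.new(holder_secret, b"pairwise-id|" + verifier.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]

def one_time_id() -> str:
    """One-time: fresh randomness for every presentation."""
    return secrets.token_hex(16)

def linkable_holders(log_a: list, log_b: list) -> int:
    """What two verifiers learn by joining their logs on the identifier."""
    return len(set(log_a) & set(log_b))

# Constructed sample: three holders, each with a secret that stays on the device.
HOLDERS = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}
# Alice and Bob visit both verifiers; Carol visits only the pharmacy.
VISITS = {"pharmacy.example": ["alice", "bob", "carol"],
          "dispensary.example": ["alice", "bob"]}

def simulate(scheme: str) -> int:
    """Return how many holders the two verifiers can link under a scheme."""
    logs = {}
    for verifier, names in VISITS.items():
        if scheme == "persistent":
            logs[verifier] = [persistent_id(HOLDERS[n]) for n in names]
        elif scheme == "pairwise":
            logs[verifier] = [pairwise_id(HOLDERS[n], verifier) for n in names]
        else:  # "one-time"
            logs[verifier] = [one_time_id() for _ in names]
    return linkable_holders(logs["pharmacy.example"], logs["dispensary.example"])

if __name__ == "__main__":
    for scheme in ("persistent", "pairwise", "one-time"):
        print(scheme, "-> holders linkable across verifiers:", simulate(scheme))
```

A pairwise identifier still lets a single verifier recognize a returning holder; only the one-time scheme removes that as well.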
Issuer Blindness
Credential issuers should not learn when or where credentials are used. Verification should not require “calling home” to the issuer.
Implementation: Use cryptographic verification that does not require issuer involvement—store verification capability in the credential itself. Design credential formats that support independent verification.
Minimal Logging
Logs should be minimized and retained for the shortest necessary period. Every log entry is potential tracking data.
Implementation: Define clear logging purposes and retention limits. Implement automated deletion. Regularly audit what is being logged.
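One way a verifier such as the retailer described earlier could apply these three steps, as an added sketch that is not taken from any wallet or DIACC code: an allow-list fixes the logging purpose, timestamps are coarsened to the day and stored only as counts, and a purge enforces the retention limit. The field names, the 30-day limit and the sample events are assumptions constructed for the example.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

ALLOWED_FIELDS = ("predicate", "result")  # assumed purpose: show that checks happen
RETENTION_DAYS = 30                       # assumed retention limit

class MinimalVerificationLog:
    """Keeps daily counts per (predicate, result); no per-customer rows exist."""
    def __init__(self):
        self._counts = Counter()

    def record(self, event: dict, now: datetime) -> tuple:
        # Allow-list, not deny-list: any field not named above is dropped.
        kept = tuple(event.get(f) for f in ALLOWED_FIELDS)
        key = (now.date(),) + kept        # timestamp coarsened to the day
        self._counts[key] += 1
        return key

    def purge(self, today: date) -> int:
        """Automated deletion: remove buckets older than the retention limit."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        stale = [k for k in self._counts if k[0] < cutoff]
        for k in stale:
            del self._counts[k]
        return len(stale)

    def audit(self) -> list:
        """Everything the log holds, as an auditor would read it."""
        return sorted(f"{d.isoformat()} {p} {r} x{n}"
                      for (d, p, r), n in self._counts.items())

# Constructed sample events, including fields a point of sale might attach.
SAMPLE = [
    {"predicate": "age_over_19", "result": True, "presentation_id": "p-7f3a", "ip": "203.0.113.7"},
    {"predicate": "age_over_19", "result": True, "presentation_id": "p-91bc", "ip": "203.0.113.9"},
    {"predicate": "age_over_19", "result": False, "presentation_id": "p-02de", "ip": "203.0.113.7"},
]

def demo():
    log = MinimalVerificationLog()
    t0 = datetime(2026, 1, 5, 21, 14, tzinfo=timezone.utc)
    for i, event in enumerate(SAMPLE):
        log.record(event, t0 + timedelta(minutes=7 * i))
    stored = log.audit()                      # what exists right after logging
    removed = log.purge(date(2026, 2, 19))    # scheduled purge, 45 days later
    return stored, removed, log.audit()
```

Because the identifiers and network addresses never enter the store, there is nothing to join against the transaction record or hand over later.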
Ecosystem Coordination
Anti-tracking protections should extend to relying parties, third-party services, and analytics platforms. Wallet-level protection alone is insufficient.
Implementation: Establish ecosystem-wide anti-tracking standards. Include anti-tracking requirements in trust framework certifications. Monitor ecosystem practices.
The Business Case for Anti-Tracking
Anti-tracking architecture serves legitimate business interests.
- Customer Trust: Customers increasingly recognize why tracking matters and the value of services that protect their privacy. Organizations that demonstrate anti-tracking architecture can gain a competitive advantage by building trust.
- Reduced Liability: Data that is not collected cannot be breached, subpoenaed, or misused. Anti-tracking architecture reduces the data available to attackers and limits organizational liability.
- Regulatory Positioning: Privacy regulations are becoming stricter globally. Organizations that build anti-tracking architecture now position themselves well for future regulatory requirements.
- Simplified Compliance: Anti-tracking architecture simplifies compliance with data protection requirements. Less data means fewer obligations for notice, access, correction, and deletion.
Private Sector Leadership Opportunity
Private sector organizations have a significant opportunity to lead on anti-tracking. While provincial wallets have established an architectural standard, the broader ecosystem requires private-sector commitment to match those practices.
Identity Verification Providers
Identity verification providers occupy a critical position in the ecosystem. They sit between credential holders and relying parties, with visibility into verification transactions. How they handle this visibility has significant privacy implications.
Providers should minimize transaction logging, implement verifier blindness where possible, and provide clear documentation of anti-tracking measures. Leading providers are differentiating themselves through privacy-protective architecture, recognizing that customer trust creates competitive advantage.
Financial Institutions
Banks and other financial institutions should evaluate their verification logging practices. KYC requirements mandate verification, but do not require indefinite retention of verification transaction data.
Financial institutions that minimize logging can reduce their own risk while protecting customer privacy. They also position themselves well for evolving regulatory expectations around data minimization.
Technology Companies
Technology companies building identity-related services should incorporate anti-tracking by design. Product decisions made now will shape tracking capabilities for years to come. It is far easier to build privacy protection into the initial architecture than to retrofit it later.
Companies should evaluate their position in the broader ecosystem. A privacy-protective service that feeds data to tracking-capable third parties may undermine its own privacy commitments.
DIACC’s Position and Commitments
DIACC recognizes provincial leadership on anti-tracking architecture. BC and Alberta have demonstrated that privacy-protective design is achievable at scale. Their architectural choices offer a compelling model for the broader ecosystem.
We invite private sector participants to build on this foundation by exploring how these principles can be applied within their own contexts:
- Logging minimization: Organizations should log only what is genuinely necessary and implement clear retention limits.
- Correlation prevention: Systems should be designed to prevent cross-service correlation of user activity.
- Third-party accountability: Organizations should ensure that the third-party services they use comply with anti-tracking standards.
- Transparency: Organizations should clearly document their anti-tracking measures and make this documentation available to users.
The Pan-Canadian Trust Framework already includes privacy as a fundamental requirement across all components. DIACC will continue working with the Trust Framework Expert Committee to ensure that anti-tracking considerations are appropriately addressed as the framework evolves.[9]
We also commit to monitoring ecosystem developments and transparently sharing our observations, including both promising practices and areas where the ecosystem can improve, through our publications, events, and member engagement. When concerns arise, we will engage directly with stakeholders before speaking publicly.
The Vision: An Ecosystem Worthy of Trust
The goal is a digital trust and identity ecosystem where tracking is architecturally difficult and where the default is privacy.
This vision requires thoughtful architecture, appropriate constraints, and sustained commitment from all stakeholders. The technical foundations exist. What remains is widespread implementation.
Provincial wallets have shown what is possible. The challenge now is to extend the anti-tracking architecture across the ecosystem: to third-party services, relying parties, analytics platforms, and all components that touch identity transactions.
DIACC is committed to this extension. Canadians deserve digital trust and identity systems that respect their privacy by design. We will work with our members and the broader ecosystem to make this vision a reality.
The Privacy Scorecard
A practical tool for measuring digital identity services against the FPT privacy principles. Assess your organization’s implementation across architecture, policy, user experience, and ecosystem coverage. It is not a compliance checklist or legal advice. Use it to spark conversation, explore unfamiliar concepts, and identify areas worth digging into further.