SSI Policies Implementing Terms of Use to Control VC Disclosure

Stefano Bistarelli, Chiara Luchini and Francesco Santini
Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops 2025), Washington DC, USA, March 17-21, 2025.
doi: 10.1109/PERCOMWORKSHOPS65533.2025.00036

Abstract

Physical and digital resources are often governed by "terms of use", which outline the actions that consumers are permitted or prohibited from performing. The resource producer typically enforces these terms and applies them to a wide range of resources, from physical products like games to digital services like websites. In specific scenarios, terms of use may also govern the handling of personal information, for example, enabling a chief executive officer to control the dissemination of employees’ personal and corporate data to prevent unauthorized disclosures. This paper explores the role of terms of use in the context of the Self-Sovereign Identity (SSI) system. Specifically, it aims to establish a model for managing verifiable credentials (VCs) in defined scenarios. To accomplish this, we leverage the terms of use field in VCs to define an access control policy based on the Attribute-Based Access Control (ABAC) model implemented through a smart contract. Additionally, we propose using self-generated VCs to attest to the acceptance of terms of use, offering users a mechanism to provide evidence in potential legal disputes.