Comment by rockskon
3 days ago
I find claims of any technology being able to simultaneously validate your age while "respecting privacy" to be suspect at best. Even if the technology could work in theory, it would be built on top of an ecosystem designed around an ecosystem hell-bent on monetizing info about you.
Zero knowledge proofs can perform expressions that check values within a JSON tree without exposing any of those values to the requesting party, for instance "year of birth < 2005" can return true or false without returning the person's numeric birth year. Essentially the requesting party has the holder of the credential perform a computation, the result is guaranteed to be the result of each and every instruction over a target data structure (only knowing the hash and signature chain of the credential, so for instance your government issued id can be signed by your secretary of state's public key).
Estonia has a really interesting government issued public key infrastructure where users can validate their identity with their physical ID card and a USB reader (maybe it's NFC by now?) but I don't think I've heard of the above scheme used in practice, just sat through a presentation at the internet identity workshop.
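An added example, not part of the thread: a minimal sketch of answering an age predicate without revealing the age. It uses a hash-chain commitment rather than a zero-knowledge proof system, checks "age >= threshold" instead of a birth-year comparison, and stands in an HMAC under a constructed `ISSUER_KEY` for the issuer's public-key signature; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed key. Assumption: HMAC stands in for the issuer's public-key signature.
ISSUER_KEY = secrets.token_bytes(32)


def chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 to value `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def issue(age: int) -> dict:
    """Issuer: commit to the age as the end of a hash chain of length `age`, then sign it."""
    seed = secrets.token_bytes(32)
    commitment = chain(seed, age)
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    # seed and age stay with the holder; commitment and tag are what verifiers see
    return {"seed": seed, "age": age, "commitment": commitment, "tag": tag}


def prove(cred: dict, threshold: int) -> dict:
    """Holder: reveal the chain element `threshold` steps before the commitment."""
    if cred["age"] < threshold:
        raise ValueError("credential does not satisfy the predicate")
    return {"proof": chain(cred["seed"], cred["age"] - threshold),
            "commitment": cred["commitment"], "tag": cred["tag"]}


def verify(presentation: dict, threshold: int) -> bool:
    """Verifier: check the issuer tag, then walk `threshold` steps to the commitment."""
    expected = hmac.new(ISSUER_KEY, presentation["commitment"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return False
    # Fewer than `threshold` real steps left in the chain would require a SHA-256 preimage
    return hmac.compare_digest(chain(presentation["proof"], threshold),
                               presentation["commitment"])
```

The commitment and tag are identical in every presentation, so verifiers that compare logs can link them; unlinkability is a property this simple scheme does not provide.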
But the verifying party can still track you because they can (and absolutely will) log who the requester was and when it was requested. The site might not know who you are, but the government will now have a record of all your 'adult web activity'.
In the ZKP system Europe will be using, and I believe in the one Google has developed, when you verify your age to a site the communication is only between your device and the site.
The only information the site gets that they don't get when you log in now without any kind of age verification (other than something like clicking "I am 18+") is that you have a government issued ID that says you are 18+.
If their logs without age verification are insufficient to reveal who you are if they get turned over to the government then the logs with age verification will also be insufficient.
Zero knowledge proofs based on too little information are trivial to abuse.
To combat this, you need to have it based off of more and more personal info... which is at odds with the privacy-preservation goal.
Sadly, when it comes to age assurance, zero knowledge proofs are little better than marketing.
In this case the ZKPs are tied to a private key stored in a secure element in the phone, so effectively they are tied to control of the device where the original credential was enrolled.
That's just a regular EU ID card.
It has the same capability as showing passport and face to somebody.