Comment by tzs
3 days ago
In the ZKP system Europe will be using and I believe in the one Google has developed when you verify your age to a site the communication is only between your device and the site.
The only information the site gets that they don't get when you login now without any kind of age verification (other than something like clicking "I am 18+") is that you have a government issued ID that says you are 18+.
If their logs without age verification are insufficient to reveal who you are if they get turned over to the government then the logs with age verification will also be insufficient.
But this information to the site would be still be a unique identifier wouldn't it? Is so, it will be logged and logs sold to data miners and at some point will be correlated with enough activity to be de-anonymized.
The only extra information the age check adds over the normal information the site gets when you use them is that your age is not under their age limit.
If that's the case what stops me from making a free public service that allows anyone to verify using my ID? Don't they have to log something to ensure that isn't happening?
The ID is cryptographically bound to a hardware security device you provide. In the EU system that will initially be an iOS or Android smart phone with a secure enclave, with support for other security devices like YubiKeys or smart cards coming later.
Briefly, your government gives you a digital ID that is signed with a key that is stored in the hardware security device. To demonstrate some fact to a site, such as "My ID says I'm 18+" your phone and the site use a ZKP to show to the site that (1) you have an ID that confirms that fact, (2) the you have the hardware security device that the ID was issued for, and (3) the hardware security device is unlocked.
You can use your ID to verify for someone else, but because the verification has to use your phone and it has to be unlocked this will be mostly limited to people helping a friend in person get around an age limit.