Comment by hoppp

4 days ago

Its not really possible to know.

the system is valid zkp but any of the services in practice can still collect personally identifiable information from their users.

There is also nothing stopping the attestor to collude with the site you want to access, to reveal information about you.

If you are controlling the middle part of the zkp (or at least can validate it), then identification should not be possible through the zkp even if the attestor and and site collude with each other (they could maybe collude based on some other information, like IP address or browser fingerprinting, ofc).

  • I think if google provides the attestation and they also provide a client side dependency for the site, then they can collect all the data they want.

    Also, nothing stops a site from having a flow like: 1. Please enter your age 2. Verify that it's correct using a proof

    The zkp is valid as far as the tech is concerned but the sites can still do whatever they want.

    • Yeah, if the entities share data they'll share data, but ZKPs give a way to, in principle, verify that they cannot link two parts of that together by doing the verification. I'm not sure I understand your flow example though. If they ask you to enter an age, but will accept a zkp that you're over 18, then you could enter any age over 18 in the first part and they would have no way of knowing.