Comment by rcxdude

4 days ago

As I understand it, ZKPs can prove both those properties. You can get a certificate from whoever is trusted to verify that you're over 18, and then you can use that to generate tokens that only encode the information 'X has verified that I am over 18' without either the original verifier or the entity you are providing it to being able to link that to the original certificate.

See section 2 of this document: https://eudi.dev/2.4.0/discussion-topics/g-zero-knowledge-pr... . If there are any objections that this is not technically feasible to achieve in practice, I would like to know what they are.

(Also, AFAIK, setting up such a thing would comply with any of the age-verification laws that are being proposed around the world. You could even set up this as two arms of the same company and be able to prove to your users that while you've seen all their IDs, you cannot link their usernames to their IDs. This still isn't the best because you're still handling their PII with associated risk of leaks but it's a lot better than anyone is doing ATM)

I think that depends on how do you define PII.

I suspect the ZKP proof or token is practically unique and related to you, so I could be personal data if you use the definition from GDPR.

With ZKP the entity and the original verifier shouldn't be able to match your identity to the ZKP proof or token, but the app on your phone of course can do that.

The app probably will be made some government contractor and there is no technical measure that would prevent them to just share all that data with whoever they want.

  • The app can be open-source and verified to not be sharing extra info, though. Of course if no-one bothers to use the verifiable version of it, then it's all pointless, but this is true regardless (they could also just not use ZKPs).