Zero knowledge proofs reveal their utility for age verification and beyond: Aztec

A research report from Aztec examines the potential in zero-knowledge proofs (ZKP) for privacy preserving online age assurance.

Making a “Case for Zero-Knowledge Proofs to Prove Your Age, Not Your Identity,” the report argues that the answers to the age assurance question “lie not in passing laws that curtail civil liberties, which require service providers to monitor all website/internet traffic or require users to upload personal data to usually unsecured databases, but in novel, technological solutions.”

ZKPs, it says, offer the dual advantage of “enabling robust identity verification while safeguarding personal information.” Which, it says, sets the tech apart from biometrics-based tools, which, “while advanced, are not foolproof and can sometimes misidentify users.”

“Traditional age-verification methods also inherently conflict with data minimisation principles and raise significant risks to an individual’s data privacy and security,” says the report.

Cryptography with ZKPs, on the other hand, “allows one party (the prover) to prove to another party (the verifier) that a statement is true without revealing any additional information beyond the validity of the statement itself.”

What’s described is in line with the double blind age assurance methods that the French Data Protection Authority (CNIL) now requires adult content sites to offer. And, indeed, CNIL “recently acknowledged ZKI as a privacy-friendly model for online age verification.”

But, says Aztec, it’s not just online porn sites that ZKPs are good for. “ZKPs can potentially revolutionise many other domains, from gaming (by enabling trustless games that require privacy, such as poker) to democracy (by enabling quick and anonymous but cryptographically secure and verifiable voting),” the report says.

“ZKPs and ZKIs also offer unparalleled flexibility/interoperability in their deployment, making them suitable for both offline and online applications as well as interoperable between the Web2 and Web3 worlds.” They can be applied for both in-person age verification for retail sales of age restricted goods like alcohol and vapes, and online, where they can be “seamlessly integrated into digital platforms and services, providing a streamlined and privacy-preserving age verification process for accessing restricted content or services.”

The report runs down a few services that are already making use of ZKPs – for instance, Anon Aadhaar, which allows Aadhaar ID holders to prove their Indian residency without revealing any private data, and OpenPassport, which enables applications to check their users are humans with a few lines of code.

“Integration into existing systems is straightforward,” Aztec says; “for example, zkPassport provides APIs and SDKs that enable developers to incorporate ZKPs into their applications. Service providers can verify the cryptographic proofs without storing or processing any personal data, ensuring compliance with privacy regulations such as EU GDPR.”

And “protocols such as Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs) are increasingly adopting ZKPs to enhance privacy and security in identity verification processes.”

“As the digital landscape continues to evolve, adopting ZKIs will be crucial in ensuring secure, private, and compliant interactions across various platforms and services. These innovative cryptographic technologies are the future of online age verification and digital identity management, paving the way for a more secure and privacy-first internet.”

Google’s embrace of ZKPs could be a step forward, or just more monitoring

As endorsements go, Google is a pretty big one, and the Silicon Valley giant has integrated ZKPs for private age verification. In a comment on LinkedIn, digital ID authority Jim Hartsema says “users can now prove they meet age requirements without a way to link the age back to your identity” – so-called “unlinkability.”

He calls it “a big leap forward for digital identity and privacy preserving tech.”

However, some in the comments aren’t so sure, with one suggesting, “let’s wait to see the technical and legal implementation,” since, “I don’t see anywhere that Google will not track your activity when using ZKP.” Hartsema himself concedes that “Google has long been regarded as the ‘KING’ of data collection, known for harvesting every possible data point from its users with or without consent.”

Article Topics

age verification  |  Aztec  |  data privacy  |  digital identity  |  identity management  |  zero knowledge