Complexity, lack of standards holding back confidence in Zero-Knowledge Proofs
Zero-Knowledge Proof (ZKP) cryptography has been hailed as a solution for preserving the privacy of personal information during identity verification and age assurance, offering interoperability while helping digital IDs stay compliant with data privacy laws. The technology is currently being explored in jurisdictions such as the European Union, Australia and the U.S.Not everyone, however, is confident in the promise of ZKPs, with experts such as university researchers and digital rights advocates warning that the cryptographic technology still has plenty of room for improvement.The practical implementation of ZKPs is “still very complex and lacks standardization,” according to a paper published by a team of researchers from the University of Luxembourg, University of Münster and the University of Milan.Applying ZKPs could help digital IDs such as the European Digital Identity (EUDI) Wallet achieve strong data protection as mandated by GDPR and eIDAS. This includes data minimization, storing only the minimum amount of personal data necessary for a specific purpose, and unlinkability, ensuring that different transactions cannot be linked to a single digital ID.“However, achieving widespread implementation of these technologies requires overcoming technical and regulatory hurdles,” says the paper, published by the Internet Policy Review in late July.Standardization bodies, legal frameworks and technological solutions should be evolving in tandem to ensure data protection. Despite a promising future, the ZKPs are unlikely to be ready for the launch of the EUDI Wallet in 2026, the research concludes.Digital IDs need more than ZKPsOther experts believe that the technology should not be pushed forward without proper protections in place: A private-centric digital ID is more than just ZKPs, according to the Electronic Frontier Foundation (EFF).One of the promises of ZKPs is that they can easily solve the privacy aspects of sharing ID attributes. The technology strengthens user privacy by allowing a relying party to confirm one piece of information about a user, such as age, without revealing other data, such as name or address.One thing that ZKPs don’t do, however, is ensure that verifiers do not ask for too much information. They also do not prevent websites or applications from collecting other kinds of observable personally identifiable information, such as an IP address or other device.“ZKPs are a great tool for sharing less data about ourselves over time or in a one-time transaction,” says the organization. “But this doesn’t do a lot about the data broker industry that already has massive, existing profiles of data on people.”Age verification is better with ZKPsThe debate about privacy protection tech is becoming increasingly important as more countries introduce age verification mandates.ZKPs still require standardization and additional testing to help move beyond the proof-of-concept phase. Despite this, the industry should embrace them as the future of age verification tech, according to the Open Technology Institute (OTI) at the New America think tank.The organization sets out four recommendations for policymakers and industry players in the age verification space to make the most out of the technology. This includes determining what entities can and cannot request age verification.“Policymakers will need to determine which methods of age assurance are appropriate when some form of age-gating may be necessary but strict age verification is not required,” says the organization, noting that age assurance is accepted by the UK’s Ofcom guidance.Regulators should also determine which entities can serve as trust anchors and third-party facilitators, as well as the governance mechanisms and requirements. Another task is to establish shared standards and protocols for ZKP age verification.Finally, the industry should ensure that user privacy and security is protected throughout the age verification process, both at the policy level and at the technical level, it concludes.
