Privacy preserving solutions for identity verification (Discord case)

[Int3rN0s]

In the latest WAN show, the guys mentioned the problem regarding privacy when proving your identity in Discord
 

Since it’s been a while since I started learning about Zero Knowledge Proofs, I am curious: If this technology can solve this fundamental problem (proving your identity or any statement without ever giving your information to anyone), why is it not talked about (used) more?

I am still fascinated by the idea that you can preserve your privacy and never reveal the information to others

So if you never send something to somebody, this something will never be leaked

It would be nice to hear your opinion on this

[Woddell]

In order to prove your age you would have to give personal information to someone somewhere in the chain that's reputable enough to say "yes, you're verified to be above the minimum age). I don't know much about "Zero knowledge proofs", but I can't see how that would work in this scenario. 

 

The closest solution I've seen where you could verify without giving up information to the the website is to purchase a verify card from a store (where you'd show them the ID but they wouldn't store it on a system, similar to how one would buy alcohol or other age-restricted items) which would give them a verifiable card to use on the platforms to prove your age. That being said, all that'll happen is people will sell these cards online for a premium and it won't fix the issue. But it's the closest to a solution I can think of. 

[Int3rN0s]

Hmmm, I fully agree about this: "In order to prove your age you would have to give personal information to someone somewhere in the chain that's reputable enough to say "yes, you're verified to be above the minimum age)"

Just a really small deep dive into the nuances of the topic: to prove something, you have to have a commitment to that something. In the case of age, it is a little bit complicated because of the privacy stuff
And of course, the most crucial part is that everybody should trust the one who made the commitment

Bias Disclosure: I have worked on projects that try to solve such problems

In my case, if I were to try to prove to you that I am above 18 years old, I would have to use an ID card or my biometric passport. I believe only those things would have enough trust for you to believe me

It is actually possible to prove your age based on a biometric passport, but I would have to scan it, and ideally develop the app myself, to be 100% sure that my data won't leak anywhere

And so on, and so on. In the end, I would say something like this: Here is a mathematical proof of my age (above 18 years old), and it is based on the biometric passport issued by the country where I am living

And if you believe that a country is not corrupt, it could be convincing enough

Especially if we are living in the same country

 

[Woddell]

Quote

It is actually possible to prove your age based on a biometric passport, but I would have to scan it, and ideally develop the app myself, to be 100% sure that my data won't leak anywhere

This is the problem though, why should I trust your app? In theory, it's possible to do this securely but it doesn't scale as I'd have to trust that your app wouldn't leak the data online. 

Quote

Here is a mathematical proof of my age (above 18 years old), and it is based on the biometric passport issued by the country where I am living

Realistically it would have to contain a unique identifier linked to your passport number (or similar) to ensure you don't verify multiple accounts with the intention to sell them. 

 

This isn't a problem for the companies/governments to solve, it's a problem for parents to solve. Having discussions with your kids and creating an environment where kids are comfortable discussing their online lives and the parent taking an interest would solve 99% of the issues we face. 

[Guest]

Authentication is a squshy subject -- because it has different requirements to different applications.  My friends and neighbors are content to believe that I am who I claim to be; but, the federal government requires a bit more proof.  Ditto for actors that may have to interact withthe federal government on my behalf.

 

E.g., the ultimate PERSONAL identifier is your DNA "signature".  As there are (likely?) no two individuals with the same DNA (in space or time), using a function of your DNA as an identifier is "perfect".  Except, you can't change it!  Ditto for most other biometrics. You can never disavow actions taken by anyone who manages to masquerade as you (imagine quantum computing becoming real enough that it can succcessfully be applied to this problem in a targeted way; or, a flaw in the protocol is discovered).

 

At some level, you must establish (with an authentication authority) your identity to whatever degree of uniqueness and certainty the authority guarantees.  Anyone/thing that relies on that authority can only expect the level of certainty that the authority guarantees. E.g., I can prove that I am "serverfarm" to this site.  But, there's nothing to prohibit me from ALSO being "bigpizza".  And, nothing to prevent me from allowing someone else to masquerade as either of these entities, if I loan them my credentials.  And, no way that I can disavow a post made by "serverfarm" within the authentication guarantees offered, here.

 

In addition to proving human identities, authentication plays an important role in system design.  Historically, we have used "UIDs" and passwords.  But, these are really coarse-grained authentication mechanisms; you either ARE "root" or you AREN'T.  It's not possible (with the standard mechanisms) to grant you SOME of root's permissions without granting you all of them.  Nor can you delegate a power that you have been granted to another agent -- to use on your behalf.

 

In capability-based systems, your identity is linked to a set of, er, "capabilities" that define objects and operations that the capability allows/enables.  So, an actor (human or virtual) can be allowed to edit passwd(5) -- but, prohibited from editing inetd.conf(5).  Or, any other set of fine grained permissions. The approaches taken can vary in their scope and where responsibility for authentication lies -- should the editor take explicit action to verify that I have permission to edit passwd(5)?  Or, should the system act as gatekeeper to prevent me from attempting this if not allowed?  Which is the more "secure" approach (i.e., least likely to fall victim to an implementor's bugs)?

 

If you require authentication for every operation, how do you reduce the cost of that activity without compromising its integrity?

[Int3rN0s]

4 minutes ago, Woddell said:

This is the problem though, why should I trust your app? In theory, it's possible to do this securely but it doesn't scale as I'd have to trust that your app wouldn't leak the data online. 

Yep, you do not have to

If you want, we can continue discussing the topic of trust, but in a nutshell, you either do your own research or use it if you trust somebody who recommended it
 

 

6 minutes ago, Woddell said:

Realistically it would have to contain a unique identifier linked to your passport number (or similar) to ensure you don't verify multiple accounts with the intention to sell them. 

Funny enough, there is a solution for that (UUID based on DG1 hash, or some other unique number, etc.)
 

7 minutes ago, Woddell said:

This isn't a problem for the companies/governments to solve, it's a problem for parents to solve. Having discussions with your kids and creating an environment where kids are comfortable discussing their online lives and the parent taking an interest would solve 99% of the issues we face. 

Yep, unfortunately. IMO, it all boils down to communication between parties

Kinda, the solution is just to talk, or at least try

I am not a parent, but when I was a kid, I would have loved to spend time talking with my parents, because at some point they were the most reliable people for me.

And it is just a hard social problem, so there is not much I can say about it I am not an expert
 

But I would try my best to answer about ZKPs, etc)))

[manikyath]

1 hour ago, Int3rN0s said:

why is it not talked about (used) more?

because the people who should be implementing it are too busy with FAR more important stuff to care about facebook getting your full ID instead of just an age verification because you want to look at boobies.

 

belgium has had e-IDs with card readers that let you do all sorts of verification since 2003. it would literally be trivial to set up a tool that lets users verify with their e-ID and only grant the entity the exact access they need (age)... but since most of the world still relies on a piece of cardboard for person verification most online platforms havent caught up with this.

 

During covid i helped set up a workflow for a customer in the medical sector that had a sudden need to transition from signed pieces of paper to digital documents.. all it took was to carpetbomb the office with card readers and some user manuals... until the developers from india had to sign off documents too... and that's really the reason none of this has taken off at any scale: you'd need to either have a worldwide compatible solution, or you need every platform to support about 100 different solutions.

[Int3rN0s]

5 minutes ago, serverfarm said:

Authentication is a squshy subject -- because it has different requirements to different applications.  My friends and neighbors are content to believe that I am who I claim to be; but, the federal government requires a bit more proof.  Ditto for actors that may have to interact withthe federal government on my behalf.

Based on attitude, and what your motivation is

Kinda, sometimes I can agree with the leakage of my personal information, of course, if I gain some benefits from it (I am OK to "leak" my personal information to the government to receive its support)

 

8 minutes ago, serverfarm said:

E.g., the ultimate PERSONAL identifier is your DNA "signature".  As there are (likely?) no two individuals with the same DNA (in space or time), using a function of your DNA as an identifier is "perfect".  Except, you can't change it!

There are different levels of privacy, as well as different levels of security

 

So, maybe it is OK to use lower security if it does not matter that much to you personally

 

10 minutes ago, serverfarm said:

If you require authentication for every operation, how do you reduce the cost of that activity without compromising its integrity?

(Just a big summary of my take on those problems)
 

If you want to be more meticulous about your data, you have to research it and apply it in your life; you have to put in some effort
 

But, if you do not want to research the topic, all you are left with is trust
 

For example, I trust that the food in the supermarket near me is not poisoned, and even if it was, I could do nothing about it (maybe call the police, or something to solve such issue, not sure)

 

[Int3rN0s]

8 minutes ago, manikyath said:

you'd need to either have a worldwide compatible solution, or you need every platform to support about 100 different solutions.

Yep, and I would add that there is a need for user interest
 

So, if an end customer does not like your solution, and is even angry about the additional restrictions that you have implemented, they could decide not to use the product, or just be very angry about the new stuff (even though you tried to care about their privacy)

But, if there is no example, no push, everything will stay the same

Until airplanes were invented, ICAO (International Civil Aviation Organization) did not exist, but now they do, and they standardized the way of verifying your identity when you fly across countries

And I believe that because of their efforts, we can benefit from not needing a visa when we fly to another country (of course, there is diplomacy involved, but technology is also important)

[manikyath]

3 minutes ago, Int3rN0s said:

Yep, and I would add that there is a need for user interest

there isnt a need for user interest, there is a need for legal requirements for platforms to be paired up with legal solutions for problems.

 

if your solution requires an end user to have any sort of opinion on it, you've failed.

[wasab]

You can totally verify identity while giving up on privacy. Bitcoins and crypto algorithms manage to solve such issues. 

[Int3rN0s]

5 minutes ago, manikyath said:

if your solution requires an end user to have any sort of opinion on it, you've failed.

But who should care about the user data if not the user themselves?

It is easy to say that the government should be responsible for something and enforce some actions on companies such as Discord to help resolve the problem

But in reality, only if somebody cares (the user themselves) and pushes the topic hard enough will it ever be heard of and resolved in the first place

This is why I actually created the topic, so everybody could at least get to know what ZKP is and try to imagine a world where it can be a solution to the Discord case

In summary, if this topic had not been mentioned on the WAN show, I would not have created the thread in the first place, and I share the concern that Luke mentioned about phishing. I believe that to mitigate it, we should not create an environment where you are forced to share personal information, and one of the solutions happens to be ZKPs

[Int3rN0s]

7 minutes ago, wasab said:

You can totally verify identity while giving up on privacy. Bitcoins and crypto algorithms manage to solve such issues. 

Probably... not sure here, at least I have never heard of anything other than using ZKPs
 

For sure, they solved the problem of data integrity, data access, and censorship (you can post a message in Bitcoin using OP_RETURN, and even the most powerful government won't be able to delete it after a few minutes, provided enough time passes)

But there was no direct solution for identity verification

[wasab]

10 minutes ago, Int3rN0s said:

Probably... not sure here, at least I have never heard of anything other than using ZKPs
 

For sure, they solved the problem of data integrity, data access, and censorship (you can post a message in Bitcoin using OP_RETURN, and even the most powerful government won't be able to delete it after a few minutes, provided enough time passes)

But there was no direct solution for identity verification

we can do an age verification technology that can scientifically determine your age via a DNA sample. Build a digital device to verify that and then tie DNA to each account. Problem solved. 

 

In fact, I can see the dollar signs for selling these devices. 

[Int3rN0s]

4 minutes ago, wasab said:

we can do an age verification technology that can scientifically determine your age via a DNA sample. Build a digital device to verify that and then tie DNA to each account. Problem solved. 

Why can't I use your DNA for identity verification? (What are safeguards?) All I need to steal your identity is the device and your DNA

Also, any bio info is much more sensitive than some ID in the passport, so you will have to be even more concerned about security, etc., to make sure nothing is leaked

In the end of the day, the most secure way to share sensitive information is not to share it

[manikyath]

27 minutes ago, Int3rN0s said:

But who should care about the user data if not the user themselves?

the user's data isnt the issue, oddly. the problem is that there's a (probably necessary) push towards age verification on online platforms. the only reason this becomes a user data problem is because we have no means of doing age verification that does not involve personal information. solve the problem of age verification, and you've solved the problem of user data.

[wasab]

11 minutes ago, Int3rN0s said:

Why can't I use your DNA for identity verification? (What are safeguards?) All I need to steal your identity is the device and your DNA

Also, any bio info is much more sensitive than some ID in the passport, so you will have to be even more concerned about security, etc., to make sure nothing is leaked

In the end of the day, the most secure way to share sensitive information is not to share it

This is like asking why can't I use your username and password for my online banking. The idea is to safeguard these personal devices. I did not say to make them very accessible and insecure. 

 

No, the device will only verify your age via your DNA. No other information is capable of being shared on such devices. 

 

Holy shit, I need to quickly develop and patent this before someone else does before me. 

[Int3rN0s]

7 minutes ago, manikyath said:

solve the problem of age verification, and you've solved the problem of user data.

There are solutions for that (using ZKP for that particular case), but any of them could, in one way or another, complicate the system overall
 

Sometimes it is not needed (e.g., on this forum)
 

Sometimes it is mandatory to prevent certain types of activities on a specific problem (Discord case)
 

But would it solve the root of the problem? No.

IMO, children would just migrate to another platform, so it's just a tough problem to solve. There is no tech solution that would solve the problem of human interaction

So, in my case, I'm just kind of showing off ZKP, and kind of excited that it could make life easier in some situations

[Int3rN0s]

2 minutes ago, wasab said:

Holy shit, I need to quickly develop and patent this before someone else does before me. 

Yep
 

 

3 minutes ago, wasab said:

No, the device will only verify your age via your DNA. No other information is capable of being shared on such devices. 

Could you guarantee that I won't use someone else's DNA instead of mine?
 

With usernames and passwords, they are kind of temporary, but with DNA, once it is leaked, you cannot change your DNA easily; there is no reset button

[wasab]

1 minute ago, Int3rN0s said:

Yep
 

 

Could you guarantee that I won't use someone else's DNA instead of mine?
 

With usernames and passwords, they are kind of temporary, but with DNA, once it is leaked, you cannot change your DNA easily; there is no reset button

You just have to quickly associate your DNA with an account that you own before someone else could use it i guess. We can have this done at birth like obtaining a birth certificate. 

[Int3rN0s]

3 minutes ago, wasab said:

You just have to quickly associate your DNA with an account that you own before someone else could use it i guess. We can have this done at birth like obtaining a birth certificate. 

Then I would wait for PoC

[Caroline]

It's not a matter if it'll leak, it's a matter of WHEN it'll leak, because it will happen at some point.

 

There's no 100% safe system, not even cold storage is 100% safe as an operator would still have access to it, and you can corrupt him by means of bribing or extortion. If you get rid of the operator then it's still prone to the evil maid attack.

 

If you let an automated program manage the keys that program could still be corrupted by altering its code or hacking, so it's still not safe. Even with cryptographic seals.

 

Smart cards are an easier alternative but they'd have to be insanely complex in order to deter cloning as much as possible, I'm thinking what the evilest authoritarian state/panstate would do when it comes to internet, I'm against all means of identity verification when it comes to online services, except perhaps for banking or healthcare purposes.

 

They're easing the average population into fingerprints, retinal and facial scans nowadays so it won't be as abrupt for them when the time comes, crawling before walking, this tech is still in diapers as there's no single standard that's error free now, for example facial scanners that require you to perform certain actions with your face, like smiling, don't work too well with old or poor people, as they have no teeth, or they're crooked.

 

DNA, maybe, if you have the monopoly of power you can do whatever you want, same for implants. No database entry = no food, it'll all come down to that after all.

[Donut417]

2 hours ago, manikyath said:

but since most of the world still relies on a piece of cardboard for person verification most online platforms havent caught up with this

The problem is in counties like the US where ID theft is a serious problem. Many people are not comfortable sharing that info. In cases where ID had to be verified, many times you would just take a picture of your State ID or Driver's License. 

[Guest]

2 hours ago, Int3rN0s said:

Kinda, sometimes I can agree with the leakage of my personal information, of course, if I gain some benefits from it (I am OK to "leak" my personal information to the government to receive its support)

In most cases, there is no inherent need for personal information to be shared/leaked/divulged.  If an authentication authority vouches for my identity, then you shouldn't need any information beyond that.  Especially as there is no guarantee that I am providing accurate information!

 

E.g., I routinely make up birthdates -- none of which coincide with my actual date of birth.  What do you care?  How can you tell if I am giving you an accurate date -- without my providing a certified credential (passport, driver license, birth certificate, etc.) that you recognize as being authoritative?  Granted, if I said I was 18 and looked 50, you might challenge me.  If I said I was 21 (legal age to consume alcoholic beverages, here) and I looked 15, you would likely challenge me as there are legal consequences if you serve me and I am not "of age".

2 hours ago, Int3rN0s said:

There are different levels of privacy, as well as different levels of security

 

So, maybe it is OK to use lower security if it does not matter that much to you personally

The problem is that once information is released, you can't reclaim it.  And, in places like the US, there are few legal constraints on how it is shared ("Did you read the EULA?")

 

Also, the value you place on the information may change, over time -- as your attitude changes and societal changes alter the risk associated with those disclosures.  E.g., when I was a kid, you would send in "box tops" from breakfast cereal, along with your birthdate, to receive some silly little toy.  As a kid, the toy is far more valuable than the disclosure of your birthdate.  But, that data resides "somewhere" and can't be purged, now -- long after the toy is gone and forgotten.

2 hours ago, Int3rN0s said:

If you want to be more meticulous about your data, you have to research it and apply it in your life; you have to put in some effort

Sadly, you may not have a practical remedy in this regard -- other than to not engage in the activity that is trying to acquire that data from you.  (again, the US is pretty bad on protections; the EU seems far more assertive in this regard)

 

What most people don't realize is how much data "leaks", even from things that seem innoculous.

 

E.g., it is common practice (US) to use the last 4 digits of your 9 digit social security number (SSN) as an authenticator -- the theory being that no one could GUESS them, accurately.  But, this is used so commonly that it exists in a multitude of databases -- credit card companies, utilities, doctors, gummit agencies, etc.  You are reliant on each of them to safeguard that data.  Because there are no/few authentication agencies, they have to store it (likely in cleartext as most systems are developed naively and require literal comparison for validation).  As such, any breach of their database exposes ALL of this data.

 

A smarter way of doing things would be for you to submit a (one-way) hash of this information to them and let them verify that hash.  As such, if the hash is leaked, the data is still secure.

 

Additionally, a ZIP code (geographic locality) plus a 4 digit identifier (from your SSN) effectively uniquely identifies you -- to ANYONE!  As the ZIP is easily obtained (based on your address -- often something that you have provided OR is available in many open databases, phone books, property records, etc.) and the last 4 of SSN is so ubiquitous, you have NO anonymity with that tuple used as an identifier/authenticator!  In much the same way that a website can "fingerprint" your browser to identify individual visitors (add an IP and it's a lead-pipe cinch!)

 

People who rely on cell phones are, of course, identified by their phone number (it's YOUR phone, right?).  When wandering through a store, the MAC of their phone allows the store to track their visits and movement through the store, etc.

 

Point being, it is difficult to "hide" -- your identity, information, presence, activities, etc.

 

[I took a personal interest in this in school.  A course -- "The social and economic impacts of computing on society" -- addressed these issues (decades ago!).  As part of the curriculum, we were given our professor's credit card statements for the preceding summer.  We were then tasked with deducing how he spent it, the composition of his family, any pets, etc.  It was remarkably easy to do -- in an era when credit card usage wasn't as ubiquitous as it is, presently!

 

Sorry, youngsters; you're screwed!  (because Big Data can draw all sorts of correlations and make deductions about you based on information AND RELATIONSHIPS that you didn't realize existed!)

 

 

[Guest]

28 minutes ago, Caroline said:

It's not a matter if it'll leak, it's a matter of WHEN it'll leak, because it will happen at some point.

This is a consequence of "old thinking" mindset; folks who want to HAVE all that data.  And, then be responsible (to the extent that the law requires) for maintaining it's accuracy as well as privacy.

 

Why does my doctor need my medical records?  If I am not in his physical presence, he is almost certainly not looking at them!  So, instead of him having to purchase and maintain a system to securely and accurately keep that data -- and, wonder if it is "up to date" given that I may see other doctors or health care providers -- why not just let ME carry it with me (thumb drive or other portable medium) and bring it into his office when I visit.  He can then update MY copy of the records -- the ONLY copy -- and leave it to me to safeguard it (physically as well as not disclosing the passphrase).

 

Why does a service provider have to verify my cleartext information by visually comparing it to what they have on file?  Why can't they just submit my information to a database and have the database confirm it is correct, or not?  Why do I have to provide information to an automated/virtual attendant... and THEN have to repeat the information to a human operator?  Why can't THEIR attendant do whatever is needed with that information (e.g., look up my account history) and keep the private data, private?

 

All of these security measures will fall apart when quantum computing comes online.

31 minutes ago, Caroline said:

they'd have to be insanely complex in order to deter cloning as much as possible

Part of my $WORK is designing products that are "hard to copy" -- because you often have a few megadollars tied up in their development and don't want a counterfeiter to quickly and easily benefit from your efforts.  This is only practical when there are significant consequences (e.g., legal) to a counterfeiter (or, his customers) for getting caught with a counterfeit product.

 

If no one wants your product -- or, it is trivial to create fromn scratch -- then the cost of the effort to protect it is hardly worthwhile.

 

But, as things increase in value (e.g., an identity!), it becomes more attractive to find ways of counterfeiting.  Such an "identity token" would have to be retrieved and revalidated, often, to make it's security practical; if a bogus token can exist in the wild for a long period of time, there is no way of detecting it and revoking it.