Can businesses avoid data collection with zero-knowledge proof?

Sphere Identity
Aug 15, 2018

Identity verification poses a challenge to businesses. Confirming that customers are who they claim (KYC) is the only way to serve customers, limit fraud or start to comply with anti-money laundering regulations. At the same time, collecting personally identifiable information creates new headaches as data privacy regimes such as GDPR and CDPR come into force. Moreover, rich sets of personal data are targets for hackers and increase business risk.

The solution to these challenges may require a counterintuitive approach: stop collecting information altogether. Significantly, both Privacy-by-Design and the GDPR are driving data minimization.

Blockchain-based digital identity systems that apply a technique called zero-knowledge proof let businesses verify information about a customer without ever receiving that information. With zero-knowledge proof, businesses can minimise the collection of personal data and reduce both the burden and the risks personal data create.

The Perils of Collecting Identity Data

Consider a recent case in which identity verification data may have been hacked. In March, scans of national identification cards were found on the website of True, Thailand’s second-largest mobile company. “There was no security at all protecting the files,” Reuters quoted security researcher Niall Merrigan. True’s security lapse exposed the personal information of more than 11,000 customers.

Proper security measures would have protected True’s customers. However, the only guaranteed way to avoid data theft is to never possess the data in the first place.

Complete, Sound but no Knowledge

A zero-knowledge proof lets one party, the verifier, confirm that something about another party, the prover, is true without learning anything else about the prover.

A vineyard, for example, may need to verify someone is old enough to visit its website. Often, such sites have requested the visitors’ dates of birth to calculate their ages. Of course, there is no way to prove the visitors have told the truth.

More importantly, the vineyard has collected personally identifiable data. Under most data privacy regulations, managers must now set policies for storing, protecting, using and deleting the data. The visitors must have a way to change, hide or delete their data.

In fact, the vineyard does not need to know visitors’ dates of birth or even their ages. All the company needs is a way to trust visitors’ answers when it asks, “are you old enough to enter the site?”

Three aspects of the zero-knowledge system provide trust in a nearly data-free process:

Completeness: A verifier can trust that an honest prover’s statement is true. Our vineyard can trust visitors who truthfully say they are old enough.

Soundness: A verifier will almost always know when a dishonest prover’s statement is false. The vineyard will detect a lie and trust that the visitor is truly underage.

Zero-Knowledge: The prover can trust that the verifier learns nothing beyond the fact the statement is true. The vineyard only knows, yes or no, whether the visitors are old enough to visit the website.

How Does Zero-Knowledge Proof Work?

To continue our analogy, let’s assume the vineyard is already connected to an identity system that verifies personal information. On demand, the digital identity system could transmit the date of birth in a unique encrypted form called a hash. That hash cannot be altered to claim an earlier date of birth or decrypted to reveal the actual date of birth.

When presented with the vineyard’s question “are you older than 18?”, the visitor’s identity system combines the answer “yes” with the hash to calculate another number called a “proof”. We will skip the maths, but that proof can only be the answer to the vineyard’s question.

The vineyard’s website receives the proof and the “yes”. More maths uses the proof and the “yes” to reverse the proof calculation. Provided the result matches the hash, the vineyard has the confirmation it needs.

The visitor does not have the time or the supercomputing power to alter the identity system’s data, allowing the vineyard to trust the results. At the same time, the visitors have stronger trust in the vineyard which never collects their ages or dates of birth.
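The exchange above can be made concrete with a hash-chain age proof, a simple construction often used to illustrate the idea. This is an added example, not Sphere Identity's code and not a general-purpose zero-knowledge proof system; it assumes ages in whole years rather than dates of birth, and the function names `issue`, `prove` and `verify` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def hash_chain(value: bytes, rounds: int) -> bytes:
    """Apply SHA-256 to `value` `rounds` times."""
    for _ in range(rounds):
        value = hashlib.sha256(value).digest()
    return value


def issue(age: int) -> Tuple[bytes, bytes]:
    """Identity system: random seed for the visitor, commitment for verifiers."""
    # A random 256-bit seed means the commitment cannot be guessed by
    # hashing every plausible age or date of birth.
    seed = secrets.token_bytes(32)
    return seed, hash_chain(seed, age + 1)


def prove(seed: bytes, age: int, threshold: int) -> Optional[bytes]:
    """Visitor's wallet: proof that age >= threshold, or None if it is not."""
    if age < threshold:
        return None
    return hash_chain(seed, age - threshold + 1)


def verify(proof: bytes, threshold: int, commitment: bytes) -> bool:
    """Vineyard: hash the proof `threshold` more times and compare."""
    return hmac.compare_digest(hash_chain(proof, threshold), commitment)


def demo() -> dict:
    """Constructed sample: a 34-year-old and a 16-year-old, threshold 18."""
    adult_seed, adult_commit = issue(34)
    minor_seed, minor_commit = issue(16)
    adult_proof = prove(adult_seed, 34, 18)
    return {
        "adult_accepted": verify(adult_proof, 18, adult_commit),
        "minor_has_proof": prove(minor_seed, 16, 18) is not None,
        # The best a minor can send is a value from their own chain; none fit.
        "minor_forgery_accepted": any(
            verify(hash_chain(minor_seed, k), 18, minor_commit) for k in range(17)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The vineyard sees only the commitment and the proof, neither of which reveals how many hashing steps separate them from the seed. A proof like this can be replayed by anyone who captures it, so a deployed system would also bind it to the verifier's session.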

Zero-Knowledge Proof Minimises Personal Data

Perhaps most importantly, the vineyard only needs to record the “yes” answer. To extend our analogy to the data breach at True mentioned earlier, a blockchain-based identity verification system using zero-knowledge proof would eliminate the need for identity card scans.

Businesses could trust the integrity of identity confirmations and their provenance in trusted sources. Rather than recording identity documents, businesses simply apply the GDPR principle of data minimisation to record the verification itself. In the process, businesses will reduce the burden, and the risks, of recording excessive personal data.

Is zero-knowledge proof right for your business?

A zero-knowledge proof system will benefit businesses that:

  • Need to verify information without compromising customer privacy
  • Are focused on minimising the burden of storing private customer data
  • Want to provide an easy, form-free way for customers to share verified information

Sphere Identity creates blockchain-based identity systems that hand control of identity back to individuals while streamlining customer sign-ups for business.
