Google's Zero-Knowledge Proofs for Age Assurance

Google's Zero-Knowledge Proofs for Age Assurance

Zero-Knowledge Proofs Enable Privacy-Preserving Age Verification

Google is leveraging Zero-Knowledge Proof (ZKP) technology to address the growing demand for age assurance online. This approach allows a user to prove they meet a specific age requirement (e.g., "over 18") without sharing their exact date of birth, government ID, or other personally identifiable information (PII) with the service provider.

By decoupling the verification of age from the disclosure of identity, ZKPs aim to reduce the risk of data breaches and limit the amount of personal data collected by websites and apps during the age-gating process.

Technical Implementation and Privacy Goals

The primary goal of this implementation is to provide a technical safeguard against the over-collection of data. In traditional age verification, users often upload a photo of a government ID, which reveals not only their age but also their full name, address, and ID number. ZKPs change this flow by providing a cryptographic proof that a trusted third party has verified the age, and the service provider only receives a "yes/no" answer regarding the the age requirement.

Community Critique and Privacy Concerns

Despite the privacy-preserving nature of ZKPs, the technical community on Hacker News has raised significant concerns regarding the broader implications of this technology.

The "Slippery Slope" of Government Attestation

A major concern is that government-backed age verification could evolve into a general-purpose identity system. Users argue that if government attestation becomes the standard for visiting adult sites, it could eventually expand to all substantive web content, including educational resources like Wikipedia.

If you need personalized government attestation to visit a site, then the government has the ability to dynamically deny and rescind your individual access to any site that adopts age verification... Seldom has a slippery slope been so slippery.

Centralization and Trust

Critics argue that the role of the "facilitator" (in this case, Google) may create a new central point of failure or surveillance. There is a suspicion that while the service provider doesn't see the PII, the entity managing the ZKP process still possesses the most information about the user's identity and browsing habits.

Zero-knowledge seems to be a bit of an oversell here... And the facilitator (Google) arguably has access to the most information out of any of the parties involved.

Potential for Abuse and Biometric Creep

Some users suggest that ZKPs alone are insufficient to prevent fraud (such as sharing a proof token). This could lead to a requirement for continuous biometric verification to ensure the person holding the token is the actual authorized user, further eroding privacy.

Socio-Political Implications

There is a broader debate on whether a technical solution like ZKP is appropriate for a socio-political problem. Some argue that age assurance is a global necessity to protect minors from harmful content, while others view it as a tool for government censorship or a way for companies to create "walled gardens" for children to serve them targeted advertisements more effectively.

Sources