The UK Government is planning to implement a new digital identity system for the purpose of enabling citizens to verify their identities for KYC purposes.
The UK Gov have ZERO knowledge about technology or how to go about using it the right way.
The proposal as it stands is to open up government databases to private companies and let them make money from the data.
This will be a privacy disaster.
Does any expert on here have a suggestion to maximise privacy using a ZKP system?
I would like to see a government controlled ZKP verification service that allows third parties to confirm ID with citizen consent.
Also, a system where the citizen can verify their ID themselves and provide a proof to the third party.
I do not want private data companies like credit bureaus having access to confidential citizen data supplied by the government. With ZKP there is no need for that.
If you care about privacy, please respond to the consultation here:
If you have any ideas, please post here for discussion.
If the UK does this the right way, other countries will follow suit.
Copy-pasted the questions, for your reference:
Questions on needs and problems
Do you think digital identity checking will be a way to help meet the common needs of
individuals and organisations referenced above? What other ideas or options would help?
What are the economic or social benefits or costs from developing a digital identity system
in the UK which meets these needs? Can you provide examples?
What are the costs and burdens of current identity verification processes?
How should we ensure inclusion, especially for individuals with thin files?
What currently prevents organisations from meeting the needs stated above?
Where do you see opportunities for a reusable digital identity to add value to services?
Could you provide examples?
What are the building blocks essential to creating this trust? How should the environment
be created to enable this trust – for example, what is the role of open standards (identity,
technical, operational, business implementation, design requirements for consumer privacy
and protection)?
How does assurance and certification help build trust?
How do we ensure an approach that protects the privacy of users, and is able to cover a
range of technologies and respond appropriately to innovation (such as biometrics)?
How do we ensure digital identities comply with the Human Rights Act and ensure people
with protected characteristics are able to participate equally?
How should the roles, responsibilities and liabilities of players in the digital identity market
be governed and framed to enable trust?
What’s the best model to set the “rules of the road” to ensure creation of this trusted
market?
Who do you think should be involved in setting these rules?
Do you think government should make government documents and/or their associated
attributes available in a digital form, which could be used to help assure identity?
i) For what purposes should government seek to further open up the validity checking of
government-issued documents such as passports?
ii) How should this be governed to ensure protection and citizen control of data?
iii) What should the cost model be?
i) For what purposes should government seek to further open up the attributes (such as
age of citizens) that it holds for verification?
ii) How should this be governed to ensure protection and citizen control of data?
iii) What should the cost model be?
What’s the role of legislation and statutory regulation to grow and enforce a secure,
privacy-centric and trusted digital identity market?
What legislation and guidance requires updating to enable greater use of digital
identities?
What else should government do to enable the wider use of digital identity?
How could digital identity support the provision of local government services (including
library cards and concessionary travel)?
What is the private sector’s role in helping to create a trust model (based on the criteria
for trust in section 5), and how should they remain involved in its long-term sustainability (for
example funding, helping create the rules of the road)?
With a note:
We also actively encourage you to include any comments you have
on overarching issues such as diversity, digital exclusion, privacy and ethics in the
relevant section or woven into your response to a particular section.
Please provide your response in ODT, DOCX, PDF or similar text format (no more than
2000 words) and send to digital-identity-cfe@culture.gov.uk by 11:59pm BST on
Sunday 15th September 2019.
We’ll also be holding events with industry and civil society groups during this process to
explore the issues in more detail. If you’d like to take part in these, please email your name,
organisation and area of interest to digital-identity-cfe@culture.gov.uk by 2 August 2019.
My reply will probably be as follows (apologies for diplomatic answers):
What are the costs and burdens of current identity verification processes?
There are many “strict compliance” laws regarding attributes of individuals, such as:
age
residency status
address history
eligibility for services
Most efforts to verify these attributes are needlessly duplicated
Often repeatedly, even within the same department / service
Provide more than enough information for fraudsters to assume our identities
How should we ensure inclusion, especially for individuals with “thin files”?
A consistent identifier is better than none, as long as it is biologically unique…
What currently prevents organisations from meeting…
We are complacent with e-mailing and CC’ing all the necessary PII required by law, it is SOP.
Data protection laws are… comedic. A major cognitive and technological shift is necessary.
SOP should be the “Zero Trust” doctrine.
What are the building blocks essential to creating this trust?
Openness in intent is primary, in conjunction with a scientific, mathematic and/or
cryptographic proof which guarantees that the “intended boundaries” cannot be exceeded.
Who do you think should be involved in setting these rules?
Any involvement from “entrenched” companies such as FCA registered credit rating agencies
should be considered with high levels of suspicion; their vested interests are profit-motivated.
For what purposes should [the] government seek to further open up the attributes (…) that it holds for verification?
Elective and verifiable disclosure of specific attributes must be preferred over excessive
information sharing (which would allow third-parties to confirm, and profit from, knowledge of any attribute).
What’s the role of legislation and statutory regulation to grow and enforce a secure, privacy-centric and trusted digital identity market?
To ensure that personal information sovereignty is protected, at a fundamental level,
in a way which keeps a hand on the bridle of commercial exploitation…
(e.g. those Experian e-mails, because I had no choice but to implicitly accept their ToS,
even though a large number of their terms are non-enforceable in any UK court…)
Passports presented in person are already a good ID but it is not so easy for remote or instant verification.
All that is needed is a digital ID service that will work for those 2 purposes.
Is it possible to hash government data into a system that attributes can be verified against without possible release of data not already known by the verifier?
That would be a simple system that protects privacy but with no need for credit data companies to get involved at all.
I am not a fan of biometrics but is it possible to have zero knowledge biometric attributes?
I would think it is a problem because of variation every time an attribute is captured from a live person. Matching approximately a biometric model is OK but ZK data must match exactly?
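The hash-based check asked about in the post above, as an added example that is not part of the original thread or of any government design: each attribute is committed with its own random salt, the citizen opens only the attribute they choose, and the verifier learns nothing from the remaining commitments. All function names, attribute names and the sample record are hypothetical; the issuer is assumed to sign the record digest with a real signature scheme, which is not shown. This is selective disclosure with salted hashes, not a zero-knowledge proof.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# All names and the sample record below are hypothetical, constructed for illustration.

def commit(name: str, value: str, salt: bytes) -> bytes:
    """Hash commitment to one attribute; the salt is empty or a fixed 16 bytes."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).digest()

def issue(attributes: dict) -> tuple:
    """Issuer: return (commitment list, digest the issuer would sign, holder's salts)."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = [commit(n, v, salts[n]) for n, v in sorted(attributes.items())]
    return commitments, hashlib.sha256(b"".join(commitments)).digest(), salts

def verify(trusted_digest: bytes, commitments: list, name: str, value: str, salt: bytes) -> bool:
    """Verifier: confirm one disclosed attribute; the other commitments stay opaque."""
    digest = hashlib.sha256(b"".join(commitments)).digest()
    if not hmac.compare_digest(digest, trusted_digest):
        return False  # commitment list is not the one the issuer vouched for
    opened = commit(name, value, salt)
    return any(hmac.compare_digest(opened, c) for c in commitments)

def recover_unsalted_dob(target: bytes, start: date, end: date):
    """Caveat: without a salt, a date of birth hash falls to simple enumeration."""
    day = start
    while day <= end:
        if commit("date_of_birth", day.isoformat(), b"") == target:
            return day.isoformat()
        day += timedelta(days=1)
    return None

RECORD = {"date_of_birth": "1984-03-07", "nationality": "GBR", "postcode": "ZZ99 9ZZ"}

if __name__ == "__main__":
    commitments, digest, salts = issue(RECORD)
    print(verify(digest, commitments, "nationality", "GBR", salts["nationality"]))
    print(verify(digest, commitments, "nationality", "FRA", salts["nationality"]))
    naive = commit("date_of_birth", RECORD["date_of_birth"], b"")
    print(recover_unsalted_dob(naive, date(1980, 1, 1), date(1990, 1, 1)))
    print(recover_unsalted_dob(commitments[0], date(1980, 1, 1), date(1990, 1, 1)))
```

Proving a predicate such as "over 18" without opening the date of birth needs either an issuer-committed derived attribute or a real zero-knowledge proof; this sketch covers selective disclosure only.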
Great reply @HarryR
I attended the round table in London last week and conveyed similar points.
The bottom line is that there should no longer be a need to distribute or replicate data so freely for verification purposes.
Great point @zkp about “ZK data” that “must” match exactly in the context of “slightly changing” biometric and “templates” stored in databases.
Sure one can prove a relation about biometric that would mean current data “is similar enough”.
Another problem is, the exact relation behind “template matching” is generally considered a secret, probably learned with statistical analysis.
(Shameless mode) I would point to 2008/357 preprint on approximate matching and “short tandem repeat” model. I do believe this could be a useful application of proper technology, and would help to make it happen.