The ZKProof Community

UK GOV Digital Identity Consultation - DEADLINE 15th Sept

The UK Government is planning to implement a new digital identity system for the purpose of enabling citizens to verify their identities for KYC purposes.

The UK Gov have ZERO knowledge about technology or how to go about using it the right way.

The proposal as it stands is to open up government databases to private companies and let them make money from the data.

This will be a privacy disaster.

Does any expert on here have a suggestion to maximise privacy using a ZKP system?

I would like to see a government controlled ZKP verification service that allows third parties to confirm ID with citizen consent.

Also, a system where the citizen can verify their ID themselves and provide a proof to the third party.

I do not want private data companies like credit bureaus having access to confidential citizen data supplied by the government. With ZKP there is no need for that.

If you care about privacy, please respond to the consultation here:

If you have any ideas, please post here for discussion.

If the UK does this the right way, other countries will follow suit.

3 Likes

Copy-pasted the the questions, for your reference:

Questions on needs and problems

  1. Do you think digital identity checking will be a way to help meet the common needs of
    individuals and organisations referenced above? What other ideas or options would help?
  2. What are the economic or social benefits or costs from developing a digital identity system
    in the UK which meets these needs? Can you provide examples?
  3. What are the costs and burdens of current identity verification processes?
  4. How should we ensure inclusion, especially for individuals with thin files?
  5. What currently prevents organisations from meeting the needs stated above?
  6. Where do you see opportunities for a reusable digital identity to add value to services?
    Could you provide examples?
  7. What are the building blocks essential to creating this trust? How should the environment
    be created to enable this trust – for example, what is the role of open standards (identity,
    technical, operational, business implementation, design requirements for consumer privacy
    and protection)?
  8. How does assurance and certification help build trust?
  9. How do we ensure an approach that protects the privacy of users, and is able to cover a
    range of technologies and respond appropriately to innovation (such as biometrics)?
  10. How do we ensure digital identities comply with the Human Rights Act and ensure people
    with protected characteristics are able to participate equally?
  11. How should the roles, responsibilities and liabilities of players in the digital identity market
    be governed and framed to enable trust?
  12. What’s the best model to set the “rules of the road” to ensure creation of this trusted
    market?
  13. Who do you think should be involved in setting these rules?
  14. Do you think government should make government documents and/or their associated
    attributes available in a digital form, which could be used to help assure identity?
  15. i) For what purposes should government seek to further open up the validity checking of
    government-issued documents such as passports?
    ii) How should this be governed to ensure protection and citizen control of data?
    iii) What should the cost model be?
  16. i) For what purposes should government seek to further open up the attributes (such as
    age of citizens) that it holds for verification?
    ii) How should this be governed to ensure protection and citizen control of data?
    iii) What should the cost model be?
  17. What’s the role of legislation and statutory regulation to grow and enforce a secure,
    privacy-centric and trusted digital identity market?
  18. What legislation and guidance requires updating to enable greater use of digital
    identities?
  19. What else should government do to enable the wider use of digital identity?
  20. How could digital identity support the provision of local government services (including
    library cards and concessionary travel)?
  21. What is the private sector’s role in helping to create a trust model (based on the criteria
    for trust in section 5), and how should they remain involved in its long-term sustainability (for
    example funding, helping create the rules of the road)?

With a note:

We also actively encourage you to include any comments you have
on overarching issues such as diversity, digital exclusion, privacy and ethics in the
relevant section or woven into your response to a particular section.

Please provide your response in ODT, DOCX, PDF or similar text format (no more than
2000 words) and send to digital-identity-cfe@culture.gov.uk by 11:59pm BST on
Sunday 15th September 2019.

We’ll also be holding events with industry and civil society groups during this process to
explore the issues in more detail. If you’d like to take part in these, please email your name,
organisation and area of interest to digital-identity-cfe@culture.gov.uk by 2 August 2019.

1 Like

My reply will probably be as follows (apologies for diplomatic answers):

  1. What are the costs and burdens of current identify verification processes?
  • There are many ‘strict compliance’ laws regarding attributes of individuals, such as:
    • age
    • residency status
    • address history
    • eligability for services
  • Most efforts to verify these attributes are needlessly duplicated
  • Often repeatedly, even within the same department / service
  • Provide more than enough information for fraudsters to assume our identities
  1. How should we ensure inclusion, especially for individuals with “thin files”?
  • A consistent identifier is better than none, as long as it is biologically unique…
  1. What currently prevents organisations from meeting…
  • We are complacent with e-mailing and CC’ing all the necessary PII required by law, it is SOP.
  • Data protection laws are… comedic. A major cognitive and technological shift is necessary.
  • SOP should be the ‘Zero Trust’ doctrine.
  1. What are the building blocks essential to creating this trust?
  • Openness in intent is primary, in conjunction with a scientific, mathematic and/or
    crypgraphic proof which guarantees that the ‘intended boundaries’ cannot be exceeded.
  1. Who do you think should be involved in setting these rules?
  • Any involvement from ‘entrenched’ companies such as FCA registered credit rating agencies
    should be considered with high levels of suspicion; their vested interests are profit-motivated.
  1. For what purposes should [the] government seek to further open up the attributes (…) that it holds for verification?
  • Elective and verifiable disclosure of specific attributes must be preferred over excessive
    information sharing (which would allow third-parties to confirm, and profit from, knowledge of any attribute).
  1. What’s the role of legislation and statutory regulation to grow and enforce a secure, privacy-centric and trusted digital identity market?
  • To ensure that personal information sovereignty is protected, at a fundamental level,
    in a way which keeps a hand on the bridle of commercial exploitation…
  • (e.g. those Experian e-mails, because I had no choice but to implicitly accept their ToS,
    even though a large number of their terms are non-enforceable in any UK court…)
1 Like

Thanks for the reply. I hope you send it.

Passports presented in person are already a good ID but does is not so easy for remote or instant verification.

All that is needed is a digital ID service that will work for those 2 purposes.

Is it possible to hash government data into a system that attributes can be verified against without possible release of data not already known by the verifier?

That would be a simple system that protects privacy but with no need for credit data companies to get involved at all.

I am not a fan of biometrics but is it possible to have zero knowledge biometric attributes?

I would think it is a problem because of variation everytime an attribute is captured from a live person. Matching approximately a biometric model is OK but ZK data must match exactly?

1 Like

Great reply @HarryR
I attended the round table in London last week and conveyed similar points.
The bottom line is that there should no longer be a need to distribute or replicate data so freely for verification purposes.

Adi

1 Like

Great point @zkp about “ZK data” that “must” match exactly in the context of “slightly changing” biometric and “templates” stored in databases.
Sure one can prove a relation about biometric that would mean current data “is similar enough”.
Another problem is, the exact relation behind “template matching” is generally considered a secret, probably learned with statistical analysis.
(Shameless mode) I would point to 2008/357 preprint on approximate matching and “short tandem repeat” model. I do believe this could be a useful application of proper technology, and would help to make it happen.