Zero-Knowledge Proof - A Game Changer for Customer Data Security

in #identity5 years ago

Identity verification poses a challenge to businesses. Confirming that customers are who they say they are by implementing 'Know Your Customer' ( KYC) processes is an accepted way to serve customers, limit fraud and comply with anti-money laundering regulations. At the same time, collecting personally identifiable information creates new headaches as data privacy regimes such as GDPR and CDPR come into force. Moreover, rich sets of personal data are targets for hackers and increase business risk.

The solution to these challenges may require a counterintuitive approach: stop collecting information altogether. Significantly, both Privacy-by-Design and the GDPR are driving data minimalization. Blockchain-based digital identity systems that apply a technique called zero-knowledge proof let businesses verify information about a customer without ever receiving that information. With zero-knowledge proof, businesses can minimize the collection of personal data and reduce both the burden and the risks that holding personal data creates.

The perils of collecting identity data


Consider the case of Thai telecom company iTruemart which earlier this year was revealed to have thousands of scans of its customer's ID cards, drivers licenses and passports stored on an unsecured cloud server - essentially available for anyone to see.

The company only became aware of its error when alerted to it by 'white hat hacker' and software security consultant Niall Merrigan. "There was no security at all protecting the files," he says. Even after Merrigan contacted the company nothing was done to address the issue, and it was only after journalists were informed that iTruemart acted to close the breach.

While it is true that better security measures could have protected iTruemart customers, it is also true that the only guaranteed way to avoid data theft is to never possess the data in the first place.

Complete, sound - but no knowledge


A zero-knowledge proof lets one party, the verifier, confirm that something about another party, the prover, is true without learning anything else about the prover. A vineyard, for example, may need to verify someone is old enough to visit its website. Often, such sites have requested the visitors' dates of birth to calculate their ages. Of course, there is no way to prove the visitors have told the truth.

More importantly, the vineyard has collected personally identifiable data and under most data privacy regulations having done that its managers must now set policies for storing, protecting, using and deleting the data. In addition, the visitors must have a way to change, hide or delete their data.

In reality, the vineyard does not need to know its visitors' dates of birth or even their ages. All the company needs is a way to trust visitors' answers when it asks, "are you old enough to enter the site?"

Three aspects of the zero-knowledge system provide trust in a nearly data-free process:

Completeness: A verifier can trust that an honest prover's statement is true. Our vineyard can trust visitors who truthfully say they are old enough.

Soundness: A verifier will almost always know when a dishonest prover's statement is false. The vineyard will detect a lie and trust that the visitor is truly underage.

Zero-Knowledge: The prover can trust that the verifier learns nothing beyond the fact the statement is true. The vineyard only knows, yes or no, whether the visitors are old enough to visit the website.

How does Zero-Knowledge Proof work?


To continue our analogy, let's assume the vineyard is already connected to an identity system that verifies personal information. On demand, the digital identity system could transmit the date of birth in a unique encrypted form called a hash. That hash cannot be altered to claim an earlier date of birth or unencrypted to reveal the actual date of birth.

When presented with the vineyard's question "are you older than 18?", the visitor's identity system combines the answer "yes" with the hash to calculate another number called a "proof". We will skip the maths, but that proof can only be the answer to the vineyard's question.

The vineyard's website receives the proof, the "yes". More maths use the proof and the "yes" to reverse the proof calculation. Provided the result matches the hash, the vineyard has the confirmation it needs.

The visitor does not have the time or the supercomputing power to alter the identity system's data, allowing the vineyard to trust the results. At the same time, the visitors have stronger trust in the vineyard which never collects their ages or dates of birth.

Zero-Knowledge Proof minimalizes personal data


Perhaps most importantly, the vineyard only needs to record the "yes" answer. To extend our analogy to the data breach at iTruemart mentioned earlier, a blockchain-based identity verification system using zero-knowledge proof would eliminate the need for identity card scans.

Businesses could trust the integrity of identity confirmations and their provenance in trusted sources. Rather than recording identity documents, businesses simply apply the GDPR principle of data minimalization to record the verification itself. In the process, business will reduce the burden — and the risks — of recording excessive personal data.

Ultimately, a zero-knowledge proof system such as those being developed by Sphere Identity and others will benefit businesses that:

  • Need to verify information without compromising customer privacy
  • Are focused on minimising the burden of storing private customer data
  • Want to provide an easy, form-free way for customers to share verified information
#data #security #blockchain
5 years ago in #identity by
$0.36
  • Past Payouts $0.36, 0.00 TRX
  • - Author $0.28, 0.00 TRX
  • - Curators $0.09, 0.00 TRX
6 votes
Reply 0

Coin Marketplace

STEEM 0.30
TRX 0.12
JST 0.033
BTC 64093.86
ETH 3123.80
USDT 1.00
SBD 3.94