With a high prevalence of online misinformation and an epidemic of scams, the issue of whether to trust what we see has never been more important.
While a lot has been written on how to evaluate facts written by others, in this issue we're going to look at things the other way - how we can prove facts about ourselves to other people.
What is the future of proof in the 21st century, and how will technology help us?
The problem of oversharing data
Let’s start with an example of being asked for ID when attempting to buy drinks in a bar. In this scenario, the traditional approach is to hand over an acceptable form of proof for inspection by the bartender – a driving license, maybe. The document contains both proof it’s you (your photo) and your age (your date of birth). By seeing both elements on the same document, the bartender can verify that you are of the legal age to be served.
There are two problems with this approach. Firstly, many physical forms of documentation are easy to counterfeit or costly to secure, which means that the proofs are not always reliable or practical. Secondly, as a customer you’re revealing far more to the bartender than is necessary: your name, your address – even your date of birth is more information than is strictly required to assert whether you’re over 18.
Information leakage and fraud
Now in a bar environment, you might not care; revealing this kind of information about yourself probably has limited utility to a bartender, and they can use other situational information to corroborate your age. But an increasing number of our transactions take place online, where the problems of fraud due to counterfeit and information leakage are huge. In the first six months of 2021, the UK saw an increase in identity fraud cases of 11%.
How can we ensure that when we are required to prove something, we can securely and reliably reveal just enough information to prove what we need (thus minimising the risk of fraud), while also ensuring that the information we do reveal is trusted by the verifier?
The rise of zero-knowledge proof
Fortunately, there are several emerging technologies and algorithms for doing this, which are set to change the way we perform all kinds of interactions - both online and offline. One of the key concepts is zero-knowledge proof, which can validate the authenticity of information without actually having the information to hand. In our bar example, imagine if there was a mutually trusted authority who can reveal, with a simple yes or no, whether a given person was over 18.
Zero-knowledge proofs are increasingly used in digital identity systems. They cover a plethora of use-cases, from checking the validity of educational qualifications to ensuring that people have been vaccinated against COVID-19.
How zero-knowledge proof keeps information safe
Identity documents in these systems have holders, issuers, and verifiers. The holders of identity (for example, you or me) can have facts - also known as verifiable credentials - about them published by issuers, the correctness of which can be subsequently checked by verifiers.
Be part of something bigger, join BCS, The Chartered Institute for IT.
For example, a fact about Alice could be that she's a doctor. The fact was issued by her medical college, and it can be independently checked when she applies for a job at a hospital, who may only want to know if she's qualified or not. On the other hand, Bob could be trying to enter a venue that requires proof of a COVID-19 vaccination; his healthcare provider's app could provide him with a one-time use QR code that allows the venue to use with a verification service to see if he's been vaccinated - without revealing any personal information, even to the verifier.
Using zero-knowledge proof technology
Verifiers can ensure that both the identities of the holders are correct, and that the verifiable credentials were published by the issuer and are still valid. The identities themselves can be stored on a public, decentralised ledger such as a blockchain, which helps avoid any single points of trust.
To the holder, these systems should be no more complicated to use than existing systems - for example, by presenting a document when checking into a venue. But crucially the information revealed is both verifiable by a third-party and minimal.
None of these systems can be perfect, as they provide technical solutions to what are in many cases social problems. For example, if proof of my identity ultimately comes from an ID or token on my phone, the system can only be as secure as the phone that is being used to assert it. But these emerging systems do go a long way to ensuring that when asked for proof of something in the future, we can do so in a way that, compared to existing technology, is much more trustworthy and is less susceptible to fraud.