[beeflet]

>Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used.

That is not nessisarially true. There are ZK setups where you can tell when a witness is reused, such as in linkable ring signatures.

Another simple example is blind signatures, you know each unblinded signature corresponds to a unique blind signature without knowing who blinded it.

[raxxorraxor]

The easy solution is the best one. Just don't collect the info. Any problems resulting from that need to be handled differently.

Proven to work and we wouldn't be dependent on untrustworthy identity providers.

[beeflet]

I agree. It is possible, but that does not mean it should be done.

The thing is with such a ZK system you are still collecting and compiling all this data, it's just done by some sort of (government?) notary and there is a layer of anonymity between the notary and the verifier (which they can cooperate to undo).

The real political problem is the concentration of personal information in one place. The ZK system just allows that place (notary) to be separate from the verifier.

[mindslight]

Sure, but making use of that introduces new problems.

Fundamentally it limits a person to one account/nym per site. This itself removes privacy. An individual should be able to have multiple Discord nyms, right?

Then if someone gets their one-account-per-site taken/used by someone else, now administrative processes are required to undo/override that.

Then furthermore it still doesn't prevent someone from selling access to all the sites they don't care about. A higher bar than an activist simply giving it away for free, but still.

[beeflet]

>An individual should be able to have multiple Discord nyms, right?

Yeah, I think so. I mean this is like my 20th hacker news account. I am using my 5th discord account right now.

But at the same time it would be an interesting to see how anonymous yet sybil-proof social media would work out.

I get the feeling that it's already pretty easy to buy and sell fake IDs, so I don't think it would pan out in practice. I also had the same idea as you: if such a system were to exist, you could sell proofs for all the services you don't use.

Usually, these zero-knowlege proofs are backed by some sort of financial cost, not the bureaucratic cost of acquiring an ID. All of these "linkable" ZK proofs are aimed at money systems or voting systems.

In the blind-signature based money systems, a big problem used to be dealing with change; you had to go back and spend your unblinded signature at the signatory to get a new one. In a similar fashion, maybe you could make it so that users could produce a new ZK proof by invalidating an old one? So you could retire an old nym if you get banned, and create a new nym but you could only have one at a time? IDK if that is a reasonable tradeoff.

[mindslight]

> interesting to see how anonymous yet sybil-proof social media would work out.

I agree it could be interesting but on the other hand we see plenty of people posting tripe under their public meatspace nym. The real problem with social media is the centralized sites optimizing for engagement, which includes boosting sockpuppets into view of the average user. So focusing on controlling users continues to ignore the puppetmaster elephants in the room.

I think talking about crypto details is a red herring on this topic though. User controlled computing devices mean that any two people can run software that behaves as a single client, using the credentials of the first person to give access to the second person. The only way to stop this is to make the first person have skin in the game, which is directly contrary to all of the privacy goals.

Chewing on this problem a bit more, it's starting to feel like this "use cryptography prove aspects of your identity without revealing your identity" is actually a bit of a longstanding nerd-snipe. It seems like a worthwhile problem because it copies what we do in meatspace for liquor/stripclubs/gambling/etc. But even the meatspace protocols are falling apart with a lot of places using ID scanners that query (ie log) a centralized database, rather than a mere employee who doesn't really care to remember you (and especially catalog your purchases). The straightforward answer to both is actually strong privacy laws that mandate companies cannot unnecessarily request or store data in the first place. Then some very simple digital protocols suffice to avoid this issue of identity being implied by knowing one mostly-public number.

(FWIW the problem of making change always seemed very simple to me - binary denominations of coins/tokens. I've always thought the statement of it as a problem has more to do with the speed of crypto ops during the period of early ecash research)