
> On the other hand: Are you willing to pay hundreds of millions for developing the biggest data leak in human history

The comment you are replying to was talking about ZKP-based systems. In those systems you don't show any identity information to the websites that you are trying to prove your age to.

Those systems can be made leak-proof by making the party that you have to show identification to be some party that already has your identity information. For example it can be the government agency that issues your driver's license.



But these systems then are trivial to bypass by a person that publishes their private key for others to use as impersonation. If the site can't determine if the same id is used for multiple requests, they can't prevent it. And if the gov isn't able to see which site is requesting the data, neither can it.


Systems like the EU's digital identity wallet use hardware-based security. The private keys are generated by the secure element in your smartphone or something equivalent on a smart card, and any operations that need the keys during a verification are done in that secure element.


IIRC the new EU spec doesn't actually require using "secure elements" that could limit the user, only says they should be used if present. It shouldn't be hard to find some device where the hardware isn't present or is insecure to extract the keys from.

Or people could just proxy requests to the device; even with a reasonable rate limit in place, one donor could provide access for over a dozen people each day.


Nobody is using the EU wallet and perhaps trusting it is a mistake.



