ISO/IEC 27565 published
ISO/IEC 27565:2026 is a brand new ISO27k standard on Zero-Knowledge Proofs. It explains how to go about collecting and verifying personal information for various legitimate purposes without 'over-collecting', i.e. requiring and gathering additional information beyond that strictly needed for the stated purpose, namely verifying whether a statement or claim is or is not true.
Age verification is a common example. A new law in Australia, for instance, prohibits youngsters from accessing and using ten specific social media services. To comply with the Online Safety Amendment (Social Media Minimum Age) Bill 2024, those services need to check that their users are old enough (meaning at least 16 years of age). However, since the law does not require the services to verify their users' actual birthdays, insisting on obtaining users' birthdates might be considered unnecessarily intrusive [caveat: I Am Not A Lawyer, and this is just an informational blog, not legal advice].
A specified ZKP protocol could allow users to convince the social media suppliers that they are 'at least 16' without having to disclose their actual age or birthdate, or being required to provide information that could be linked unambiguously to sources of additional personal information (the 'unlinkability' property).
At the same time, a properly designed and implemented ZKP could provide the social media companies with sufficient assurance to satisfy their compliance obligation to verify users' asserted age-sufficiency.
The standard discusses different ZKP methods including "public coin interactive ZKP", formally defined as "interactive zero-knowledge proof (ZKP) where the verifier’s messages are uniformly random and independent of the prover’s messages". Non-interactive cryptographic methods are also described.
Read more about the new standard here on this website and at ISO.org





