VPNs and zero knowledge proof systems are vulnerable to traffic analysis (based on packet size and timestamps) and there's almost no cure.
Mullvad is the only VPN I know of that has a mode that normalizes all packets to the same size (going into the VPN) and sends fake packets that don't get sent as real traffic. But that's only obfuscation and, at low traffic or high bandwidth (videos) or with sufficient heuristics, it can be beaten.
The US has basically zero regulation on selling this data. I can imagine a world where within a couple decades the US has one of the largest blackmail crisis ever seen, as foreign governments target civil workers. Or, I guess, at this point, the US government against the "undesirable" party within this administration.
It really depends on the implementation around it, how a user conducts themselves, and what data you can buy. While there is zero knowledge inside the proof, its use creates a side channel that reveals information.
For instance: The relying party server needs to call the auth server on novel users. Thats a new, unavoidable indicator!
How large are token batches and how long do they last? Will the implementation force them to wait a time period between redemption and use?
A bad implementation means the user IP will talk to the A server, then it will contact the RP server, who will contact the A server. Because this happens once per connection (or 60 minutes in this bill) and takes maybe a few hundred milliseconds. there's not going to be a huge number of candidates to have to sort through. And that's just the handshake.
Oh, that's my bad, I re-read the privacy pass protocol to brush up and it does use signing without requiring the RP to necessarily make another call to the original approver server. I also see there's been work on hidden witness ZKP, so the RP may not even know who approved a given token.
Very cool! Always happy to be proven wrong with cool tech!
Mullvad is the only VPN I know of that has a mode that normalizes all packets to the same size (going into the VPN) and sends fake packets that don't get sent as real traffic. But that's only obfuscation and, at low traffic or high bandwidth (videos) or with sufficient heuristics, it can be beaten.
The US has basically zero regulation on selling this data. I can imagine a world where within a couple decades the US has one of the largest blackmail crisis ever seen, as foreign governments target civil workers. Or, I guess, at this point, the US government against the "undesirable" party within this administration.