# Data Portability and Proofs ## The Problem with Data Silos Today's digital world locks your data behind system boundaries: * **Identity verification** locked in each platform. Every new service requires re-verification, even though you've already proven who you are. * **Professional credentials** are only verifiable by calling the issuing institution. No certificate, just gatekeepers. * **Work history** vanishes when you change agencies. Your timesheet approvals, signed-off work, and performance records don't follow you. The common thread: **you don't own portable proof of these facts**. You own access to systems that claim these facts are true. ## What Zipwire Attest Changes Today Zipwire Attest and ProofPack introduce something fundamentally different: **portable, verifiable identity proofs** that move across system boundaries without losing integrity or authorship. ### The Core Difference A **cryptographic proof** is self-contained evidence that: * Proves a fact (like your age or identity) without requiring the original system's permission * Maintains its integrity through cryptographic signatures * Can be verified by anyone, anywhere, at any time * Doesn't leak more information than necessary (selective disclosure) This is different from a PDF certificate or a screenshot. Those can be forged. A cryptographic proof **cannot be altered without detection**. ### What's Available Now With **Zipwire Attest**, you can get blockchain attestations for: * **Identity verification** - Verified once via government-approved Yoti checks * **Age thresholds** - IsThirteen, IsFourteen, IsSixteen, IsEighteen, IsTwentyOne * **Proof of personhood** - IsAHuman attestation * **AML clearance** - HasClearAML status These attestations are portable. Once verified, you can use them across any Web3 platform supporting EAS (Ethereum Attestation Service). ## Structural Optionality Data portability combined with cryptographic signatures creates what we call **structural optionality**: you're not forced to trust the incumbent custodian of your data. ### What This Means in Practice #### You Can Re-Use Verified Data * Verified once by Zipwire through government-approved Yoti checks * Use that attestation across any Web3 platform supporting EAS (Ethereum Attestation Service) * No need to verify your identity repeatedly for every new service * Move between platforms without losing your verified identity #### You Control Disclosure * Share only your date of birth with an age-restricted service (ProofPack reveals only that field) * Share nationality verification without revealing your full passport * Share AML clearance status without exposing the underlying checks * Different proofs for different contexts - you choose what to reveal #### Future: Work History Portability Switch agencies and your attested work history, signed timesheets, and client approvals remain yours (coming with Zipwire Approve integration). ## How ProofPack Enables Portability ProofPack is Zipwire's portable proof format. It's a standardized, cryptographically-signed document that contains: ### Three Verification Layers 1. **JWS Envelope** - Cryptographic signatures prove the document hasn't been tampered with 2. **Blockchain Attestation** - On-chain record on Base blockchain (via EAS) proves Zipwire verified the underlying data 3. **Merkle Tree Structure** - Enables selective disclosure (reveal only specific fields) ### Key Properties * **Portable**: ProofPacks are JSON files. Download them, email them, store them locally. * **Verifiable Anywhere**: Anyone can verify a ProofPack using open-source tools and blockchain queries. * **Privacy-Preserving**: Only the fields you choose to reveal are included in the proof. * **Tamper-Evident**: Any modification breaks the cryptographic signatures. * **User-Editable**: Download the JSON and hand-edit to create custom selective disclosures. The JWS envelope becomes invalid, but the Merkle tree remains covered by the blockchain attestation. * **AI-Verifiable**: ChatGPT and Claude can read the JSON, validate the Merkle tree structure, and guide you to verify the attestation on [Base EAS Scan](https://base.easscan.org/). For technical details, see [Proof Verification](https://docs.zipwire.io/zipwire-attest/proof-verification). ## Upcoming: Attested Work History and Approvals Zipwire is extending the power of portable proofs beyond identity verification to **work history** and **approvals**. ### Attested Timesheets Imagine a world where: * Your signed-off timesheets are **cryptographically attested** * The approver's signature is **verifiable on-chain** * You can **prove hours worked** without accessing your old agency's system * Future employers can **verify your work history** through portable proofs This is coming with Zipwire Approve integration. ### Proof of Work Done Timesheet approvals today are trapped in agency systems. Tomorrow: * **Portable approval records** - Approver signatures become blockchain attestations * **Verifiable work history** - Prove to future clients that you delivered (and they paid) * **Professional reputation** - Build a portable record of successfully completed assignments ### How It Works 1. **Worker submits timesheet** via Zipwire Approve 2. **Approver signs off** via WhatsApp or web interface 3. **Approval becomes a blockchain attestation** (on Base via EAS) 4. **Worker receives ProofPack** - portable proof of the approved work 5. **Worker shares ProofPack** with future clients, agencies, or lenders This transforms approvals from **internal system records** to **portable professional credentials**. ## Real-World Benefits ### For Individuals (Available Now) * **Age-restricted services** - Prove you're old enough without revealing your exact age or full ID * **Web3 platforms** - Use your identity attestation across any EAS-compatible service * **Proof of personhood** - Demonstrate you're a unique human without revealing personal details * **AML compliance** - Share clear AML status with platforms that require it * **Privacy control** - Choose exactly what information to reveal in each context ### For Contract Workers (Coming Soon) * **Prove income** to lenders without accessing old agency systems * **Demonstrate track record** to new clients with verifiable approvals * **Maintain work history** across multiple agencies and job transitions * **Control your narrative** with selective disclosure (share only relevant projects) ## Example: Safety-Critical Industries Industries with regulatory requirements for **recent experience** and **certified work history** face particularly acute portability challenges. ### Aviation Maintenance Aircraft maintenance engineers must prove: * Recent experience on specific aircraft types * Currency on critical tasks (engines, avionics, structural work) * Valid certifications and type ratings * Sign-offs on safety-critical maintenance **Current reality**: Paper logbooks, manual verification, lost history when changing employers. **With attested work records**: Each maintenance sign-off becomes a verifiable ProofPack. Prove currency on Boeing 787 avionics work without contacting three previous MROs. Regulators verify credentials without phone calls. Insurance decisions based on cryptographic proof rather than paper trails. Similar patterns exist in nuclear power, medical device manufacturing, pharmaceutical production, and other fields where "who did what, when, and were they qualified?" matters for safety and compliance. ## Trust Chains and Verification ProofPack proofs aren't isolated claims - they're part of verifiable trust chains linking back to authoritative sources. For details on how trust chains work and how to verify them, see: * [Proof Verification](https://docs.zipwire.io/zipwire-attest/proof-verification) - Technical verification details * [Trust Chain Verification](https://docs.zipwire.io/zipwire-attest/proof-verification#trust-chain-verification) - How attestations link to authorities like NIST ## Privacy and Security ### What's Not Portable * **Your private keys** - Never leave your wallet * **Unencrypted documents** - Only cryptographic hashes are on-chain * **More data than you authorize** - Selective disclosure is enforced cryptographically ### What Is Portable * **Cryptographic proofs** - Merkle tree structures proving specific facts * **Attestation references** - Blockchain attestation UIDs for verification * **Revealed fields only** - You control exactly what data is in each ProofPack ### Data Deletion Even with portable proofs, you maintain control: * **Delete documents** from Zipwire's encrypted storage at any time * **Attestations remain** on blockchain for verification (they're just hashes, not personal data) * **ProofPacks remain valid** even after deleting source documents For more details, see [Privacy and Security](https://docs.zipwire.io/zipwire-attest/privacy-and-security). ## Technical Standards and Interoperability Zipwire uses open standards for maximum portability: ### Blockchain Standards * **EAS (Ethereum Attestation Service)** - Industry standard for on-chain attestations * **Base Network** - Low-cost Layer 2 blockchain from Coinbase * **EIP-1271 and ERC-6492** - Smart wallet signature standards ### Cryptographic Standards * **JWS (JSON Web Signature)** - IETF standard for signed JSON documents * **Merkle Trees** - Well-understood cryptographic data structure * **ES256K and RS256** - Industry-standard signature algorithms ### Developer Integration * **NPM packages** - `@zipwire/proofpack` and `@zipwire/proofpack-ethereum` * **Open specification** - Full ProofPack format documented on GitHub * **AI/LLM-friendly** - Structured JSON format for automated verification ## The Complications (And How We Address Them) ### Attack Surface **Problem**: Portable data creates new risks (data exfiltration, context collapse, injection attacks). **Our Approach**: * Selective disclosure limits what can be exfiltrated * JWS signatures prevent injection of forged proofs * Revocable attestations allow invalidation of compromised proofs ### Format Agreement **Problem**: Portable data is only useful if the receiving system understands it. **Our Approach**: * Use industry standards (EAS, JWS) * Open specification for ProofPack format * Compatibility with entire Web3 ecosystem via EAS ### Consent and Re-Use **Problem**: Does portability imply consent to re-use? **Our Approach**: * Each ProofPack is created for a specific purpose (nonce-based) * Users explicitly generate each proof * Revocable attestations allow withdrawal of consent ### Fraud Vectors **Problem**: Forged portable records could be injected into other systems. **Our Approach**: * Blockchain attestations provide unforgeable source-of-truth * Trust chains allow verification back to known authorities * Revocation mechanisms allow invalidation of fraudulent attestations ## The Future: Horizontal Approval Traces With attested approvals from Zipwire Approve, we enable **horizontal approval traces** across organizations: * **Worker submits timesheet** to Agency A * **Client approver at Company B** signs off via WhatsApp * **Approval becomes blockchain attestation** linking worker, agency, client, and timesheet hash * **Worker uses ProofPack** to prove delivery to Agency C for next contract * **Agency C verifies** the approval chain without contacting Agency A or Company B This is **portable reputation** built on cryptographic proofs, not locked in proprietary systems. ## Comparison: Traditional Identity Verification vs. Zipwire Attest | Feature | Traditional Verification | Zipwire Attest + ProofPack | | -------------------- | ------------------------------------- | ------------------------------------------------------- | | **Data Location** | Locked in each platform's system | Portable, user-controlled | | **Verification** | Requires system access or phone calls | Cryptographic, self-verifying | | **Re-verification** | Required for every new platform | Verify once, use everywhere | | **Permission** | Need provider's cooperation | No permission needed | | **Portability** | Not portable between platforms | Cryptographically-signed JSON | | **Privacy** | All-or-nothing (full ID document) | Selective disclosure (age only, nationality only, etc.) | | **Longevity** | Lost if platform shuts down | Verifiable as long as blockchain exists | | **Interoperability** | Platform-specific | Open standards (EAS, JWS) | | **Trust Model** | "Trust the platform's database" | "Verify the cryptographic proof" | ## GDPR and Data Portability Rights Zipwire's approach aligns with GDPR's "right to data portability" (Article 20): * **Machine-readable format** - ProofPacks are structured JSON * **User-controlled** - You decide what to export and when * **Portable to other services** - ProofPacks work across any EAS-compatible platform * **No vendor lock-in** - Your attestations exist on public blockchain Additionally, GDPR's "right to erasure" (Article 17) is supported: * Delete documents from Zipwire's storage at any time * Only cryptographic hashes remain on-chain (not personal data under GDPR) For data retention policies, see [Attestations, Privacy, Timing, and Data Deletion](https://docs.zipwire.io/fundamentals/security/attestations-privacy-timing-data-deletion). ## Getting Started ### For Individuals 1. **Register at Zipwire Attest** - Self-service, no business account needed 2. **Connect your wallet** - EOA or Smart Wallet (e.g., Coinbase Smart Wallet) 3. **Verify your identity** - Government-approved Yoti verification 4. **Receive attestations** - Blockchain attestations on Base via EAS 5. **Generate ProofPacks** - Create portable proofs for specific use cases See [Getting Started with Zipwire Attest](https://docs.zipwire.io/zipwire-attest/zipwire-attest). ### For Developers 1. **Install ProofPack SDK** - `npm install @zipwire/proofpack @zipwire/proofpack-ethereum` 2. **Integrate verification** - Use SDK to verify ProofPacks in your application 3. **Query EAS attestations** - Verify on-chain attestations on Base 4. **Build workflows** - Create applications that accept portable proofs See [Proof Verification](https://docs.zipwire.io/zipwire-attest/proof-verification) for technical integration details. ### For Contract Workers (Coming Soon) 1. **Use Zipwire Approve** - Track time, submit timesheets 2. **Get approvals via WhatsApp** - Approvers sign off remotely 3. **Receive attested approvals** - Blockchain attestations of signed timesheets 4. **Build portable work history** - ProofPacks of completed assignments Watch for announcements about attested timesheet approvals. ## Related Resources * [Data Ownership in Zipwire](https://docs.zipwire.io/overview/data-ownership-in-zipwire) - How Zipwire protects your data across all products * [Privacy and Security](https://docs.zipwire.io/zipwire-attest/privacy-and-security) - Security measures and privacy guarantees * [Proof Verification](https://docs.zipwire.io/zipwire-attest/proof-verification) - Technical details on verifying ProofPacks * [Attestation Schemas](https://docs.zipwire.io/zipwire-attest/attestation-schemas) - Available attestation types and their uses * [Understanding Merkle Trees and Proofs](https://docs.zipwire.io/fundamentals/security/understanding-merkle-trees-and-proofs) - How selective disclosure works ## Key Takeaways 1. **Data portability + cryptographic proofs = structural optionality** - You're not locked into custodian systems 2. **ProofPack is the portable proof format** - Cryptographically-signed, blockchain-attested, selectively-disclosable 3. **Trust chains are verifiable** - Trace attestations back to authoritative sources 4. **Upcoming: attested work history** - Approved timesheets become portable professional credentials 5. **Open standards ensure interoperability** - Works across Web3 ecosystem via EAS **The power shift**: From "the system says it's true" to "here's cryptographic proof it's true."