Yoti, the Age Verification software used by “60 percent” of websites and services that require age verification, including PlayStation, Meta, and TikTok, reportedly “collects significant private information beyond what is strictly necessary to verify age” and even shares said information with “several less user-visible fourth parties,” according to a report from the Georgia Institute of Technology and the University of California.
As spotted by Futurity, the report, titled “Papers, Please: A First Look at Age Verification on the Web,” was recently presented at the IEEE Symposium on Security and Privacy conference on May 18, states that Yoti’s data collection methods “paint a concerning picture of privacy and effectiveness of age verification.”
According to the report, Yoti’s age verification software “collects a significant amount of high-resolution data about the user’s device” during its checks, even though said information does not appear to be “necessary in estimating the age of a user.” This specifically includes information gathered from the device during the age verification process, such as “OS version strings, available RAM, connection type, and CPU architecture.” The report also states that the “uniquely identifiable” information could be used to allow for “unpermissioned tracking of the user’s device.”
However, the most worrying discovery is “that Yoti relies on sharing sensitive user information with several less user-visible fourth parties,” including the payment processor Stripe. The paper notes that Stripe “collects significant telemetry that could likely be used to uniquely identify a device,” which includes information scraped from the first-party website used to verify user’s age via Yoti’s software: “We find that the service collects significant private information beyond what is strictly necessary to verify age, including high-entropy browser and device metadata, and other granular telemetry.”
However, since the report was first published, the researchers behind the paper have stated that “Yoti has indicated that they have fixed the issue with Stripe learning the first-party website,” although the researchers also note that they were unable to confirm the validity of this claim.
That in itself creates a completely separate issue. The fact that said issue was referred to as a “bug” by Yoti isn’t exactly filling me with confidence in the software, and does make me wonder how securely the data users are providing it with is being handled. It also doesn’t explain whether or not the data provided to Stripe has still been retained.
About the Author
