Yoti age checks share facial photos and device fingerprints with third parties

Lihh27 148 points 27 comments May 25, 2026
techxplore.com

Discussion Highlights (11 comments)

gum_wobble

Yeah, well, I mean, ahah, you don't say :)

falsaberN1

There isn't enough noise about this kinda news. People need to learn to distrust such systems and exposing failings such as this one is a good way to do it. We aren't going to be free of this stuff until the average Joe's mom hears of "forced age verification" and associates it with "unsafe".

pmh

The paper is https://mikespecter.com/assets/pdf/AgeVerification.pdf (good on them for linking it).

The rest of the IEEE Symposium on Security and Privacy papers are listed at https://sp2026.ieee-security.org/accepted-papers.html

Tanoc

I've been telling people for years now not to engage with systems such as these. Some say I'm just being paranoid. But a growing number concerningly reply with either "So? What are they gonna do with it?" or "They already have it, it doesn't matter." Normal people either don't know the dangers present or they don't understand that stopping the flow hurts the machine. And they want neither to know nor understand. Apathy or the desire for convenience cannot adequately explain why.

wmf

Every app shares all data with third parties. The concept of privacy labeling has completely failed and it's time to try a new approach.

gruez

>TABLE 2. USER AGENT METADATA FIELDS (“CLIENT HINTS”) SENT AS PART OF YOTI’S AGE ESTIMATION METHOD

As far as device fingerprinting goes, this is pretty tame compared to what something like ChatGPT does: https://www.buchodi.com/chatgpt-wont-let-you-type-until-clou...

The far more concerning part is your pictures/document scans getting sent to them.

beloch

If a city hires a cop who openly accepts bribes, it's a problem for city hall. If they tolerate crooked cops, they are rightly painted as being corrupt as well. If a government mandates age verification and tolerates companies like Yoti as enforcers of their law, it's exactly the same thing. If politicians aren't willing to see that new laws are enforced with integrity, then these corrupt politicians are the problem and need to face the consequences.

SwellJoe

Age check is identity theft at scale, mandated by the state. A disaster waiting to happen (and it won't wait long).

internet101010

The third-party list on page 12 is not small. The real-time API architecture creates a live, per-query link between a specific user event and every broker in the chain. Batch transfers or delta shares would break that linkage. Zero-knowledge proofs (also mentioned in the study) can prove age without handing anyone a name, document, or photo. There's no reason Aristotle or Veratad should see who the underlying requestor is. Yoti should receive the verification request, strip the context, make the request - that's it. The fact that it isn't structured that way and they are tagging on additional metadata suggests per-query economics, which creates a direct incentive to route more verifications through more parties, exactly backwards from data minimization. I'm not going to call it a rev share, but the architecture is consistent with one.

unknown_user_84

Probably worth mentioning that I just did a very informal and quick review of identity/age verification providers because of payment provider requirements. Yoti came up as one of the more privacy focused (relatively) lower friction options because they only require a face scan and try to estimate age based on that. They may do more but that is as far as my research got.

shreyasminocha

Lead author here, happy to answer any questions about the study!
