Yoti, a prominent digital age verification service integrated into major platforms including PlayStation, Meta, and TikTok, is facing significant scrutiny following a report titled "Papers, Please: A First Look at Age Verification on the Web." The research, conducted by the Georgia Institute of Technology and the University of California, Berkeley, was presented on May 18 at the IEEE Symposium on Security and Privacy.
The findings indicate that Yoti collects high-resolution telemetry from user devices, including OS version strings, available RAM, connection types, and CPU architecture. Researchers concluded that this granular data is not "necessary in estimating the age of a user" and warned that the information is sufficiently unique to facilitate the "unpermissioned tracking of the user’s device."
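The uniqueness concern can be measured during a data-minimization review. The following is an added example, not code or data from the paper or from Yoti: it computes how far the four attributes named above shrink a device's anonymity set. The device population, field names, and function names are constructed for illustration.

```python
import math
from collections import Counter

# Hypothetical field names for the four attributes named in the report.
FIELDS = ("os_version", "ram_gb", "connection", "cpu_arch")

# Constructed sample population (not measurements from the paper).
DEVICES = [
    ("Windows 11 23H2", 16, "wifi", "x86_64"),
    ("Windows 11 23H2", 16, "wifi", "x86_64"),
    ("Windows 11 23H2", 8, "wifi", "x86_64"),
    ("Windows 10 22H2", 8, "ethernet", "x86_64"),
    ("macOS 14.5", 16, "wifi", "arm64"),
    ("macOS 14.5", 8, "wifi", "arm64"),
    ("Android 14", 8, "cellular", "arm64"),
    ("Android 14", 8, "wifi", "arm64"),
    ("Android 13", 4, "cellular", "arm64"),
    ("iOS 17.5", 4, "wifi", "arm64"),
]

def anonymity_report(devices, fields):
    """Return (entropy_bits, unique_fraction, smallest_set) for a field subset."""
    idx = [FIELDS.index(f) for f in fields]
    counts = Counter(tuple(d[i] for i in idx) for d in devices)
    n = len(devices)
    # Shannon entropy of the combined value: higher means more identifying.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Fraction of devices whose combination is shared with no other device.
    unique = sum(1 for c in counts.values() if c == 1) / n
    return entropy, unique, min(counts.values())

def marginal_bits(devices, field):
    """Identifying bits lost if `field` were dropped from collection."""
    rest = [f for f in FIELDS if f != field]
    full = anonymity_report(devices, FIELDS)[0]
    return full - anonymity_report(devices, rest)[0]

if __name__ == "__main__":
    for subset in (("cpu_arch",), ("os_version", "cpu_arch"), FIELDS):
        bits, uniq, k = anonymity_report(DEVICES, subset)
        print(f"{'+'.join(subset):45s} {bits:5.2f} bits  "
              f"{uniq:4.0%} unique  smallest set={k}")
    for f in FIELDS:
        print(f"dropping {f:12s} removes {marginal_bits(DEVICES, f):.2f} bits")
```

On a real audit the rows would come from a consented measurement set, and a smallest set of 1 means at least one device is singled out by the collected fields alone.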
Beyond the scope of age verification, the report highlights privacy risks involving the sharing of user data with "less user-visible fourth parties." Investigators specifically identified the payment processor Stripe as a recipient of this telemetry. According to the paper, Stripe collected data that could potentially identify a user's device while simultaneously scraping information from the first-party websites where the age check was initiated.
Researchers stated that Yoti, in response to the publication of these findings, claimed to have resolved the issue regarding Stripe’s access to first-party website data. However, the researchers noted they were unable to independently verify that this fix was implemented or that previously collected data had been purged from the system.
According to Kotaku, Yoti characterized the data leak as a "bug," a response that has prompted further questions regarding how the service manages the private information of its millions of users. The software is currently utilized by an estimated 60 percent of global websites that implement age verification protocols, raising concerns about the scale of data collection occurring under the guise of security and compliance.