Yoti challenges academic research, invites independent audit of age assurance platform

Company rejects claims that its technology shares biometric data with third parties and calls for external review

Yoti has publicly challenged research presented by academics from the Georgia Institute of Technology and the University of California, Irvine, and invited an independent cybersecurity audit of its age assurance platform in an effort to rebut claims about how it handles user data.

The dispute highlights growing scrutiny of age assurance technologies as governments increasingly require age checks for access to online content and services. It also marks an unusual move by a leading provider, which is responding to criticism not only with public rebuttals but by offering independent verification of its systems.

Researchers presenting at the IEEE Symposium on Security and Privacy argued that Yoti’s age verification process transmits personal information to third- and fourth-party companies, including credit card providers, geolocation services and data brokers.

An article from the blog of Georgia Tech’s College of Computing summarizes: “The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.”

Yoti CEO Robin Tombs rejected those claims in an open letter, calling allegations that facial image data is shared with third parties “wholly false.”

Rather than limiting its response to public criticism, Yoti has challenged the researchers to nominate an independent cybersecurity expert to review the company’s technology and verify how user data is handled.

Yoti says claims are ‘wholly false’

“The allegation that Yoti’s age verification platforms transmits facial image data to any third party is wholly false,” says Yoti CEO Robin Tombs, in an open letter that calls for a redaction of the articles in which the claim is made, and a public apology from the two U.S. schools.

“Our systems are built in a way that means we cannot mine or sell data to third parties, and once a security check is complete, we cannot access any user details.”

As such, the company has serious concerns about “multiple statements making claims about our platform that are scientifically and factually incorrect, technically at odds with how our technology actually works, and which were not subject to prior comment by, or consultation with, Yoti.”

Researchers allege data-sharing risks in age verification process

The paper, “Papers, Please: A First Look at Age Verification on the Web,” examines privacy and security implications of online age verification systems, but also extends into broader debates over regulation, censorship and free speech.

The most concrete assertion concerns Yoti’s collection of “high-entropy data.”

“Yoti collects a significant amount of high-resolution data about the user’s device. It is unclear what the use of this data is, and we note that little information collected here appears to be necessary in estimating the age of a user, assuming that one is doing so purely from the image captured or the user’s ID. We further note that much of what is collected (OS version strings, available RAM, connection type, and CPU architecture) is also gathered by well-known fingerprinting libraries. Along with the user’s IP address, it is likely that this data is uniquely identifiable, allowing for unpermissioned tracking of the user’s device.”

The paper’s conclusion leaps from a critique of Yoti’s privacy policy to the question of compliance. “Our observations paint a concerning picture of privacy and effectiveness of age verification,” it says, setting up what it wants to be a killing blow.

“Compliance is low – only roughly 14 percent of sites self-labeling as adult content perform age verification in states with mandates.”

From there, the technical research paper takes on an unusually political tone. “The censorship risks inherent in age verification and existing cryptographic proposals extend beyond the sites we examine here,” it says. “Without a significant shift in policy direction, age verification suites may eventually control users’ ability to participate in online speech.”

“Regardless of how age verification is balkanizing the U.S. web, our security and privacy analysis of the most common age verification provider has implications for future free speech debates.”

Yoti offers independent review

Yoti argues the researchers mischaracterized how its platform operates and drew conclusions that are unsupported by the evidence presented in the paper. The company says the research conflates device-level telemetry and network data with biometric information and fails to distinguish between different age-assurance methods offered by the platform.

It is willing to prove this. In his letter, Tombs invites the two schools to “propose an independent cyber security expert to interrogate our technology freely, with any and all access to it facilitated without restriction (save for any necessary for infrastructure and commercial integrity, or compliance with legal obligations), for the purposes of verifying the security and integrity of our age verification platform, and specifically the protection of users’ data including facial images.”

The disagreement reflects broader tensions surrounding age assurance technologies, which are facing increasing demands for transparency as regulators mandate age checks across online services. As age verification becomes more widespread, providers are likely to face growing pressure to demonstrate through independent testing how biometric and identity data are collected, processed and protected.
