Yoti presses universities for evidence, weighs legal action over age assurance paper

Yoti has escalated its dispute with academics from Georgia Tech and UC Irvine, sending a second letter pressing the universities to determine whether the researchers can substantiate allegations that its age assurance platform shares users’ facial images and other personal data with third parties.

The UK digital ID company has already asked for a retraction of an academic paper presented at the 47th IEEE Symposium on Security and Privacy, in which researchers claim that Yoti collects and shares highly sensitive personal data including facial photos with third parties. The UK company wrote an open letter to provosts at the Georgia Institute of Technology and UC Irvine, where the authors are based, calling the allegations “wholly false,” and inviting the two schools to bring in an independent cyber security expert to “interrogate our technology freely, with any and all access to it facilitated without restriction,” to independently assess the claims made in the research.

Posting on LinkedIn this week, Yoti CEO Robin Tombs says that a week after sending the letter, the company “heard back that our letter is being reviewed – but nothing more since.”

“Today we have emailed a second letter. The provosts of these two prestigious universities need to show leadership and check if the academics behind that damaging allegation have shared with the universities’ legal teams any credible supporting evidence.”

The new letter expresses concerns that the paper’s “news” has been picked up by large publications, which has “significantly exacerbated the damage caused by the false statements and harm suffered.”

The letter also gestures at deeper legal action in noting that “at least one of the authors of the paper, Shreyas Minocha, also published without restriction what appears to be a reverse engineered copy of our proprietary source code for our Secure Image Capture tool, together with a bypass method.”

“This was done without any contact with us nor giving us the opportunity to fix the bypass.”

The authors, says Yoti, have themselves ignored basic best practices in reporting and ethical hacking; Tombs’ post accuses the academics of trying to “conjure up sizzle” before the IEEE conference.

In short, Yoti has turned the key on its legal apparatus, and is “taking advice on our rights of action” against both schools and the authors of the paper.

Dispute highlights tensions over age assurance scrutiny

The dispute highlights growing tensions between age assurance providers and academic researchers as governments increasingly mandate age checks for online services. Vendors face mounting pressure to demonstrate transparency and withstand independent scrutiny, while arguing that inaccurate or unsupported claims can damage trust in technologies that remain politically and commercially contentious.

The latest exchange follows Yoti’s public offer to submit its technology to an independent cybersecurity review chosen by the universities. To date, neither institution has publicly responded to that proposal.

Yoti continues to invite an independent review of its technology, while the universities have yet to publicly respond to the company’s latest requests. Whether the dispute is resolved through technical review, academic processes or legal action remains unclear.

Article Topics

age verification  |  biometric data  |  biometrics research  |  data privacy  |  data sharing  |  Yoti