I've been telling people for years now not to engage with systems such as these. Some say I'm just being paranoid. But a growing number concerningly reply with either "So? What are they gonna do with it?" or "They already have it, it doesn't matter." Normal people either don't know the dangers present or they don't understand that stopping the flow hurts the machine. And they want neither to know or understand. Apathy or the desire for convenience cannot adequately explain why.
If a city hires a cop who openly accepts bribes, it's a problem for city hall. If they tolerate crooked cops, they are rightly painted as being corrupt as well.
If a government mandates age verification and tolerates companies like Yoti as enforcers of their law, it's exactly the same thing. If politicians aren't willing to see that new laws are enforced with integrity, then these corrupt politicians are the problem and need to face the consequences.
The third-party list on page 12 is not small. The real-time api architecture creates a live, per-query link between a specific user event and every broker in the chain. Batch transfers or delta shares would break that linkage. Zero-knowledge proofs (also mentioned in the study) can prove age without handing anyone a name, document, or photo.
There's no reason Aristotle or Veratad should see who the underlying requestor is. Yoti should receive the verification request, strip the context, make the request - that's it. The fact that it isn't structured that way and they are tagging on additional metadata suggests per-query economics, which creates a direct incentive to route more verifications through more parties, exactly backwards from data minimization. I'm not going to call it a rev share, but the architecture is consistent with one.
Probably worth mentioning that I just did a very informal and quick review of identity/age verification providers because of payment provider requirements. Yoti came up as one of the more privacy focused (relatively) lower friction options because they only require a face scan and try to estimate age based on that. They may do more but that is as far as my research got.
We are definitely entering the era of stupidity.
Who wrote that article hasn't read the paper, just asked some AI to scan it and fudge up an eye catching article.
The article claim things that are not in the paper, that are actually false, the paper does state the face image is actually encrypted on the client side and never says that is shared with third parties. If you prompt your AI with enough bias and ask it to read a technical paper, then this is what happens.
And given no one bothers to check facts there you go, everyone screaming against a legit company that is just doing its job.
The paper itself reports that Yoti has given an amicus brief in a US court where they just stated that age verification can be done in a privacy preserving way (which seems to be what they do, they have nothing to gain from keeping data). I wonder if that is why they are after Yoti so badly now.
The fact this letter takes aim at something the paper doesn't say is pretty damning. The paper alledges that a series of high entropy identifying metadata about the users system is passed to a very large amount of third parties, including the site being visited, and that has potential to link the real identity of the user to the site they are verifying with.
Yoti's letter then gets angry that "face" data is not passed to third parties. That is not what is alleged.
Not to mention the repeated veiled threats about how they "could" sue academics investigating their systems.
Hey Mindwipe, 100% agree the paper doesn't say that face data is passed to third parties, but then the techexplore article from those universities DOES.
That article is the one that this whole thread started on, strangely you are ignoring that.
What's pretty damning is that you make it appear like you know the paper but you claim things that the paper doesn't claim. In the exact same style of those who wrote the article, interesting.
You claim that
"The paper alledges that a series of high entropy identifying metadata about the users system is passed to a very large amount of third parties"
That is FALSE, the paper doesn't say that, it actually says that the high entropy metadata is sent to Yoti servers, actually encrypted with client side keys on top of TLS which makes it impossible for any third party to even read it.
Reporting here extract from the paper:
---
Once the user’s face is properly aligned, the SCM collects and processes a significant amount of data that is sent to Yoti’s servers. In particular, it collects the photo captured from the user’s camera and telemetry, including significant high-entropy browser and device metadata (see Table 2). It also includes data about the camera’s properties, the FPS of the camera stream, and metrics about download and processing times.
The SCM uses some cryptography, which we briefly describe here before returning to its implications in Section 5.5.3. If the image encryption setting is enabled (as it is by default), the SCM encrypts the captured image using AES-GCM with a key and initialization vector (IV) derived in the browser. Similarly, the telemetry and metadata collected is also encrypted under AES-GCM in the browser.
---
Then you claim
"including the site being visited, and that has potential to link the real identity of the user to the site they are verifying with."
Which perfectly highlights the issue, as it seems like you might have gotten that from the Abstract section of the paper.
The great thing is that the paper itself disproves all of that when you read all the details. And anyone can find out that the key section where there is actual sharing of data with third parties (not the visiting site) is when the credit card check method is used for example. Which is pretty inevitable, to do a credit card check you need to use a payment provider which will have to process the data necessary to do that.
15 comments
[ 5.1 ms ] story [ 43.7 ms ] threadPeople need to learn to distrust such systems and exposing failings such as this one is a good way to do it.
We aren't going to be free of this stuff until the average Joe's mom hear of "forced age verification" and associate it to "unsafe".
The rest of the IEEE Symposium on Security and Privacy papers are listed at https://sp2026.ieee-security.org/accepted-papers.html
As far as device fingerprinting goes, this is pretty tame, compared to what something like chatgpt does: https://www.buchodi.com/chatgpt-wont-let-you-type-until-clou...
The far more concerning part are your pictures/document scans getting sent to them.
If a government mandates age verification and tolerates companies like Yoti as enforcers of their law, it's exactly the same thing. If politicians aren't willing to see that new laws are enforced with integrity, then these corrupt politicians are the problem and need to face the consequences.
There's no reason Aristotle or Veratad should see who the underlying requestor is. Yoti should receive the verification request, strip the context, make the request - that's it. The fact that it isn't structured that way and they are tagging on additional metadata suggests per-query economics, which creates a direct incentive to route more verifications through more parties, exactly backwards from data minimization. I'm not going to call it a rev share, but the architecture is consistent with one.
An open letter to Georgia Institute of Technology and University of California, Irvine requesting retraction and correction of false statements
https://www.yoti.com/blog/open-letter-to-georgia-institute-o...
Yoti's letter then gets angry that "face" data is not passed to third parties. That is not what is alleged.
Not to mention the repeated veiled threats about how they "could" sue academics investigating their systems.
It is absolutely incredibly sus as a letter.
What's pretty damning is that you make it appear like you know the paper but you claim things that the paper doesn't claim. In the exact same style of those who wrote the article, interesting.
You claim that "The paper alledges that a series of high entropy identifying metadata about the users system is passed to a very large amount of third parties"
That is FALSE, the paper doesn't say that, it actually says that the high entropy metadata is sent to Yoti servers, actually encrypted with client side keys on top of TLS which makes it impossible for any third party to even read it.
Reporting here extract from the paper: --- Once the user’s face is properly aligned, the SCM collects and processes a significant amount of data that is sent to Yoti’s servers. In particular, it collects the photo captured from the user’s camera and telemetry, including significant high-entropy browser and device metadata (see Table 2). It also includes data about the camera’s properties, the FPS of the camera stream, and metrics about download and processing times.
The SCM uses some cryptography, which we briefly describe here before returning to its implications in Section 5.5.3. If the image encryption setting is enabled (as it is by default), the SCM encrypts the captured image using AES-GCM with a key and initialization vector (IV) derived in the browser. Similarly, the telemetry and metadata collected is also encrypted under AES-GCM in the browser. ---
Then you claim "including the site being visited, and that has potential to link the real identity of the user to the site they are verifying with."
Which perfectly highlights the issue, as it seems like you might have gotten that from the Abstract section of the paper.
The great thing is that the paper itself disproves all of that when you read all the details. And anyone can find out that the key section where there is actual sharing of data with third parties (not the visiting site) is when the credit card check method is used for example. Which is pretty inevitable, to do a credit card check you need to use a payment provider which will have to process the data necessary to do that.