Online Age Checks Create a Pointless Privacy Risk

New cybersecurity research indicates that one of the world’s leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties.

The research also reveals that most websites that require age verification don’t enforce the policy.

The findings come from a new paper that researchers from the Georgia Institute of Technology and the University of California, Irvine (UC Irvine) will present at this week’s IEEE Symposium on Security and Privacy conference in San Francisco.

The research team examined Yoti, a London-based company that provides age-verification services for an estimated 60% of websites that require it. Its client list includes Meta, OnlyFans, Sony PlayStation, and TikTok.

The research team determined that the process Yoti uses to verify a person’s age broadcasts the person’s personal information to third- and fourth-party companies.

When a bartender checks an ID, they quickly verify a customer’s date of birth and identity before serving them. Companies like Yoti that employ digital age verification claim their products function the same way, but in a completely private manner. 

That analogy has justified laws passed in 25 U.S. states, home to more than 40% of Americans, mandating the use of digital age verification to gate access to social media and adult online content.

However, by measuring online age verification, researchers reveal that the reality of these systems is far from ideal. The study found that most sites covered by these laws do not appear to enforce age verification. 

When sites comply, they force users to use third-party age-verification services like Yoti, which collect and share highly sensitive data with other third parties.

“There have been laws passed and court cases settled on the promise that these companies are incentivized to keep users’ data private,” said Assistant Professor Michael A. Specter at the School of Cybersecurity and Privacy. “We found that reality is starkly different.”

Digital age verification laws are being considered by other legislative bodies to bar minors from social media sites. The problem, Specter and his colleagues argue, is that current methods of age verification are ineffective and create new privacy risks.

“In legal arguments, there have been comparisons to these services acting like a bartender checking IDs,” said Specter. “However, what is really happening is the bartender is making photocopies of the patron’s license and sending it to their food vendors.”

According to the researchers, the data is then sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.

Aside from privacy concerns, researchers note that differing state policies could lead to what they call the Balkanization of the U.S. web. In other words, users may have access to different parts of the internet depending on the state they are in. This will potentially limit the free exchange of ideas and information.

According to Assistant Professor Harry Oppenheimer of the Jimmy and Rosalynn Carter School of Public Policy, users are already accustomed to experiencing the internet differently across countries. However, this may signal the beginning of similar fragmentation within the United States.

“We are going to start seeing comparable differences between U.S. states,” said Oppenheimer. “Users in some states will now have to go through additional steps to access information. Close your laptop in New York before a flight to Dallas and try to load the same web page—now you see two different results.”

“We also observed age verification deployed on websites accessed from New York, which has no law requiring verification,” said Associate Professor Paul Pearce of UC Irvine’s Department of Computer Science.

“We don’t know why these sites are deploying such verification—it could be a move to limit liability or simplify operations. Regardless, it points to an emerging threat for the open Internet where restrictive laws from some states could impact the entire country and beyond.”

“This is why we can’t have nice things,” Specter added.

The study, Papers Please: A First Look at Age Verification on the Web, was led by Georgia Tech Ph.D. student Shreyas Minocha, undergraduate Isaac Sheridan, Oppenheimer, Pearce, and Specter. It is part of the proceedings of the 47th IEEE Symposium on Security and Privacy and will be presented in San Francisco on May 20.