We’re flagging something that, if true, should make anyone handing over ID data for online age checks uncomfortable. Yoti, the age verification tool reportedly used by “60 percent” of sites that require age checks — including PlayStation, Meta, and TikTok — is at the center of a new privacy fight, according to Kotaku.
What Was Reported
Per Kotaku, a paper titled “Papers, Please: A First Look at Age Verification on the Web” was presented at the IEEE Symposium on Security and Privacy on May 18. The report, produced by researchers from the Georgia Institute of Technology and the University of California, allegedly found that Yoti “collects significant private information beyond what is strictly necessary to verify age” and that it “collects a significant amount of high-resolution data about the user’s device.”
The researchers call out a number of specific pieces of device metadata that are gathered during Yoti checks, including:
- OS version strings
- Available RAM
- Connection type
- CPU architecture
Those data points are described in the report as “uniquely identifiable” and potentially usable for “unpermissioned tracking of the user’s device.”
The Source & Credibility
We’re basing this on what Kotaku reported after the paper’s presentation. Futurity also reportedly spotted the paper. The research was presented at an established conference — the IEEE Symposium on Security and Privacy — and is attributed to academics at the Georgia Institute of Technology and the University of California, which adds institutional weight to the claims.
Important caveats, if true: the paper alleges that Yoti “relies on sharing sensitive user information with several less user-visible fourth parties”, and explicitly names the payment processor Stripe as one of these fourth parties. The report says Stripe “collects significant telemetry that could likely be used to uniquely identify a device”, and that some of this telemetry was scraped from the first-party site used to run Yoti checks.
Take this with a pinch of salt: the researchers also say that Yoti indicated they have fixed the issue with Stripe learning the first-party website, but the paper’s authors were unable to confirm that claim. That unresolved confirmation is a key detail — the company’s claim of a fix is noted, but not independently verified by the researchers.
What It Could Mean
Allegedly, if the report’s findings hold up under further scrutiny, there are two overlapping problems. First, the collection of high-entropy device and browser metadata during what users expect to be a limited age-check process raises obvious privacy flags. The paper’s wording — that data could be used for “unpermissioned tracking” — is direct on the potential for cross-site or long-term device fingerprinting.
Second, the involvement of third and fourth parties like Stripe in telemetry collection complicates trust. The paper claims that Yoti shares sensitive user information with several less user-visible fourth parties, and that at least one of those parties collects telemetry that could uniquely identify a device. Researchers say Yoti has since indicated a fix for the Stripe issue, but they couldn’t verify the claim.
We’re cautious about leaping to worst-case scenarios — again, take this with a pinch of salt — but the combination of high-resolution device data and third-party telemetry collection is the sort of thing privacy advocates worry about, especially when it’s part of something as common as an age-verification flow.
Short-Term Questions
- Have sites that use Yoti changed their implementation since the paper was presented?
- Was any previously-collected telemetry retained by third parties after the alleged “bug” was fixed?
- Will companies using the service disclose what’s being shared with these fourth parties?
Why This Matters
We’re covering this because age verification sits at a sensitive intersection of identity and access. People hand over identity documents or scans to prove their age; if that process also exposes device fingerprints or feeds telemetry into systems that can uniquely identify devices, the privacy trade-offs are much bigger than most users expect.
Yoti’s apparent market footprint — reportedly used by “60 percent” of sites that require age checks — means the scope is potentially large. If true, the report’s claims merit scrutiny, transparency from vendors and platform partners, and independent verification. We’ll be watching for follow-ups from the researchers, statements from Yoti, and any responses from the platforms named — and we urge readers to take these findings seriously but with measured skepticism until more confirmation appears.
