{"690376":{"#nid":"690376","#data":{"type":"news","title":"Online Age Checks Create a Pointless Privacy Risk","body":[{"value":"\u003Cp\u003ENew cybersecurity research indicates that one of the world\u2019s leading age verification providers collects and shares highly sensitive personal data\u2014including facial photos and device fingerprints\u2014with third parties.\u003C\/p\u003E\u003Cp\u003EThe research also reveals that most websites that require age verification don\u2019t enforce the policy.\u003C\/p\u003E\u003Cp\u003EThe findings come from a new paper that researchers from the Georgia Institute of Technology and the University of California, Irvine (UC Irvine) will present at this week\u2019s \u003Ca href=\u0022https:\/\/sp2026.ieee-security.org\/\u0022\u003EIEEE Symposium on Security and Privacy\u003C\/a\u003E conference in San Francisco.\u003C\/p\u003E\u003Cp\u003EThe research team examined \u003Ca href=\u0022https:\/\/www.yoti.com\/\u0022\u003EYoti\u003C\/a\u003E, a London-based company that\u0026nbsp;provides age-verification services for an estimated 60% of websites that require it. Its \u003Ca href=\u0022https:\/\/www.yoti.com\/blog\/digital-identity-company-yoti-receives-12-5-million-funding-from-hsbc\/#:~:text=Meta,NSPCC\u0022\u003Eclient list\u003C\/a\u003E includes Meta, OnlyFans, Sony PlayStation, and TikTok.\u003C\/p\u003E\u003Cp\u003EThe research team determined that the process Yoti uses to verify a person\u2019s age broadcasts the person\u2019s personal information to third- and fourth-party companies.\u003C\/p\u003E\u003Cp\u003EWhen a bartender checks an ID, they quickly verify a customer\u2019s date of birth and identity before serving them. Companies like Yoti that employ digital age verification claim their products function the same way, but in a completely private manner.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EThat analogy has justified laws passed in 25 U.S. states \u2014 comprising more than 40% of Americans \u2014 mandating the use of digital age verification to gate access to social media and adult online content.\u003C\/p\u003E\u003Cp\u003EHowever, by measuring online age verification, researchers reveal that the reality of these systems is far from ideal. The study found that most sites covered by these laws do not appear to enforce age verification.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EWhen sites comply, they force users to use third-party age-verification services like Yoti, which collect and share highly sensitive data with other third parties.\u003C\/p\u003E\u003Cp\u003E\u201cThere have been laws passed and court cases settled on the promise that these companies are incentivized to keep users\u2019 data private\u201d said Assistant Professor \u003Ca href=\u0022https:\/\/mikespecter.com\/\u0022\u003E\u003Cstrong\u003EMichael A. Specter\u003C\/strong\u003E\u003C\/a\u003E at the \u003Ca href=\u0022https:\/\/scp.cc.gatech.edu\/\u0022\u003ESchool of Cybersecurity and Privacy\u003C\/a\u003E. \u201cWe found that reality is starkly different.\u201d\u003C\/p\u003E\u003Cp\u003EDigital age verification laws are being considered by other legislative bodies to bar minors from social media sites. The problem, Specter and his colleagues argue, is that current methods of age verification are ineffective and create new privacy risks.\u003C\/p\u003E\u003Cp\u003E\u201cIn legal arguments, there have been comparisons to these services acting like a bartender checking IDs,\u201d said Specter. \u201cHowever, what is really happening is the bartender is making photocopies of the patron\u2019s license and sending it to their food vendors.\u201d\u003C\/p\u003E\u003Cp\u003EAccording to the researchers, the data is then sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user\u2019s facial image, IP address, and device fingerprint to credit card companies.\u003C\/p\u003E\u003Cp\u003EAside from privacy concerns, researchers note that differing state policies could lead to what they call the Balkanization of the U.S. web. In other words, users may have access to different parts of the internet depending on the state they are in. This will potentially limit the free exchange of ideas and information.\u003C\/p\u003E\u003Cp\u003EAccording to Assistant Professor \u003Ca href=\u0022https:\/\/sites.gatech.edu\/hoppenheimer\/\u0022\u003E\u003Cstrong\u003EHarry Oppenheimer\u003C\/strong\u003E\u003C\/a\u003E of the \u003Ca href=\u0022https:\/\/spp.gatech.edu\/\u0022\u003EJimmy and Rosalynn Carter School of Public Policy\u003C\/a\u003E, users are already accustomed to experiencing the internet differently across countries. However, this may signal the beginning of similar fragmentation within the United States.\u003C\/p\u003E\u003Cp\u003E\u201cWe are going to start seeing comparable differences between U.S. states,\u201d said Oppenheimer. \u201cUsers in some states will now have to go through additional steps to access information. Close your laptop in New York before a flight to Dallas and try to load the same web page\u2014now you see two different results.\u201d\u003C\/p\u003E\u003Cp\u003E\u201cWe also observed age verification deployed on websites accessed from New York, which has no law requiring verification,\u201d said Associate Professor \u003Ca href=\u0022https:\/\/pearce.prof\/\u0022\u003E\u003Cstrong\u003EPaul Pearce\u003C\/strong\u003E\u003C\/a\u003E\u003Cstrong\u003E \u003C\/strong\u003Eof UC Irvine\u2019s \u003Ca href=\u0022https:\/\/cs.ics.uci.edu\/\u0022\u003EDepartment of Computer Science\u003C\/a\u003E.\u003C\/p\u003E\u003Cp\u003E\u201cWe don\u2019t know why these sites are deploying such verification\u2014it could be a move to limit liability or simplify operations. Regardless, it points to an emerging threat for the open Internet where restrictive laws from some states could impact the entire country and beyond.\u201d\u003C\/p\u003E\u003Cp\u003E\u201cThis is why we can\u2019t have nice things,\u201d Specter added.\u003C\/p\u003E\u003Cp\u003EThe study, \u003Ca href=\u0022https:\/\/mikespecter.com\/assets\/pdf\/AgeVerification.pdf\u0022\u003E\u003Cem\u003EPapers Please: A First Look at Age Verification on the Web\u003C\/em\u003E\u003C\/a\u003E\u003Cem\u003E,\u003C\/em\u003E was led by Georgia Tech Ph.D. student \u003Cstrong\u003EShreyas Minocha\u003C\/strong\u003E, undergraduate Isaac Sheridan, and Oppenheimer, Pearce, and Specter. It is part of the proceedings of the 47th IEEE Symposium on Security and Privacy and will be presented in San Francisco on May 20.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003ENew cybersecurity research indicates that one of the world\u2019s leading age verification providers collects and shares highly sensitive personal data\u2014including facial photos and device fingerprints\u2014with third parties.\u003C\/p\u003E\u003Cp\u003EThe research also reveals that most websites that require age verification don\u2019t enforce the policy.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"New cybersecurity research indicates that one of the world\u2019s leading age verification providers collects and shares highly sensitive personal data with third parties and in some cases don\u0027t even enforce the policy.."}],"uid":"36253","created_gmt":"2026-05-19 15:01:23","changed_gmt":"2026-05-19 15:11:59","author":"John Popham","boilerplate_text":"","field_publication":"","field_article_url":"","location":"Atlanta, GA","dateline":{"date":"2026-05-19T00:00:00-04:00","iso_date":"2026-05-19T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"680309":{"id":"680309","type":"image","title":"Digital-ID.jpg","body":null,"created":"1779203176","gmt_created":"2026-05-19 15:06:16","changed":"1779203176","gmt_changed":"2026-05-19 15:06:16","alt":"A hand holds up a digital identification card. The card has the silhouette of a man wearing a suit and tie. ","file":{"fid":"264556","name":"Digital-ID.jpg","image_path":"\/sites\/default\/files\/2026\/05\/19\/Digital-ID.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2026\/05\/19\/Digital-ID.jpg","mime":"image\/jpeg","size":1508599,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2026\/05\/19\/Digital-ID.jpg?itok=M-WXTSUO"}}},"media_ids":["680309"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"1188","name":"Research Horizons"},{"id":"660367","name":"School of Cybersecurity and Privacy"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"135","name":"Research"}],"keywords":[{"id":"365","name":"Research"},{"id":"187915","name":"go-researchnews"},{"id":"182941","name":"cc-research; ic-cybersecurity; ic-hcc"},{"id":"1404","name":"Cybersecurity"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJohn Popham\u003C\/p\u003E\u003Cp\u003ECommunications Officer II at the School of Cybersecurity and Privacy\u003C\/p\u003E","format":"limited_html"}],"email":["jpopham3@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}