Third/Fourth Party Risk Management and Age Verification

Third party risk management, illustrated by a locked safe connected to a breached safe.

Let’s say a bar wants to check the ages of its patrons, but does not want to use the patron’s physical ID card (in my country, usually a driver’s license).

But a bar cannot perform digital age verification on its own. The bar has to contract with some other entity that knows how to do this.

This freaks some people out…massively.

“New cybersecurity research indicates that one of the world’s leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties.”

The research, conducted by the Georgia Institute of Technology and UC Irvine, focused on one of the big age verification vendors, Yoti.

“The research team determined that the process Yoti uses to verify a person’s age broadcasts the person’s personal information to third- and fourth-party companies….

“According to the researchers, the data is…sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.”

Yet to my knowledge the researchers did not propose an alternative.

Other than having each entity develop its own age verification system. Perhaps someone like Meta could do that, but Frank’s Bar certainly couldn’t.

Age verification is not unique in terms of data sharing. Third Party and Fourth Party Risk Management (TPRM) vendors encounter these issues all the time. And yes, sometimes companies that have other companies’ data are hacked. That’s why they use TPRM in the first place.

And don’t forget that if you don’t use digital age verification, you’re going to use physical age verification, where the guy behind the bar learns EVERYTHING about you. I don’t think that’s necessarily better.

It’s time to think through the consequences of abandoning technology.
