Introduction to the Concerns
A disturbing report from the Georgia Institute of Technology and the University of California, presented at the IEEE Symposium on Security and Privacy on May 18, has shed light on alarming privacy issues related to Yoti, the age verification platform used by approximately 60% of websites requiring age checks, including prominent names like PlayStation, Meta, and TikTok. The study, titled "Papers, Please: A First Look at Age Verification on the Web," reveals that Yoti's methods not only collect substantial private user information beyond what age verification requires but also share this data with several less transparent fourth parties.
For PlayStation users, this raises immediate concerns about the security and privacy of the personal data provided during the age verification process. Given the widespread use of Yoti, the implications are far-reaching, affecting not just gamers but any individual using services that rely on this software for age verification. The primary worry is whether the data collected is strictly necessary for verifying age or if it serves other, potentially invasive purposes.
Data Collection Beyond Necessity
The report meticulously outlines how Yoti's age verification software accumulates a significant amount of high-resolution data about the user's device. This includes, but is not limited to:
- OS version strings
- The amount of available RAM
- Connection type
- CPU architecture
Critics argue that such detailed device information is not required for estimating a user's age, leading to speculation about its actual use. Moreover, because the combination of these values can uniquely identify a device, the collected data poses a significant risk: it could be used to track the user's device across different platforms without the user's permission.
This level of data collection has serious implications for user privacy. By gathering such specific device information, Yoti (and by extension, the services using Yoti) could potentially track users' behavior across the web, even when they are not actively using the verified service. This violates the principle of data minimization, a core data protection concept that dictates collecting only the information necessary to achieve the intended purpose—in this case, age verification.
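To make the "uniquely identifiable" point concrete, the following added example (not taken from the paper or from Yoti's code) measures how much identifying information the four listed attributes carry, alone and combined. The device population and the field names `osVersion`, `ramGb`, `connection` and `cpuArch` are constructed for illustration.

```javascript
// Constructed sample population (not data from the paper): eight devices
// described by the four attribute kinds listed above. Field names are hypothetical.
const DEVICES = [
  { osVersion: "Windows 10.0.19045", ramGb: 8, connection: "4g", cpuArch: "x86" },
  { osVersion: "Windows 10.0.19045", ramGb: 8, connection: "4g", cpuArch: "x86" },
  { osVersion: "Windows 10.0.19045", ramGb: 4, connection: "4g", cpuArch: "x86" },
  { osVersion: "Windows 10.0.22631", ramGb: 8, connection: "4g", cpuArch: "x86" },
  { osVersion: "macOS 14.4.1", ramGb: 8, connection: "4g", cpuArch: "arm" },
  { osVersion: "macOS 14.4.1", ramGb: 8, connection: "3g", cpuArch: "arm" },
  { osVersion: "Android 14", ramGb: 4, connection: "4g", cpuArch: "arm" },
  { osVersion: "Android 13", ramGb: 2, connection: "3g", cpuArch: "arm" },
];
const ALL_FIELDS = ["osVersion", "ramGb", "connection", "cpuArch"];

// Count how many devices share each combination of values for the chosen fields.
function groupByFields(devices, fields) {
  const groups = new Map();
  for (const d of devices) {
    const key = JSON.stringify(fields.map((f) => d[f]));
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return groups;
}

// Shannon entropy in bits of the value distribution over the chosen fields.
function entropyBits(devices, fields) {
  let h = 0;
  for (const count of groupByFields(devices, fields).values()) {
    const p = count / devices.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Number of devices whose combination of values is shared with no other device.
function uniquelyIdentified(devices, fields) {
  let n = 0;
  for (const count of groupByFields(devices, fields).values()) {
    if (count === 1) n += 1;
  }
  return n;
}

for (const f of ALL_FIELDS) {
  console.log(f, entropyBits(DEVICES, [f]).toFixed(2), "bits");
}
console.log("combined:", entropyBits(DEVICES, ALL_FIELDS), "bits;",
  uniquelyIdentified(DEVICES, ALL_FIELDS), "of", DEVICES.length, "devices unique");
```

In this sample no single attribute singles out most devices, yet the combination leaves six of the eight with a fingerprint nobody else shares, which is why data minimization is judged on the set of fields collected rather than on each field alone.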
Sharing with Less Visible Third Parties
Perhaps the most alarming revelation is Yoti's practice of sharing sensitive user information with several fourth parties that are less visible to the user, notably including the payment processor Stripe. According to the paper, Stripe collects substantial telemetry that could uniquely identify a device. This includes scraping information from the first-party website where the age verification via Yoti's software takes place. The researchers emphasize that Yoti gathers "significant private information beyond what is strictly necessary to verify age, including high-entropy browser and device metadata, and other granular telemetry."
The involvement of Stripe and other unnamed parties introduces a layer of complexity regarding data handling and security. Users are often unaware of these secondary transactions of their data, highlighting a lack of transparency in the age verification process. The fact that Yoti referred to the issue with Stripe as a "bug" and claimed it has been fixed (without independent confirmation) only adds to the uncertainty surrounding the secure handling of user data.
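A site operator or auditor can check for this kind of onward sharing by reviewing the requests a browser makes during the age check. The following added example (not from the paper, Yoti or Stripe) flags requests that carry device metadata or the first-party page address to a host outside the expected set; all hostnames, field names and payloads are constructed placeholders.

```javascript
// Constructed capture of requests observed during an age check. Hostnames,
// field names and payloads are placeholders, not real endpoints or traffic.
const CAPTURE = [
  { url: "https://verify.example/api/estimate",
    body: { image: "<redacted>", device: { cpuArch: "arm" } } },
  { url: "https://telemetry.payments.example/v1/m",
    body: { env: { osVersion: "Android 14", ramGb: 4, connection: "4g" },
            pageUrl: "https://shop.example/age-check" } },
  { url: "https://cdn.example/font.woff2", body: null },
  { url: "https://shop.example/session", body: { token: "abc" } },
];

// Hosts the user can reasonably expect: the first-party site and the verifier.
const EXPECTED_HOSTS = new Set(["shop.example", "verify.example"]);

// Hypothetical payload keys that describe the device or the first-party page.
const SENSITIVE_FIELDS = new Set(
  ["osVersion", "ramGb", "connection", "cpuArch", "pageUrl"]);

// Walk a nested payload and collect every key that names a sensitive attribute.
function sensitiveKeys(value, found = []) {
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (SENSITIVE_FIELDS.has(k)) found.push(k);
      sensitiveKeys(v, found);
    }
  }
  return found;
}

// Return one finding per request that sends sensitive fields to an unexpected host.
function unexpectedRecipients(capture) {
  const findings = [];
  for (const req of capture) {
    const host = new URL(req.url).hostname;
    if (EXPECTED_HOSTS.has(host)) continue; // expected recipient, not a finding
    const keys = sensitiveKeys(req.body);
    if (keys.length > 0) findings.push({ host, keys: keys.sort() });
  }
  return findings;
}

console.log(JSON.stringify(unexpectedRecipients(CAPTURE), null, 2));
```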
Response and Uncertainty
Following the report's publication, Yoti acknowledged the issue with Stripe and indicated that it has been resolved. However, the researchers were unable to verify this claim, leaving a cloud of uncertainty over whether the fix adequately addresses the privacy concerns. Moreover, the status of the data previously shared with Stripe—and potentially other parties—remains unclear, raising questions about data retention policies and the long-term implications for user privacy.
This situation underscores the need for heightened transparency and stricter regulation of data collection practices in age verification services. Users of platforms like PlayStation, who may not fully comprehend the extent of data sharing involved, are particularly vulnerable. As the digital landscape evolves, ensuring that privacy is prioritized alongside functionality is crucial for maintaining user trust.
Implications for PlayStation Users and Beyond
The findings of this report have broad implications for the gaming community, especially those using PlayStation and other services reliant on Yoti. It emphasizes the importance of being mindful of the data provided during age verification and the potential for unintended consequences of such data collection. For PlayStation, addressing these concerns promptly is essential to reassure its user base about the privacy and security of their personal information.
Beyond the gaming sector, this issue reflects a broader challenge in the digital age: balancing the need for age verification with the right to privacy. As more services integrate age verification tools, the demand for transparent, privacy-centric solutions will only grow. Initiatives that prioritize data minimization and user consent are likely to gain favor as awareness of these issues increases.



