A case in Spain illustrates how far the debate over age verification on social media and other online platforms has drifted from reality. The Spanish Data Protection Agency (AEPD) recently fined the company Yoti €950,000 for setting up a biometric identity system that, according to the AEPD, breached the GDPR in three ways. Yoti's selfie function alone accounted for €500,000 of the penalty, as it enables the unique identification of an individual and therefore falls under the regulation's special category protections.
The AEPD imposed a further €250,000 fine for storing geolocation data for five years. A third penalty of €200,000 followed over data retention violations. Yoti had been keeping falsified identity data submitted during failed verification attempts beyond its original purpose and using it to train its algorithms. In effect, identity verification attempts that amounted to fraud were repurposed as training material, without the consent of the individuals involved.
Surface-level security
Yoti is an app designed to allow users to verify their age without entering personal data. Founded in London in 2014 by Robin Tombs, the company specialises in artificial intelligence-driven age verification. Yoti's defining feature is that users are not required to provide their date of birth or upload official identification. Instead, the system relies on neural networks trained on millions of data points to estimate age from a single image. Therefore, in theory, a photo is enough to determine how old someone is.
In practice, this technology, once presented as highly secure, is proving inadequate when it comes to robust data protection. The Yoti case also exposes how poorly conceived many proposed age verification regulations are. Governments appear to be attempting to legislate their way out of a problem that may not have a workable solution. This is compounded by the complexity of data protection laws across the European Union, some of which were introduced by the same policymakers now advocating stricter controls.
No good idea goes unpunished
As a result, an innovative company has fallen foul of regulators. Yoti has strongly criticised the AEPD's decision and has lodged an appeal with Spain's Supreme Court. On its website, the company states: 'Importantly, we can reassure our Digital ID app users and clients that no personal data of any app user has been breached or compromised in any way'. Interestingly, in its press release on the investigation, Yoti noted: 'We fully cooperated with the AEPD's information requests, but we were never notified that we were under investigation.'
The broader implication is that countries introducing age verification will need to establish and rely on a system of trusted third-party providers. Neither governments nor tech companies should have access to personal or biometric data. A possible model would involve platforms issuing tokens that confirm a user's age without revealing their identity. Yet even if such a system were accepted globally, it would present an obvious target, and it would only be a matter of time before an intelligence agency tried to gain access to it. After all, who wouldn't want to get their hands on a database containing the personal data of millions, if not billions, of people, including age, address and biometric data?
The defenceless citizen
The risks are not hypothetical. Last year, Discord disclosed that a similar age verification provider had been hacked. Personal data from around 70,000 users, including official identification documents, was compromised in a single breach. That information is now likely in the hands of cyber criminals. It is just one incident involving a single provider, and such providers are clear targets for state-backed hacking operations.
If a database linking people's real-world identities to their online footprint were to fall into the hands of intelligence agencies or criminals, the consequences would be severe. This is precisely the kind of dataset that foreign intelligence services are desperate to obtain. Beyond the prospect of domestic state surveillance, mandatory age verification could expose citizens to hostile intelligence agencies capable of blackmailing them into espionage and other criminal activities. Aside from the technical challenges, such systems pose an incalculable security risk.