Digital ID Verification through Tea App May Jeopardize User Data, Providing Opportunities for Misuse | Yet Another Argument for Opposing Digital ID Implementation
The data breach at the women-centric dating app Tea, which exposed tens of thousands of selfies and government-issued IDs, serves as a stark warning about the dangers of digital ID verification. The app, which marketed itself as creating a safer dating ecosystem by weeding out imposters and creeps through ID-based gatekeeping, left its Firebase server open to anyone with a link.
The Tea data breach involved the collection of 72,000 images, selfies, and IDs, which were stored in an open Firebase bucket. Despite the breach, the app remains active on the App Store and Google Play, with no executives resigning or regulators intervening.
The incident underscores the idiocy of digital ID verification as a privacy safeguard. The data breach at Tea was not due to a masterful hack, but because it left the front door open and taped the key to the welcome mat.
The UK's Online Safety Act, a new legislation, mandates sweeping age verification, requiring users to hand over their ID to participate in various internet platforms. However, this centralisation of priceless identity data in systems vulnerable to breaches could lead to the repetition of similar incidents. If implemented widely, the Online Safety Act could turn every minor app and niche site into a potential surveillance node, similar to Tea's data breach.
The potential risks and consequences of the Act include privacy concerns, possible exclusion or inconvenience for users, and challenges related to data security and effectiveness. Users must prove their age through methods like facial scans, official ID (passport, driver's license), bank or mobile provider checks, or email-linked utility bills. Although there are safeguards designed to verify age without storing personal data or revealing identity, critics worry that requiring digital ID could expose users to unwanted data collection, tracking, or surveillance risks.
For example, verification processes might involve third-party services like Yoti, raising concerns about how biometric and personal data are handled. Age verification requirements have been described as unpopular and could create barriers for people who do not possess acceptable ID or discomfort with biometric systems, potentially limiting access to legal content. This could disproportionately affect vulnerable groups, including young adults without official ID or those wary of sharing personal information online.
Despite robust checks, users might attempt to bypass restrictions using VPNs or other technical means. However, VPNs may not guarantee anonymity due to multiple tracking technologies (IP address, GPS, cookies, device fingerprinting), thus complicating enforcement.
By requiring proof of age to access a wide range of online services—including social media, search engines, and adult content—there is concern that the Act imposes governmental control over what content users can legally access, potentially affecting free expression and access to valuable information for younger or privacy-conscious users.
Online services in scope face significant obligations, with heavy fines (up to 10% of global revenues) or court blocks if they fail to comply. This may lead platforms to adopt stricter controls or alter services, impacting user experience and content availability.
The government and regulator Ofcom state that age checks must confirm age securely and proportionally without unnecessary collection of personal data, using techniques such as facial age estimation that do not store images. However, privacy advocates remain concerned about the potential for data misuse or insufficient safeguards.
In summary, the UK's Online Safety Act age verification requirements introduce risks related to privacy infringements, user access difficulties, circumvention attempts, and greater regulatory control over online content, balanced against aims to better protect minors from harmful material. The Tea data breach serves as a reminder of the importance of proper data security measures in the digital age.
[1] Privacy International. (2021). Age verification: A privacy minefield. Retrieved from https://www.privacyinternational.org/campaigns/age-verification
[2] The Guardian. (2021). VPNs may not guarantee anonymity online, warn experts. Retrieved from https://www.theguardian.com/technology/2021/mar/08/vpn-may-not-guarantee-anonymity-online-warn-experts
[3] Open Rights Group. (2021). Online Safety Bill: A threat to free speech and privacy. Retrieved from https://www.openrightsgroup.org/ourwork/issues/online-safety-bill
[4] Big Brother Watch. (2021). Online Safety Bill: A threat to privacy and free speech. Retrieved from https://bigbrotherwatch.org.uk/2021/03/23/online-safety-bill-a-threat-to-privacy-and-free-speech/
[5] The3rdi. (2021). Online Safety Bill: A threat to privacy and free expression. Retrieved from https://the3rdi.org/2021/03/23/online-safety-bill-a-threat-to-privacy-and-free-expression/
- The Tea incident shows that digital ID verification may compromise privacy, as it centralizes sensitive data in systems that are susceptible to breaches, much like the potential risks posed by the UK's Online Safety Act's age verification requirements.
- With the Online Safety Act, users could be required to provide a digital ID, raising concerns about possible data-and-cloud-computing security issues, like those evident in the Tea data breach, as well as the potential for increased surveillance and limitations on free expression.
