You can find me in da club, database full of faces… but this ain't privacy watchers' jam

Facial recognition app promises to verify your age to bouncers

By Rebecca Hill


Five clubs in Bournemouth are now accepting ID in the form of an app that verifies who you are through facial recognition – to the disdain of privacy activists.

The town is the first in the UK to accept the digital identity app Yoti, which claims to offer users a safer way to prove they are who they claim to be.

Users sign up to Yoti, which verifies their face and identification, and acts as a trusted third party when the person gets to the club and scans their Yoti app at the door.

Cameo, Halo, Truth, Yates and Walkabout rolled out the tech on Wednesday night.

The first step in the sign-up process is for a user to send a selfie and a live video clip of them saying three words to Yoti, and then use their phone camera to scan their ID, such as a driving licence or passport.

The biz then verifies that the faces match using facial recognition technology, and claims to carry out "additional checks" to ensure the ID is authentic.

Emma Butler, the data protection officer for Yoti, said that not all these checks are automated, and that there is a team of people trained to spot potentially fraudulent docs.

But the biz told The Register that it can't say any more about those checks in case someone games it – so we don't know, for instance, if the team works with the issuing agencies to guarantee the documents.

Yoti also lays its privacy and security credentials on thick, trotting out phrases like "advanced hybrid encryption" and "secure 'cleanroom'" in its PR puff.

But Alan Woodward, a security researcher at the University of Surrey, said: "If they want the security community to take a look they need to provide a lot more detail.

"Unless they are willing to open it up to such scrutiny I'd suggest anyone thinks twice before entrusting their most valuable ID documents to them. Security through obscurity is no security at all."

However, Yoti is bullish about its security systems, so much so that it points to high-profile hacks like Equifax and Uber as examples of what can go wrong without a new approach.

"Because, despite what the pundits say, the Pandora's Box of personal data can be sealed again," co-founder and CEO Robin Tombs said in a blogpost.

Its answer is to encrypt each piece of information – date of birth, name, address and so on – individually using different 256-bit keys, and store it separately in the biz's UK data centres.

"They can only be retrieved and put back together using the private keys stored on your device," the firm said.

"So, even if our database was breached, hackers would only see a random jumble of data from millions of different users. Just names, dates of birth, genders... nothing to connect them together to create a meaningful profile."

Users need a PIN and their face to log into the app on their phone and Yoti insists it can't access any of its users' data, ever. The ID documents, meanwhile, are stored for seven days while the details are verified.

When they want to get into the club, they choose what type of data to hand over – like date of birth – without having to pass on their name or address at the same time.
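The storage model the firm describes (a separate 256-bit key per attribute, records held apart, the linking keys kept on the phone) and the hand-over of a single attribute can be sketched as below. This is an added illustration, not Yoti's code or design, which the firm has not disclosed; the `Server` and `Device` classes, field names and sample values are constructed, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real AEAD such as AES-256-GCM so the block runs on the standard library alone.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stand-in for a real cipher (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC under one 256-bit key; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Stores record id -> ciphertext only: no user id, field name or key."""
    def __init__(self):
        self.records = {}
    def put(self, blob):
        rid = secrets.token_hex(16)      # random id, so records are unlinkable
        self.records[rid] = blob
        return rid

class Device:
    """Holds the only index tying one user's records together, plus the keys."""
    def __init__(self, server):
        self.server, self.index = server, {}
    def enrol(self, attributes):
        for field, value in attributes.items():
            key = secrets.token_bytes(32)            # separate 256-bit key per field
            self.index[field] = (self.server.put(seal(key, value.encode())), key)
    def disclose(self, fields):
        """Decrypt and release only the requested attributes."""
        return {f: unseal(self.index[f][1], self.server.records[self.index[f][0]]).decode()
                for f in fields}

if __name__ == "__main__":
    phone = Device(Server())
    phone.enrol({"name": "Alex Example", "date_of_birth": "1995-04-12"})  # constructed
    print(phone.disclose(["date_of_birth"]))
```

Each stored blob here is the plaintext length plus 48 bytes, so an unpadded store still lets records be sorted by size, and the unlinkability holds only if the server keeps nothing else that ties record ids to an account.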

They scan a QR code, which shows the bouncer their pic and date of birth and the bouncer checks that picture with the person in front of them. Every time the user hands over some of the information, both parties get a receipt that creates an audit trail.

At this point it's worth noting that some police and licensing authorities now require clubs to keep a record of club-goers, leading to a rise in compulsory ID scanning (no, El Reg hasn't been out in a while, either).

Butler argued that using Yoti means people are handing over less data to the club, because it is limited to the salient points of face and date of birth.

However, privacy activists see the use of facial recognition technology to verify your ID just to get into a club as a step too far.

"This software uses a biometric analysis of its users' faces, creating data that is as sensitive as DNA or fingerprints," said Big Brother Watch.

"The growing prevalence of facial recognition in China has caused great controversy, yet this intrusive technology is now being normalised and trivialised in the UK. We are deeply concerned by such casual use of biometric checks." ®
