Yoti

United for a safer internet with OSTIA

We’re honoured to be one of the founding members of the Online Safety Tech Industry Association (OSTIA), a new UK industry body dedicated to tackling online safety.

The group brings together advisory bodies and tech companies in a shared goal of making the internet safer and hopes to provide a voice of hope by offering solutions to address key issues in a complex debate so often focused on what can’t be done. With support from the National Crime Agency, GCHQ, the Home Office and the NSPCC, the group will serve as a forum for companies working on potential solutions and create collective influence on policy, regulation and broader support for the sector.

Our Scotland Lead, Gordon Scobbie, sits on the board on behalf of Yoti and has long been committed to safeguarding and online safety issues. After operating at every level in UK policing from constable to chief officer, he saw first-hand the scale of online grooming and sexual abuse. He now steers our work with the Scottish Improvement Service and is Deputy Chair of the Board of Trustees on the Marie Collins Foundation (MCF).

We caught up with Gordon to hear about what this means for the future of online safety.

How did OSTIA come about?

The group came out of a 2019 roundtable event that explored online harms, run by Edinburgh-based security firm Cyan Forensics and public sector startup body Public, and chaired by Joanna Shields.

We collectively realised that we had broad agreement between those attending the roundtable that there was a need for smaller technology companies involved in online safety to have a louder voice and the best way to achieve this would be to act collaboratively and collectively.

Several members of this initial roundtable session continued this work and OSTIA was born, being launched in March 2020.

What does OSTIA hope to achieve?

We are committed to making the internet a safer place to be and believe that the tech industry has a lot to offer right now to get us closer to that goal.

The UK is a world leader when it comes to innovative technology in this space, and with many small, agile companies at the forefront. Through our collective voice, we want to make sure solutions are known and deployed to help keep people safe online. Our involvement with DCMS has been really helpful in raising awareness of the availability of innovative safety tech and through engagement with regulators such as OFCOM. We’re raising greater awareness in this area of what we are currently capable of implementing, and where this is (and is not) being actively deployed.

What perspective or expertise do you add to the group?

My background spans 33 years in the UK police force, and in the later stages of my career, I was the National Chief Police Lead for social media and online engagement. I’ve spent the last 8 years in the commercial world, working for technology companies spanning global corporations to smaller start-ups. I have a solid understanding of how technology can help keep people safe online and know firsthand the ways it could be used to support law enforcement in the difficult job they have.

What role can Yoti play?

We are a company that puts privacy, consent and data security at the heart of everything we do and we believe technology holds the key to protecting the young and vulnerable online. Our digital identity app and age estimation technology are incredible tools that are already being used to keep communities safe on social media, dating sites and sharing economy platforms.

Through OSTIA, we hope to further the discussion around online safety with our knowledge in the space and provide practical solutions that can be put into place today to mitigate some of the harms which exist online. Alongside other industry leaders and experts, we’re excited to provide answers to the often unanswered question of what can we do to protect people online. In many cases, the technology has been built. It’s time to use it.

Reinforcing our commitment to protecting children from online harms by joining the Point de Contact association

We are delighted to announce we have been accepted into the Point de Contact association to help the fight against abuse and inappropriate online content.

Point de Contact was created in 1998 to contribute to the fight against illegal content on the internet and facilitate the reporting of child sexual abuse material (CSAM). Point de Contact is also a member of the French Monitoring Committee for protecting children from online pornography and has been supported by successive European Commission programs. Point de Contact is a founding member of INHOPE – the International Association of Internet Hotlines, which unites over 40 countries worldwide in fighting child sexual abuse material (CSAM).

Point de Contact coordinated the White Paper entitled Child sexual abuse material and online terrorist propaganda | Tackling illegal content and ensuring staff welfare. The French reporting hotline has also been adapting the reporting of suspected illegal content to new digital uses and younger generations, with a mobile app (iOS, Android) and “next gen” reporting add-ons, available across browsers.

At Yoti, we already provide age checking services to a broad range of online businesses and organisations including social networks Yubo and GoBubble, non-profit organisations such as NSPCC Childline, and age-restricted goods providers like Jägermeister. We trust that joining Point de Contact brings our robust age checks to more platforms and businesses with a shared interest in protecting children online.

Point de Contact’s President Jean-Christophe Le Toquin said, “We are thrilled to have Yoti on board as a new member. Safety by design and age verification tools are part of the solution to advance child online protection. The impact equation for us is always innovation for better protection.”

Robin Tombs, CEO of Yoti, said, “We’re delighted to join Point de Contact and bring our ready-made solutions to members, platforms and their users. We’re a global leader in the innovative use of age checking technology – having done over 330 million age checks in the last 18 months, helping online providers deliver age-appropriate content and services while promoting privacy and boosting security.”

Yoti is offering our ID and age verification through the free Yoti app, as well as AI-powered age estimation technology, Yoti Age Scan. Yoti helps individuals and organisations know who they’re dealing with and meets internationally recognised standards and accreditations including the UK’s BBFC, Germany’s FSM, PAS 1296:2018 Age Checking (a Publicly Available Specification), as well as SOC2 for secure data management.

Successfully completing HIPAA Compliance Readiness Assessment

We are delighted to confirm we have received a HIPAA compliance readiness report from an independent auditor.

This gives us and our clients comfort that Yoti fulfils all requirements in the HIPAA Security Rules and the Privacy Rules. As Yoti has been built from day one with security and privacy at its core, we only needed to explain our architecture and control environment to our independent assessors, Corporate Prime Solutions.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to modernise the flow of healthcare information, and set out how personally identifiable information is maintained. Our HIPAA compliance, combined with our ISO27001 and SOC2 (type 2) compliance, means organisations and consumers can be sure our data controls and protections are legitimate.

Building a secure credential management platform

Over the last ten years, we have seen a massive trend to digitalise everything that fits in your wallet. Credit cards, identity cards, keys, and even your scribbled-down passwords – digital wallets offer the ability to store an encrypted digital version of your credentials on your phone. But why stop at what fits in your wallet? What if you could keep all of your data secure and only share what’s strictly necessary with third parties?

The potential for digital credentials has never been stronger than right now in the coronavirus crisis. Issuing third-party credentials to a citizen’s phone could hold the answer to the health passports that have been much discussed as key to getting society back on its feet again. But before we get ahead of ourselves, let’s look at what issuing third-party credentials looks like from a technical standpoint.

Structures, standards and protocols

In order for data to be understood and interoperable across systems and products, some standards need to be implemented to ensure the data is structured and exchanged in a compatible way. You also want this data to come with a high level of assurance that the information belongs to the holder. Let’s look at some of the more technical components of what this might look like.

Data structure standards

X.509 certificates

Standardised by the ITU-T (International Telecommunication Union), X.509 certificates have been around for quite some time and power many widely-adopted internet protocols, such as HTTPS. They are also used in national identity cards and government digital signatures.

W3C Verifiable Credentials

W3C verifiable credentials are much newer and were only standardised in November last year. Verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner. They are more web-friendly than certificates and more specific to credential use cases.

Yoti’s data structure

At Yoti, we use X.509 certificates and our own open data structures, which can be mapped onto other data models such as W3C verifiable credentials through an extension to our SDKs. We are working towards enabling this to be done natively too. A helpful way of understanding how we deal with different data structures and standards in the Yoti app is to compare it to a Swiss Army knife that supports multiple data models which can coexist. All data items are secured with Yoti technology, ready to be exchanged following the integration party’s supported set of standards.

Identity data exchange protocols

The section above addressed some of the data structure standards available, but this data is not very useful unless it’s exchanged in a secure way. Some widely-adopted identity protocols and standards that Yoti supports through our partner ForgeRock are SAML (OASIS Security Assertion Markup Language), OAuth2 and OpenID Connect (OIDC).

However, many of these standards don’t yet cover some of the more sophisticated privacy and security capabilities that we have built into our platform, such as: the use of Hardware Security Modules (HSM); mobile secure elements and Trusted Execution Environments (TEE); biometric authentication; QR code based multi-factor login/authentication; and anonymous selective disclosure for data exchange minimisation.

Anti-spoofing technology

Anti-spoofing technology is fundamental in order to give the necessary assurance that a digital certificate belongs to the holder. There are many different anti-spoofing mechanisms that can be used, which offer differing levels of assurance.

A digital hologram

A dynamic pattern that changes continuously with the movement of the device can be useful for a first glance. However, being able to challenge the validity of the digital credential by scanning it with a trusted device is what ultimately provides the evidence that the data hasn’t been tampered with.

A challenge QR code

A live QR code can be scanned by a trusted device to authenticate the validity of the credential. Our digital ID cards harness both a ‘digital hologram’ and a QR code.

Biometric binding

Some credentials need to be linked to a biometric to ensure they are not transferred to the wrong subject. When this subject is a person, this check can be carried out by simply looking at someone’s face and comparing it to a photo. In an unmanned scenario, such as at the self-checkout, an automated, anti-spoofing method is necessary to ensure that the credential belongs to the individual. Here, facial recognition technology is used with a liveness test, which takes a scan of a person’s face in order to verify they’re a real person. This anti-spoofing technology is very effective at detecting presentation attacks, such as pictures, videos and masks. ISO provides a framework for this type of technology assessment in ISO/IEC 30107-1:2016, and some NIST-approved testing laboratories certify compliance with it.

Covid credentials and health passports

As illustrated through our NHS staff digital ID cards, Yoti is uniquely positioned to issue secure, verifiable credentials to the public at scale through our digital identity app. We have applied to join the Covid Credentials Initiative (CCI), a collaboration of more than 60 organisations working to deploy verifiable credential solutions to tackle the coronavirus crisis. We invite anyone working in this area to get in touch at covid19@yoti.com and join us to help enable society to return to normal in a safe, controlled and privacy-preserving way.

Assured Advice for Yoti digital age assurance from Trading Standards

Limit contact and contagion during COVID-19. Prove your age with Yoti’s contactless ID app and age estimation technology.

Yoti’s privacy preserving solutions are compatible with Association of Convenience Stores (ACS) Assured Advice guidance for age-restricted goods including knives, lottery tickets and tobacco products. This is now reinforced by updated Assured Advice from the Primary Authority team for Yoti, based at Buckinghamshire and Surrey Trading Standards.

This means that people can purchase these items with Yoti’s contactless ID app and age estimation solutions. The business and consumer are protected – legally and from the contagion risks that come with traditional ID checks.

The growing age verification challenge for retailers

Selling age-restricted items responsibly has never been easy but it’s getting harder. More needs to be done to protect retail staff working at the frontline of the Covid-19 crisis. Retailers are defying self containment to keep us supplied. Sadly, attacks on people at the frontline of help have been reported and follow an unfortunate trend.

More restricted items, more attacks

A recent British Retail Consortium report stated 115 shop employees are assaulted each day. The ACS Crime Report 2019 also highlighted that “enforcing age restricted sales” and preventing “alcohol sales” are among the top three reasons for rising attacks.

There are over 150 items that require age verification in UK stores including alcohol, knives and nicotine, as well as crackers, party poppers and deodorants. All fall under different laws that require retailers to show they try to prevent underage sales.

AV checks for alcohol in the backdrop of social distancing

And then there’s alcohol, which carries its own Mandatory Licensing Conditions (MLC). Written in 2014, it states that an ID must contain an individual’s photo, name, DOB and have a holographic mark or UV feature to be AV eligible for alcohol sales offline – all the features seen on fake IDs readily available online.

You can use a Yoti digital ID to buy alcohol online at www.jagershop.co.uk. But you can’t buy that same bottle of Jägermeister in the physical world using Yoti due to the MLC. Still, you could use Yoti to buy a knife, cigarettes, medicines, crossbows or hazardous acids.

Removing friction

Age checks make up 50% of all interventions at the self-checkout and the average waiting time for staff to reach and review a customer ID is 63 seconds, bringing delays for everyone.

Traditional ID checks are near impossible to handle safely and securely if we want to avoid the risk of contact and contagion during social distancing. With this in mind, it’s time for the government to review the MLCs in order to make supermarkets a safer place for consumers and staff.

Following assessment of Yoti’s identity verification processes, the Assured Advice includes a number of key factors that should give retailers high confidence in Yoti’s ability to help them meet their legal obligations. These include:

Yoti is ISO/IEC 27001 certified and has been since 2015.
Yoti has received a ‘clean’ SOC 2 Type 2 report from a leading professional services firm.
The Yoti App was certified under the ‘Age Check Certification Scheme’, to provide Electronic Identification Verification Technology (e-IDVT) to issuers of ‘PASS’ (Proof of Age Standards Scheme) cards in the UK.
Age Scan and the Yoti App were certified to the BBFC’s Age Verification Certification standards.
The Yoti App and Yoti Age Check Cards use a number of specialist and qualified staff in face comparison and document authenticity examination. This is undertaken in a ‘Security Centre’.
The Yoti App and Yoti Age Check Cards authenticate data cryptographically on the document chip where that is possible.
The Yoti App and Yoti Age Check Cards verify identity documents with the issuing authority where that is possible.
Yoti deploys the use of biometric technology for secure verification and authentication of users.

Yoti’s Age Verification Methods in more detail

Age Scan

Yoti Age Scan is a mature technology that uses advanced AI to estimate people’s age. It deletes the image and returns an estimated age to the retailer. Given the accuracy of Yoti Age Scan, we recommend 25 as a buffer to prevent underage sales. The mean absolute error across ages, genders and skin tones is ± 2.67 years. In addition, under 0.15% of 14 to 17 year olds are estimated to be over 25 by Yoti Age Scan, as shown in our whitepaper.

Yoti ID app

The Yoti app is a free app that lets businesses securely verify and authenticate their customers in seconds. Yoti verifies the identity of individuals using a combination of leading AI technology and our expert security staff. An individual with a Yoti can then digitally identify themselves online and in-person in a way that is simple, safe and secure.

Yoti is a global, trusted identity platform that accepts over 240 forms of identification, including passports, driving licences and national IDs, from over 180 countries. Yoti promotes data minimisation and user privacy – with Yoti unable to access, mine or sell their data for marketing purposes.

For age checks, a shopper is presented with a QR code on an ePOS screen or via a Yoti Age Check card, which they scan using the Yoti app. This prompts an age check request, which the consumer accepts to share their age.

Our integrated ePOS solution tells the retailer the customer is 18+. Or Yoti Age Check cards prompt their Yoti app to display a digital ‘passport quality’ image of the consumer along with an animating security symbol and timestamp for the retailer to observe.

It’s a modern solution that fights the age-old AV problems for both retailers and consumers, boosting speed and security while limiting contact and contagion.

For more information contact covid19@yoti.com

Overcoming the drone accountability challenge with identity-linked drones

80 percent of UK citizens would support more widespread adoption of drones if there was a mechanism to provide increased safety, security and monitoring. These are the findings from The Cellular-connected Drones report, written by WPI Economics for Vodafone, which calls for commercial and public sector drones to be fitted with SIM cards to give them cellular network connectivity. This would mean drones could be flown beyond the “visual line of sight” of their operators, which is stipulated by current rules.

Drones have significant positive use cases for hard-to-reach areas, such as delivering time-critical medical supplies, inspecting infrastructure, responding to emergency situations and disabling mines, amongst others. However, they are feared by the public.

Yoti Business Executive Derek has an alternative solution. Below he makes the case for identity-linked drones, originally posted earlier this month on TechUK.

*****

The benefits of drones

The identifiable use cases for drones continue to expand with technology advancements, maturity, and accessibility. Drones can de-risk manual tasks, such as working at height, save time within operational processes and drive cost efficiencies, all whilst contributing to a reduced carbon footprint. So, when there is such potential benefit to the public, why are we experiencing growing resistance?

Why are people resistant to drones?

We’ve all heard stories, or experienced ourselves, the unsettling feeling of a drone flying overhead whilst you have no idea of its purpose or intention. Contributing to this feeling are headlines of international airports being severely disrupted due to rogue drones, such as the 2018 Gatwick case that affected around 1,000 flights. The Gatwick incident was particularly concerning for the public as two drone enthusiasts were incorrectly arrested (eventually released) and the search closed without identifying and arresting the pilot responsible. Post this event, two-thirds of the public said they trust drones less – and understandably so.

How do we win over the public?

Winning over public sentiment is essential to the rise and acceptance of drones. Educating the public is starting to be addressed; however, with their justified concerns around privacy and accountability, education alone is not enough. Instead, proper regulation and real accountability must be enforced.

Regulators like the US Federal Aviation Authority (FAA) and the UK Civil Aviation Authority (CAA) have made a start. They are proposing flight rules, zoning regulations, drone registration and essentially a visible license plate on each drone. A step in the right direction, but the thought of people bringing out binoculars to catch a moving drone’s license plate makes me laugh.

The private sector has been working on this themselves. DJI, for example, released AeroScope a few years ago to help identify drone types and flight status – but still didn’t manage to come up with a way to accurately identify the pilot. Without real-time pilot identification, public trust won’t be achieved.

The technology to make this possible is available today. With a pilot’s identity linked to a signal emitted from the drone, in a similar manner to an aircraft transponder, authorities can be assured as to who is in control.

How would a digital identity be linked to a drone?

There are a range of digital identity wallets (phone applications) available that enable individuals to create a verified and reusable digital version of their government-issued ID. The digital ID allows for the consumption of verified attributes from third parties, such as the consumption of a flyer ID on passing an online test.

Prior to flight, an individual will use their identity wallet to, in essence, ‘log into’ the drone and pass the associated flyer ID, linked to their unique biometrics.

The benefits of identity-linked drones

Remote ID

With identity-linked drones and remote ID tools, the authorities will see a continuous readout of drone flyer IDs, in the same way as ATC read squawks today. The flyer ID remains anonymous until such time that a drone breaches regulations, is integrated and linked back to a specific individual for further action.

Insurance

There is a growing market for drone insurance, such as Flock. Insurance may cover the pilot flying but questions remain around whether the insured pilot is really the one in control – not just your friend taking it for a spin. If insurance companies could confidently say the correct person is controlling the drone, then premiums could come down, making drone insurance more affordable.

How to make this a reality?

This will require cooperation between regulators, drone manufacturers, technology innovators, and governments alike. Linking real pilot identities to drones is essential to a valuable remote ID system. Bundle this together with appropriate flight zoning regulations, and I am confident that public acceptance of drones will rise and finally allow everyone to reap the benefits drones bring.
