by Mindwipe
16 days ago
The fact this letter takes aim at something the paper doesn't say is pretty damning. The paper alleges that a series of high entropy identifying metadata about the user's system is passed to a very large amount of third parties, including the site being visited, and that has potential to link the real identity of the user to the site they are verifying with. Yoti's letter then gets angry that "face" data is not passed to third parties. That is not what is alleged. Not to mention the repeated veiled threats about how they "could" sue academics investigating their systems. It is absolutely incredibly sus as a letter.
What's pretty damning is that you make it appear like you know the paper but you claim things that the paper doesn't claim. In the exact same style of those who wrote the article, interesting.
You claim that "The paper alleges that a series of high entropy identifying metadata about the user's system is passed to a very large amount of third parties"
That is FALSE, the paper doesn't say that, it actually says that the high entropy metadata is sent to Yoti servers, actually encrypted with client side keys on top of TLS which makes it impossible for any third party to even read it.
Reporting here an extract from the paper:
---
Once the user’s face is properly aligned, the SCM collects and processes a significant amount of data that is sent to Yoti’s servers. In particular, it collects the photo captured from the user’s camera and telemetry, including significant high-entropy browser and device metadata (see Table 2). It also includes data about the camera’s properties, the FPS of the camera stream, and metrics about download and processing times.
The SCM uses some cryptography, which we briefly describe here before returning to its implications in Section 5.5.3. If the image encryption setting is enabled (as it is by default), the SCM encrypts the captured image using AES-GCM with a key and initialization vector (IV) derived in the browser. Similarly, the telemetry and metadata collected is also encrypted under AES-GCM in the browser.
---
Then you claim "including the site being visited, and that has potential to link the real identity of the user to the site they are verifying with."
Which perfectly highlights the issue, as it seems like you might have gotten that from the Abstract section of the paper.
The great thing is that the paper itself disproves all of that when you read all the details. And anyone can find out that the key section where there is actual sharing of data with third parties (not the visiting site) is when the credit card check method is used for example. Which is pretty inevitable, to do a credit card check you need to use a payment provider which will have to process the data necessary to do that.