GraphenOS user flagged by age verification company Yoti, same company that is partnering with PlayStation for their age verification, and were reported to the authorities (allegedly)
According to the user, they tried to verify their age to get into the PlayStation network
Which failed 10 times, costumer support was contacted
"Due to past security concerns, Yoti automatically flags multiple verification attempts and any devices running GrapheneOS. These instances are automatically reported to both the authorities and our security team."
Translation: "Due to past security concerns, Yoti automatically flags multiple verification attempts as well as any device running GrapheneOS. These cases are automatically reported to the authorities as well as to our security team."
“The user had provided their real identity documents. They hadn't bypassed anything. It's Yoti's system that appears to have failed to process them.”
“GrapheneOS restricts camera and biometric APIs. A scan that works on stock Android can fail in a loop on GrapheneOS. The repeated failure isn't fraud. It's a technical incompatibility.”
“It's a hardened open-source Android OS, used by journalists, lawyers, security researchers, and people like you and me who care about their security.”
“But for Yoti, using it is enough to classify you as a suspect. On what grounds?
Either Yoti actually reports someone, somewhere, for using a legal OS. Or it's boilerplate language designed to scare.
In either case, it's a problem.”
“If it's real: no text requires an age verification provider to report to law enforcement a user detected on GrapheneOS. It's a unilateral policy with no identifiable legal basis.
If it's a bluff: threatening a user with a fictional legal procedure is an unfair business practice in most jurisdictions.”
This reveals that people using alternative OS are going to be treated as suspicious
“At every step, we'll be told it's for security, for the children, for fighting fraud, for compliance. But in the end, the result will be the same: the user seeking to protect themselves will have to justify it, while the fully trackable user will be considered normal.”
“If Yoti confirms this practice, we will need to ask on what legal basis this reporting rests, which authorities are the recipients, what data is transmitted, how many users are affected, how long this information is retained, and what remedies are offered to falsely reported individuals.
And if Yoti does not confirm it, we will need to explain why its support was able to write such a thing to a user.”