> once they've got your face or ID, do they store it?
I work at a place that uses Yoti[0] for age verification and we definitely don't store any facial images[1]. Yoti also claim they don't store any images once they've delivered the age estimation back to the caller[2] (but obviously that's something unverifiable from outside.)
[0] Who provide the facial image age verification for KWS.
[1] Unless the client team have gone rogue and done something weird, I suppose? I can confidently assert that the backend doesn't store them though.
The claim is that the data is "deleted", but there is no way to actually verify it is in fact being deleted (and the chances are data itself might be stored in say AWS which may have its own way of "deleting" data, such as in backups, caches, multiple regions etc (however they have their own legal process which may not allow data to be deleted in the event of a law enforcement request, and there's no way for anyone using the service to understand who is actually handling the data as it passes by their servers, which could be suspectable to interception etc)). Truth is, the data is much too valuable, and is useful for long term storage to know what somebody looked like or who they were when accessing content online. The UK has the RIPA so they could serve a technology notice for data to be retained and prevent disclosure of that fact. Apple was recently involved in such a request to disable advanced data protection, and the UK government is disgusted by E2EE and the very idea they cannot access every piece of data they like on demand, and wanted the entire thing held in secret.
So the reality is, assume everything on the internet is being archived, including any scans you do, and adjust the threat model accordingly. The UK government will absolutely be able to access this information and know all about what you've been doing if you're foolish enough to actually submit legitimate information.
The linked https://www.kidswebservices.com/en-US/privacy-policy#retenti... seems to say they'll keep it all for as long as they want, except for "some information" that you can request to be deleted by emailing them - but no detail on what that covers.
> So the reality is, assume everything on the internet is being archived, including any scans you do, and adjust the threat model accordingly.
OK, but what would the practical conclusion of this be? A lot of services will require those scans to be made. So, just get used to the fact that your face scans will be stored beyond your control?
We are in a community of hackers. There are tools such as VPNs which are effective at bypassing these requirements. That will likely change in a few years as the government will want to crack down on circumvention techniqus. The law is incidious enough to actually suggested that educating people on how to bypass the checks is not allowed - I sincerely hope no court ever upholds that otherwise the very act of education is at threat.
So the end result is using tools such as VPNs or fake videos to bypass the system. Or creating new communities which do not have such restrictions (but they won't be able to be big platforms anymore as they will fall into scope).
So you could have 1000's of smaller bulletin boards. Once they get large enough they'd need to shut down and restart in order to not be within scope.
Alternatively there could be some legal challenges on the way to define the scope of their powers (so far there's not been any enforcement conclusions to challenge, although there are some investigations by OFCOM ongoing)
Are you suggesting that the entire population of the UK switch to using VPNs?
> So you could have 1000's of smaller bulletin boards. Once they get large enough they'd need to shut down and restart in order to not be within scope.
This will work until the moment some actual pedos run some of those small message bords and use it to groom kids and politicians will have the necessary munition to shut down those sorts of exceptions to the law.
Yes, because that's how the internet is designed to work, a VPN just routes packets to another location with the nice side effect of being able to use another IP address.
Countries have tried to enforce censorship but even places like China have gaps that are exploitable if you have the right tools and knowledge.
Everyone should be learning about how to bypass state overreach, it's an obligation of its people.
Have fun doing that if half of your contacts are on there. People didn't quit Facebook after learning what kind of stuff they are doing with their data, I don't see why they would quit now.
Also, I don't know the law in detail, but wouldn't it apply for all online services, no matter how large or small?
It's worth thinking twice about this in a country that is actively censoring mainstream political speech in its media.