A user attempting to complete PlayStation Network age verification using a GrapheneOS device has shared an email from Yoti — Sony's third-party age verification partner, claiming the device had been automatically flagged for suspicious activity and reported to authorities. The incident sparked significant backlash across privacy communities and raised questions about how age verification systems treat users of privacy-focused operating systems.

Don't use X? View this post on Xcancel

What Happened

The incident began when a user tried to verify their age on PlayStation Network using the Yoti system on a device running GrapheneOS, the privacy-hardened Android fork. After multiple verification attempts failed, the user contacted Yoti support and received a written response stating that Yoti automatically flags devices running GrapheneOS due to what the company described as "past security concerns."

According to the email, such instances are automatically reported to both the authorities and Yoti's internal security team. The user's account was described as having been flagged for suspicious activity, and the support ticket was closed without resolution.

"Due to past security concerns, Yoti automatically flags multiple verification attempts and any devices running GrapheneOS. These instances are automatically reported to both the authorities and our security team." — Yoti Technical Support email

The user's reply, sent via Proton Mail, summed up the reaction from much of the privacy community: "Reported to authorities because of GrapheneOS? Are you serious?"

What is GrapheneOS? GrapheneOS is a free, open-source, privacy-hardened Android operating system developed by a Canadian nonprofit. It removes Google dependencies, hardens memory allocation against exploits, and gives users greater control over app permissions and network connections. It is widely used by journalists, security researchers, activists, and privacy-conscious individuals. Using it is entirely legal.

GrapheneOS Responds: "Fearmongering"

GrapheneOS responded publicly to the incident, firmly dismissing the framing that using their OS constitutes suspicious or reportable behavior.

"This is fearmongering based on customer support making ridiculous claims to someone. There's nothing illegal about using GrapheneOS and the customer support is nearly certainly making it all up to get the person to go away so the ticket can be considered closed." — GrapheneOS

GrapheneOS added that it was unlikely the company had done anything to specifically detect or ban GrapheneOS at a technical level, suggesting the more probable explanation is that Yoti's system detects the absence of a standard Google Mobile Services environment, which could affect any non-Google Android device, rather than GrapheneOS specifically. The project described the support agent's behavior as a "power trip" intended to scare the user into dropping the ticket.

Technical note: GrapheneOS does not include Google Mobile Services by default, though users can optionally install a sandboxed version. Age verification apps that rely on Google's attestation infrastructure or device fingerprinting may fail or behave unexpectedly on any de-Googled Android device — not only GrapheneOS.

Who Is Yoti and Why Is It Used by PlayStation?

Yoti is a London-based digital identity and age verification company whose tools are integrated into a wide range of platforms including PlayStation Network, TikTok, and Meta. Sony began rolling out mandatory age verification for PlayStation Network users in the UK and Ireland in 2026, driven by requirements under the UK Online Safety Act, which took effect in August 2025.

UK players were required to verify their age using one of three methods offered through Yoti: a mobile phone number check, a facial scan using Yoti's AI estimation technology, or a government-issued ID. Failure to complete verification by the June 2026 deadline meant losing access to voice chat, party chat, text messaging, and other social features on both PS5 and PS4.

Yoti markets itself as a privacy-first age verification provider, though the company's record has attracted scrutiny from regulators and security researchers. In March 2026, Spain's data protection authority AEPD fined Yoti approximately €950,000 across three separate GDPR violations, including storing facial scan images longer than declared to users, processing biometric data without a valid legal basis, and using a consent flow with a pre-ticked box for research and development data use.

Security researchers have also flagged that Yoti's app submits device-level identifiers including advertising IDs, IP addresses, and hardware information to third-party trackers including Google Firebase and Adjust, without clear prior consent, a tension with the company's stated privacy-first positioning.

Yoti's privacy record: Spain's AEPD fined Yoti €950,000 in March 2026 for GDPR violations including improper biometric data retention, invalid consent mechanisms, and excessive data storage periods. The fine covered its Digital ID app, the same technology used for PlayStation age verification.

Wider Context: Age Verification and Privacy-Hardened Devices

The incident reflects a growing tension between government-mandated age verification systems and users who run non-standard operating systems for legitimate privacy and security reasons. As more platforms are legally required to integrate age verification, driven by laws in the UK, EU, US states, and Brazil, the technical implementations of those systems are increasingly being built around assumptions of standard consumer device environments.

For users on GrapheneOS, CalyxOS, or other de-Googled Android builds, this can result in verification failures, compatibility errors, or — as this incident suggests, active flagging by systems that treat the absence of Google infrastructure as inherently suspicious.

GrapheneOS itself has previously stated it will never implement age verification requirements and will remain usable by anyone worldwide without requiring personal identification, even if that means the OS cannot be sold in certain regulated markets.

"GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account." — GrapheneOS statement, March 2026

The broader community reaction was swift. On forums including Lemmy, Hacker News, and Reddit's r/privacy, users questioned whether any age verification system that treats privacy-conscious behavior as suspicious could genuinely claim to be privacy-first, and called on Sony to clarify its position on Yoti's handling of non-standard devices.

Hacker News skepticism: Some commenters on Hacker News raised questions about whether the email screenshot could have been edited before posting, and noted that a legitimate security system would not typically reveal the specific technical reason a user was flagged, as doing so would expose detection methods. The authenticity of the email has not been independently verified.

No Official Statement from Sony or Yoti

As of the time of publication, neither Sony nor Yoti has issued an official public statement specifically addressing the GrapheneOS flagging claim. Yoti has previously stated in other contexts that it does not share personal details with the organizations requesting age checks, though the incident described here concerns Yoti's own internal handling rather than data sharing with Sony.

DigitalEscapeTools has not independently verified the contents of the email screenshot. The story will be updated if either company issues a formal response.

Sources

This article was written by DigitalEscapeTools based on publicly available screenshots, community forum posts, and reporting available at the time of publication. The email screenshot has not been independently verified.