Tag Archives: age estimation

Oh, Joel (Texas Porn and Georgia Social Media)

The definitive summary on U.S. age assurance for adult content and social media as of today (June 27, 2025) has already been written at Biometric Update.

And I confess that if I were Joel R. McConvey, I would have unable to resist the overpowering temptation to dip my pen in the inkwell and write the following sentence:

“But as age checks become law in more and more places, the industry will have to weigh how far it can push – or pull out.”

But McConvey’s article does not just cover the Supreme Court’s decision on Texas HB 1181’s age verification requirement for porn websites—and Justice Clarence Thomas’ statement in the majority opinion that the act “triggers, and survives, review under intermediate scrutiny because it only incidentally burdens the protected speech of adults.”

What about social media?

The Biometric Update article also notes that a separate case regarding age assurance for social media use is still winding its way through the courts. The article quotes U.S. District Judge Amy Totenberg’s ruling on Georgia SB 351:

“[T]he act curbs the speech rights of Georgia’s youth while imposing an immense, potentially intrusive burden on all Georgians who wish to engage in the most central computerized public fora of the twenty-first century. This cannot comport with the free flow of information the First Amendment protects.”

One important distinction: while opposition to pornography is primarily (albeit not exclusively) from the right of the U.S. political spectrum, opposition to social media is more broad-based. So social media restrictions are less of a party issue.

But returning to law rather than politics, one can objectively (or most likely subjectively) debate the Constitutional merits of naked people having sex vs. AI fakes of reunions of the living members of Led Zeppelin, the latter of which seem to be the trend on Facebook these days.

Minority Report

But streaking back to Texas, what of the minority opinion of the three Supreme Court Justices who dissented in the 6-3 opinion? According to The Texas Tribune, Justice Elena Kagan spoke for Justices Sonia Sotomayor and Kentanji Brown Jackson:

“But what if Texas could do better — what if Texas could achieve its interest without so interfering with adults’ constitutionally protected rights in viewing the speech HB 1181 covers? The State should be foreclosed from restricting adults’ access to protected speech if that is not in fact necessary.”

If you assume age verification (which uses a government backed ID) rather than age estimation (which does not), the question of whether identity verification (even without document retention) is “restricting” is a muddy one.

Of course all these issues have little to do with the technology itself, reminding us that technology is only a small part of any solution.

When Robocars Eliminate Identity

From the Department of Unintended Consequences: different countries approach identity proofing in different ways. But what happens when the underlying assumptions disappear and make some identity proofing methods obsolete?

Identity proofing in the United States

In the United States, the primary public identity document for citizens and non-citizens is the driver’s license. These government identity documents, issued by individual states and territories, satisfy a variety of uses, including driving, buying alcohol, boarding a plane or entering a federal facility (eventually), or purchasing something.

There are two other common identity documents in the United States:

  • The passport. But not everybody has one.
  • The Social Security card. But this is like your underwear; you don’t show it to everybody.

So our de facto identity card in this country is the driver’s license, or an equivalent ID document issued by a motor vehicle agency. Even though driver’s licenses are used for a ton of purposes that have nothing to do with driving, the entire ecosystem for these IDs is driven by the needs of drivers.

Which is a smart idea, because just about everybody needs a driver’s license.

Right?

What I’m reading

I read a number of WordPress blogs, and one of the ones that I read has the title “The Last Driver License Holder…

The abstract for the blog completes the sentence and clarifies it.

…is already born. How Waymo, Tesla, Zoox & Co will change our automotive society and make mobility safer, more affordable and accessible in urban as well as rural areas.

It’s certainly a provocative statement, especially if you’re a recent college graduate who just joined the California DMV and thought you were set for life. You’re not.

Even if the author’s conclusion is a complete exaggeration, we need to entertain the possibility that driverless automobiles may eventually improve so much that people won’t even need a driver’s license, except for the cranky few that want them.

Assume that the majority of people own driverless cars at some point in the future, and that these support complete automation with no driver intervention. Imagine the ripple effects:

  • The government motor vehicle agencies, who will be more than busy certifying the road worthiness of new automobiles, will start wondering why they are spending so much time issuing these IDs that no one uses.
  • Other agencies at the state and federal level, eager to expand their operations and budgets, will start asking why the motor vehicle agencies are the ones in charge of IDs, and why they should be providing IDs instead.
  • While the agencies fight this out, private companies that provide adult services such as alcohol, prostitution, pornography, and buying gardening implements will have to figure out how to ensure their customers are old enough for these services. Perhaps they will be forced to turn to age estimation because the person at the counter never bothered to get a driver’s license.

So now half the people don’t bother to get IDs, yet they still need IDs.

Now what?

Identity Verification for Nevada Sex Workers

(Part of the biometric product marketing expert series)

There is a lot of discussion about identity verification for people working in certain jobs: police officers, teachers, financial professionals, and the like.

With one exception.

One job that isn’t frequently discussed in the identity verification world is that of a sex worker. Primarily because sex workers usually don’t undergo identity verification for employment, but identity checks for criminal proceedings.

With a few exceptions. 

In portions of Nevada sex work is legal. But it is heavily regulated. So there are laws in places like Carlin, Nevada that govern prostitute registration and work cards. Among other things:

  • Applicants are fingerprinted and are also required to submit a recent photo.
  • Applicants must provide their birth name and all subsequent “names or aliases used.”
  • Three years of residence addresses and employment information.
  • The applicant criminal record “except minor traffic violations.”
  • “A waiver of release of medical information,” since the nature of the work involves the possibility of transmission of communicable diseases. And you thought being a nuclear power plant worker was dangerous!

Presumably the fingerprints are searched against law enforcement databases, just like the fingerprints of school teachers and the other newer professions.

Why?

“The chief of police shall investigate, through all available means, the accuracy of all information supplied by the prostitute on the registration form.”

Included in the investigation:

  • Controlled substance criminal convictions.
  • Felony convictions.
  • Embezzlement, theft, or shoplifting convictions.
  • Age verification; you have to be 21.

As you can see, the identity verification requirements for sex workers are adapted to meet the needs of that particular position.

But…it takes two to tango.

Brothel clients need to be at least 18 years old.

But I don’t know if Nevada requires client age verification, or if age estimation is acceptable.

From https://www.instagram.com/share/_mMj2BVRh.

Replacing Underage Age Estimation With Underage Age Verification

Why do we have both age verification and age estimation? And how do we overcome the restrictions that force us to choose one over the other?

Why age verification?

As I’ve mentioned before, there are certain products and services that are ONLY provided to people who have attained a certain age. These include alcohol, tobacco, firearms, cannabis, driver’s licenses, gambling, “mature” adult content, and car rentals.

There’s also social media access, which I’ll get to in a minute.

So how do you know that someone purchasing one of these controlled products or services has attained the required age?

One way is to ask the purchaser to provide their government identification (driver’s license, passport, whatever) with their birthdate to prove their age.

This is known as age verification. Provided that the ID was issued by a legitimate government authority, and provided that the ID is not fraudulent, this ID provides ironclad assurance that you are 18 years old or 21 years old or whatever the requirement is.

But let’s return to social media.

Why age estimation?

If you’re Australian, sit down for a moment before I share the following fact.

There are jurisdictions in the world that allow kids as young as 13 years old to access social media.

However, these wild uncontrolled jurisdictions face a problem when trying to determine the ages of their social media users. As I noted almost two years ago:

How many 13 year olds do you know that have driver’s licenses? Probably none.

How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.

How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

So how can you figure out whether Bobby or Julie is old enough to open that social media account?

One way to do so is by using a technique called age estimation, which looks at facial features and classifies people by their estimated ages.

The only problem is that while age verification is accurate (assuming the ID is legitimate), age estimation is not:

So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.

A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

So what do you do?

How to perform underage age verification

Biometric Update points out that there is an free alternative for underage people ages 13-15 in the United Kingdom—the CitizenCard. These cards are issued in four categories:

  • ’18+’ for adults
  • ’16-17′ for those aged 16 to 17
  • ’13-15′ for children aged 13 to 15
  • ‘Under 13’ for younger children
From https://www.citizencard.com/.

“OK,” you may say, “but so what? Anybody can print a card that says anything they want, like Alabama’s John Wahl did. Why should anyone accept the CitizenCard?”

Well…people, um, trust it.

CitizenCard is the only non-profit, UK-wide issuer of police-approved proof of age & ID cards….

CitizenCard was founded in 1999 and is governed by representatives from the National Lottery operator Allwyn, the Co-op, Ladbrokes & Coral owner Entain and the TMA.

CitizenCard…is the longest-established and the largest issuer of Home Office-endorsed PASS-hologram ID cards in the UK with more than 2.5 million issued.

[CitizenCard] is audited by members of the Age Check Certification Scheme on behalf of PASS to ensure that the highest standards of UK data protection, privacy and security are upheld and rigorous identity verification is carried out.

So one could argue that you don’t need age estimation in the UK, because there is a well-established way to VERIFY ages in the UK.

However, there are other benefits to age estimation, including the fact that estimation is frictionless and doesn’t require you to pull out a card (or a smartphone) at all.

How Does k-ID Perform Age Assurance?

I was encouraged to check out k-ID, a firm that tracks age compliance laws on a global basis. It also lets companies ensure that their users comply with these laws.

How? The company explains.

“Age assurance refers to a range of methods and technologies used to estimate, verify or confirm someone’s age. Different countries allow different methods, but here are a few commonly used by k-ID…”

The following methods are then listed:

  • Face Scan: Your age is estimated by completing a video selfie
  • ID Scan: Your age is confirmed by scanning a government-issued ID
  • Credit Card: Confirm you’re an adult by using a valid credit card

Note that k-ID’s age assurance methods include age estimation (via your face), age verification (via your government ID), and age who-knows-what (IMHO, possession of a credit card proves nothing, especially if it’s someone else’s).

But if k-ID truly applies the appropriate laws to age assurance, it’s a step in the right direction. Because keeping track of laws in hundreds of thousands of jurisdictions can be a…um…challenge.

(Old Enough picture from Imagen 3)

Age Estimation is Challenging

(Part of the biometric product marketing expert series)

Two Biometric Update stories that were published on March 27, 2025 reminded me of something I wrote before.

One involved Paravision.

An announcement from Paravision says its biometric age estimation technology has achieved Level 3 certification from the Age Check Certification Scheme (ACCS), the leading independent certification body for age estimation. The results make it one of only six companies globally to receive ACCS’s highest-level designation for compliance.

San Francisco-based Paravision’s age estimation tech posted 100 percent precision in Challenge 25 compliance, with 0 subjects falsely identified as over 25 years old. It also scored a 0 percent Failure to Acquire Rate, meaning that every image submitted for analysis returned a result. Mean Absolute Error (MAE) was 1.37 years, with Standard Deviation of 1.17.

Now this is an impressive achievement, and Paravision is a quality company, and Joey Pritikin is a quality biometric executive, but…well, let me share the other story first, involving a Yoti customer (not Yoti).

Fenix responded that it set a challenge threshold at 23 years of age. Any user estimated to be that age or younger based on their face biometrics is required to use a secondary method for age verification.

Fenix had set OnlyFans challenge age, it turns out, at 20 years old. A correction to 23 years old was carried out on January 16, and then Fenix changed it again three days later, to 21 years old, Ofcom says.

Now Biometric Update was very clear that “Yoti provides the tech, but does not set the threshold.”

Challenge ages and legal ages

But do challenge thresholds have any meaning? I addressed that issue back in May 2024.

Many of the tests used a “Challenge-T” policy, such as “Challenge 25.” In other words, the test doesn’t estimate whether a person IS a particular age, but whether a person is WELL ABOVE a particular age….

So if you have to be 21 to access a good or service, the algorithm doesn’t estimate if you are over 21. Instead, it estimates whether you are over 25. If the algorithm thinks you’re over 25, you’re good to go. If it thinks you’re 24, pull out your ID card.

And if you want to be more accurate, raise the challenge age from 25 to 28.

NIST admits that this procedure results in a “tradeoff between protecting young people and inconveniencing older subjects” (where “older” is someone who is above the legal age but below the challenge age).

You may be asking why the algorithms have to set a challenge age above the lawful age, thus inconveniencing people above the lawful age but below the challenge age.

The reason is simple.

Age estimation is not all that accurate.

I mean, it’s accurate enough if I (a person well above the age of 21 years) must indicate whether I’m old enough to drink, but it’s not sufficiently accurate for a drinker on their 21st birthday (in the U.S.), or a 13 year old getting their first social media account (where lawful).

Not an official document.

If you have a government issued ID, age verification based upon that ID is a much better (albeit less convenient) solution.

(Kid computer picture by Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727.)

(Fake driver license picture from https://www.etsy.com/listing/1511398513/editable-little-drivers-license.)

Age By Gesture?

(Churchill image public domain)

And I thought tongue identification was weird.

Biometric Update reported that the Australian government is evaluating a solution that estimates age by gestures.

At first thought I didn’t get it. Holding two fingers up in the air could be a 1960s peace hand gesture or a 1940s victory hand gesture.

Obviously I needed to give this a second thought. So I went to Needemand’s page for BorderAge. This is what I found.

« L’internaute doit simplement effectuer 3 mouvements de la main et l’avant-bras devant la caméra de son écran (ordinateur, tablette, smartphone). En quelques secondes, il/elle vérifie son âge sans dévoiler son identité. »

Help me, Google Translate; you’re my only hope.

“The Internet user simply has to make  3 movements of the hand and forearm  in front of the camera on their screen (computer, tablet, smartphone). In a few seconds, he/she verifies his/her age without revealing his/her identity.”

The method is derived from a 1994 scientific paper entitled “Rapid aimed limb movements: Age differences and practice effects in component submovements.” The abstract of the paper reads as follows:

“Two experiments are reported in which younger and older adults practiced rapid aimed limb movements toward a visible target region. Ss were instructed to make the movements as rapidly and as accurately as possible. Kinematic details of the movements were examined to assess the differences in component submovements between the 2 groups and to identify changes in the movements due to practice. The results revealed that older Ss produced initial ballistic submovements that had the same duration but traveled less far than those of younger Ss. Additionally, older Ss produced corrective secondary submovements that were longer in both duration and distance than those of the younger subjects. With practice, younger Ss modified their submovements, but older Ss did not modify theirs even after extensive practice on the task. The results show that the mechanisms underlying movements of older adults are qualitatively different from those in younger adults.”

So what does this mean? Needemand has a separate BorderAge website—thankfully in English—that illustrates the first part of the user instructions.

From http://www.borderage.com/.

I don’t know what happens after that, but the process definitely has an “active liveness” vibe, except instead of proving you’re real, you’re proving you’re old, or old enough.

Now I’m not sure if the original 1994 study results were ever confirmed across worldwide populations. But it wouldn’t be the first scheme that is unproven. Do we KNOW that fingerprints are unique?

Another question I have regards the granularity of the age estimation solution. Depending upon your use case and jurisdiction, you may have to show that your age is 13, 16, 18, 21, or 25. Not sure if BorderAge gets this granular.

But if you want a way to estimate age and preserve anonymity (the solution blocks faces and has too low of a resolution to capture friction ridges), BorderAge may fit the bill.

How Bredemarket Adopts Your Point of View

The video embedded in my “Where is ByteDance From?” blog post included an interesting frame:

“So depending upon your needs, you can argue that”

This frame was followed by three differing answers to the “Where is ByteDance From?” question.

But isn’t there only one answer to the question? How can there be three?

It all depends upon your needs.

Who is the best age estimation vendor?

I shared an illustrative example of this last year. When the National Institute of Standards and Technology (NIST) tested its first six age estimation algorithms, it published the results for everyone to see.

“Because NIST conducts so many different tests, a vendor can turn to any single test in which it placed first and declare it is the best vendor.

“So depending upon the test, the best age estimation vendor (based upon accuracy and or resource usage) may be Dermalog, or Incode, or ROC (formerly Rank One Computing), or Unissey, or Yoti. Just look for that “(1)” superscript….

“Out of the 6 vendors, 5 are the best. And if you massage the data enough you can probably argue that Neurotechnology is the best also. 

“So if I were writing for one of these vendors, I’d argue that the vendor placed first in Subtest X, Subtest X is obviously the most important one in the entire test, and all the other ones are meaningless.”

Are you the best? Only if I’m writing for you

I will let you in on a little secret.

  • When I wrote things for IDEMIA, I always said that IDEMIA was the best.
  • When I wrote things for Incode, I always said that Incode was the best.
  • And when I write things for each of my Bredemarket clients, I always say that my client is the best.

I recently had to remind a prospect of this fact. This particular prospect has a very strong differentiator from its competitors. When the prospect asked for past writing samples, I included this caveat:

“I have never written about (TOPIC 1) or (TOPIC 2) from (PROSPECT’S) perspective, but here are some examples of my writing on both topics.”

I then shared four writing samples, including something I wrote for my former employer Incode about two years ago. I did this knowing that my prospect would disagree with my assertions that Incode’s product is so great…and greater than the prospect’s product. 

If this loses me the business, I can accept that. Anyone with any product marketing experience in the identity industry is guaranteed to have said SOMETHING offensive to most of the 80+ companies in the industry.

How do I write for YOU?

But let’s say that you’re an identity firm and you decide to contract with Bredemarket anyway, even though I’ve said nice things about your competitors in the past.

How do we work together to ensure that I say nice things about you?

That’s where my initial questions (seven, plus some more) come into play.

My first seven questions.

By the time we’re done, we have hopefully painted a hero picture of your company, describing why you are the preferred solution for your customers—better than IDEMIA, Incode, or anyone else.

(Unless of course IDEMIA or Incode contracts with Bredemarket, in which case I will edit the sentence above just a bit.)

So let’s talk

If you would like to work with Bredemarket for differentiated content, proposal, or analysis work, book a free meeting on my “CPA” page.

CPA

The NIST Test You Choose Matters

(Baby smoking image designed by Freepik)

As I’ve mentioned before, when the National Institute of Standards and Technology (NIST) tests biometric modalities such as finger and face, they conduct each test in a bunch of different ways.

One of the ramifications of this is that many entities can claim that they are “the best, according to NIST.”

For example, when NIST released its first version of the age estimation tests, 5 of the 6 participating vendors scored first in SOME category.

But NIST doesn’t do this just to make the vendors happy. NIST does this because biometrics are used in many, many ways.

Let’s look at recent age estimation testing, which currently tests 15 algorithms rather than the original 6.

Governments and private entities can estimate ages for people at the pub, people buying weed, or people gambling. And then there’s the use case that is getting a lot of attention these days—people accessing social media.

Child Online Safety, Ages 13-16 (in my country anyway)

When NIST conceived the age estimation tests, the social media providers generaly required their users to be 13 years of age or older. For this reason, one of NIST’s age estimation tests focused upon whether age estimation algorithms could reliably identify those who were 13 years old vs. those who were not.

By Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727.

Which, by the way, basically means that the NIST age estimation tests are useless in Australia. After NIST started age estimation testing, Australia passed a law last month requiring social media users to be 16 years old or older.

Returning to America, NIST actually conducted several different tests for the 13 year old “child online safety” testing. I’m going to focus on one of them:

Age 8-12 – False Positive Rates (FPR) are proportions of subjects aged 8 to 12 but whose age is estimated from 13 to 16 (below 17).

This covers the case in which a social media provider requires people to be 13 years old or older, someone between 8 and 12 tries to sign up for the social media service anyway…AND SUCCESSFULLY DOES SO.

You want the “false positive rate” to be as low as possible in this case, so that’s what NIST measures.

Results as of December 10, 2024

The image below was taken from the NIST Face Analysis Technology Evaluation (FATE) Age Estimation & Verification page on December 10, 2024. Because this is a continuous test, the actual results may be different by the time you read this, so be sure to check the latest results.

From https://pages.nist.gov/frvt/html/frvt_age_estimation.html as of December 10, 2024.

As of December 10, the best performing algorithm of the 15 tested had a false positive rate (FPR) of 0.0467. The second was close at 0.0542, with the third at 0.0828.

The 15th was a distant last at 0.2929.

But the worst-tested algorithm is much better on other tests

But before you conclude that the 15th algorithm in the “8-12” test is a dud, take a look at how that same algorithm performed on some of the OTHER age estimation tests.

  • For the age 17-22 test (“False Positive Rates (FPR) are proportions of subjects aged 17 to 22 but whose age is estimated from 13 to 16 (below 17)”), this algorithm was the second MOST accurate.
  • And the algorithm is pretty good at correctly classifying 13-16 year olds.
  • It also performs well in the “challenge 25” tests (addressing some of the use cases I mentioned above such as alcohol purchases).
I think they’re over 13. By Obscurasky – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7776157.

So it looks like this particular algorithm doesn’t (currently) do well with kids, but it does VERY well with adults.

So before you use the NIST tests as a starting point to determine if an algorithm is good for you, make sure you evaluate the CORRECT test, including the CORRECT data.

It’s My Birthday Too, Yeah

Here’s what I said:

Basically, the difference between “recognition” and “analysis” in this context is that recognition identifies an individual, while analysis identifies a characteristic of an individual….The age of a person is another example of analysis. In and of itself an age cannot identify an individual, since around 385,000 people are born every day. Even with lower birth rates when YOU were born, there are tens or hundreds of thousands of people who share your birthday.

Here’s what ilovemyqa said on Instagram:

Enter your age. 17. User with this age already exists.
From https://www.instagram.com/p/C7qb5S9p8Tc/?igsh=MzRlODBiNWFlZA==.