Tag Archives: age estimation

What Is Your Firm’s UK Online Safety Act Story?

It’s time to revisit my August post entitled “Can There Be Too Much Encryption and Age Verification Regulation?” because the United Kingdom’s Online Safety Bill is now the Online Safety ACT.

Having passed, eventually, through the UK’s two houses of Parliament, the bill received royal assent (October 26)….

[A]dded in (to the Act) is a highly divisive requirement for messaging platforms to scan users’ messages for illegal material, such as child sexual abuse material, which tech companies and privacy campaigners say is an unwarranted attack on encryption.

From Wired.
By Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727

This not only opens up issues regarding encryption and privacy, but also specific identity technologies such as age verification and age estimation.

This post looks at three types of firms that are affected by the UK Online Safety Act, the stories they are telling, and the stories they may need to tell in the future. What is YOUR firm’s Online Safety Act-related story?

What three types of firms are affected by the UK Online Safety Act?

As of now I have been unable to locate a full version of the final final Act, but presumably the provisions from this July 2023 version (PDF) have only undergone minor tweaks.

Among other things, this version discusses “User identity verification” in 65, “Category 1 service” in 96(10)(a), “United Kingdom user” in 228(1), and a multitude of other terms that affect how companies will conduct business under the Act.

I am focusing on three different types of companies:

  • Technology services (such as Yoti) that provide identity verification, including but not limited to age verification and age estimation.
  • User-to-user services (such as WhatsApp) that provide encrypted messages.
  • User-to-user services (such as Wikipedia) that allow users (including United Kingdom users) to contribute content.

What types of stories will these firms have to tell, now that the Act is law?

Stories from identity verification services

From Yoti.

For ALL services, the story will vary as Ofcom decides how to implement the Act, but we are already seeing the stories from identity verification services. Here is what Yoti stated after the Act became law:

We have a range of age assurance solutions which allow platforms to know the age of users, without collecting vast amounts of personal information. These include:

  • Age estimation: a user’s age is estimated from a live facial image. They do not need to use identity documents or share any personal information. As soon as their age is estimated, their image is deleted – protecting their privacy at all times. Facial age estimation is 99% accurate and works fairly across all skin tones and ages.
  • Digital ID app: a free app which allows users to verify their age and identity using a government-issued identity document. Once verified, users can use the app to share specific information – they could just share their age or an ‘over 18’ proof of age.
From Yoti.

Stories from encrypted message services

From WhatsApp.

Not surprisingly, message encryption services are telling a different story.

MailOnline has approached WhatsApp’s parent company Meta for comment now that the Bill has received Royal Assent, but the firm has so far refused to comment.

Will Cathcart, Meta’s head of WhatsApp, said earlier this year that the Online Safety Act was the most concerning piece of legislation being discussed in the western world….

[T]o comply with the new law, the platform says it would be forced to weaken its security, which would not only undermine the privacy of WhatsApp messages in the UK but also for every user worldwide. 

‘Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98 per cent of users,’ Mr Cathcart has previously said.

From Daily Mail.

Stories from services with contributed content

From Wikipedia.

And contributed content services are also telling their own story.

Companies, from Big Tech down to smaller platforms and messaging apps, will need to comply with a long list of new requirements, starting with age verification for their users. (Wikipedia, the eighth-most-visited website in the UK, has said it won’t be able to comply with the rule because it violates the Wikimedia Foundation’s principles on collecting data about its users.)

From Wired.

What is YOUR firm’s story?

All of these firms have shared their stories either before or after the Act became law, and those stories will change depending upon what Ofcom decides.

But what about YOUR firm?

Is your firm affected by the UK Online Safety Act, and the future implementation of the Act by Ofcom?

Do you have a story that you need to tell to achieve your firm’s goals?

Do you need an extra, experienced hand to help out?

Learn how Bredemarket can create content that drives results for your firm.

Click the image below.

Drive content results with Bredemarket Identity Firm Services.

The Imperfect Way to Enforce New York’s Child Data Protection Act

It’s often good to use emotion in your marketing.

For example, when biometric companies want to justify the use of their technology, they have found that it is very effective to position biometrics as a way to combat sex trafficking.

Similarly, moves to rein in social media are positioned as a way to preserve mental health.

By Marc NL at English Wikipedia – Transferred from en.wikipedia to Commons., Public Domain, https://commons.wikimedia.org/w/index.php?curid=2747237

Now that’s a not-so-pretty picture, but it effectively speaks to emotions.

“If poor vulnerable children are exposed to addictive, uncontrolled social media, YOUR child may end up in a straitjacket!”

In New York state, four government officials have declared that the ONLY way to preserve the mental health of underage social media users is via two bills, one of which is the “New York Child Data Protection Act.”

But there is a challenge to enforce ALL of the bill’s provisions…and only one way to solve it. An imperfect way—age estimation.

This post only briefly addresses the alleged mental health issues of social media before plunging into one of the two proposed bills to solve the problem. It then examines a potentially unenforceable part of the bill and a possible solution.

Does social media make children sick?

Letitia “Tish” James is the 67th Attorney General for the state of New York. From https://ag.ny.gov/about/meet-letitia-james

On October 11, a host of New York State government officials, led by New York State Attorney General Letitia James, jointly issued a release with the title “Attorney General James, Governor Hochul, Senator Gounardes, and Assemblymember Rozic Take Action to Protect Children Online.”

Because they want to protect the poor vulnerable children.

By Paolo Monti – Available in the BEIC digital library and uploaded in partnership with BEIC Foundation.The image comes from the Fondo Paolo Monti, owned by BEIC and located in the Civico Archivio Fotografico of Milan., CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=48057924

And because the major U.S. social media companies are headquartered in California. But I digress.

So why do they say that children need protection?

Recent research has shown devastating mental health effects associated with children and young adults’ social media use, including increased rates of depression, anxiety, suicidal ideation, and self-harm. The advent of dangerous, viral ‘challenges’ being promoted through social media has further endangered children and young adults.

From https://ag.ny.gov/child-online-safety

Of course one can also argue that social media is harmful to adults, but the New Yorkers aren’t going to go that far.

So they are just going to protect the poor vulnerable children.

CC BY-SA 4.0.

This post isn’t going to deeply analyze one of the two bills the quartet have championed, but I will briefly mention that bill now.

  • The “Stop Addictive Feeds Exploitation (SAFE) for Kids Act” (S7694/A8148) defines “addictive feeds” as those that are arranged by a social media platform’s algorithm to maximize the platform’s use.
  • Those of us who are flat-out elderly vaguely recall that this replaced the former “chronological feed” in which the most recent content appeared first, and you had to scroll down to see that really cool post from two days ago. New York wants the chronological feed to be the default for social media users under 18.
  • The bill also proposes to limit under 18 access to social media without parental consent, especially between midnight and 6:00 am.
  • And those who love Illinois BIPA will be pleased to know that the bill allows parents (and their lawyers) to sue for damages.

Previous efforts to control underage use of social media have faced legal scrutinity, but since Attorney General James has sworn to uphold the U.S. Constitution, presumably she has thought about all this.

Enough about SAFE for Kids. Let’s look at the other bill.

The New York Child Data Protection Act

The second bill, and the one that concerns me, is the “New York Child Data Protection Act” (S7695/A8149). Here is how the quartet describes how this bill will protect the poor vulnerable children.

CC BY-SA 4.0.

With few privacy protections in place for minors online, children are vulnerable to having their location and other personal data tracked and shared with third parties. To protect children’s privacy, the New York Child Data Protection Act will prohibit all online sites from collecting, using, sharing, or selling personal data of anyone under the age of 18 for the purposes of advertising, unless they receive informed consent or unless doing so is strictly necessary for the purpose of the website. For users under 13, this informed consent must come from a parent.

From https://ag.ny.gov/child-online-safety

And again, this bill provides a BIPA-like mechanism for parents or guardians (and their lawyers) to sue for damages.

But let’s dig into the details. With apologies to the New York State Assembly, I’m going to dig into the Senate version of the bill (S7695). Bear in mind that this bill could be amended after I post this, and some of the portions that I cite could change.

From https://www.nysenate.gov/legislation/bills/2023/S7695

The “definitions” section of the bill includes the following:

“MINOR” SHALL MEAN A NATURAL PERSON UNDER THE AGE OF EIGHTEEN.

From https://www.nysenate.gov/legislation/bills/2023/S7695, § 899-EE, 2.

This only applies to natural persons. So the bots are safe, regardless of age.

Speaking of age, the age of 18 isn’t the only age referenced in the bill. Here’s a part of the “privacy protection by default” section:

§ 899-FF. PRIVACY PROTECTION BY DEFAULT.

1. EXCEPT AS PROVIDED FOR IN SUBDIVISION SIX OF THIS SECTION AND SECTION EIGHT HUNDRED NINETY-NINE-JJ OF THIS ARTICLE, AN OPERATOR SHALL NOT PROCESS, OR ALLOW A THIRD PARTY TO PROCESS, THE PERSONAL DATA OF A COVERED USER COLLECTED THROUGH THE USE OF A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICA- TION, OR CONNECTED DEVICE UNLESS AND TO THE EXTENT:

(A) THE COVERED USER IS TWELVE YEARS OF AGE OR YOUNGER AND PROCESSING IS PERMITTED UNDER 15 U.S.C. § 6502 AND ITS IMPLEMENTING REGULATIONS; OR

(B) THE COVERED USER IS THIRTEEN YEARS OF AGE OR OLDER AND PROCESSING IS STRICTLY NECESSARY FOR AN ACTIVITY SET FORTH IN SUBDIVISION TWO OF THIS SECTION, OR INFORMED CONSENT HAS BEEN OBTAINED AS SET FORTH IN SUBDIVISION THREE OF THIS SECTION.

From https://www.nysenate.gov/legislation/bills/2023/S7695

So a lot of this bill depends upon whether a person is over or under the age of eighteen, or over or under the age of thirteen.

And that’s a problem.

How old are you?

The bill needs to know whether or not a person is 18 years old. And I don’t think the quartet will be satisfied with the way that alcohol websites determine whether someone is 21 years old.

From https://www.budlight.com/

This age verification method is…not that robust.

Attorney General James and the others would presumably prefer that the social media companies verify ages with a government-issued ID such as a state driver’s license, a state identification card, or a national passport. This is how most entities verify ages when they have to satisfy legal requirements.

For some people, even some minors, this is not that much of a problem. Anyone who wants to drive in New York State must have a driver’s license, and you have to be at least 16 years old to get a driver’s license. Admittedly some people in the city never bother to get a driver’s license, but at some point these people will probably get a state ID card.

You don’t need a driver’s license to ride the New York City subway, but if the guitarist wants to open a bank account for his cash it would help him prove his financial identity. By David Shankbone – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=2639495
  • However, there are going to be some 17 year olds who don’t have a driver’s license, government ID or passport.
  • And some 16 year olds.
  • And once you look at younger people—15 year olds, 14 year olds, 13 year olds, 12 year olds—the chances of them having a government-issued identification document are much less.

What are these people supposed to do? Provide a birth certificate? And how will the social media companies know if the birth certificate is legitimate?

Birth certificate of a B.H. Obama II. From https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/birth-certificate-long-form.pdf

But there’s another way to determine ages—age estimation.

How old are you, part 2

As long-time readers of the Bredemarket blog know, I have struggled with the issue of age verification, especially for people who do not have driver’s licenses or other government identification. Age estimation in the absence of a government ID is still an inexact science, as even Yoti has stated.

Our technology is accurate for 6 to 12 year olds, with a mean absolute error (MAE) of 1.3 years, and of 1.4 years for 13 to 17 year olds. These are the two age ranges regulators focus upon to ensure that under 13s and 18s do not have access to age restricted goods and services.

From https://www.yoti.com/wp-content/uploads/Yoti-Age-Estimation-White-Paper-March-2023.pdf

So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

  • An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.
  • A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

Is age estimation “good enough for government work”?

How Unusual Gambling Portals Drive the Need for Age Verification and Estimation

Gambling is becoming acceptable in more and more places.

When I was young, and even when I got older, the idea of locating a pro sports team in Las Vegas, Nevada was unthinkable. In the last few years, that has changed dramatically.

The Roblox “Robux” gambing lawsuit

Well, now that gambling for adults has become more and more acceptable (although adults in my home state of California still can’t gamble by phone), now attention is focusing on child gambling.

Designed by Freepik.

And no, the kids aren’t gambling U.S. currency, according to TechCrunch.

In a new class action lawsuit filed in the Northern District of California this week, two parents accuse Roblox of illegally facilitating child gambling.

While gambling is not allowed on the platform, which hosts millions of virtual games that cater to children and teens, the lawsuit points to third-party gambling sites that invite users to play blackjack, slots, roulette and other games of chance using Roblox’s in-game currency.

From https://techcrunch.com/2023/08/18/roblox-children-gambling-class-action-lawsuit-robux/?_hsmi=271025889

But the gambling sites’ terms of service prohibit underage gambling!

I’m not going to concentrate on Roblox here, but on the other defendants—the ones who actually operate the sites that allegedly allow child gambling.

The lawsuit specifically names RBXFlip, Bloxflip and RBLXWild as participants in “an illegal gambling operation that is preying on children nationwide.” 

From https://techcrunch.com/2023/08/18/roblox-children-gambling-class-action-lawsuit-robux/?_hsmi=271025889

But according to Bloxflip’s Terms of Service, it’s impossible that children can be using the site, because the Terms of Service prohibit this.

By accessing Bloxflip or using the Services, you accept and agree to our website policies, including these Terms of Service, and you certify to us that (i) you are eighteen (18) years of age or older, and are at least the age of majority in your jurisdiction, (ii) you are not a resident of Washington, (iii) you have the legal capacity to enter into and agree to these Terms of Service, (iv) you are using the Services freely, voluntarily, willingly, and for your own personal enjoyment, and (v) you will only provide accurate and complete information to us and promptly update this information as necessary to maintain its accuracy and completeness.

From https://bloxflip.com/terms
From https://bloxflip.com/terms

However, stating a minimum age in your TOS is even less effective than other common age verification methods, such as

  1. Asking your customer to check a box to say that they are over 18 years old.
  2. Asking your customer to type in their birthday.
  3. Requiring your customer to read a detailed description of IRA/401(k) funding strategies and the medical need for colonoscopies. (This would be more effective than the first two methods.)

A better way to verify and estimate ages

As more and more companies are realizing, however, there are other ways to measure customer ages, including a comparison of a live face with a government-issued identification card (driver’s license or passport), or the use of “age estimation” software to ensure that a 12 year old isn’t gambling. (And don’t forget that NIST will test age estimation software as part of its FATE testing.)

Even when the kids aren’t gambling legal currency.

The Great Renaming: FRVT is now FRTE and FATE

Face professionals, your world just changed.

I and countless others have spent the last several years referring to the National Institute of Standards and Technology’s Face Recognition Vendor Test, or FRVT. I guess some people have spent almost a quarter century referring to FRVT, because the term has been in use since 1999.

Starting now, you’re not supposed to use the FRVT acronym any more.

From NIST:

Face Technology Evaluations – FRTE/FATE

To bring clarity to our testing scope and goals, what was formerly known as FRVT has been rebranded and split into FRTE (Face Recognition Technology Evaluation) and FATE (Face Analysis Technology Evaluation).  Tracks that involve the processing and analysis of images will run under the FATE activity, and tracks that pertain to identity verification will run under FRTE.  All existing participation and submission procedures remain unchanged.

From https://www.nist.gov/programs-projects/face-technology-evaluations-frtefate
From https://www.nist.gov/programs-projects/face-technology-evaluations-frtefate

So, for example, the former “FRVT 1:1” and “FRVT 1:N” are now named “FRTE 1:1” and “FRTE 1:N,” respectively. At least at present, the old links https://pages.nist.gov/frvt/html/frvt11.html and https://pages.nist.gov/frvt/html/frvt1N.html still work.

The change actually makes sense, since tasks such as age estimation and presentation attack detection (liveness detection) do not directly relate to the identification of individuals.

Us old folks just have to get used to the change.

I just hope that the new “FATE” acronym doesn’t mean that some algorithms are destined to perform better than others.

By Flemish workshop – https://collections.vam.ac.uk/item/O72702/, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1174021

I Changed My Mind on Age Estimation

(Part of the biometric product marketing expert series)

I’ll admit that I previously thought that age estimation was worthless, but I’ve since changed my mind about the necessity for it. Which is a good thing, because the U.S. National Institute of Standards and Technology (NIST) is about to add age estimation to its Face Recognition Vendor Test suite.

What is age estimation?

Before continuing, I should note that age estimation is not a way to identify people, but a way to classify people. For once, I’m stepping out of my preferred identity environment and looking at a classification question. Not “gender shades,” but “get off my lawn” (or my tricycle).

Designed by Freepik.

Age estimation uses facial features to estimate how old a person is, in the absence of any other information such as a birth certificate. In a Yoti white paper that I’ll discuss in a minute, the Western world has two primary use cases for age estimation:

  1. First, to estimate whether a person is over or under the age of 18 years. In many Western countries, the age of 18 is a significant age that grants many privileges. In my own state of California, you have to be 18 years old to vote, join the military without parental consent, marry (and legally have sex), get a tattoo, play the lottery, enter into binding contracts, sue or be sued, or take on a number of other responsibilities. Therefore, there is a pressing interest to know whether the person at the U.S. Army Recruiting Center, a tattoo parlor, or the lottery window is entitled to use the service.
  2. Second, to estimate whether a person is over or under the age of 13 years. Although age 13 is not as great a milestone as age 18, this is usually the age at which social media companies allow people to open accounts. Thus the social media companies and other companies that cater to teens have a pressing interest to know the teen’s age.

Why was I against age estimation?

Because I felt it was better to know an age, rather than estimate it.

My opinion was obviously influenced by my professional background. When IDEMIA was formed in 2017, I became part of a company that produced government-issued driver’s licenses for the majority of states in the United States. (OK, MorphoTrak was previously contracted to produce driver’s licenses for North Carolina, but…that didn’t last.)

With a driver’s license, you know the age of the person and don’t have to estimate anything.

And estimation is not an exact science. Here’s what Yoti’s March 2023 white paper says about age estimation accuracy:

Our True Positive Rate (TPR) for 13-17 year olds being correctly estimated as under 25 is 99.93% and there is no discernible bias across gender or skin tone. The TPRs for female and male 13-17 year olds are 99.90% and 99.94% respectively. The TPRs for skin tone 1, 2 and 3 are 99.93%, 99.89% and 99.92% respectively. This gives regulators globally a very high level of confidence that children will not be able to access adult content.

Our TPR for 6-11 year olds being correctly estimated as under 13 is 98.35%. The TPRs for female and male 6-11 year olds are 98.00% and 98.71% respectively. The TPRs for skin tone 1, 2 and 3 are 97.88%, 99.24% and 98.18% respectively so there is no material bias in this age group either.

Yoti’s facial age estimation is performed by a ‘neural network’, trained to be able to estimate human age by analysing a person’s face. Our technology is accurate for 6 to 12 year olds, with a mean absolute error (MAE) of 1.3 years, and of 1.4 years for 13 to 17 year olds. These are the two age ranges regulators focus upon to ensure that under 13s and 18s do not have access to age restricted goods and services.

From https://www.yoti.com/wp-content/uploads/Yoti-Age-Estimation-White-Paper-March-2023.pdf

While this is admirable, is it precise enough to comply with government regulations? Mean absolute errors of over a year don’t mean a hill of beans. By the letter of the law, if you are 17 years and 364 days old and you try to vote, you are breaking the law.

Why did I change my mind?

Over the last couple of months I’ve thought about this a bit more and have experienced a Jim Bakker “I was wrong” moment.

I was wrong for two reasons.

Kids don’t have government IDs

Designed by Freepik.

I asked myself some questions.

  • How many 13 year olds do you know that have driver’s licenses? Probably none.
  • How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.
  • How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

Even at age 18, there is no guarantee that a person will have a government-issued REAL ID.

So how are 18 year olds, or 13 year olds, supposed to prove that they are old enough for services? Carry their birth certificate around?

You’ll note that Yoti didn’t target a use case for 21 year olds. This is partially because Yoti is a UK firm and therefore may not focus on the strict U.S. laws regarding alcohol, tobacco, and casino gambling. But it’s also because it’s much, much more likely that a 21 year old will have a government-issued ID, eliminating the need for age estimation.

Sometimes.

In some parts of the world, no one has government IDs

Over the past several years, I’ve analyzed a variety of identity firms. Earlier this year I took a look at Worldcoin. While Worldcoin’s World ID emphasizes privacy so much that it does not conclusively prove a person’s identity (it only proves a person’s uniqueness), and makes no attempt to provide the age of the person with the World ID, Worldcoin does have something to say about government issued IDs.

Online services often request proof of ID (usually a passport or driver’s license) to comply with Know your Customer (KYC) regulations. In theory, this could be used to deduplicate individuals globally, but it fails in practice for several reasons.

KYC services are simply not inclusive on a global scale; more than 50% of the global population does not have an ID that can be verified digitally.

From https://worldcoin.org/blog/engineering/humanness-in-the-age-of-ai

But wait. There’s more:

IDs are issued by states and national governments, with no global system for verification or accountability. Many verification services (i.e. KYC providers) rely on data from credit bureaus that is accumulated over time, hence stale, without the means to verify its authenticity with the issuing authority (i.e. governments), as there are often no APIs available. Fake IDs, as well as real data to create them, are easily available on the black market. Additionally, due to their centralized nature, corruption at the level of the issuing and verification organizations cannot be eliminated.

Same source as above.

Now this (in my opinion) doesn’t make the case for Worldcoin, but it certainly casts some doubt on a universal way to document ages.

So we’d better start measuring the accuracy of age estimation.

If only there were an independent organization that could measure age estimation, in the same way that NIST measures the accuracy of fingerprint, face, and iris identification.

You know where this is going.

How will NIST test age estimation?

Yes, NIST is in the process of incorporating an age estimation test in its battery of Face Recognition Vendor Tests.

NIST’S FRVT Age Estimation page explains why.

Facial age verification has recently been mandated in legislation in a number of jurisdictions. These laws are typically intended to protect minors from various harms by verifying that the individual is above a certain age. Less commonly some applications extend benefits to groups below a certain age. Further use-cases seek only to determine actual age. The mechanism for estimating age is usually not specified in legislation. Face analysis using software is one approach, and is attractive when a photograph is available or can be captured.

In 2014, NIST published a NISTIR 7995 on Performance of Automated Age Estimation. The report showed using a database with 6 million images, the most accurate age estimation algorithm have accurately estimated 67% of the age of a person in the images within five years of their actual age, with a mean absolute error (MAE) of 4.3 years. Since then, more research has dedicated to further improve the accuracy in facial age verification.

From https://pages.nist.gov/frvt/html/frvt_age_estimation.html

Note that this was in 2014. As we have seen above, Yoti asserts a dramatically lower error rate in 2023.

NIST is just ramping up the testing right now, but once it moves forward, it will be possible to compare age estimation accuracy of various algorithms, presumably in multiple scenarios.

Well, for those algorithm providers who choose to participate.

Does your firm need to promote its age estimation solution?

Does your company have an age estimation solution that is superior to all others?

Do you need an experienced identity professional to help you spread the word about your solution?

Why not consider Bredemarket? If your identity business needs a written content creator, look no further.