Yoti says no biometric data in age estimation tech, takes issue with UK ICO opinion
At issue is compliance with the UK GDPR regulation, which classifies biometric data as “special category data,” and sets stringent controls on its use, especially when collected from children.
Yoti says its technology “does not create or use biometric facial geometry,” referring readers to a white paper the company produced on how age estimation can be performed in a way that preserves the subject’s anonymity. The algorithm does not identify the user in initial or subsequent submissions, or recognize when an image is submitted from a person who has been through the process before, according to the post.
This means that Yoti’s age estimation does not involve special category data, in the company’s opinion, and that of external lawyers the company sought opinions from.
An explainer video produced by South Africa’s Be in Touch details the process Yoti’s technology uses, and the difference between facial analysis and facial recognition. The same difference also applies to 1:1 matches, as in biometric facial authentication.
Yoti also published a blog post earlier this month arguing that its sophisticated age estimation methods provide a better, anonymity-protecting method than the ID document and selfie biometric checks often used for online verifications.
ICO opinion paper
The UK Information Commissioner’s Office (ICO) published an opinion paper on ‘Age Assurance for the Children’s Code,’ which states that age estimation “may” be based on biometric data. The ICO later clarifies that age estimation may use biometric data to uniquely identify an individual, in which case it counts as special category data. The Children’s Code, also known as the Age Appropriate Design Code, provides a statutory code of practice for providers of online services likely to be accessed by children.
The ICO also states that the privacy protections of biometrics-based age estimation could be improved with rigorous data minimization and purpose limitation techniques.
Biometrics could still be allowed for age estimation under the “substantial public interest” clause in Article 9 of the UK GDPR, so long as conditions for the “safeguarding of children” in Section 10 are met.
Yoti “cautiously welcomes the Opinion,” but complains that it “does not clearly explain when age estimation uses biometrics” or when it does not. According to the biometrics and age estimation provider, the ICO missed an opportunity to make clear that data processed is only special category data if it is collected for the purpose of identifying someone.
The company particularly objects to a statement in the ICO paper’s Annex 2, which generalizes about the accuracy of all age estimation technologies, saying “There is little evidence for the effectiveness and accuracy of these emerging approaches.”
The ICO’s guidance concludes that age estimation technology is an important tool for mitigating online risks, and has launched a call for evidence as it works with OFCOM and other government bodies to work towards a coherent set of regulations and best practices for protecting children online.