Yoti brings selfie age verification to Instagram in US pilot
London-based identity and biometrics firm Yoti has partnered with Instagram to provide face-based age verification for users in the U.S. in certain circumstances as part of a pilot. Vouching has also been added, alongside the existing ID upload route.
Instagram and Facebook have 13 as the minimum age for users, higher in countries where local law requires it. Proving identity has always been a problem and Instagram has been using AI to develop a general understanding of age based on behavior and links to Facebook accounts, but admits children get around these.
This new pilot applies only to the U.S. and only to users attempting to edit their date of birth in account settings from currently under 18 to an age over 18. This will trigger the need to verify their age through Yoti’s facial analysis, having their age (not necessarily date of birth) vouched by three contacts already confirmed as over 18 and not already vouching for someone else, or via the existing option of uploading identity documents or similar.
The approach is unlikely to appear in Europe where companies cannot collect data on users until they are 16. Yet even the U.S. cutoff of 13 will mean those under that age and already account holders could be undergoing facial analysis if claiming to be 18 or over. For example, German authorities have approved Yoti products for giving access to 16+ web content.
The new facial analysis route for Instagram begins a video selfie process where users are asked to make simple movements to camera such as turning left or right. An image from the video is shared with Yoti, but no biographic details accompany it. Yoti analyses the facial features and returns an age estimate to Instagram.
There is no mention of parental consent and it is not clear what happens if the age estimate is below 13 or minimum age in the user’s jurisdiction, as the pilot is focused on determining whether a user is over 18.
Yoti deletes the image as soon as it completes the age estimation, the company confirmed to Biometric Update. There are no specifics for the deletion time at the Meta end, but for the ID upload route, any document shared is deleted within 30 days. It is also not clear what, if any, information is shared back to other Meta-based accounts linked to the holder.
“It’s testament to the robustness of our technology that one of the biggest companies in the world is choosing to use our solutions,” Chris Field, CMO at Yoti told Biometric Update via email. “Hugely exciting!”
Yoti’s May 2022 white paper on its products states its face estimation is performed by a neural network trained for facial age estimation.
“Our technology is accurate for 6 to 12 year olds with a mean absolute error (MAE) of 1.36 years and of 1.52 years for 13 to 19 year olds. These are the two age ranges regulators are most focused upon in order to ensure that under 18s do not have access to age restricted goods and services.”
Its other measure is True Positive Rate (TPR), the probability that an actual positive will test positive, such as an 18-year-old being correctly estimated to be under 23, notes the white paper.
“Our True Positive Rate for 13-17 year olds being correctly estimated as under 23 is 99.65 percent. This gives regulators a very high level of confidence that nobody underage will be able to access adult content. Our TPR for 6-11 year olds being correctly estimated as under 13 is 98.91 percent.”
There are in the region of 120 million Instagram users in the U.S., according to Statista, predicted to reach 127 million in 2023. Over two thirds of global users are 34 or under, with 8.9 percent in the 13 to 17 category.
There are key differences between Instagram accounts for users above or below 18. For those deemed minors, accounts default to private accounts which means adults who are not followed by the account user cannot send them messages. It also limits what types of advertising can be sent to minors. Account holders registered as adults and wanting to change their age to below 18 already have to show ID.
As the Wall Street Journal uncovered last year, Facebook (now Meta) already knew how toxic Instagram is for young users, particularly teen girls. The new age verification steps do not tackle the mechanisms which deliver harmful content to young users.
The euCONSENT scheme is trialing a system for embedding age verification – with parental control for children – into users’ web browsers to allow smooth access to websites and counts Yoti among its partners.
I am not sure it is accurate to report that “The approach is unlikely to appear in Europe where companies cannot collect data on users until they are 16”.
Under GDPR, children under ages between 13 and 16 (it varies between EU Member States) cannot give consent under Article 8 to their data being processed without their parent or legal guardian’s consent as well. BUT consent is only one lawful basis for processing personal data.
The UK Information Commissioner went as far as to issue a formal legal opinion that when processing data for the purposes of age assurance, this is permitted on the basis of the public interest.
In any case, an age estimation algorithm does not actually process any personal data. Biometric data is defined differently in different laws, but the common factor is that you are identified or authenticated through your unique physical characteristics or behaviour. Under GDPR, biometric data is special category data and the GDPR definition of biometric data is:
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Age estimation using facial analysis doesn’t involve the processing of special category data: since the data that is processed cannot be used to allow or confirm the unique identification of a person, it is not classified as biometric data, let alone special category data. Therefore, only the principles under Art 5, and the lawful bases under Art 6, apply to the processing of data for age estimation. There’s no need for explicit consent to process the data.
Recital 51 makes clear the position on photographs:
“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person”.
Age-estimation technology via facial analysis works by estimating the age of a face based on a photo of that face. This can be considered biometrics as per the general definition, given it is an analysis of physical features. It does not though identify or authenticate the individual, it only estimates an age. Therefore it is not legally special category biometric data under GDPR.