E-scooter fatality shows gap in remote ID check process for age restrictions
The unfortunate death of a 12-year old boy in England has highlighted the difficulties with enforcing age restrictions using remote processes, and raised the possibility that biometric authentication may be more widely needed.
The e-scooter rented by the youth was supposed to be restricted to riders 18 years and above, but a 14-year old friend of the boy transferred an account with e-scooter rental company Voi to him using a verification code sent to the mobile device it was created on, the BBC reports.
Onfido provides face biometrics for identity verification during the onboarding phase, but the subsequent verification of the device for account-sharing, and lack of authentication for each rental transaction, created a gap exploited with deadly consequences.
Then-Chief Product Officer Kevin Trilli said when the trial was launched that identity verification was critical for “preventing the service from being exploited and misused by those that are not eligible during these important trials.”
The family of the boy who died has told the court that facial recognition should be implemented in a way that ensures users are old enough.
“We are aware of an incident involving one of our partner customers,” an Onfido representative wrote to Biometric Update in an email. “Onfido currently provides identity verification for onboarding at account creation for legitimate users of that partner customer, but not authentication services.”
“Trust is at the core of what we do at Onfido, and we take security extremely seriously. Although working with our customers and partners to maintain the highest security levels is a priority, it’s important that every business adopts best practice, such as using biometric verification as two-factor authentication, to minimise risk.”
Voi says it will review the process for renting its e-scooters to consider further measures.
“This is a tragic accident and our thoughts are with the family of Mustafa at this very distressing time,” a Voi spokesperson wrote in an email to Biometric Update.
“People under the age of 18 cannot legally access our scooters. We have an extra ID verification check in place over and above Department for Transport requirements, to prevent misuse of our e-scooters by people younger than 18 years old.
“We will review the conclusions of the coroner and work with the Department for Transport to see if there is anything more we and the industry can do to ensure underage people aged do not ride e-scooters.”
The company also points out in the email that the incident is the sole underage fatality out of more than 125 million journeys made on its e-scooter.
Putting the brakes on underage riders
Even the implementation of selfie biometrics for every rental transaction may not have worked, given the effort that went into avoiding the restrictions, Biometrics Institute CEO Isabelle Moeller says.
“Biometrics can be used for access control and to verify a person’s identity, but what happens after a scooter is released to a ‘legitimately verified’ individual using facial recognition technology?” Moeller writes in an email. “It doesn’t sound like the face recognition that is technologically practical today would have prevented this particular case. The identity of the person who rides the scooter is beyond reasonable control, unless technology is installed that constantly monitors renters. Is the introduction of facial recognition the best way to achieve the desired outcome given the privacy impacts, and that it presents only a partial solution to this problem?
“There are so many different use cases for biometrics, and before implementing or adapting any biometrics system, a robust process to establish whether biometrics are the best way forward is essential. Systems must only be used in ways that are consistent with the law and that respect people’s privacy. At the Biometrics Institute our best practice tools help organisations assess the risks of using biometrics so they can develop strategies for managing those risks.
“Our Good Practice Framework (GPF) does just that. Universal in application, it can assist someone with even a limited knowledge of biometrics in procuring, upgrading or expanding a system, providing an overview of what they need to consider. And it’s underpinned by the Three Laws of Biometrics that state biometric systems should be designed, built, introduced and operated with policy first, followed by process and only then, technology. When looking at selfies and digital onboarding, there are key issues to consider which our Digital Onboarding and Biometrics paper outline. And just because we can introduce new innovations, without due diligence that does not mean we should.”