FB pixel

Age assurance standards progress towards consensus, away from ‘biometrics’

Age assurance standards progress towards consensus, away from ‘biometrics’
 

Age assurance processes like facial age estimation do not require the isolation and processing of personal identifiers, unlike biometric identification. This means that facial age estimation does not necessarily involve “special category data” under GDPR, panelists argued during a presentation at the Global Age Assurance Standards Summit.

The Summit is being held in Manchester, England, and brings together regulators, policy-makers, age verification and estimation providers, businesses offering age-restricted goods and services, and advocates for privacy, child protection and several other related interests.

Age Check Certification Scheme Founder and CEO Tony Allen gave an overview of the ISO/IEC 27566 series of standards, which are currently in development. The standards are at various points in the formulation process, Allen explains, with a steady stream of comments being submitted and considered.

Those on the working groups are considering questions like how to bind a characteristic to an individual, and whether the EU Digital Identity Wallet is a primary or secondary credential.

The ISO 27566 standards family recognizes five levels of confidence, from self-attestation to detailed multi-factor checks. The draft standards define the levels, but do not provide any examples for which is appropriate in a particular situation. One of the challenges attendees are grappling with at the event is how to measure the different levels.

The nuances of accuracy must be measured, Allen points out. If nine out of ten checks are effective, but the tenth is wildly wrong, then the method is not appropriate for some applications.

The preliminary work on the standard is largely complete, including the framework (part 1), but provides little specifically about how age assurance should be carried out. Part 2 covers benchmarks and part 3, which remains in preliminary form, addresses issues around interoperability, technical architecture and use guidelines.

As the standardization process unfolds, it should help guide the work of certification bodies, while also allowing businesses to “describe their product in a way their customers will understand, in a way that’s consistent,” Allen says.

A draft international standard should be ready for publication around April or May of next year.

Age Verification Providers Association Executive Director Iain Corby presented an overview of the euCONSENT project.

euCONSENT is a consortium searching for a method of reusable, interoperable age assurance method, Corby explains. With the conclusion of the grant program that was used to establish the program, the euCONSENT consortium members have formed the euCONSENT ASBL, which holds the euCONSENT project’s intellectual property. An advisory board including trade bodies and academic representatives was established to guide the organization’s work.

“Our academics were particularly skeptical about the age verification industry when we began,” Corby says, noting the risks of teaching children to overshare information online and of age verification becoming a barrier between children and the internet.

Corby describes the process created by euCONSENT as one of “redirection” based on eIDAS, which allows individuals to refer the decisions of bodies approved at the country level to an authority in a different country. The system involves the user accepting a token stored on their device, which can be seen from a shared domain to confirm that an age check with a particular provider has been passed. The subsequent check may or may not involve user authentication.

The two euCONSENT pilots involved children and parents from several EU countries navigating five dummy websites through different age assurance and parental consent providers. The first pilot found user experience challenges, but the “missions” participants were asked to complete were successful in 86 percent of attempts in the second trial, which Corby says is a successful demonstration of the concept.

Parental consent proved difficult to make reusable, but Corby note that existing regulations like the U.S. COPPA applies little focus to ensuring that the adult giving consent is the parent of the child on whose behalf they are interacting. A standard for parental consent may be needed.

Biometrics vs Anthropometrics

A discussion at the Summit explored the terms “Biometrics vs. Anthropometric” in the context of ISO/IEC 27566. The difference between the two may need to be considered by regulators, participants say.

Biometrics are “unique measurable biological traits for identification,” whereas anthropometrics are “physical body measurements,” according to one.

The question of privacy standards was raised early and often. Special category data is not only confined to that which can be used to identify a person, but also data that can reveal characteristics like ethnicity or health, a representative of Spain’s data protection agency pointed out. If the person or any of these characteristics can be identified, then the regulatory protection applies, whether or not the system being evaluated is intended to reveal them.

Because people’s ears and noses grow differently than other facial features, facial age estimation can rely on those features, in contrast to the data that makes up templates for biometric identification or authentication. Thus, even if a template for age estimation is created and stored, it is not likely to be as useful for extracting the information which would classify it as special category data, one speaker argued.

The discussion turned to whether age assurance standards should differentiate between biometrics and anthropometrics. Multiple speakers said they should, with the absence of a need for stored templates for age estimation being a major reason why.

This raises the question of how the specific age estimation technology is implemented, however.

Standards around image quality and bias could apply in the same, or at least a similar way, because both biometric and anthropometric processes start with the collection of an image.

The concept of a “privacy budget” was raised during the conversation in regards to concepts like the risk of facial data used in processing and then immediately discarded being intercepted.

Ultimately, as one commenter noted, the term “anthropometrics” may have staying power, AVPA Chief Technology Strategist Mark Roberts says, because “the word biometrics has sort of hijacked the potential anonymity that can exist in the space, and we need to backtrack because a lot of people get skittish when it comes to their perceived anonymity being lost.”

Related Posts

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News

 

BorderAge promises 100% anonymous age assurance with hand gesture modality

Imagine a magician who waves their hands not to conjure a white rabbit, but to provide age assurance without collecting…

 

euCONSENT’s tokenized age verification set for PoC at upcoming age assurance summit

The European Union has its own ideas about how age assurance should be carried out for restricted online services, and…

 

Humanity Protocol launches Humanity Foundation ahead of ‘big moves’

Humanity Protocol, one of the emergent contenders in the market for proof of personhood (PoP), has announced the launch of…

 

J.P. Morgan adds 2 biometric authentication terminals to payments ecosystem

J.P. Morgan Payments (JPM) has announced the release of two new proprietary biometric payments terminals for retail, restaurant and entertainment…

 

Prove acquires reusable digital ID verification firm Portabl

A post on Prove’s blog says the acquisition of digital ID startup Portabl “will enable Prove to enhance its industry-leading…

 

Socure: Nation-state fraud ramping up in 2025

Socure, a leading digital identity verification platform, believes 2025 will be the breakout year for digital identity verification in the…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events