Age assurance standards progress towards consensus, away from ‘biometrics’
Age assurance processes like facial age estimation do not require the isolation and processing of personal identifiers, unlike biometric identification. This means that facial age estimation does not necessarily involve “special category data” under GDPR, panelists argued during a presentation at the Global Age Assurance Standards Summit.
The Summit is being held in Manchester, England, and brings together regulators, policy-makers, age verification and estimation providers, businesses offering age-restricted goods and services, and advocates for privacy, child protection and several other related interests.
Age Check Certification Scheme Founder and CEO Tony Allen gave an overview of the ISO/IEC 27566 series of standards, which are currently in development. The standards are at various points in the formulation process, Allen explains, with a steady stream of comments being submitted and considered.
Those on the working groups are considering questions like how to bind a characteristic to an individual, and whether the EU Digital Identity Wallet is a primary or secondary credential.
The ISO 27566 standards family recognizes five levels of confidence, from self-attestation to detailed multi-factor checks. The draft standards define the levels, but do not provide any examples for which is appropriate in a particular situation. One of the challenges attendees are grappling with at the event is how to measure the different levels.
The nuances of accuracy must be measured, Allen points out. If nine out of ten checks are effective, but the tenth is wildly wrong, then the method is not appropriate for some applications.
The preliminary work on the standard is largely complete, including the framework (part 1), but provides little specifically about how age assurance should be carried out. Part 2 covers benchmarks and part 3, which remains in preliminary form, addresses issues around interoperability, technical architecture and use guidelines.
As the standardization process unfolds, it should help guide the work of certification bodies, while also allowing businesses to “describe their product in a way their customers will understand, in a way that’s consistent,” Allen says.
A draft international standard should be ready for publication around April or May of next year.
Age Verification Providers Association Executive Director Iain Corby presented an overview of the euCONSENT project.
euCONSENT is a consortium searching for a method of reusable, interoperable age assurance method, Corby explains. With the conclusion of the grant program that was used to establish the program, the euCONSENT consortium members have formed the euCONSENT ASBL, which holds the euCONSENT project’s intellectual property. An advisory board including trade bodies and academic representatives was established to guide the organization’s work.
“Our academics were particularly skeptical about the age verification industry when we began,” Corby says, noting the risks of teaching children to overshare information online and of age verification becoming a barrier between children and the internet.
Corby describes the process created by euCONSENT as one of “redirection” based on eIDAS, which allows individuals to refer the decisions of bodies approved at the country level to an authority in a different country. The system involves the user accepting a token stored on their device, which can be seen from a shared domain to confirm that an age check with a particular provider has been passed. The subsequent check may or may not involve user authentication.
The two euCONSENT pilots involved children and parents from several EU countries navigating five dummy websites through different age assurance and parental consent providers. The first pilot found user experience challenges, but the “missions” participants were asked to complete were successful in 86 percent of attempts in the second trial, which Corby says is a successful demonstration of the concept.
Parental consent proved difficult to make reusable, but Corby note that existing regulations like the U.S. COPPA applies little focus to ensuring that the adult giving consent is the parent of the child on whose behalf they are interacting. A standard for parental consent may be needed.
Biometrics vs Anthropometrics
A discussion at the Summit explored the terms “Biometrics vs. Anthropometric” in the context of ISO/IEC 27566. The difference between the two may need to be considered by regulators, participants say.
Biometrics are “unique measurable biological traits for identification,” whereas anthropometrics are “physical body measurements,” according to one.
The question of privacy standards was raised early and often. Special category data is not only confined to that which can be used to identify a person, but also data that can reveal characteristics like ethnicity or health, a representative of Spain’s data protection agency pointed out. If the person or any of these characteristics can be identified, then the regulatory protection applies, whether or not the system being evaluated is intended to reveal them.
Because people’s ears and noses grow differently than other facial features, facial age estimation can rely on those features, in contrast to the data that makes up templates for biometric identification or authentication. Thus, even if a template for age estimation is created and stored, it is not likely to be as useful for extracting the information which would classify it as special category data, one speaker argued.
The discussion turned to whether age assurance standards should differentiate between biometrics and anthropometrics. Multiple speakers said they should, with the absence of a need for stored templates for age estimation being a major reason why.
This raises the question of how the specific age estimation technology is implemented, however.
Standards around image quality and bias could apply in the same, or at least a similar way, because both biometric and anthropometric processes start with the collection of an image.
The concept of a “privacy budget” was raised during the conversation in regards to concepts like the risk of facial data used in processing and then immediately discarded being intercepted.
Ultimately, as one commenter noted, the term “anthropometrics” may have staying power, AVPA Chief Technology Strategist Mark Roberts says, because “the word biometrics has sort of hijacked the potential anonymity that can exist in the space, and we need to backtrack because a lot of people get skittish when it comes to their perceived anonymity being lost.”
Article Topics
Age Check Certification Scheme (ACCS) | age estimation | age verification | anthropometrics | AVPA | biometrics | euCONSENT | Global Age Assurance Standards Summit | ISO standards
Comments