Age estimation gets OK from Spanish regulator as part of ‘cumulative’ approach

How to use “probabalistic or estimative methods” such as age estimation for personal data processing while complying with the GDPR? Spain’s Agencia Española de Protección de Datos (AEPD) aims to answer that question in a post on its blog, as age estimation, age assurance and digital identity tools become integrated into more and more processes.

“From recommendation systems that suggest relevant products or content to targeting solutions that cluster users given their predicted features or preferences, probabilistic methods are at the heart of many of the current digital services and applications,” says the post.

False negatives, false positives and prediction errors are risks, no matter how small. “Using probabilistic methods to process personal data may lead to non-compliance with the GDPR, particularly in terms of the accuracy principle and meeting the requirements to pass an effectiveness test successfully,” says the post.

But probabilistic methods as part of a larger system are okay, as long as “data processing is executed with the operations required to detect and manage the inaccuracies or errors produced by probabilistic operations in specific cases.”

That said, AEPD goes into detail on the National Institute of Standards and Technology’s (NIST) first public report from the FATE Age Estimation and Verification (AEV) track.

“The results obtained with six different solutions show how accuracy and effectiveness are strongly influenced by algorithm, gender, image quality, region of birth, age itself, and interactions between those factors,” it says. “There is no uniformly better algorithm, and algorithms behave differently across all these factors.”

So, can safeguards to protect children from being exposed to certain content, services, contracts or goods on the Internet be based exclusively on facial age estimation? “The most likely answer would be no.” But users partially rely on age estimation and probabilistic methods? “A case-by-case evaluation should always be necessary,” says AEPD, “but if the rest of the principles and obligations included in the GDPR are met, the most likely answer would be yes – as one more operation in the context a data processing that fulfils the specified purpose of accurate and effective age assurance.”

VerifyMy urges Ofcom to adopt the Spanish view on age estimation

VerifyMy turns its lens on the AEPD in its own blog post, “Bridging the gap: How Spain’s AEPD are navigating age assurance in the digital age.” Noting that digital regulators are often hampered by creaky statutes that are ill-adapted to the online world and its rapid pace, it calls the EU’s GDPR “a unique example of a law that was created specifically for the digital environment,” and says it is “interesting to track how well it copes with advances in technology.”

Lauding the AEPD’s blog and its argument for biometric technologies, particularly age estimation, as a “great example of how the law can keep pace with innovation.” VerifyMy concedes that “on the face of it, GDPR presents a problem for estimation, as the law requires that if a company is going to hold personal data, it has a duty to ensure it is accurate and to correct errors.”

Yet while age estimation is probabilistic, methods are now considered to be highly accurate; VerifyMy notes its own certification by the Age Check Certification Scheme to EAL level 3, “the highest possible for age estimation.” The firm urges Ofcom to look closely at the Spanish regulator’s stance on a “cumulative approach” that includes age estimation and a backup option.

“We hope Ofcom takes note of this, as their current proposal for enforcing minimum ages for social media to prevent children under 13 from opening accounts decided against requiring any age assurance.”

Biometrics Institute Congress to host talk on online safeguards for children

In October, representatives from Meta, Ofcom, NIST and other organizations will gather at the Biometrics Institute Congress in London to discuss the latest threats, best practices and how biometrics can safeguard children.

“Face analysis technology has the potential to make a significant impact in protecting vulnerable individuals,” says Isabelle Moeller, CEO of the Biometrics Institute. “However, it’s essential to approach this with caution, continuously test the technology across age groups and populations, and prioritize privacy and ethical considerations.”

A recent Biometrics Institute On the Pulse Conversation hosted execs from Yoti, Unissey, Incode and Jumio to discuss the latest advancements in face analysis for age assurance.

WaPo reporter brings fears about age assurance to podcast

In an episode of the Marketplace podcast, Washington Post tech reporter Drew Harwell doubles down on his recent article suggesting age assurance providers are shady operators simply because their brand names are unfamiliar to most.

Responding to a question about the “little cottage industry” that has spring up around age verification, Harwell says “these are companies you’ve never heard of. There’s Yoti, Incode, VerifyMyAge. They’re all basically middlemen. Companies like Facebook and Instagram and TikTok will pay these contractors to run the age check. I think one thing that people are a little unnerved by is that these are companies that are not household names that are now this very important, you know, verification layer, where they’re the ones getting a scan of your face or your ID, and you don’t really know exactly what they’re doing with the data besides what they promise.”

Among arguments that “there’s a lot of bad stuff on social media, but also for 15-year-olds in this country, it’s a place where they talk to their friends, where they learn about their world, where they catch up on the news, where they, you know, get involved with politics and organizing,” one absolute certainty emerges from the shadows: Harwell could learn more about the companies he reports on by reading Biometric Update.

Article Topics

AEPD  |  age verification  |  biometrics  |  Biometrics Institute  |  digital identity  |  Face Analysis Technology Evaluation (FATE)  |  face biometrics  |  facial age estimation (FAE)  |  GDPR  |  VerifyMy