Spotify picks Yoti for age verification, estimation amid UK’s OSA growing pains

Spotify has implemented age assurance in the form of facial age estimation and ID verification with face biometrics, both from Yoti, to comply with the UK’s Online Safety Act.
Users who are not estimated to be 18 years of age or older will have the option to complete age verification with an ID scan and selfie biometrics. Those who are unable to confirm their age with the system will face account deactivation, and eventually deletion.
In the event of an inaccurate age estimation that the user does not follow by performing age verification, the account will be deactivated, but the user will have 90 days to reactivate it and go through verification with an ID document.
Spotify does not require users to complete age assurance to use the app, but rather if they access certain content or features, “like Music videos that are labeled as 18+ by rightsholders.” Once an age check has been triggered, however, the user will have to prove they are at least 13 years old to comply with Spotify’s age minimum.
Age assurance checks up, along with VPN use and investigations
Yoti told Biometric Update that its traffic grew by 25 percent when the OSA took effect last Friday, and the following day as well.
Similarly, the number of age checks OneID is carrying out has spiked to a million per day, with more than 2 million new users signing up for the service. The company says the rollout of age verification technology is “a real-world test of its resilience, reliability, and, most importantly, how secure it makes the user feel.”
The number of age checks each day has increased by 5 million, according to figures from Age Verification Providers Association (AVPA) Executive Director Iain Corby reported by The Guardian.
Not all sites are complying, however. Investigations into 34 pornographic websites operated by four companies have been opened by Ofcom for allegedly failing to comply with their age checking responsibilities under the OSA.
The regulator already has ongoing active investigations of a suicide discussion forum, 4Chan, seven file-sharing services, a pornographer and a “nudify” site operator.
Virtual private network use has also spiked, as people in the UK attempt to bypass age checks. Four VPN apps are in the top five for free downloads from the Apple App Store, and Proton, the most popular of them, reports downloads have jumped by 1,800 percent.
Breach fears and a demand for repeal
Civil society advocates and members of the public are displeased, but some of the objections raised draw equivalencies that indicate a lack of understanding about how the technology works.
The Consumer Choice Center warns of a “global cost” to the OSA. The organization’s Head of Emerging Technology Policy James Czerniawski refers to the increase in VPN use and the data breach including selfies and photos of government-issued ID documents at “dating safety” app Tea as evidence of “some of the serious challenges presented by age verification online.”
The Tea breach illustrates the risk of “hard identity verification,” Czerniawski argues, though he avoids mentioning that unlike Tea, online service providers typically do not store the data collected for third-party age checks, or that some of the methods accepted by Ofcom do not involve identity verification.
The organization’s UK Country Associate Mike Salem claims that “it’s only a matter of time” before authorities begin discussing banning VPNs.
“If the government wants to have a positive impact in keeping kids safe online, it starts with making sure it’s enforcing existing laws already on the books,” Czerniawski says, apparently meaning laws other than those concerning age restrictions for access to goods and services.
Potentially even worse than the personally identifying data breached by Tea are over a million direct messages, some of which contain highly personal information about unfaithful spouses, past abortions, phone numbers and social media handles, HackerNoon reports.
The Center for Democracy & Technology also refers to the Tea breach, which CDT’s Kate Ruane says will become the norm due to the proliferation of age assurance laws around the world.
“When apps collect sensitive identifying information like users’ images or drivers’ licenses to comply with age verification laws, they risk this kind of breach, which endangers privacy, safety, and dignity,” Ruane argues.
But “this kind of breach” was enabled by the startup that operates Tea breaking its commitments to delete user verification data, and instead storing it insecurely, which Business Insider reports has sparked two class-action lawsuits.
If people using age assurance software find that they are making the same mistakes, lawsuits will follow.
In the meantime, a petition demanding the government repeal the OSA has surpassed 455,000 signatures as of Thursday morning, far beyond the 100,000 necessary to trigger consideration for a debate in parliament.
“The Government has no plans to repeal the Online Safety Act, and is working closely with Ofcom to implement the Act as quickly and effectively as possible to enable UK users to benefit from its protections,” says the response from the Department for Science, Innovation and Technology.

There is zero chance or reason to “ban VPNs”.
Good quality VPNs are a smart option for more secure connections to the Internet (avoid most cheap and free ones if you value your data).
I am not a lawyer but Ofcom does have powers to block access to non-compliant sites using “access restriction orders” under Section 146 of the Act. It appears theoretically to be able to require VPNs available to UK users to assist with that, with a court order. Ofcom can also impose requirements on providers of “access facilities” to limit access to non-compliant services. An “access facility” can include VPN providers or DNS providers, among others, as defined in Section 144 (11).
But it's more likely to seek enforcement against any adult site that is no longer “not normally accessible to children” if lots of them are using a VPN, because it has better powers to go after them, including blocking payments, hosting, search etc. usually offered by reputable companies who will cooperate – not all VPNs would fall into that category.
For completeness, Age Assurance providers don’t retain data – it makes no commercial, legal or operational sense.
Random new apps doing DIY ID checks may do so – use them with caution.