Facial age estimation spoof, VPN bypass claims called into question

Reports of the defeat of facial age estimation technology may be greatly exaggerated, and UK children have not flocked to VPNs to bypass age checks, according to new research.

An Australian 13-year-old named Isobel says she was able to spoof Snapchat’s age estimation system with a photo of her mother, and she’s heard of someone else using Beyonce’s image, the BBC reported on Sunday. The youth trashed Australia’s planned restrictions on young people using social media as unworkable and ill-advised.

Yoti CEO Robin Tombs called out the responses from Snap Inc and k-ID (one of Snap’s age assurance suppliers, along with bank age verification provider ConnectID) to the report, which did not make clear that biometric liveness detection aligned with ISO/IEC 30107 is considered table stakes for age assurance implementations.

But it turns out the BBC did not share details of the incident it was reporting with Snap or K-ID. When it did, K-ID said Isobel’s tale is “extremely improbable” as its presentation attack detection (PAD) technology can spot still images. The comment is included in an update, but the article does not make clear that it was updated, or what changed.

So did BBC confirm Isobel’s claim? It does not say.

Tombs points out in a separate LinkedIn post that PAD tests against the ISO standard start with photo attacks, and iBeta Level 1 confirmation requires the technology to detect 100 percent of such attacks.

A lack of biometric liveness detection is also the flaw in AVS Group’s age verification process that prevents it from being “highly effective” and earned it a fine growing from a base of £1 million in the UK.

K-ID’s age estimation capability is provided by Privately. Privately CEO Deepak Tewari confirmed to Biometric Update in an email that his company uses both active and passive liveness checks, making it highly unlikely that a user would be able to bypass it with a photo.

The Guardian reports a 15-year-old Australian has also passed an age estimation check on Snapchat.

Tombs notes in a subsequent post that the standard for social media companies is “to make reasonable efforts — but not to 100 percent perfection — to delay access until individuals are 16+.” That means a few social media users who are 14 and 15 will get through, “but they won’t be able to chat on that social media site with most of their same aged friends.”

VPN spike ‘not attributable to children’

VPN use rose significantly in the UK earlier this year, and did so in response to the Online Safety Act so that internet users can evade its restrictions, many said at the time. Not so, according to Childnet, which surveyed UK children and parents in November and found that the change “is not attributable to children.”

The adoption of VPNs by children has stayed fairly consistent over the past year, the survey found. Only 2 percent more children began using VPNs three months prior – as the OSA was taking force – than a year ago. While 16 percent of children say they use VPNs to get around parental controls and 10 percent say they use them to view content that is considered age-inappropriate, the main reasons given are to protect online privacy or watch content available only in other geographies.

Childnet CEO Will Gardener notes on LinkedIn that Internet Matters drew similar conclusions from a report with different methodology.

Article Topics

age verification  |  Australia  |  Australia age verification  |  biometric liveness detection  |  biometrics  |  facial age estimation (FAE)  |  presentation attack detection  |  spoofing  |  VPN (virtual private network)