Privacy-preserving facial age estimation
As a parent, one wants young people to thrive and access the best of the online world. But the ease with which very young people can stumble across or access restricted, inappropriate or explicit content concerns me greatly. In my role as Chief Regulatory and Policy Officer, I engage with regulators, businesses, politicians, charities and parents every day. I hear and read stories of young people who have been negatively impacted by what they have seen and experienced online; and see that whilst for many there are positive experiences, it is the vulnerable who are the hardest hit. It’s time for a reset to address how best to support all young people online. Thanks to the introduction of the Children’s Code here in the UK and the recently passed Louisiana Age Verification law and California’s Age Appropriate Design Code Act, we are starting to see positive changes. Along with the much anticipated Online Safety Bill, regulators and companies are now seriously looking at the role age assurance can play in providing children and young people with safer, more positive and age-appropriate experiences. However, some people still think or try to assert that suitable privacy-preserving age assurance methods do not exist. There are some who think the only way to effectively prove our age online is to use an ID document or credit card. This is a truly outdated viewpoint, and simply isn’t true. The people making these statements are stuck in the past. Of course someone might still choose to use an ID document, mobile phone number or a credit card to prove their age online. But not everyone has access to these approaches, and there’s a lot of people who do not feel comfortable sharing this information online. There are now certified privacy-preserving methods which do not require individuals to share personal details like their name, address or passport number. Facial age estimation is one such method, built to give everyone a secure way to prove their age without sharing their name or ID document. It accurately estimates someone’s age from a selfie, and most importantly, as soon as their age has been estimated the image is permanently deleted. There is no central database of images, it is not facial recognition and we are not sacrificing our privacy for convenience. Facial age estimation is being used globally at scale by a wide range of social, gaming, ecommerce, adult, gaming and retail organisations. Platforms like Instagram, Facebook Dating, Yubo and OnlyFans are using facial age estimation to help create age-appropriate experiences. The technology can handle tens of millions of age checks every day, and if required, we can double, triple or even quadruple this. Privacy-preserving facial age estimation is proving to be popular with individuals too. When presented with a choice of using an ID document or facial age estimation to verify their age on Instagram, 81% are choosing to use our technology. Once the age of an individual has been assessed, a platform can act in the best interests of that child or adult. In practical terms that could be to turn off notifications late at night, not allow geolocation tracking, turn off age inappropriate advertising or profiling, provide support which is age appropriate. It becomes possible to prevent children from being contacted by over 18s, or from seeing explicit, inappropriate content. Facial age estimation can play an important role in protecting young people and improving online safety – and it’s already being used everyday to help create age-appropriate experiences. But this is just the beginning. There’s still a long way to go but as a parent, it’s reassuring to know that the technology does exist to protect young people online. I’m very proud to be working for a company that has developed technology which can have such a positive impact in creating a safer digital world.
Our age assurance solutions are approved by German regulators KJM and FSM to protect young people online
We’re excited to announce that The Commission for the Protection of Minors in the Media (KJM) has approved our facial age estimation tool (formerly known as Yoti Age Scan) to be used in the German market to protect young people online. You can read the KJM press release here. This follows our approval from the German Association for Voluntary Self-Regulation of Digital Media service providers (FSM) in 2020, which allowed German people to use digital age estimation and age verification technology for the first time ever to access digital adult content. You can read the FSM seal text here. Positive approval by KJM for our age estimation technology It’s the first time KJM has approved an age assessment tool built using machine learning, heralding it as “an important sign for the future”. Using our age estimation technology, businesses can give customers secure access to age-restricted content without sharing personally identifiable information or an ID document. Dr. Marc Jan Eumann, chairman KJM: “Artificial intelligence is finding its way into almost all areas of our life. There is still great untapped potential here to protect children and young people online. “Yoti Facial Age Estimation” is the first AI age assessment approach that we have approved. We welcome that this tech can be used to protect children and young people.” Under the regulation, businesses must set an age range threshold with a five year buffer. This means that for services which require you to be 18 or over, our technology must recognise a user to be at least 23 years old. Regulatory approval from the FSM for adult content Our facial age estimation tool and Digital ID app have already been approved by the FSM as solutions for proving age on adult content sites in Germany. Citizens accessing adult content will be directed to a page where they can either scan a QR code with their Yoti app to privately share their age attribute, or give access to the camera on their device which will anonymously estimate their age in seconds. The age threshold will be set by the German regulator and will be reviewed periodically. More information on our solution for secure age assurance can be found here. We’ve had brilliant feedback from the FSM’s Martin Drechsler, who believes “the innovative mechanism that Yoti has developed opens up new paths for modern and effective protection of minors in Germany. The approach can also give positive impulses to content providers and open up new ways of cooperation – which we as FSM are happy to support”. In the words of our CEO Robin Tombs, “We have been extremely impressed by the rigorous, scientific review of the FSM and the expert team who have audited our age assurance offerings over the last months. We are delighted to be awarded the Seal of Approval from the FSM to offer our age estimation and age verification solutions for youth media protection in the German market place.” Yoti is delighted to be working with the FSM (The German Association for Voluntary Self-Regulation of Digital Media service providers (FSM e.V.) dedicates itself primarily to youth protection and combatting …). Within the German system of regulated self-regulation introduced by the Youth Media Protection State Treaty (JMStV) in 2003, the FSM is a recognised self -regulatory body for the area of telemedia in Germany. We’re keen to help other regulated markets where age assurance is needed. We look forward to serving adult content providers, wider organisations and consumers in the German market, keeping young people safe and preserving their privacy. In years to come, age estimation AI and digital ID age verification will become globally the most popular, private and trusted way of checking age. Age verification Age verification is a legal requirement for many businesses to ensure they are not selling age-restricted goods or services to minors. In face-to-face transactions, this often involves checking a passport or driving license. Online, it is much harder to carry out robust age checks in a way that doesn’t compromise privacy. Common methods range from asking users to tick a box, enter their date of birth or make a payment with a credit card. The need for robust, privacy-preserving age verification methods in the online space is no more clearly highlighted than in the recent calls to protect young people from accessing adult content sites. As world leaders of identity verification technology, Yoti has developed anonymous age estimation technology that enables people to be age checked without an ID document, and age verification technology through our Digital ID app. Age estimation technology – how it works Our facial age estimation technology allows anyone to be age checked by just looking into a camera on a device. Facial analysis technology creates a biometric template of the face, which it compares to thousands of previous photos it has studied through machine learning and gives an estimated age. We’ve built the solution to be anonymous. Users are not individually identifiable as there is no way to link an image to a person or an identity. We have developed our technology as ethically as possible and communicate openly about how we use biometric technology. We have also shared our approach to age estimation in roundtable sessions with civil bodies and have undertaken an Algorithm Impact Assessment with IEEE Expert Dr Alison Gardner, Keele University. Accuracy The age threshold can be configured by a business in the same way that a “Challenge 30” rule may be operated in a supermarket. The technology has been proven to be much more accurate than humans, estimating 13-19 year olds within circa 1.55 years of accuracy. For more accuracy rates, head to our regularly-updated white paper. Age verification with Yoti Digital ID Those who look under the age threshold will be asked to prove their age with the Yoti app, which enables citizens to create a verified Digital ID with a government-issued ID document and a biometric selfie video. The onboarding process takes up to five minutes and involves a series of checks that Yoti carries out with leading technology and expert security personnel to ensure the document is valid and belongs to the person uploading it. Once verified, users have a reusable digital ID that they can use to verify themselves with businesses and individuals. Thanks to a data minimisation approach, users can share just a verified age, such as “Over 18”, rather than their entire date of birth or ID document. This age token is shared with a site and is valid for up to two weeks. Both parties have an audit trail of exactly what data has been shared and the relying party will have access to anonymised metadata such as “18+ from driving license”. If you’re interested in our age solutions, please get in touch.
Developing age estimation technology to tackle grooming online
Last month, Yoti Guardian Gavin Starks chaired our third stakeholder roundtable on the next proposed stage of the development of our age estimation technology. We brought together fifty five guests from seven countries, including representatives from 5rights, Apps for Good, Be In Touch South Africa, Breck Foundation, Caribou Digital, CyberSafeIreland, Digital Policy Alliance, FSM Germany – Freiwillige Selbstkontrolle Multimedia-Diensteanbieter, GoBubble, IEEE, Interactive Software Federation of Europe, International Committee of the Red Cross, Internet Commission, Internet Watch Foundation, Irish Data Protection Commission, Keele University, KJM German Federal Agency for the Protection of Minors, London School of Economics, Marie Collins Foundation, Media Monitoring Africa, NSPCC, Obidos Consulting, OFCOM, PA Consulting, Parent Zone, Point de Contact France, Public.io, Sprite+, techUK, Thai Government, The Football Association, UK Government Cabinet Office, UK Government Department of Digital, Culture, Media & Sport, UK Information Commissioner’s Office, UKCCIS, UNESCO, War Child, WePROTECT. Roundtables on our age estimation technology We ran our first roundtable ahead of launching age estimation two years ago. The second roundtable introduced the concept of extending our age estimation to a younger demographic. That is now a reality with our age estimation accurate to within approximately ±1.5 years for the 13-25 age group, as you can read in our latest age estimation white paper. During the third roundtable we recapped the journey to date and outlined the current work on age estimation and in particular the two campaigns from our ICO Sandbox work that we launched on Safer Internet Day, 9th Feb, 2021. Safer Internet Day 2021 We’re currently working in the ICO Sandbox with partners including GoBubble child-content moderation SaaS (GoBubbleWrap) and British Esports to extend the range to be able to estimate ages under 13. As part of this work, we have launched two campaigns: 1. Education campaign and video competition Based on the Unicef policy guidance on AI for children, this competition seeks to help young people understand: How age estimation is built, including training, tagging, testing. The ethical considerations, including dataset consent, diversity, transparency, no recognition just analysing an image – when it estimates age) Where the technology can help keep young people safe. Education materials we have developed include: Education Videos explaining AI age estimation under the hood Interactive Game – pit yourself against the computer Video to show what anti-spoofing means Interactive demo – to try it out – have your age estimated Videos of age estimation in use 2. #Share2Protect In parallel via the #share2 protect campaign, we’re offering an opt-in way for parents and young people to support the development of the age estimation by sharing a photo to build a consented data set. The extended AI age estimation approach will support content platforms to meet regulatory requirements, such as the Age Appropriate Design Code, to protect children from unwanted intrusions, inappropriate content and minimise the risk of grooming. We give the final word to those who are supporting this vitally important work. Supported by Our campaign is supported by many key figures in the child online protection space. Lorin LaFave, Founder Breck Foundation: “Keeping children safer online is a collective priority for all of us, from the developing tech solutions to the education of children, parents and schools. By parents safely sharing their children’s photos today for Yoti to create better age verification techniques, children will have a safer and healthier online future.” Tink Palmer, MBE CEO Marie Collins Foundation: “The Marie Collins Foundation fully endorses the #share2protect campaign. We work with the victims of online abuse and know the harm caused to children and young people. This initiative by Yoti needs to receive the full support of parents wherever they live in the world.” John Carr, Online Safety Expert: “We need tech solutions which enable people of all ages to be able to prove their age safely, not just people with ID documents. This work through the ICO Sandbox could support many platforms to meet their obligations.” If you’d like to support the consented development of age estimation, please head to the support age estimation website for more information or get in touch to hear more.
Helping to protect kids this Safer Internet Day and beyond
Ahead of the Age Appropriate Design Code, many companies are looking at how to provide age-appropriate services, messaging, content and, crucially for parents, how to deter grooming. We are working in the ICO Sandbox with partners including child-content moderation SaaS GoBubble (GoBubbleWrap), to further develop our privacy-preserving age estimation technology so that it can accurately estimate the age of children under 13. This vital ICO Sandbox partnership will offer child-centric content moderation with global scalability on a Software as a Service (SaaS) basis. This will include privacy information and accessible parental consent mechanisms, including the option to use age estimation for parental consent. ‘Share to protect’ with Yoti’s privacy preserving age estimation Our age estimation technology can currently estimate the age of 13-25 year olds within 1.5 years of accuracy. But obtaining verified training data for under 13s is hard due to legal barriers, making it tricky to ensure solutions work for children. The ICO is working with Yoti to tackle this challenge and with your help, we can expand our technology to provide leading accuracy and protect 7-12 year olds. Parents can opt in to support the development of our age estimation by sharing a photo of their child to build a consented data set. We’re doing this to support content platforms in meeting regulatory requirements and protect children from unwanted intrusions, inappropriate content and minimise the risk of grooming. More about the tech Yoti age estimation was built to give everyone a secure and private way of proving their age, without revealing any other personal information. All a person needs to do is look into the camera, have their face scanned and their age will be estimated in seconds. The technology is based on a technique known as a neural network, which Yoti has trained to estimate ages using machine-learning AI. We input verified data, including an individual’s photo, month and year of birth, and the system keeps on learning and improving. Is this facial recognition? No, it does not match faces. The technology simply estimates an age from a face without personal details. There’s no image or data held after the check. Helping parents and children understand AI We know that AI technology can be hard to understand, which is why we’re launching our Education Campaign and video competition. Based on the Unicef policy guidance on AI for children, we hope our competition will teach young people about: How age estimation is built, including training, tagging, testing. The ethical considerations, including dataset consent, diversity, transparency and facial recognition versus just analysing an image. Where the technology can help keep young people safe. Lorin LaFave, Founder of the Breck Foundation, strives to educate the digital generation to keep safe online as they play virtual or in real life: “Keeping children safer online is a collective priority for all of us, from the developing tech solutions to the education of children, parents and schools. By parents safely sharing their children’s photos to create better age verification techniques, children will have a safer and healthier online future.” Tink Palmer, MBE CEO Marie Collins Foundation: “The Marie Collins Foundation fully endorses the Share to protect campaign. We work with the victims of online abuse and know the damage caused to children. This initiative by Yoti needs to receive the full support of parents wherever they may live in the world.” John Carr, Online Safety Expert, Secretary of the UK Children’s Charities’ Coalition on Internet Safety and member of the Executive Board of the UK Council for Child Internet Safety: “We need tech solutions which enable people of all ages to be able to prove their age safely, not just people with ID documents. This work through the ICO Sandbox could support many platforms to meet their obligations.” Julie Dawson, Director of Regulatory & Policy at Yoti: “People share photos of their children all the time; we’d encourage them to share a photo to help protect children online. We are delighted to be working with edtech and child safety organisations to provide education materials and we hope to inspire parents to share a photo to improve age estimation for the under 13 age group.”
It’s my health: a global Code of Practice for sharing personal health credentials
As governments across the globe look to ease the restrictive measures placed on individuals during the COVID-19 pandemic, the need for a secure way to share personal health information has become clear. Individuals that present reasonable evidence that they pose a low risk of transmitting the COVID-19 (either they have recovered or have a recent test indicating they’re not currently infected), need a secure and trustworthy way of proving this information in order to return to work, board a flight or return to some specific, limited access venues and activities. We believe that abiding by a Code of Practice is the right approach to ensure that personal health information is shared in a secure, privacy-preserving way, and can be trusted as an accurate representation of an individual’s health status. Code of Practice As such, we have drafted a proposed Code of Practice, which serves as an initial framework for the secure sharing of health data for a range of purposes, including creating a Health Test Credential. The key organisations covered by these standards are those that: test and issue test results or certificates; provide the Health Test Credential; and require information on an individual’s health status. The pillars of the Code are; Trusted identity verification of individuals Trusted and transparent health testing of individuals by authorities Trusted storage of credentials or Health Data Trusted presentation and transfer of Health Test Credentials Privacy requirements Yoti’s COVID-19 Pledge Yoti is uniquely positioned to issue digital credentials to the public at scale through the free Yoti app. We are currently working with the NHS to remotely issue digital staff ID cards and have the system architecture in place to issue third-party credentials from a verified authority. The Yoti app has always been free for individuals and we are also offering as part of our COVID-19 pledge issuing COVID-19 test results to the Yoti app is free for both individuals and verified testing organisations (such as health laboratories, clinics and pharmacists) receiving COVID-19 test results is free for organisations; our API integrations are free for organisations. The Yoti app is currently in English, French and Spanish, and with more languages being added as we grow. Yoti can support the granularity of the specific test results, whether that is detection viral RNA, antigens or antibodies using a swab or blood test, the credential issuer, and the duration of the test result stored securely in the individual’s secure digital wallet. Call for collaboration Given the global nature of the coronavirus pandemic, it is clear that any framework governing the secure share of personal health information must be developed collaboratively. We have drafted what we believe to be the fundamental pillars to ensure that health data is handled securely, for the intended and declared purposes, and is valid, trustworthy and an accurate representation of an individual’s health status. We have shared this draft Code with experts and we welcome more feedback from health organisations and civil society bodies. You can read the full version of the Code of Practice here.
Good Practice Guide (GPG) 45
At the end of 2019, the GPG (Good Practice Guide) 45 was updated by the GDS (UK Government Digital Services). The guidance on how to check and verify someone’s identity now reflects new methods, such as reading the biochip in ID documents, such as an e-passport. The GPG 45 is also technology neutral as it is out-comes focused, rather than process-focused. As a digital identity provider, we help organisations meet low and medium levels of assurance when checking identity, and we can also support organisations that need to meet a high level. We’re looking forward to the imminent publication of the new GPG 44 standard. We have seen a draft and we think it’s an excellent guide for the authentication of users. How does the GPG 45 work? The revised GPG 45 is a very useful practice guide in terms of enabling identity providers to check identity. An identity is a combination of characteristics that identifies a person. A single characteristic is not usually enough to tell one person apart from another, but a combination of characteristics might be. The GPG 45 guidance can help you check the identity of a customer, employee, or someone acting on behalf of a business. By successfully checking someone’s identity, you can be confident that you’ll give the right people access to the right things. The number of synthetic (or made up) and stolen identities being used to commit identity fraud in the UK is growing every year. Some of the most common reasons people or criminal groups commit identity fraud are to access services or benefits they’re not entitled to, steal personal, medical or financial information from other identities, enable organised crime or avoid being detected by the police and other authorities. Checking identities in a consistent way will reduce the chance that one person or service does less effective identity checks than others. This helps protect against identity fraud. It also means that there will be fewer people or services with less effective identity checks that could be targeted by identity fraud. How to check someone’s identity We need to know the ‘claimed identity’ of the person we’re checking. This is a combination of information (such as someone’s name, date of birth and address) that represents the characteristics of whoever a person is claiming to be. When we have this, we can find out if the person is who they say they are. The ‘identity checking’ process under GPG45 is made up of 5 parts: get evidence of the claimed identity; check the evidence is genuine or valid; check the claimed identity has existed over time; check if the claimed identity is at high risk of identity fraud; check that the identity belongs to the person who’s claiming it. Building an identity profile Doing different parts of the identity checking process helps us build up confidence in an identity so we can be sure someone is who they say they are. There’s a score for each part of the identity checking process. How much confidence we have in an identity depends on how many pieces of evidence we can collect, which parts of the identity checking process we do and the scores for each part of the identity checking process. The different combinations of scores are known as ‘identity profiles’. Each identity profile relates to one of the following levels of confidence – low, medium, high or very high. We aim to get a higher level of confidence in someone’s identity if your service is at high risk of identity-related crime. Our confidence in a person’s identity can increase over time if we do extra checks or collect more evidence. Which profile to choose? At Yoti, we focus primarily on low and medium confidence levels, as these are the profiles that most organisations ask for. However, we’re also happy to support organisations looking for high confidence. 1) Low confidence in the person’s identity Compared to not doing any identity checks, having low confidence in the person’s identity will lower the risk of you accepting either synthetic identities or impostors who are not close friends or family of the identity they’re pretending to be. By meeting this identity profile, we know each piece of evidence appears to be genuine, are confident that the claimed identity exists in the real world, have made sure your service has reduced the risks of any known identity fraud associated with the claimed identity and have checked the person going through the identity checking process matches the photo or biometric information that’s shown on the evidence. 2) Medium confidence in the person’s identity Compared to low confidence, having medium confidence in the person’s identity will lower the risk of accepting synthetic identities or accepting impostors who are not close friends or family of the identity they’re pretending to be or who do not look like the identity they’re pretending to be. By meeting this identity profile, we know that very strong evidence of the claimed identity exists, know the evidence is genuine and valid, have checked the claimed identity exists in the real world, have made sure we have reduced the risks of any known identity fraud associated with the claimed identity, be confident the person going through the identity checking process matches either the photo or biometric information that’s shown on the evidence. The revised GPG 45 will accompany a new UK government-backed digital identity trust framework to be issued soon. Once published, we will engage a qualified auditor to assess our compliance.