Thoughts from our CEO

profile picture Rachael Trotman 9 min read
Thoughts from our CEO, Robin Tombs - November 2024

In this blog series, our CEO Robin Tombs will be sharing his experience, whilst focusing on major themes, news and issues in the world of identity verification and age assurance.

This month, Robin chats about why Yoti facial age estimation is not easy to spoof, the UK Government’s Draft Statement of Strategic Priorities for online safety, the rise of AI voice cloning and the importance of supplementary codes for digital identity.

 

Facial age estimation is not easy to spoof

There was understandable scepticism from Rachel Burden and some listeners on BBC Radio 5 Live breakfast this month about how facial age estimation can be so accurate at estimating the age of say 16 year olds and whether it will be easy to spoof.

According to the US National Institute of Standards and Technology (NIST), Yoti has the most accurate facial age estimation at estimating the age of 13-16 year olds. And the Age Check Certification Scheme (ACCS), who the Australian Government has just awarded the lead role in the upcoming Australian Age Assurance Trials, recently certified Yoti’s facial age estimation model as having a Mean Absolute Error (MAE) of just over 1 year when estimating a diverse group of male and female 18 year olds.

Yoti’s own accuracy rates show a MAE for 16 year olds of 0.9 years when tested on a diverse set of 10,283 anonymised faces with verified age. So it’ll be easy for 100% of adults to use facial age estimation to prove they’re over 13.

Over the last six years, we’ve done over 700 million privacy-preserving age checks for some of the world’s biggest social media, vaping, gaming, adult content and dating brands. Every single image was instantly deleted once the age was estimated.

It’s very difficult for a young child or teenager to spoof or trick Yoti facial age estimation by presenting photos of adults, or even smart techy teens to beat our service with injection attacks. It’s also simple for businesses to do a surprise facial age estimation check – a further step to help protect underage users.

Understandably no one sounds dumb claiming some kids will be able to get around some laws, including age verification, but over time it will become clear to a very wide audience that beating world-class facial age estimation is very difficult.

There will be lots more independent testing of facial age estimation over the coming weeks and months, including the Australian Age Assurance Trials, after which it will be hard to doubt the accuracy of this technology.

Given how many global vendors and age check methods have already been tested by ACCS over the last 4 years, the Australian Government is clearly very serious about optimising these age trials, the results of which are likely to have a global regulatory impact.

 

UK Government publishes their Draft Statement of Strategic Priorities

This month, the UK Government published their Draft Statement of Strategic Priorities for online safety. Reading the priorities, it is clear the Government’s mood music has changed regarding online safety and they expect Ofcom to enforce the Online Safety Act promptly and effectively.

Over recent months, lots of child safety advocates have been warning that Ofcom doesn’t look like it will be swift and rigorous in enforcing its duties and powers to protect children from online harm. More recently the new Government has added its voice to those concerns.

Both before and after Melanie Dawes, CEO of Ofcom, bizarrely told Radio 4 in July 2024 that facial age estimation doesn’t work very well on children, Yoti has been explaining that facial age estimation can be highly effective for preventing most under 13s from accessing 13+ websites and apps, without teenagers needing to submit ID documents.

When challenged on the CEO’s claim, Ofcom provided no scientific evidence to support it. By the end of 2024, there will be compelling independent evidence that facial age estimation is highly effective for 13+/- age gating with further evidence captured during the Australian Age Assurance Trials in early 2025.

What we didn’t expect was the news this month that Peter Kyle has activated the Government’s special powers under section 172 of the Online Safety Act (OSA) to set Ofcom five strategic priorities. The first priority is ensuring safety is baked into platforms in order to prevent online harms such as suicide, self harm and violence. After a relatively short consultation period, the Government can designate the statement and Ofcom must explain within 40 days how it will adhere to the statement.

The Telegraph reports that “this will mean rigorous enforcement of the over 13 age limit from next year, with millions of underage children being stripped of their social media accounts if necessary.”

Kyle said tech firms claim the technology is not yet available to provide the highly effective age checks required to enforce the 13+ limits required under the OSA but that he’s confident age checks can be made more robust.

There is a lot more to digest in the Government’s Draft Statement of Strategic Priorities for online safety, such as beefed up powers to prevent initiate image abuse whereby companies will need to proactively use software to prevent unconsented intimate images being published rather than just being taken down after being flagged.

 

AI voice cloning outpacing the law

Since 2021, Yoti has been briefing our customers on the rise of deepfakes and AI cloning, and that it would not be long before it would become very difficult for most people to spot deepfake voices and videos.

Yoti clients have been protected from deepfake selfie attacks presented to a screen using our MyFace liveness service for many years. In January 2022 we added protection against injection attacks when we released our patented SICAP (Secure Image Capture And Processing) service.

Yoti MyFace with SICAP ensures the selfie captured from an individual looking into their phone or laptop camera is the selfie used for an age or identity check – including a facial age estimation or matched to an ID document ensuring the correct account holder is presenting the document.

Yoti SICAP is one of very few injection attack detection services that is tested in the wild 24×7 by ethical hackers through a bounty programme. This programme is independently operated by leading IT network security business HackerOne.

Independent testing is hugely reassuring to our customers because it:
removes their need to engage internal or external specialists to test SICAP for weaknesses
gives small and large customers confidence that they are well protected against deepfakes

Many people – including David Attenborough as reported in The Guardian – reading the press this year understandably are worried that quite soon no-one will be able to trust whether individuals in a video are genuine or deepfakes.

But it’s not all doom & gloom – there are some great businesses who are investing in technology to protect against deepfakes.

 

The importance of supplementary codes

The Office for Digital Identities and Attributes (OfDIA) published a good blog on the importance of supplementary codes. These codes will give those that rely on digital identity services reassurance that specific extra requirements have been followed. For instance, this might be to meet specific regulatory compliance or government guidance in certain sectors.

OfDIA defines supplementary codes as “sets of rules that codify these extra requirements so far as they relate to digital verification. This means services can be certified as fulfilling them alongside the rules in the main trust framework.”

The codes are written by OfDIA in collaboration with expert stakeholders and then independently certified against, just like the core Digital Identity & Attributes trust framework (DIATF).

The first three codes (introduced in April 2022) and developed in collaboration with the Home Office & Disclosure and Barring Service (DBS) with input from ID providers and industry, enable digital right to work, right to rent and criminal record checks to be completed remotely. The impact of these three codes has been huge. Hundreds of thousands of these quicker, more convenient and cheaper checks are being completed every month in a competitive market by 50 ID providers, on behalf of many thousands of businesses. At Yoti alone, we complete over 100,000 of these digital identity checks every month.

OfDIA clarifies that supplementary codes will not be needed for every use case or sector. The trust framework sets stringent rules and builds in flexibility to meet the needs across most sectors of the UK economy.

For example, an online marketplace could use a certified digital ID to complete identity checks on sellers. This type of identity check is clearly higher than a platform simply asking a seller for a copy of their ID document (which could easily be fake, fraudulent or tampered with).

But there are some big regulated sectors in the UK where a supplementary code would unlock significant benefits for customers and businesses, and make identity and financial fraud much harder.

The finance sector is a prime example. They need a code to cover remote ID checks within eKYC and AML. At the moment the FCA has been mute on the use of UK Government certified reusable digital IDs within KYC processes, despite DIATF being live and proven for two and half years. Today, businesses can still ask customers for a photocopy or picture of a driving licence, but this method is open to spoofing.

Regulatory consistency together with a few smart supplementary codes is a low cost way for the new UK Government to unleash more innovation and competition. This will increase choice and convenience for citizens, businesses and drive down costs.

With the Online Safety Act starting to be enforced in 2025, Ofcom has clearly stated reusable digital IDs and facial age estimation can be highly effective age checks. And these age methods can be used online for any age-restricted products. But despite the clear science, neither method can be used to buy alcohol in licensed premises and neither may be recognised methods in the new Tobacco and Vapes Bill.

By the end of 2025, millions of adults will have proved their age using facial age estimation or a reusable Digital ID. But age checking regulations across industries may still be glaringly inconsistent.

Keep reading

An image of Dorothy Gordon, who is smiling at the camera. The accompanying text says "Meet the Guardians: Dorothy Gordon".

Meet the Guardians: Dorothy Gordon

At Yoti, our Guardian Council is an independent board of advisors, helping us to navigate the complex world of identity. We spoke with our newest Guardian, Dorothy Gordon, to find out what drew her to our Guardian Council.   1) Why did you decide to join Yoti’s Guardian Council? I found the concept of a Guardian Council really engaging. It’s not often that companies attempt such a thing – inviting people from outside the company to help ensure they’re acting in a trustworthy and transparent way. There are many social enterprises out there that say that they’re doing something

7 min read
Young girl looking at smartphone

Yoti responds to the Draft Statement of Strategic Priorities for online safety

This week, Peter Kyle, Secretary of State for the Department of Science, Innovation and Technology, published a letter of proposed strategic priorities for online safety. We welcome the draft statement, which highlights the five areas the government believes should be prioritised for creating a safer online environment. These areas are: safety by design, transparency and accountability, agile regulation, inclusivity and resilience, and technology and innovation. Peter Kyle also made a strong statement that when the Online Safety Act comes into force, Ofcom will have his full support and will expect them to be assertive. He said, “The powers that

8 min read
An image of Robin with accompanying text that reads "Thoughts from our CEO, Robin Tombs, October 2024".

Thoughts from our CEO

In this blog series, our CEO Robin Tombs will be sharing his experience, whilst focusing on major themes, news and issues in the world of identity verification and age assurance. This month, Robin gives a summary of the upcoming legislation for online porn in France, responds to Ofcom’s claims that facial age estimation is not effective for under 13s, and looks at the upcoming Digital Information and Smart Data Bill.   French regulator introduces age checks for online adult content Big news this month that Arcom, the French regulator responsible for online porn, has announced the date that platforms

8 min read