Pretty much all of the conference over the last few days. When we're talking about wallets, most people pretty much think of adults as using these, but anyone has a guess as to the percentage of the people who are online today that are actually under the age of 18. How many of our online users, any guesses?
Well, it's 30%. So 30% of all of the people online are actually under 18. And frequently they're in all of those sites and areas where we don't want them or don't expect them to be. And this is creating quite a problem for many platforms and many organizations because you can't legally enter into a contract in many situations under the age of 18. So there's risks in certain terms of contract content, contact conduct for minors and across the world, governments have really different views as to what you can and should be doing at different ages.
So there's an age of digital consent and an age of biometric consent, which is really variable around the world. So about a decade ago in the, in the gambling arena was the first area which really started to look at both K-Y-C-A-M-L and age checking at the point of accessing gambling and wind forward over this last decade. You have huge Swedes of regulation referring to what is age appropriate. So the Digital Services Act specifically looks at age appropriate design, as does the better Internet for Kids strategy in Australia.
Similarly, they've got a whole RAF regulation coming through under the eSafety Commissioner in the uk. The Online Safety Act is requiring platforms to know the age of their users and design in an age appropriate fashion on the back of the age appropriate design code. There's 144 res coming through or being battled with arm wrestling in the US at different states which refer to age, either for social media, for adult content or age appropriate design codes.
So how can platforms and organizations deal with this? That's what we're going to look at. And my role is at yoti Regulatory and Policy.
We do do a raft of other things other than age. So we do do reusable identity, one-off identity, e-signatures, anti spoofing credentials, but we're not gonna talk about those. We're just gonna focus on age. I've taken part in the standards development for age assurance since 2018. So first of all, there was a publicly available specification. The IEE age assurance spec was voted in last week and there's an ISO going through and an Etsy underway. So lots happening in this area, but where is our AI approaches? And then some of the other approaches around age assurance, where are they deployed?
So there's a whole range of different sectors through from government level, what is the age of a victim and perpetrator in CSA through to dating sites, working with MU dating, the largest Muslim dating site, social media, immersive environments, EdTech, but also retail, physical retail and e-commerce and adult sites.
So yeah, both on devices in epos, electronic point of sale, you've got things coming through that are starting to be on handsets. And then very much the vast bulk is on a SaaS basis.
So these are just a range of organizations that we are working with globally through from social media sites, gaming, gambling, retail, adult, and this is growing. We are one of the age verification providers, association members. I serve as the on the executive of that group. Well over a billion age checks undertaken in this last year. And how are they happening?
Well, a whole range of different ways for the people on the planet that own an ID document and are over 18 lots and lots of different options. So from an ID document, as everybody knows here, it could be a one-off identity verification check where just the data minimized over 18 is shared, could be the reusable apps.
Then there could be other sources.
However, then you're looking at what is the authentication? If somebody's putting the credit card, is it your kid that's got that from your wallet With a mobile phone network operator at the moment, there's not great external review as to how many mobile network operators know who is an adult and who actually is a child because most of the contracts are paid for by the parents or the handsets are handed down and that transition could happen anywhere in the contract. So there's question marks as to whether re authentication should be required. There's new methods coming through.
How long is a social media account, what else are you doing online? What other things clues are are are being picked up on as well as access to EID systems, access to open banking, where they exist and specifically biometrics. The one I'm gonna talk a little bit more about is the facial age estimation.
And that is the one that we're finding is take having the most take up from platforms, but classically a whole range of different options will be offered.
And if you think choice for the consumer is super important, really very much so in this area, you need to offer consumers a range of options. And we would always suggest that relying parties do AB testing and check what works in each jurisdiction for the demographic that they're looking at. Really different if you're talking about dating in Brazil versus gaming in in Japan. So you have to look at the range of options and through one portal normally access a whole range of them. The ID verification, obviously everybody here is, is aware of how that works.
The reusable apps, again, no need for much detail obviously sometimes they want a selfie liveness check and that can be obviously incorporated in the flow.
Sometimes you also need to do an e-signature augmented by one of these checks. So for content upload, for example, for adult content platforms, there are regs that have been brought in by the payment processes that you need to get an e-signature and an age check at the point of upload, plus those of six other people that might be in the content to meet the regulations a little bit more. Now on the facial age estimation.
So this crucially isn't a facial recognition, a liveness detection and then pixel level analysis of a face placing it in a frame. Crucially no pre-registration needed. And this has actually been reviewed most recently by NIST who's done a global benchmark of facial age estimation technologies. You're probably all aware of the benchmark they've done over the last few years with facial recognition. Last year they consulted, set up a totally new track on facial age estimation and just last week longer awaited the full results have been published.
We have a white paper on this where we publish specifically the mean absolute errors, false positives, false negatives, two positives, two negatives, standard deviations, the full shebang. And we do that from age six to age 70. But roughly you are talking about one to one and a half years of accuracy for your six to 18 year olds and two to four years for your sort of 18 upwards because we look after ourselves more or less well as we age, depending on lifestyle, et cetera, et cetera.
But what we do find is when you offer this range of methods, irrespective of whether it's dating or gaming or gambling or e-commerce or adult, that what we're seeing was quite counterintuitive of that whole range of methods. We thought that people would go if they had a reusable app with that or with one of the identity based solutions.
But by far and above, over 80% given a range of methods at the moment, are picking this one, which isn't always the highest revenue earner. But anyway, you have to go with what consumers want. It's very scalable. Takes about a second.
So this is how you're building it. Lots of images with face with month and year of birth, no other details, not date, not the exact date but month and year of birth. And then what the AI is doing is first of all that liveness detection, then looking back at all of the previous images, computing a result and crucially, instantly deleting the image. And what obviously is important for regulators is, is that external review that the image instantly deleted and the review of the accuracy, the false positive, false negative layers. But this is really scalable.
For example, for gaming companies we might be doing in in the millions per week of these tens of millions per day at at peaks, for example, in the Christmas gaming period, really, really high crucially. And the future of privacy forum has helped when many, many journalists get this totally wrong and think, oh, this is a facial recognition, central honeypot of data. It is just that detection and characterization. It's not a one-to-one or a one-to-many facial recognition.
How do we get our data set?
Well, as I described at the beginning, we are one of the reusable digital identity providers founded in 2014. So we've got over 15 million people that have set up a reus of digital id. We've been able to have a flow where people can opt out when they set up their app or subsequently from data collection. And through that we have these charts which are in the white paper. There's another one coming out in probably another three or four weeks. And we're always looking at what can we improve?
So if you look at the six to 13 year olds, that's probably the one where people thought, ah, this isn't going to be as accurate, but look you're under one year for the 11 year olds. Some of the demographics and we're continually looking at how do you make it balanced.
NIST is also looking at not just the Fitzpatrick tone scale, but also using country code as a proxy for skin tone, stroke, ethnicity. So that's one of the new innovations that vendors like ourselves will also be looking at. But how do you explain that clearly to the public?
It's quite simple to show that sort of gradation, but actually saying, well this is what it's like in Korea versus Iceland versus Mexico is a bit harder for people to understand. So we'll probably do both in our next white paper and then give summaries across the board of of accuracy the the slides will be uploaded and if anyone wants them after happy to to send them.
So a use case, a meta has rolled this out globally for when people are changing their age for under 18 to over 18. Similarly with Facebook dating, another example would be Lego that uses it for parental consent.
Are you over 25 and old enough to give verifiable present or consent? They call it a video selfie, but essentially it's the exact same thing. Somebody's just looking at the camera, takes about a second and gives the age result. Sometimes we need buffers. If you look at something that is regulated and in a country it's illegal to access it over a certain age given the fact it's an estimation technique, what regulators look at as well, what is proportionate at 18, if the accuracy is one to one and a half years and we wanna be really conservative, maybe we'll put the bar at 23 or 25.
The UK home office following the studies we did in supermarkets with the big supermarkets have said, we're probably gonna start at 30, we're gonna be really conservative, but anyone over 30 upwards at the self checkout can look, scan and go straight through.
And that for the supermarket is a big advantage rather than having everybody waiting to show their physical id. Those that are 18 to wherever the buffer kicks in could scan a code and share from a reusable wallet and over 18 and the rest that choose could have both options. The facial age estimation or scanning the code.
We've integrated this with NCR since about 2018 and quite a few of the big vendors for electronic point of sale. But the buffer comes down to the sector and the use case. So in Germany here we went through the regulatory body, the KJM and the FSM. So and the median bureau here in Germany, they set buffers for either three or five years for access to adult content.
Also important obviously is how good is the liveness detection, looking at that capture but also looking at could there be modification.
So looking at anti injection and we're hopeful that in the upcoming standards they'll go to this degree of granularity. However, we could be in a strange world where there's an absolute precision of what's being done here, but still the kid is is showing the dad's credit card. So it could be that there's a lot more scrutiny for this approach versus the traditional ones. These are the things that are being worked through by industry. So with facial age destination we would say you obviously need to have a liveness check. You should have it independently tested.
You've gotta think whether or not it needs a buffer and also have the anti injection attack to get to a higher level of assurance. And these are the things that we are reviewing with the expert groups that are looking at where should the levels be, what should the false positives, the false negatives be?
But obviously each element you need to have some some degree of control. But as everyone that works in identity knows, you look at an identity document and in some countries you might have three to 5% of fraudulently obtained genuines in circulation.
So a document also is not a hundred percent perfect. So if you're looking at something with a document, you also need to have a selfie match, you need to do a document authenticity check, you need to do the liveness. So what we've tried to do over this period is explain to regulators. It's not just anything with a document is great. Anything that's come from a mobile phone company is great.
You've got to look under the hood and see what's the granularity underneath in terms of getting to a higher level of assurance And these, this is what's being worked through in the international standards groups.
There was also a summit in Manchester, a global age summit. All the materials from there are available online regulators from about 40 countries around the world, representatives from vendor companies, relying parties.
So yeah, it was the first global summit. We've done a one pager on A PDF that we find super useful. There was somebody earlier that said, what can you show in one page to tell the story? So that's what we've tried to do here, which you show that there are a range of methods, but self declaration, basically that ship has sailed. Just ticking a box.
Yes, I'm over 13, yes, over 18. Even doing the basic maths to say when your date of birth was probably a 6-year-old with one year of maths education could work out how to work out. You need to be over 18. Sometimes people think, oh, the parent can assert.
Well we know there's a lot of peer pressure and a lot of parent pressure. So it's a mute point in different jurisdictions. Whether the parent can state the age of the child and avoid it being the child, pretending to be the parent asserting the age document verification.
And then the other methods and what we try and explain there is that summary of you have to look under the hood. Yes, you might say it's zero friction to self declare, but actually is there any assurance there versus some of the other methods, be it document or age. You can get both of those to a higher level and it's up to each regulator to decide what they want. Hopefully referring to the standards that we've all been working on, there are lots of different groups around the world looking at this. So the FSMI mentioned here in Germany, in France there's WAN of contact.
We've got an online safety tech industry association, an age verification providers association. There's an audit body that's UCAS certified in the UK that's done, done a lot of work on on both building the standards and documents around this. You've got bodies such as Tech Coalition in the US that are working with lots of vendors and have their own working group. We protect Global Alliance, similarly Family Online Safety Institute. So there's lots of organizations around the world looking at what's happening in this area.
This was a, an extract from a report by Off Con where they tried to work out you know, what is state of the art. So voice is something where it could be one of the techniques coming through. I heard somebody yesterday talking about nasal cavity and voice projection. Maybe you could do additional authentication on top of the, of an email open banking and what they're trying to work out and be shared across the global online safety regulators network is what is good enough and what is high and what is low.
And they, I would say that's still happening. The EU working group ought to come to a conclusion that should have been ready for the DSA launch and it wasn't quite there. This is the link if you look for the NIST report and there you can see a number of vendors, you can see how that fate FATE testing program came out just last week.
And yeah, overall I think where everybody's looking at in this industry is is this mature and there are now probably about 40 or so different vendors.
The first standard is out, the next ones are coming, yes, lots of global organizations are adopting, some are building their own. Google recently also had a facial age estimation reviewed and that is available publicly the the end result of the test. There are one or two audit bodies coming through. We've had the first example of a benchmarking. There is a trade body. There has been some research. So liminal in the US has done some research on this. You've got various bodies on the privacy community and others.
And if you look at the regulators a lot from Ocom, a lot from the ICO, the canal in France, the ED, the European Data Protection Body is about to come up with something more in the US state by state.
You've got quite a few different states opining on this area in Australia, you've got a large body of work coming through from the eSafety commissioner. So regulatory review is kicking in. Germany's probably got the longest time period of work in this area and the KGM has issued a KGM Rasta with over 100 approaches for age assurance.
What they haven't done then is look at how it's actually installed and seen how is an organization using it in practice And that can conformity assessment I think will be the next stage. So yeah, that's pretty much a whistle stop tour. I dunno how we are for time and if there's any questions. Well thank
You Julie. That was
A very insightful session.
We have maybe time for two questions.
Yes,
I'll be back.
Thank you. Would it be fair to say that in countries where we have, you know, good coverage of EID or I'm from Scandinavia and you know for instance in Denmark, every one down to the age of 13 carriers, their ID and they use it all the time online it's called mid id like Bank I in Sweden, would we not, I guess we wouldn't really need the facial because you can always fall back to this. Is that a fair assessment that
So it's interesting but we know that the one of the biggest rises is the zero to tens.
So what a lot of people are looking at is be it at the chip level, be it at the handset level, be it at the headsets, how do you know that it's your 5-year-old that's put on the headset versus the 18-year-old or the parent and the family. So how we deal with the miners and even the under thirteens is quite important. We've seen in Singapore speaking with Sing Pass that actually when they've surveyed the public even that does have a sing pass wallet, what they've said to them is, hmm, I have some areas of my private life I don't want to use my sing pass for.
So I think it will be very culturally specific, but we've got a lot of under thirteens that are online and how do we support them? How do we create those age appropriate spaces?
Yeah, no just to comment on that, when you go to porn site you probably don't want to use your bank card on to to access that. So, but I was thinking have you come across any sort of reverse age where like you have a teenage forum, you want to keep the old guys after it and second question, like a continuous check that you know, you don't put your kid in front of it and then a parent walking in afterwards.
Absolutely. So one of the first examples of that was ubo, which is a social media platform that has a 13 to 17 area and an 18 plus.
They don't want the 5-year-old or the 55-year-old in the teens area. So they on the waterfall method will use first of all the facial age estimation for triage. People close to the edge who or could complain that they should be in a different area are then given the option of, you know, three or four reusable ID one off upload, da da dumb. And then at the, if they say they haven't got anything, it might be a an on-camera video I ident type thing with parent or whatever go through customer support.
But, and then to your second point, sorry, I've forgotten that one continues. Yes. So this point of re authentication is really interesting and what is proportionate?
So recently we had the case of A BBC journalist with a visitor to the household and both of them let a 15-year-old sign up with one credit card someone else's face to OnlyFans in the uk and they published an article. But what the OnlyFans then went back to the regulator and said, well, do you want us to do monthly checks, yearly checks? What do you want in terms of authentication?
'cause this was two adults who knowingly colluded who actually should have known better than really wanting a 15-year-old setting up an account on OnlyFans. I mean the regulator hasn't issued anything publicly about that. But you know, whilst we don't get older, the risk, as you say of somebody else taking over the account is interesting. So in the standards groups, they're thinking that in some use cases it might be every six or 12 months, but accounts are quite common in say the adult area. And that's something the regulators haven't quite decided on.
With the interoperable token network that we're currently piloting, would they say a token could last only from six at night to two in the morning or would they say a token could last for 48 hours? So all of these approaches can be tokenized and interoperable, but only if the regulators come up with how long can they last. So those are discussions and it's a a very good point.
Okay, so just to touch on that point, logging into a website, a porn site with the ang, nobody would like to do that, but I wouldn't want to use facial scans either. What I want would be the EID derived serial knowledge proof instead.
But, so that's just a comment on that. But my question is what about deep defects? Isn't deep defects just making this impossible in the future?
So to your first point act, absolutely.
There's, there's a review at the moment looking at how can the interoperable network include that zero knowledge element and how can you have, you know, basically a middle broker that deals with that. So that's being looked at by the EU pilot at the moment. The first stage of that was EU consent one. The second stage is age aware, looking at that tokenized data, minimized looking on device. But choice is the thing that we found. So across the world you will have people that will or won't be comfortable with different methods.
So in general, the rule of thumb most vendors are taking is offering four or five different options and by jurisdiction working out what, what, what people like and deep fakes. Absolutely that anti injection enjoyment is, is really crucial. And that is the arms where the arms wall that in every area everyone is facing. But at the moment there is, there is an on the liveness detection, you've got some N to conformity testing, but it's not really good enough to look across the board. And that's one of the things that the standards group's looking at as well. Thank you. Thank you Julie.
Tremendous.
