Age Verification Providers Association's Techdirt Profile
|
About Age Verification Providers Associationhttps://www.linkedin.com/in//company/age-verification-providers-association/ |
|
|
About Age Verification Providers Associationhttps://www.linkedin.com/in//company/age-verification-providers-association/ |
Response
The laws in the UK, EU and Australia will be requiring online age assurance; the method is not specified so consumers will have a choice between traditional age verification and the newer age estimation techniques. Obviously if age assurance ceases to protect most children from most harmful content, conduct, contact and contracts for most of the time, then its value would be questioned and policymakers may change their plan. But most children will not have the time, capability and resources to use sophisticated evasion techniques, and counter-measures will continue to respond to new attacks.
Don't let the perfect be the enemy of the good
Thanks for all these comments. The aim of the Age Appopropriate Design Code Act is to reduce the amount of harm suffered by children when they go online. That may be through contact, content, conduct or even contracts they sign. This does not require perfection - a solution which ensured a user was AT ALL TIMES over 18, for example, would require permanent monitoring, with minute-by-minute checks they'd not gone for a glass of water and been replaced by a 4 year-old. Literally no-one is advocating for that. Policy makers are simply looking for ways to reduce the currently unmitigaged risk to minors of exposure to harms. That will require some friction in the process - just as it's annoying to have to find your license before you can buy a six-pack. But the store owner does not then follow you home to check you don't hand a can to your daughter - that check at the point of sale is considered enough by society to stop her simply buying the beer herself. So yes there will be some inconvenience to adults. But the alternative is to treat everyone online as if they might be a child, and that's not a great outcome.
Access
If the processing of the age verification takes place on your device, so the software operates locally not on a server, then the only person with access to your personal data is you. There would be no third-party access using that form of technology
Does facial age estimation use personally identifible data (PII)?
In a word, no. The process requires only a basic mapping of facial features which would never be sufficient to identify the subject of the image. It is only enough to feed the artificial intelligence algorithms to compare the figures to those from thousands of other images used as training data. Facial recognition is different, and requires far more data to uniquely identify an individual, whether they are alone or in a crowd.
Data protection
We must trust others with our data in life all the time - banks with our financial info; Facebook with our vacation photos; our health insurers with our medical situation. Most of these are regulated to some degree, and at least face commercial pressure to take good care of our data. In Europe, there is GDPR which offers a higher level of data protection and has probably made people more comfortable with sharing their data. The California Bill includes minimum standards for age assurance technology including the requirement not to abuse data used in the age checking process. In addition to the law, we advocate for audit, certification, international standards (eg BSI PAS 1296:2018) and, through admissions' procedures for interoperability networks, further controls on which providers are able to operate - and the larger sites which use their services will do their own due diligence.
Sharing
It is. But so is sharing an adult magazine or handing a young child a bottle of liquor. Technology does not absolve adults from their own social responsibilities. But it can help them meet them without the need to supervise their kids online activities 24/7
Would swearing count as harmful to kids?
In all our discussions with lawmakers and regulators around the world, swearing has never come up as being considered potentially harmful to the mental well-being of children. Frankly, there are far bigger fish to fry - such as information on how to kill yourself, or self-harm and sites advocating anorexia. Not to mention the risks from online communications between bad adults and children which online age assurance will help platforms spot and prevent. We also don't expect TechDirt to have a large underage readership so it would be pretty low down the list of regulator's priorties.
Shared devices and accuracy
Thanks for raising these points. There can be an assumption that online age checking should only go ahead if we can find the perfect way to ensure 100% of underage access is prevented. EU, Australian and UK laws have so far taken a more pragmatic approach - stop most kids see most innappropriate content most of the time. So we do not need to let the perfect be the enemy of the good. Of course, you can log into a porn site, leave your PC open and your 8 year old can then take over. How is that different from Dad leaving a copy of an adult magazine on the coffee table for his kids to find? Tech will never prevent that; or if it does, it would require a disproportionate level of inconvenience to all users so would not be tolerated. Estimation is proven to be getting more and more accurate by the day. +/- 1.5 years mean average error has been proven in testing, for example. You can of course reserve such AI for checking that people look over 25 instead of 18, which would reduce to a handful the numbers of those under 18 who pass such a test. And there are extensive antispoofing mechanisms so false beards, or filtered photos do not fool the tech.
liveness checks
For some higher risk use cases, the age check may involve a liveness test where the user must take several selfie photos or record a short video saying phrases requested by the provider. Passive liveness technology has further reduced the effort required by the user - do look into that. But we should emphasise this is often far more than is needed if the regulatory requiremment is defined as "children should not normally be able to access adult content" for example.
Interoperability and scope
Thanks for raising these points. You may know that in the EU, we suffer from "cookie popups" on almost every site we visit where we have to click to agree to accept cookies. We know how tiresome these are, and they only require a single click to clear. So it has been obvious to everyone involved in online age checks that it needs to have minimal impact on user experience. Already, for many sites such as those where you buy alcohol etc. users create accounts and just do an age check once at that point. But for surfing the web more generally, the European Commission has funded the development of interoperability, throught the euCONSENT project, allowing users to verify their age once, and then re-use that check many times across the Internet. How often you need to prove it is still the same user who did the check is a matter for the services themselves and their regulators. Some low risk uses might only check every three months - higher risk situations might double check it is still you each time you make a purchase. That could be as simple as entering a PIN. Unless techdirt carries content that is potentially harmful to kids, it woud not need to apply age assurance. If some content is potentially harmful, this could be put in a sub-section of the site where adult users who wish to access it would use an age check - but probabably the same one they did 3 weeks ago when downloading a new 18 rated video game.
MindGeek is NOT an age verification provider
Thanks for setting out your concerns about the ADCA so clearly. First, we want to reassure you and your readers generally about anonymity. The purpose of the online age verification sector is to allow users to prove their age to a website, WITHOUT disclosing their identity. This can be achieved in a number of ways, but primarily through the use of independent, third-party AV providers who do not retain centrally any of your personal data. Once they have established your age or age-range, they have no need (and under EU GDPR law, therefore no legal basis) to retain your personal data. In fact, the AV provider may not have needed to access your personal data at all. Age estimation based on facial analysis, for example, could take place on your own device, as can reading and validating your physical ID. And the AV provider then only tells the sites you are accessing "yes" or "no" as to whether you meet their age requirement. The provider also retains no records of which sites each user visits. You suggest that Mindgeek's AgeID product makes them an AV provider. This is not accurate. The age checks are carried out by independent third-party AV providers. AgeID (which they have discontinued in any case) was a federated login system, allowing you to re-use an age check completed for the first MindGeek owned website you access, on any of their many other websites. This is less necessary today, as AV providers, through an EU-funded project www.euCONSENT.eu have created general interoperability. So the check you do today to order wine for delivery can be used tomorrow to confirm access to an adult site. There is plenty of information on our website www.avpassociation.com and we would be pleased to address any other concerns you may have. But rest assured, technology is smart - it can do almost anything you want it to - and proving your age online without disclosing your full identity is not beyond its capabilities.