In this blog series, our CEO Robin Tombs will be sharing his experience, whilst focusing on major themes, news and issues in the world of identity verification and age assurance.
There’s been a lot about facial age estimation this month, with Robin talking about its use by Meta in Australia as well as our facial age estimation demo site. He also chats about Yoti’s NIST assessment and how Digital IDs can be used to combat fraud.
Meta introduces facial age estimation in Australia
We’re delighted Meta is rolling out Yoti’s facial age estimation on Facebook, starting in Australia. Taking a selfie to prove age is easy and inclusive. It’s also proved very effective globally on Instagram at preventing teens from materially misrepresenting their age.
Explaining our facial age estimation demo site
A journalist claimed to their readers that they had tricked Yoti’s facial age estimation by presenting a stock photo of a 10-year-old that was age-filtered to look much older. They claimed that Yoti’s technology could not recognise it was not a live face. They claimed that this could be used to allow a child to buy a knife online.
Lots of Yoti’s existing and potential customers have used this demo to check how well our facial age estimation works and to estimate the ages of differently aged individuals (with consent). To enable this testing, we remove anti-spoofing – also known as liveness – so that we can provide estimated ages for photos presented to the camera. Yoti makes this very clear to users of the demo.
Though the journalist has since removed this article, it’s worth explaining this a little more. Whenever Yoti captures faces to estimate age for businesses, we always use either our own proprietary world-class iBeta certified NIST Level 2 Presentation Attack Detection software, or world-class third-party software from FaceTec, Inc. or ID R&D. Both of these have been certified to the same NIST Level 2 performance. Some of our customers perform liveness checks independently and just submit the facial image to Yoti for age estimation.
Since January 2022, Yoti has also used its patented injection attack detection software, known as SICAP (Secure Image CAPture). SICAP helps to prevent more sophisticated bad actors from injecting a facial image to bypass the camera and have that image age estimated, instead of the actual face looking into the camera. Since March 2024, HackerOne has been running a bounty programme (current reward = $1,000) to reward ethical hackers who successfully beat Yoti’s SICAP service.
Although it may appear very easy to beat our anti-spoofing detection software on the demo, Yoti clearly states that “there is no anti-spoofing enabled on this demo site”.
Digital IDs to combat data hacking
If confirmed by Ticketmaster, the hack of 560 million customers’ data by ShinyHunters, with a price tag of $500,000, is massive. That’s a data price of $0.0009 per customer (prior to any discount negotiation by fraud gangs if they buy all the customer data).
The data includes the customer’s name, date of birth, address, email address and mobile phone number. That’s the data for 1 in 10 internet users, though this’ll be heavily skewed to 1 in 4 of the approximately 2 billion people, most of whom are over 16 and could afford to buy tickets for popular events across the world over the last few years.
Knowledge-based database ID checks that rely on personally identifiable information (PII) are increasingly vulnerable to ID fraud. With hacks going back many years, fraudsters are able to build up histories of individuals by matching their data across multiple hacks from the last 1 to 10 years.
Reusable digital ID wallets, such as Yoti, where live faces captured on camera are matched to chip passports, driving licences and national IDs (or preferably ID credentials issued by governments) are the future.
Reusable digital IDs will be a nightmare for many fraudsters as businesses can recognise from their fraud stats which reusable digital IDs are high quality and most trusted. They can then nudge their customers to use those most trusted digital IDs.
Regulators will start to allow businesses to retain audit evidence that they completed a check. However, businesses will not be required to store, and may potentially be mandated not to store, the details from passports, driving licences and national IDs. Verified names will be sufficient for many customers to interact with many regulated businesses – unless they need to prove their age or receive a home delivery 🙂
NIST’s assessment of Yoti’s facial age estimation
It’s been a bit lonely over the last 5.5 years for Yoti. We’ve been publishing our facial age estimation (FAE) results by year from ages 6 to 70. But with no independent testing, it’s challenging to provide the much-needed trust that we’ve been accurately marking our homework. The National Institute of Standards and Technology (NIST) have just published independent results for 6 FAE vendors, all tested on the faces of 11 million individuals.
Our current December 2023 facial age estimation white paper reports a mean absolute error (MAE) of 2.7 across ages 6-70. NIST measured the MAE of Yoti’s algorithm, submitted in September 2023, as a world-class 2.7 across 18-24, and a world-leading 2.0 for ‘visa’ style images for ages 6-17. This is the critical age range for effective over/under age 13 age gating and over/under age 18 age gating.
We welcome that other leading ID and biometrics businesses such as ROC and Incode have been tested as also offering world-class FAE. Parents, businesses and regulators need a competitive age assurance market with independent testing of FAE algorithms to ensure they are effective and fair.
Five years ago, quite a few otherwise smart people dismissed our FAE as “fake science” or said that we could not be trusted to measure our performance accurately. Some still don’t get that facial age estimation can be completed without performing facial recognition.
NIST makes it super clear that they “distinguish facial age estimation (AE) from face recognition (FR). AE analyses one face to produce an estimate of age. FR is concerned with who is in an image. The two techniques employ different algorithmic machinery for these two purposes”. This anonymity point is super important because there are still opponents of age checks, particularly in the US, who are trying to persuade courts that age checks require identification.
We’re grateful to the hundreds of businesses, large and small, over the last 5 years, who through a combination of due diligence and trust in Yoti, chose to use Yoti FAE to effectively check over 18s.
It’s really good news going forward that NIST can provide the trusted FAE vendor results the global market needs to accelerate the adoption of this important safety tech.