Tweet
In 2023, the Entertainment Software Ratings Board (ESRB) announced that they were working on a tool that would use facial recognition to verify a person's age. The ESRB had partnered with a digital identity firm, Yoti, along with SuperAwesome to create this age verification technology. The ESRB already caught a lot of rightfully deserved shit for that announcement when it was made last year.
Thankfully, the Federal Trade Commission (FTC) announced today that they have rejected the ESRB's application to use the tool. A blog posted by the FTC on Friday, March 29, says that they are denying the ESRB's application for the technology. The FTC denied the application with a vote of 4-0, saying that they have received over 350 comments on the technology before it went to vote.
Complaints provided to the FTC say that people were opposed to the application over concerns for privacy, protections, accuracy, and deepfakes. The few that supported the application said that they felt it had "sufficient privacy guardrails" in place.
The FTC's decision ultimately came down to the Children's Online Privacy Protection Act (COPPA).
The applicants in 2023 requested approval for the use of “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to confirm that they are an adult.
Under the COPPA Rule, online sites and services directed to children under 13, and those that have actual knowledge they are collecting personal information from children under 13, must obtain parental consent before collecting, using, or disclosing personal information from a child. The rule lays out a number of acceptable methods for gaining parental consent but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval.
Under the COPPA Rule, online sites and services directed to children under 13, and those that have actual knowledge they are collecting personal information from children under 13, must obtain parental consent before collecting, using, or disclosing personal information from a child. The rule lays out a number of acceptable methods for gaining parental consent but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval.
The ESRB argues that their facial recognition technology would not exactly determine a person's age but rather that it would estimate the age. They claim that they would not store the data after the analysis was concluded.
However, the application filed by the ESRB last year says that the procedure for verifying a person's age would upload the data to Yoti's servers. Specifically, a person would have to take a photo of themselves. The system would first verify that there is a human face in the frame and then upload the photo and data to Yoti's servers for age estimation.
The issues over the ESRB's proposed tool are similar to some of the issues and complaints people have with new laws requiring government-issued ID to visit porn sites. There are the obvious concerns over how secure the data is once it's uploaded to these sites. There is also the issue of privacy, especially when it comes to the "collection of large pools of children's biometric data by private companies, with no governance structures in place." In short, these sorts of verification are a privacy nightmare for young and old alike and should not be tolerated by anybody.
The FTC says that even though the current proposal was denied, the ESRB is free to re-file the application in the future. The ESRB has not stated when, or if, they will re-file.
I wonder how this conflicts with GDPR, i don't want anyone taking my picture outside of public CCTV.