more on Age Verification Technology

[David Farber <dave () farber net>]

------ Forwarded Message
From: Vin McLellan <vin () TheWorld com>
Date: Thu, 10 Feb 2005 06:00:00 -0500
To: David Farber <dave () farber net>
Cc: <HLin () nas edu>, <bkaliski () RSAsecurity com>
Subject: Re: PR Newswire - Age Verification Technology

Hi Dave,

In answer to Herb Lin's query about i-Mature's Age Group Recognition (AGR)
technology, I would refer him to the inventors' European Patent Office
filing <http://tinyurl.com/4le9t> for more details about this intriguing
age-verification technology than is currently available on the i-Mature
website: <http://tinyurl.com/4le9t>.

The EPO offers a copy of the inventors' US patent application for a
sensor-based access control device that can measure how far along a body is
in its physical development cycle and then use that biometric to
distinguish children from adults.

(Took me all of two minutes to dig up the online EPO patent data, which
offers an intriguing, if necessarily incomplete, overview of a variety of
biological metrics and forensic techniques which can be used to
differentiate between children and adults. Shame on those who cry scam and
offer FUD so blithely.)

If CSI fans or any student of forensic anthropology might naively presume
that this biometric has been used for years, technocrats and public policy
mavens should at least approach the prospect of a viable age-verification
technology with an open mind. (Most, I trust, do -- despite cynicism about
its "silver bullet" aura in some circles.)

i-Mature's AGR system is based, in its current implementation, on a
non-intrusive sonic scan of finger bone joints to determine the degree of
ossification (growth) of the bone, relative to the potential for bone
growth (the "open" epiphyseal plate at the end of a bone.) Reviewing the
patent application, it doesn't seem rash for i-Mature to claim, as it does
in its much-maligned website, success in achieving its goal of developing a
biometric technology that allows it to make "an absolute distinction
between adults [18 and older] and children [13 and younger]."

At the Congressional Internet Caucus' exhibition last night -- and in the
RSA booth at the big RSA Conference next week -- i-Mature and RSA will demo
the AGR prototype and collect feedback on potential applications and issues
of concern.  RSA hopes that this will reopen the public policy discussion
on age-verification technology, which some feel was precipitously closed by
the government experts who declared -- in the seminal NRC study, "Youth,
Pornography, and the Internet," <http://tinyurl.com/6b3ru>,  that Dr. Lin
and Dick Thornburg co-edited in 2002 -- that biometrics could not, for the
foreseeable future, offer any effective means for determining age.

Naysaying the future of an active  technology is always fraught with risk.

The AGR biometric is captured, according to the patent application,
when  "the presence, absence, or thickness of a bone growth plate in a
finger phalanx of the user is sensed and/or measured." A reference table is
then used to correlate this growth-plate biometric to standard human
development patterns, to determine if the individual scanned is a child or
an adult.

For the finger bone,  according to the inventors' review of medical and
forensic literature, "an open epiphyseal plate is detectable up to the age
of 12.5 years for girls, and 14 years for boys.  At the age of 14.5 years
for girls and 16.5 years for boys, only in about 2.5 percent of the
population is an open epiphyseal plate detectable in the phalanges." The
patent application refers to similar correlations for other bones in the
hand, wrist, leg, and foot.

"Thus," declare the inventors, "one can assume that in 97.5 percent of all
children, the lowest threshold for the "open" growth-plates is at age 12.5
and the highest threshold for "closed" growth-plates is at age 18" --
although for some long bones, like the leg tibia, the growth plate may
remain open until age 20.  The AGR team decided to develop its table of
correlation for the middle finger of a hand.

This AGR technology will doubtless have to prove itself and submit both its
forensic foundation and any final implementation to critical review before
it is widely accepted -- but this isn't black magic. No one is claiming
that this technology can, like some carnival swami, declare a date of birth
or offer a horoscope, but i-Mature does persuasively claim to effectively
distinguish between between a still-developing child and a fully-grown
adult.

Needless to say, if this becomes accepted as a viable biometric, there are
a host of complex and intriguing public policy issues associated with how
and where such a technology can or should be used. Or can or should be
required.

> What's the nature of the RSA connection?

What I know about the i-mature technology is all from public sources, but
-- as a consultant to RSA -- I have been party to some internal RSA
discussions about the joint R&D agreement that RSA concluded in Barcelona
last fall with the i-Mature team.

RSA Labs has been working with the AGR inventors for about four months,
after they approached RSA Chief Scientist Burt Kaliski to suggest a joint
R&D effort.  RSA Labs has several similar agreements with leading
developers of what are deemed to be "emerging technologies."  R&D
collaborations such as this have led to useful new privacy and security
tech, like RSA's RFID blocking tag <http://tinyurl.com/5k3mr>, but there is
no product commitment involved.

The RSA/i-Mature agreement merely calls for RSA to offer its specialized
expertise in secure architectural design and crypto implementation to the
AGR development team as they explore the potential of their innovative
breakthrough in biometric scanning and classification. Predictably, RSA --
best known for its commercial cryptography, its SecurID tokens, and its
Identity and Access Management software -- is also interested exploring the
long-term potential of this technology in both layered multi-factor
authentication systems and innovative new authorization schemes which may
not require proof of a user's legal identity.

Core implementation issues for AGR -- as with any biometric-based
authorization scheme -- involve striking the appropriate balance between
false positives and false negatives for a given application environment.
Technically, the AGR technology also has many of the security and design
issues common to biometric authentication systems -- integrity, liveliness,
timeliness, avoidance of replay, etc. -- but RSA Labs has worked on these
problems for many years.

(In a library, to take a slightly-flammable example dear to the hearts of
many on IP, access to an unrestricted Internet terminal may today involve
an administrative decision based on documentation -- birth certificate,
driver's license, school ID -- and personal contact.  If i-Mature's AGR
were used, those access decisions might be largely left to the sensor, but
a few ARG rejections might still be appealed and require an administrative
decision for an justifiable exception.)

The AGR application is unusual -- perhaps the first of its kind -- in that
it proposes to use a real-time sensor to determine an age-based
authorization, but this design also allows the developers to avoid the
complications typically associated with biometric enrollment and secure
database interactions.

As to the inventors' target price for their future product, I'll leave that
for them to debate with the helpful Mr. Burt, SCC's  PR manager.

Suerte,
            _Vin

Vin McLellan
The Privacy Guild
Chelsea, MA USA



------ End of Forwarded Message


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/