Interesting People mailing list archives
more on Age Verification Technology
From: David Farber <dave () farber net>
Date: Thu, 10 Feb 2005 07:57:25 -0500
------ Forwarded Message
From: Vin McLellan <vin () TheWorld com>
Date: Thu, 10 Feb 2005 06:00:00 -0500
To: David Farber <dave () farber net>
Cc: <HLin () nas edu>, <bkaliski () RSAsecurity com>
Subject: Re: PR Newswire - Age Verification Technology

Hi Dave,

In answer to Herb Lin's query about i-Mature's Age Group Recognition (AGR) technology, I would refer him to the inventors' European Patent Office filing <http://tinyurl.com/4le9t> for more details about this intriguing age-verification technology than is currently available on the i-Mature website: <http://tinyurl.com/4le9t>.

The EPO offers a copy of the inventors' US patent application for a sensor-based access control device that can measure how far along a body is in its physical development cycle and then use that biometric to distinguish children from adults. (Took me all of two minutes to dig up the online EPO patent data, which offers an intriguing, if necessarily incomplete, overview of a variety of biological metrics and forensic techniques which can be used to differentiate between children and adults. Shame on those who cry scam and offer FUD so blithely.)

If CSI fans or any student of forensic anthropology might naively presume that this biometric has been used for years, technocrats and public policy mavens should at least approach the prospect of a viable age-verification technology with an open mind. (Most, I trust, do -- despite cynicism about its "silver bullet" aura in some circles.)

i-Mature's AGR system is based, in its current implementation, on a non-intrusive sonic scan of finger bone joints to determine the degree of ossification (growth) of the bone, relative to the potential for bone growth (the "open" epiphyseal plate at the end of a bone.)
Reviewing the patent application, it doesn't seem rash for i-Mature to claim, as it does in its much-maligned website, success in achieving its goal of developing a biometric technology that allows it to make "an absolute distinction between adults [18 and older] and children [13 and younger]."

At the Congressional Internet Caucus' exhibition last night -- and in the RSA booth at the big RSA Conference next week -- i-Mature and RSA will demo the AGR prototype and collect feedback on potential applications and issues of concern. RSA hopes that this will reopen the public policy discussion on age-verification technology, which some feel was precipitously closed by the government experts who declared -- in the seminal NRC study, "Youth, Pornography, and the Internet," <http://tinyurl.com/6b3ru>, that Dr. Lin and Dick Thornburg co-edited in 2002 -- that biometrics could not, for the foreseeable future, offer any effective means for determining age. Naysaying the future of an active technology is always fraught with risk.

The AGR biometric is captured, according to the patent application, when "the presence, absence, or thickness of a bone growth plate in a finger phalanx of the user is sensed and/or measured." A reference table is then used to correlate this growth-plate biometric to standard human development patterns, to determine if the individual scanned is a child or an adult.

For the finger bone, according to the inventors' review of medical and forensic literature, "an open epiphyseal plate is detectable up to the age of 12.5 years for girls, and 14 years for boys. At the age of 14.5 years for girls and 16.5 years for boys, only in about 2.5 percent of the population is an open epiphyseal plate detectable in the phalanges." The patent application refers to similar correlations for other bones in the hand, wrist, leg, and foot.
"Thus," declare the inventors, "one can assume that in 97.5 percent of all children, the lowest threshold for the "open" growth-plates is at age 12.5 and the highest threshold for "closed" growth-plates is at age 18" -- although for some long bones, like the leg tibia, the growth plate may remain open until age 20. The AGR team decided to develop its table of correlation for the middle finger of a hand.

This AGR technology will doubtless have to prove itself and submit both its forensic foundation and any final implementation to critical review before it is widely accepted -- but this isn't black magic. No one is claiming that this technology can, like some carnival swami, declare a date of birth or offer a horoscope, but i-Mature does persuasively claim to effectively distinguish between a still-developing child and a fully-grown adult.

Needless to say, if this becomes accepted as a viable biometric, there are a host of complex and intriguing public policy issues associated with how and where such a technology can or should be used. Or can or should be required.
What's the nature of the RSA connection?
What I know about the i-Mature technology is all from public sources, but -- as a consultant to RSA -- I have been party to some internal RSA discussions about the joint R&D agreement that RSA concluded in Barcelona last fall with the i-Mature team.

RSA Labs has been working with the AGR inventors for about four months, after they approached RSA Chief Scientist Burt Kaliski to suggest a joint R&D effort. RSA Labs has several similar agreements with leading developers of what are deemed to be "emerging technologies." R&D collaborations such as this have led to useful new privacy and security tech, like RSA's RFID blocking tag <http://tinyurl.com/5k3mr>, but there is no product commitment involved.

The RSA/i-Mature agreement merely calls for RSA to offer its specialized expertise in secure architectural design and crypto implementation to the AGR development team as they explore the potential of their innovative breakthrough in biometric scanning and classification.

Predictably, RSA -- best known for its commercial cryptography, its SecurID tokens, and its Identity and Access Management software -- is also interested in exploring the long-term potential of this technology in both layered multi-factor authentication systems and innovative new authorization schemes which may not require proof of a user's legal identity.

Core implementation issues for AGR -- as with any biometric-based authorization scheme -- involve striking the appropriate balance between false positives and false negatives for a given application environment. Technically, the AGR technology also has many of the security and design issues common to biometric authentication systems -- integrity, liveliness, timeliness, avoidance of replay, etc. -- but RSA Labs has worked on these problems for many years.
(In a library, to take a slightly-flammable example dear to the hearts of many on IP, access to an unrestricted Internet terminal may today involve an administrative decision based on documentation -- birth certificate, driver's license, school ID -- and personal contact. If i-Mature's AGR were used, those access decisions might be largely left to the sensor, but a few AGR rejections might still be appealed and require an administrative decision for a justifiable exception.)

The AGR application is unusual -- perhaps the first of its kind -- in that it proposes to use a real-time sensor to determine an age-based authorization, but this design also allows the developers to avoid the complications typically associated with biometric enrollment and secure database interactions.

As to the inventors' target price for their future product, I'll leave that for them to debate with the helpful Mr. Burt, SCC's PR manager.

Suerte,
_Vin

Vin McLellan
The Privacy Guild
Chelsea, MA USA

------ End of Forwarded Message