Interesting People mailing list archives
RE: more on Age Verification Technology
From: "David Farber" <dave () farber net>
Date: Thu, 10 Feb 2005 16:26:37 -0500
_______________ Forward Header _______________ Subject: RE: [IP] more on Age Verification Technology Author: "Lin, Herb" <HLin () nas edu> Date: 10th February 2005 2:29:26 pm For IP Dave - I appreciate Vin McLellan's description of the technology involved, and I'm happy to stipulate that there are a number of biophysical markers for age, and that bone scans are one of the most important. For example, it is well known that bone plates fuse in the skull at the end of puberty (indeed, that's considered by some physicians as a *marker* of the biological end of puberty). But our conclusions about age verification technologies in the context of the report remain valid. If you read the report (Chapter 13), you'll find that we distinguish between age verification systems that are (a) a subset of an age-verification infrastructure that can be used for broader purposes, or (b) deployed by vendors of sexually explicit material. We did not see any demand for (a) because we could not see what would be the broader purposes, and we could not see any age verification technologies that would be deployable by vendors. That is still true, the technologies in question (bone scanning and the like) not withstanding. The other major point is that when the "Youth Pornography and the Internet" report was written, we *did* know about bone scans-and they are mentioned in an accompanying workshop report ("Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop"). But as Andy Sullivan noted in his earlier post, the technology won't work for keeping kids out of porn sites, or any other application in which you need a hard "under 18/over 18" bright line. This point is fundamental, and is based on two separate threads. First, no sensible person would believe that there is a biomarker that can distinguish between someone who is 17 yrs and 364 days old and the same person 2 days later. Second, the stochastic nature of biological development means that different people mature at different rates, even if there are biomarkers of age. It is a LEGAL matter that the under-18/over-18 line exists and that it exists for all citizens - it's not a biological matter. I will speak from personal experience here. My 10 year old daughter is physically underdeveloped for her age, and suffers from a shortage of growth hormone production. Her bone age--as measured by ultrasound and read by qualified specialists--lags her chronological age by at least 2 yrs (though her mom and I hope that gap is narrowing over time). Because they are using the same biomarkers, the bone scanners of I-mature will not be able to detect THAT difference between chronological and biological age-and it is chronological age that is the relevant age for legal purposes. Finally, the I-mature site does claim to be able to make "an absolute distinction between adults [18 and older] and children [13 and younger]." But as their website readily admits, there are 3 categories, not two - the middle range of 13 to 18. All people whose bioscans are intermediate between "adults 18 and over" and "children 13 and younger" will fall into that middle category. The problem is that the legal issues of minors viewing sexually explicit material do not distinguish between the two youngest categories. Some might argue that they should, but they do not. It is also of particular significance to the debate over sexually explicit materials and minors that it is people in this middle age group that are likely to be the most highly motivated to seek out such materials. Children 13 and younger are less likely to seek it out, and there the problem is likely to be more related to accidental or inadvertent exposure. Children 13 and younger are also more likely to pay attention to parental guidance and instruction. So, as a practical matter, the people who are seeking a solution to the problem of exposing minors to sexually explicit material need to find good ways to distinguish between adults and this MIDDLE group, not between adults over 18 and children under 18. Thus, even if the technical claim of being able to distinguish between adults over 18 and children under 13 is valid, that claim is irrelevant to the real problem at hand - distinguishing between adults and teenagers. That problem, of course, is much harder to solve, for reasons given above. I'm prepared to believe that those identified through bone scan as adult will [probably] be legal adults. But as the case of my daughter suggests, the technology will fail to identify some legal adults as adult-her I-mature bone scan is likely to identify her as 16 when she is in fact 18. Therein lies the rub, and the reason that we said that age verification technologies were not likely to work for the purpose of keeping minors away from sexually explicit material while allowing adults relatively free access. We said that there were "no foreseeable technological 'silver bullets' or single permanent solutions to be crafted," and nothing in the I-mature announcement changes that conclusion. Herb Lin Senior Scientist NRC co-editor of Youth Pornography and the Internet available at http://books.nap.edu/catalog/10261.html === Hi Dave, In answer to Herb Lin's query about i-Mature's Age Group Recognition (AGR) technology, I would refer him to the inventors' European Patent Office filing <http://tinyurl.com/4le9t <http://tinyurl.com/4le9t> > for more details about this intriguing age-verification technology than is currently available on the i-Mature website: <http://tinyurl.com/4le9t <http://tinyurl.com/4le9t> >. The EPO offers a copy of the inventors' US patent application for a sensor-based access control device that can measure how far along a body is in its physical development cycle and then use that biometric to distinguish children from adults. (Took me all of two minutes to dig up the online EPO patent data, which offers an intriguing, if necessarily incomplete, overview of a variety of biological metrics and forensic techniques which can be used to differentiate between children and adults. Shame on those who cry scam and offer FUD so blithely.) If CSI fans or any student of forensic anthropology might naively presume that this biometric has been used for years, technocrats and public policy mavens should at least approach the prospect of a viable age-verification technology with an open mind. (Most, I trust, do -- despite cynicism about its "silver bullet" aura in some circles.) i-Mature's AGR system is based, in its current implementation, on a non-intrusive sonic scan of finger bone joints to determine the degree of ossification (growth) of the bone, relative to the potential for bone growth (the "open" epiphyseal plate at the end of a bone.) Reviewing the patent application, it doesn't seem rash for i-Mature to claim, as it does in its much-maligned website, success in achieving its goal of developing a biometric technology that allows it to make "an absolute distinction between adults [18 and older] and children [13 and younger]." At the Congressional Internet Caucus' exhibition last night -- and in the RSA booth at the big RSA Conference next week -- i-Mature and RSA will demo the AGR prototype and collect feedback on potential applications and issues of concern. RSA hopes that this will reopen the public policy discussion on age-verification technology, which some feel was precipitously closed by the government experts who declared -- in the seminal NRC study, "Youth, Pornography, and the Internet," <http://tinyurl.com/6b3ru <http://tinyurl.com/6b3ru> >, that Dr. Lin and Dick Thornburg co-edited in 2002 -- that biometrics could not, for the foreseeable future, offer any effective means for determining age. Naysaying the future of an active technology is always fraught with risk. The AGR biometric is captured, according to the patent application, when "the presence, absence, or thickness of a bone growth plate in a finger phalanx of the user is sensed and/or measured." A reference table is then used to correlate this growth-plate biometric to standard human development patterns, to determine if the individual scanned is a child or an adult. For the finger bone, according to the inventors' review of medical and forensic literature, "an open epiphyseal plate is detectable up to the age of 12.5 years for girls, and 14 years for boys. At the age of 14.5 years for girls and 16.5 years for boys, only in about 2.5 percent of the population is an open epiphyseal plate detectable in the phalanges." The patent application refers to similar correlations for other bones in the hand, wrist, leg, and foot. "Thus," declare the inventors, "one can assume that in 97.5 percent of all children, the lowest threshold for the "open" growth-plates is at age 12.5 and the highest threshold for "closed" growth-plates is at age 18" -- although for some long bones, like the leg tibia, the growth plate may remain open until age 20. The AGR team decided to develop its table of correlation for the middle finger of a hand. This AGR technology will doubtless have to prove itself and submit both its forensic foundation and any final implementation to critical review before it is widely accepted -- but this isn't black magic. No one is claiming that this technology can, like some carnival swami, declare a date of birth or offer a horoscope, but i-Mature does persuasively claim to effectively distinguish between between a still-developing child and a fully-grown adult. Needless to say, if this becomes accepted as a viable biometric, there are a host of complex and intriguing public policy issues associated with how and where such a technology can or should be used. Or can or should be required.
What's the nature of the RSA connection?
What I know about the i-mature technology is all from public sources, but -- as a consultant to RSA -- I have been party to some internal RSA discussions about the joint R&D agreement that RSA concluded in Barcelona last fall with the i-Mature team. RSA Labs has been working with the AGR inventors for about four months, after they approached RSA Chief Scientist Burt Kaliski to suggest a joint R&D effort. RSA Labs has several similar agreements with leading developers of what are deemed to be "emerging technologies." R&D collaborations such as this have led to useful new privacy and security tech, like RSA's RFID blocking tag <http://tinyurl.com/5k3mr <http://tinyurl.com/5k3mr> >, but there is no product commitment involved. The RSA/i-Mature agreement merely calls for RSA to offer its specialized expertise in secure architectural design and crypto implementation to the AGR development team as they explore the potential of their innovative breakthrough in biometric scanning and classification. Predictably, RSA -- best known for its commercial cryptography, its SecurID tokens, and its Identity and Access Management software -- is also interested exploring the long-term potential of this technology in both layered multi-factor authentication systems and innovative new authorization schemes which may not require proof of a user's legal identity. Core implementation issues for AGR -- as with any biometric-based authorization scheme -- involve striking the appropriate balance between false positives and false negatives for a given application environment. Technically, the AGR technology also has many of the security and design issues common to biometric authentication systems -- integrity, liveliness, timeliness, avoidance of replay, etc. -- but RSA Labs has worked on these problems for many years. (In a library, to take a slightly-flammable example dear to the hearts of many on IP, access to an unrestricted Internet terminal may today involve an administrative decision based on documentation -- birth certificate, driver's license, school ID -- and personal contact. If i-Mature's AGR were used, those access decisions might be largely left to the sensor, but a few ARG rejections might still be appealed and require an administrative decision for an justifiable exception.) The AGR application is unusual -- perhaps the first of its kind -- in that it proposes to use a real-time sensor to determine an age-based authorization, but this design also allows the developers to avoid the complications typically associated with biometric enrollment and secure database interactions. As to the inventors' target price for their future product, I'll leave that for them to debate with the helpful Mr. Burt, SCC's PR manager. Suerte, _Vin Vin McLellan The Privacy Guild Chelsea, MA USA ------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- more on Age Verification Technology David Farber (Feb 10)
- <Possible follow-ups>
- more on Age Verification Technology David Farber (Feb 10)
- RE: more on Age Verification Technology David Farber (Feb 10)