RE: more on Age Verification Technology

["David Farber" <dave () farber net>]

_______________ Forward Header _______________
Subject:        RE: [IP] more on Age Verification Technology
Author: "Lin, Herb" <HLin () nas edu>
Date:           10th February 2005 2:29:26 pm

 

For IP

Dave -

I appreciate Vin McLellan's description of the technology involved, and
I'm happy to stipulate that there are a number of biophysical markers
for age, and that bone scans are one of the most important.  For
example, it is well known that bone plates fuse in the skull at the end
of puberty (indeed, that's considered by some physicians as a *marker*
of the biological end of puberty).

But our conclusions about age verification technologies in the context
of the report remain valid.  If you read the report (Chapter 13), you'll
find that we distinguish between age verification systems that are (a) a
subset of an age-verification infrastructure that can be used for
broader purposes, or (b) deployed by vendors of sexually explicit
material.  We did not see any demand for (a) because we could not see
what would be the broader purposes, and we could not see any age
verification technologies that would be deployable by vendors.  That is
still true, the technologies in question (bone scanning and the like)
not withstanding.

The other major point is that when the "Youth Pornography and the
Internet" report was written, we *did* know about bone scans-and they
are mentioned in an accompanying workshop report ("Technical, Business,
and Legal Dimensions of Protecting Children from Pornography on the
Internet: Proceedings of a Workshop").  But as Andy Sullivan noted in
his earlier post, the technology won't work for keeping kids out of porn
sites, or any other application in which you need a hard "under 18/over
18" bright line.

This point is fundamental, and is based on two separate threads.  First,
no sensible person would believe that there is a biomarker that can
distinguish between someone who is 17 yrs and 364 days old and the same
person 2 days later.  Second, the stochastic nature of biological
development means that different people mature at different rates, even
if there are biomarkers of age.  It is a LEGAL matter that the
under-18/over-18 line exists and that it exists for all citizens - it's
not a biological matter. 

I will speak from personal experience here.  My 10 year old daughter is
physically underdeveloped for her age, and suffers from a shortage of
growth hormone production.  Her bone age--as measured by ultrasound and
read by qualified specialists--lags her chronological age by at least 2
yrs (though her mom and I hope that gap is narrowing over time).
Because they are using the same biomarkers, the bone scanners of
I-mature will not be able to detect THAT difference between
chronological and biological age-and it is chronological age that is the
relevant age for legal purposes.

Finally, the I-mature site does claim to be able to make "an absolute
distinction between adults [18 and older] and children [13 and
younger]."  But as their website readily admits, there are 3 categories,
not two - the middle range of 13 to 18.  All people whose bioscans are
intermediate between "adults 18 and over" and "children 13 and younger"
will fall into that middle category.  The problem is that the legal
issues of minors viewing sexually explicit material do not distinguish
between the two youngest categories.  Some might argue that they should,
but they do not.

It is also of particular significance to the debate over sexually
explicit materials and minors that it is people in this middle age group
that are likely to be the most highly motivated to seek out such
materials.  Children 13 and younger are less likely to seek it out, and
there the problem is likely to be more related to accidental or
inadvertent exposure.  Children 13 and younger are also more likely  to
pay attention to parental guidance and instruction.

So, as a practical matter, the people who are seeking a solution to the
problem of exposing minors to sexually explicit material need to find
good ways to distinguish between adults and this MIDDLE group, not
between adults over 18 and children under 18.  Thus, even if the
technical claim of being able to distinguish between adults over 18 and
children under 13 is valid, that claim is irrelevant to the real problem
at hand - distinguishing between adults and teenagers.  That problem, of
course, is much harder to solve, for reasons given above.

I'm prepared to believe that those identified through bone scan as adult
will [probably] be legal adults.  But as the case of my daughter
suggests, the technology will fail to identify some legal adults as
adult-her I-mature bone scan is likely to identify her as 16 when she is
in fact 18.  Therein lies the rub, and the reason that we said that age
verification technologies were not likely to work for the purpose of
keeping minors away from sexually explicit material while allowing
adults relatively free access.  We said that there were "no foreseeable
technological 'silver bullets' or single permanent solutions to be
crafted," and nothing in the I-mature announcement changes that
conclusion.


Herb Lin

Senior Scientist

NRC

co-editor of Youth Pornography and the Internet

available at http://books.nap.edu/catalog/10261.html

 

 


===


Hi Dave,



In answer to Herb Lin's query about i-Mature's Age Group Recognition
(AGR) technology, I would refer him to the inventors' European Patent
Office filing <http://tinyurl.com/4le9t <http://tinyurl.com/4le9t> > for
more details about this intriguing age-verification technology than is
currently available on the i-Mature

website: <http://tinyurl.com/4le9t <http://tinyurl.com/4le9t> >.



The EPO offers a copy of the inventors' US patent application for a
sensor-based access control device that can measure how far along a body
is in its physical development cycle and then use that biometric to
distinguish children from adults.


(Took me all of two minutes to dig up the online EPO patent data, which
offers an intriguing, if necessarily incomplete, overview of a variety
of biological metrics and forensic techniques which can be used to
differentiate between children and adults. Shame on those who cry scam
and offer FUD so blithely.)



If CSI fans or any student of forensic anthropology might naively
presume that this biometric has been used for years, technocrats and
public policy mavens should at least approach the prospect of a viable
age-verification technology with an open mind. (Most, I trust, do --
despite cynicism about its "silver bullet" aura in some circles.)

i-Mature's AGR system is based, in its current implementation, on a
non-intrusive sonic scan of finger bone joints to determine the degree
of ossification (growth) of the bone, relative to the potential for bone
growth (the "open" epiphyseal plate at the end of a bone.) Reviewing the
patent application, it doesn't seem rash for i-Mature to claim, as it
does in its much-maligned website, success in achieving its goal of
developing a biometric technology that allows it to make "an absolute
distinction between adults [18 and older] and children [13 and
younger]."

At the Congressional Internet Caucus' exhibition last night -- and in
the RSA booth at the big RSA Conference next week -- i-Mature and RSA
will demo the AGR prototype and collect feedback on potential
applications and issues of concern.  RSA hopes that this will reopen the
public policy discussion on age-verification technology, which some feel
was precipitously closed by the government experts who declared -- in
the seminal NRC study, "Youth, Pornography, and the Internet,"
<http://tinyurl.com/6b3ru <http://tinyurl.com/6b3ru> >,  that Dr. Lin
and Dick Thornburg co-edited in 2002 -- that biometrics could not, for
the foreseeable future, offer any effective means for determining age.

Naysaying the future of an active  technology is always fraught with
risk.

The AGR biometric is captured, according to the patent application, when
"the presence, absence, or thickness of a bone growth plate in a finger
phalanx of the user is sensed and/or measured." A reference table is
then used to correlate this growth-plate biometric to standard human
development patterns, to determine if the individual scanned is a child
or an adult.

For the finger bone,  according to the inventors' review of medical and
forensic literature, "an open epiphyseal plate is detectable up to the
age of 12.5 years for girls, and 14 years for boys.  At the age of 14.5
years for girls and 16.5 years for boys, only in about 2.5 percent of
the population is an open epiphyseal plate detectable in the phalanges."
The patent application refers to similar correlations for other bones in
the hand, wrist, leg, and foot.

"Thus," declare the inventors, "one can assume that in 97.5 percent of
all children, the lowest threshold for the "open" growth-plates is at
age 12.5 and the highest threshold for "closed" growth-plates is at age
18" -- although for some long bones, like the leg tibia, the growth
plate may remain open until age 20.  The AGR team decided to develop its
table of correlation for the middle finger of a hand.

This AGR technology will doubtless have to prove itself and submit both
its forensic foundation and any final implementation to critical review
before it is widely accepted -- but this isn't black magic. No one is
claiming that this technology can, like some carnival swami, declare a
date of birth or offer a horoscope, but i-Mature does persuasively claim
to effectively distinguish between between a still-developing child and
a fully-grown adult.

Needless to say, if this becomes accepted as a viable biometric, there
are a host of complex and intriguing public policy issues associated
with how and where such a technology can or should be used. Or can or
should be required.

> What's the nature of the RSA connection?



What I know about the i-mature technology is all from public sources,
but -- as a consultant to RSA -- I have been party to some internal RSA
discussions about the joint R&D agreement that RSA concluded in
Barcelona last fall with the i-Mature team.

RSA Labs has been working with the AGR inventors for about four months,
after they approached RSA Chief Scientist Burt Kaliski to suggest a
joint R&D effort.  RSA Labs has several similar agreements with leading
developers of what are deemed to be "emerging technologies."  R&D
collaborations such as this have led to useful new privacy and security
tech, like RSA's RFID blocking tag <http://tinyurl.com/5k3mr
<http://tinyurl.com/5k3mr> >, but there is no product commitment
involved.

The RSA/i-Mature agreement merely calls for RSA to offer its specialized
expertise in secure architectural design and crypto implementation to
the AGR development team as they explore the potential of their
innovative breakthrough in biometric scanning and classification.
Predictably, RSA -- best known for its commercial cryptography, its
SecurID tokens, and its Identity and Access Management software -- is
also interested exploring the long-term potential of this technology in
both layered multi-factor authentication systems and innovative new
authorization schemes which may not require proof of a user's legal
identity.

Core implementation issues for AGR -- as with any biometric-based
authorization scheme -- involve striking the appropriate balance between
false positives and false negatives for a given application environment.

Technically, the AGR technology also has many of the security and design
issues common to biometric authentication systems -- integrity,
liveliness, timeliness, avoidance of replay, etc. -- but RSA Labs has
worked on these problems for many years.

(In a library, to take a slightly-flammable example dear to the hearts
of many on IP, access to an unrestricted Internet terminal may today
involve an administrative decision based on documentation -- birth
certificate, driver's license, school ID -- and personal contact.  If
i-Mature's AGR were used, those access decisions might be largely left
to the sensor, but a few ARG rejections might still be appealed and
require an administrative decision for an justifiable exception.)

The AGR application is unusual -- perhaps the first of its kind -- in
that it proposes to use a real-time sensor to determine an age-based
authorization, but this design also allows the developers to avoid the
complications typically associated with biometric enrollment and secure
database interactions.

As to the inventors' target price for their future product, I'll leave
that for them to debate with the helpful Mr. Burt, SCC's  PR manager.


Suerte,

            _Vin



Vin McLellan

The Privacy Guild

Chelsea, MA USA






-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/