The Entertainment Software Ratings Board (ESRB) is blasting recent reports that suggest the organization is planning to use facial recognition tech on children, adding that it has no intention of using the technology to take or store selfies of its users.
Yesterday, reports surfaced that the ESRB was partnering with Yoti, a digital identity firm, to use facial estimation tech to check the ages of users. The news quickly spread to multiple outlets, with some worrying that the facial age tech would be used to store photos of underaged users.
However, in a heated statement sent to IGN, an ESRB spokesperson clarified that the tech is not intended to stop children from purchasing or downloading restricted games.
“First and foremost, this application is not to authorize the use of this technology with children. Full stop. Nor does this software take and store ‘selfies’ of users or attempt to confirm the identity of users,” the ESRB told IGN in an email.
“Furthermore, this application makes no mention of using age estimation to prevent children from purchasing and/or downloading restrictively rated video games, nor do we intend to recommend its use in that way.”
The application for approval the ESRB is referring to pertains to Privacy Protective Facial Age Estimation. This new verifiable parental consent mechanism uses facial age estimation tech that analyzes the geometry of a parent’s face to confirm they are an adult. Facial age estimation technology is used to estimate a person’s age based on a selfie taken by the user, but it does not determine or learn the identity or name of the individual. It’s not the same as a facial recognition system, which matches a human face using a digital image or a video still that it cross-checks with a database.
According to the ESRB, children attempting to sign up for a new service such as a website or a video game will be asked to provide a parent or caregiver’s email address. The parent may then be asked to consent to a scan of their face using a front-facing camera, which is then used to “accurately estimate the parent’s age.”
The ESRB reiterated that the technology is not intended to collect data on users or children.
“To be perfectly clear: Any images and data used for this process are never stored, used for AI training, used for marketing, or shared with anyone,” the FTC spokesperson said, “the only piece of information that is communicated to the company requesting [Verifiable Parental Consent] is a ‘Yes’ or ‘No’ determination as to whether the person is over the age of 25. This is why we consider it to be a highly privacy protective solution for VPC.”
The full statement can be found below.
First and foremost, this application is not to authorize the use of this technology with children. Full stop. Nor does this software take and store “selfies” of users or attempt to confirm the identity of users. Furthermore, this application makes no mention of using age estimation to prevent children from purchasing and/or downloading restrictively rated video games, nor do we intend to recommend its use in that way.
As background, ESRB Privacy Certified (EPC) is a COPPA Safe Harbor seal certification program that works with its member companies to help ensure they comply with all relevant privacy regulations in the U.S. and increasingly abroad. While EPC is under ESRB’s self-regulatory umbrella, it operates independently of ESRB’s ratings and enforcement activities.
The Children’s Online Privacy Protection Act (COPPA) – a key privacy regulation in the U.S. passed in 1998 – requires that companies (platforms, games, services, websites, etc.) obtain verifiable parental consent (VPC) before collecting, using, or sharing any personal information from children under the age of 13. In other words, the company already has knowledge that the user is a child typically from an age gate or attempt to register for a game, platform or service. The FTC has previously authorized various methods that companies can use for VPC, including asking for government ID, calling a toll-free number, faxing a consent form, video conferencing, etc. These methods haven’t been updated since 2015. As a COPPA Safe Harbor, EPC has the authority to approve and implement new VPC methods without involving the FTC. That said, EPC takes its role (and its responsibilities to member companies) very seriously and, considering how new the technology is, EPC preferred to obtain approval directly from the FTC through their application process before approving its use by EPC members.
As you can see on pages 3 and 4 of ESRB Privacy Certified’s application, the consent method – and the live facial scans (not facial recognition, which is used to determine identity) – involves confirming if the person who is verifying consent is 25 years or older. When a child attempts to sign up for a new service (website, application, video game, platform, etc.), by U.S. law, they will be prompted to provide a parent’s or caregiver’s email address or other contact information. The parent is then usually sent an email asking them to confirm their consent for the collection of certain data from their child. If the company collecting the data is using Yoti technology, the parent will be asked for their consent and prompted to use their front-facing camera to scan their face (which must be live and in person). Yoti’s technology encrypts the information gathered from the scan, then breaks down portions of this scan to accurately estimate the parent’s age. Our application to the FTC recommends that the age threshold be set at 25 to prevent teenagers or older-looking children from pretending to be a parent.
To be perfectly clear: Any images and data used for this process are never stored, used for AI training, used for marketing, or shared with anyone; the only piece of information that is communicated to the company requesting VPC is a “Yes” or “No” determination as to whether the person is over the age of 25. This is why we consider it to be a highly privacy protective solution for VPC.
Image Credit: da-kuk / Getty Images
Taylor is a Reporter at IGN. You can follow her on Twitter @TayNixster.