Most children don’t have IDs, and age-estimation technology errs by years
Lawmakers continue to propose new bills that would require social media companies and app stores to segment users by age and obtain parental consent for minors. Laws like Utah’s new App Store Accountability Act and an identically named piece of federal legislation are being pushed across the country. Other bills, such as the Rhode Island Social Media Regulation Act, would require specific social media sites to verify user age.
The goal of these bills is to restrict minors’ use of social media and other apps by enabling parents to either consent to or revoke their child’s use of these services. Unfortunately, these proposals fail to account for the difficulty of verifying—or even estimating—a child’s age online.
No effective age-verification solutions for younger users currently exist, and there are real barriers to verifying parental consent. As in past posts from this series, we will examine these issues briefly and explain the main problems with each proposed solution.
Many children don’t have (and can’t get) government identification
The first issue is that many proposals attempt to age-gate social media by requiring users to upload government documents to prove their age. The laws themselves (or the accompanying regulations) often specify the need for a government ID card, and therein lies the first problem: Children generally don’t have government IDs and often can’t obtain them to begin with. For example, in Washington, D.C. only those aged 15 or older can acquire a limited purpose non-driver identification card; in New Jersey and Massachusetts, the minimum age is 14.
Additionally, fewer teens are choosing to get driver’s licenses. A study by the Congressional Research Service (CRS) found that just over 1 percent of 14- and 15-year-olds, 2 percent of 16-year-olds, 43 percent of 17-year-olds, and 60 percent of 18-year-olds have a driver’s license. The CRS was unable to find similar data for non-driver ID cards. This suggests that a significant number of young legal adults would be unable to access social media under these bills. And this is no small First Amendment problem—if the bills go into effect, millions of adults could be denied access to a popular medium for sharing and receiving speech.
Existing age-estimation technology is inaccurate
The second issue is that some proposals allow for age-estimation technology, which uses biometric means (e.g., face scans) to estimate user age. Unfortunately, these methods are plagued with inaccuracies, often failing particularly badly where it matters most: along the margins of age and age categories. Authors of an ongoing National Institute of Standards and Technology (NIST) study evaluating existing age-estimation algorithms go so far as to say, “[W]e do not have any evidence (yet) that an age-verification classifier can outperform a regression-like estimator on the same task.” (Regression-like estimators estimate user age broadly, whereas classifiers attempt to pinpoint an exact age—a key distinction between the two.)
Notably, the Federal Trade Commission (FTC) voted unanimously to deny applications by the Entertainment Software Rating Board, Yoti, and SuperAwesome for use of a new verifiable parental consent mechanism under the Children’s Online Privacy Protection Rule. The FTC’s rejection letter specifically cites comments in the Federal Register that “raised concerns about privacy protections, accuracy, and deepfakes.”
Various legislation attempts to treat minors differently according to age—an approach that presents particular problems when it comes to age-estimation technology. While it’s important to recognize developmental differences between 10-year-olds and 17-year-olds, the algorithms will fail significantly when attempting to differentiate minors aged 18 and over from those aged 16 to 17, 13 to 15, and under 13. According to the NIST study, even Yoti—the best age-estimation software currently available—has an average error of 1.0 years, while other software options err by 3.1 years on average. Yoti demonstrates a true positive rate of 0.57 for children aged 13 to 16, which means it can correctly place someone in that age range slightly more than half the time—only somewhat better odds than flipping a coin.
This error is understandable in that the task isn’t an easy one—after all, we’re talking about differentiating between months (or even days) of life. But if age verification were required by law, 19- and 20-year-olds would routinely be classified as underage, requiring parental consent to use social media and/or other apps. Even as the technology evolves, a fraction of a percent of error can still amount to millions of people needing to use a different verification method.
Other proposed documents can’t accurately convey age, identity, or familial relationships
Legislators have also suggested using Social Security numbers (SSNs) to establish age and identity under these bills; however, SSNs can’t confirm identity, age, or familial relationships. The absence of photographs on Social Security cards means minors can easily use someone else’s SSN to access apps. Additionally, although SSNs are commonly used as identifiers absent the physical cards, they don’t actually convey identity—which is why synthetic identity fraud is not only possible, but extremely common.
None of these methods can effectively establish parental consent
Every one of these methods fails at providing parental consent for children to access social media or other apps. As already explored in this series, ensuring guardians and their children share last names is insufficient, as they may be different due to divorce, foster care, care by a non-parent family member, or something else. Four percent of children don’t even live with their parents. Because most children don’t have government photo IDs, age-estimation technology is flawed, and SSNs can be used fraudulently (and because none of these methods establish familial relationships), all are useless for the purpose of verifying parental consent.
Establishing familial relationships is important to verifying proper parental consent; in fact, the CRS explored the use of birth certificates for this purpose. However, there are two major issues with this method. First, several million Americans lack access to their birth certificate; second, birth certificates alone can’t prove identity because they don’t include a photograph. Unfortunately, there is no obvious way to combine birth certificates and face scans for children without a photo ID. This is a problem because verifying identity is crucial to determining the status of a child’s parent or guardian and ensuring minors can’t use other people’s identities to overcome age-gating.
Some bills, including the federal App Store Accountability Act, simply require that the parental account holder is at least 18 years of age and “affiliated with one or more account of a user or prospective user who is a minor.” While this approach would reduce burdens on everyone involved, it would also allow non-guardian adults to approve a child’s online behavior.
Conclusion
Much of the age verification and estimation debate fails to account for two simple truths: 1) children don’t have government identification; and 2) estimation tools are not quite where they need to be. Lawmakers must grapple with these realities in order to implement sound policy.
This is part of the series “The Fundamental Problems with Social Media Age-Verification Legislation.”