On August 21, 2023, PRIVO submitted these comments in connection with the application for a new verifiable parental consent (“VPC”) method submitted by the Entertainment Software Rating Board (“ESRB”), Yoti Ltd, and Yoti (USA) Inc. (“Yoti”), and SuperAwesome Ltd. (“SuperAwesome”).
The proposed method uses automated facial age estimation in place of other VPC methods provided for in the COPPA Rule, such as print and sign forms, credit/debit card transactions, telephonic or video calls with trained staff, and verification against government-issued identification. PRIVO believes that while age estimation can be a good tool in some use cases, age estimation alone is not sufficient to be considered “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”
Introduction
There is a necessary tension between data minimization and verifiable parental consent. While other authorities may strike the balance between the two in a way that favors data minimization, COPPA and the FTC’s COPPA Rule require more than the mere verification of anonymous adults to allow them to permission children to publicly chat, share information, and receive behavioral advertising. Some commenters find fault with other VPC methods already accepted under COPPA, and some claim they are out of date or excessively burdensome. However, these methods appropriately require that an adult take affirmative action to associate themselves with the child, and create a data trail that deters faking. Examples of these data trails include the existence of a signed form, an unfamiliar credit card charge on the parent’s statement, or evidence that the asserted parent (1) actually does exist and (2) existed prior to the request for parental verification. That is, already-issued government ID or already-existing know-your-customer banking, employment, health care or educational institution relationships provide greater evidence of the existence of an actual, pre-existing human than mere anonymous age estimation does, and thus disincentivize anyone from using their information and associating it with fraudulent transactions. Accordingly, PRIVO disagrees with the AVPA’s conclusion in its comments in this proceeding that the proposed method is better than those already enumerated in the COPPA Rule, or approved by existing Safe Harbors with experience processing parental consent.
The risks that fast, frictionless, anonymous age estimation of adults presents are not theoretical. The anonymity that the method provides, its data minimization, is the very aspect of it that invites its misuse. Aristotle International Inc., in its comments in this proceeding, foresees a potential “cottage industry” of adults willing to have their faces scanned for hundreds or thousands of children in exchange for a small payment. PRIVO has this same concern and more. More than the cottage industry envisioned in Aristotle’s comment, PRIVO foresees that children who cannot make a Venmo or other real currency payment might promise to transfer in-game currency or articles to the adult who vouches for them to get into the game where those virtual items will be earned. Thus, it is clear that the incentives for adults to assist unrelated children in circumventing parental consent do exist and ways of paying for the service are accessible to children. However, if the child is unable to pay this debt back through the game as promised, the adult might suggest other ways that they can do so, leaving the child vulnerable to the adult’s manipulation. Indeed, the anonymity of the method creates the risk of pedophiles or other bad actors using the method to permission many children onto sites precisely so that they can groom them entirely out of parental view.
Other, less nefarious scenarios also exist in which the method would allow circumvention of parental consent and rights. The child might create a new email for their parent, receive the email from the operator and simply bring their device to their parent asking the parent to look at the camera, explaining that it is merely a game or app that will give an answer as to whether they are older or younger than 25. The parent will not have received the emailed disclosures or any other notice that by placing their face into the field, they have given their child access to essentially the entire Internet.
Alternatively, the parent of a child’s friend or classmate, or a temporary caregiver such as a nanny or babysitter, may be unaware of specific limits a parent has set for their child’s online activities and obligingly agree to have their face scanned so that both children can play on the same site or service during a playdate. Or, worse, these other adults may know of and disagree with the limits placed on the child, but, knowing that there will be no record of who permissioned the child onto the site, intentionally circumvent the parent’s wishes.
And, while the proposed method’s live testing is said to deter the use of static photographs children might proffer in an effort to trick the system, there is a real risk of deep fakes. In the child space, a single, successful deep fake created by one child or teen, for profit or just to see if they can do it, could be sold or passed around friend groups and schools and used repeatedly to permission numerous child accounts with no accountability for where the deep fake even originated.
Thus, prioritizing the minimization of the “parent’s” biometric data results in a verification method that is not any stronger than Email Plus. It is a method that may be able to strengthen Email Plus, but alone, it does not provide the level of verification needed for one-on-one live chat, public sharing, behavioral advertising and online profiling across services (1). It does not prevent the creation of “mega-parents,” as Aristotle dubs them, or pedophile mills, as PRIVO fears. Nor does it do anything to assist in complying with operators’ obligation to re-verify adults who seek to access their purported child’s data as required by the COPPA Rule.
It must also be remembered that this method, if approved, would be used in the child-directed sites and services space. This means that the age estimation will be initiated by the child, not the adult. A different set of considerations applies when an adult walks to the checkout stand with a bottle of wine or case of beer and submits to a facial scan than when a child initiates the process. In PRIVO’s experience, children will attempt to circumvent any parental verification method. They regularly go so far as to call the customer service telephone line attempting to pass for adults. Thus, it must be expected that they will insert their own faces into the frame and attempt to trick the system. They may even be entertained by trying to see the answer they get back from what they perceive as nothing more than a fun app. This means that the operator will be processing child data prior to the parent receiving any disclosures, indeed, without the parent ever being alerted to the child’s attempt. A child’s face, even for age estimation purposes, is not one of the pieces of information that operators are allowed to collect directly from a child in the parental verification process.
Responses to Questions Asked
1. Is this method already covered by existing methods enumerated in 16 CFR 312.5(b)(2)? No.
2. If this is a new method, provide comments on whether the proposed parental consent method meets the requirements for parental consent laid out in 16 CFR 312.5(b)(1). Specifically, the Commission is looking for comments on whether the proposed parental consent method is reasonably calculated, considering available technology, to ensure that the person providing consent is the child's parent. No. It provides less evidence that would possibly allow the next step of relationship verification and is prone to misuse that could lead to a false sense of security.
3. Does this proposed method pose a risk to consumers' personal information, including consumers' biometric information? If so, is that risk outweighed by the benefit to consumers and businesses of using this method? Yes, this method poses a risk to consumers’ personal information because the data is taken back to the Yoti servers, rather than processed on device. In addition, child data is at risk because children will use the method and their data will also be taken back to the server. This risk is not outweighed by the benefit to consumers and businesses of using the method because, as stated herein, the method is not materially stronger than the Email Plus method and will lead to more false VPC transactions, which will result in greater disclosure of child data on the Internet.
4. Does this proposed method pose a risk of disproportionate error rates or other outcomes for particular demographic groups? If so, is that risk outweighed by the benefit to consumers and businesses of using this method? To the extent that a child does not have a willing or able parent or guardian to use one of the existing methods, the FTC should open an inquiry and PRIVO would welcome the ability of parents to delegate to other reasonable adults.
Conclusion
The application itself notes that FTC approval of this method is not necessary. The ESRB as a Safe Harbor can approve it for use by its members by itself. FTC approval, however, makes the method more marketable and acceptable to parents. The VPC approval mechanism was not intended to provide the FTC’s stamp of approval on individual companies’ business plans. Nor is it intended to make it easier, faster, and more frictionless to get the same imperfect level of VPC as existing methods that some criticize. It is not enough to compare the method to the existing ones and say that it is no more flawed than they are. The intent of this regulatory process was to encourage innovation and for operators to use advances in technology to find better ways to confirm that the consenting adult is the child’s parent. Instead, the method proposed promises the rapid-fire creation of millions of federated child online IDs on N tier number of sites and services, all decoupled from the permissioning adult’s data. It retreats from attempting to establish the parental relationship.
More than just being at odds with COPPA and the needs of children under 13, if approved by the FTC, the method will become a model for state-level or other regulatory schemes. Many of those seek to address the needs of children up to 18 years of age. These regulatory schemes might not have the same sort of process as was written into COPPA that requires periodic review of the effectiveness of existing methods and the availability of newer and stronger ones. Once written into these other regulatory schemes, they may well become entrenched.
PRIVO welcomes and expects derogation of less effective methods over time, but to date, no method has been removed from the approved list. In part, that is because the solutions that COPPA seeks and the job it has assigned the FTC are not easy. But simply because they are not easy does not mean they are not worthwhile.
PRIVO's complete comments submitted to the FTC can be viewed here.
Footnote:
(1) Furthermore, even where age estimation is an appropriate and beneficial service, there are other third-party providers of that service that are more privacy enhancing because, unlike Yoti, they do not take the data back to their servers for processing.