Podcasts
Caveat
Ep 276
Caveat 9.4.25
Ep 276 | 9.4.25

Two seconds to safer online spaces.

Show Notes
Transcript

[ Music ]

Dave Bittner: Hello, everyone. And welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my cohost Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.

 

Ben Yelin: Hello, Dave.

 

Dave Bittner: On today's show Ben discusses some unintended consequences of age verification laws. I've got a look at the government's recent acquisition of a stake in Intel. And later in the show my conversation with Elad Schindler. He's a product manager at AU10TIX. We're going to be discussing the company's recently launched child safety age assurance risk and readiness assessment. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover please contact your attorney. All right, Ben. Why don't you kick things off for us this week? What do you have for us?

 

Ben Yelin: So there is a new phenomenon sweeping the globe and it is age verification laws for naughty websites.

 

Dave Bittner: Naughty websites. Okay.

 

Ben Yelin: There are a lot of examples in the United States. There was a Supreme Court case that we talked about relating to a Texas age verification law. The Supreme Court upheld that as constitutional. It wasn't unduly restrictive on first amendment rights. Mississippi in the U.S just passed a pretty harsh age verification law.

 

Dave Bittner: Right.

 

Ben Yelin: And then there's our friends in the United Kingdom which have passed the extremely controversial Child Online Safety Act which has everybody up in arms. And one of the provisions of that act is an age verification provision. So there are a couple of ways that a person can show verification according to this law. As relevant here you can upload a picture of yourself. Maybe it's your driver's license or a government photo issued ID. And they have an AI system that can predict what age you are based on the picture they are looking at. That's basically what's relevant to our discussion. It's somewhat burdensome. If you don't want people to know that you've gone to a website giving that website a picture of your face might not be the best course of action.

 

Dave Bittner: Right.

 

Ben Yelin: Now for most of these we're talking about adult websites, pornography, that sort of thing.

 

Dave Bittner: Yeah.

 

Ben Yelin: But at least in Texas and Mississippi we've seen age verification laws applied to things like social media, and there's where you could see a big impact on free speech.

 

Dave Bittner: Right.

 

Ben Yelin: So the U.K also has this agency off comm which is their communications regulator enforcing compliance. If sites -- even if these sites are not located in the U.K, don't comply with the provisions of the law, they could be fined up to 18 million pounds or 10% of global revenue which is significant. We're talking about DDPR level numbers here in terms of consequences for non compliance.

 

Dave Bittner: Europe don't mess around when it comes to fines.

 

Ben Yelin: Exactly. I know they're still in Europe technically in the continent even though we've been through our Brexit process. So there's been your expected push back from the tech industry. I think the companies and privacy advocates like the Electronic Frontier Foundation have argued that this could lead to surveillance like practices. If these systems aren't secure and they're collecting people's faces then the fact that these people have visited these websites could make them liable to blackmail. I have your face. I saw that you used it to log in to Porn Hub. I would love to share that with your employer lest you give me $1 million.

 

Dave Bittner: Well, but you think about how this could make it easier for people who do those kind of extortion phishing campaigns. We've seen for years they have those campaigns where they say, "Hey, I saw you being naughty. I hacked in to your webcam."

 

Ben Yelin: Yep.

 

Dave Bittner: And I saw you being naughty.

 

Ben Yelin: Pay me X amount in Bitcoin.

 

Dave Bittner: Right. So I could see them altering that and saying, "Hey, we got the photo of yourself that you uploaded to the naughty site and unless you send us money we'll expose you that way." So I can see it lending -- what do you call it? Legitimacy to those kinds of scams.

 

Ben Yelin: Yeah. Definitely. And then there's people who the law's not necessarily intended to inhibit, but are suffering the consequences of these types of laws. So there's an app, I've never heard of it, called Tea Dating Advice, a U.K app where women anonymously reviewed their dates with men and apparently there was a cyber attack that exposed thousands of women's selfies and driver's license photos which the site had requested using the same technology to ensure that the users were actually women and not men giving themselves good reviews. I wouldn't put it past us men.

 

Dave Bittner: Right.

 

Ben Yelin: The other thing that's going on here we talked in the context of these laws about using a VPN. That's one element of it. The fact that you now have these laws in the U.K and also in some U.S states I would worry that eventually you're going to run out of places to VPN yourself in to. There are always going to be places, but that is a temporary workaround. The other unintended consequence here though is that people are increasingly going to websites that do not have robust age verification procedures either because they're off the beat websites, they're copycat websites that aren't the big adult companies, and they don't care about potential fines because they are seeing such a remarkable influx of customers.

 

Dave Bittner: I see.

 

Ben Yelin: So the "Washington Post," and we took an article from them this week, they gathered U.K visitor estimates over the past year for 90 of the largest porn sites as ranked by a market intelligence firm. They used a VPN to appear online as a U.K user and they checked which sites verified a user's age. 14 sites in those top 90 did not do an age check and all 14 of those have seen a major boost in traffic from U.K users. So one explicit pornographic site saw an increase of 350,000 users compared to this time last year.

 

Dave Bittner: Wow.

 

Ben Yelin: So it ends up rewarding the companies that are not complying with the law and punishing the companies that are attempting to comply with the statute.

 

Dave Bittner: Right.

 

Ben Yelin: I think from the U.K's perspective, and I'm sure these U.S states their governments would say the same thing is these are just growing pains of a new regulatory regime. We still want to have a way to make sure that minors are not accessing these websites. Obviously that is a very noble goal, but I think as we're working through these we see that there are these unintended consequences and I think policy makers have to take those seriously.

 

Dave Bittner: Do we think that these websites that are allowing folks in without the age verification are they housed in places that consider themselves outside of the reach of U.K law?

 

Ben Yelin: They might think that, but they're not. As long as you have a customer base in the U.K you are within the long arm of the U.K statute.

 

Dave Bittner: I guess I'm just thinking of let's say they're hosted in Russia and Russia doesn't have an agreement with the U.K for any sort of reciprocity legally. What are they going to do? You know? What's the U.K going to do?

 

Ben Yelin: Probably are not going to be able to enforce it. I mean they might try to take down some of these sites. That has happened in some circumstances in other countries where entire websites are taken down. There's usually a backlash to that. Who knows what that would be like? If people are willing to come forward and start protesting because they lost their favorite pornography website.

 

Dave Bittner: Yeah.

 

Ben Yelin: But, you know, we saw that in Brazil when they temporarily shut down X Twitter that there was a public outcry that this is something that was inhibiting free speech. So that's certainly a possibility that it could be from a country like Russia or China where there's no extradition treaty. Well obviously. I guess this isn't criminal law anyway. But the company's never going to comply because they know their government will not allow them to face that liability.

 

Dave Bittner: Right.

 

Ben Yelin: So I think -- I think that's certainly a valid concern.

 

Dave Bittner: See what I would like to see and I don't know if it's inevitable or not, but in a similar way to how technology like face ID works, right, where your ID -- the image of your face is securely stored in this case on an iPhone.

 

Ben Yelin: Right.

 

Dave Bittner: It's in a secure enclave. It is separated from the rest of the system.

 

Ben Yelin: Apple does not have access to it.

 

Dave Bittner: Apple doesn't have access to it. The system doesn't have access to it. All the system can do the OS can ask a question to face ID and say, "Is this the person that we want it to be?"

 

Ben Yelin: Right.

 

Dave Bittner: And face ID either says yes or no. But the system can't ask face ID for the picture.

 

Ben Yelin: Right.

 

Dave Bittner: It just doesn't work that way. So I think a similar kind of thing for these ID systems would be great where I verify who I am to my mobile device through my driver's license or whatever and then it's just up to the website, whatever it is, whether it, you know, they're selling me alcohol or porn or anything else we don't want kids to have access to. All it does is ask the question. Is this user of age? And the -- and my device either says yes or no. Doesn't tell them how old I am. Just says, "Yes. This person is in this case over 21 let's say." You think that's practical?

 

Ben Yelin: I do. I mean I guess I'm not sure. Maybe you have a better answer than I do on this. Exactly how the technology works. Because you're not just verifying a document. You're not just verifying that a person is who they say they are. They're using some type of AI through facial recognition to determine whether that person is an adult. And the reason that's important is I don't know if you remember from college, Dave, but a lot of people have fake forms of identification. I know. It may look, appear, as if they are real, but are not actually real.

 

Dave Bittner: Yes.

 

Ben Yelin: So this is a workaround around that and do you solve that problem by having the system that you just described?

 

Dave Bittner: Right. Well, yeah. I mean that's a different problem. Right? You know.

 

Ben Yelin: It is.

 

Dave Bittner: Yeah. Well, Ben, lucky for us our guest this week is Elad Schindler. He's from a company called AU10TIX. And they do this kind of technology. They develop the technology that estimates your age.

 

Ben Yelin: Well, that is fortuitous.

 

Dave Bittner: Right? Right? So we will get all the details about that because I have to say going in to the interview I was a little skeptical, but we'll get in to that later in the show when the time comes. But it is an interesting technology. But back to the main question about whether or not your phone could handle this. You'd have to have some kind of system that would on the back end verify that your driver's license is your driver's license. But for -- like here in Maryland we have e driver's licenses. Right? So why couldn't the system just tie in to that? If that is a legitimate recognized legal form of identification on our mobile device, let's go with that.

 

Ben Yelin: Yeah. I mean I guess some people would say, "I don't have that form of identification. Why do I need it? I'm not planning on driving. I just want to use -- " But, you know, I think policymakers might say, "That's a minimal inhibition on people accessing these websites." You don't have a completely unfettered right. Even if you consider something like this free speech like minor barriers to access this is essentially what the Supreme Court said cannot be construed as major inhibitions on the first amendment.

 

Dave Bittner: Right. I mean if I walk in to my local newsstand and I want to buy a copy of "Playboy" magazine and I'm 18 and a half years old --

 

Ben Yelin: And you look young.

 

Dave Bittner: And I'm young looking.

 

Ben Yelin: They're going to run your driver's license.

 

Dave Bittner: Right.

 

Ben Yelin: Yeah.

 

Dave Bittner: And their -- that's they're required to do so. Right?

 

Ben Yelin: I think so. Yeah. I mean the one thing that changes this from a buying a "Playboy" at a newsstand scenario is the other sites that can just pop up who are hostile to enforcement. It would be the equivalent of like, "All right. That liquor store checks ID so we're going to open 10 other makeshift liquor stores in a 5 block radius and we will catch all the underage drivers who want to buy alcohol, but don't have ID to do so." You can do that on the internet, but you can't do that in that context. And one porn industry blog post which I'm not reading, I swear to God, estimated that thousands of clones of popular pornographic websites have already been stealing content and are soon to be massively rewarded by taking over this market share. And I just don't think any policymakers want this to happen. So there has to be some fix. But just given how free the internet is to create things and how long it takes to detect new copycat websites, they might just constantly be chasing their own tails on this. And is it worth having these laws if you're going to end up with these unexpected consequences?

 

Dave Bittner: So I guess the notion is, you know, pornography is legal. We have these companies --

 

Ben Yelin: If you're an adult yep.

 

Dave Bittner: Yeah. We have these companies who are in good faith trying to offer these sorts of things according to the law, according to the rules, but they're getting an end around done to them by the companies that have a little more moral flexibility let's say.

 

Ben Yelin: Nice euphemism there. Yeah. I mean it is funny. Like it ends up punishing entities who really care about being the legitimate porn sites and will respond to negative news coverage by making policy changes. There are a lot of companies who don't care at all about that and are just looking for eyes. And those are the companies that are pretty much successfully evading those laws and capturing a lot of customers who with good reason don't want to put their face through the porn hub portal.

 

Dave Bittner: Yeah. Well, how do you think it's going to play out?

 

Ben Yelin: I think as we've seen more states consider these laws in the United States and certainly we are seeing that, I think Wyoming and South Dakota are considering similar laws, I think states have to start thinking about different types of enforcement mechanisms or whether it's increasing resources in the attorney general's -- attorneys general offices to root out these copycat websites and to protect against the leak of this type of information. I think enforcement has to change in order to effectuate the original goal of the law which is to protect adults' privacy, but to make that it's only adults accessing these websites. And I'm not sure exactly what those changes would look like, but I think given that we now know about these unintended consequences states are going to have to get more creative in tamping down the illegal copycats who are trying to evade the system and undermine the intent of the law.

 

Dave Bittner: Yeah. There's a big hubbub right now about the Mississippi law affecting Mastodon. Mastodon.

 

Ben Yelin: Your favorite site.

 

Dave Bittner: Yeah. A big social network, but it's federated which means there isn't one central location that everything flows through. So it's more like email. Right? Where you have an email provider and the email providers talk to each other and that's how email works. And that's kind of how this social network works. It's very Twitteresque. But the challenge is Mississippi's law requires age verification even for social media sites and --

 

Ben Yelin: That's a big step.

 

Dave Bittner: Right. And how do you handle that with a federated system? You know, imagine again if your email -- if email had to verify the age of every person sending you email how do you manage that?

 

Ben Yelin: Yeah. I mean that's a major burden. I don't know what's going to happen with that Mississippi law because it does introduce elements that were not present in the Texas law. You know, the Texas law was about inhibitions on free speech for accessing adult content. And when we get in to age verification for social media I think that's a different animal entirely because I think the free speech interests are greater. And I don't know exactly how that's going to turn out in Mississippi. But it's not just going to be Mastodon. I think all of the tech companies are very concerned about that type of law.

 

Dave Bittner: Yeah. Absolutely. All right. Well, we will have a link to that story in the show notes. We will be right back after this quick word from our sponsor. [ Music ] My story this week comes from the folks over at Lawfare. This is the legal basis for government stakes in private firms. You know where we're going here, Ben.

 

Ben Yelin: I do. The Trump Bernie Sanders favorite policy that we're going to talk about.

 

Dave Bittner: Yeah. So on August 22 President Trump announced that the U.S had taken just under a 10% stake in Intel. Intel is going through some challenges right now. They're not the market leader that they once were when it comes to manufacturing chips and designing chips and so on and so forth. But the president has made the case that it is in our nation's best interest to support Intel because they are the -- I think the only manufacturer of silicon chips --

 

Ben Yelin: In the U.S.

 

Dave Bittner: In the U.S. And so that I think is the justification, please correct me if I'm wrong, for taking this 10% stake in the company. But let me just rewind a little bit, Ben. Like what was your initial response to hearing about this policy shift?

 

Ben Yelin: Oh, my initial response was trolling people and saying like, "Hey, comrade. We've -- we are all united in government ownership of private business." No. I -- my first instinct was that it was funny that a Republican president was taking a government stake in a private company. I mean I think that at least on its surface seems hypocritical. I have to say the more research I've done -- this is going to be a hot take. I'm not sure how awful an idea it is. I mean there are always downsides to the government owning business or any equity stake in a business.

 

Dave Bittner: Right.

 

Ben Yelin: You know, we've seen how entities like Fannie and Freddie have worked out, if they're over reliant. But we have seen instances where the government has come in and taken a stake in companies to help revive them in the interests of national security slash economic power. And the auto companies is the best example. I mean we took a stake in a good portion of them through the bailout in late 2008, early 2009. And we did revitalize the American auto industry. And that was an initiative started under President George W Bush. You know, I'm not sure if the 9.9% equity stake is the proper way to do this, but I do think there is something worthy about the goal that if we are going to be investing taxpayer resources in to this, which the CHIPS Act allows, through things like loans and grants that the taxpayers should get a portion of the return. Like I do think there's some logic in that.

 

Dave Bittner: And strange bedfellows here as you mentioned. Bernie Sanders is all in on this.

 

Ben Yelin: Yeah. That was very funny because like all these people who work for the Heritage Foundation and other pro Republican organizations are all of a sudden sharing an opinion about socializing a private company with Bernie Sanders.

 

Dave Bittner: Yeah.

 

Ben Yelin: I actually kind of like to Bernie Sanders' credit he is very literally interested in policy matters which I find almost charming. Like he's not letting the fact that this is a Trump policy determine whether he thinks this is a good policy. It's just he does believe that U.S taxpayers if we're going to be supporting large private companies with incentives, grants, tax breaks, etcetera, that we should receive a portion of the benefits. And it's like a consistent position of his. So I'm not really surprised that he agreed with President Trump on this. Like this is a -- Bernie calls himself a democratic socialist. Like this is a rather socialist policy because it is interfering in the private market to effectuate the public good in the eyes of the government that has done this.

 

Dave Bittner: Right. Yeah. It certainly raised eyebrows when President Trump did this. As you say, because it's in -- I think the hot take is it is -- it runs so contrary to all of the rhetoric, you know decades of rhetoric, of social takeovers. You know, the fear of social takeover by Democrats. And here we are.

 

Ben Yelin: And it's the -- it is the prototypical example of the government picking winners and losers.

 

Dave Bittner: Yeah.

 

Ben Yelin: Which a lot of these people have railed against for years. Now in this circumstance it's different than even investing in like one solar company which the Obama administration did controversially a decade or so ago because there are a lot of solar companies so you really are picking and choosing among them in the United States. I've been hassled by a bunch of people trying to sell me solar panels.

 

Dave Bittner: [Laughs] yes.

 

Ben Yelin: But if it is true that Intel is the only company manufacturing chips in the United States they do have a special status in that respect. Otherwise we would be purchasing our chips from China and there are geopolitical reasons that we don't want to do that. So I think it is somewhat different. We're not picking Intel over an American company to invest in. We are picking Intel over international companies which is frankly on brand with what President Trump has tried to do with his economic policy. It is an American first economic policy.

 

Dave Bittner: Yeah. I mean you could see that there is a legit national security interest in having that capability alive and well here stateside.

 

Ben Yelin: Absolutely. The other thing that's interesting here is legal risks and challenges. So normally I think you would see a lawsuit here from a competitor saying that this is an improper equity arrangement. "We were unfairly denied grants." This is something that's not authorized in the statute. If there are no other U.S manufacturers who are similarly situated in that they produce chips it's going to be really hard for anybody to establish standing in a court of law for this case because they will not be able to assert in a way that will stand up in court that they themselves are being affected by this unfair competitive disadvantage. The courts and the government would just say, "Well, you need to get a permanent place in the chips market and then maybe we'd give all of our government goodies to you and maybe your company could have 10% owned by the U.S taxpayer."

 

Dave Bittner: Right.

 

Ben Yelin: But there are no companies who would do that, meaning litigation is unlikely to succeed. I think we could see some and certainly this is something that's controversial. I follow like a lot of libertarian leading economists who are just apoplectic about this, more so even than they were about President Trump's trade policy.

 

Dave Bittner: Right.

 

Ben Yelin: But so yeah. There are a lot of angry people. I don't think that this is the type of thing that will necessarily be stopped in the court of law.

 

Dave Bittner: Yeah. So there -- the folks who are upset about this it's sort of the philosophical thing that this is not the type of thing the federal government should be doing.

 

Ben Yelin: Right. That any time you have federal government involvement in a private market it is a distortion and it is a market inefficiency. Even a lot of libertarians would admit that like there are some circumstances in which the government has to get involved because it would never be profitable for a private company to do certain things that are in the public interest.

 

Dave Bittner: Right.

 

Ben Yelin: I think what the Trump administration would argue is chips is just like those other areas where you would have market failures because if we're not manufacturing them in the United States we're vulnerable to Chinese or whatever manipulation. Or arbitrary price shocks because they've decided to stop exporting chips to the United States. And that is a real vulnerability. So I can certainly see the philosophical underpinning of it. But yeah. The libertarian critique here is basically we've been saying since Ronald Reagan ascended the steps of the capital in 1981 that government involvement in business is antithetical to freedom and liberty and here we have the government taking a 10% interest in a big American company. Like that is it's a big deal.

 

Dave Bittner: What about the way that President Trump handled this? I mean he kind of had Intel over the barrel, didn't he?

 

Ben Yelin: Yes. He did. I mean he is the one who controls the purse strings of having that U.S investment through the provisions of various laws including the CHIPS Act which was a bipartisan bill CHIPS and Sciences Act passed under President Biden which allows the government to offer financial assistance to incentivize U.S domestic production of semiconductors. So that's the stick that President Trump held, that like "We control the purse strings."

 

Dave Bittner: Right.

 

Ben Yelin: "And it's my administration through the department of commerce that's going to be making these investments." So we could just decide not to make these investments right now. We can invest in a different company. Or I'm willing to have you come to the table and have a conversation and maybe we can work out something where the U.S taxpayer is getting a return on their investment. And he chose to play hardball here.

 

Dave Bittner: Yeah.

 

Ben Yelin: Art of the deal. Is this the most pro Trump segment I've ever done?

 

Dave Bittner: I think it may be.

 

Ben Yelin: I know. A new record.

 

Dave Bittner: That's right. Wow.

 

Ben Yelin: I'm not even sure I actually think this is a good policy. I just I do see the philosophical argument for it. And I do think like it's certainly a legitimate position that if we're going to be investing so much money in to these companies then we should be getting a portion of the returns. Like I do think there's something fundamentally fair about that as a prospect.

 

Dave Bittner: Yeah. And I understand the need to prop up a company like Intel for national security. You know, who's going to make the chips to go in our fighter jets?

 

Ben Yelin: Right.

 

Dave Bittner: We need somebody stateside to do that.

 

Ben Yelin: We don't want one of our geopolitical foes to be making it and we'd be overly reliant on them and trusting them to have the chips that we put in our war planes. Like I think the national security interests are self evident at that point.

 

Dave Bittner: I agree. All right. Well, we will have a link to that story from the folks over at Lawfare Media. Of course we would love to hear from you. If there's something you'd like us to cover on the show you can email us. It's caveat@n2k.com. We're going to take a quick break. We'll be right back after this message. [ Music ] And we are back. Ben, I recently had the pleasure of speaking with Elad Schindler. He is a product manager with AU10TIX and they recently launched a child safety age assurance risk and readiness assessment. It's a report covering the stuff that you talked about in your story today. They actually provide this technology and it's fascinating for me. I learned a lot in this interview about how exactly it works. So here's my conversation with Elad Schindler.

 

Elad Schindler: We saw that there's increasing regulation regarding keeping minors outside of online environments that were not designed at the beginning to have minors in their platforms. For example social media platforms, gaming, e-commerce [inaudible 00:30:56] also selling age restricted goods. And for their own protection there is a regulation all over the world especially now in the U.K, but also we see it in Australia, we see it in the U.S in several states, we see it in France to keep minors out of these platforms. And the regulator is very strict about it so we see this trend and increasing more and more.

 

Dave Bittner: So what sort of risks or harms are these rules designed to prevent for the -- both for the kids and for the companies that handle the user data?

 

Elad Schindler: So the most simple -- so the most simple answer is that underage children should not access content that is restricted. So it can be social media in some countries. It can be gambling. It can be buying alcohol, e-commerce. So that's the purpose of these laws, to keep them out of it. That's the main thing. And we're in AU10TIX and we saw this struggle of companies to verify these users in a frictionless way meaning that until now most of the age verification flows were including ID, were uploading your ID. We see all the data, make sure that the user is above 18, 21, 16, whatever it is in the country that they are from, and that's the flow. But for especially younger, for younger ages, the flow has to be frictionless because we see a lot of drops when user been asked to pull their ID. Also we're only trying to verify the ID of -- the age of the user. We don't need all the details on the ID. So for that we came up with a product that verifies your age with biometrics check and that do it in the most frictionless way with capturing your selfie and imagine like a face ID in Apple which is super simple. We have a response time of less than 2 seconds and accuracy which is super high because of our IDF AI technology. And for creating the most frictionless experience there is and especially for the younger ages which don't have the patience to wait to upload to capture the documents on the phone, the front of the document to capture, the back of the document to wait 8 to 10 seconds processing. And so for that we came with --

 

Dave Bittner: Yeah. So how do you go from someone uploading basically a selfie to being able to respond with confidence that they're within a certain age range?

 

Elad Schindler: So that's a very good question that we face a lot. How you can be that accurate, how it can be that fast to make sure that it's a frictionless experience. What we do is we implementing our web application, our SDK, within our custom UI to make sure the look and feel is exactly the same as any social media company like Tik Tok or Snapchat or whatever it is, and the user will feel comfortable to upload their selfie. What we do is letting the user know, "You are about to upload now your selfie." We're capturing it and helping to capture it. So we're connecting to the camera. We're letting the user know get closer, go further, and taking only a second to capture your face. After that we're doing an AI and machine learning technology that's analyzing the user's face. And because AU10TIX is completely global we have customers from all over the world getting data from [inaudible 00:34:47] to Europe to U.S and we know how to manage and have accurate results for any gender, age group, or race, and therefore we have very accurate results. Mean absolute error. So our error range is 2.1 meaning that if I'm 26 the AI can give me a range of 28 to 24. And there we're saying to the customers, "Okay." The user finished the biometrics flow. Okay? You can decide if your regulator tells you, "Listen. You have to verify that the user is above 18." And the user according to our checks is between 16 to 23. You can make sure in a more robust way, more friction way like ID. But for most of the users most of the users can do just the biometrics check. Imagine like a face ID flow which is very quick and simple moving on to the finishing the on boarding process. And also you have to remember that these users it's new to them. It's not like that you're going to a payment company or you're going to a trading company and you are very engaged. You upload some files. You answer some questions. You have a very full and exhausting on boarding flow. So you know that you have also ID during the way. But here we have to make sure that the user experience is super fast because imagine that you want to buy alcohol. Okay? And so some company or some of our customers give you a frictionless way which is taking time to capture, taking time to process, and provide you answers. More than two seconds you can say, "I will drop and go to other website."

 

Dave Bittner: So is part of the idea here that we're able to make broad distinctions when there is very little ambiguity that someone is above a certain age range? For example, you know, I'm -- I am well past the age where anyone would ask me for an ID to buy alcohol. So is the notion here that the system can detect that, detect it quickly with high confidence? And so there really isn't any more scrutiny required for someone in my position.

 

Elad Schindler: Correct. Correct. It's very true. And also what is very important here is to make sure that the users feel comfortable. Okay? We always have to remember that when they feel comfortable in the flow they learn quick, they learn fast, and they understand that this is part of the flow. What it will do is part of our UI is explaining then, "Listen. You are about to go through a biometrics check because of regulations meant to keep you safe. The law wanted to keep you safe. And that's why you're doing this flow."

 

Dave Bittner: What happens when someone is very close to one of these thresholds? You know, for example, here in the U.S if I want to buy alcohol I need to be 21. What if I'm 20 and 11 months? Right? My face isn't going to change very much in those few days. What do we do with a situation like that?

 

Elad Schindler: That's a good question. It's a great question. So when we determine that the user is close to the restricted age meaning for example in the U.S like you said 21 and above, let's say 23, what we're doing is asking from them an AI verification or another check like call [inaudible 00:38:21] that we can collect date of birth, checking it in government databases. There are other flows that can help the user to make sure -- to help our customers to make sure that the user is above 18. But we always try to start with the biometrics check because they are easier, they're simpler, they're more simple, and most of the users will have a frictionless flow. So obviously if the user is close to the threshold you'll have to make sure that you are under the regulation and you obtain them and you have to make sure that they will do other solution if they are too close to the threshold because eventually no biometrics check today is too accurate to say, "Okay. He's 21 and that's we are 100% sure that he's 21 or 22. We're 100% sure that it's 22." And there's always some error range and that's very common in this industry, but the focus here, the goal here, is to make sure that for most of the users we can have the frictionless experience under the law of the regulation.

 

Dave Bittner: What happens if someone tries to spoof the system by holding up a photo or putting on a false mustache or something like that?

 

Elad Schindler: That's a great question because AU10TIX we are specialized. We are experts in everything regarding identity fraud. We're running over 154 [inaudible 00:39:43] to make sure that for example the ID of the user is valid regarding selfie. We're running liveness check making sure that the user is capturing a live selfie and not, like you said, holding any picture ID of an adult, for example. Also what we do is making sure that if the user generated in AI a mustache or whatever it is picture that looks holder we catching deep fake. We're detecting deep fake. In over 95%. So the most sophisticated fraud today which is evolving more and more today we're detecting it because we have multiple AI capabilities and to make sure that we have an authentic user that's uploading an authentic selfie or ID.

 

Dave Bittner: So it sounds to me like ultimately compliance is the responsibility of the organization that you're working with, of the platform owners. But this is a way for them to balance convenience with trying to meet some of those regulations.

 

Elad Schindler: Correct. Not everybody -- it's a very good point because it's always we're working with the -- usually with the compliance team and we're working with the product team. The compliance team always wants to make sure that the company is under the regulator and they obtain on the laws and the product team usually wanted to have the frictionless experience. So what we built is a tool to help our customers to understand the laws of the regulation because in every country it's different. And every industry is different. So with few questions we let you know what is the regulation in this country that you work in and for your industry. So we're helping the compliance team and also we're helping the product team to let them know, "Listen. You can have a biometrics check in this kind of country. That's enough." But in some countries you have to have an ID solution. So we built a tool. We launched it. We got a very positive feedback from our customers for helping them to understand the regulation in their industry. [ Music ]

 

Dave Bittner: Ben, what do you think?

 

Ben Yelin: Yeah. Very illuminating. I think it fits perfectly with our first story today.

 

Dave Bittner: Yeah.

 

Ben Yelin: And I was also very interested to hear how this worked. So it was very enlightening.

 

Dave Bittner: I was surprised. It's a little different than I guess my presupposed ideas. So again our thanks to Elad Schindler from AU10TIX for joining us. We do appreciate him taking the time. [ Music ] And that is "Caveat" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: Thanks for listening. [ Music ]

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: N2K Networks, Inc.