Written Evidence Submitted by Yoti

(C190044)

 

 

 

  1. Yoti owns and operates a free digital identity app and wider online identity platform that allows organisations to verify who people are, online and in person.  This could be using the Yoti identity platform, which allows individuals to share verified information about themselves on a granular basis or it could be using Yoti’s ‘embedded’ services which allow organisations to add an identity verification flow into their website or app.  It could also be using Yoti’s authentication algorithms such as facial recognition, liveness detection and age estimation. 

 

  1. Yoti is a British company, leading the charge in digital identity and remote verification, a team of 250 based in London, with offices in Bangalore, Los Angeles, Melbourne and Vancouver. Yoti has been nominated by the World Economic Forum for its digital identity innovation. There have been over 7 million installs of the Yoti app globally, following our launch in November 2017.  Similarly, over 330 million age checks supporting safeguarding online have been conducted using the Yoti age estimation algorithm since February 2019, across a wide range of online live streaming and ecommerce platforms combatting suspicious activity and grooming. 

 

  1. Yoti holds the ISO 27001 certification and continues to be audited every year.  Further, in November 2019 Yoti was certified to SOC 2 Type 2 for its technical and organisational security controls by a top four auditing company. The SOC 2 standard is an internationally recognised security standard.  Yoti also holds the Age Verification Certificate of Compliance, issued by the BBFC.  Yoti is certified to the publicly available specification PAS:1296 Age Checking.

 

  1. If there are any questions raised by this response, or additional information that would be of assistance, please do not hesitate to contact Yoti

 

  1. Yoti is happy for this evidence to be published.


Yoti would like to comment on the following points from the Call for Evidence:

2. The capacity and capability of the UK research base in providing a response to the outbreak, in terms of:

       advice to government, public bodies and others on managing the outbreak;

 

3. The flexibility and agility of institutions, Government departments and public bodies, and processes to respond appropriately during the crisis including:

       the optimal functioning of regulatory and ethical processes;

       the availability and influence of scientific advice in all Government departments and public bodies—including by departmental Chief Scientific Advisers; and

       the extent to which decisions taken drew on that advice;

 

There has been no guidance to retailers as to how age checking for age restricted goods can safely occur during COVID-19 or review of the impact of age checking on levels of verbal, physical and racial abuse to retail staff, which even before COVID-19 were deemed to be at unacceptable levels. Nor has there been research to ascertain if technology could safely support age checking.

 

We are asking the government as part of regulatory easement to update guidance on age checking and to be informed by the science as to how age checking technology can support accurate age checking in retail environments with the challenges of masks and social distancing and reduce the pressures on retail staff..

 

In the UK, the current mandatory licensing regime for alcohol requires age restricted goods to be manually verified by a physical check of an ID document. To do this properly requires a retailer to handle each document to check for authenticity, and therefore come in close proximity, otherwise fake documents will not be detected. To do this properly undermines social distancing requirements with staff checking many documents per hour.

 

On average, there are around 45m self checkout transactions per week in the UK grocery market, 15% (7m) of which are age restricted. Of these, approximately 70% (5m) are alcohol related and also require, according to the Alcohol Licensing Act, 2003, updated 2014[1], the colleague to check for a hologram or UV feature. For alcohol related items, this means 5-10 million unnecessary close proximity touch points per week that are currently being enforced by the current mandatory licence conditions and the requirement for a hologram or UV feature. This is 5-10m potential staff abuse points, now with the heightened friction of asking people to remove face masks and coverings and use hand sanitising facilities. Given the already well documented evidence of untenable levels of verbal, physical and racial abuse to retail staff[2], this situation deserves all our attention.

 

The average passport document font size is approximately 3mm in height, and UK driving license font is approximately 1.5mm in height. Typographers have set standards to ensure that print is readable, for example the German DIN 1450 Standard on Lettering Legibility[3].  In addition,font size calculators exist that can help in ascertaining the minimum font size required for legibility at different distances.  It has been suggested that the minimum font size required for legibility at 1 metre, using black Helvetica text on a white background and assuming someone with good eyesight in good light) is 8 point, or approximately 3mm font height.  For legibility from 2 meters[4] it is 16 point, or approximately 6mm font height. Therefore, people with 20/20 (i.e. 6/6 or 'normal') visual acuity would be unable to read a UK passport information page at 2 meters, or a UK driving license card at 1 meter or 2 meters. Only circa 75% of the adult population has 20/20 vision (including those who achieve this visual acuity with the use of corrective lenses). Even people with 20/20 vision would find reading a UK passport at 1 meter near the limit of their visual acuity abilities, and may well be unreliable readers at that distance. Furthermore, if a person had visual acuity only as good as UK legal driving standard (i.e. 20/40 or 6/12), as many people do, then they would be unable to read either a passport or a driving license at 1 meter or at 2 meters viewing distance.

 

This would indicate that at either a 2 meter distance (current guidance) or at a reduced 1 meter distance, the average passport document font size is insufficient for a member of staff to be able to accurately ascertain the characters on the document. On the suggestion of removing masks in a closed setting in a retail environment in close proximity, in order to ascertain the age of a customer - this would seem to be in contravention of the guidance to avoid touching the face and a heightened risk factor for both the retail member of staff and the customer.

 

Digital ID and proof of age technology can already be used to check age for the sale of all other age restricted items except alcohol, such as tobacco products, offensive weapons, fireworks and alcohol online. This technology can prevent many unnecessary and potentially dangerous points of contact between staff and customers. It has received Primary Authority Assured Advice, from Trading Standards, and accredited by Secured by Design (Official Police Security Initiative). Yoti is certified to the publicly available specification PAS:1296 Age Checking and meets the recognised GPG45 (Good Practise Guide 45) ‘how to prove and verify someone’s identity’. The German regulator the FSM, following rigorous testing, and the BBFC and both approved these age assurance approaches using a 5 year age buffer. QC Stephen Walsh, Gray’s Inn supports the view that the responsible person should be allowed to rely on technology to make a decision about the age of a customer, see Appendix.

 

The JMSLG (Joint Money Laundering Steering Group) now recognises the same chip passport reading approach as acceptable as a single source of identity for the financial services sector. The States of Jersey and the digital arm of the Scottish Government both use this technology for access to government services. The NHS is using this technology for digital identification and is exploring use of Yoti as an ID and test result process, led by the Government's Diagnostics Innovations Team in the Cabinet Office. A large retailer in the US has successfully completed trials of these age verification approaches, integrated with NCR EPOS machines. Without any marketing, 43% of shoppers chose to use Yoti’s age checking options at the self checkout. Walmart is extending this now to include digital age verification in pick up and drive through locations due to Covid-19.

 

Several leading UK supermarkets want to trial, as was evidenced at the most recent BRC virtual call on this subject. The supermarkets have taken the view to even set the age estimation buffer to 30, giving a threshold of 12 years and a false positive rate of 0.08%[5]. In contrast the average failure rate at test purchase for other age restricted products such as alcohol or tobacco is stated at 15% to 30%[6]. There are no statistics available disclosing the numbers or false acceptance of low cost, fake IDs, by 15-25 year olds who are either too young to qualify for genuine ID or cannot afford a passport or driving license. There is increasing demand internationally for age checking technology, which could be a strong British export; however other countries will ask why has this technology not been reviewed scientifically and embraced in its home market.

 

The BRC and many of its members and techUK are supportive of digital age checking. We understand that the BRC raised this at the recent NRCSG with the Policing Minister, MP Kit Malthouse and his team. We understand that this is being followed up as a matter of urgency.

 

This is urgent now and we would request that this be achieved under the emergency regulations and not wait for changes to the law in the normal course of events. We are asking the government as part of regulatory easement to update this provision, which is not recognised by any other government in the world, and to be informed by the science as to how age checking technology can support accurate age checking in retail environments with the challenges of masks and social distancing.  This should lead to a future review of the interpretation of the Mandatory Licensing Conditions[7], to ensure that a human or responsible person should be able to rely on technology to make a decision about the age of a customer.

 

Appendix

 

Extract from Advice by Stephen Walsh QC supporting the view that the responsible person should be allowed to rely on technology to make a decision about the age of a customer.

 

3 Raymond Buildings, Gray’s Inn 9 November 2017

 

‘The requirement to request identification documents only arises if the customer “appears” to the responsible person to be under 18 years old (if that is how the policy is framed). The word “appear” is not defined in the 2010 Order, nor in the Licensing Act 2003. It is not explained in the Home Office’s guidance.

While the word “appear” could be interpreted to mean solely the way in which the

customer looks (their physical “appearance”) it is, in my view, capable of having a

much broader meaning in the context of this statutory provision which would permit the responsible person to take into account not only the way a customer looks but also other information or evidence which might impact on the responsible person’s assessment of their age and appearance.

 

In summary, I take the view that the word “appear” in para 3(3) should be interpreted to allow a responsible person to take into account a range of evidence and information when assessing whether or not a person “appears” underage. There are good public policy reasons for policy makers (normally employers) to provide responsible persons with assistance in coming to that assessment. Assuming that there is no dispute that the “Yoti app” is a rigorous system for establishing the age of subscribers (which is itself based upon the authentication of nationally recognised identification methods), and that the policy maker has conducted its assessment of the app with due diligence, there appears to be no reason why a policy should not stipulate that responsible persons may take the “Yoti app” into account when carrying out the initial assessment of the appearance of a customer’s age.

 

However if, in all the circumstances (including the successful use of the “Yoti app”), a responsible person determines that it appears to them that the customer is of the relevant age, there would be no requirement to seek identification in the prescribed form. It is my opinion that a policy which so provided would meet the mandatory condition in the 2010 Order.

 

The “core Yoti solution” (the app alone), assuming that it has the strength of security and processes which the leading companies and government agencies identified above believe, would be a powerful and persuasive factor for a responsible person assessing whether an individual “appears to be under 18”. If the responsible person concluded, largely on the basis of the “Yoti app”, that a person “appeared” to be over 18, they would not be required (pursuant to a policy that complied with the 2010 Order), to request any further identification;’

 

 

 

 

 

 

(June 2020)

 

 


[1] https://www.legislation.gov.uk/ukdsi/2014/9780111116906

[2] https://www.acs.org.uk/research/crime-report-2019

[3] https://www.leserlich.info/werkzeuge/schriftgroessenrechner/index-en.php

[4] http://resources.printhandbook.com/pages/viewing-distance-font-size.php

[5] https://www.yoti.com/wp-content/uploads/2020/03/White-Paper-Full-Version-February-2020.pdf Page 20

[6] https://www.gamblingcommission.gov.uk/news-action-and-statistics/News/gambling-commission-highlights-failures-to-stop-children-playing-on-18-pub-gaming-machines

[7]  https://www.legislation.gov.uk/ukdsi/2014/9780111116906