The range of state-approved systems for age verification (AVS) has been enriched by a particularly controversial offer. The Commission for Youth Media Protection (KJM), an organ of the state media authorities, recently gave a positive rating to the GiroIdent youth protection solution from the Schufa subsidiary finAPI as an access concept for closed user groups in telemedia. This means that the user’s name, address and date of birth can be checked online by logging into their online banking once and comparing them with the database at the credit agency.
Age control on websites about the Schufa
For age control on websites that offer services only for adults, the customer is redirected to a secure website of the fintech company when using GiroIdent youth protection. “There he logs into his online banking and finAPI compares the name of the customer with the name of the account holder,” explains the company, which the British open banking provider Yapily wants to take over. If the data match, the older Schufa AVS Q-Bit released by the KJM in 2005 is queried.
With Q-Bit, the credit agency takes advantage of the fact that around three-quarters of the 62 million German citizens stored with it have already presented their ID when opening an account. The affiliated banks and credit institutions have already carried out the face-to-face age verification required by the KJM. However, this AVS initially required additional software to allow queries to the Schufa database.
Sales manager of the Schufa subsidiary sees possible uses
With GiroIdent youth protection, the confirmation of the identity of the customer and the already carried out ID check should be simplified. “The process only takes a few seconds,” advertises finAPI for the approach. An order or the activation of the desired content can be done “quickly and at the same time legally secure” in accordance with the youth protection law (JuSchG) of the federal government and the youth media protection state treaty of the states (JMStV).
GiroIdent youth protection is available as a so-called white label solution. The design can be individually adapted to that of the respective shop or provider. Peter Hiekmann, sales manager at the Schufa subsidiary, also points out other possible uses: The age check can be easily combined with payment solutions from finAPI such as payment by online transfer or real-time transfer in one process.
“More Attack Surface and metadata wasn’t possible, was it?”
Data protectionists have long complained that Schufa is opening up more and more data sources. In view of the release of the new finAPI solution, the programmer Bianca Kastl now warns of enormous attack surfaces: “More attack surface and metadata was not possible, was it?” She asks worriedly on Twitter. Other users point out that access data for banks should not actually be passed on. However, the OAuth protocols for a standardized interface with dynamic access options might be used here.
GiroIdent is also available in other variants, in which a customer or business partner logs into their online banking via the finAPI bank interface and allows a look at their account. The name given is compared in real time with the first name and surname of the account holder and, in the plus version, with the date of birth, address and deceased dates. The result should be a secure verification of the name information and fraud prevention.
Excessive data usage ‘the new standard’
The whole thing is reminiscent of finAPI’s Check Now project, which made the headlines last year. This should make it possible for customers to get fixed-term contracts, such as a mobile phone contract, even with an otherwise poor credit rating. The current account and a score calculated using the account data should serve as a basis. Data protectionists protested because there was the option of additional data use. The Schufa spoke of a pure test that would not be continued in this form.
Overall, the KJM has meanwhile approved 95 concepts or modules for AVS. Such systems would thus “become the new standard”, says KJM chairman Marc Jan Eumann happily. As of this week, this includes for the first time three AVS, which work without ID papers solely with biometric age determination using machine learning. These are the solutions Facial Age Estimation from KYC AVC, Age Verification from Ondato and Yoti from the company of the same name.
Facial data and fingerprints for age estimation
The KJM explains that these techniques have been trained by the variety of artificial intelligence (AI) to estimate the age of a person using biometric features such as facial data and fingerprints. In order to take into account “that some young people look older than they are”, a buffer of five years has been set. People would have to be automatically recognized as at least 23 “in order to get access to the content rated from 18 years of age”. System-side control functions also make it impossible to trick “age verification with still images”.
The background is that, according to the JMStV, certain content that is harmful to young people may only be distributed in telemedia if the provider ensures through closed user groups that only adults have access to it. Furthermore, content that impairs development can only be presented in a legally compliant manner if the service provider uses technical means to ensure that children and young people of the affected age group do not usually notice it.