pith. sign in

arxiv: 2605.17347 · v1 · pith:NJKNM4EYnew · submitted 2026-05-17 · 💻 cs.CY · cs.CV· cs.LG

Position: Age Estimation Models Do Not Process Biometric Data

Nikita Marshalkin This is my paper

Pith reviewed 2026-05-19 23:19 UTC · model grok-4.3

classification 💻 cs.CY cs.CVcs.LG
keywords age estimationbiometric dataprivacy regulationsface verificationneural networksidentity discriminationGDPRBIPA
0
0 comments X

The pith

Age estimation models do not process biometric data because they cannot identify individuals.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests whether neural networks that guess age from photos handle biometric data in the regulatory sense. It runs 14 age estimation models through three face verification benchmarks and finds their accuracy sits orders of magnitude below the level needed to pick out one person from another. If correct, this means age estimators avoid the consent rules, statutory damages, and high-risk classifications that apply to systems capable of identification. The work therefore urges researchers to disclose what their models can actually do and asks regulators to separate fleeting computation from stored identity templates.

Core claim

Age estimation models cannot identify individuals. When 14 separate age estimators were evaluated on three standard face verification benchmarks, their performance remained orders of magnitude below identification thresholds, showing that identity-discriminative representations do not arise inside these networks during inference.

What carries the argument

Face verification benchmarks applied to age estimation networks to check whether identity-discriminative signals appear during inference.

If this is right

  • Age estimation systems would not trigger consent obligations tied to biometric identification.
  • Regulators could classify age estimators separately from template-based recognition tools.
  • Developers could avoid storing identity templates while still estimating age.
  • Transparency reports should include whether a model meets identification thresholds.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same benchmark test could be applied to other attribute predictors such as gender or expression models.
  • Future rules might focus on measurable output capability rather than input type alone.
  • Repeating the evaluation on newer or larger models would provide a direct check on the result.

Load-bearing premise

That the chosen face verification benchmarks can detect any identity information the age model might process and that missing identification thresholds equals not processing biometric data under current legal definitions.

What would settle it

An age estimation model that reaches identification-level accuracy on one of the same face verification benchmarks used in the study.

Figures

Figures reproduced from arXiv: 2605.17347 by Nikita Marshalkin.

Figure 1
Figure 1. Figure 1: Age estimation pipeline. A face image enters, intermedi￾ate representations form transiently during inference, and only the predicted age exits. The regulatory question: do those transient intermediate representations constitute biometric data? these representations exist only transiently and are never exposed; only the predicted age is output. If those repre￾sentations contain identity-discriminative info… view at source ↗
Figure 2
Figure 2. Figure 2: Sample pairs from face verification benchmarks. Each row shows a genuine pair. (a) LFW: in-the-wild images with varying quality. (b) AgeDB-30: same individual across a 30-year age gap. (c) CFP-FP: frontal and profile views. is applied, embeddings are L2-normalized, and cosine sim￾ilarity is computed between pairs. Average pooling is a minimal transformation that preserves identity information if present bu… view at source ↗
Figure 3
Figure 3. Figure 3: shows FNMR across model layers on LFW for age estimation models. All models start near 95% FNMR in early layers. Some improve in later layers: the Commercial Age Estimator reaches 27% FNMR, FairFace 57%. Others show minimal improvement: SSR-Net and Age Estimation PyTorch remain above 90% FNMR throughout. Even the best age estimation layer remains far above the 5% FNMR requirement and two orders of magnitud… view at source ↗
read the original abstract

When a neural network estimates someone's age from a photograph, does it process biometric data? The answer depends on whether identity-discriminative representations arise within the network during inference, a question that may seem trivial to ML researchers but triggers consent requirements under GDPR, statutory damages under BIPA, or high-risk AI classification under the EU AI Act. Yet no regulatory guidance addresses it. This position paper provides empirical evidence: 14 models evaluated across 3 face verification benchmarks show age estimators fall orders of magnitude short of identification thresholds. Age estimation models cannot identify individuals. We call on researchers to provide transparency about what systems store and can do, and on regulators to distinguish transient processing from template storage.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that age estimation neural networks do not process biometric data under frameworks such as GDPR, BIPA, and the EU AI Act. It supports this by reporting that 14 age-estimation models evaluated on three face-verification benchmarks perform orders of magnitude below identification thresholds, from which it concludes that no identity-discriminative representations arise during inference. The position paper calls for greater transparency about model capabilities and for regulators to distinguish transient processing from template storage.

Significance. If the empirical results and the sufficiency of the chosen benchmarks hold, the work supplies concrete, falsifiable measurements that could inform regulatory guidance on whether age-estimation systems trigger biometric consent or high-risk classification requirements. The provision of results across 14 models and three benchmarks is a strength that moves the discussion beyond purely definitional arguments.

major comments (2)
  1. [Empirical evaluation / Results] The central inference—that sub-threshold performance on the three face-verification benchmarks demonstrates the absence of any identity-discriminative representations—depends on the assumption that standard 1:1 verification protocols are sensitive enough to reveal such representations if they exist. The manuscript does not appear to report auxiliary probes (e.g., multi-layer embeddings, clustering, or training of auxiliary identity classifiers) that would test this assumption directly.
  2. [Discussion / Regulatory implications] The mapping from “falling orders of magnitude short of identification thresholds” to the regulatory conclusion that the models “do not process biometric data” requires explicit justification against the precise statutory language (GDPR Art. 4(14), BIPA §15, EU AI Act Annex III). The current text equates non-identification with non-processing without addressing whether transient, non-template representations could still qualify as biometric data under those definitions.
minor comments (2)
  1. [Abstract] The abstract states results from 14 models on 3 benchmarks but does not report the specific verification thresholds, statistical tests, or exclusion criteria used; these details should be summarized in the abstract for a position paper.
  2. [Throughout] Notation for the three benchmarks and the exact performance metric (e.g., EER, AUC, or rank-1 accuracy) should be defined at first use and kept consistent across tables and text.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback on our position paper. We address each major comment below, providing clarifications on our empirical approach and regulatory analysis, and note revisions made to the manuscript.

read point-by-point responses

  1. Referee: [Empirical evaluation / Results] The central inference—that sub-threshold performance on the three face-verification benchmarks demonstrates the absence of any identity-discriminative representations—depends on the assumption that standard 1:1 verification protocols are sensitive enough to reveal such representations if they exist. The manuscript does not appear to report auxiliary probes (e.g., multi-layer embeddings, clustering, or training of auxiliary identity classifiers) that would test this assumption directly.

    Authors: We maintain that the standard 1:1 face verification protocols employed are the most direct and established method for assessing the presence of identity-discriminative representations, as these benchmarks are specifically designed and widely used to measure whether embeddings support individual distinction. The orders-of-magnitude shortfall observed consistently across 14 models and three benchmarks provides robust evidence that such representations are not arising. While auxiliary probes such as clustering or auxiliary identity classifiers could offer supplementary data, they are not required to support our inference given the scale of the performance gap; any identity information sufficient for identification would be expected to manifest on these primary benchmarks. We have added a short explanatory paragraph in the revised manuscript justifying the sufficiency of the chosen evaluation protocol. revision: partial

  2. Referee: [Discussion / Regulatory implications] The mapping from “falling orders of magnitude short of identification thresholds” to the regulatory conclusion that the models “do not process biometric data” requires explicit justification against the precise statutory language (GDPR Art. 4(14), BIPA §15, EU AI Act Annex III). The current text equates non-identification with non-processing without addressing whether transient, non-template representations could still qualify as biometric data under those definitions.

    Authors: We agree that greater precision strengthens the regulatory claims and have revised the discussion section accordingly. We now explicitly reference GDPR Article 4(14), which defines biometric data as personal data resulting from technical processing relating to physical characteristics 'which allow or confirm the unique identification of that natural person'. Our empirical results demonstrate that the models do not allow or confirm unique identification. Parallel mappings are provided for BIPA §15 and EU AI Act Annex III, with emphasis that the statutory focus is on identifiability rather than any facial feature processing. We further clarify that transient representations lacking identifiability—as shown by the benchmark results—fall outside these definitions, distinguishing them from template storage. revision: yes

Circularity Check

0 steps flagged

No circularity: central claim rests on direct empirical measurement against external benchmarks

full rationale

The paper advances its position through empirical evaluation of 14 age-estimation models on three independent face-verification benchmarks, reporting that performance falls orders of magnitude below identification thresholds. This constitutes external, falsifiable evidence rather than any derivation, fitted parameter, or self-citation that reduces to the paper's own inputs by construction. No load-bearing step equates a result to its premise via definition or renaming.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim depends on a domain assumption about the legal and technical definition of biometric processing rather than on free parameters or new entities.

axioms (1)
  • domain assumption Identity-discriminative representations must arise during inference for an age estimation model to be considered processing biometric data under GDPR, BIPA, and EU AI Act.
    This definitional premise connects the benchmark results to the regulatory conclusion and is not derived within the paper.

pith-pipeline@v0.9.0 · 5636 in / 1255 out tokens · 74102 ms · 2026-05-19T23:19:31.485509+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

40 extracted references · 40 canonical work pages

  1. [1]

    FedAffect: Few-shot federated learning for facial expression recognition,

    An, X., Zhu, X., Gao, Y., Xiao, Y., Zhao, Y., Feng, Z., Wu, L., Qin, B., Zhang, M., Zhang, D., and Fu, Y. Partial FC : Training 10 million identities on a single machine. In 2021 IEEE/CVF International Conference on Computer Vision Workshops (ICCVW), pp.\ 1445--1449, 2021. doi:10.1109/ICCVW54120.2021.00166

    work page doi:10.1109/iccvw54120.2021.00166 2021

  2. [2]

    Opinion 3/2012 on developments in biometric technologies

    Article 29 Working Party . Opinion 3/2012 on developments in biometric technologies. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf, 2012. WP193

    work page 2012

  3. [3]

    FaceLib : Detection, age gender estimation & recognition

    Ayobi, S. FaceLib : Detection, age gender estimation & recognition. https://github.com/sajjjadayobi/FaceLib, 2020

    work page 2020

  4. [4]

    H., Madotto, A., Wei, C., Ma, T., Zhi, J., Rajasegaran, J., Rasheed, H

    Bolya, D., Huang, P.-Y., Sun, P., Cho, J. H., Madotto, A., Wei, C., Ma, T., Zhi, J., Rajasegaran, J., Rasheed, H. A., Wang, J., Monteiro, M., Xu, H., Dong, S., Ravi, N., Li, S.-W., Dollar, P., and Feichtenhofer, C. Perception encoder: The best visual embeddings are not at the output of the network. In The Thirty-ninth Annual Conference on Neural Informati...

    work page 2026

  5. [5]

    Cam\'eras augment\'ees pour estimer l'\^age dans les bureaux de tabac : la CNIL pr\'ecise sa position

    CNIL . Cam\'eras augment\'ees pour estimer l'\^age dans les bureaux de tabac : la CNIL pr\'ecise sa position. https://www.cnil.fr/fr/cameras-augmentees-pour-estimer-lage-dans-les-bureaux-de-tabac-la-cnil-precise-sa-position, 2025. Position statement on AI age estimation cameras in tobacco shops

    work page 2025

  6. [6]

    Arcface: Additive angular margin loss for deep face recognition

    Deng, J., Guo, J., Xue, N., and Zafeiriou, S. ArcFace : Additive angular margin loss for deep face recognition. In 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp.\ 4685--4694, 2019. doi:10.1109/CVPR.2019.00482

    work page doi:10.1109/cvpr.2019.00482 2019

  7. [7]

    Guidelines 3/2019 on processing of personal data through video devices

    EDPB . Guidelines 3/2019 on processing of personal data through video devices. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en, 2020. Version 2.0, adopted 29 January 2020

    work page 2019

  8. [8]

    The French SA fines Clearview AI EUR 20 million

    EDPB . The French SA fines Clearview AI EUR 20 million. https://www.edpb.europa.eu/news/national-news/2022/french-sa-fines-clearview-ai-eur-20-million_en, 2022. European Data Protection Board announcement of CNIL decision

    work page 2022

  9. [9]

    Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

    EDPB . Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement. https://www.edpb.europa.eu/system/files/2023-05/edpb_guidelines_202304_frtlawenforcement_v2_en.pdf, 2023. Version 2.0, adopted 26 April 2023

    work page 2022

  10. [10]

    Statement 1/2025 on age assurance

    EDPB . Statement 1/2025 on age assurance. https://www.edpb.europa.eu/our-work-tools/our-documents/statements/statement-12025-age-assurance_en, 2025

    work page 2025

  11. [11]

    European Commission . Commission implementing decision ( EU ) 2019/329 laying down the specifications for the quality, resolution and use of fingerprints and facial image for biometric verification and identification in the Entry/Exit System (EES) . https://eur-lex.europa.eu/eli/dec_impl/2019/329/oj, 2019

    work page 2019

  12. [12]

    Digital omnibus regulation proposal

    European Commission . Digital omnibus regulation proposal. https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal, 2025

    work page 2025

  13. [13]

    Regulation ( EU ) 2016/679 of the European Parliament and of the Council ( General Data Protection Regulation )

    European Parliament and Council . Regulation ( EU ) 2016/679 of the European Parliament and of the Council ( General Data Protection Regulation ). https://eur-lex.europa.eu/eli/reg/2016/679/oj, 2016

    work page 2016

  14. [14]

    Regulation ( EU ) 2024/1689 laying down harmonised rules on artificial intelligence ( AI Act )

    European Parliament and Council . Regulation ( EU ) 2024/1689 laying down harmonised rules on artificial intelligence ( AI Act ). https://eur-lex.europa.eu/eli/reg/2024/1689/oj, 2024

    work page 2024

  15. [15]

    FIDO biometrics requirements

    FIDO Alliance . FIDO biometrics requirements. https://fidoalliance.org/specs/biometric/requirements/, 2025. Version 4.1, January 2025

    work page 2025

  16. [16]

    Policy statement of the Federal Trade Commission on biometric information and section 5 of the FTC act

    FTC . Policy statement of the Federal Trade Commission on biometric information and section 5 of the FTC act. https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-biometric-information-section-5-federal-trade-commission, 2023

    work page 2023

  17. [17]

    Deep residual learning for image recognition,

    He, K., Zhang, X., Ren, S., and Sun, J. Deep residual learning for image recognition. In 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp.\ 770--778, 2016. doi:10.1109/CVPR.2016.90

    work page doi:10.1109/cvpr.2016.90 2016

  18. [18]

    B., Mattar, M., Berg, T., and Learned-Miller, E

    Huang, G. B., Mattar, M., Berg, T., and Learned-Miller, E. Labeled faces in the wild: A database for studying face recognition in unconstrained environments. In Workshop on Faces in 'Real-Life' Images: Detection, Alignment, and Recognition, Marseille, France, 2008. Erik Learned-Miller and Andras Ferencz and Fr\'ed\'eric Jurie. URL https://inria.hal.scienc...

    work page 2008

  19. [19]

    Regulatory sandbox final report: Yoti

    ICO . Regulatory sandbox final report: Yoti . https://ico.org.uk/for-organisations/advice-and-services/regulatory-sandbox/previous-participants/2022/, 2022. Exit date: April 2022

    work page 2022

  20. [20]

    Biometric data guidance: Biometric recognition

    ICO . Biometric data guidance: Biometric recognition. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/, 2024

    work page 2024

  21. [21]

    Biometric information privacy act, 740 ILCS 14

    Illinois General Assembly . Biometric information privacy act, 740 ILCS 14. https://law.justia.com/codes/illinois/chapter-740/act-740-ilcs-14/, 2008

    work page 2008

  22. [22]

    InsightFace : 2d and 3d face analysis project

    InsightFace . InsightFace : 2d and 3d face analysis project. https://github.com/deepinsight/insightface, 2018

    work page 2018

  23. [23]

    ISO/IEC 19795-1:2021 -- information technology -- biometric performance testing and reporting -- part 1: Principles and framework

    ISO/IEC . ISO/IEC 19795-1:2021 -- information technology -- biometric performance testing and reporting -- part 1: Principles and framework. https://www.iso.org/standard/73515.html, 2021

    work page 2021

  24. [24]

    ISO/IEC 27566-1:2025 -- information security, cybersecurity and privacy protection -- age assurance systems -- part 1: Framework

    ISO/IEC . ISO/IEC 27566-1:2025 -- information security, cybersecurity and privacy protection -- age assurance systems -- part 1: Framework. https://www.iso.org/standard/88143.html, 2025

    work page 2025

  25. [25]

    Facial recognition: Italian SA fines Clearview AI EUR 20 million

    Italian Garante . Facial recognition: Italian SA fines Clearview AI EUR 20 million. https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9751362, 2022

    work page arXiv 2022

  26. [26]

    Efficient attention: Attention with linear complexities

    K\"arkk\"ainen, K. and Joo, J. FairFace : Face attribute dataset for balanced race, gender, and age for bias measurement and mitigation. In 2021 IEEE Winter Conference on Applications of Computer Vision (WACV), pp.\ 1547--1557, 2021. doi:10.1109/WACV48630.2021.00159

    work page doi:10.1109/wacv48630.2021.00159 2021

  27. [27]

    Silent-face-anti-spoofing

    Minivision Technology . Silent-face-anti-spoofing. https://github.com/minivision-ai/Silent-Face-Anti-Spoofing, 2020

    work page 2020

  28. [28]

    AgeDB : The first manually collected, in-the-wild age database

    Moschoglou, S., Papaioannou, A., Sagonas, C., Deng, J., Kotsia, I., and Zafeiriou, S. AgeDB : The first manually collected, in-the-wild age database. In 2017 IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW), pp.\ 1997--2005, 2017. doi:10.1109/CVPRW.2017.250

    work page doi:10.1109/cvprw.2017.250 2017

  29. [29]

    NIST special publication 800-63-4: Digital identity guidelines

    NIST . NIST special publication 800-63-4: Digital identity guidelines. https://pages.nist.gov/800-63-4/, 2025. Supersedes SP 800-63-3

    work page 2025

  30. [30]

    Ofcom fines porn company £1 million for not having robust age checks

    Ofcom . Ofcom fines porn company £1 million for not having robust age checks. https://www.ofcom.org.uk/online-safety/protecting-children/ofcom-fines-porn-company-1million-for-not-having-robust-age-checks, 2025

    work page 2025

  31. [31]

    Age-gender-prediction: Vision transformer for facial analysis

    Sahoo, A. Age-gender-prediction: Vision transformer for facial analysis. https://huggingface.co/abhilash88/age-gender-prediction, 2025. ViT-based model trained on UTKFace dataset

    work page 2025

  32. [32]

    M., Chellappa, R., and Jacobs, D

    Sengupta, S., Chen, J.-C., Castillo, C., Patel, V. M., Chellappa, R., and Jacobs, D. W. Frontal to profile face verification in the wild. In 2016 IEEE Winter Conference on Applications of Computer Vision (WACV), pp.\ 1--9, 2016. doi:10.1109/WACV.2016.7477558

    work page doi:10.1109/wacv.2016.7477558 2016

  33. [33]

    Serengil, S. I. DeepFace : A lightweight face recognition and facial attribute analysis framework. https://github.com/serengil/deepface, 2018

    work page 2018

  34. [34]

    V., Seitzer, M., Baldassarre, F., Oquab, M., Jose, C., Khalidov, V., Szafraniec, M., Yi, S

    Sim \'e oni, O., Vo, H. V., Seitzer, M., Baldassarre, F., Oquab, M., Jose, C., Khalidov, V., Szafraniec, M., Yi, S. E., Ramamonjisoa, M., Massa, F., Haziza, D., Wehrstedt, L., Wang, J., Darcet, T., Moutakanni, T., Sentana, L., Roberts, C., Vedaldi, A., Tolan, J., Brandt, J., Couprie, C., Mairal, J., Jegou, H., Labatut, P., and Bojanowski, P. DINOv3 . Tran...

    work page 2026

  35. [35]

    Onfido, I

    Sosa v. Onfido, I. Sosa v. onfido, inc. 600 F. Supp. 3d 859 (N.D. Ill. 2022), 2022

    work page 2022

  36. [36]

    Sumsub identity verification platform

    Sumsub . Sumsub identity verification platform. https://sumsub.com, 2026

    work page 2026

  37. [37]

    PyTorch Image Models

    Wightman, R. PyTorch Image Models . https://github.com/rwightman/pytorch-image-models

    work page

  38. [38]

    SSR-Net : A compact soft stagewise regression network for age estimation

    Yang, T.-Y., Huang, Y.-H., Lin, Y.-Y., Hsiu, P.-C., and Chuang, Y.-Y. SSR-Net : A compact soft stagewise regression network for age estimation. In Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, IJCAI-18 , pp.\ 1078--1084. International Joint Conferences on Artificial Intelligence Organization, 2018. doi:10.249...

    work page doi:10.24963/ijcai.2018/150 2018

  39. [39]

    CoCa : Contrastive captioners are image-text foundation models

    Yu, J., Wang, Z., Vasudevan, V., Yeung, L., Seyedhosseini, M., and Wu, Y. CoCa : Contrastive captioners are image-text foundation models. Transactions on Machine Learning Research, 2022. URL https://openreview.net/forum?id=Ee277P3AYC

    work page 2022

  40. [40]

    Age estimation pytorch

    yu4u. Age estimation pytorch. https://github.com/yu4u/age-estimation-pytorch, 2019. PyTorch implementation for age estimation using APPA-REAL dataset

    work page 2019