A headline in the USA Today earlier this week screamed, “Hello, Big Brother: Digital Sensors Are Watching Us.”  It opens with an all too typical techno-panic tone, replete with tales of impending doom:

Odds are you will be monitored today — many times over. Surveillance cameras at airports, subways, banks and other public venues are not the only devices tracking you. Inexpensive, ever-watchful digital sensors are now ubiquitous.

They are in laptop webcams, video-game motion sensors, smartphone cameras, utility meters, passports and employee ID cards. Step out your front door and you could be captured in a high-resolution photograph taken from the air or street by Google or Microsoft, as they update their respective mapping services. Drive down a city thoroughfare, cross a toll bridge, or park at certain shopping malls and your license plate will be recorded and time-stamped. Several developments have converged to push the monitoring of human activity far beyond what George Orwell imagined. Low-cost digital cameras, motion sensors and biometric readers are proliferating just as the cost of storing digital data is decreasing. The result: the explosion of sensor data collection and storage.

Oh my God! Dust off you copies of the Unabomber Manifesto and run for your shack in the hills!

No, wait, don’t. Let’s instead step back, take a deep breath and think about this. As the article goes on to note, there will certainly be many benefits to our increasing “sensor society.”  Advertising and retail activity will become more personalized and offer consumers more customized good and services.  I wrote about that here at greater length in my essay on “Smart-Sign Technology: Retail Marketing Gets Sophisticated, But Will Regulation Kill It First?”  More importantly, ubiquitous digital sensors and data collection/storage will also increase our knowledge of the world around us exponentially and do wonders for scientific, environmental, and medical research.

But that won’t soothe the fears of those who fear the loss of their privacy and the rise of a surveillance society in which our every move is watched or tracked. So, let’s talk about what those of you who feel that way want to do about it.

The Challenge of Information Control

The USA Today quotes some people I know fairly well and have great respect for (Lee Tien, Chris Wolf, & Ryan Calo) raising various concerns but not really offering any specific recommendations. I suspect that it’s only a matter of time before we hear calls for regulation — even bans — of digital sensor / surveillance technologies.  On the other hand, things might unfold the way they did when RFID chips/tags came on the scene.  There was a lot of hysteria then, but things died down and — unless I missed something — no major restrictions on their use were instituted and RFID is in widespread use today.

But the “creepiness” or intrusiveness factor gets ratcheted up a bit with next-gen digital sensor technology, especially because they have become highly decentralized and dirt cheap. Practically every teenager is walking around with a powerful digital “sensor” or surveillance technology in the pocket today.  It’s called their phone.  Except they rarely use it to make calls.  They do, however, use it to record audio and video of themselves and the world around them and instantaneously share it will the planet. They also use geolocation technologies to pinpoint the movement of themselves and others in real time.

Meanwhile, new translation tools and biometric technologies are becoming widely available to average folk. Those of you who have played with Google Goggles on your smartphone know what I am talking about. Incredibly cool stuff, but you can see where it is heading. In a couple of years, we’ll have biometric buttons on our shirts feeding live streams of our daily movements and interactions into social networking sites and databases. We’ll use them to record our days and play them back later, or perhaps to just instantly scan and recognize faces and places in case we can’t remember them using our noggins. As a result, mountains of intimate data we be created, collected, collated, and cataloged on a daily basis. 

And there isn’t much we can do to stop this. As I noted in my essays on “Privacy as an Information Control Regime: The Challenges Ahead, and “The IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars,” today’s information control efforts are greatly complicated by problems associated with (1) convergence, (2) scale, (3) volume, and (4) unprecedented individual empowerment / user-generation of content.  Thus, for better or worse, the information genies — porn, hate speech, spam, state secrets, pirated content, personal information, etc. — are out of their bottles and getting them back in will be an enormous challenge.

Darknet & the Decline of Practical Obscurity

In the context of personal privacy, the net result of all of this — to quote Jim Harper’s excellent 2006 book Identity Crisis — is the “decline of practical obscurity.”  “As practical obscurity declines,” Harper notes, “it becomes more likely that large quantities of data center on identified individuals  will be collected and more likely that it will be shared and used. With large collections if data highly correlated to precise identities, he consequences of being identified are changing.” (p. 163)  Harper rightly notes that may not be all bad. Again, there will be many benefits associated with this. But many others — especially those who are privacy fundamentalists and would have privacy trump most other values — won’t want to hear about possible benefits or trade-offs. It’s pretty much all bad from their perspective.

So, let’s get back to what we want to do about all this. Is “creepiness” enough of a harm to call in the code cops to undo progress?  If so, can we roll back the clock or put this particular technology back in the bottle?  I suppose that, with enough effort, we could.  But I can’t help but think about all the “darknet“-related critiques I’ve heard over the past decade about the futility of efforts to protect intellectual property or use DRM to secure IP against widespread dissemination. As I noted in my essay on “Two Paradoxes of Privacy Regulation,” many of these arguments have been set forth by the same people who now tell us they want to try to bottle up information in this context by “property-tizing” personal information.

But if the darknet critique holds for flows of copyrighted information, why would it not also hold for personal information?  Perhaps there is less incentive to push out personal information across the planet as aggressively as intellectual property, but that doesn’t mean there is no incentive to do so.  Many people will do it voluntarily each and every day when they put the most intimate details (and pictures / videos) of their lives online.  And, as they darknet critique informs us, once the information is out, it’s pretty much game over.

This is one reason why I’ve been mildly entertained by what some privacy regulatory advocates have said recently about “Do Not Track” regulation being able to stop or slow the technological arms race in the privacy arena.  “The header-based Do Not Track system appeals because it calls for an armistice in the arms race of online tracking,” says Rainey Reitman of EFF.  And the always provocative regulatory agitator Chris Soghoian argues that “opt out mechanisms… [could] finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control.”  These guys should know better. There is no way in hell that Do Not Track would slow the technological “arms race” in this arena. If anything, a Do Not Track mandate will speed up that arms race and potentially just shift attention toward the development of Deep Packet Inspection (DPI) technologies or other, more invasive, forms of tracking.

I suppose they would argue that we’ll turn our attention to those technological developments as they happen, but that would make my point. There will be technological and marketplace responses to efforts to freeze current market structures, norms, and technologies in place. Again, for better or worse, progress happens.  It’s just that privacy advocates aren’t particularly fond of the consequences of technological progress in this regard and want to put a stop to it.  But they will fail.

Hyper-Transparency

At this point, some savvy readers might suspect I have fallen under the spell of David Brin and the vision he set forth in his 1997 book, The Transparent Society. There’s some truth to that, at least as it pertains to the empirical side of his argument. For those who forget his provocative thesis, Brin argued that:

While new surveillance and data technologies pose vexing challenges, we may be wise to pause and recall what worked for us so far. Reciprocal accountability — a widely shared power to shine light, even on the mighty — is the unsung marvel of our age, empowering even eccentrics and minorities to enforce their own freedom. Shall we scrap civilization’s best tool — light — in favor of a fad of secrecy?

Across the political spectrum, a “Strong Privacy” movement claims that liberty and personal privacy are best defended by anonymity and encryption, or else by ornate laws restricting what groups or individuals may be allowed to know. This approach may seem appealing, but there are no historical examples of it ever having worked.  Strong Privacy bears a severe burden of proof when they claim that a world of secrets will protect freedom… even privacy… better than what has worked for us so far — general openness.

Indeed, it’s a burden of proof that can sometimes be met! Certainly there are circumstances when/where secrecy is the only recourse… in concealing the location of shelters for battered wives, for instance, or in fiercely defending psychiatric records. These examples stand at one end of a sliding scale whose principal measure is the amount of harm that a piece of information might plausibly do, if released in an unfair manner. At the other end of the scale, new technologies seem to require changes in our definition of privacy. What salad dressing you use may be as widely known as what color sweater you wear on the street… and just as harmlessly boring.

The important thing to remember is that anyone who claims a right to keep something secret is also claiming a right to deny knowledge to others. There is an inherent conflict! Some kind of criterion must be used to adjudicate this tradeoff and most sensible people seem to agree that this criterion should be real or plausible harm… not simply whether or not somebody likes to keep personal data secret.

As a normative matter, I’m not entirely in league with Brin, but I do think he makes a very powerful case for transparency and openness trumping privacy and secrecy. (And isn’t it a delicious irony of information policy debates that the same crowd that is typically hammering on policymakers about the need for greater “openness” and transparency in all other matters suddenly wants to the opposite when our personal information is brought into the discussion?!)

But where I am entirely in agreement with Brin is with his empirical or practical case for understanding and, to some extent, accepting the world around us.  I wouldn’t necessarily label it the snarky “privacy is dead, just get over it,” but I would think it fair to call this philosophy “privacy is changing, and we need to learn how to live with it.”

Thinking about Concrete Harms & Targeted Solutions to Them

To be clear, I’m not against all forms of “privacy” law or regulation.  When it comes to government surveillance, I think we need more limitations on the State and the ability of public officials to access certain types of information, or act upon it. The key point here is that the solution to State surveillance concerns should not be bans on the technology. We instead need to shackle State actors and tightly delimit their power over our lives—such as by tightening up the Electronic Communications Privacy Act, as the Digital Due Process Coalition proposes, and by creating new protections for locational data, as Sen. Wyden has recently proposed.  And we should do so because the State possesses uniquely coercive powers over our lives and our property.

For privately aggregated data, it’s more complicated. I continue to think we can live with most forms of private data collection and aggregation since there are great benefits for society.  Most of the time, companies are just trying to sell us a more relevant product.  It’s hard for me to see the harm in that.  But there will be certain categories of personal information that will eventually need to be carved out of the mix.  I think health and financial information are the two primary categories in this case. It doesn’t mean we should take extreme steps to limit all data flows associated with them, but we will likely need to take some steps.  And most countries, including the U.S., already have targeted laws dealing with those two categories of personal information.  In this sense, I look at privacy regulation in much the same way I look at censorship.  The general default should be that openness and information sharing are permissible. But in some extreme cases — think child pornography — most of us can agree that the harm is quite tangible and significant enough to warrant repression of that information / content.

These are challenging issues and this is fertile ground for further academic investigation.  I think that we are only beginning to explore and understand the mechanics of information control regimes. As we continue that exploration, especially as we look to significantly broaden regulation of personal information flows, here are some questions for scholars to consider and debate:

• In the context of privacy and personal information, how far should law go to roll back digital progress or try to put the genie back in the bottle?
• Does the “darknet” theory have ramifications for the privacy debate?
• Can or should we have similar information control regimes for privacy, content control, defamation, intellectual property, cybersecurity, etc, or should each problem be treated/regulated differently?
• If, however, we adopt differing regulatory regimes for different classes of information, won’t the most restrictive regime become a model for the others?
• Finally, instead of attempting to stifle all information flows or block new technologies that facilitate information sharing, are we better off — as Brin suggests — channeling our energy in to increasing transparency across the board so that those who hold information about us are forced to reveal what they have or know?  Of course, that will lead some to suggest — as many privacy advocates do today — that we should be given more control over the uses of that information once it is in the wild.  Again, what I am assuming here is that that is increasingly an exercise in futility.

While I was away at Oxford University last week, a USA Today story ran entitled “Online Hate Speech: Difficult to Police… and Define.”  The author, Theresa Howard, was kind enough to call me for comment on the issue before I left and I made two general points in response to her questions about how serious online hate speech was and how we should combat it:

(1) “The Internet is a cultural bazaar. It’s the place to find the best and worst of all human elements on display.” What I meant by that, quite obviously, is that you can’t expect to have the most open, accessible communications platform the world has ever known and not also have a handful of knuckleheads who use it spew vile, hateful, ridiculous comments. But we need to put things in perspective: Those jerks represent only a very, very small minority of all online speech and speakers. Hate speech is not the norm online.  The overwhelmingly majority of  online speech is of a socially acceptable — even beneficial — nature.

(2) “When advocacy groups work together and use the new technology at their disposal, they have a way of signaling out bad speech and bad ideas.” What I meant by that was that the best way to combat the handful of neanderthals out there that spew hateful garbage is to: (a) use positive speech to drown out hateful speech, and (b) encourage websites to self-police themselves or use community policing techniques to highlight hateful speech and encourage the community to fight back.  Importantly, this process is reinforcing.  When online communities “flag and tag” objectionable or hateful content, it is easier for better site policing to occur, for social norms to develop, and for better speech to be targeted at that bad speech.  Moreover, these new tools and methods are helping groups like the Anti-Defamation League and the National Hispanic Media Coalition to better identify hate speech and then channel their collective energy and efforts to unite the rest of the online community against those hateful speakers and sites.

I think this approach makes more sense than calling in governments to police online hate speech through censorship efforts. This is especially the case because, at the margins, “hate speech” can often be tricky to define and, at least in the United States, regulatory efforts could conflict with legitimate free speech rights. Again, the best way to deal with and marginalize such knuckleheads is with more and better speech.  Fight stupidity with sensibility, not censorship.

Today’s USA Today features a debate between the editors and me on the question of the impact media has on children and what should be done about it. Their editorial argues that “Today’s mass media penetrate deeply and quietly, inflicting real damage on young children, an increasing body of research shows.” Specifically, they are referring to a new study commissioned by Common Sense Media (CSM), which claims that a review of 173 studies shows “that a strong correlation exists between greater exposure and adverse health outcomes.”

In my response entitled “Don’t Scapegoat Media,” which appears in its entirety down below the fold, I argue that “Media have long been a convenient scapegoat for the woes of the world,” and that we must be careful not to assume correlation equals causation when surveying the impact of media on kids. After all, I argue, “how do [those studies] account for the other variables that influence youth development, including broken homes, bad parents, socioeconomic status, troubled peer relations, poor schools and so on? And how is media exposure weighted relative to these other influences? Is a beer ad really as much of a negative influence as an alcoholic parent?” Again, read my entire response below. [Of course, even if one assumes some media has an impact on some kids, there are plenty of ways for parents and guardians to take control over the media in their lives, as I have shown in my big book on the subject.]

I was also quoted in this Washington Post article about the new CSM study on Tuesday.

Don’t Scapegoat Media by Adam Thierer 12/4/08

USA Today

Media have long been a convenient scapegoat for the woes of the world. In particular, fears about the influence media might have on our children have often prompted calls for “crackdowns” on speech and expression.

Typically, these fears fade as one generation’s media boogeyman becomes another’s treasured art form. That’s not to say media don’t have an impact on some children. Clearly, media are among many factors that influence culture and behavior.

But what about those other influences? Some studies summarized in the new Common Sense Media (CSM) report suggest a potential link between media exposure and certain social pathologies. But how do they account for the other variables that influence youth development, including broken homes, bad parents, socioeconomic status, troubled peer relations, poor schools and so on? And how is media exposure weighted relative to these other influences? Is a beer ad really as much of a negative influence as an alcoholic parent?

That’s why it’s important to recall a fundamental tenet of all social sciences: Correlation does not necessarily equal causation. Human behavior is complicated and quite difficult to measure “scientifically.” Just defining “media exposure” and “negative health outcomes” is tricky enough; identifying root causes is even more challenging.

The sky hasn’t fallen the way some media critics feared. While childhood obesity is a growing problem, it’s important not to lose sight of the impressive gains we’ve made in other areas, such as falling juvenile violence, teen pregnancy, and youth drug and alcohol abuse. Moreover, even if some media negatively influence some children, that must be balanced against the many ways media inspire and empower.

The authors of the CSM survey are to be commended, however, for avoiding regulatory recommendations and instead focusing on the sensible steps parents, schools, industry and government can take to educate kids and empower families to take control over the media in their lives. More information, increased media options and better mentoring of our children are the prudent approaches.

Faithful readers will recall that, several months ago, I penned a 7-part “Media Metrics” series that took a hard look at the health of the media marketplace. Today, the Progress & Freedom Foundation is releasing a greatly expanded version of these essays that I have put together with my PFF colleague Grant Eskelsen. In this 100-page special report, “Media Metrics: The True State of the Modern Media Marketplace,” we begin by noting that heated debates about the state of the media marketplace continue to rage in Washington, and opinions seem to range from grim to outright apocalyptic. As we note on pg. 1:

Many people—including a large number of legislators and regulators—argue that America’s media marketplace is in a miserable state. Some claim that citizens lack choice in media outlets and that options are just as scarce as ever. Others believe that media “localism” is dead or that many groups or niches go underserved because of a lack of true “diversity” in media. Others argue that the market is hopelessly over-concentrated in the hands of a few evil media barons who are hell-bent on force-feeding us corporate propaganda. And still others say that the quality of news and entertainment in our society has deteriorated because of a combination of all of the above. It all sounds quite troubling, but is any of it true?

After taking an objective look at the true state of America’s media marketplace, we conclude that such pessimism is unwarranted. Indeed, a careful review of the facts reveals that—contrary to what those media critics suggest—we have more media choice, more media competition, and more media diversity than ever before. Indeed, to the extent there was ever a “golden age” of media in America, we are living in it today. The media sky has never been brighter and it is getting brighter with each passing year. We come to this conclusion by looking beyond the rhetoric that has for too long governed debates about media in American and providing a comprehensive look at a variety of media sectors such as audio, video, print and online media. Our survey contains over 70 charts and exhibits illustrating facts and figures on such diverse topics as advertising revenue, company market share, audience trends, and areas of growth in the sector. We will also aim to periodically updated the report to reflect the rapidly evolving media industry.

We encourage readers to provider input about how to improve and expand the report going forward in an attempt to refine and improve the metrics. And we look forward to future debates on this subject–debates that we hope will be guided by facts instead of fanaticism and by evidence instead of emotion. The hyperbolic rhetoric, shameless fear-mongering, and unsubstantiated claims that have driven policy debates in recent years have no foundation in reality and should be rejected as the debate over media policy continues.

This and future installments of “Media Metrics: The True State of the Modern Media Marketplace” will be available on the PFF website at www.pff.org/mediametrics. I have also embedded the entire document below as a Scribd file so that those interested in the topic can peruse the report immediately.

The USA Today editorial board published a nasty piece today belittling MySpace.com’s recent efforts to implement more safeguards for its users. Despite the fact that MySpace made over 70 promises to the Attorneys General as part of the agreement–the entire agreement is summarized here–that’s still not good enough for the USA Today’s editorial board, which wants full-blown identity verification before anyone is allowed on a social networking site:

“Even in the absence of a perfect software solution, interim steps are possible. How about using databases of drivers’ licenses to cross-check ages? In more than 20 states, they are public records. The point is, more effective safeguards are needed now, …. MySpace [should be] moving faster to set up age and ID verifications, not just study them.”

Well, where do I begin? I get so frustrated when I see comments like this because it is abundantly clear to me that people don’t think things through when it comes to age verification. As I pointed out in my lengthy PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” age verification is extremely complicated, and it would be even more complicated in this case because public officials are demanding the age verification of minors as well as adults, which presents a wide array of special challenges and concerns.

What Age Verification Really Is: The Death of Online Anonymity We need to begin by understanding what age verification really is. By definition, mandatory age verification represents an effort to make online anonymity a crime. In simple terms, citizens would be forced to “show their papers” at the door of every website or else run the risk of being denied access–simply because they do not want to surrender their name or age.

Think about what that means. It’s easy to take the benefits of online anonymity for granted. There are millions of people who comment anonymously on blogs like this one every day, or write anonymous book or product reviews on Amazon.com or eBay, or who just chat with others about various topics under the cloak of anonymity. It is a wonderful thing.

Of course, anonymity has some downsides. The downside of people speaking their minds freely is that, well, people will speak their minds freely! And, yes, on occasion, that means some people will talk smack and just generally be jerks while disguising their identities because don’t want to stand by their comments or be accountable for them. But that’s the cost of free expression. If you want to live in a free society and encourage a vibrant exchange of views, there will be times when that means we must defend the right of people to say incredibly silly or even insulting things.

And God knows there are plenty of silly and insulting things being said on social networking sites every second of the day. But there are also countless moments of joy and wonder, when people come together and communicate with each other, or share culture with others in incredibly creative and social-beneficial ways. And, again, a great deal of that communication or culture-sharing is done in a completely anonymous fashion.

For example, as I have mentioned here before, I am fanatical about cars and home theater gadgets. I spend a lot of my free time hanging out at a small social networking site for fellow Lotus car lovers called Lotus Talk. And I also spend a fair amount of time at the amazing AVS Forum, which is the world’s biggest chat board for home theater and A/V stuff. On these sites, thousands of random strangers come into contact every day. We create profiles, we post pictures, we share stories, we talk about life and our passions for cars and A/V gadgets. This is very the essence of social networking. And, for the most past, we are all doing it anonymously. And it is happens everywhere online, every second of every day. Do we really want to make it all illegal?

Practical Considerations: The Complexities of Human Identification OK, so there might be some downsides to making anonymity illegal online. But some critics would say: “So what, we need to make people show their papers at the door of every website–at least for those social networking sites where kids hang out–to make sure kids are safe online.” Well, that’s easier said than done.

At least in theory, the problem that age verification is supposed to solve is to keep older people away from youngsters, at least in certain circumstances. Also, some proponents wish to use age verification to ban preteen access to social networking sites. To accomplish either of those objectives, we must be able to effectively verify everyone’s age by consulting reliable records about those looking to create an account on a social networking site. In other words, when Janie Smith comes to a social networking site for the first time, the site must be able to verify not only that she is Janie Smith, but that she really is as old as she claims to be. But, again, such verifying is easier said than done.

Consider first what is required to verify an adult’s identity. When government officials or even corporations seek to verify someone identify or age, they can rely on birth certificates, Social Security numbers, driver’s licenses, military records, home mortgages, car loans, other credit records, or credit cards.

But even with all those pieces of information, challenges remain. Is the information publicly accessible or restricted by legal or other means? Are all the underlying pieces of information and documentation trustworthy, or have they been manipulated or misreported in some way? Has someone faked his or her identity? And so on. Thus, while the identity authentication systems–both public and private–have improved significantly in recent decades, they still face some inherent challenges and concerns about fraud.

The current concern about “identity theft” demonstrates the complexities and level of difficulty involved in stamping out this problem. Even U.S. passports, which are relatively robust identification documents that contain authentication data, are occasionally forged with success. “It is safe to assume that future age verification efforts will yield failures on par with other identification/authentication mechanisms,” says information security expert Jeff Schmidt, former CEO of Authis, Inc.: “When one considers how frequently college students successfully circumvent age verification requirements in person and with government issued documents, one can begin to grasp the challenges that lie ahead.”

Importantly, we’re talking just about adults here. When the focus of identity verification efforts shifts to minors, the endeavor becomes far more complicated. Minors don’t have home mortgages or car loans. They don’t have military records and most have never worked. Most don’t have driver’s licenses or credit cards either.

Of course, minors do have birth certificates, Social Security numbers, and school records, but both parents and government officials have long demanded that access to those records be tightly guarded. That’s for a very good reason: As a society, we take privacy seriously—especially the privacy of our children. Laws and regulations have been implemented that shield such records from public use, including the Family Educational Rights and Privacy Act of 1974 and various state statutes.

Also, to the extent that age verification of adults works for some websites–online dating services, for example–it is important to realize that in most of those cases the users want to be verified. In that context, identify authentication increases marketability of a user’s “profile,” or it allows him or her to participate more actively in an environment where trust is essential. This fact makes it far more likely that age verification will work because user compliance is driven by market forces, not regulation. That compliance will not be the case when users–especially kids–inherently resist the idea of being age-verified before they go onto certain websites. (We should also not forget that some kids will share their online credentials or passwords with friends.)

It is also important to realize that age verification and background checks are not synonymous. Information security expert John J. Cardillo, President and CEO of Sentinel, a leading authentication firm, argues that:

Most people are ignorant of what we do. They hear the words “check” or “verification” and they assume a full background check will be run on the individual. When this is sponsored by an AG, the chief law enforcement officer of their state, there’s a perception that the criminal background checks are inclusive in whatever they’re proposing. Age verification, on its own, doesn’t indicate whether or not a person is a convicted sex offender. Mandated age verification, as proposed, would allow the hundreds of thousands of offenders… who are over 18, unrestricted access to sites. Worse, it would allow these offenders the ability to vouch for children that might or might not exist. This is where it gets most dangerous. People might assume that “verified” users have undergone some type of vetting, and let their guard down just that little bit the offenders need to exploit. In the case of convicted sex offenders, age verification actually helps them by giving them an additional layer of legitimacy.

This points to the danger of creating a false sense of security online by mandating a solution that doesn’t address the real problem.

Finally, the special challenges raised by the nature of the Internet and online communication must be reiterated. Finding a dependable source of identity or age information and then reliably matching it to someone thousands of miles away on the Internet (perhaps in another jurisdiction, or even another country) is a daunting challenge—made even more difficult by the fact that a remote individual may be actively attempting to subvert the age verification process. Solving this problem necessitates authentication data that are appropriate for online interaction. In the real world, we perform in-person authentication with a photo or physical description; the online world requires a username/password combination, biometric authenticator, or physical security token. An arms-race scenario is obviously at work here, and because a perfect solution is impossible, we must guard against a false sense of security. Lastly, because technology is evolving at such a rapid pace in this area, there is a risk that legislative solutions will become obsolete very rapidly.

In light of those complications, how would government, social networking sites, or anyone else, go about age-verifying minors online?

Do We Really Want National ID Cards for Kids? In the extreme, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others—including social networking sites—as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children. Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into to collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Sources of Age Information Thus, if social networking sites are going to age-verify minors, they will likely need to devise or rely on some other, nongovernmental solution. The most commonly proposed solutions typically fall into the following groupings:

(1) Credit cards as approximate age proxies; (2) Driver’s licenses as approximate age proxies or as a source of date of birth; (3) Birth certificates as a source of actual date of birth; (4) Parents or guardians vouching for minors; (5) Schools vouching for minors; (6) Third parties vouching for minors; and, (7) Biological or biometric determination of age.

I won’t summarize all them here since I do so in my longer PFF report on the issue. But let me just point out the deficiencies of the two leading proposals: Credits cards and parents vouching for children.

(1) Credit Cards as Approximate Age Proxies: Credit cards are often viewed by policy makers as the silver bullet solution for age verification. Even though credit card companies typically do not wish their cards to be used as age verification tools, government has advocated their use in that way in the past. But they are not a silver bullet.

“Mere possession of a credit card is not a reliable assertion of identity or age,” argues Jeff Schmidt. Credit cards can be a rough proxy for age on the assumption that only adults over the age of 18 have credit cards, but that assumption is false. Many minors are given credit cards by their parents. Youngsters can borrow or steal credit cards from their parents or others. And Schmidt notes that newly created stored value cards, specifically marketed for use by children, “are in many cases indistinguishable from actual credit cards—both in physical appearance and in the back-end transaction processing systems.” Sentinel’s John Cardillo points out additional reasons why credit cards are not effective age verification tools:

When a card is used for verification purposes, an authorization on that card is run for $1.00 (or less), however a charge isn’t put through. The card typically isn’t reconciled against any database for name and/or age, nor is a signature checked. Because of the insignificant dollar amount, the only thing that’s checked for security purposes, in some instances, is zip code. Anyone who’s ever bought gasoline with a credit card knows this to be true. Our names and ages aren’t checked at the pump. Check your statement online next time you gas up. You’ll see an authorization for $1.00 and the actual charge a few days later. The same merchant banks handle the transactions online. In other words, in most cases, all that’s being verified is that the card account isn’t closed or stolen. Who’s using it is irrelevant.

Moreover, “many parents may feel uncomfortable giving their credit card number online at children’s Web sites where there is no [commercial] transaction involved,” notes a coalition of major commercial organizations, including the American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, The Direct Marketing Association, Inc., and Magazine Publishers of America. In a June 2005 filing to the Federal Trade Commission, those organizations noted that “in light of current online scams, heightened concerns about online security, and the rise of such practices as phishing, parents may be reluctant to provide credit card numbers absent a transaction.” But that begs the question: If lawmakers require social networking sites to process a financial transaction to age-verify, is that fair? In particular, is it fair for low-income families? And what about those families that do not possess a credit card?

Finally, the law is not even settled about using credit cards for access to adult-oriented websites. The Child Online Protection Act (COPA) was passed by Congress in 1998 in an effort to restrict minors’ access to adult-oriented websites. The measure provided an affirmative defense to prosecution if a website operator could show that it had made a good faith effort to restrict site access by requiring a credit card, adult personal identification number, or some other type of age-verifying certificate or technology. But the legislation was immediately challenged and has gone to the Supreme Court for review twice. And the law is still being debated in a lower court. Thus, almost 10 years after its initial passage, the legislation remains stuck in jurisprudential limbo after endless legal wrangling about its constitutionality.

Incidentally, COPA established an expert Commission on Online Child Protection to study methods for reducing access by minors to harmful material on the Internet. As part of its final report, the COPA commission said that credit card-based age verification would be completely inappropriate for instant messaging and chat, which were the precursors of social networking. The commission found: “This system’s limitations include the fact that some children have access to credit cards, and it is unclear how this system would apply to sites outside the U.S. It is not effective at blocking access to chat, newsgroups, or instant messaging.”

(2) Parents or Guardians Vouching for Minors: Legislation has been floated in a few states, such as North Carolina, that would make it illegal for a minor to maintain an account or webpage on a social networking site “without the permission of the minor’s parent or guardian and without providing such parent or guardian access to such profile web page.” Similar measures were recently introduced in North Carolina and Connecticut that would require social networking sites not only to obtain parental approval but also take steps to verify that they are the actual parents of the child.

This approach will appeal to many because it can be likened to a parent signing a “permission slip” for a child. Unfortunately, parental permission-based approaches are more complicated for online activities. Because websites are far away from the parents, how is the site operator going to ensure that the person vouching for the child’s age is really the parent or even an adult? Would the verifier mail or fax notarized documents? Those documents can be forged, of course. Mandatory follow-up phone calls would be cumbersome, costly, and potentially viewed as intrusive. And the use of credit cards to satisfy the permission requirement might raise some of the same problems already discussed above.

Despite these potential drawbacks, this was the general framework established by the Children’s Online Privacy Protection Act (COPPA) of 1998, which required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods mentioned above to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a recent report to Congress, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

And the marketplace experience with COPPA so far reflects that conclusion. One of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites,” notes Denise G. Tayloe, CEO of Privo, Inc., one of the four FTC-approved safe harbor programs. “As a result, databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says. Parry Aftab of Wired Safety confirms this, noting that: “Preteens quickly learned that if they say they are under thirteen they will be prohibited from using many sites. So they regularly lie about their age everywhere online.”

Despite these flaws, Tayloe argues that COPPA serves an important role. Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that the law “provides a platform to educate parents and kids about privacy.” Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.

Nonetheless, these permission-based verification schemes might work reasonably well for smaller, closed online communities in which the kids and parents are willing to take the time (and expense) to undertake extensive authentication. For example, smaller social networking sites such as ZoeysRoom.com, Imbee.com, ClubPenguin.com, and Tweenland.com have extremely strict enlistment policies, primarily because they target or allow younger users. As Sue Shellenbarger of the Wall Street Journal explains:

The under-16 sites pose few of the hazards linked to networking sites for older people. The activities range from chats and blogging to creating virtual pets or characters and acting out roles in virtual cities. For a child to register, the sites typically require a parent’s email permission, a parental signature on a permission form, or a parent’s credit card verification. Some limit young children’s interchanges to drop down menus of preapproved words and phrases. Most filter content for inappropriate material and employ live adult monitors who ensure that kids’ conversations don’t stray off course. Some limit chats or blog access to participants who are already preapproved and already known to a child’s family.

Ironically, one can probably safely assume that the kids using such services are not in the high-risk group discussed earlier. The parents who use such services are probably doing a fine job of mentoring their kids and don’t really need to resort to such restrictive solutions. Nonetheless, such highly restrictive “walled garden” approaches do provide parents with greater ease of mind. That’s not necessarily because of the strict enlistment policies so much as the extreme limitations on what kids can do on those sites or with whom they can communicate while online.

But regardless of how well the above-mentioned parental consent schemes work in practice for these smaller, more closed online communities–and some experts, like Cardillo, do question how well they actually work–such solutions lack scalability. Schemes that demand laborious and expensive enrollment requirements, or that greatly limit functionality and interactivity after users sign up, will almost certainly not work for larger social networking sites with a massive community of users. The administrative burdens would be significant for both site operators and parents alike. For example, Parry Aftab notes that COPPA has made it much more difficult for some smaller website operators to staff afloat. “The cost of obtaining verifiable parental consent for interactive communications is very high, estimated at more than $45 per child, and even at that price [consent is] difficult to obtain.”

And because users would sacrifice a great deal of autonomy and functionality once online, many would likely rebel against the system or would seek to subvert it in some fashion. If such a system significantly slows or impedes the creation of new accounts for domestic social networking sites, it will create a perverse incentive for kids to seek other sites with less-restrictive policies, including offshore sites.

Conclusion There are many other issues I haven’t mentioned here that deserve consideration. I’ll just check off a few:

• Assuming we go through with this, who is aggregating all this data? Who has access to the databases? How might that data be used?

• Is all this constitutional? Won’t there be First Amendment or privacy cases brought that endlessly complicate implementation?

• Will kids just flock off-shore to unregulated sites in an effort to reclaim some of the independence they have lost through by surrendering anonymity on U.S.-based sites? What are the consequences of that? Do parents or American policymakers really have any leverage over shady websites operators in Antigua?

• Aren’t there better ways to use our resources? How about focusing our time, energy and resources on educating kids about online risks and deal with these concerns in more constructive ways?

You get the point: Age verification is complicated. Insanely complicated. And it would have enormous costs and profound ramifications for the future of online speech and privacy. We must never forget that government regulation–no matter how well-intentioned–can often have such unintended consequences. It’s a lesson that the USA Today and many others need to heed before they flippantly suggest that age verification is a piece of cake and it’s just a matter of MySpace or someone else throwing a switch to magically make it happen.

Not. That. Simple.

This morning in New York City, social networking website operator MySpace.com announced a major joint effort with 49 state Attorneys General aimed at better protecting children online. (Coverage at CNet, NYT and Forbes). At a joint press conference, MySpace and the AGs unveiled a “Joint Statement on Key Principles of Social Networking Safety” involving expanded online safety tools, improved education efforts, and law enforcement cooperation. They also agreed to create an industry-wide Internet Safety Technical Task Force to study online safety tools, including a review of online identity authentication technology. Generally speaking, the agreement is step forward for online safety. Indeed, many of the principles in the agreement could form a potential model “code of conduct” that other social networking sites could adopt. In a report I authored for the Progress & Freedom Foundation in August 2006, I argued that it was vital for companies and trade associations to take steps such as this to avoid the specter of government regulation or censorship:

All companies doing business online… must show policymakers and the general public that they are serious about addressing [online safety] concerns. If companies and trade associations do not step up to the plate and meet this challenge soon—and in a collective fashion—calls will only grow louder for increased government regulation of online speech and activities. What is needed is a voluntary code of conduct for companies doing business online. This code of conduct, or set of industry “best practices,” would be based on a straight-forward set of principles and policies that could be universally adopted by [a] wide variety of operators…

In particular, this code of conduct proposal called for companies to make specific pledges regarding improved online safety tools, expanded education / media literacy efforts, and ongoing assistance to law enforcement regarding investigations of online crimes.

The Agreement

MySpace responded to this challenge in impressive fashion with its announcement today. The agreement touched upon all of those elements and included the following “Principles of Social Networking” (as described in a MySpace press release):

• Site Design and Functionality: The Principles incorporate safety initiatives that MySpace has already implemented and initiatives it will work to implement in the coming months. Examples of safety features MySpace has in place include reviewing every image and video uploaded to the site, reviewing the content of Groups, making the profiles of 14 and 15 year old users automatically private and protecting them from being contacted by adults that they don’t already know in the physical world, and deleting registered sex offenders from MySpace. Examples of improvements MySpace will make include defaulting 16 and 17 year old users’ profiles to private and strengthening the technology that enforces the site’s minimum age of 14.

• Education and Tools for Parents, Educators and Children. The Principles acknowledge that MySpace has already been devoting meaningful resources to Internet safety education including a new online safety public service announcement targeted at parents and free parental software that is under development. MySpace will explore the establishment of a children’s email registry that will empower parents to prevent their children from having access to MySpace or any other social networking site. In addition, under the Principles MySpace will increase its communications with consumers who report a complaint about inappropriate content or activity on the site.

• Law Enforcement Cooperation. The Attorneys General view MySpace’s cooperation with law enforcement, which includes a 24-hour hotline, to be a model for the industry. The parties will continue to work together to enhance the ability of law enforcement officials to investigate and prosecute Internet crimes.

• Online Safety Task Force. As part of the Principles, MySpace will organize, with the support of the Attorneys General, an industry-wide Internet Safety Technical Task Force to develop online safety tools, including a review of identity authentication tools. While existing age verification and identity products are not an effective safety tool for social networking sites, the Task Force will explore all new technologies that can help make users more safe and secure including age verification. The Task Force will include Internet businesses, identity authentication experts, non-profit organizations, academics and technology companies.

The agreement then goes on—in the form of two appendices—to detail over 70 specific steps that MySpace will take to expand upon these principles. As part of the agreement, MySpace agreed to:

• Implement “age locking” for existing profiles such that members will be allowed to change their ages only once above or below the 18 year old threshold. Once changed across this threshold, under 18 members will be locked into the age they provided while 18 and older members will be able to make changes to their age as long as they remain above the 18 threshold. MySpace will implement “age locking” for new profiles such that under 18 members will be locked into the age they provide at sign-up while 18 and older members will be able to make changes to their age as long as they remain above the 18 threshold.

• Users able to restrict friend requests to only those who know their email address or last name. “Friend only” group invite mandatory for 14 and 15 year olds. “Friend only” group invite by default for 16 and 17 years olds. Users under 18 can block all users over 18 from contacting them or viewing their profile. Users over 18 will be limited to search in the school section only for high school students graduating in the current or upcoming year. Users over 18 may designate their profiles as private to users under 18, and users under 18 may designate their profiles as private to users over 18.

• Change the default setting for 16-17 year olds’ profiles from “public” to “private” and create a closed high school section for users under 18. The “private” profile of a 16/17 year old will be viewable only by his/her “friends” and other students from that high school who have been vouched for by another such student. Students attending the same high school will be able to “Browse” for each other.

• Obtain a list of adult sites on an ongoing basis and sever all links to those sites from MySpace. They will also demand that adult entertainment industry performers set their profiles to block access to all under 18 users and remove all under 18 users from profiles of identified adult entertainment industry performers.

And that just scratches the surface. There is much more to the agreement. In fact, it is difficult to imagine how MySpace could have gone any further to satisfy the online safety concerns raised by AGs or other public policymakers. Indeed, some MySpace users will likely protest that some of the changes go too far. That’s especially clear after reading some of the other technical details of the proposal included in the two appendices.

E-Mail Registry

For example, in the technical appendix summarizing the design and functionality initiatives that MySpace has agreed to consider, they say they will pursue a new “children’s e-mail registry”:

[MySpace will] engage a third-party to build and host a registry of email addresses for children under 18. Parents would register their children if they did not want them to have access to MySpace or any other social networking site that uses the registry. A child whose information matches the registry would not be able to register for MySpace membership.

That proposal might raise some eyebrows since it is unclear how that registry would work and what, if any, privacy / security concerns it might raise. Of course, other critics will argue that such a system will be easily circumvented or tricked. After all, how does MySpace know that the person submitting an e-mail is child’s real parent? And what about multiple e-mail accounts? It’s fairly easy to get a free e-mail account these days. But, if the system somehow did work as billed, it would raise serious questions about who has access to that e-mail registry and how secure the database was.

The agreement also contains a number of restrictions on access by minors to specific types of content, or to other users or groups on MySpace. Viewed in isolation, those restrictions seem fairly reasonable—especially those dealing with access by minors to adult areas (ex: “swingers” clubs or the “Romance and Relationship Forum and Groups”). Taken together, however, the growing list of site restrictions might be viewed by many young users as an impediment to their social networking activities. Many parents and policymakers will like the sound of that, of course. But where might those users go if they are frustrated by the growing number of restrictions imposed on their online activities? This is indicative of the difficult position MySpace finds itself into today: They are piling on additional restrictions and safeguards in the name of online safety to satisfy the concerns raised by many parents and policymakers. But if these initiatives impose too many encumbrances on social networking activity and interactions it could undermine the very purpose of the site and its value to members.

This explains why MySpace is eager to get other social networking sites to adopt policies similar to those found in the agreement it struck with the AGs. Obviously, MySpace would prefer not be the only website stuck with these burdens. Moreover, it probably does not want other sites to have an unfair competitive advantage in terms of more lax operating restrictions. Of course, even if every domestic social networking site adopted stricter policies along the lines of what MySpace agreed to, there will always be offshore alternatives for youngsters to choose from. This is the tricky balance that complicates all debates about online child safety today: How do we create sensible online policies without encouraging kids to operate completely surreptitiously in a “digital underground,” especially shady offshore environments?

Age Verification

Generally speaking, however, MySpace struck the right balance with most of the other proposals in the agreement with the AGs, especially considering the pressure they were under from some policymakers to go much further. In that regard, the agreement with the AGs is especially notable for what it does not include: age verification mandates. The call for an Internet Safety Technical Task Force to study online safety methods and identity authentication tools is a sensible alternative to the rush to mandate age verification, which some AGs have been advocating vociferously over the past two years.

Hopefully the task force will provide critical examination of the issue and not simply begin with pre-ordained conclusions about the wisdom or effectiveness of online age verification techniques and technologies. At the press conference announcing the agreement, however, Attorneys General Roy Cooper of North Carolina and Richard Blumenthal of Connecticut seemed to imply that that the goal of the task force would be to develop and implement a full-blown age verification system for the Internet. “We are going to find and develop online identity authentication tools,” said AG Cooper. And AG Blumenthal reiterated an argument he made ad nauseum last year when he argued that, “if we can put a man on the moon” then we ought to be able to verify the ages of people when they go online. [I first heard AG Blumenthal make this argument when I debated him and AG Cooper at a NCMEC conference two years ago. Here’s the summary of my response that day.]

But it’s just not that simple. As I argued in a lengthy PFF study last year entitled, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” there are no silver bullet age verifications solutions. Online authentication is a complicated, multi-faceted technical issue. And, even assuming we could find a way to make it work, there are many other considerations that must be taken into account, such as the burden it might impose on freedom of speech or individual privacy.

The danger, therefore, is that the AGs have preconceived notions about the wisdom and efficacy of age verification mandates, and that they will either seek to stack the deck on the task force with age verification advocates or pressure the task force to adopt mandatory age verification without thoroughly studying the issue. Again, that would be a serious mistake and it would also likely give rise to legal challenges.

Education & Empowerment

The better approach is to focus on other steps that actually will keep kids safe online. As I have argued in my book on Parental Controls and Online Child Protection: A Survey of Tools and Methods, the best solution to online safety concerns is what I call the “3-E Solution: which stands for “education, empowerment, and enforcement.”

Luckily, there’s a great deal of that included in the MySpace agreement with the AGs. MySpace has pledged to “continue to dedicate meaningful resources to convey information to help parents and educators protect children and help younger users enjoy a safer experience on MySpace.” In particular, MySpace will “engage in public service announcements, develop free parental monitoring software, and explore the establishment of a children’s email registry.”

The importance of education initiatives cannot be overstated. Technical solutions, such as those the AGs clearly favor, will always suffer from inherent limitations and will often be circumvented. Education, by contrast, lasts a lifetime. We need to be teaching our kids how to be good cyber-citizens and how to identify and report legitimate online threats (predators, bullies, scam artists, etc). It is my belief that today’s youth are far more savvy and sensible about these threats than most adults or policymakers give them credit for. Nonetheless, it is important to be vigilant about online safety education and etiquette in an attempt to teach kids—especially more “at-risk” youth who might be susceptible to online threats—basic life lessons about sensible cyberspace behavior and interactions.

Conclusion

Despite the handful of concerns raised above, the MySpace agreement serves as a model for what other social networking companies and online operators could do if they wanted to get more serious about promoting Internet safety. MySpace has done about all it can to be responsive to the demands of parents and policymakers.

Of course, it could be true that no matter how much the company does to improve parental control tools or educate the public, some parents may never take advantage of those tools or information. This remains one of the great mysteries of the parental controls debate: Why is it that so many parents say they want more and better controls and strategies, but when they are made available many of them choose not to use them?

Regardless, if for whatever reason, parents are not taking advantage of these tools and options, their inaction should not be used to justify government regulation as a surrogate for household choice / parental responsibility. Parents have been empowered. It is now their responsibility to take advantage of the tools and controls at their disposal to determine what is acceptable in their homes and in the lives of their children.

MySpace should be applauded for its new statement of principles and its impressive efforts to empower and educate both parents and children about online safety while assisting law enforcement when necessary to root out the real bad guys lurking online.

As Braden mentioned, we were both down in Raleigh, North Carolina this week testifying at a big hearing on mandatory age verification for social networking sites.

It was quite a heated battle. The legislation, SB 132, was supported at the hearing by North Carolina attorney general Roy Cooper, several of his staff attorneys, a couple of NC senate lawmakers, and some folks from Aristotle, a company that claims it has devised a workable age verification solution for social networking purposes. A vote on the proposal was delayed and we’re still awaiting the final outcome.

Down below, I have attached the outline of my remarks in which I argued that age verification mandates would actually make kids less safe online. Here’s why:

1) Age verification is not synonymous with a background check.

• Are citizens being lead to believe that age verification guarantees them perfectly safe online environments? After all, even if the verification process gets the age part of the equation right, it tells us little else about the person being verified.

• Incidentally, what happens when the parent being verified is a predator using their child to create false credentials? Unfortunately, we know that some predators have children.

• This gets to the primary concern in this debate: The very real potential exists that we are creating solutions that inject a false sense of security in parents and children alike.

2) Even assuming we do not encounter problems with the initial sign-up phase and procedures, questions remain about follow-ups and subsequent validations.

• Will parents be asked to fill out and submit paperwork routinely to verify their identity (or their child’s) on an ongoing basis? Will parents be expected to take phone calls from dozens of social networking sites (or call sites themselves) to continue authorization? Will parents tolerate that?

• If the sign-up and subsequent authentication process proves cumbersome and time-consuming, will this encourage kids to search out less trustworthy “underground” or offshore websites?

• How are we going to regulate those offshore sites? Also, could new regulations drive domestic operators offshore?

• In sum, the sheer scale of the Net and online activities greatly complicate the enforcement of age verification schemes, especially those of the parental permission-based variety.

3) Will age verification mandates encourage the rise of an illegal black market in credentials?

• Will kids share or even sell their online credentials, such as their user name and passwords, to others who desire them?

• Certainly kids won’t just stop trying to get onto social networking sites. Are we going to punish kids (or prosecute their parents) for evasion? And, again, will kids look to offshore sites?

4) There are serious privacy issues at stake here, and those issues could give rise to other problems.

• Requiring all parents to be verified before their children can go online will obviously be seen by some parents as intrusive and a potential violation of their privacy.

• If some parents resist such regulations or refuse to submit to such verifications, what will their kids do? Again, it might encourage kids to seek out false credentials of to visit offshore sites.

• Incidentally, who has access to all this new information about parents and children that the government is requiring that social networking operators collect? Do we want online operators creating massive new databases of information about us or our kids if better alternatives exist?

Bottom line: The inherent danger of age verification regulation is that it: • results in unintended consequences or solutions that don’t solve the problems they were intended to address; • creates a false sense of security that might encourage some youngsters (or adults) to let their guard down while online; and • creates potential incentives to push mainstream social networking sites offshore. No matter how bad parents or policy makers think social networking sites are today—and, in reality, the sites are not nearly as bad as they imagine—those sites are infinitely superior to potentially shady offshore websites that are completely unaccountable to U.S. officials. And the domestic sites are more accountable to the general public and are responsive to press scrutiny.

In sum, there are no silver bullet solutions. Instead, we need a multi-prong, layered strategy…

Better approach to online child safety = The “3-E Solution”: Education, Empowerment, and Enforcement

“Education” refers to not only the need for K-12 information literacy efforts but also, more broadly, to the need for comprehensive online safety instruction and awareness-building efforts. Governments at all levels need to take an aggressive role here.

“Empowerment” refers to the importance of providing parents with more and better tools to make informed decisions about media and communications tools in their lives of their children. Government can facilitate these efforts in partnership with industry and non-profit organizations. For example, helping to make parents more aware of Internet monitoring tools and strategies would be one of the most constructive solutions.

“Enforcement” refers to stepped up law enforcement efforts to find and adequately prosecute child predators. It is essential that law enforcement officials receive the resources and training necessary to adequately monitor online networks for predators and to bring them to justice when they are found. For example, law enforcement agencies need sophisticated computer forensic labs and skilled experts to help investigate online crimes. And they need to be trained to conduct proper sting operations to find predators before they harm our children. Finally, much longer prison sentences are needed for child predation.

[For additional information, please see my March study, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”]

I’m putting the wraps on a big paper on the dangers of mandating age verification for social networking websites. One of the questions I ask in the study is exactly how broadly “social networking sites” will be defined for purposes of regulation? Will chat rooms, hobbyist sites, listservs, instant messaging, video sharing sites, online marketplaces or online multiplayer gaming sites qualify? If so, how will they be policed and how burdensome will age-verification mandates become for smaller sites? Finally, does the government currently have the resources to engage in such policing activities since almost all websites now have a social networking component? I explore these and other questions in my paper.

But now I have another type of site to add to list, and not one that I originally gave much consideration to: online newspapers. Over the weekend, the USA Today relaunched its website, not only to freshen up its look, but also to fundamentally change the ways the site works. According to the editors, the new features of the site will give readers the ability to:

• Scan other news sources directly on USATODAY.com; • See how readers are reacting to stories; • Recommend stories and comments to other readers; • Comment directly on stories; • Participate in discussion forums; • Write reviews (of movies, music and more); • Contribute photos; • Better communicate with USA Today staff.

Other bloggers were quick to note that the newspaper is essentially trying to refashion itself as a social networking site. Some wonder whether a newspaper can really be a social networking site. Others point out that traditional newspaper readers may resist such changes for a variety of reasons. (Don Dodge points out that 92% of reader responses have been negative so far).

But let’s ignore all that for a moment and get back to the question I posed in the title of my post: If USA Today is billing itself as a social networking site–or if others argue that it represents a social networking site–will the company be required to age-verify users before they visit the site?

Well, that depends on how the age verification regs would get written, of course. But one definition has already been suggested under the proposed “Deleting Online Predators Act” (DOPA), which would ban such sites in publicly funded schools and libraries. Under DOPA, “Commercial Social Networking Websites” are defined as any site that: “(a) allows users to create web pages or profiles that provide information about themselves and are available to other users; and (b) offers a mechanism for communication with other users, such as a forum, chat room, email, or instant messenger.”

Keeping that definition in mind, let’s check out some more material from the USA Today’s “Quick Guide to New Features.” Specifically, look at sections on this page about “personal spaces” and “avatars”:

Personal space: When you become a member, we automatically establish a personal profile page. As you interact with the USA Today community, your comments, recommendations and other contributions are automatically appended to your page. Your profile page includes a place for you to upload photos, write a blog, and the ability to send messages to other users. These pages allow readers to get a better sense of the site’s most active contributors. Avatar: Every one of our pages features a spot just for you: up there in the right-hand corner. That’s where you’ll be notified of messages left by other readers. Make yourself at home. Upload a picture of yourself, a funny icon, or choose from our selection of ready-made avatars.

Sounds a heck of lot like a social networking site to me. And if it was defined as such by lawmakers, it could mean that (under DOPA) access to the USA Today would need to be banned in public schools and libraries and that everyone would need to be age-verified before they go on the new USA Today website in their own homes. Welcome to the world of unitended regulatory consequences!

Additional Reading:

“Social Networking Websites & Child Protection: Toward a Rational Dialogue,” by Adam Thierer, Progress & Freedom Foundation Progress Snapshot 2.17, June 2006.

“Is MySpace the Government’s Space?,” by Adam Thierer, Progress & Freedom Foundation Progress Snapshot 2.16, June 2006.