On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

I’ve just had a new article published by the American Legislative Exchange Council (ALEC) in which I make the case against “techno-panics,” which refers to public and political crusades against the use of new media or technologies by the young. The article is entitled “Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics‘” and it appears in the July 2009 Inside ALEC newsletter.  This is something I have spent a lot of time writing about here in recent years (See 1, 2, 3, 4, 5) and I finally got around to putting it altogether in a concise essay here.  I have pasted the full text below. [And I just want to send a shout-out to my friend Anne Collier of Net Family News.org, whose work on this topic has been very influential on my thinking.]

“Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics‘” by Adam Thierer

A cursory review of the history of media and communications technologies reveals a reoccurring cycle of “techno-panics” — public and political crusades against the use of new media or technologies by the young.  From the waltz to rock-and-roll to rap music, from movies to comic books to video games, from radio and television to the Internet and social networking websites, every new media format or technology has spawned a fresh debate about the potential negative effects they might have on kids.

Inevitably, fueled by media sensationalism and various activist groups, these social and cultural debates quickly become political debates. Indeed, each of the media technologies or outlets mentioned above was either regulated or threatened with regulation at some point in its history. And the cycle continues today. During recent sessions of Congress, countless hearings were held and bills introduced on a wide variety of media and content-related issues. These proposals dealt with broadcast television and radio programming, cable and satellite television content, video games, the Internet, social networking sites, and much more.  State policymakers, especially state Attorneys General (AGs), have also joined in such crusades on occasion.  The recent push by AGs for mandatory age verification for all social networking sites is merely the latest example.

What is perhaps most ironic about these techno-panics is how quickly yesterday’s boogeyman becomes tomorrow’s accepted medium, even as the new villains replace old ones.  For example, the children of the 1950s and 60s were told that Elvis’s hip shakes and the rock-and-roll revolution would make them all the tools of the devil. They grew up fine and became parents themselves, but then promptly began demonizing rap music and video games in the ‘80s and ‘90s.  And now those aging Pac Man-era parents are worried sick about their kids being abducted by predators lurking on MySpace and Facebook. We shouldn’t be surprised if, a decade or two from now, today’s Internet generation will be decrying the dangers of virtual reality.

These techno-panics are almost always disproportionate to the real risk posed by new media and technology, which typically do not have the corrupting influence on youth that older generations fear.  Parents and public policymakers alike need to remember they were once kids, too, and managed to live through many of the same fears and concerns about media and popular culture. As the late University of North Carolina journalism professor Margaret A. Blanchard once noted: “[P]arents and grandparents who lead the efforts to cleanse today’s society seem to forget that they survived alleged attacks on their morals by different media when they were children. Each generation’s adults either lose faith in the ability of their young people to do the same or they become convinced that the dangers facing the new generation are much more substantial than the ones they faced as children.” And Thomas Hine, author of The Rise and Fall of the American Teenager, argues that: “We seem to have moved, without skipping a beat, from blaming our parents for the ills of society to blaming our children. We want them to embody virtues we only rarely practice. We want them to eschew habits we’ve never managed to break.”

The better response by both parents and policymakers is a measured and balanced approach to children’s exposure to media content and online interactions.  All-or-nothing extremes are never going to work.  In particular, techno-panics are hopelessly counter-productive. “Fear, in many cases, is leading to overreaction, which in turn could give rise to greater problems as young people take detours around the roadblocks we think we are erecting,” argue John Palfrey and Urs Gasser, authors of Born Digital: Understanding the First Generation of Digital Natives. What parents, educators, and policymakers need to understand, they argue, “is that the traditional values and common sense that have served them well in the past will be relevant in this new world, too.”

Most simply, we need to be willing to talk to our kids about the new technologies and cultural developments that shape their generation. When we as parents (or policymakers) do not fully comprehend or appreciate the new-fangled gadget in our kids’ pocket—or whatever they are playing, watching, or listening to on it—instead of engaging in demagoguery and driving a wedge between us and them, we should instead invite them to have a conversation with us about it.  Ask three simple questions to get that conversation started: “What is this new thing all about?”  “Tell me how you use it.”  “Why is it important to you?”  Once you’ve got them talking to you, good ‘ol fashion common sense and timeless parenting principles should kick in. “Do you understand why too much of this might be bad for you?” “Will you please come talk to me if you don’t understand something you’ve seen or heard?” And so on.

In sum, it’s about parental responsibility and rational, measured responses. The “techno-panic” mentality, by contrast, creates distrust and distance between our kids and us. As Anne Collier of Net Family News notes, techno-panics “cause fear, which interferes with parent-child communication, which in turn puts kids at greater risk.”

Parents and policymakers need to engage kids in an ongoing conversation about the technologies du jour—even when we don’t fully understand or appreciate them.

————— [printable Scribd version follows] —————

“Against Techno-Panics” by Adam Thierer, PFF (July 2009 – Inside ALEC) http://d.scribd.com/ScribdViewer.swf?document_id=17392730&access_key=key-2gdkqylyeu5h376buyyi&page=1&version=1&viewMode=

In an earlier post, I mentioned an important new online child safety task force report that has just been released from the “Point Smart. Click Safe.” Blue Ribbon Working Group. It’s a great report and I encourage you to read the whole thing. It was my great pleasure to serve on this task force, and as we started finalizing our conclusions and recommendations, I started thinking about how much of what we were finding and recommending was consistent with what past online safety task forces had also concluded.

By way of background, over the past decade, five major online safety task forces or blue ribbon commissions have been convened to study online safety issues. Two of these task forces were convened in the United States and issued reports in 2000 (“COPA Commission”) and 2002 (“Thornburgh Commission“). Another was commissioned by the British government in 2007 and issued in a major report in March 2008 (“Byron Review“). Finally, two additional online safety task forces were formed in the U.S. in 2008 and concluded their work, respectively, in January (“Internet Safety Technical Task Force“) and July (“Point Smart. Click Safe.“) of 2009. [And yet another task force — the Online Safety Technology Working Group — was recently formed and has now gotten underway.]

In a new PFF white paper, ” Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer,” I walk through a chronological summary of each of these past task forces [click on covers of each report below to read them in their entirety] and highlight some of the similar themes and recommendations from them.

Altogether, these five task forces heard from hundreds of experts and produced thousands of pages of testimony and reports on a wide variety of issues related to online child safety. While each of these task forces had different origins and unique membership, what is striking about them is the general unanimity of their conclusions. Among the common themes or recommendations of these five task forces:

• Education is the primary solution to most online child safety concerns. These task forces consistently stressed the importance of media literacy, awareness-building efforts, public service announcements, targeted intervention techniques, and better mentoring and parenting strategies.
• There is no single “silver-bullet” solution or technological “quick-fix” to child safety concerns. That is especially the case in light of the rapid pace of change in the digital world.
• Empowering parents and guardians with a diverse array of tools, however, can help families, caretakers, and schools to exercise more control over online content and communications.
• Technological tools and parental controls are most effective as part of a “layered” approach to child safety that views them as one of many strategies or solutions.
• The best technical control measures are those that work in tandem with educational strategies and approaches to better guide and mentor children to make wise choices. Thus, technical solutions can supplement, but can never supplant, the educational and mentoring role.
• Industry should formulate best practices and self-regulatory systems to empower users with more information and tools so they can make appropriate decisions for themselves and their families. And those best practices, which often take the form of an industry code of conduct or default control settings, should constantly be refined to take into account new social concerns, cultural norms, and technological developments.
• Government should avoid inflexible, top-down technological mandates. Instead, policymakers should focus on encouraging collaborative, multifaceted, multi-stakeholder initiatives and approaches to enhance online safety. Additional resources for education and awareness-building efforts are also crucial. Finally, governments should ensure appropriate penalties are in place to punish serious crimes against children and also make sure law enforcement agencies have adequate resources to police crimes and punish wrong-doers.

The consistency of these findings from those five previous task forces is important and it should guide future discussions among policymakers, the press, and the general public regarding online child safety.  As I note in the paper, the findings are particularly relevant today since Congress and the Obama Administration — including 3 federal agencies (NTIA, FCC, & FTC) are actively studying these issues. So, in light of all that, I hope this short paper can shed some light on the collective wisdom of the past task forces. While more study of online child safety issues is always welcome — including additional task forces or working groups if policymakers deem them necessary — thanks to the work of these five task forces, we now have better vision of what is needed to address online safety concerns.

Five Online Safety Task Forces Agree [PFF – Adam Thierer] http://d.scribd.com/ScribdViewer.swf?document_id=17181137&access_key=key-z6cxfgrjkqaqtxbix&page=1&version=1&viewMode=

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

Online child safety — especially the fear of predators lurking on social networking sites (SNS) — continues to spur calls by state and federal lawmakers for regulation.  At first, some federal lawmakers advocated outright bans on SNS in schools and libraries via the Deleting Online Predators Act (DOPA).  Meanwhile, state and local lawmakers — specifically state Attorneys General (AGs) — have been even more vociferous in their calls for regulation in the form of mandatory age verification for social networking sites, which would cover a broad swath of online sites and activities according to their definitions of SNS. But the question that ultimately gets lost in this debate is: Just how much risk do social networking sites really pose for teens?  Which risks are real and which are overblown? And what’s the best way to deal with the risks that we find to be legitimate?

Nancy Willard devotes her life to answering those questions. Willard is one of America’s leading experts on online safety and risk prevention. She runs the Center for Safe and Responsible Internet Use and she is the author of two outstanding books, Cyberbullying and Cyberthreats and Cyber-Safe Kids, Cyber-Savvy Teens.  In my opinion, Willard’s general approach to online child safety is the most enlightened, level-headed, and likely to be effective. That’s because Willard focuses on putting fears in perspective, identifying the actual risks that kids face online, and devising sensible strategies to deal with risks and problems as they are discovered. Her approach is holistic and built upon sound data, targeted risk-identification strategies, and time-tested education and mentoring methods. For my money, it’s the most sensible approach to online safety issues. In fact, when other parents ask me for “just one thing” to read on the topic, I usually recommend Willard’s work — especially her amazing book Cyber-Safe Kids, Cyber-Savvy Teens. And her background in early childhood education, special education for “at risk” children with emotional and behavior difficulties, as well as experience in computer law, means she is uniquely suited to be analyzing these issues.  In sum, this is woman we should all be closely listening to on these issues.

Recently, Willard has been responding to criticisms that state AGs have leveled against the Internet Safety Technical Task Force (ISTTF) and its final report. [Disclaimer: I was a member of the ISTTF.] I’ve already outlined the ISTTF’s work at length here, but the three key takeaways from the report were that:

1. the risk of predation on social network sites has been over-stated; the data suggest that cyber-bullying is the bigger problem on SNS;
2. there is no silver-bullet technical solution to online child safety concerns, and mandatory age verification, in particular, would not make kids safer online but could even create bigger problems in the long-run;
3. education and empowerment are the real keys to keeping kids safer online.

The response from some state AGs to these findings was quite hostile, with some arguing that the ISTTF did not take online risks seriously enough, or that we relied on “outdated and inadequate” data in reaching our conclusions.  Willard addresses those arguments in a new white paper: “Research that is ‘Outdated and Inadequate?’ An Analysis of the Pennsylvania Child Predator Unit Arrests in Response to Attorney General Criticism of the Berkman Task Force Report.”  In this study, she analyzes data from arrest records from Pennsylvania’s Child Predator Unit to determine exactly how these individuals were operating online. Although it’s just one state’s worth of data — that’s all that seems to have been made publicly available in a single database at this time — it can give us a clue to what might be going on out there. The results are illuminating.

Here’s what Willard found:

The search yielded 143 responses. As noted by the Attorney General, 183 predators had been arrested. All of these arrests were described in the press releases dated from March 21, 2005 to January 13, 2009 – thus allowing for a full analysis of the arrests of sexual predators in the state Pennsylvania for the last 4 years by the Attorney General’s Child Predator Unit. The analysis of the arrests that involved predatory actions, excluding the arrests for child pornography, revealed the following:

• Only 8 incidents involved actual teen victims with whom the Internet was used to form a relationship.
  • In 4 of these incidents, teens or parents reported the contact. The other 4 cases were discovered in an analysis of the computer files of a predator who had been arrested in a sting operation. Five of the cases had led to inappropriate sexual contact. The other situations were discovered prior to any actual contact.
• There were 166 arrests as a result of sting activities where the predator contacted an undercover agent who was posing as a 12 – 14 year old, generally a girl.
  • The vast majority of the stings, 144, occurred in chat rooms. Eleven stings occurred through instant messaging. Nine of the arrests failed to specify the location, but the description bore significant similarity to the chat room incidents. One involved an advertisement that had been placed on Craig’s List.
  • There were only 12 reports of predators being deceptive about their age.
  • The descriptions of these chats incidents bear out what the research reviewed by the [ISTTF’s] Research Advisory Board found – that online predators are rarely deceptive about their interests.

Specifically,”Because the attorneys general have been focusing their attention on the social networking sites, MySpace and Facebook,” Willard made sure to give “special attention to any case that mentioned any activity occurring on either of these two sites.” Here’s what she found in that regard:

• One of the incidents involving an actual teen victim, communications took place on MySpace. This was a rearrest of a person who had already been arrested through a sting.
• A police officer who was arrested for sexual abuse of many teens with whom he had interacted with in the line of duty also had a MySpace account with friendship links to teen girl, but there was no assertion that these communications had led to sexual activity.
• One predator in a sting provided the agent with a link to his Facebook page.
• In 5 of the stings that took place in a chat room, reference was made to the fact that the predator had either looked at the teen’s MySpace account or suggested the teen look at his profile.

Importantly, Willard points out, “Despite the establishment of one or more public profiles on MySpace [by the PA Child Predator Unit], there has apparently not been one successful sting operation initiated on MySpace in the more than two years during which these sting profiles have been in existence.”

From these findings, Willard concludes that:

The insight gained through an analysis of the Pennsylvania Attorney General’s press releases on arrests for online sexual predation provide strong support for the validity of the conclusions of the Berkman Research Advisory Board and demonstrate the need for greater collaboration between law enforcement and researchers to address the actual risks to young people from sexual predators online.

In other words, the Pennsylvania data seem to confirm that predation is not as serious of a risk on SNS as some AGs had claimed. “It appears that chat rooms are far less safe than social networking sites and that there is limited inclination and ability of predators to use social networking sites to contact potential teen victims,” Willard notes. Consequently, she argues:

Attention must be paid to the obvious risks related to chat room communications, as well as the risk factors that are being manifested by the young people who may still be frequenting these chat rooms, especially the chat rooms where sexual relations are being discussed. It appears that rather than seek ways to discourage teens from participating in social networking sites, these sites are destinations that should be encouraged as much safe than the alternatives. A focus must be placed on improving the protective features of chat rooms that are frequented by minors.

We need to know more about which chat rooms are in question and why some youth visit those chat rooms. More importantly, how can we develop sensible messages for youth about the dangers of chat rooms that are targeted to adults and adult sexual activity?

But it is vitally important not to lose sight of the big picture here. As Willard summarizes it:

The incidents of online sexual predation are rare. Far more children and teens are being sexually abused by family members and acquaintances. It is imperative that we remain focused on the issue of child sexual abuse – regardless of how the abusive relationship is initiated.

Indeed, volumes of research on child abuse, child predation, and child abduction all point to this same conclusion: Your kids are actually more at risk from known acquaintances — especially family members — than they are from random strangers (including random strangers they might meet online).

Of course, this doesn’t mean we shouldn’t continue to develop sensible educational messages for youth about proper online behavior and how to report legitimate problems or troubling interactions that they experience online. Again, Willard has done this elsewhere and many of us (including those of us involved in the Berkman Center task force) have long been pushing for increased resources for online safety education and media literacy efforts as the first, best step towards improving online youth safety. We need to get AGs and other policymakers to work together with us to get this important task started — now!

Finally, Willard correctly notes that the AGs and other law enforcement agencies need to be willing to release more data like the Pennsylvania AG did such that further analysis of this problem is possible. If the AGs’ primary complaint with the ISTTF report was that the data we used was somewhat dated, then the best solution to that problem is for the AGs and other law enforcement agencies to open up their records to the child safety community so that risk researchers like Willard can get a better feel for what’s going on out there and devise strategies to deal with it.  Unfortunately, there’s still too much horn-locking going on between these communities and, sadly, I think some AGs are using this issue to create an atmosphere of fear for political gain. We need to find ways to communicate actual risks — such as those that kids would face in some specific, adult-oriented chat rooms — without going overboard and making parents and the general public think that there’s a bogeyman on every cyber-corner of the Internet.

[ Further reading: As usual, my friend Anne Collier over at Net Family News.org has done a much better job summarizing an issue than I have. Read her discussion of Nancy Willard’s paper and its implications here.]

The Internet Safety Technical Task Force (ISTTF), which was formed a year ago to study online safety concerns and technologies, today issued its final report to the U.S. Attorneys General who authorized its creation. It was a great honor for me to serve as a member of the ISTTF and I believe this Task Force and its report represent a major step forward in the discussion about online child safety in this country.

The ISTTF was very ably chaired by John Palfrey, co-director of Harvard University’s Berkman Center for Internet & Society, and I just want to express my profound thanks here to John and his team at Harvard for doing a great job herding cats and overseeing a very challenging process. I encourage everyone to examine the full ISTTF report and all the submissions, presentations, and academic literature that we collected. [It’s all here.] It was a comprehensive undertaking that left no stone unturned.

Importantly, the ISTTF convened (1) a Research Advisory Board (RAB),which brought together some of the best and brightest academic researchers in the field of child safety and child development and (2) a Technical Advisory Board (TAB), which included some of America’s leading technologists, who reviewed child safety technologies submitted to the ISTTF. I strongly recommend you closely examine the RAB literature review and TAB assessment of technologies because those reports provide very detailed assessments of the issues. They both represent amazing achievements in their respective arenas.

There are a couple of key takeaways from the ISTTF’s research and final 278-page report that I want to highlight here. Most importantly, like past blue-ribbon commissions that have studied this issue, the ISTTF has generally concluded there is no silver-bullet technical solution to online child safety concerns. The better way forward is a “layered approach” to online child protection. Here’s how we put it on page 6 of the final report:

The Task Force remains optimistic about the development of technologies to enhance protections for minors online and to support institutions and individuals involved in protecting minors, but cautions against overreliance on technology in isolation or on a single technological approach. Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online. All stakeholders must continue to work in a cooperative and collaborative manner, sharing information and ideas to achieve the common goal of making the Internet as safe as possible for minors.

In sum, education and empowerment are the real keys to keeping kids safer online. We all need to work harder to mentor our children and help them develop the skills and good old fashion common sense to make smart decisions online. Technical tools can supplement — but can never supplant — education, parental guidance, and better mentoring.

Still, this was a task force that primarily came about after state attorneys general (AGs) had been incessantly pressuring social networking sites like MySpace and Facebook to adopt age verification technologies as a solution to online child safety concerns. Specifically, fears about online predators — driven largely by the moral panic whipped up by shows like NBC’s “To Catch a Predator” — prompted calls for mandatory age verification for social networking sites.

So, what did the final ISTTF report have to say about mandatory age verification. Answer: Probably not as much as the AGs were hoping for, and what we did say they may not like to hear.

First, the ISTTF’s Research Advisory Board conclusively proved the primary online safety issue today is peer-on-peer cyber-harassment, not adult predation. Mandatory age verification would do nothing to stop cyberbullying. Indeed, the lack of adult supervision may even exacerbate the problem.

Second, after reviewing various age verification solutions, the ISTTF’s Technical Advisory Board concluded:

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness. Any system that relies on remote verification of information has potential for inaccuracies. For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s. Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records. Any system that focuses on third-party in-person verification would require significant political backing and social acceptance. Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.

As a result, our final report concluded that:

The Task Force does not believe that the Attorneys General should endorse any one technology or set of technologies to protect minors online. Instead, the Attorneys General should continue to work collaboratively with all stakeholders in pursuing a multifaceted approach to enhance safety for minors online.

Then, on pages 28-31, we go into more detail about age verification, finding that:

[Age verification] approaches are less effective in the child safety context — in other words, at creating safe environments for minors — than in the context of completing financial transactions or regulating purchases, especially to the extent that identity authentication and age verification focus solely upon adults. The reasons for this include the fact that in the commercial and financial contexts, an adult typically wants to verify his or her identity correctly in order to purchase a product or get access to records. Moreover, when adults purchase regulated items (such as alcohol or tobacco) online, in some cases a second form of age verification occurs when the item is delivered.

The identity authentication and age verification solutions that authenticate or verify only adults could be and are already sometimes used to reduce minors’ access to adult-only sites. Because they do not authenticate or verify minors, however, they cannot be used to create environments for minors that require authentication or verification prior to access. To the extent that an adult nonetheless uses his or her own verifiable information when accessing an environment intended only for minors, these technologies could enhance the ability of Internet service providers and social network sites to exclude that adult. Of course, it seems unlikely that an adult with nefarious purposes would proceed in this manner. Thus, while these types of identity authentication and age verification technologies may be helpful for other purposes, they do not appear to offer substantial help in protecting minors from sexual solicitation.

And there’s far more detail following this passage from the final report, so please read that section for additional discussion.

Again, some AGs may not like to hear all this but these were near-consensus findings of the Task Force. And, if anything, the Task Force probably did not far enough to show why mandatory age verification will not work and how age verification will actually make kids less safe online. In my final statement to the Task Force, this is what I spent my time focusing on. I outlined the dangers of age verification as well as 10 questions about age verification that the AGs must answer if they persist in this pursuit of a technological Holy Grail. I have embedded my entire expanded final statement down below as a Scribd document, but here are the key reasons I believe mandatory age verification represents a dangerous solution to online child safety concerns:

Again, although the Task Force didn’t go quite as far as I would have liked in terms of making clear the dangers associated with mandatory age verification, I think our final report reflects the general skepticism among Task Force members about taking that path or relying too heavily on any single, silver-bullet technical approach to online child safety concerns. Again, this is real progress; a sensible step forward in the discussion about keeping our kids safe online.

I hope policymakers will take a close look at our conclusions and recommendations and take them seriously. We need to stop wasting so much time searching for silver bullets and start getting more serious about how to better mentor our kids so that they can be good — and safe — digital citizens. Education, not regulation, is the key.

Below I have linked to some background essays about the Internet Safety Technical Task Force as well as additional thoughts by fellow task force members or reporters. I’ll add to it as I see new things in coming days.

Additional thoughts / articles about the ISTTF:

• ISTTF director John Palfrey discusses the report on this short podcast with Larry Magid as well as this longer one from the Berkman Center
• ISTTF co-director danah boyd comments on the report on her blog
• ISTTF member Larry Magid of ConnectSafely.org: “Net Threat to Minors Less Than Feared,” CNet News.com
• ISTTF member Anne Collier of Net Family News: “Key Crossroads for Net Safety“
• ISTTF member Stephen Balkam of FOSI featured on an NPR podcast about our work
• ISTTF member John Morris of CDT: “Deconstructing Reaction to Net Safety Task Force Report“
• ISTTF member Marsali Hancock, President of iKeepSafe blog essay about the task force
• AGs respond to report in interview with Emily Steel of the Wall Street Journal: “The Case for Age Verification“
• New York Times article by Brad Stone: “Report Calls Online Threats to Children Overblown“
• Wall Street Journal article by Emily Steel: “No Easy Answer for Protecting Kids Online“
• Associated Press story by Anick Jesdanun: “Panel: Technology Alone Can’t Protect Kids Online“
• Chronicle of Higher Education Wired Campus blog entry by Tracy Mitrano, “Report Weighs the Benefits and Risks of Social Networks,”
• PC World article by Jaikumar Vijayan: “Study Accused of Exaggerating Kids Online Safety“
• PC World blog post by Jaikumar Vijayan: “Are Internet Child Safety Concerns Overblown or Understated?”

Background info:

• an old blog entry of mine about the formation of the task force
• an old paper of mine about the agreement between MySpace and AGs that led to the formation of the ISTTF
• an essay of mine from the ISTTF’s mid-point: “Age Verification Debate Continues; Schools Now at Center of Discussion“
• my big white paper on the dangers of mandatory age verification
• my book: “Parental Controls and Online Child Protection: A Survey of Tools and Methods”
• my final ISTTF statement, which is also embedded below as a Scribd document…

Over the past year, I have been monitoring a very interesting trend with important ramifications for the future of Internet policy. State Attorneys General (AGs) — often in league with the National Center for Missing and Exploited Children (NCMEC) — have been striking a variety of “voluntary” agreements with various Internet companies that deal with child safety concerns or other online issues. These agreements require the companies involved to take various steps to alter site architecture and functionality, commit to stop certain practices, or take steps to block certain users (ex: predators; escort services) or types of content (ex: child porn; online “discrimination”) altogether.

To begin, let me be very clear about one thing: Some of these activities or types of content warrant a law enforcement response. That is certainly the case with child pornography or predation, for example. However, as I will note down below, there is a legitimate question about whether state officials and a non-profit private organization should be crafting legal or regulatory policies to address such concerns for a global medium like the Internet. Regardless, these agreements are creating a new layer of Internet regulation (almost extra-legal in character) that is worthy of exploration.

First, let me itemize some of these recent “voluntary” agreements between Internet companies and the AGs and/or NCMEC:

• MySpace, Facebook & 49 state AGs: On January 14th, 2008, social networking website operator MySpace.com announced an agreement with 49 state Attorneys General (AGs) aimed at better protecting children online. As part their “Joint Statement on Key Principles of Social Networking Safety,” MySpace promised the AGs it would expand online safety tools, improve education efforts, and expand its cooperation with law enforcement. Facebook entered into a similar agreement with the AGs in May. These agreements came after AGs had relentlessly pushed these social networking sites for over a year to adopt age verification techniques to screen site users. Although mandatory age verification was not part of the final agreements, an Internet Safety Technical Task Force (ISTTF) was formed to study online safety tools, including a review of online identity authentication technology. It was clear when the announcements were made that the AGs were very interested in seeing online age verification pursued.
• Various ISPs and New York AG + NCMEC: In June 2008, New York Attorney General Andrew Cuomo pushed several major ISPs to enter into a Memorandum of Understanding (MOU) with NCMEC to address the dissemination of child pornography online.  Under the MOU, the ISPs must use a NCMEC-provided list of URLs supposedly containing child pornographic images to blacklist and block all access to those sites for their users. The agreement also closed off access to Usenet discussion boards on those ISP’s networks.
• Craigslist & California AG + NCMEC: In early November, Craigslist struck an agreement with 40 state AGs as well as NCMEC in which the online classifies operator agreed to take steps to root out certain sexually-themed or “erotic services” listings. See this Ars Technica article for additional details.
• eHarmony & New Jersey AG: Just this past week, the online dating service company eHarmony announced it had struck an agreement with the Attorney General of New Jersey to settle a complaint that a New Jersey resident filed with the state in 2005 alleging that eHarmony violated his rights by not offering a same-sex matching service. The agreement creates some interesting questions, as George Mason University law professor David Bernstein told the Wall Street Journal. The discrimination claim “seems like quite a stretch,” he said, and he said that he is worried it might encourage similar claims. “If you start a dating service for African Americans, do you need one for whites and Latinos? If you have one for Jews, do you need one for Christians and Muslims?” According to the Journal, eHarmony faces a similar discrimination claim in a California court, so we might get answers soon enough.

There are a number of interesting legal and practical questions raised by these agreements:

• “Voluntary” Agreements & the Law: Although typically billed as “voluntary” in nature, it seems highly unlikely that any of the companies involved would have made these concessions without  pressure from the state AGs (and sometimes NCMEC) to do so. How binding are these agreements in light of that? Of course, it is unlikely any of the companies involved would (or could) later challenge the validity or scope of these agreements after they had already signed onto them. But what if a free speech or civil liberties group challenged these agreements in court because of their impact on the Internet, online speech, or a certain group of citizens? Would they have a case? Would they even have standing? Where do they have it?
• Precedent & Applicability: Do such agreements constitute precedents that could be applied in other cases or contexts? Could parties not involved in the original agreements — either because they refused or did not yet exist — eventually be covered by them in some fashion? Do these agreements cover services available in the American but hosted entirely overseas?
• Commerce Clause Issues: Do state Attorneys General have the right to impose such quasi-regulatory regimes on an interstate medium like the Internet? Can 50 state AGs impose uniform laws on the Net without any congressional oversight, as was the case in the MySpace and Craigslist agreements? Conversely, what will the impact be of individual state AGs going their own way, as was the case with the eHarmony agreement? If Congress remains silent on the agreements but a group (ex: a civil liberties group) brings a dormant Commerce Clause case, what are their chances of prevailing in court?
• Accountability & Effectiveness: Will anyone in Congress or a federal agency oversee these agreements? How transparent are these agreements when they are brokered behind closed doors or with NCMEC? Does the Freedom of Information Act (FOIA) apply such that records and information can be made public?  What is the benchmark of success when different states adopt different legal regimes for the Net?

I’m not saying I have any good answers here; I’m just trying to get the questions on the table and get a discussion going. I would appreciate any input on the matter, especially of the legal variety. It strikes me that we are in somewhat uncharted waters here, at least for the Internet. On the other hand, I’m sure there have been state AG-related “voluntary” agreements struck in other industries and contexts in the past that might provide some insight into what, if anything, happens next.

What I find most interesting about these developments is that the state AGs appear to be gradually accomplishing what Congress has not been able to do over the past dozen years: To impose a comprehensive regulatory structure on the Internet. But that emerging regulatory structure is highly fractured and piecemeal in nature, and that troubles me. I am particularly concerned about the long-term impact of a 50-state patchwork approach to online regulation — both for speech and commerce. It’s not like we’re talking about the regulation of a corner newsstand here, after all. This is the Internet, and localized regulation of this national — actually global — platform makes me more than a bit nervous.

In closing, I want to again reiterate that I do not necessarily oppose intervention in any of these cases. However, to the extent such regulations do need to be imposed and enforced, it may make more sense for the process to be federalized and NCMEC’s role nationalized and administered by the Federal Bureau of Investigation or some branch of the Department of Justice. There needs to be greater transparency and accountability when matters of child pornography or predation are at issue, and NCMEC’s lack of FOIA-ability in this regard is problematic. I think NCMEC is a fine organization that does very important work to help protect children, but it is work that involves criminal activities and the collection of evidence that could be used in criminal court proceedings. In light of that — and in light of the expanded law enforcement powers being granted to NCMEC — I believe the time has come to have a serious conversation about whether those powers should continue to be housed in a private, non-profit organization, or if they should be transfered to a federal law enforcement agency. Of course, there could be serious downsides associated with the nationalization of those powers, which also should be considered.

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies.  In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.”  [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

• There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
• First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
• Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
• It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
• It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

How We Could Verify Kids, and Why We Should Not Do It

Let’s assume that we want to achieve AG Blumenthal’s “man-on-the-moon” dream of verifying all kids before they go online. How would we do it?  There are really only two solutions: (1) full-blown national ID cards for kids, or (2) tapping school records about kids to somehow age-verify kids (sort of a “National ID card-Lite” scheme).

National ID Cards for Kids

The first scheme is fairly straightforward, but incredibly frightening to those of us who care about civil liberties. Basically, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others — including social networking sites — as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children.  Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into  collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Using the Schools to Help Verify Kids

So, let’s work from the assumption that National ID cards for kids is not going to fly as an online identity authentication solution.  The only other realistic scheme would involve getting the schools involved in the process.  Why?  Because to paraphrase Willy Sutton: “That’s where the data is.”  Schools have more information about our children than probably every other institution or organization combined.  They have very detailed records about kids, their ages and much more, which makes schools a logical candidate for participation in a possible age verification system for minors.  But involving schools in any age verification scheme would raise serious privacy concerns and administrative problems.

Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated?

Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously.

Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents.

But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves).

Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward.  Incidentally, no one from the educational community was present at Harvard this week as these proposals were flying.  Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

How about Parental Permission Slips for Online Verification?

Another potential way to go about online verification is to avoid verifying the kids directly and instead just verify parents (or guardians) and then get them to vouch for their children.  Some age verification advocates are now calling for such parental consent-based forms of child verification.  Specifically, they are now attempting to drive regulation through the prism of the Children’s Online Privacy Protection Act (COPPA) of 1998.

By way of background, COPPA required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. Generally speaking, the goal was to make sure that such websites were not collecting personal information about children without getting parental permission. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a February 2007 report to Congress about the status of the COPPA and its enforcement, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

Nonetheless, what should be evident here is that COPPA’s parental consent framework could serve as a vehicle for pushing through greater regulation of all social networking sites, not just those sites geared toward kids under 13.   Indeed, we have already seen that proposed at the state level.  For example, in the debate that took place over age verification in the North Carolina statehouse last summer, a parental permission-based verification proposal supported by North Carolina Attorney General Roy Cooper was billed as a way to strengthen and expand the COPPA framework.  (Never mind the fact that COPPA is a federal statute, or that the state of North Carolina is likely barred from regulating Internet speech and commerce thanks to the First Amendment and the Commerce Clause of the Constitution!)

In other words, future age verification mandates could arrive in the form of COPPA amendments, or at least cite COPPA’s regulatory framework as precedent.  Specifically, the proposal would be to: (a) extend COPPA’s coverage to kids up to the age of 18 and then (b) broaden the range of SNS sites that are covered by its parental consent requirements.

There are many problems associated with such a proposal, and I will get to some of them in a moment. But here’s the more interesting question that few have asked: Is COPPA really working?  It is very much unclear to me that COPPA actually works as billed, but to the extent it does, it is likely because of the very limited scale and nature of the operations it covers.  As I have said in my past writing on the issue, there is a direct relationship between the size of a site and the likelihood of success in attempting to verify its users / members. Of course, that is hardly surprising.  But let’s get a little more concrete about why that is important.  Here are the two reasons that I believe the COPPA / parental consent regime has generally worked so far, or at least hasn’t failed miserably:

(1) Many smaller sites charge a fee for admission; and

(2) The functionality of those sites is usually tightly limited. They are closed, walled gardens.

Regarding the first point: Obviously, the more a site charges for access, the more likely it is that the parent / guardian pays attention to what their kid is doing.  Of course, that doesn’t mean a bad guy couldn’t still get into those “verified” environments under false pretenses.  And there’s the problem of minors with access to credit cards.  Moreover, even assuming credit cards worked as an age verification method, there is the more practical question of whether lawmakers have the guts to mandate that every social networking site in the land start charging admission for access.  Since almost all SNSs are free-of-charge today, that is not going to be a very popular mandate!

Nonetheless, for very small, niche-oriented social networking sites geared toward younger kids, credit cards and fees are part of the reason people think COPPA has “worked.”  In essence, it acts as a bit of a roadblock or hassle thrown in the way of access, and that gets parents thinking and talking to the kids about those sites. That is the argument put forward by Denise Tayloe of Privo, one of the four FTC-approved COPPA safe harbor providers.   Ironically, Tayloe has noted that one of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites. As a result,” she notes, “databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says.

Despite these problems, Tayloe argues that COPPA serves an important role.  Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that COPPA “provides a platform to educate parents and kids about privacy.”  Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.  And we don’t really have any idea what level of parent-child interaction COPPA incentivizes.  More importantly, we don’t really have any good data regarding the accuracy of claims made pursuant to COPPA’s requirements regarding the relationship between parents and the kids seeking access to the site.  How many people (kids or adults) were able to gain access under false pretenses? We don’t know.

Nonetheless, the operating assumption here is that by creating an added economic hurdle or barrier to entry (in the form of the hassle of filling out paperwork or forms), COPPA gets some parents (perhaps most?) to put more thought into what their kids are doing online, and that somehow improves online safety in larger scheme of things.  The problem is that that does not necessarily mean that their kids are operating in perfectly “secure” or “verified” environments.  The danger is that – to the extent some “bad guys” are getting on those sites under false pretenses – kids and parents may fall prey to a false sense of security after they are told the site is COPPA-verified.  Of course, COPPA wasn’t put on the books to keep “bad guys” away from kids online; it was about keeping site operators from collecting personal information about kids.

The second reason COPPA has “worked” to a limited degree is that SNS sites geared toward younger kids tightly limit functionality.  In essence, the site administrators “cripple” the sort of functionality we find in SNS sites geared toward older kids.  That fact alone makes these sites far less likely to be subject to fraudulent entry or dangerous interactions.   If I am an older teen or a pervert, why would I ever want to gain access to a site that has nothing more than drop-down menus and a few buttons to click on when interacting with others?  Thus, the primary reason that kids are likely safer in those environments has almost nothing to do with COPPA’s parental consent mechanisms and almost everything to do with the fact that most of the sites it covers are tightly controlled walled gardens with very limited functionality.

With these facts in mind, let’s gets back to the ultimate question: What would happen if we tried to apply COPPA to all social networking sites for kids of all ages? The threshold question that would need to be answered remains the same as it does today: How do we verify the parent-child relationship when someone asserts they are the parent or guardian?  That’s a very thorny question.  But let me just list out the many other questions that everyone is overlooking here:

(1) What sort of mechanisms will need to be put in place to guarantee that the parent or guardian is who they claim to be (for both initial enrollment and subsequent visit authentication)?  Sign-and-fax forms can be easily forged, so credit cards (and perhaps mandatory user fees) will likely become the default solution. A third method, follow-up phone calls, just doesn’t seem practical.  But might lawmakers demand a mix of all of the above?

(2) Regardless, how burdensome will those mandates be for parents / guardians?

(3) And how burdensome will those mandates be for SNS site operators? What kind of compliance costs / legal penalties are we talking about?

(4) Will the barriers to site enrollment become economic in character such that it requires previously free social networking sites to charge admission?

(5) If so, could that be a disadvantage to low-income families / youth?

(6) If compliance costs go through the roof for SNS sites, will this be a recipe for massive industry consolidation in order to comply with the mandates?

(7) Who is collecting the massive databases of information created by such a mandate for all SNS? Who has access to that data? What might government use it for?

(8) Will this new regime be applicable to offshore sites? And will kids flock to offshore sites as a result of such mandates on domestic sites? If some do, how will we stop them?

And so on.  Bottom line: The future of age verification battles will likely be increasingly tied up with COPPA and the question of how well parental permission-based forms of authentication might work. It is unlikely, however, that such a framework could be easily applied on “Internet scale.”  There is a world of difference between something like Disney’s “Club Penguin” and MySpace, Xanga or Bebo.  And with social networking capabilities being integrated into every site and service these days — from CNN.com to Microsoft’s Xbox Live service — one wonders how that will magnify the compliance costs and hassles for all involved.  Are parents really going to be expected to verify themselves and then their kids for every “social networking site” their kids want to visit?  That seems unnecessary, unworkable, and potentially counter-productive.

Finally, the irony of a proposal to expand COPPA in this fashion is that lawmakers would be using a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents!  It’s important we not overlook the privacy implications of any effort to expand COPPA to do something it was not originally intended to cover.

Conclusion

It will likely be very difficult for the Technical Task Force to reach consensus on these controversial and complicated issues.  There are many challenging technical, legal, and even philosophical issue in play here.  The problem is that this Task Force is charged with looking at technical solutions and yet most child safety advocates and academics on the Task Force are of the mind that technical solutions are only one part — and probably the smallest part — of the sort of “layered solution” to online child safety that I describe in my book on “Parental Controls and Online Child Protection.” As I argue in that book:

“the best answer to the problem of unwanted media exposure or contact with others is for parents to rely on a mix of technological controls, informal household media rules, and, most importantly, education and media literacy efforts.”

In sum, we need to get serious about talking to our kids about online safety and proper online behavior. Education is the key, and government has a major role to play in that regard in the classroom and through awareness-building efforts. And technical tools that empower parents to better monitor and guide their child’s online experiences can help too. Social networking sites and other online service providers can offer more of those tools and also take additional steps to improve the safety of their sites and encourage a dialog about appropriate and inappropriate online behavior. Again, it’s a multi-layered effort with education and communication at the core of the plan.

It’s not like I am saying anything new here. Indeed, that layered approach was the recommended approach of two previous online safety blue ribbon task force efforts: The 2000 COPA Commission and the 2002 National Academy of Sciences “Thornburgh Commission.” And every major book about online child safety published over the last 5 years has come to the same conclusion.

But that is not likely going to be enough for state attorneys general. There is no other way for me to state this than to just come right out and say it: The AGs are looking for a silver-bullet technical solution to a complex problem they do not fully understand.  And age verification schemes are the technical bullet du jour.

Alas, for all the reasons I have stated here and elsewhere, age verification schemes are likely to fail miserably.  Even if age verification systems worked as billed, it is unlikely that kids would really be any better off.  All the academic research in this field points to a single, inescapable conclusion: The primary danger to kids online is not adult predators, it is other kids.  In particular, it is peer-on-peer harassment and cyber-bullying.   As parents and a society, we have to do more — a lot more — to address that problem.

Age verification schemes, however, aren’t going to help us solve that problem.  Worse yet, by creating the illusion of safety, it could compromise our children’s privacy in the process and create a false sense of security when kids or their parents come to believe they are operating in “trusted” online environments.  For the sake of our children, it is essential we not fall prey to such a fatal conceit.

Facing threats of legal action from New York Attorney General Andrew Cuomo, many ISPs have curbed newsgroup access in the name of fighting child porn. Now, it looks like a big fish is holding out: Comcast.

Good for them. While it’s understandable that other ISPs elected to fold under intense pressure from an overzealous AG with a powerful bully pulpit, Comcast is entirely justified in standing its ground.

It’s not the responsibility of network providers to police their servers for potentially illegal files, as the Communications Decency Act makes clear. The only legal obligation of an ISP is to remove illegal content upon gaining knowledge of its existence on their network. But that hasn’t stopped Cuomo from sending a harsh letter to Comcast threatening to pursue “legal remedies to stop child pornography” if the cable giant doesn’t comply with his terms.

Cuomo wants ISPs to go far beyond merely removing illegal content as it’s discovered. The “voluntary agreement” that New York is pushing on ISPs has already resulted in many providers dropping newsgroup access completely, causing millions of subscribers to lose access to Usenet. Even among users who haven’t been completely cut off from newsgroups, the popular alt.* hierarchy has been disabled, making it nearly impossible to acquire anything larger than text files. The worst part is that the “bad guys” are unaffected by the crackdown on child porn—third-party Usenet servers with uncensored newsgroup access are a dime a dozen these days.

A legal battle with Cuomo might not be cheap, but it’d be worth fighting nevertheless. As I pointed out last month, suppressing speech through so-called “voluntary agreements” likely runs afoul of the First Amendment, and ISPs enjoy immunity under the Safe Harbor provisions of the Communications Decency Act.

Like his notorious predecessor, Andrew Cuomo seems bent on building his image as a crime-fighter through meaningless publicity stunts, even if it means extorting legitimate businesses to the detriment of consumers.

Let’s hope Comcast forces Cuomo to put his money where his mouth is—the future of free speech online may hang in the balance.

The USA Today editorial board published a nasty piece today belittling MySpace.com’s recent efforts to implement more safeguards for its users. Despite the fact that MySpace made over 70 promises to the Attorneys General as part of the agreement–the entire agreement is summarized here–that’s still not good enough for the USA Today’s editorial board, which wants full-blown identity verification before anyone is allowed on a social networking site:

“Even in the absence of a perfect software solution, interim steps are possible. How about using databases of drivers’ licenses to cross-check ages? In more than 20 states, they are public records. The point is, more effective safeguards are needed now, …. MySpace [should be] moving faster to set up age and ID verifications, not just study them.”

Well, where do I begin? I get so frustrated when I see comments like this because it is abundantly clear to me that people don’t think things through when it comes to age verification. As I pointed out in my lengthy PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” age verification is extremely complicated, and it would be even more complicated in this case because public officials are demanding the age verification of minors as well as adults, which presents a wide array of special challenges and concerns.

What Age Verification Really Is: The Death of Online Anonymity We need to begin by understanding what age verification really is. By definition, mandatory age verification represents an effort to make online anonymity a crime. In simple terms, citizens would be forced to “show their papers” at the door of every website or else run the risk of being denied access–simply because they do not want to surrender their name or age.

Think about what that means. It’s easy to take the benefits of online anonymity for granted. There are millions of people who comment anonymously on blogs like this one every day, or write anonymous book or product reviews on Amazon.com or eBay, or who just chat with others about various topics under the cloak of anonymity. It is a wonderful thing.

Of course, anonymity has some downsides. The downside of people speaking their minds freely is that, well, people will speak their minds freely! And, yes, on occasion, that means some people will talk smack and just generally be jerks while disguising their identities because don’t want to stand by their comments or be accountable for them. But that’s the cost of free expression. If you want to live in a free society and encourage a vibrant exchange of views, there will be times when that means we must defend the right of people to say incredibly silly or even insulting things.

And God knows there are plenty of silly and insulting things being said on social networking sites every second of the day. But there are also countless moments of joy and wonder, when people come together and communicate with each other, or share culture with others in incredibly creative and social-beneficial ways. And, again, a great deal of that communication or culture-sharing is done in a completely anonymous fashion.

For example, as I have mentioned here before, I am fanatical about cars and home theater gadgets. I spend a lot of my free time hanging out at a small social networking site for fellow Lotus car lovers called Lotus Talk. And I also spend a fair amount of time at the amazing AVS Forum, which is the world’s biggest chat board for home theater and A/V stuff. On these sites, thousands of random strangers come into contact every day. We create profiles, we post pictures, we share stories, we talk about life and our passions for cars and A/V gadgets. This is very the essence of social networking. And, for the most past, we are all doing it anonymously. And it is happens everywhere online, every second of every day. Do we really want to make it all illegal?

Practical Considerations: The Complexities of Human Identification OK, so there might be some downsides to making anonymity illegal online. But some critics would say: “So what, we need to make people show their papers at the door of every website–at least for those social networking sites where kids hang out–to make sure kids are safe online.” Well, that’s easier said than done.

At least in theory, the problem that age verification is supposed to solve is to keep older people away from youngsters, at least in certain circumstances. Also, some proponents wish to use age verification to ban preteen access to social networking sites. To accomplish either of those objectives, we must be able to effectively verify everyone’s age by consulting reliable records about those looking to create an account on a social networking site. In other words, when Janie Smith comes to a social networking site for the first time, the site must be able to verify not only that she is Janie Smith, but that she really is as old as she claims to be. But, again, such verifying is easier said than done.

Consider first what is required to verify an adult’s identity. When government officials or even corporations seek to verify someone identify or age, they can rely on birth certificates, Social Security numbers, driver’s licenses, military records, home mortgages, car loans, other credit records, or credit cards.

But even with all those pieces of information, challenges remain. Is the information publicly accessible or restricted by legal or other means? Are all the underlying pieces of information and documentation trustworthy, or have they been manipulated or misreported in some way? Has someone faked his or her identity? And so on. Thus, while the identity authentication systems–both public and private–have improved significantly in recent decades, they still face some inherent challenges and concerns about fraud.

The current concern about “identity theft” demonstrates the complexities and level of difficulty involved in stamping out this problem. Even U.S. passports, which are relatively robust identification documents that contain authentication data, are occasionally forged with success. “It is safe to assume that future age verification efforts will yield failures on par with other identification/authentication mechanisms,” says information security expert Jeff Schmidt, former CEO of Authis, Inc.: “When one considers how frequently college students successfully circumvent age verification requirements in person and with government issued documents, one can begin to grasp the challenges that lie ahead.”

Importantly, we’re talking just about adults here. When the focus of identity verification efforts shifts to minors, the endeavor becomes far more complicated. Minors don’t have home mortgages or car loans. They don’t have military records and most have never worked. Most don’t have driver’s licenses or credit cards either.

Of course, minors do have birth certificates, Social Security numbers, and school records, but both parents and government officials have long demanded that access to those records be tightly guarded. That’s for a very good reason: As a society, we take privacy seriously—especially the privacy of our children. Laws and regulations have been implemented that shield such records from public use, including the Family Educational Rights and Privacy Act of 1974 and various state statutes.

Also, to the extent that age verification of adults works for some websites–online dating services, for example–it is important to realize that in most of those cases the users want to be verified. In that context, identify authentication increases marketability of a user’s “profile,” or it allows him or her to participate more actively in an environment where trust is essential. This fact makes it far more likely that age verification will work because user compliance is driven by market forces, not regulation. That compliance will not be the case when users–especially kids–inherently resist the idea of being age-verified before they go onto certain websites. (We should also not forget that some kids will share their online credentials or passwords with friends.)

It is also important to realize that age verification and background checks are not synonymous. Information security expert John J. Cardillo, President and CEO of Sentinel, a leading authentication firm, argues that:

Most people are ignorant of what we do. They hear the words “check” or “verification” and they assume a full background check will be run on the individual. When this is sponsored by an AG, the chief law enforcement officer of their state, there’s a perception that the criminal background checks are inclusive in whatever they’re proposing. Age verification, on its own, doesn’t indicate whether or not a person is a convicted sex offender. Mandated age verification, as proposed, would allow the hundreds of thousands of offenders… who are over 18, unrestricted access to sites. Worse, it would allow these offenders the ability to vouch for children that might or might not exist. This is where it gets most dangerous. People might assume that “verified” users have undergone some type of vetting, and let their guard down just that little bit the offenders need to exploit. In the case of convicted sex offenders, age verification actually helps them by giving them an additional layer of legitimacy.

This points to the danger of creating a false sense of security online by mandating a solution that doesn’t address the real problem.

Finally, the special challenges raised by the nature of the Internet and online communication must be reiterated. Finding a dependable source of identity or age information and then reliably matching it to someone thousands of miles away on the Internet (perhaps in another jurisdiction, or even another country) is a daunting challenge—made even more difficult by the fact that a remote individual may be actively attempting to subvert the age verification process. Solving this problem necessitates authentication data that are appropriate for online interaction. In the real world, we perform in-person authentication with a photo or physical description; the online world requires a username/password combination, biometric authenticator, or physical security token. An arms-race scenario is obviously at work here, and because a perfect solution is impossible, we must guard against a false sense of security. Lastly, because technology is evolving at such a rapid pace in this area, there is a risk that legislative solutions will become obsolete very rapidly.

In light of those complications, how would government, social networking sites, or anyone else, go about age-verifying minors online?

Do We Really Want National ID Cards for Kids? In the extreme, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others—including social networking sites—as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children. Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into to collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Sources of Age Information Thus, if social networking sites are going to age-verify minors, they will likely need to devise or rely on some other, nongovernmental solution. The most commonly proposed solutions typically fall into the following groupings:

(1) Credit cards as approximate age proxies; (2) Driver’s licenses as approximate age proxies or as a source of date of birth; (3) Birth certificates as a source of actual date of birth; (4) Parents or guardians vouching for minors; (5) Schools vouching for minors; (6) Third parties vouching for minors; and, (7) Biological or biometric determination of age.

I won’t summarize all them here since I do so in my longer PFF report on the issue. But let me just point out the deficiencies of the two leading proposals: Credits cards and parents vouching for children.

(1) Credit Cards as Approximate Age Proxies: Credit cards are often viewed by policy makers as the silver bullet solution for age verification. Even though credit card companies typically do not wish their cards to be used as age verification tools, government has advocated their use in that way in the past. But they are not a silver bullet.

“Mere possession of a credit card is not a reliable assertion of identity or age,” argues Jeff Schmidt. Credit cards can be a rough proxy for age on the assumption that only adults over the age of 18 have credit cards, but that assumption is false. Many minors are given credit cards by their parents. Youngsters can borrow or steal credit cards from their parents or others. And Schmidt notes that newly created stored value cards, specifically marketed for use by children, “are in many cases indistinguishable from actual credit cards—both in physical appearance and in the back-end transaction processing systems.” Sentinel’s John Cardillo points out additional reasons why credit cards are not effective age verification tools:

When a card is used for verification purposes, an authorization on that card is run for $1.00 (or less), however a charge isn’t put through. The card typically isn’t reconciled against any database for name and/or age, nor is a signature checked. Because of the insignificant dollar amount, the only thing that’s checked for security purposes, in some instances, is zip code. Anyone who’s ever bought gasoline with a credit card knows this to be true. Our names and ages aren’t checked at the pump. Check your statement online next time you gas up. You’ll see an authorization for $1.00 and the actual charge a few days later. The same merchant banks handle the transactions online. In other words, in most cases, all that’s being verified is that the card account isn’t closed or stolen. Who’s using it is irrelevant.

Moreover, “many parents may feel uncomfortable giving their credit card number online at children’s Web sites where there is no [commercial] transaction involved,” notes a coalition of major commercial organizations, including the American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, The Direct Marketing Association, Inc., and Magazine Publishers of America. In a June 2005 filing to the Federal Trade Commission, those organizations noted that “in light of current online scams, heightened concerns about online security, and the rise of such practices as phishing, parents may be reluctant to provide credit card numbers absent a transaction.” But that begs the question: If lawmakers require social networking sites to process a financial transaction to age-verify, is that fair? In particular, is it fair for low-income families? And what about those families that do not possess a credit card?

Finally, the law is not even settled about using credit cards for access to adult-oriented websites. The Child Online Protection Act (COPA) was passed by Congress in 1998 in an effort to restrict minors’ access to adult-oriented websites. The measure provided an affirmative defense to prosecution if a website operator could show that it had made a good faith effort to restrict site access by requiring a credit card, adult personal identification number, or some other type of age-verifying certificate or technology. But the legislation was immediately challenged and has gone to the Supreme Court for review twice. And the law is still being debated in a lower court. Thus, almost 10 years after its initial passage, the legislation remains stuck in jurisprudential limbo after endless legal wrangling about its constitutionality.

Incidentally, COPA established an expert Commission on Online Child Protection to study methods for reducing access by minors to harmful material on the Internet. As part of its final report, the COPA commission said that credit card-based age verification would be completely inappropriate for instant messaging and chat, which were the precursors of social networking. The commission found: “This system’s limitations include the fact that some children have access to credit cards, and it is unclear how this system would apply to sites outside the U.S. It is not effective at blocking access to chat, newsgroups, or instant messaging.”

(2) Parents or Guardians Vouching for Minors: Legislation has been floated in a few states, such as North Carolina, that would make it illegal for a minor to maintain an account or webpage on a social networking site “without the permission of the minor’s parent or guardian and without providing such parent or guardian access to such profile web page.” Similar measures were recently introduced in North Carolina and Connecticut that would require social networking sites not only to obtain parental approval but also take steps to verify that they are the actual parents of the child.

This approach will appeal to many because it can be likened to a parent signing a “permission slip” for a child. Unfortunately, parental permission-based approaches are more complicated for online activities. Because websites are far away from the parents, how is the site operator going to ensure that the person vouching for the child’s age is really the parent or even an adult? Would the verifier mail or fax notarized documents? Those documents can be forged, of course. Mandatory follow-up phone calls would be cumbersome, costly, and potentially viewed as intrusive. And the use of credit cards to satisfy the permission requirement might raise some of the same problems already discussed above.

Despite these potential drawbacks, this was the general framework established by the Children’s Online Privacy Protection Act (COPPA) of 1998, which required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods mentioned above to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a recent report to Congress, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

And the marketplace experience with COPPA so far reflects that conclusion. One of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites,” notes Denise G. Tayloe, CEO of Privo, Inc., one of the four FTC-approved safe harbor programs. “As a result, databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says. Parry Aftab of Wired Safety confirms this, noting that: “Preteens quickly learned that if they say they are under thirteen they will be prohibited from using many sites. So they regularly lie about their age everywhere online.”

Despite these flaws, Tayloe argues that COPPA serves an important role. Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that the law “provides a platform to educate parents and kids about privacy.” Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.

Nonetheless, these permission-based verification schemes might work reasonably well for smaller, closed online communities in which the kids and parents are willing to take the time (and expense) to undertake extensive authentication. For example, smaller social networking sites such as ZoeysRoom.com, Imbee.com, ClubPenguin.com, and Tweenland.com have extremely strict enlistment policies, primarily because they target or allow younger users. As Sue Shellenbarger of the Wall Street Journal explains:

The under-16 sites pose few of the hazards linked to networking sites for older people. The activities range from chats and blogging to creating virtual pets or characters and acting out roles in virtual cities. For a child to register, the sites typically require a parent’s email permission, a parental signature on a permission form, or a parent’s credit card verification. Some limit young children’s interchanges to drop down menus of preapproved words and phrases. Most filter content for inappropriate material and employ live adult monitors who ensure that kids’ conversations don’t stray off course. Some limit chats or blog access to participants who are already preapproved and already known to a child’s family.

Ironically, one can probably safely assume that the kids using such services are not in the high-risk group discussed earlier. The parents who use such services are probably doing a fine job of mentoring their kids and don’t really need to resort to such restrictive solutions. Nonetheless, such highly restrictive “walled garden” approaches do provide parents with greater ease of mind. That’s not necessarily because of the strict enlistment policies so much as the extreme limitations on what kids can do on those sites or with whom they can communicate while online.

But regardless of how well the above-mentioned parental consent schemes work in practice for these smaller, more closed online communities–and some experts, like Cardillo, do question how well they actually work–such solutions lack scalability. Schemes that demand laborious and expensive enrollment requirements, or that greatly limit functionality and interactivity after users sign up, will almost certainly not work for larger social networking sites with a massive community of users. The administrative burdens would be significant for both site operators and parents alike. For example, Parry Aftab notes that COPPA has made it much more difficult for some smaller website operators to staff afloat. “The cost of obtaining verifiable parental consent for interactive communications is very high, estimated at more than $45 per child, and even at that price [consent is] difficult to obtain.”

And because users would sacrifice a great deal of autonomy and functionality once online, many would likely rebel against the system or would seek to subvert it in some fashion. If such a system significantly slows or impedes the creation of new accounts for domestic social networking sites, it will create a perverse incentive for kids to seek other sites with less-restrictive policies, including offshore sites.

Conclusion There are many other issues I haven’t mentioned here that deserve consideration. I’ll just check off a few:

• Assuming we go through with this, who is aggregating all this data? Who has access to the databases? How might that data be used?

• Is all this constitutional? Won’t there be First Amendment or privacy cases brought that endlessly complicate implementation?

• Will kids just flock off-shore to unregulated sites in an effort to reclaim some of the independence they have lost through by surrendering anonymity on U.S.-based sites? What are the consequences of that? Do parents or American policymakers really have any leverage over shady websites operators in Antigua?

• Aren’t there better ways to use our resources? How about focusing our time, energy and resources on educating kids about online risks and deal with these concerns in more constructive ways?

You get the point: Age verification is complicated. Insanely complicated. And it would have enormous costs and profound ramifications for the future of online speech and privacy. We must never forget that government regulation–no matter how well-intentioned–can often have such unintended consequences. It’s a lesson that the USA Today and many others need to heed before they flippantly suggest that age verification is a piece of cake and it’s just a matter of MySpace or someone else throwing a switch to magically make it happen.

Not. That. Simple.

This morning in New York City, social networking website operator MySpace.com announced a major joint effort with 49 state Attorneys General aimed at better protecting children online. (Coverage at CNet, NYT and Forbes). At a joint press conference, MySpace and the AGs unveiled a “Joint Statement on Key Principles of Social Networking Safety” involving expanded online safety tools, improved education efforts, and law enforcement cooperation. They also agreed to create an industry-wide Internet Safety Technical Task Force to study online safety tools, including a review of online identity authentication technology. Generally speaking, the agreement is step forward for online safety. Indeed, many of the principles in the agreement could form a potential model “code of conduct” that other social networking sites could adopt. In a report I authored for the Progress & Freedom Foundation in August 2006, I argued that it was vital for companies and trade associations to take steps such as this to avoid the specter of government regulation or censorship:

All companies doing business online… must show policymakers and the general public that they are serious about addressing [online safety] concerns. If companies and trade associations do not step up to the plate and meet this challenge soon—and in a collective fashion—calls will only grow louder for increased government regulation of online speech and activities. What is needed is a voluntary code of conduct for companies doing business online. This code of conduct, or set of industry “best practices,” would be based on a straight-forward set of principles and policies that could be universally adopted by [a] wide variety of operators…

In particular, this code of conduct proposal called for companies to make specific pledges regarding improved online safety tools, expanded education / media literacy efforts, and ongoing assistance to law enforcement regarding investigations of online crimes.

The Agreement

MySpace responded to this challenge in impressive fashion with its announcement today. The agreement touched upon all of those elements and included the following “Principles of Social Networking” (as described in a MySpace press release):

• Site Design and Functionality: The Principles incorporate safety initiatives that MySpace has already implemented and initiatives it will work to implement in the coming months. Examples of safety features MySpace has in place include reviewing every image and video uploaded to the site, reviewing the content of Groups, making the profiles of 14 and 15 year old users automatically private and protecting them from being contacted by adults that they don’t already know in the physical world, and deleting registered sex offenders from MySpace. Examples of improvements MySpace will make include defaulting 16 and 17 year old users’ profiles to private and strengthening the technology that enforces the site’s minimum age of 14.

• Education and Tools for Parents, Educators and Children. The Principles acknowledge that MySpace has already been devoting meaningful resources to Internet safety education including a new online safety public service announcement targeted at parents and free parental software that is under development. MySpace will explore the establishment of a children’s email registry that will empower parents to prevent their children from having access to MySpace or any other social networking site. In addition, under the Principles MySpace will increase its communications with consumers who report a complaint about inappropriate content or activity on the site.

• Law Enforcement Cooperation. The Attorneys General view MySpace’s cooperation with law enforcement, which includes a 24-hour hotline, to be a model for the industry. The parties will continue to work together to enhance the ability of law enforcement officials to investigate and prosecute Internet crimes.

• Online Safety Task Force. As part of the Principles, MySpace will organize, with the support of the Attorneys General, an industry-wide Internet Safety Technical Task Force to develop online safety tools, including a review of identity authentication tools. While existing age verification and identity products are not an effective safety tool for social networking sites, the Task Force will explore all new technologies that can help make users more safe and secure including age verification. The Task Force will include Internet businesses, identity authentication experts, non-profit organizations, academics and technology companies.

The agreement then goes on—in the form of two appendices—to detail over 70 specific steps that MySpace will take to expand upon these principles. As part of the agreement, MySpace agreed to:

• Implement “age locking” for existing profiles such that members will be allowed to change their ages only once above or below the 18 year old threshold. Once changed across this threshold, under 18 members will be locked into the age they provided while 18 and older members will be able to make changes to their age as long as they remain above the 18 threshold. MySpace will implement “age locking” for new profiles such that under 18 members will be locked into the age they provide at sign-up while 18 and older members will be able to make changes to their age as long as they remain above the 18 threshold.

• Users able to restrict friend requests to only those who know their email address or last name. “Friend only” group invite mandatory for 14 and 15 year olds. “Friend only” group invite by default for 16 and 17 years olds. Users under 18 can block all users over 18 from contacting them or viewing their profile. Users over 18 will be limited to search in the school section only for high school students graduating in the current or upcoming year. Users over 18 may designate their profiles as private to users under 18, and users under 18 may designate their profiles as private to users over 18.

• Change the default setting for 16-17 year olds’ profiles from “public” to “private” and create a closed high school section for users under 18. The “private” profile of a 16/17 year old will be viewable only by his/her “friends” and other students from that high school who have been vouched for by another such student. Students attending the same high school will be able to “Browse” for each other.

• Obtain a list of adult sites on an ongoing basis and sever all links to those sites from MySpace. They will also demand that adult entertainment industry performers set their profiles to block access to all under 18 users and remove all under 18 users from profiles of identified adult entertainment industry performers.

And that just scratches the surface. There is much more to the agreement. In fact, it is difficult to imagine how MySpace could have gone any further to satisfy the online safety concerns raised by AGs or other public policymakers. Indeed, some MySpace users will likely protest that some of the changes go too far. That’s especially clear after reading some of the other technical details of the proposal included in the two appendices.

E-Mail Registry

For example, in the technical appendix summarizing the design and functionality initiatives that MySpace has agreed to consider, they say they will pursue a new “children’s e-mail registry”:

[MySpace will] engage a third-party to build and host a registry of email addresses for children under 18. Parents would register their children if they did not want them to have access to MySpace or any other social networking site that uses the registry. A child whose information matches the registry would not be able to register for MySpace membership.

That proposal might raise some eyebrows since it is unclear how that registry would work and what, if any, privacy / security concerns it might raise. Of course, other critics will argue that such a system will be easily circumvented or tricked. After all, how does MySpace know that the person submitting an e-mail is child’s real parent? And what about multiple e-mail accounts? It’s fairly easy to get a free e-mail account these days. But, if the system somehow did work as billed, it would raise serious questions about who has access to that e-mail registry and how secure the database was.

The agreement also contains a number of restrictions on access by minors to specific types of content, or to other users or groups on MySpace. Viewed in isolation, those restrictions seem fairly reasonable—especially those dealing with access by minors to adult areas (ex: “swingers” clubs or the “Romance and Relationship Forum and Groups”). Taken together, however, the growing list of site restrictions might be viewed by many young users as an impediment to their social networking activities. Many parents and policymakers will like the sound of that, of course. But where might those users go if they are frustrated by the growing number of restrictions imposed on their online activities? This is indicative of the difficult position MySpace finds itself into today: They are piling on additional restrictions and safeguards in the name of online safety to satisfy the concerns raised by many parents and policymakers. But if these initiatives impose too many encumbrances on social networking activity and interactions it could undermine the very purpose of the site and its value to members.

This explains why MySpace is eager to get other social networking sites to adopt policies similar to those found in the agreement it struck with the AGs. Obviously, MySpace would prefer not be the only website stuck with these burdens. Moreover, it probably does not want other sites to have an unfair competitive advantage in terms of more lax operating restrictions. Of course, even if every domestic social networking site adopted stricter policies along the lines of what MySpace agreed to, there will always be offshore alternatives for youngsters to choose from. This is the tricky balance that complicates all debates about online child safety today: How do we create sensible online policies without encouraging kids to operate completely surreptitiously in a “digital underground,” especially shady offshore environments?

Age Verification

Generally speaking, however, MySpace struck the right balance with most of the other proposals in the agreement with the AGs, especially considering the pressure they were under from some policymakers to go much further. In that regard, the agreement with the AGs is especially notable for what it does not include: age verification mandates. The call for an Internet Safety Technical Task Force to study online safety methods and identity authentication tools is a sensible alternative to the rush to mandate age verification, which some AGs have been advocating vociferously over the past two years.

Hopefully the task force will provide critical examination of the issue and not simply begin with pre-ordained conclusions about the wisdom or effectiveness of online age verification techniques and technologies. At the press conference announcing the agreement, however, Attorneys General Roy Cooper of North Carolina and Richard Blumenthal of Connecticut seemed to imply that that the goal of the task force would be to develop and implement a full-blown age verification system for the Internet. “We are going to find and develop online identity authentication tools,” said AG Cooper. And AG Blumenthal reiterated an argument he made ad nauseum last year when he argued that, “if we can put a man on the moon” then we ought to be able to verify the ages of people when they go online. [I first heard AG Blumenthal make this argument when I debated him and AG Cooper at a NCMEC conference two years ago. Here’s the summary of my response that day.]

But it’s just not that simple. As I argued in a lengthy PFF study last year entitled, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” there are no silver bullet age verifications solutions. Online authentication is a complicated, multi-faceted technical issue. And, even assuming we could find a way to make it work, there are many other considerations that must be taken into account, such as the burden it might impose on freedom of speech or individual privacy.

The danger, therefore, is that the AGs have preconceived notions about the wisdom and efficacy of age verification mandates, and that they will either seek to stack the deck on the task force with age verification advocates or pressure the task force to adopt mandatory age verification without thoroughly studying the issue. Again, that would be a serious mistake and it would also likely give rise to legal challenges.

Education & Empowerment

The better approach is to focus on other steps that actually will keep kids safe online. As I have argued in my book on Parental Controls and Online Child Protection: A Survey of Tools and Methods, the best solution to online safety concerns is what I call the “3-E Solution: which stands for “education, empowerment, and enforcement.”

Luckily, there’s a great deal of that included in the MySpace agreement with the AGs. MySpace has pledged to “continue to dedicate meaningful resources to convey information to help parents and educators protect children and help younger users enjoy a safer experience on MySpace.” In particular, MySpace will “engage in public service announcements, develop free parental monitoring software, and explore the establishment of a children’s email registry.”

The importance of education initiatives cannot be overstated. Technical solutions, such as those the AGs clearly favor, will always suffer from inherent limitations and will often be circumvented. Education, by contrast, lasts a lifetime. We need to be teaching our kids how to be good cyber-citizens and how to identify and report legitimate online threats (predators, bullies, scam artists, etc). It is my belief that today’s youth are far more savvy and sensible about these threats than most adults or policymakers give them credit for. Nonetheless, it is important to be vigilant about online safety education and etiquette in an attempt to teach kids—especially more “at-risk” youth who might be susceptible to online threats—basic life lessons about sensible cyberspace behavior and interactions.

Conclusion

Despite the handful of concerns raised above, the MySpace agreement serves as a model for what other social networking companies and online operators could do if they wanted to get more serious about promoting Internet safety. MySpace has done about all it can to be responsive to the demands of parents and policymakers.

Of course, it could be true that no matter how much the company does to improve parental control tools or educate the public, some parents may never take advantage of those tools or information. This remains one of the great mysteries of the parental controls debate: Why is it that so many parents say they want more and better controls and strategies, but when they are made available many of them choose not to use them?

Regardless, if for whatever reason, parents are not taking advantage of these tools and options, their inaction should not be used to justify government regulation as a surrogate for household choice / parental responsibility. Parents have been empowered. It is now their responsibility to take advantage of the tools and controls at their disposal to determine what is acceptable in their homes and in the lives of their children.

MySpace should be applauded for its new statement of principles and its impressive efforts to empower and educate both parents and children about online safety while assisting law enforcement when necessary to root out the real bad guys lurking online.

As Braden mentioned, we were both down in Raleigh, North Carolina this week testifying at a big hearing on mandatory age verification for social networking sites.

It was quite a heated battle. The legislation, SB 132, was supported at the hearing by North Carolina attorney general Roy Cooper, several of his staff attorneys, a couple of NC senate lawmakers, and some folks from Aristotle, a company that claims it has devised a workable age verification solution for social networking purposes. A vote on the proposal was delayed and we’re still awaiting the final outcome.

Down below, I have attached the outline of my remarks in which I argued that age verification mandates would actually make kids less safe online. Here’s why:

1) Age verification is not synonymous with a background check.

• Are citizens being lead to believe that age verification guarantees them perfectly safe online environments? After all, even if the verification process gets the age part of the equation right, it tells us little else about the person being verified.

• Incidentally, what happens when the parent being verified is a predator using their child to create false credentials? Unfortunately, we know that some predators have children.

• This gets to the primary concern in this debate: The very real potential exists that we are creating solutions that inject a false sense of security in parents and children alike.

2) Even assuming we do not encounter problems with the initial sign-up phase and procedures, questions remain about follow-ups and subsequent validations.

• Will parents be asked to fill out and submit paperwork routinely to verify their identity (or their child’s) on an ongoing basis? Will parents be expected to take phone calls from dozens of social networking sites (or call sites themselves) to continue authorization? Will parents tolerate that?

• If the sign-up and subsequent authentication process proves cumbersome and time-consuming, will this encourage kids to search out less trustworthy “underground” or offshore websites?

• How are we going to regulate those offshore sites? Also, could new regulations drive domestic operators offshore?

• In sum, the sheer scale of the Net and online activities greatly complicate the enforcement of age verification schemes, especially those of the parental permission-based variety.

3) Will age verification mandates encourage the rise of an illegal black market in credentials?

• Will kids share or even sell their online credentials, such as their user name and passwords, to others who desire them?

• Certainly kids won’t just stop trying to get onto social networking sites. Are we going to punish kids (or prosecute their parents) for evasion? And, again, will kids look to offshore sites?

4) There are serious privacy issues at stake here, and those issues could give rise to other problems.

• Requiring all parents to be verified before their children can go online will obviously be seen by some parents as intrusive and a potential violation of their privacy.

• If some parents resist such regulations or refuse to submit to such verifications, what will their kids do? Again, it might encourage kids to seek out false credentials of to visit offshore sites.

• Incidentally, who has access to all this new information about parents and children that the government is requiring that social networking operators collect? Do we want online operators creating massive new databases of information about us or our kids if better alternatives exist?

Bottom line: The inherent danger of age verification regulation is that it: • results in unintended consequences or solutions that don’t solve the problems they were intended to address; • creates a false sense of security that might encourage some youngsters (or adults) to let their guard down while online; and • creates potential incentives to push mainstream social networking sites offshore. No matter how bad parents or policy makers think social networking sites are today—and, in reality, the sites are not nearly as bad as they imagine—those sites are infinitely superior to potentially shady offshore websites that are completely unaccountable to U.S. officials. And the domestic sites are more accountable to the general public and are responsive to press scrutiny.

In sum, there are no silver bullet solutions. Instead, we need a multi-prong, layered strategy…

Better approach to online child safety = The “3-E Solution”: Education, Empowerment, and Enforcement

“Education” refers to not only the need for K-12 information literacy efforts but also, more broadly, to the need for comprehensive online safety instruction and awareness-building efforts. Governments at all levels need to take an aggressive role here.

“Empowerment” refers to the importance of providing parents with more and better tools to make informed decisions about media and communications tools in their lives of their children. Government can facilitate these efforts in partnership with industry and non-profit organizations. For example, helping to make parents more aware of Internet monitoring tools and strategies would be one of the most constructive solutions.

“Enforcement” refers to stepped up law enforcement efforts to find and adequately prosecute child predators. It is essential that law enforcement officials receive the resources and training necessary to adequately monitor online networks for predators and to bring them to justice when they are found. For example, law enforcement agencies need sophisticated computer forensic labs and skilled experts to help investigate online crimes. And they need to be trained to conduct proper sting operations to find predators before they harm our children. Finally, much longer prison sentences are needed for child predation.

[For additional information, please see my March study, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”]

In late March, I hosted a congressional seminar entitled “Age Verification for Social Networking Sites: Is It Possible? And Desirable?” I brought together 5 experts in the field to debate the issue, including:

• John Cardillo, President & CEO, Sentinel
• Jay Chaudhuri, Special Counsel to North Carolina Attorney General Roy Cooper
• Raye Croghan, Vice President, IDology, Inc.
• Tim Lordan, Executive Director, Internet Education Foundation
• Jeff Schmidt, CEO, Authis

It was an outstanding discussion and I’m happy to report that the transcript is now available online here. Also, you can listen to the audio from the event here. Also, you can find the big study of mine that we discussed that day here.

Jennifer Medina of the New York Times penned an article yesterday on the debate over social networking fears leading to calls for age verification mandates. She noted that measures are moving in several states that would require social networking sites to age-verify users before they are allowed to visit the sites or create profiles there. But Medina also noted that there are many difficult questions about how age verification would work and how “social networking” would even be defined. (I summarize these questions in my recent PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”)

Ms. Medina was also kind enough to interview me for the story and she summarizes some of what I had to say in her piece. In a nutshell, I stressed that the most effective way to deal with this problem is to get serious about dealing with sex offenders instead of trying to regulate law-abiding citizens. We need to be locking up convicted sex offenders for a lot longer in this country to make sure they behind bars instead of behind keyboards seeking to prey on our children.

I also stressed the importance of online safety education as part of the strategy here. But my comments on that didn’t make the cut in the story. But you can read my big recent paper on this issue for additional details.

Lisa Lerer of Forbes was nice enough to do a feature story this week about my views on the panic over social networking and the push for age verification of such sites. Her piece is entitled “Why MySpace is a Safe Space,” and begins as follows: “Adam Thierer doesn’t look like much of a revolutionary. But last month he challenged both Washington and conventional wisdom with a fairly radical proposition: Perhaps MySpace and the Internet aren’t so scary for kids, after all.”

I don’t really regard what I’ve been saying in my recent essays or big new PFF study as “revolutionary.” Rather, if you spend any time studying this issue and these sites in a dispassionate, educated way, I think the conclusions I draw seem quite reasonable. Unfortunately, I don’t think many policy makers or critics have spent any serious time on these sites or seriously explored the relative danger of online social networking sites relative to offline social networking places. A classic “moral panic” has developed because of this: An older generation fears a new medium that it does not use or understand.

Anyway, read my discussion with Lisa for more details.

I’m putting the wraps on a big paper on the dangers of mandating age verification for social networking websites. One of the questions I ask in the study is exactly how broadly “social networking sites” will be defined for purposes of regulation? Will chat rooms, hobbyist sites, listservs, instant messaging, video sharing sites, online marketplaces or online multiplayer gaming sites qualify? If so, how will they be policed and how burdensome will age-verification mandates become for smaller sites? Finally, does the government currently have the resources to engage in such policing activities since almost all websites now have a social networking component? I explore these and other questions in my paper.

But now I have another type of site to add to list, and not one that I originally gave much consideration to: online newspapers. Over the weekend, the USA Today relaunched its website, not only to freshen up its look, but also to fundamentally change the ways the site works. According to the editors, the new features of the site will give readers the ability to:

• Scan other news sources directly on USATODAY.com; • See how readers are reacting to stories; • Recommend stories and comments to other readers; • Comment directly on stories; • Participate in discussion forums; • Write reviews (of movies, music and more); • Contribute photos; • Better communicate with USA Today staff.

Other bloggers were quick to note that the newspaper is essentially trying to refashion itself as a social networking site. Some wonder whether a newspaper can really be a social networking site. Others point out that traditional newspaper readers may resist such changes for a variety of reasons. (Don Dodge points out that 92% of reader responses have been negative so far).

But let’s ignore all that for a moment and get back to the question I posed in the title of my post: If USA Today is billing itself as a social networking site–or if others argue that it represents a social networking site–will the company be required to age-verify users before they visit the site?

Well, that depends on how the age verification regs would get written, of course. But one definition has already been suggested under the proposed “Deleting Online Predators Act” (DOPA), which would ban such sites in publicly funded schools and libraries. Under DOPA, “Commercial Social Networking Websites” are defined as any site that: “(a) allows users to create web pages or profiles that provide information about themselves and are available to other users; and (b) offers a mechanism for communication with other users, such as a forum, chat room, email, or instant messenger.”

Keeping that definition in mind, let’s check out some more material from the USA Today’s “Quick Guide to New Features.” Specifically, look at sections on this page about “personal spaces” and “avatars”:

Personal space: When you become a member, we automatically establish a personal profile page. As you interact with the USA Today community, your comments, recommendations and other contributions are automatically appended to your page. Your profile page includes a place for you to upload photos, write a blog, and the ability to send messages to other users. These pages allow readers to get a better sense of the site’s most active contributors. Avatar: Every one of our pages features a spot just for you: up there in the right-hand corner. That’s where you’ll be notified of messages left by other readers. Make yourself at home. Upload a picture of yourself, a funny icon, or choose from our selection of ready-made avatars.

Sounds a heck of lot like a social networking site to me. And if it was defined as such by lawmakers, it could mean that (under DOPA) access to the USA Today would need to be banned in public schools and libraries and that everyone would need to be age-verified before they go on the new USA Today website in their own homes. Welcome to the world of unitended regulatory consequences!

Additional Reading:

“Social Networking Websites & Child Protection: Toward a Rational Dialogue,” by Adam Thierer, Progress & Freedom Foundation Progress Snapshot 2.17, June 2006.

“Is MySpace the Government’s Space?,” by Adam Thierer, Progress & Freedom Foundation Progress Snapshot 2.16, June 2006.