Filings are due to the Federal Trade Commission (FTC) today as part of its review of the Children’s Online Privacy Protection Act (COPPA) and the COPPA rule that the FTC devised and enforces. I didn’t have time to pen as much as I wanted, but I did submit a short filing to the agency in the matter based on some of my previous work both with Berin Szoka and on my own. Here’s the executive summary for my filing:
It goes without saying that the Children’s Online Privacy Protection Act (COPPA) is complicated law and rule. When considering the rule and proposals to amend it, it is easy to get lost in the weeds and ignore the bigger picture. That would be a mistake. There are broader, more important questions that need to be asked as part of the Federal Trade Commission’s effort to expand this regulatory regime. These questions involve not only the costs of increased regulation for online business interests, but the impact of expanded regulation on market structure, competition, and innovation. More importantly, these questions cut to the core of whether the public (including children) will be served with more and better digital innovations in the future. There is no free lunch. Regulation—even well-intentioned regulation like COPPA—is not a costless exercise. There are profound trade-offs for online content and culture that must always be considered.
Whatever one thinks about the effectiveness or sensibility of the COPPA regulatory model for the Web 1.0 world, it is clear that the regime is being strained by the unforeseen realities of the Web 2.0 world of hyper-ubiquitous connectivity and user-generated content creation and sharing. The digital genie cannot be put back in the bottle. While COPPA may continue to have a marginal role to play in this rapidly evolving world, that role will likely be increasingly limited by the inherent realities of the information age.
Entire filing can be found on the Mercatus website, on SSRN, or via Scribd [Also embedded below in a Scribd reader.] Continue reading →
Yesterday, the Federal Trade Commission (FTC) hosted an all-day workshop on “Protecting Kids’ Privacy Online,” which looked into the Children’s Online Privacy Protection Act of 1998 (COPPA) and challenges posed to its enforcement by new technological developments. The FTC staff did a nice job bringing together and moderating 5 panels worth of participants, all of whom had plenty of interesting things to say about the future of COPPA. But I was more struck by what was not said yesterday. Namely, there was:
- ZERO explanation of the supposed harms of advertising, marketing, and data collection. Advertising-bashing is an old sport here in Washington, so I guess I should not have been surprised to hear several panelists yesterday engaging in teeth-gnashing and hand-wringing about advertising, marketing, and the data collection methods that make it possible. But this grousing just went on and on without any explanation by the critics of the supposed harms that would result from it.
- ZERO appreciation of the benefits of advertising, marketing, and data collection. Not once yesterday — NOT ONCE — did anyone pause to ask what it is that makes all these wonderful online sites, services and content free (or dirt cheap) to consumers. Everyone at this show was guilty of the “manna fallacy” (that all this stuff just falls magically to Earth from the Net Gods above). Well, back here in the real world, something has to pay for all those goodies, and that something is advertising and marketing, which are facilitated by data collection! Or would you like to pay $19.95 a month for each of those currently free sites and services? Yeah, I didn’t think so.
Continue reading →
What Unites Advocates of Speech Controls & Privacy Regulation? [pdf]
by Adam Thierer & Berin Szoka
The Progress & Freedom Foundation,
Progress on Point No. 16.19
Anyone who has spent time following debates about speech and privacy regulation comes to recognize the striking parallels between these two policy arenas. In this paper we will highlight the common rhetoric, proposals, and tactics that unite these regulatory movements. Moreover, we will argue that, at root, what often animates calls for regulation of both speech and privacy are two remarkably elitist beliefs:
- People are too ignorant (or simply too busy) to be trusted to make wise decisions for themselves (or their children); and/or,
- All or most people share essentially the same values or concerns and, therefore, “community standards” should trump household (or individual) standards.
While our use of the term “elitism” may unduly offend some understandably sensitive to populist demagoguery, our aim here is not to launch a broadside against elitism as
Time magazine culture critic William H. Henry once defined it: “The willingness to assert unyieldingly that one idea, contribution or attainment is better than another.”[1] Rather, our aim here is to critique that elitism which rises to the level of political condescension and legal sanction. We attack not so much the beliefs of some leaders, activists, or intellectuals that they have a better idea of what it in the public’s best interest than the public itself does, but rather the imposition of those beliefs through coercive, top-down mandates.
That sort of elitism—elitism enforced by law—is often the objective of speech and privacy regulatory advocates. Our goal is to identify the common themes that unite these regulatory movements, explain why such political elitism is unwarranted, and make it clear how it threatens individual liberty as well as the future of free and open Internet. As an alternative to this elitist vision, we advocate an empowerment agenda: fostering an environment in which users have the tools and information they need to make decisions for themselves and their families. Continue reading →
Whenever I pen anything about the dangers of age verification mandates for the Internet and social networking sites, I always point to Federal Trade Commission (FTC) reports about rising identity theft complaints. For the ninth year in a row, identity theft was the number one consumer complaint to the agency.
Now, imagine how much worse this problem could get if government mandated that everyone had to be “verified” before they were allowed to visit a social networking site, however that ends up being defined. Such a mandate would exponentially increase the amount of personal information — especially credit card information — that was available to identity thieves. Age verification advocates often ignore this problem when making the case for regulation.
Worse yet, much of the information that would be made available via such mandates would be personal information about children, which makes for a very attractive target for identity thieves since those records are rarely checked until the kids get much older and start applying for things. At least most adults typically learn they have been the victim of ID theft shortly after it occurs, allowing them to take steps to deal with the situation. With kids, their records could be milked for years by bad guys without them or their parents ever knowing it.
What would it take to create a more secure Internet? That’s what John Markoff explores in his latest New York Times article, “Do We Need a New Internet?” Echoing some of the same fears Jonathan Zittrain articulates in his new book The Future of the Internet, Markoff wonders if online viruses and other forms of malware have gotten so out-of-control that extreme measures may be necessary to save the Net. Compared to when cyber-security attacks first started growing over 20 years ago, Markoff argues that:
[T]hings have gotten much, much worse. Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.
Like many others, Markoff fingers anonymity as one potential culprit:
The Internet’s current design virtually guarantees anonymity to its users. (As a New Yorker cartoon noted some years ago, “On the Internet, nobody knows that you’re a dog.”) But that anonymity is now the most vexing challenge for law enforcement. An Internet attacker can route a connection through many countries to hide his location, which may be from an account in an Internet cafe purchased with a stolen credit card. “As soon as you start dealing with the public Internet, the whole notion of trust becomes a quagmire,” said Stefan Savage, an expert on computer security at the University of California, San Diego.
Consequently, Markoff suggests that:
A more secure network is one that would almost certainly offer less anonymity and privacy. That is likely to be the great tradeoff for the designers of the next Internet. One idea, for example, would be to require the equivalent of drivers’ licenses to permit someone to connect to a public computer network. But that runs against the deeply held libertarian ethos of the Internet.
Indeed, not only does it run counter to the ethos of the Net, but as Markoff rightly notes, “Proving identity is likely to remain remarkably difficult in a world where it is trivial to take over someone’s computer from half a world away and operate it as your own. As long as that remains true, building a completely trustable system will remain virtually impossible.” I’ve spent a lot of time writing about that fact here and won’t belabor the point other than to say that efforts to eliminate anonymity for the entire Internet would prove extraordinarily intrusive and destructive — of both the Internet’s current architecture and the rights of its users. There’s just something about a “show-us-you-papers,” national ID card-esque system of online identification that creeps most of us out. That’s why I spend so much time fighting age verification mandates for social networking sites and other websites; it’s the first step down a very dangerous road.
But what if we could apply such solutions in a narrower sense? That is, could we create more secure communities within the overarching Internet superstructure that might provide greater security? Markoff starts thinking along those lines when he suggests…
Continue reading →
This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year. ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.
Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are
most interested in having the ISTTF evaluate age verification / online verification technologies. In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.” [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]
On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification. Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this. I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]
In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front. I will argue:
- There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
- First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
- Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined. But how do we establish a clear link between parents and kids? And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
- It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
- It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.
Continue reading if you are interested in the details.
Continue reading →
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.