by Andrea O’Sullivan & Adam Thierer

This essay originally appeared on The Bridge on September 25, 2019.

It is quickly becoming one of the iron laws of technology policy that by attempting to address one problem (like privacy, security, safety, or competition), policymakers often open up a different problem on another front. Trying to regulate to protect online safety, for example, might give rise to privacy concerns, or vice versa. Or taking steps to address online privacy through new regulations might create barriers to new entry, thus hurting online competition.

In a sense, this is simply a restatement of the law of unintended consequences. But it seems to be occurring with greater regularity in the technology policy today, and it serves as another good reminder why humility is essential when considering new regulations for fast-moving sectors.

Consider a few examples.

Privacy vs security & competition 

Many US states and the federal government are considering data privacy regulations in the vein of the European Union’s wide-reaching General Data Privacy Regulation (GDPR). But as early experiences with the GDPR and various state efforts can attest, regulations aimed at boosting consumer privacy can often butt against other security and competition concerns.

Consider how the GDPR can be abused to undermine user security—and ultimately (and ironically) privacy itself. At this year’s Black Hat computer security conference, one researcher recently explained how the GDPR’s “right of access” provision—which mandates that companies give users their personal data—can be exploited by malicious actors to steal personally identifiable information. If a hacker is convincing enough, he or she can use “social engineering” to pose as the target and coax companies to divulge the information. Without GDPR’s mandated reporting infrastructure, such an attack would be much harder.

Nor are malicious actors even necessary for the GDPR to undermine security. In 2018, a customer requested their Alexa voice recordings from Amazon. The company sent the data to the wrong person in an apparent case of human error. If mighty Amazon cannot rise to the challenge of error-free GDPR compliance, what hope do smaller outfits have?

Perhaps the biggest story about the GDPR, however, has been its malign effects on competition. After all, the law earned its nickname—the “Google Data Protection Regulation”—for a reason. Titans like Google and Facebook have dominated European ad tech market since the advent of the GDPR because they can shoulder compliance risks in a way that smaller vendors cannot. More ad money has flowed to Google’s coffers as a result.

But the GDPR applies to far more than just ad tech. Ventures as varied as publishing and virtual tabletop dice rollers have been forced to shutter their digital doors rather than risk the wrath of European data authorities.

Similar stories emanate from the US. Illinois’ biometric privacy law, which governs the use of technologies like facial recognition and fingerprint scanning, led to the prohibition of Google’s Arts and Culture app which matched user-submitted photos with a classical work of art. If Google can’t hack it in the Land of Lincoln, how could a potential Google-slayer be expected to do so?

These are just the stories we hear about. A prematurely thwarted venture is unlikely to have a platform to voice their compliance problems. What is clear is that the data privacy laws enacted so far have had predictable negative impacts on security and competition, and that ill-defined “privacy fundamentalism” too often drives ill-fitting policies.

Safety vs. free speech & competition

Content moderation at scale is extremely challenging, especially as it relates to efforts to address “hate speech” and extremist viewpoints. On the one hand, free speech activists argue that onerous private content moderation policies can limit debate and punish certain viewpoints, particularly if a platform is a public default for expression. On the other hand, social justice activists contend that lax private standards can fuel the proliferation of conspiracy theories, radicalization, and violent rhetoric.

Recently, President Trump and some conservative lawmakers have been clamoring for greater regulatory controls of social media platforms in the name of “fairness” and countering supposed anti-conservative bias. Sens. Josh Hawley (R-MO) and Ted Cruz (R-TX), for example, have introduced a bill that would require platforms to submit their content moderation policies to regular regulatory audits. If a platform is deemed to be not “politically neutral,” it will lose its liability protections under Section 230 of the Communications Decency Act.

This is reminiscent of the “fairness doctrine,” a long-standing Federal Communications Commission (FCC) policy that was a thinly-veiled attempt to influence the political content of broadcast programs. Conservatives rightly opposed such government involvement in content decisions in decades past, but with this new effort against technology platforms, many of them are repeating the mistakes of the past.

The history of the actual fairness doctrine serves as a cautionary tale here. Today the fairness doctrine is mostly remembered as an anti-conservative effort because of the attention paid to right-leaning talk radio. Former Kennedy administration official Bill Ruder admitted that their “massive strategy was to use the [fairness doctrine] to challenge and harass right-wing broadcasters, and hope that the challenges would be so costly to them that they would be inhibited and decide it was too costly to continue.”

But as testaments from previous broadcast leaders point out, the fairness doctrine was wielded against both “conservatives” and “liberals” depending on who was in power and what their objectives were. When the Nixon administration took office, they wielded the rule to muzzle broadcasters who criticized the White House. And the FCC also applied the doctrine against The Kingmen’s song “Louie Louie” for its suspiciously unintelligible lyrics.

The tension between policies to promote “safety” and government-protected rights to free speech can be literal, as well. Consider efforts to ban so-called “3-D printed guns.” Defense Distributed and other activists do not 3-D print and sell guns. Rather, they publish the schematics for others to print their own arms online. As with the encryption technologies we will discuss below, such code is probably First Amendment-protected speech, although the applications of the schematics may be considered “dual-use” (meaning with both civilian and military applications.) An outright ban on 3-D printed gun blueprints very clearly antagonizes the right to free speech in the US and could threaten innovation in other open source, peer-to-peer 3D-printed applications.

Safety vs. privacy & security

Efforts to promote “safety” can also too often backfire at the expense of privacy and security.

Perhaps the most dramatic and high-stakes illustration of this principle was the years-long legal drama that pitted law enforcement authorities against computer scientists in the so-called “Crypto Wars.” Although cryptographic technologies that conceal data for privacy or security have been around since the days of ancient Egypt—our own Founding Fathers are known to have communicated using ciphers—in the 20th century, they had mostly been limited to military and academic institutions.

The advent of public-key cryptography made these security techniques more accessible to the public for the first time. This was great news for information security: communications and devices could be made hardened to attacks, and people were given more privacy options. But law enforcement feared that criminals would use cryptography to cover their tracks. Thus, in the name of safety, law enforcement first tried banning cryptography as a dual use technology through munitions export controls. When that failed on First Amendment grounds, policymakers attempted to legislate “backdoors” into encryption protocols that would allow government access.

It is easy to see how outright bans or backdoors for encryption technologies could hurt privacy and security. Obviously, prohibiting the civilian use of a privacy and security technology limits privacy and security. But granting government access into encryption standards would ironically ultimately undermine safety as well. After all, if a government can get into an encryption standard, so might a malicious hacker. Although the “Crypto Wars” seemed settled in the 1990’s, these same debates have been cropping up again as more and more devices have default encryption technologies.

We can also think about mandated reporting requirements intended to promote public safety. Consider the “know your customer” rules imposed on financial institutions. To prevent ills like money laundering and financial fraud, banks and exchanges must keep detailed customer information on file. Yet this ostensibly “pro-safety” rule generates its own security and privacy risks. Banks must manage to responsibly store and protect this valuable customer data, lest their customers’ information get hacked and their identities stolen. This has sadly too often proven too tall an order, and third-party-managed personally identifiable information is exposed to outside parties all the time.

A similar problem arises with efforts to promote child safety online. Consider the debate over MySpace’s age verification efforts in the mid-2000s. Child safety advocates grew concerned over the risks facing children on new social media platforms. Young children lacking awareness of the dangers that could lurk online could unwittingly make friendships with predators posing as other children. So a movement grew to require these new platforms to verify age and identity with a government-provided identification card.

There were obvious technical problems. For starters, children that were young enough to fall under the age verification limit were unlikely to have a government-provided photo identification card. But beyond these simple administrative issues, there was the question of privacy and security. Could Myspace adequately protect the reams of sensitive data from outside breach? Might children actually be put more at danger should those items—which would likely include the children’s address—fall into the wrong hands? And should the government and social media platforms really be in the business of parenting to begin with? Might this actually create a “moral hazard” which leaves parents thinking that online spaces are safer than they actually are?

Tying it all together

In each of these instances, it probably seemed like there was no downside to newly proposed regulations. With time, however, the dynamic effects associated with those policies become evident, and often result in the opposite of what was intended, or the policies led to other problems that supporters did not originally envision.

The nineteenth-century French economic philosopher Frédéric Bastiat famously explained the importance of considering the many unforeseen, second-order effects of economic change and policy. Many pundits and policy analysts pay attention to only the first-order effects—what Bastiat called “the seen”—and ignore the subsequent and often “unseen” effects. Those unseen effects can have profound real-world consequences in the form of less technological innovation, diminished growth, fewer job opportunities, higher prices, diminished choices, and other costs.

Even when defenders of the failed interventions are forced to admit that their well-intentioned plans did not work out as planned, their response is typically of the  we-can-do-better variety. The result is usually just more regulation as one intervention begs another and another. As the Austrian economist Ludwig von Mises taught us 70 years ago in his masterwork, Human Action:

“All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther…”

The lesson is clear: paternalistic public policies may sound sensible on the surface, but as Milton Friedman taught us long ago, “One of the great mistakes is to judge policies and programs by their intentions rather than their results. We all know a famous road that is paved with good intentions.”

California’s continuing effort to make the Internet their own digital fiefdom continued this week with Gov. Jerry Brown signed legislation that creates an online “Eraser Button” just for minors. The law isn’t quite as sweeping as the seriously misguided “right to be forgotten” notion I’ve critique here (1, 2, 3, 4) and elsewhere (5, 6) before. In any event, the new California law will:

require the operator of an Internet Web site, online service, online application, or mobile application to permit a minor, who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s Internet Web site, service, or application by the minor, unless the content or information was posted by a 3rd party, any other provision of state or federal law requires the operator or 3rd party to maintain the content or information, or the operator anonymizes the content or information. The bill would require the operator to provide notice to a minor that the minor may remove the content or information, as specified.

As always, the very best of intentions motivate this proposal. There’s no doubt that some digital footprints left online by minors could come back to haunt them in the future, and that concern for their future reputation and privacy is the primary motivation for the measure. Alas, noble-minded laws like these often lead to many unintended consequences, and even some thorny constitutional issues. I’d be hard-pressed to do a better job of itemizing those potential problems than Eric Goldman, of Santa Clara University School of Law, and Stephen Balkam, Founder and CEO of the Family Online Safety Institute, have done in recent essays on the issue.

Goldman’s latest essay in Forbes argues that “California’s New ‘Online Eraser’ Law Should Be Erased” and meticulously documents the many problems with the law. “The law is riddled with ambiguities,” Goldman argues, including the fact that:

First, it may not be clear when a website/app is “directed” to teens rather than adults. The federal law protecting kids’ privacy (Children’s Online Privacy Protection Act, or COPPA) only applies to pre-teens, so this will be a new legal analysis for most websites and apps. Second, the law is unclear about when the minor can exercise the removal right. Must the choice be made while the user is still a minor, or can a centenarian decide to remove posts that are over 8 decades old? I think the more natural reading of the statute is that the removal right only applies while the user is still a minor. If that’s right, the law would counterproductively require kids to make an “adult” decision (what content do they want to stand behind for the rest of their lives) when they are still kids. Third, the removal right doesn’t apply if the kids were paid or received “other consideration” for their content. What does “other consideration” mean in this context? If the marketing and distribution inherently provided by a user-generated content (UGC) website is enough, the law will almost never apply. Perhaps we’ll see websites/apps offering nominal compensation to users to bypass the law.

Goldman also notes that it is unclear why California should even have the right to be regulating the Internet in this fashion. It is his opinion that, “states categorically lack authority to regulate the Internet because the Internet is a borderless electronic network, and websites/apps typically cannot make their electronic packets honor state borders.” I’ve been moving in that direction for the past decade myself since patchwork policies for the Internet — regardless of the issue — can really muck up the free flow of both speech and commerce. I teased out my own concerns about this in my January essay on “The Perils of Parochial Privacy Policies” and argued that the a world of “50 state Internet Bureaus isn’t likely to help the digital economy or serve the long-term interests of consumers.”  Sadly, some privacy advocates seem to be cheering on this sort of parochial regulation anyway without thinking through those consequences. They are probably just happy to have another privacy law on the books, but as I always try to point out not just in this context but also in debates over online child safety, cybersecurity, and digital copyright protection, the ends rarely justify the means. I just don’t understand why more people who care about true Internet freedom aren’t railing against these stepped-up state efforts (especially the flurry of California activity) and calling it out for the threat that it is.

In an essay over on LinkedIn entitled, “Let’s Delete The ‘Eraser Button,'” Stephen Balkam points out another mystery about the new California law: “It’s unclear why this law was even proposed when there exists a range of robust reporting mechanism across the Internet landscape.” Indeed, in this particular case it seems like much of the law is redundant and unnecessary. “What this bill should have been about is education and awareness, about taking responsibility for our actions and using the tools that already exist across the social media landscape,” Balkam says. “Here are three key actions that can already be taken:

Delete – you can take down or delete postings, comments and photos that you have put up on Facebook, Twitter, YouTube and most of the other platforms. Report – anyone can report abusive comments or inappropriate content by others about you or other people and, in many cases, have them removed. Request – you can ask that you be untagged from a photo or that a posting or photo be removed that has been uploaded by someone else. In addition there are in-line privacy settings on many of the leading social media sites, so that you or your teen can choose who sees what.”

Balkam is exactly right. The tools are already there; it’s the education and awareness that are lacking. As I have pointed out countless times here before, there is no need for preemptive regulatory approaches when less-restrictive and potentially equally effective remedies already exist. We just need to do a better job informing users about the existence of those tools and methods and then explain how to take advantage of them. Just adding more layers of law — especially parochial regulation — is not going to make that happen magically. Worse yet, in the process, such laws open the barn door to far more creative and meddlesome forms of state-based Internet regulation that should concern us all.

And now for the really interesting question that I have no answer to: Will anyone step up and challenge this law in court?

There was an important article about online age verification in The New York Times yesterday entitled, “Verifying Ages Online Is a Daunting Task, Even for Experts.” It’s definitely worth a read since it reiterates the simple truth that online age verification is enormously complicated and hugely contentious (especially legally). It’s also worth reading since this issue might be getting hot again as Facebook considers allowing kids under 13 on its site.

Just five years ago, age verification was a red-hot tech policy issue. The rise of MySpace and social networking in general had sent many state AGs, other lawmakers, and some child safety groups into full-blown moral panic mode. Some wanted to ban social networks in schools and libraries (recall that a 2006 House measure proposing just that actually received 410 votes, although the measure died in the Senate), but mandatory online age verification for social networking sites was also receiving a lot of support. This generated much academic and press inquiry into the sensibility and practicality of mandatory age verification as an online safety strategy. Personally, I was spending almost all my time covering the issue between late 2006 and mid-2007. The title of one of my papers on the topic reflected the frustration many shared about the issue: “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”

Simply put, too many people were looking for an easy, silver-bullet solution to complicated problems regarding how kids get online and how to keep them safe once they get there. For a time, age verification became that silver bullet for those who felt that “we must do something” politically to address online safety concerns. Alas, mandatory age verification was no silver bullet. As I summarized in this 2009 white paper, “Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer,” all previous research and task force reports looking into this issue have concluded that a diverse toolbox and a “layered approach” must be brought to bear on these problems. There are no simple fixes. Specifically, here’s what each of the major online child safety task forces that have been convened since 2000 had to say about the wisdom of mandatory age verification:

2000 – Commission on Online Child Protection (“COPA Commission”)

“[Age verification] imposes moderate costs on users, who must get an I.D. It imposes high costs on content sources that must install systems and might pay to verify I.D.s. The adverse effect on privacy could be high. It may be lower than for credit card verification if I.D.s are separated from personally-identifiable information. Uncertainty about the application of a harmful to minors standard increases the costs incurred by harmful to minors sites in connection with such systems.  An adverse impact on First Amendment values arises from the costs imposed on content providers, and because requiring identification has a chilling effect on access. Central collection of credit card numbers coupled with the “embarrassment effect” of reporting fraud and the risk that a market for I.D.s would be created may have adverse effect on law enforcement.”

2002 – Youth, Pornography, and the Internet (“Thornburgh Commission”)

“In an online environment, age verification is much more difficult because a pervasive nationally available infrastructure for this purpose is not available. […] Note that each of these [age verification] methods imposes a cost in convenience of use, and the magnitude of this cost rises as the confidence in age verification increases.” (p. 63-4)

2008 – Safer Children in a Digital World (“Byron Review”)

“[N]o existing approach to age verification is without its limitations, so it is important that we do not fixate on age verification as a potential ‘silver bullet.’” (p. 99)

2009 – Internet Safety Technical Task Force (ISTTF)”

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness.  Any system that relies on remote verification of information has potential for inaccuracies.  For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s.  Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records.  Any system that focuses on third-party in-person verification would require significant political backing and social acceptance.  Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.” (p. 10)

2009 – “Point Smart. Click Safe” Blue Ribbon Working Group

“The task force acknowledges that the issues of identity authentication and age verification remain substantial challenges for the Internet community due to a variety of concerns including privacy, accuracy, and the need for better technology in these areas.”

2010 – Youth Safety on a Living Internet: Repost of the Online Safety and Technology Working Group (“OSTWG“)

“There is no quick fix or “silver bullet” solution to child safety concerns, especially given the rapid pace of change in the digital world. A diverse array of protective tools are currently available today to families, caretakers, and schools to help encourage better online content and communications. They are most effective as part of a “layered” approach to child online safety. The best of these technologies work in tandem with educational strategies, parental involvement, and other approaches to guide and mentor children, supplementing but not supplanting the educational and mentoring roles.”  […] “age verification is not only not effective but not necessarily advisable. There was some evidence presented to the (ISTTF) Task Force that it might actually endanger youth by keeping adult guidance or supervision out of online spaces where peer-on-peer harassment or cyberbullying could occur.” (p. 7, 27)

This makes it clear that there is near-universal consensus that mandatory age verification is not the smart path forward. In my closing statement to the Harvard Berkman Center Internet Safety Technical Task Force, of which I was a member, I actually went even further and argued that mandatory age verification represents a dangerous solution to concerns about online child safety because it:

1. Won’t Work: Mandatory age verification will not work as billed. For the reasons detailed below, it will fail miserably and create more problems than it will solve.
2. Will Create a False Sense of Security: Because it will fail, mandatory age verification will create a false sense of security for parents and kids alike. It will lead them to believe they are entering “safe spaces” simply because someone has said users are “verified.”
3. Is Not a Background Check: Moreover, even if age verification did work as billed, it is important to realize it is not synonymous with a complete background check. In other words, even if the verification process gets the age part of the process right, that tells us little else about the person being verified.
4. Is a Grave Threat to Privacy: Mandatory age verification is dangerous because it would require that even more personal information (about kids, no less) be put online at a time when identity theft and privacy violations continue to be a major concern.
5. Will Seriously Misallocate Resources: Devising and enforcing age verification regulations might also divert valuable time and resources that could be better used to focus on education and awareness-building efforts, especially K-12online safety and media literacy education. Moreover, it might divert law enforcement energy and resources away from policing serious crimes or more legitimate threats to children

I went on to post  “10 Questions about Age Verification that the AGs Must Answer” if they continued their foolish pursuit of this misguided silver bullet (non-)solution. Instead of repeating them all here, I have simply appended my closing statement to this post. [see Scribd embed below].

In closing, I remain convinced that nothing on the ground has changed since back then. All the traditional age verification schemes remain highly flawed, and the more sophisticated age verification systems (tapping school records and using biometric identifiers to create “digital passports,” for example), would have rather obvious downsides and still not likely be effective in practice. In the end, there is simply no substitute for an education and awareness-based approach to online safety that relies on parental mentoring, digital literacy / digital citizenship, and better social norms and self-regulation.  Techno-silver bullets will always fail.

ISTTF Thierer Closing Statement

[UPDATE Feb. 2012: This little essay eventually led to an 80-page working paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.”]

In this essay, I will suggest that (1) while “moral panics” and “techno-panics” are nothing new, their cycles seem to be accelerating as new communications and information networks and platforms proliferate; (2) new panics often “crowd-out” or displace old ones; and (3) the current scare over online privacy and “tracking” is just the latest episode in this ongoing cycle.

What Counts as a “Techno-Panic”?

First, let’s step back and define our terms. Christopher Ferguson, a professor at Texas A&M’s Department of Behavioral, Applied Sciences and Criminal Justice, offers the following definition: “A moral panic occurs when a segment of society believes that the behavior or moral choices of others within that society poses a significant risk to the society as a whole.” By extension, a “techno-panic” is simply a moral panic that centers around societal fears about a specific contemporary technology (or technological activity) instead of merely the content flowing over that technology or medium. In her brilliant 2008 essay on “The MySpace Moral Panic,” Alice Marwick noted:

Technopanics have the following characteristics. First, they focus on new media forms, which currently take the form of computer–mediated technologies. Second, technopanics generally pathologize young people’s use of this media, like hacking, file-sharing, or playing violent video games. Third, this cultural anxiety manifests itself in an attempt to modify or regulate young people’s behavior, either by controlling young people or the creators or producers of media products.

While protection of youth is typically a motivating factor, some techno-panics transcend the old “It’s For the Children” rationales for information control. What all panics share in common, however, is a general desire by the public, media pundits, and policymakers to “do something” to rid ourselves of the apparent menace. Thus, an effort to control the particular content or technology in question is what really defines a true “panic.”

It’s impossible to be scientific about this but there seems to be a cycle of such moral panics or techno-panics at work in our society.  Indeed, looking back over the past few decades, it seems that we experience a new panic roughly every 3 to 5 years. Consider this chronological breakdown of some notable techno-panics since the 1980s on:

• mid-1980s: music lyrics and music videos
• early to mid-1990s: violent video games
• mid- to late 1990s: Internet porn
• late 1990s to early 2000s: browser cookies + kids privacy
• mid-2000: TV & movie violence
• mid- to late 2000: online predators / “stranger danger”
• late 2000s to present: cyberwar
• late 2000s to present: online privacy / web “tracking”

Of course, there were other “mini-panics” that occurred during this stretch and, again, some of them did not involve child safety rationales. There was a brief panic over RFID chips and even the Y2K scare in the late 1990s, for example. Some might argue we also had a bit of panic with copyright and file-sharing back in the early 2000s, and perhaps even one back in the early 1980s when the VCR came on the scene, although that seemed to be more industry-driven. Wireless geo-location and geo-tagging has also been getting more attention recently and still may blossom into a full-blown techno-panic.   And you could make the case that we experienced a different type of techno-panic last year over the supposed “Death of the Web,” although few took that one all that seriously.

Why Do Techno-Panics Pass?

To be clear, there are no clear boundaries with techno-panics.  They do not just suddenly begin and end, and it is impossible to gauge their relative severity since no metric or yardstick exists to measure them against.  Nonetheless, these techno-panics certainly seem to have peaks and valleys in terms of public / political / media attention.

Just a few years ago, for example, the online predator panic reached a fever pitch and “stranger danger” reports were all over the media. As a result, legislation banning social networking sites in publicly funded schools and libraries was introduced, and state attorneys general proposed mandatory online age verification schemes for the Internet to segregate adults and children online. And then, it seems, the fever passed. I couldn’t tell you exactly what week or month it happened — and in many ways some of those fears still exist out there — but it’s clear that the panic about online predation has subsided greatly. I’d like to think that education and awareness helped debunk some of the myths that were fueling that particular panic, just as I’d like to believe that education and awareness helped deflate the fear bubbles that surrounded previous panics.

While I don’t want to entirely discount that possibility, I’m convinced another more cynical explanation may exist: New techno-panics simply crowd-out old techno-panics. There may be several explanations for this:

• Perhaps there is only so much fear-mongering our minds can handle at any given time.
• Perhaps it is becuase the media gets myopically focused on one panic and then hammers it till all the fear has been squeezed out of it such that they have to move on.
• Perhaps it is because a new technology comes along that spooks politicians and the media even more than the previous one they were demonizing.
• Or perhaps all of those factors combine to limit the duration of panics.

Regardless, it seems evident that moral panics and techno-panics have always been with us and will always be with us. From the waltz to rock and roll to rap music, from movies to comic books to video games, from radio and television to the Internet and social networking websites — every new media format or technology spawns a fresh debate about the potential negative effects it might have on society or our kids in particular. An excellent recent report by the U.K. government entitled Safer Children in a Digital World noted that “New media are often met by public concern about their impact on society and anxiety and polarisation of the debate can lead to emotive calls for action.” Indeed, each of the media technologies or communications platforms mentioned above was either regulated or threatened with regulation at some point in its history.

The Cycle is Accelerating but is the Severity of Each Panic Diminished as a Result?

However, it seems like these cycles are now accelerating somewhat.  They peak and fizzle out faster, that is. Perhaps that is a natural outgrowth of the technological explosion we have witnessed in recent years.  Digital innovation is unfolding at a breakneck pace and each new development gives rise to a new set of concerns. Going forward, this could mean we experience more “mini-panics” and fewer of those sweeping “the-world-is-going-to-hell” type panics.

This brings me to the current debate over online advertising, web “tracking,” and personal privacy. What’s interesting about this debate is that, unlike many of the other moral or techno-panics mentioned above, this debate is not being driven by the mantra that “It’s For the Children.”  Today’s privacy panic reflects a more widespread unease with the notion that our digital footprints are somehow being “tracked” for nefarious purposes.  In reality, there isn’t anything nefarious going on here at all. Online sites and service providers are simply using data collection to improve our web experience and better target ads to us in an attempt to cross-subsidize all that wonderful free stuff we enjoy online today. This is truly one of the great pro-innovation, pro-consumer success stories of modern times.  Yet, irrational fears about data collection and targeted marketing have given rise to the second major privacy techno-panic of the past dozen years. (Again, the first privacy-related panic was the “cookie craze” that took place back in the late-90s but then subsided). It is also somewhat ironic that many of the same people and groups who have done yeoman’s work debunking techno-panics in other contexts are driving this modern privacy panic.

I want to make it clear that I am not oblivious to the fact that there are occasionally some legitimate concerns behind some of these moral panics or techno-panics.  For example, I certainly don’t want my young children (ages 9 & 6) viewing hard-core porn, playing extremely violent video games, or even reading graphic comics. And I understand that some forms of personal information are quite sensitive and a legitimate topic for policy discussions.  But, again, these concerns are typically greatly over-hyped, and to the extent that they represent more legitimate concerns, I would argue that education and empowerment-based solutions typically represent a more sensible approach than regulation. Although I sometimes question whether the “harm” that people fear is legitimate, I would hope we could work together to find more sensible ways to address people’s concerns without calling for comprehensive control of the media, content, technology, or the Internet more generally.

Resiliency, Responsibility & Common Sense

Finally, in these discussion, I believe many people overlook the importance of human adaptability and resiliency.  The amazing thing about humans is that we adapt so much better than other creatures. When it comes to technological change, resiliency is hard-wired into our genes.  “The techno-apocalypse never comes,” notes Slate’s Jack Shafer, because “cultures tend to assimilate and normalize new technology in ways the fretful never anticipate.” We learn how to use the new tools given to us and make them part of our lives and culture.  Indeed, we have lived through revolutions more radical than the Information Revolution.  We can adapt and learn to live with some of the legitimate difficulties and downsides of the Information Age. [See my recent book chapter on, “The Case for Internet Optimism, Part 1: Saving the Net From Its Detractors.”]

A healthy does of humility, patience, personal responsibility, and good ‘ol common sense will usually get us through these things. Quite literally, there is no need to panic!

Related Reading

• Techno-Panic Cycles (and How the Latest Privacy Scare Fits In)
• Against Techno-Panics
• Collier on “Why Technopanics are Bad”
• Kids, Media, Commercialism & Moral Panic
• The Next Great Technopanic: Wireless Geo-Location / Social Mapping
• Technopanics and the Great Social Networking Scare
• Sen. Klobuchar Stirs Up Facebook Child Safety Technopanic
• A Rarity: Newspaper Argues Against Techno-panic, Cites Constitution
• Google Street View/Wi-Fi Privacy Technopanic Continues
• Digital Sensors, Darknets, Hyper-Transparency & the Future of Privacy

NetChoice filed comments today with the FCC in its inquiry on Empowering Parents and Protecting Children in an Evolving Media Landscape. PFF’s comments (jointly filed w/ EFF as described in their TLF post) are comprehensive, excellent, and very highly recommended (well done Adam and Berin). I took a narrower approach. My goal was to dismiss age and parental verification as a tool to keep kids safe online:

Teens are very active users of Internet websites. To verify parental consent, parents would have to provide identifying data (most often credit card information) to a myriad of sites and services. This would require private companies to store vast amounts of parents’ personal information and, by doing so, increase customers’ vulnerability to security breaches and identity theft. According to the Berkman study, “there are significant potential privacy concerns and security issues given the type and amount of data aggregated and collected by the technology solutions….” Many online companies have moved away from collecting and storing this type of data for good reason.

Like the comments filed jointly by PFF and EFF, I also asserted that the FCC lacks jurisdiction to regulate online media platforms. Neither the Telecommunications Act of 1996 nor the Children’s Television Act of 1990 provides the Commission with the authority to regulate online media content. Furthermore, if the FCC were to pursue regulation of the Internet in the same manner it regulates broadcast and cable television, we believe there would be serious first amendment implications.

Not sure where the FCC can go with this NOI (at least as it regards the Internet) but that’s the scariness of it all.

Rep. Bart Stupak, (D-MI) recently introduced the ‘‘Online Age Verification and Child Safety Act’’ (H.R. 4059), which would require mandatory online age verification for “any pornographic website accessible by any computer located within the United States to display any pornographic material, including free content that may be available prior to the purchase of a subscription or product.”  The measure does not specify how such verification is to be administered, saying only that “any website or online service” must “establish and maintain a system of internal policies, procedures and controls to ensure that no such material is displayed to any user attempting to access their site without first verifying that the user is 18 years or older.”

In essence, the Stupak bill is the “Son of COPA,” or the Child Online Protection Act of 1998, a law that has been constitutionally tested and come up short during an epic, decade-long legal battle in which it was made clear that mandatory age verification is unwise, unworkable, and unconstitutional under the First Amendment.

COPA sought to make it a crime for someone to “knowingly” place materials online that were “harmful to minors.” The law provided an affirmative defense from prosecution, however, to those parties who made a “good faith” effort to “restrict[ ] access by minors to material that is harmful to minors” using credit cards or age verification schemes. COPA was immediately challenge, however, and a 10-year court battle ensued.  The law was blocked by lower courts because it was too sweeping in effect and because courts held that there were other “less restrictive means” that parents could use to deal with objectionable content — such as Internet filters.

COPA’s decade-long legal battle finally concluded in January 2009 when the U.S. Supreme Court refused to revisit the law.  COPA had already been reviewed by the Supreme Court twice before — in 2002 and 2004.  Thus, a third visit to the Supreme Court by COPA would have been something of a historical development in the world of First Amendment jurisprudence. But with the Supreme Court’s rejection of the government’s appeal in January, lower court rulings stood and COPA remained unconstitutional and unenforceable. The key recent legal battle occurred in the Third Circuit Court of Appeals, which upheld a lower court ruling striking down COPA. The Third Circuit’s full decision is here. And I penned a 3-part series on the lower court ruling by Judge Lowell Reed Jr., senior judge of the U.S. District Court for the Eastern District of Pennsylvania, here, here, and here. Also make sure to check out this summary of COPA’s legal journey that Alex Harris penned last November.

Many, many times here before I have documented my serious ongoing reservations about mandatory age verification.  [In particular, see this lengthy white paper and this event transcript for all the details.]  Moreover, as I pointed out in a recent PFF white paper (“Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer“), every major online safety task force that has studied the possibility of mandatory age verification for the Internet has come to the same conclusion: It won’t work, it’s unconstitutional, and it raises serious privacy concerns. Down below the fold I have pulled some of the relevant language from the five online safety task forces that have met since 2000 and considered this issue.  Some of the very best minds in academia, industry, government, and the child safety community sat on these task forces.  And, taken together, these five task forces heard from hundreds of experts and produced thousands of pages of testimony and reports on a wide variety of issues related to online child safety.

I would hope that Mr. Stupak and other lawmakers would heed the warnings about mandatory age verification that these task forces issued.  Read on for brief look at what the experts had to say. And as you do, remember that every dollar spent litigating another misguided attempt to mandate online age verification is another dollar that could be spent on education and empowerment solutions or other law enforcement strategies, all of which could be put in place immediately to make our kids safer online.

2000 – Commission on Online Child Protection (“COPA Commission”)

[Age verification] imposes moderate costs on users, who must get an I.D. It imposes high costs on content sources that must install systems and might pay to verify I.D.s. The adverse effect on privacy could be high. It may be lower than for credit card verification if I.D.s are separated from personally-identifiable information. Uncertainty about the application of a harmful to minors standard increases the costs incurred by harmful to minors sites in connection with such systems.  An adverse impact on First Amendment values arises from the costs imposed on content providers, and because requiring identification has a chilling effect on access. Central collection of credit card numbers coupled with the “embarrassment effect” of reporting fraud and the risk that a market for I.D.s would be created may have adverse effect on law enforcement.[1]

2002 – Youth, Pornography, and the Internet (“Thornburgh Commission”)

In an online environment, age verification is much more difficult because a pervasive nationally available infrastructure for this purpose is not available. […] Note that each of these [age verification] methods imposes a cost in convenience of use, and the magnitude of this cost rises as the confidence in age verification increases.[2]

2008 – Safer Children in a Digital World (“Byron Review”)

[N]o existing approach to age verification is without its limitations, so it is important that we do not fixate on age verification as a potential ‘silver bullet’.[3]

2009 – Internet Safety Technical Task Force (ISTTF)

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness.  Any system that relies on remote verification of information has potential for inaccuracies.  For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s.  Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records.  Any system that focuses on third-party in-person verification would require significant political backing and social acceptance.  Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.[4]

2009 – “Point Smart. Click Safe.” Blue Ribbon Working Group

The task force acknowledges that the issues of identity authentication and age verification remain substantial challenges for the Internet community due to a variety of concerns including privacy, accuracy, and the need for better technology in these areas.[5]

[2] Computer Science and Telecommunications Board, National Research Council, Youth, Pornography and the Internet (Washington, DC: National Academy Press, 2002), at 63-4, www.nap.edu/html/youth_internet/

[3] Safer Children in a Digital World: The Report of the Byron Review, March 27, 2008, at 99.  www.dcsf.gov.uk/byronreview

[4] Internet Safety Technical Task Force, Enhancing Child Safety & Online Technologies: Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States, Dec. 31, 2008, at 10, http://cyber.law.harvard.edu/pubrelease/isttf.

[5] www.pointsmartclicksafe.org/report

[NOTE: Follow H.R. 4059 and comment on it over at Washington Watch.]

ATTACHMENT: Final Statement of Adam D. Thierer on Age Verification to the Internet Safety Technical Task Force

ISTTF Thierer Closing Statement http://d1.scribdassets.com/ScribdViewer.swf?document_id=10275410&access_key=key-2arwch33v27rw4obom5&page=1&version=1&viewMode=list

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

The latest edition (Version 4.0) of my PFF special report on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now up.  For those not familiar with the report, it explores the market for parental control tools, rating schemes, education and media literacy efforts, and various other tools, methods, and initiatives aimed at promoting online child safety.  After evaluating that state of this market, I conclude: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”  Moreover, I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation.

Version 4.0 of the report is now over 250 pages long (up from 200 pages in Version 3.0) and it contains almost 70 exhibits (up from 50), 725 references (up from roughly 500), and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. Other new sections or appendices have also been added to the report, including:

• a new section examining how many households really need parental control tools;
• a new appendix on the downsides of mandatory parental controls and restrictive default settings;
• a new section on the dangers of “deputizing the online middleman” solution as an approach to solving child safety concerns;
• a new appendix reviewing the findings of 5 past online safety task forces;
• … and much more.

I issue major updates once a year and 1 or 2 minor tweaks during the course of the year to reflect the evolution of the parental control and online child safety marketplace and debate. The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past couple of years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

Maine has just enacted a law severely restricting marketing to kids: the Act To Prevent Predatory Marketing Practices against Minors, summarized by Covington & Burling. Adam and I released a major paper in June about such laws: COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech. Maine is following the lead of several other states that have tried to expand the Children’s Online Privacy Protection Act (COPPA) of 1998 to cover nost just kids under 13 but adolescents as well and potentially all social networking sites. We discussed at length the problems such laws create, particularly the possibility that large numbers of adults would, for the first time, be subject to age verification mandates before accessing (or participating in) the growing range of sites with social networking capabilities.  This, in turn, would significantly “chill” free speech online by undermining anonymity.

Like COPPA 2.0 proposals in New Jersey (simply extending COPPA to cover adolescents) and Illinois (applying COPPA to most social networking sites), the Maine law tries to build on COPPA’s “verifiable parental consent” requirement for the 13-17 audience as well as those under 13.

On the one hand, the Maine law goes much further than these other COPPA 2.0 proposals. While the original bill was limited to the Internet and wireless communications, the final bill’s scope applies to all communications.  The bill also covers “health-related” information (HRI) as well as “personal information” (PI). On the other hand, the Maine law is thus somewhat narrower than other COPPA 2.0 proposals and COPPA itself in that it applies only to “marketing or advertising products, goods or services.” While COPPA is commonly misunderstood to cover only marketing, it actually covers essentially any “collection” (broadly defined) of personal information from kids for any purpose—including merely giving kids access to communications functionality that might let them share personal information with other users (even if the site itself is not “collecting” that information in the commonly understood sense).

Verifiable parental consent is required for collection of HRI or PI (§ 9552(1)). So far, the Maine law is clearly trying to stick to the basic COPPA model while expanding its application to adolescents, health information and the offline world. (Indeed, the law concludes by authorizing the state AG to bring enforcement actions for violations of COPPA, as COPPA itself allows.) But the Maine law goes much further by banning:

• The transfer of HRI/PI to third parties if it “individually identifies the minor” (§ 9552(2)); and
• The use of HRI/PI “for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product” (§ 9553).

It’s unclear what either prohibition will mean in practice. Obviously, if the law imposed a complete ban on the use of HRI/PI, there would be no point to obtaining verifiable parental consent in the first place! Thus, the law seems to contemplate that the prohibition on transferring individually identifying information would leave data-collectors free to transfer de-identified data once they’ve obtained verifiable parental consent for the initial collection. I’m no marketing expert but I imagine that Maine legislators were trying to ban the sale of lists that identify individual kids, while allowing the use of de-identified data for, say, analyzing patterns of interests among kids.

It’s less clear what the use-prohibition (§ 9553) actually means. Would it allow kids-oriented marketing based on aggregated de-identified information? If so, what would that actually mean in the real world? Would that be a distinction without a difference by effectively shutting down legitimate marketing most people would find unobjectionable, harmless, or even very helpful? If the law wouldn’t even allow such use of aggregate data, why, again, would any company ever bother obtaining parental consent?

Indeed, the Association of National Advertisers has interpreted this provision as amounting to an outright ban, regardless of parental permission, and points out that the bill:

would seemingly cut off “minors”‘… from being marketed to about colleges and universities, testing services such as the SAT and ACT, test prep services, class rings, among many other potential categories.

ANA vows to “have the law abrogated or modified so that it will not continue to place such extraordinarily broad restrictions on marketers, when the legislature reconvenes” in January—even though the law goes into effect in mid-September. They could challenge the law on a number of grounds in the courts.

While the First Amendment analysis of commercial free speech rights doubtless be complicated, a simpler argument could be brought on Dormant Commerce Clause grounds: Under the Supreme Court’s 1970 decision in  Pike v. Bruce Church, if “the burden imposed . . . is clearly excessive in relation to the putative local benefit, and if the local interest can be promoted by other regulations that have a lesser impact on interstate activities,” the court may strike down a state law that burdens interstate commerce. Indeed, the courts have struck down a number of Internet-related state laws on such grounds.

Insofar as Maine’s law affects online communications, it could be struck down on Dormant Commerce Clause grounds by forcing out-of-state websites to treat users in Maine differently—or to treat all users as if they were in Maine. To some extent, this will depend on how the statute is actually construed. COPPA applies both to knowing collection and to collection through child-oriented sites like Club Penguin (because the operator should know that they are collecting information from a child), but the Maine law applies only to knowing collection. If the statute is narrowly construed, this would mean that only websites that ask user for their age (say, in setting up a social networking profile) would generally be affected. A broader reading might affect websites that are oriented towards, or simply popular among, minors, in which case sites would essentially be forced to age verify all users (as with other COPPA 2.0 proposals). While this seems unlikely given the meaning generally attached to the word “knowing” in American law, even the narrow reading would affect many social networking sites.

The other major unanswered question lies in how broadly the term “individually identifiable information” would be construed. Like COPPA, the Maine law covers all such information, but rather than define this term exhaustively, the laws simply provide a few more specific categories of examples. Maine’s list differs from COPPA’s in that it does not include e-mail addresses, telephone numbers, screen names, or other contact information. But the list does include names, and this is enough to implicate profile-basedsocial networks like Facebook. If construed more broadly, the Maine law could affect other website operators.

In any event, if websites have to try to accomodate Maine’s law, they might have to track user location to ensure that they comply with Maine law.  As we noted in our paper:

If a site relied only on location information provided by the user, adolescents would quickly learn to lie about what state they live in just as children have learned to lie about how old they are to avoid triggering COPPA’s “actual knowledge” requirement.  Alternatively, websites could attempt to determine a user’s location automatically based on their IP address, but such “IP geocoding” is not always accurate and can be subverted by use of a proxy.

Finally, in case you were wondering where this bill came from, here’s the purpose statement for the original bill:

This bill addresses the current practices of persons using the Internet and other wireless communications devices, with or without promotional incentives, to acquire health-related information about minors and then using that information unscrupulously. Under this bill, it is unlawful to solicit or collect health-related information about a minor who is not emancipated without the express written consent of the minor’s parent or guardian, to transfer any health-related information that identifies a minor or to use any of that information to market a product or service to a minor regardless of whether or not the information was lawfully obtained. Unlawful marketing includes promoting a course of action relating to a product.

If a challenge is brought in court, the state will have to be a lot more specific about defining the harm at issue than merely asserting that information is being collected and might be unsed “unscrupulously.” As the Supreme Court declared in the 1993 case of Edenfield v. Fane, the government’s burden in justifying a restrictions on even commercial speech (which is accorded less protection than non-commercial speech):

is not satisfied by mere speculation or conjecture; rather a governmental body seeking to sustain a restriction on commercial speech must demonstrate that the harms it recites are real and that its restriction will in fact alleviate them to a material degree.

In short, this new law raises many legal and practical questions. I’ll be watching closely to see how any effort have the law amended or challenged in court plays out.  I suspect we’ll see more states following Maine’s lead if this law stands in its current form.

The Gawker offers a fascinating discussion of the legal right to anonymity:

“There is clearly a moral case that some people should be able to join the public debate and retain their anonymity,” Tench told Gawker. “And I think this will have a chilling effect. Blogs like this can only exist anonymously, and I imagine that anyone who wanted to set one up is thinking about this case.” As well they should. But the notion that anonymous publishers have a right, in perpetuity, to keep their identities a secret—or that people who learn their identities are honor-bound not to reveal them—is nonsense.

Amen! One can resist, fiercely, government efforts to reduce online anonymity through age verification or identity authentication mandates, as Adam Thierer have argued most recently in our work about efforts to expand COPPA to cover adolescents (“COPPA 2.0,” which would indirectly mandate age verification for large numbers of adults for the first time).  One might even argue that there are moral reasons to resist the urge to out pseudonymous/anonymous bloggers (just as one might avoid outing closeted gays out of respect for their privacy).   But one need not accept the pernicious idea that the government should punish the outing of peusodonymous/anonymous writers, which is simply a restraint on legitimate free speech.

This exchange, cited by the Gawker article, is particularly interesting, and demonstrates how one can distinguish the question of whether outing is “right” or “appropriate” from the question of whether it should be punished by law:

When the National Review‘s Ed Whelan revealed Publius, who writes for Obsidian Wings, to be a professor of law at the South Texas College of Law named John F. Blevins earlier this month, the palpable online outrage forced Whelan to apologize.

Berin recently encouraged me to re-read Thomas Sowell’s The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy, which I hadn’t looked at since I first read it back in 1995 or 96.   I’m glad I did since Sowell’s work has always been profoundly influential on my thinking (especially his masterpiece, A Conflict of Visions) and I had forgotten how useful The Vision of the Anointed was in helping me understand the reoccurring model that drives ideological crusades to expand government power over our lives and economy.

“The great ideological crusades of the twentieth-century intellectuals have ranged across the most disparate fields,” Sowell noted in the book.  But what they all had in common, he argued, was “their moral exaltation of the anointed above others, who are to have their different views nullified and superseded by the views of the anointed, imposed via the power of government.” (p. 5)  These elitist, government-expanding crusades shared several key elements, which Sowell identified as follows:

1. Assertion of a great danger to the whole society, a danger to which the masses of people are oblivious.
2. An urgent need for government action to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many, in response to the prescient conclusions of the few.
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes.

You can see this model at work on a daily basis today with our government’s various efforts to reshape our economy, but I think this model is equally applicable to debates over social policy and speech control.  In particular, the various “technopanics” I have been writing about recently fit this model. (See 1, 2, 3, 4, 5).  For example, consider how this plays out in the debate over online social networking:

1. Assertion of a great danger to the whole society [online sexual predators], a danger to which the masses of people are oblivious.
2. An urgent need for government action [online age verification or the Deleting Online Predators Act] to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many [must stop kids and adults from being online together on same sites], in response to the prescient conclusions of the few [state Attorneys General].
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [basically, child safety researchers and others are told that their research is meaningless and that they should just buzz off].

And I think you can see how the model has played out in other debates, such as efforts to regulate “excessively violent” video games and television.

Or consider how this model plays out on the privacy front:

1. Assertion of a great danger to the whole society [amorphous privacy violations], a danger to which the masses of people are oblivious.
2. An urgent need for government action [“baseline federal privacy regulation”] to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many [stupid people who share information online!], in response to the prescient conclusions of the few [handful of over-zealous privacy advocacy groups].
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [basically, any suggestion that the issues are being overblown and that most information-sharing is socially beneficial is dismissed out-of-hand].

Again, it’s all blatant elitism when you get right down to it.  And facts are usually the first casualty of the war.

As Berin mentioned last week, we have a new paper out on proposals to expand the Children’s Online Privacy Protection Act (COPPA) of 1998.   We generically refer to those COPPA-expansion efforts as “COPPA 2.0.” Hence, the title of our paper: “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.”  To recap what Berin already noted, in the name of improving online child safety, some legislators and state attorneys general (AGs) are advocating the expansion of COPPA’s “verifiable parental consent” model of age verification before certain sites or services may collect, or enable the sharing of, personal information for children.

Unlike “COPPA 1.0,” however, which only applied to children under the age of 13, “COPPA 2.0” would apply to all minors up to age 17.  Moreover, the range of sites covered by the new law would generally be expanded to include just about any site or service with social networking functionality.

Since Berin has already summarized our general concerns with efforts to expand COPPA’s “verifiable parental consent” online age verification system to cover more online users and sites, I thought I would focus here on what I believe will be the most controversial (and important) part of our paper — our discussion about how COPPA 2.0 affects the speech rights of both adults and adolescents.

Remember COPA?

To understand why COPPA expansion will raise serious First Amendment issues, we first need to step back and recall the legal battle over the Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA.  Both COPPA and COPA rest on a stratification of users by age, but the approach of the two laws is very different: While COPPA requires age verification if content is “directed at” minors under age 13, COPA would have required that all website operators restrict access to material deemed “harmful to minors” by minors under the age of 17 and therefore requires age verification of all users who attempt to access such content (in order to identify minors). COPPA is focused on certain kinds of potentially harmful contacts while COPA is focused on potentially harmful content.

But by expanding the age range of COPPA to include adolescents, COPPA 2.0 proposals essentially converge with COPA, reaching the same practical consequence: age verification mandates for large numbers of adults as users (not as parents). Only the scope of sites covered by the laws is different: under COPA, sites deemed “harmful to minors,” and, under COPPA 2.0, adolescent-oriented or certain social networking sites. Thus, to the extent that COPPA 2.0 proposals require age verification of adults, they would be subject to constitutional attacks similar to those against COPA.  But COPPA 2.0 proposals would also burden the rights of adults to communicate with adolescents and the free speech rights of adolescents.

Finally, the fact that COPPA (like COPA) applies only to commercial sites would do little to protect it from constitutional attack, because in a world of user-generated content, the commercial nature of a site has little to do with the commercial/non-commercial nature of the speech carried on it. For example, obviously commercial sites like MySpace and Facebook serve as platforms for a wide variety of not-for-profit and political communications.

How COPPA 2.0 Would Impact the Free Speech Rights of Adults

After a decade-long court battle over the constitutionality of COPA, the U.S. Supreme Court in January 2009 rejected the government’s latest request to revive the law, meaning it is likely dead. Three of the key reasons the courts struck down COPA would also apply to COPPA 2.0 proposals.

(1) First, like COPA, COPPA  2.0 would raise burden the speech rights of adults to access information subject to age verification requirements, both by making speech more difficult and by stigmatizing it.  In 2003, the Third Circuit noted that age verification requirements “will likely deter many adults from accessing restricted content, because many Web users are simply unwilling to provide identification information in order to gain access to content, especially where the information they wish to access is sensitive or controversial.” In 2008, in striking down COPA for the third and final time, the Third Circuit approvingly quoted the district court, which had noted that part of the reason age verification requirements deterred users from accessing restricted content was “because Internet users are concerned about security on the Internet and because Internet users are afraid of fraud and identity theft on the Internet.” The district court had held that: “Requiring users to go through an age verification process would lead to a distinct loss of personal privacy” by threatening their anonymity.

By imposing broad age verification requirements, COPPA 2.0 would restrict the rights of adults to send and receive information anonymously just as COPA did. If anything, the speech burdened by COPPA 2.0 deserves more protection, not less, than the speech burdened by COPA: Where COPA merely burdened access to content deemed “harmful to minors” (viz., pornography), COPPA 2.0 would burden access to material by adults as well as minors not because that material is harmful or obscene but merely because it is “directed at” minors! Thus, the content covered by COPPA 2.0 proposals could include not merely pornography, but communications about political nature, which deserved the highest degree of First Amendment protection.

(2) Second, like COPA, COPPA expansion threatens the speech rights of website operators. The necessary corollary of blocking adults from accessing certain content anonymously — and thereby deterring some users from accessing that content — is that COPPA 2.0, like COPA, would necessarily reduce the audience size of websites subject to age verification mandates. Furthermore, such mandates would encourage websites to self-censor themselves to avoid offering content they fear could be considered “directed at” adolescents because doing so might subject them to an age verification mandate — or to legal liability if they fail to implement age verification. The substantial cost of age verification could significantly impact, if not make impossible, the business models of many personal information-collecting (PI) sites, which generally do not charge for content and rely instead on advertising revenues. The Third Circuit cited all of these burdens on the free speech rights of website operators in striking down COPA.

(3) Third, less restrictive alternatives are available to COPPA 2.0, just as they were for COPA.

The Third Circuit drew on the Supreme Court’s 2004 decision striking down COPA on the grounds that “blocking and filtering software is an alternative that is less restrictive than COPA, and, in addition, likely more effective as a means of restricting children’s access to materials harmful to them.” Similarly, parental control software already empowers parents to restrict their kids’ access to PI-collecting sites. (It’s particularly easy for parents to restrict access to the leading social networking sites that seem to be driving so much of the push for COPPA 2.0, so that their kids.)

Thus, the free speech rights burdened COPPA 2.0 proposals are at least as important as those burdened by COPA, and blocking software already empowers parents to restrict their kids’ access to PI-collecting sites, just as it allows parents to restrict access to pornography. Of course, if COPPA 2.0 laws were actually enacted and subject to legal challenge, the outcome of the case would depend largely on the level of constitutional scrutiny involved. COPPA 2.0 advocates might argue that, whatever the rights at stake, a lower level of constitutional scrutiny should apply because COPPA 2.0 does not target a special category of content. If true, this could mean that, although age verification mandates to restrict access to “harmful” material are unconstitutional, far more sweeping mandates restricting access to non-harmful information could be constitutional. Such inconsistency is indeed a perverse consequence of the fact that our First Amendment jurisprudence focuses not on the rights at stake, but on whether a regulation is “content-neutral” in deciding what level of scrutiny to apply—which, in turn, often determines the outcome of the case. But in this case, COPPA 2.0 proposals likely would be subject to strict scrutiny to the extent that they are, like COPA, focused on a certain category of content: that “directed at” adolescents (rather than “harmful to minors”).

Legislators who attempt to escape strict scrutiny by defining the scope of their bill not by its targeted audience but by reference to specific functional capabilities (in the definition of “social networking site”) will likely find that a court will see through such window-dressing: If they recognize that such bills are nonetheless aimed at a certain category of adolescent-oriented content, they will apply strict scrutiny anyway. But even under intermediate scrutiny, COPPA 2.0 proposals would be subject to serious attack.

Minors Have Speech Rights, Too!

In addition, in COPPA 2.0 approaches, the government would restrict the ability of adolescents to access content, not because it could be harmful to them or because it is obscene, but merely because it is “directed to” them. While the First Amendment rights of minors may not be on par with those of adults, adolescents do have the right to access certain types of information and express themselves in certain ways. The Supreme Court has held (in Planned Parenthood of Cent. Mo. v. Danforth) that “constitutional rights do not mature and come into being magically only when one attains the state-defined age of majority.” It remains unclear how an expanded COPPA model might interfere with the First Amendment rights of adolescents, but it is clear that privacy and speech rights would come into conflict under COPPA 2.0, as they do in other contexts.

For example, how might the parental-consent based model limit the ability of adolescents to obtain information about “safer sex” or how to deal with trauma, depression, family abuse, or addiction. Would an abusive father authorize a teen to visit a website about how to report child abuse? Would a parent of an adolescent struggling with their sexual identity let their kid participate in a self-help social networking page for gay and lesbian youth? What rights are at play here and how do we reconcile them?

Maintaining the ability of kids to participate online interactions goes beyond content that most people would recognize as “serious”—from the perspective of both First Amendment values and the education of children. As a recent MacArthur Foundation study of the online youth Internet use concluded:

Contrary to adult perceptions, while hanging out online, youth are picking up basic social and technological skills they need to fully participate in contemporary society. Erecting barriers to participation deprives teens of access to these forms of learning. Participation in the digital age means more than being able to access “serious” online information and culture.

It was at least in part in recognition of such difficult First Amendment questions that Congress removed the requirement in the initial legislative draft of COPPA that would have required PI-based sites to “use reasonable efforts to provide the parents with notice and an opportunity to prevent or curtail the collection or use of personal information collected from children over the age of 12 and under the age of 17.”

Even if parents have an absolute right to block their adolescents’ access to such data, they can already exercise that right by applying strict controls on the computers in their home. COPPA 2.0 proposals go well beyond recognizing this right by setting the default to “parental consent required” for adolescents to access a wide range of content—meaning that parents must “opt-in” on behalf of their children before their children can participate in PI-collecting sites. This, in turn, burdens the ability of adolescents to communicate, because their parents might censor (rightly or wrongly) certain information, or simply fail to understand the technologies involved or to be actively engaged. But whatever the free speech rights of adolescents, if anyone should be interfering with those rights, it should be their parents — not the government.

Some parents may object that, however effective parental control software may be in the home, it does not allow parents to control what their kids’ access outside the home. This argument is understandable on some level, but in the end, it amounts to a demand that roadblocks be put up everywhere for the sake of particularly sensitive parents at the expense of everyone else in society, including potentially huge numbers of adult users — and of online anonymity in general.

But Illinois’s COPPA 2.0 proposal goes even further, not merely expanding COPPA to cover a particular variety of social networking sites, but requiring that such sites “allow the parent or guardian of the minor unrestricted access to the profile webpage of the minor at all times.” Congress considered just such a parental access mandate in the initial draft of COPPA legislation back in 1998, but ultimately removed it from the final version of the legislation, apparently because even some of COPPA’s supporters worried, given the bill’s initial application to the 13-16 age bracket, that “The establishment of a parental right to access all personal information about a teenager may intrude on older minors’ privacy, rather than protect.”

What about Communication between Adolescents & Adults?

Finally, COPPA 2.0 could infringe on the free speech rights of adults to communicate with adolescents online by driving PI-collecting sites to segregate users by age or to attempt to block access by adolescents. The vast majority of adult-minor interactions online are not of a harassing or predatory nature—indeed, they generally involve adults looking to help or assist minors in various ways. As the MacArthur Foundation study cited above concluded:

In contexts of peer-based learning, adults … have an important role to play, though it is not the conventionally authoritative one. In friendship-driven practices, direct adult participation is often unwelcome, but in interest-driven groups we found a much stronger role for more experiences participants to play. Unlike instructors in formal educational settings, however, these adults are passionate hobbyists and creators, and youth see them as experienced peers, not as people who have authority over them. These adults exert tremendous influence in setting communal norms and what educators might call “learning goals,” though they do not have direct authority over newcomers.

A substantial portion of those interactions involve parents talking to their own kids, older and younger siblings communicating with one another, teachers and mentors talking to their students, or even co-workers of different ages communicating. Even when adult-minor communications involve complete strangers, there is typically a socially-beneficial purpose. Think of two people — one an adult and one a minor — debating politics on a discussion board, or creating a Wikipedia entry together. What about a presidential campaign website that involves millions of volunteers of all ages communicating and collaborating to a common purpose? There are countless other examples. How would such interactions be affected by COPPA 2.0? Restricting such interactions would raise profound First Amendment concerns about freedom of speech as well as of association.

In any First Amendment analysis, a court must consider not only the free speech rights at stake and the availability of less restrictive alternatives to regulation, but the governmental interest being advanced. Again, neither COPPA nor the COPPA 2.0 proposals discussed herein (e.g., the New Jersey and Illinois proposals) requires exclusion of older users from a website, nor directly governs the sharing of personal information among users (where that sharing does not also constitute collection by the site itself). But separation of adolescents from adults is likely to be an indirect effect of COPPA 2.0 requirements—as COPPA 2.0 advocates probably realize—because, once PI-collecting sites are required to age-verify users, they will face reputational, political and potentially legal pressure to make interactions between adolescents and children more difficult in the name of “child safety.” More subtly, if PI-collecting site operators have an incentive to avoid being considered “directed at” adolescents, they will also have an incentive to discourage adolescent participation on their site—which achieves a similar result.

Here, one must further ask if attempting to quarantine children from adults (however indirectly) actually advances, on net, a strong governmental interest in child protection. Such a quarantine is unlikely to stop adults with truly nefarious intentions from communicating with minors, as systems designed to exclude participation by adults in a “kids-only” or “adolescents-only” area can be easily circumvented. Given the lack of strong identity records for minors, it’s much easier for an adult to pretend to be a minor than vice versa. The effect of age stratification on truly bad actors is likely to be marginal at best—or harmful at worst: Building walls around adolescents through age-verification might actually make it easier for predators to target teens, since a predator who gains access to a supposedly teen-only site will be less likely to be exposed as a predator by targeting an adult they think is a teen. So for the sake of marginal (if any) gains in child protection, would we not be excluding beneficial interaction between adults and minors?

To hear some of the advocates of COPPA 2.0 talk about how teens currently behave online, one might think that online environments in which adolescents were left to their own devices—imagine a “Teen MySpace” for the 13-17 crowd, walled off from the rest of MySpace—would be far worse, perhaps an online version of Lord of the Flies. These concerns are clearly exaggerated: The critics frequently complain about “the way kids talk to each other these days” while looking at their own past adolescent banter with rose-colored lenses. What is clear is that adolescents (and young adults) behave better in online environments where adults are present, too. Perhaps the best demonstration of this fact has been the uproar from adolescents and young adults that has accompanied Facebook’s explosive growth in popularity among older users in recent months. Many kids hate the idea of adults joining Facebook precisely because the presence of adults encourages kids to “self-regulate” by exercising better judgment and following better netiquette.

Anne Collier, founder and executive director of the child safety advocacy organization Net Family News, Inc. and editor of NetFamilyNews.org and ConnectSafely.org, suggests that the push for “segregation” by age (e.g., creating a teen-only version of Second Life) for safety’s sake is “losing steam” because:

it’s a response to the predator panic teens and parents have been subjected to in U.S. society, not to the realities of youth on the social Web. What nearly a decade of peer-reviewed academic research shows is that peer-to-peer behavior is the online risk that affects many more youth, the vast majority of online kids who are not already at-risk youth offline. Segregating teens from adults online doesn’t address harassment, defamation, imposter profiles, cyberbullying, etc. It may help keep online predators away from kids (even though online predation, or abuse resulting from online communication, constitutes only 1% of overall child sexual exploitation…), which is a great outcome, but it’s not enough unless all that parents are worried about is predators.

Collier discusses the particularly acute problem of “actual or perceived sexual orientation and gender expression,” which the Salt Lake Tribune has noted are “two of the top three reasons secondary school students said their peers were most often bullied at school.” This kind of harassment recently attracted widespread public attention after two 11-year-old boys committed suicide after experiencing anti-gay harassment and bullying at school. Nationwide, “Lesbian, gay, bisexual, transgender and questioning youth are up to four times more likely to attempt suicide than their heterosexual peers.” This child safety risk is painfully real, with anti-gay harassment being only its most obvious form. But “segregating” teens from adults seems likely to aggravate this problem by removing adults from the mix as a potential source of discipline.

Of course, adults play a critical role in disciplining interaction among the 0-12 age bracket, but not as direct participants in on-site interaction. Again, how many adults actually want to use Club Penguin? Instead, parents can supervise what their kids do online through parental control software. Parents could, of course, use that same software to monitor what their adolescent kids do, too. But as kids get older, most parents realize that the training wheels have to come off at some point. Few parents will want to spy on their 17-year old until the day before the kid starts college (or enlists in the military or gets married). But most parents probably would prefer that, if their kids are interacting in an online environment, they think twice about what they do and say online. It is by no means clear that restricting online interaction between teens and adults will serve that end.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

As anyone who has spent time searching for comments on the FCC’s website can tell you, the agency doesn’t exactly have the most user-friendly website.  In the interest of making it easier for others to read the comments that came in last week in the agency’s “Child Safe Viewing Act” Notice of Inquiry, I have compiled all the major comments (those over 3 or 4 pages) and provided links to them below the fold.

Again, this proceeding was required under the “Child Safe Viewing Act of 2007,” which Congress passed last year and President Bush signed last December. The goal of the bill and the FCC’s proceeding (MB 09-26) is to study “advanced blocking technologies” that “may be appropriate across a wide variety of distribution platforms, including wired, wireless, and Internet platforms.”  I filed 150+ pages worth of comments in this matter last week, and here’s my analysis of why this bill and the FCC’s proceeding are worth monitoring closely.

• Association of National Advertisers (ANA)
• AT&T
• Center for Democracy & Technology (Individual Comments)
• CDT (Joint Comments with other Public Interest Groups)
• Children’s Media Policy Coalition
• Coalition for Independent Ratings
• Comcast
• Common Sense Media
• Consumer Electronic Association (CEA)
• CTIA – The Wireless Association
• Cox Communications
• CustomPlay
• Digimarc Corp
• Digital Watermarking Alliance
• Digital Media Association
• Dish Network
• DirecTV
• Entertainment Software Association (ESA)
• Family Online Safety Institute (FOSI)
• Google (+ attachments A, B, C)
• Motion Picture Association of America (MPAA)
• Microsoft
• NAB + NCTA + MPAA (0n TV Guidelines)
• National Cable & Telecommunications Association (NCTA)
• Progress & Freedom Foundation (PFF)
• Sanyo
• Smart Television Alliance
• Sprint-Nextel
• TiVo
• TV Guardian
• TV Watch
• U.S. Telecom Association
• Verizon & Verizon Wireless
• Wi-LAN V-Chip Corp

Today I filed comments with the Federal Communications Commission (FCC) in its proceeding examining the marketplace for “advanced blocking technologies.”  This proceeding was required under the “Child Safe Viewing Act of 2007,” which Congress passed last year and President Bush signed last December. The goal of the bill and the FCC’s proceeding (MB 09-26) is to study “advanced blocking technologies” that “may be appropriate across a wide variety of distribution platforms, including wired, wireless, and Internet platforms.”  My colleagues will no doubt laugh about the fact that I have dropped an absurd 150 pages worth of comments on the FCC in this matter, but I had a lot to say on this topic!  Parental controls, child safety, and free speech issues have been the focus of much of my research agenda over the past 10 years.

In my filing, I argue that the FCC should tread carefully in this matter since the agency has no authority over most of the media platforms and technologies described in the Commission’s recent Notice of Inquiry.  Moreover, any related mandates or regulatory actions in in this area could diminish future innovation in this field and would violate the First Amendment rights of media creators and consumers alike.  The other major conclusions of my filing are as follows:

• There exists an unprecedented abundance of parental control tools to help parents decide what constitutes acceptable media content in their homes and in the lives of their children.
• There is a trade-off between complexity and convenience for both tools and ratings, and no parental control tool is completely foolproof.
• Most homes have no need for parental control technologies because parents rely on other methods or there are no children in the home.
• The role of household media rules and methods is underappreciated and those rules have an important bearing on this debate.
• Parental control technologies work best in combination with educational efforts and parental involvement.
• The search for technological silver-bullets and “universal” solutions represent a quixotic, Holy Grail-like quest and it will destroy innovation in this marketplace.
• Enforcement of “household standards” made possible through use of parental controls and other methods negates the need for “community standards”-based content regulation.

My entire filing can be found here and down below in a Scribd reader.  All comments in the matter are due tomorrow and then reply comments are due on May 18th.

[FCC FILING] Adam Thierer-PFF Re Child Safe Viewing Act NOI (MB 09-26) http://d.scribd.com/ScribdViewer.swf?document_id=14264143&access_key=key-2nrvjm96q9cl5vep567l&page=1&version=1&viewMode=

Whenever I pen anything about the dangers of age verification mandates for the Internet and social networking sites, I always point to Federal Trade Commission (FTC) reports about rising identity theft complaints. For the ninth year in a row, identity theft was the number one consumer complaint to the agency.

Now, imagine how much worse this problem could get if government mandated that everyone had to be “verified” before they were allowed to visit a social networking site, however that ends up being defined. Such a mandate would exponentially increase the amount of personal information — especially credit card information — that was available to identity thieves.  Age verification advocates often ignore this problem when making the case for regulation.

Worse yet, much of the information that would be made available via such mandates would be personal information about children, which makes for a very attractive target for identity thieves since those records are rarely checked until the kids get much older and start applying for things. At least most adults typically learn they have been the victim of ID theft shortly after it occurs, allowing them to take steps to deal with the situation. With kids, their records could be milked for years by bad guys without them or their parents ever knowing it.

It appears that the long legal saga of the Child Online Protection Act of 1998 (COPA) has finally come to a close. This morning, according to AP, the U.S. Supreme Court rejected the government’s latest request to revive the law, which was stuck down as an unconstitutional violation of the First Amendment by lower courts and never went into effect.

COPA was an effort by Congress to modify the Communications Decency Act of 1996 (CDA) in response to the Supreme Court’s decision in Reno v. ACLU finding that the CDA was unconstitutionally over-broad. COPA sought to narrow the scope of regulation and protect minors from sexual material on the Internet by making it a crime for someone to “knowingly” place materials online that were “harmful to minors.” The law provided an affirmative defense from prosecution, however, to those parties who made a “good faith” effort to “restrict[ ] access by minors to material that is harmful to minors” using credit cards or age verification schemes. Although narrower than the CDA, COPA was immediately challenged and also blocked by lower courts because it was still too sweeping in effect. Moreover, the courts found there were other “less restrictive means” that parents could use to deal with objectionable content — such as Internet filters.

Following the initial challenge, COPA then became the subject of an epic, decade-long legal battle that finally concluded today when the U.S. Supreme Court refused to revisit the law. COPA had already been reviewed by the Supreme Court twice before — in 2002 and 2004.  Thus, a third visit to the Supreme Court by COPA would have been something of a historical development in the world of First Amendment jurisprudence. But with the Supreme Court’s rejection of the government’s appeal today, lower court rulings stand and COPA will remain unconstitutional and unenforceable.

The key recent legal battle occurred in the Third Circuit Court of Appeals, which upheld a lower court ruling striking down COPA. The Third Circuit’s full decision is here. And I penned a 3-part series on the lower court ruling by Judge Lowell Reed Jr., senior judge of the U.S. District Court for the Eastern District of Pennsylvania, here, here, and here. Also make sure to check out this summary of COPA’s legal journey that Alex Harris penned last November.

While COPA is now dead and buried, it would be foolish to think this is the end of efforts to legislate on this front. Although it remains unclear what the legislative response will look like during a time of Democratic rule, I am certain that legislation will be floated in short order (i.e., “Son of COPA”) to try to get around the constitutional issues and regulate objectionable online content. If legislators were smart, they’d avoid legally risky solutions like more centralized filtering mandates or age verification requirements. They’d be on safer ground to consider going the subsidy route and finding a way to get parental control tools in the hands of more families and institutions. I’m not saying that I favor such subsidies, merely that such an approach would almostly certainly pass legal muster and probably wouldn’t even be challenged in court. They might also consider more public education / PSA-driven approached to online safety. Those approaches may end up finding more support in a Democratic Congress and administration anyway.

[More coverage at NYT, Reuters, CNet and Ars.]

The Internet Safety Technical Task Force (ISTTF), which was formed a year ago to study online safety concerns and technologies, today issued its final report to the U.S. Attorneys General who authorized its creation. It was a great honor for me to serve as a member of the ISTTF and I believe this Task Force and its report represent a major step forward in the discussion about online child safety in this country.

The ISTTF was very ably chaired by John Palfrey, co-director of Harvard University’s Berkman Center for Internet & Society, and I just want to express my profound thanks here to John and his team at Harvard for doing a great job herding cats and overseeing a very challenging process. I encourage everyone to examine the full ISTTF report and all the submissions, presentations, and academic literature that we collected. [It’s all here.] It was a comprehensive undertaking that left no stone unturned.

Importantly, the ISTTF convened (1) a Research Advisory Board (RAB),which brought together some of the best and brightest academic researchers in the field of child safety and child development and (2) a Technical Advisory Board (TAB), which included some of America’s leading technologists, who reviewed child safety technologies submitted to the ISTTF. I strongly recommend you closely examine the RAB literature review and TAB assessment of technologies because those reports provide very detailed assessments of the issues. They both represent amazing achievements in their respective arenas.

There are a couple of key takeaways from the ISTTF’s research and final 278-page report that I want to highlight here. Most importantly, like past blue-ribbon commissions that have studied this issue, the ISTTF has generally concluded there is no silver-bullet technical solution to online child safety concerns. The better way forward is a “layered approach” to online child protection. Here’s how we put it on page 6 of the final report:

The Task Force remains optimistic about the development of technologies to enhance protections for minors online and to support institutions and individuals involved in protecting minors, but cautions against overreliance on technology in isolation or on a single technological approach. Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online. All stakeholders must continue to work in a cooperative and collaborative manner, sharing information and ideas to achieve the common goal of making the Internet as safe as possible for minors.

In sum, education and empowerment are the real keys to keeping kids safer online. We all need to work harder to mentor our children and help them develop the skills and good old fashion common sense to make smart decisions online. Technical tools can supplement — but can never supplant — education, parental guidance, and better mentoring.

Still, this was a task force that primarily came about after state attorneys general (AGs) had been incessantly pressuring social networking sites like MySpace and Facebook to adopt age verification technologies as a solution to online child safety concerns. Specifically, fears about online predators — driven largely by the moral panic whipped up by shows like NBC’s “To Catch a Predator” — prompted calls for mandatory age verification for social networking sites.

So, what did the final ISTTF report have to say about mandatory age verification. Answer: Probably not as much as the AGs were hoping for, and what we did say they may not like to hear.

First, the ISTTF’s Research Advisory Board conclusively proved the primary online safety issue today is peer-on-peer cyber-harassment, not adult predation. Mandatory age verification would do nothing to stop cyberbullying. Indeed, the lack of adult supervision may even exacerbate the problem.

Second, after reviewing various age verification solutions, the ISTTF’s Technical Advisory Board concluded:

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness. Any system that relies on remote verification of information has potential for inaccuracies. For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s. Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records. Any system that focuses on third-party in-person verification would require significant political backing and social acceptance. Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.

As a result, our final report concluded that:

The Task Force does not believe that the Attorneys General should endorse any one technology or set of technologies to protect minors online. Instead, the Attorneys General should continue to work collaboratively with all stakeholders in pursuing a multifaceted approach to enhance safety for minors online.

Then, on pages 28-31, we go into more detail about age verification, finding that:

[Age verification] approaches are less effective in the child safety context — in other words, at creating safe environments for minors — than in the context of completing financial transactions or regulating purchases, especially to the extent that identity authentication and age verification focus solely upon adults. The reasons for this include the fact that in the commercial and financial contexts, an adult typically wants to verify his or her identity correctly in order to purchase a product or get access to records. Moreover, when adults purchase regulated items (such as alcohol or tobacco) online, in some cases a second form of age verification occurs when the item is delivered.

The identity authentication and age verification solutions that authenticate or verify only adults could be and are already sometimes used to reduce minors’ access to adult-only sites. Because they do not authenticate or verify minors, however, they cannot be used to create environments for minors that require authentication or verification prior to access. To the extent that an adult nonetheless uses his or her own verifiable information when accessing an environment intended only for minors, these technologies could enhance the ability of Internet service providers and social network sites to exclude that adult. Of course, it seems unlikely that an adult with nefarious purposes would proceed in this manner. Thus, while these types of identity authentication and age verification technologies may be helpful for other purposes, they do not appear to offer substantial help in protecting minors from sexual solicitation.

And there’s far more detail following this passage from the final report, so please read that section for additional discussion.

Again, some AGs may not like to hear all this but these were near-consensus findings of the Task Force. And, if anything, the Task Force probably did not far enough to show why mandatory age verification will not work and how age verification will actually make kids less safe online. In my final statement to the Task Force, this is what I spent my time focusing on. I outlined the dangers of age verification as well as 10 questions about age verification that the AGs must answer if they persist in this pursuit of a technological Holy Grail. I have embedded my entire expanded final statement down below as a Scribd document, but here are the key reasons I believe mandatory age verification represents a dangerous solution to online child safety concerns:

Again, although the Task Force didn’t go quite as far as I would have liked in terms of making clear the dangers associated with mandatory age verification, I think our final report reflects the general skepticism among Task Force members about taking that path or relying too heavily on any single, silver-bullet technical approach to online child safety concerns. Again, this is real progress; a sensible step forward in the discussion about keeping our kids safe online.

I hope policymakers will take a close look at our conclusions and recommendations and take them seriously. We need to stop wasting so much time searching for silver bullets and start getting more serious about how to better mentor our kids so that they can be good — and safe — digital citizens. Education, not regulation, is the key.

Below I have linked to some background essays about the Internet Safety Technical Task Force as well as additional thoughts by fellow task force members or reporters. I’ll add to it as I see new things in coming days.

Additional thoughts / articles about the ISTTF:

• ISTTF director John Palfrey discusses the report on this short podcast with Larry Magid as well as this longer one from the Berkman Center
• ISTTF co-director danah boyd comments on the report on her blog
• ISTTF member Larry Magid of ConnectSafely.org: “Net Threat to Minors Less Than Feared,” CNet News.com
• ISTTF member Anne Collier of Net Family News: “Key Crossroads for Net Safety“
• ISTTF member Stephen Balkam of FOSI featured on an NPR podcast about our work
• ISTTF member John Morris of CDT: “Deconstructing Reaction to Net Safety Task Force Report“
• ISTTF member Marsali Hancock, President of iKeepSafe blog essay about the task force
• AGs respond to report in interview with Emily Steel of the Wall Street Journal: “The Case for Age Verification“
• New York Times article by Brad Stone: “Report Calls Online Threats to Children Overblown“
• Wall Street Journal article by Emily Steel: “No Easy Answer for Protecting Kids Online“
• Associated Press story by Anick Jesdanun: “Panel: Technology Alone Can’t Protect Kids Online“
• Chronicle of Higher Education Wired Campus blog entry by Tracy Mitrano, “Report Weighs the Benefits and Risks of Social Networks,”
• PC World article by Jaikumar Vijayan: “Study Accused of Exaggerating Kids Online Safety“
• PC World blog post by Jaikumar Vijayan: “Are Internet Child Safety Concerns Overblown or Understated?”

Background info:

• an old blog entry of mine about the formation of the task force
• an old paper of mine about the agreement between MySpace and AGs that led to the formation of the ISTTF
• an essay of mine from the ISTTF’s mid-point: “Age Verification Debate Continues; Schools Now at Center of Discussion“
• my big white paper on the dangers of mandatory age verification
• my book: “Parental Controls and Online Child Protection: A Survey of Tools and Methods”
• my final ISTTF statement, which is also embedded below as a Scribd document…

I was about post something more regarding why Kevin Martin’s AWS-3 spectrum filtering plan will fail, but I can’t say it any better than Steve Schultze does here:

Martin also recently leaked the fact that he is proposing that adults can verify their identity to avoid the porn filter initially mandated for all users of of the no-fee service. I helped author some comments to the FCC explaining why this filter was a bad idea, so an opt-out mechanism could theoretically be a good development… if age verification were viable, and if you thought that adults were eager to identify themselves as possible porn-lovers, and if we assumed that all adults had credit cards. In short, filtering is not a great option even with those caveats.

Exactly. Also, don’t forget about that little thing called the First Amendment! This plan would almost certainly be challenged on 1A grounds. (Also, here’s a filing I signed on to that critiques the filtering plan).

I’ve just finished reading Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion, by Hal Abelson, Ken Ledeen, and Harry Lewis, and it’s another title worth adding to your tech policy reading list. The authors survey a broad swath of tech policy territory — privacy, search, encryption, free speech, copyright, spectrum policy — and provide the reader with a wonderful history and technology primer on each topic.

I like the approach and tone they use throughout the book. It is certainly something more than “Internet Policy for Dummies.” It’s more like “Internet Policy for the Educated Layman”: a nice mix of background, policy, and advice. I think Ray Lodato’s Slashdot review gets it generally right in noting that, “Each chapter will alternatively interest you and leave you appalled (and perhaps a little frightened). You will be given the insight to protect yourself a little better, and it provides background for intelligent discussions about the legalities that impact our use of technology.”

Abelson, Ledeen, and Lewis aren’t really seeking to be polemical in this book by advancing a single thesis or worldview. To the extent the book’s chapters are guided by any central theme, it comes in the form of the “two basic morals about technology” they outline in Chapter 1:

The first is that information technology is inherently neither good nor bad — it can be used for good or ill, to free us or to shackle us. Second, new technology brings social change, and change comes with both risks and opportunities. All of us, and all of our public agencies and private institutions, have a say in whether technology will be used for good or ill and whether we will fall prey to its risks or prosper from the opportunities it creates. (p. 14)

Mostly, what they aim to show is that digital technology is reshaping society and, whether we like or it not, we better get used to it — and quick!  “The digital explosion is changing the world as much as printing once did — and some of the changes are catching us unaware, blowing to bits our assumptions about the way the world works… The explosion, and the social disruption that it will create, have barely begun.” (p 3)

In that sense, most chapters discuss how technology and technological change can be both a blessing and a curse, but the authors are generally more optimistic than pessimistic about the impact of the Net and digital technology on our society. What follows is a quick summary of some of the major issues covered in Blown to Bits.

Privacy: In the chapter on privacy, the authors conclude that it is increasingly difficult to bottle up our personal information and protect it and ourselves entirely from the outside world. “Despite the very best efforts, and the most sophisticated technologies, we can not control the spread of our private information. And we often want information to be made public to serve our own, or society’s purposes.” (p. 70) They argue that there still may be some ways to deal with the misuse of information and that some new technologies might be able to help protect our privacy at the margins. Generally speaking, however, this is a losing battle, and, more importantly, there is an increasing tension between privacy and freedom of speech:

A continuing border war is likely to be waged, however, along an existing free speech front: the line separating my right to tell the truth about you from your right not to have that information used against you. In the realm of privacy, the digital explosion has left matters deeply unsettled. (p. 70)

These are issues I discussed in more detail in my recent review of Daniel Solove’s important new book, Understanding Privacy. Abelson, Ledeen, and Lewis are right to point out that these tensions are only going to increase in coming years and their chapter outlines many of the new fault lines in the debate over online privacy.

Encryption: Having followed the “crypto wars” closely in the mid-1990s, I also found their chapter on cryptography intriguing. The authors note that encryption has gone mainstream. “Keys are cheap. Secret messages are everywhere on the Internet. We are all cryptographers now.” Despite that, the authors note that “very little email is encrypted today.” With the exception of some human rights groups and some particularly privacy-sensitive users, most of us are perfectly content to send our e-mails unencrypted. They argue that there are three reasons most people are unconcerned about their e-mail privacy:

First, there is still little awareness of how easily our e-mail can be captured as the packets flow through the Internet. […] Second, there is little concern because most ordinary citizens feel they have little to hide, so why would anyone bother looking? […] Finally, encrypted email is not built into the Internet infrastructure in the way encrypted web browsing is. (p. 191-92)

They continue and conclude:

Overall, the public seems unconcerned about privacy of communication today, and that privacy fervor that permeated the crypto wars a decade ago is nowhere to be seen. In a very real sense, the dystopian predictions of both sides of that debate are being realized: On the one hand, encryption technology is readily available around the world, and people can hide the contents of their messages, just as law-enforcement feared… At the same time, the spread of the Internet has been accompanied by an increase in surveillance, just as the opponents of encryption regulation feared. (p. 193)

Actually, I’m not sure there really was a “privacy fervor that permeated the crypto wars a decade ago.” Many of us who argued passionately for crypto-freedom back then knew it was unlikely that the masses were going to rush right out and start encrypting all their mail the minute the policy battle ended. In reality, most of us live pretty mundane lives and just don’t care enough to go through the hassle of encrypting the random chatter of e-mail. But it was the principle of the matter that counted — the government should never be given the keys to unlock all private communications. That is what we were fighting about in the crypto wars — not the necessity of everyone encyrpting every e-mail they sent.

Importantly, however, the authors correctly note how the truly beneficial result of the fight for crypto-freedom was an explosion of online commerce, facilitated by behind-the-scenes crypto protecting our transactions. Amazon, eBay, and many other e-commerce vendors, both big and small, have prospered because of strong crypto. That was the security blanket many of us needed before we were willing to take the plunge and begin doing most of our shopping and financial transactions online. This is a great public policy success story, and Abelson, Ledeen, and Lewis do a wonderful job relaying it to the reader.

Online Free Speech / Age Verification: As a passionate First Amendment advocate, the chapter on free speech issues was also of great interest to me. The authors run through the early history of efforts to censor online speech, including the Communications Decency Act of 1996 (CDA) and the Child Online Protection Act of 1998 (COPA), and bring us right up to speed with congressional efforts such as the Deleting Online Predators Act (DOPA), which would ban social networking sites and services in publicly funded schools and libraries. “DOPA, which has not passed into law, is the latest battle in a long war between conflicting values,” note the authors. “On the one hand, society has an interest in keeping unwanted information away from children. On the other hand, society as a whole has an interest in maximizing open communication.” (p. 231)

Abelson, Ledeen, and Lewis go on to outline the dangers of online censorship and the importance of defending the First Amendment from new legislative and regulatory attacks, but they would have done well to cite the growing diversity of parental control tools and methods that are now on the market. I share their passion for defending free speech values, but it is equally important we work hard to show parents and policymakers how many effective self-help tools and strategies are out there on the market today to help them guide — or even control — their child’s media and Internet experiences. Not everyone is equally excited about what a world of media abundance offers us, or out children. If we hope to continue to fend off attacks on the First Amendment, we have to make sure parents are empowered to mentor their kids and limit access to content they find objectionable so they don’t expect Uncle Sam to play the role of national nanny.

I was glad to see the authors spend some time focusing on online age verification / identity authentication since that is probably the most important free speech debate raging today. [I’ve written quite a bit here about the battle over online age verification for social networking sites and other online sites.] The authors point out Congress already attempted to impose age verification on the Internet when they passed the Child Online Protection Act in 1998. “The big problem,” the authors note, “was that these methods either didn’t work or didn’t even exist.” (p. 248) Indeed, the effort in COPA to require “adult personal identification numbers” or a “digital certificate that verifies age” was in their words, “basically a plea from Congress for the industry to come up with some technical magic for determining age at a distance.” (p. 248)  And things really haven’t advanced much since then, they argue:

In the state-of-the-art, however, computers can’t reliably tell the if party on the other end of the communications link is a human or is another computer. For a computer to tell whether a human is over or under the age of 17, even imperfectly, would be very hard indeed. Mischievous 15-year-olds could get around any simple screening system that could be used in the home. The Internet just isn’t like a magazine store. (p. 249)

I hope policymakers are listening — especially the many stubborn state attorneys general who continue to push age verification as a silver-bullet solution to online child safety concerns.

Spectrum Policy: The authors point out how the death of media scarcity has profound implications for the future of speech regulation and spectrum policy alike. “As a society,” they argue, “we simply have to confront the reality that our mindset about radio and television is wrong. It has been shaped by decades of the scarcity argument.” (p. 292)  Regarding what it means for speech controls, they note:

If almost anyone can now send information that many people can receive, perhaps the government’s interest in restricting transmissions should be less than what it once was, not greater. In the absence of scarcity, perhaps the government should have no more authority over what gets said on radio and TV than it does over what gets printed in newspapers. (p. 261)

I couldn’t agree more, and I’ve written voluminously on the topic of creating a “consistent First Amendment standard for the Information Age.” Abelson, Ledeen, and Lewis seem to agree with what I said there when they argue:

Other regulation of broadcast words and images should end. Its legal foundation survives no longer in the newly engineered world of information. There are too many ways for the information to reach us. We need to take responsibility for what we see, and what our children are allowed to see. And they must be educated to live in a world of information plenty. (p. 293)

The death of the scarcity doctrine should also have a profound impact on the future spectrum policy decisions, they say. Perhaps scarcity-based rationales for regulation made (some) sense in the past, but:

These were facts of the technology of the time. They were true, but they were contingent truths of engineering. They were never universal laws of physics, and are no longer limitations of technology. Because of engineering innovations over the past 20 years, there is no practically significant “natural limitation” on the number of broadcast stations. Arguments from inevitable scarcity can no longer justify U.S. government denials of the use of the airwaves. The vast regulatory infrastructure, built to rationalize use of the spectrum but much more limited radio technology, has adjusted slowly — as it almost inevitably must: Bureaucracies don’t move as quickly as technological innovators. The FCC tries to anticipate resource needs centrally and far in advance. But technology can cause abrupt changes in supply, and market forces can cause abrupt changes in demand. Central planning works no better for the FCC than it did for the Soviet Union. (p. 272)

I completely agree, although challenging questions remain about how to get us out of the current mess. Abelson, Ledeen, and Lewis argue that “commons-based” approaches make the most sense. I am certainly open to the idea of treating certain swaths of spectrum as a commons, but it’s important to recognize that this does not necessarily get the regulators completely out of the picture. In fact, as my TLF colleague Jerry Brito has persuasively argued, there is the real potential that the FCC could become an aggressive device regulator if we switch to this approach. “A ‘commons’ model is not a third way between regulation and property, it is just another kind of regulation,” Brito concludes. That’s why I continue to believe that a property rights-based approach for most spectrum allocation makes the most sense and will get the spectrum deployed for its most highly-valued use. Commons-based approaches should supplement, not supplant, that model.

Abelson, Ledeen, and Lewis also fail to sweat the details about how to handle the issue of incumbent spectrum users in the transition to their preferred commons-based model. That strikes me as a pretty big problem. They repeatedly mention how incumbents often seek to block beneficial spectrum reforms — which is no doubt true on some occasions — but that doesn’t mean incumbent spectrum holders don’t have legitimate rights in their existing allocations that should be honored. I would hope that, even if they wanted to go with a pure commons approach going forward, the authors would at least be willing to grandfather-in existing spectrum users. If the goal is to encourage them to vacate what they currently have, incentivize them with flexible use and resale rights. For example, for the right price, a lot of broadcast spectrum holders might be willing to give up their current allotment. Alternatively, if flexible use was allowed, they might deploy their spectrum for a different purpose. Unfortunately, both of these options are currently prohibited by the FCC’s command-and-control regulatory system.

Overall, however, I enjoyed the spectrum chapter and found the history and technology primer in this chapter to be the best in the book.

Copyright: The authors have a strongly-worded chapter on copyright that generally argues for relaxing copyright protections. Interestingly, however, (unless I am missing something) I notice they don’t offer their book for free download on their site.  I’m always intrigued by copyright critics who refuse to put their own content online. Apparently, it’s another case of ‘copying is good for me, but not for thee.’ Regardless, in their copyright chapter, they argue that:

The war over copyright and the Internet has been escalating for more than 15 years. It is a spiral of more and more technology that makes it ever easier for more and more people to share more and more information. This explosion is countered by a legislative response that brings more and more acts within the scope of copyright enforcement, subject to punishments that grow ever more severe. Regulation tries to keep pace by banning technology, sometimes even before the technology exists… If we cannot slow the arms race, tomorrow’s casualties may come to include the open Internet and dynamic of innovation that fuels the information revolution. (p. 199)

The authors make a fair point about the perils of banning technologies to protect copyright. That’s never the right answer. Regrettably, however, they pay less attention to what I regard as the legitimate concerns of copyright holders about how to protect their creative works and expressive endeavors going forward. And it’s not just about protecting large-scale industries, as they and other copyright critics are often prone to claim. It’s about whether or not we want a workable copyright system going forward. Of course, some critics wouldn’t mind seeing copyright law fade into the sunset altogether. But Abelson, Ledeen, and Lewis don’t really make it clear how far they’d be willing to go. They do have a brief discussion about collective licensing approaches as a possible solution, which may be coming sooner than we think for the Net. Unfortunately, they don’t spend much time developing the details. I remain skeptical about the sensibility of that approach — especially since it will likely end up being compulsory in nature and fraught with fairness problems (i.e. Who pays in? How much? On the other end, who gets paid how much when their content appears online? etc.) Nonetheless, I think that’s where we’ll end up before the copyright wars are over, so it would have been nice to see the authors spend more time on collective licensing issues.

They also spend a lot of time discussing DRM. I was surprised by their comment that, “Developers of DRM and trusted platforms may be creating effective technologies to control the use of information, but no one has yet devised effective methods to circumscribe the limits of that control.” (p. 212) I must say, that does not seem to match up with the reality of the market we see around us today in which DRM systems are rapidly crumbling and being abandoned left and right.

Conclusion

I didn’t agree with everything in Blown to Bits, such as their unfortunate call for Net neutrality regulation. Overall, however, I enjoyed the book and recommend it. The narrative can be a little disjointed at times, almost sounding like a series of e-mail exchanges between friends (which may have been the case since the book had three authors). But the text is very accessible and contains a great deal of useful information to bring you up to speed on the hottest tech policy debates under the sun. If the authors are smart, they’ll throw the book online and update it periodically to keep it fresh. As I have found with my parental controls and Media Metrics reports, that’s the only way to keep up with the frantic pace of change in the tech policy arena — version your books like software and release periodic updates.

This book will definitely appear on my big, end-of-year “Most Important Tech Policy Books of 2008” list, which I should have wrapped up shortly. Also, I think this book makes a nice complement to Palfrey and Gasser’s Born Digital, which I reviewed here last month. And, if you are interested in another title that takes an approach similar to what Abelson, Ledeen, and Lewis have taken here, you might want to check out Bruce Owen’s outstanding 1999 book “The Internet Challenge to Television.” It’s an oldy but a goodie, as I noted here.

Finally, given the title of the book and the countless times in the text that Abelson, Ledeen, and Lewis talk about the “bits revolution,” how “bits are bits,” and how “bits behave strangely,” shockingly, they never seem to get around to crediting Nicholas Negroponte for his pioneering work on this front in Being Digital. Long before anybody else gave a damn about how the movement from a world of atoms to a world bits would change our entire existence, Nicholas Negroponte was preaching that gospel to the unconverted. And considering he was saying all that back in the dark (dial-up) ages of 1995, the man deserves some credit, as I have noted here before.

In a big post two months ago entitled “Age Verification Debate Continues; Schools Now at Center of Discussion,” I noted that there has been an important shift in the age verification debate: Schools and school records are increasingly being viewed as the primary mechanism to facilitate online identity authentication transactions. I pointed out that this raises two very serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?

Brad Stone of the New York Times has just posted an important article with relevance to this debate. In it, he points out that:

performing so-called age verification for children is fraught with challenges. The kinds of publicly available data that Web companies use to confirm the identities of adults, like their credit card or Social Security numbers, are either not available for minors or are restricted by federal privacy laws. Nevertheless, over the last year, at least two dozen companies have sprung up with systems they claim will solve the problem. Surprisingly, their work is proving controversial and even downright unpopular among the very people who spend their days worrying about the well-being of children on the Web. Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat — the menace of online sex predators — with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.

Stone highlights the efforts of eGuardian, a California company that, “asks a parent to submit the birth date, address, school and gender of a child, then it asks schools to confirm the information.”

Over the last year, eGuardian has been approaching schools, primarily in California, and offering them the entire $29 sign-up fee when they persuade parents to sign up their children. EGuardian’s real money-making hope — and this is what makes [Nancy] Willard nervous — is to have Web sites pay a commission for each eGuardian member. The Web site can then use the data on each child to tailor its advertising.

Nancy Willard, one of America’s leading online child safety experts, is the executive director of the Center for Safe and Responsible Internet Use, and the author of the outstanding book, Cyber-Safe Kids, Cyber-Savvy Teens. The concern she raised with Brad Stone is that “Age verification companies are selling parents on the premise that they can protect the safety of children online, and then they are using this information for market profiling and targeted advertising.” Basically, companies like eGuardian give the software to schools or parents and then hope to make it back through targeted advertising. According to Stone’s article, “EGuardian’s real money-making hope — and this is what makes Ms. Willard nervous — is to have Web sites pay a commission for each eGuardian member. The Web site can then use the data on each child to tailor its advertising.”

I’m not quite as concerned about the advertising / marketing issue as Nancy Willard, but I am equally disturbed about the prospect of using schools as online age verification agents– or partnering with others to make that happen. I apologize for quoting myself at length on this point, but here’s how I stated my concerns before:

[I]nvolving schools in any age verification scheme would raise serious privacy concerns and administrative problems. Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated? Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously. Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents. But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves). Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward. […] Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

Interestingly, Richard Blumenthal, the attorney general of Connecticut, who has been one of the leading proponents of age verification, told Brad Stone that the privacy issues raised by Willard and others are now on his radar screen:

“The attorneys general would be very concerned about using age verification to promote marketing or any other kinds of promotional pitches or gimmicks aimed at specific age groups,” he said. “Targeted marketing may have its place, but it should not be coupled with the issue of childhood safety.”

That’s good to hear. But I hope Mr. Blumenthal and the other AGs realize that that is just one of many reasons to be concerned about mandatory online age verification, especially if it involved schools as age verification agents. It has troubling implications for schools, kids, parents, free speech, online anonymity, privacy rights, and much more. Most importantly, as I made clear here, it remains highly unlikely that online age verification would actually do anything to really keep kids safer online. In sum, the costs far outweight the benefits when it comes to mandatory age verification.

Great post over on the Tor blog about how “anonymity on the Internet is not going away.” This is a subject I care about deeply. Here, for example, is an essay I wrote about mandatory age verification and the threat it poses to online anonymity.  I love this paragraph from the Tor essay, and agree with it wholeheartedly:

Anonymity is a defense against the tyranny of the majority. There are many, many valid uses of anonymity tools, such as Tor. The belief that anonymous tools exist only for the edges of societies is narrow-minded. The tools exist and are used by all. Much like the Internet, the tools can be used for good or bad. The negative uses of such tools typically generate huge headlines, but not the positive uses. Raising the profile of the positive uses of anonymity tools, such as Tor, is one of our challenges.

Amen brother.

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies.  In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.”  [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

• There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
• First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
• Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
• It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
• It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

How We Could Verify Kids, and Why We Should Not Do It

Let’s assume that we want to achieve AG Blumenthal’s “man-on-the-moon” dream of verifying all kids before they go online. How would we do it?  There are really only two solutions: (1) full-blown national ID cards for kids, or (2) tapping school records about kids to somehow age-verify kids (sort of a “National ID card-Lite” scheme).

National ID Cards for Kids

The first scheme is fairly straightforward, but incredibly frightening to those of us who care about civil liberties. Basically, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others — including social networking sites — as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children.  Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into  collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Using the Schools to Help Verify Kids

So, let’s work from the assumption that National ID cards for kids is not going to fly as an online identity authentication solution.  The only other realistic scheme would involve getting the schools involved in the process.  Why?  Because to paraphrase Willy Sutton: “That’s where the data is.”  Schools have more information about our children than probably every other institution or organization combined.  They have very detailed records about kids, their ages and much more, which makes schools a logical candidate for participation in a possible age verification system for minors.  But involving schools in any age verification scheme would raise serious privacy concerns and administrative problems.

Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated?

Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously.

Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents.

But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves).

Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward.  Incidentally, no one from the educational community was present at Harvard this week as these proposals were flying.  Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

How about Parental Permission Slips for Online Verification?

Another potential way to go about online verification is to avoid verifying the kids directly and instead just verify parents (or guardians) and then get them to vouch for their children.  Some age verification advocates are now calling for such parental consent-based forms of child verification.  Specifically, they are now attempting to drive regulation through the prism of the Children’s Online Privacy Protection Act (COPPA) of 1998.

By way of background, COPPA required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. Generally speaking, the goal was to make sure that such websites were not collecting personal information about children without getting parental permission. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a February 2007 report to Congress about the status of the COPPA and its enforcement, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

Nonetheless, what should be evident here is that COPPA’s parental consent framework could serve as a vehicle for pushing through greater regulation of all social networking sites, not just those sites geared toward kids under 13.   Indeed, we have already seen that proposed at the state level.  For example, in the debate that took place over age verification in the North Carolina statehouse last summer, a parental permission-based verification proposal supported by North Carolina Attorney General Roy Cooper was billed as a way to strengthen and expand the COPPA framework.  (Never mind the fact that COPPA is a federal statute, or that the state of North Carolina is likely barred from regulating Internet speech and commerce thanks to the First Amendment and the Commerce Clause of the Constitution!)

In other words, future age verification mandates could arrive in the form of COPPA amendments, or at least cite COPPA’s regulatory framework as precedent.  Specifically, the proposal would be to: (a) extend COPPA’s coverage to kids up to the age of 18 and then (b) broaden the range of SNS sites that are covered by its parental consent requirements.

There are many problems associated with such a proposal, and I will get to some of them in a moment. But here’s the more interesting question that few have asked: Is COPPA really working?  It is very much unclear to me that COPPA actually works as billed, but to the extent it does, it is likely because of the very limited scale and nature of the operations it covers.  As I have said in my past writing on the issue, there is a direct relationship between the size of a site and the likelihood of success in attempting to verify its users / members. Of course, that is hardly surprising.  But let’s get a little more concrete about why that is important.  Here are the two reasons that I believe the COPPA / parental consent regime has generally worked so far, or at least hasn’t failed miserably:

(1) Many smaller sites charge a fee for admission; and

(2) The functionality of those sites is usually tightly limited. They are closed, walled gardens.

Regarding the first point: Obviously, the more a site charges for access, the more likely it is that the parent / guardian pays attention to what their kid is doing.  Of course, that doesn’t mean a bad guy couldn’t still get into those “verified” environments under false pretenses.  And there’s the problem of minors with access to credit cards.  Moreover, even assuming credit cards worked as an age verification method, there is the more practical question of whether lawmakers have the guts to mandate that every social networking site in the land start charging admission for access.  Since almost all SNSs are free-of-charge today, that is not going to be a very popular mandate!

Nonetheless, for very small, niche-oriented social networking sites geared toward younger kids, credit cards and fees are part of the reason people think COPPA has “worked.”  In essence, it acts as a bit of a roadblock or hassle thrown in the way of access, and that gets parents thinking and talking to the kids about those sites. That is the argument put forward by Denise Tayloe of Privo, one of the four FTC-approved COPPA safe harbor providers.   Ironically, Tayloe has noted that one of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites. As a result,” she notes, “databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says.

Despite these problems, Tayloe argues that COPPA serves an important role.  Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that COPPA “provides a platform to educate parents and kids about privacy.”  Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.  And we don’t really have any idea what level of parent-child interaction COPPA incentivizes.  More importantly, we don’t really have any good data regarding the accuracy of claims made pursuant to COPPA’s requirements regarding the relationship between parents and the kids seeking access to the site.  How many people (kids or adults) were able to gain access under false pretenses? We don’t know.

Nonetheless, the operating assumption here is that by creating an added economic hurdle or barrier to entry (in the form of the hassle of filling out paperwork or forms), COPPA gets some parents (perhaps most?) to put more thought into what their kids are doing online, and that somehow improves online safety in larger scheme of things.  The problem is that that does not necessarily mean that their kids are operating in perfectly “secure” or “verified” environments.  The danger is that – to the extent some “bad guys” are getting on those sites under false pretenses – kids and parents may fall prey to a false sense of security after they are told the site is COPPA-verified.  Of course, COPPA wasn’t put on the books to keep “bad guys” away from kids online; it was about keeping site operators from collecting personal information about kids.

The second reason COPPA has “worked” to a limited degree is that SNS sites geared toward younger kids tightly limit functionality.  In essence, the site administrators “cripple” the sort of functionality we find in SNS sites geared toward older kids.  That fact alone makes these sites far less likely to be subject to fraudulent entry or dangerous interactions.   If I am an older teen or a pervert, why would I ever want to gain access to a site that has nothing more than drop-down menus and a few buttons to click on when interacting with others?  Thus, the primary reason that kids are likely safer in those environments has almost nothing to do with COPPA’s parental consent mechanisms and almost everything to do with the fact that most of the sites it covers are tightly controlled walled gardens with very limited functionality.

With these facts in mind, let’s gets back to the ultimate question: What would happen if we tried to apply COPPA to all social networking sites for kids of all ages? The threshold question that would need to be answered remains the same as it does today: How do we verify the parent-child relationship when someone asserts they are the parent or guardian?  That’s a very thorny question.  But let me just list out the many other questions that everyone is overlooking here:

(1) What sort of mechanisms will need to be put in place to guarantee that the parent or guardian is who they claim to be (for both initial enrollment and subsequent visit authentication)?  Sign-and-fax forms can be easily forged, so credit cards (and perhaps mandatory user fees) will likely become the default solution. A third method, follow-up phone calls, just doesn’t seem practical.  But might lawmakers demand a mix of all of the above?

(2) Regardless, how burdensome will those mandates be for parents / guardians?

(3) And how burdensome will those mandates be for SNS site operators? What kind of compliance costs / legal penalties are we talking about?

(4) Will the barriers to site enrollment become economic in character such that it requires previously free social networking sites to charge admission?

(5) If so, could that be a disadvantage to low-income families / youth?

(6) If compliance costs go through the roof for SNS sites, will this be a recipe for massive industry consolidation in order to comply with the mandates?

(7) Who is collecting the massive databases of information created by such a mandate for all SNS? Who has access to that data? What might government use it for?

(8) Will this new regime be applicable to offshore sites? And will kids flock to offshore sites as a result of such mandates on domestic sites? If some do, how will we stop them?

And so on.  Bottom line: The future of age verification battles will likely be increasingly tied up with COPPA and the question of how well parental permission-based forms of authentication might work. It is unlikely, however, that such a framework could be easily applied on “Internet scale.”  There is a world of difference between something like Disney’s “Club Penguin” and MySpace, Xanga or Bebo.  And with social networking capabilities being integrated into every site and service these days — from CNN.com to Microsoft’s Xbox Live service — one wonders how that will magnify the compliance costs and hassles for all involved.  Are parents really going to be expected to verify themselves and then their kids for every “social networking site” their kids want to visit?  That seems unnecessary, unworkable, and potentially counter-productive.

Finally, the irony of a proposal to expand COPPA in this fashion is that lawmakers would be using a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents!  It’s important we not overlook the privacy implications of any effort to expand COPPA to do something it was not originally intended to cover.

Conclusion

It will likely be very difficult for the Technical Task Force to reach consensus on these controversial and complicated issues.  There are many challenging technical, legal, and even philosophical issue in play here.  The problem is that this Task Force is charged with looking at technical solutions and yet most child safety advocates and academics on the Task Force are of the mind that technical solutions are only one part — and probably the smallest part — of the sort of “layered solution” to online child safety that I describe in my book on “Parental Controls and Online Child Protection.” As I argue in that book:

“the best answer to the problem of unwanted media exposure or contact with others is for parents to rely on a mix of technological controls, informal household media rules, and, most importantly, education and media literacy efforts.”

In sum, we need to get serious about talking to our kids about online safety and proper online behavior. Education is the key, and government has a major role to play in that regard in the classroom and through awareness-building efforts. And technical tools that empower parents to better monitor and guide their child’s online experiences can help too. Social networking sites and other online service providers can offer more of those tools and also take additional steps to improve the safety of their sites and encourage a dialog about appropriate and inappropriate online behavior. Again, it’s a multi-layered effort with education and communication at the core of the plan.

It’s not like I am saying anything new here. Indeed, that layered approach was the recommended approach of two previous online safety blue ribbon task force efforts: The 2000 COPA Commission and the 2002 National Academy of Sciences “Thornburgh Commission.” And every major book about online child safety published over the last 5 years has come to the same conclusion.

But that is not likely going to be enough for state attorneys general. There is no other way for me to state this than to just come right out and say it: The AGs are looking for a silver-bullet technical solution to a complex problem they do not fully understand.  And age verification schemes are the technical bullet du jour.

Alas, for all the reasons I have stated here and elsewhere, age verification schemes are likely to fail miserably.  Even if age verification systems worked as billed, it is unlikely that kids would really be any better off.  All the academic research in this field points to a single, inescapable conclusion: The primary danger to kids online is not adult predators, it is other kids.  In particular, it is peer-on-peer harassment and cyber-bullying.   As parents and a society, we have to do more — a lot more — to address that problem.

Age verification schemes, however, aren’t going to help us solve that problem.  Worse yet, by creating the illusion of safety, it could compromise our children’s privacy in the process and create a false sense of security when kids or their parents come to believe they are operating in “trusted” online environments.  For the sake of our children, it is essential we not fall prey to such a fatal conceit.

Just FYI, the latest update of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now live. The new version, Version 3.1, provides minor updates to all sections of the book and a new appendix of relevant research in the field. I issue major updates early each year and 1 or 2 tweaks during the course of the year to reflect the evolution of the parental control and online child safety market and debate.

For those not familiar with the report, it explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past two years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

Another chapter in the seemingly never-ending saga of the Child Online Protection Act (COPA) of 1998 was written this week when the Third Circuit Court of Appeals upheld a lower court ruling striking down COPA, which would require Web operators to restrict access to large amounts of online speech and expression. [The Third Circuit’s full decision is here. And I penned a 3-part series on the lower court ruling by Judge Lowell Reed Jr., senior judge of the U.S. District Court for the Eastern District of Pennsylvania, here, here, and here].

The DOJ will likely appeal the decision, yet again, to the Supreme Court. I can’t be certain, but I know of no other free speech-related law that has made THREE trips to the Supreme Court for review. (If readers know of any laws that can match that record, please let me know). It really is quite amazing, and even a little outrageous, when you think about it. After all, just think of all the time, energy and money that has gone into this 10-year legal fiasco. I know it is the DOJ’s job to defend congressional enactments before the courts, but how might we have spent that time and money if all this litigating wasn’t going on?? Regulation always has opportunity costs and in this case those costs have been 10 years of wrangling among lawyers. Those resources could have been used to educate parents and kids about online safety; to create and disseminate more and better private screening tools; and so on. Alas, we instead have mounds of paper piling up in the courts and millions being spent with nothing to show for it. Anyway, Declan has an excellent summary of the 3rd Circuit’s ruling here, and my friends at CDT have a statement here. But Susan Crawford has the best analysis of the decision in her essay on “Understanding COPA’s Journey.” She begins by summarizing the key findings:

The Third Circuit yesterday announced a host of reasons why COPA is insufficiently narrowly tailored, many based on the terms of the statute. The coverage of the HTM [“harm to minors”] definition is vague, the court felt, and so publishers won’t be able to tell in advance whether their operations are all subject to the COPA constraint (what if only a tiny portion of a web site has arguably HTM material on it?) or what fits within the HTM definition (are you supposed to be protecting 3 year-olds as well as 16 year-olds?). The court also found that having to implement credit card, debit account etc. shields would burden the providers of free web sites whose operations are nonetheless “commercial” and so covered by COPA. This was another instance of insufficient tailoring. But the key element here is that the Third Circuit held that the government had to carry the burden of showing that filters were less effective than COPA, and it failed to do that. In fact, it appears that filters are both less restrictive and more effective than the operation of the statute, based on extensive findings of fact by the district court below.

So, what will the Supreme Court say about that argument when COPA makes its unprecedented 3rd appearance before the judges? Susan says:

This approach may be difficult for the current Supreme Court to agree with. It was difficult enough the last time. The analytical framework adopted by the Third Circuit follows what Justice Kennedy said then – that it is the Court’s job to consider what alternatives are out there in the world to help parents, and to decide whether they’re more effective/less restrictive than COPA. The point, Justice Kennedy said, is to is ‘‘to ensure that speech is restricted no further than necessary,’’ not to consider ‘‘whether the challenged restriction has some effect in achieving Congress’ goal, regardless of the restriction it imposes.’’ So the court’s job is not to ask whether COPA would provide government with another tool to address harmful speech in the name of protecting kids. That standard would justify any restriction on speech. Instead, the inquiry should be ‘‘whether the challenged regulation is the least restrictive means among available, effective alternatives.’’ Right now, filters are more effective and less restrictive than COPA (or, at least, the government didn’t prove that they weren’t), and so the government loses. Never mind that filters are voluntary and that a lot of parents choose not to use them – that’s the parents’ choice. Filters are available. The government’s argument to the Third Circuit, and probably to the Supreme Court, will be that this is a maddeningly flawed analytical approach. The government would like to see a more protective, quasi-parental approach (on the assumption that parents are busy shoring up the failing economy and can’t be counted on to be watching their kids or caring what they see). Justice Breyer was very sympathetic to that view the last time around. His point is that filtering doesn’t count as an alternative to COPA. (‘‘The presence of filtering software is not an alternative legislative approach to the problem of protecting children.”) Doing nothing, legislatively, will always be less restrictive than doing something. He also thinks COPA isn’t much stronger than the Miller obscenity test and would only modestly burden adult access to legal adult speech. Veteran SCT-watchers will count noses, in this case as in Fox v. FCC, and try to figure out what will happen next. Last time around, Justice Kennedy’s majority opinion was joined by Stevens, Souter, Thomas, and Ginsburg, all of whom are still there. Justice Stevens wrote a concurring opinion, which was joined by Justice Ginsburg. Justice Scalia filed a dissent, as did Justice Breyer, who was joined by Chief Justice Rehnquist (now Roberts) and Justice O’Connor (now Alito). So maybe the 5-4 will stay in place. But if Thomas goes over to the dissenting side, and Justice Breyer’s analytic approach (”what do you mean, filtering is an alternative?”) gathers steam, COPA could survive its third trip to the SCT and be upheld.

So, it remains to be seen whether the third time is the charm for the DOJ and they are able to finally convince the Supreme Court to enforce COPA. And Susan is right in noting that all eyes will be on the decision in Fox v. FCC since that will be the next major free speech case before the Court.

As Susan rightly concludes: “This case is a big deal because it turns on the question whether private, edge-based solutions to speech issues should be taken seriously. I think they can, and I don’t want to see a lot of government tinkering with the sources of speech…. Let’s hope the government drops the COPA effort, which has now stretched on for almost ten years.”

Indeed.

Wendy Tanaka of Forbes penned a nice article this week on “Making Social Sites Safer,” as in social networking sites. She interviews many members of the new Internet Safety Technical Task Force that is being chaired by John Palfrey of the Berkman Center for Internet & Society at Harvard Law School. Wendy was also kind enough to call me for some comments.

Wendy wanted to know how far technology could go to solve online safety concerns. Specifically, as she notes in her piece, “The discussions have centered on whether identity technologies can make social sites safer, or whether consumer education works best. State attorneys general believe more technological solutions are necessary, but some task force members contend that identity technologies on the market aren’t adequate. And even if they were better, they likely can’t prevent every unwanted incident and they could block contact between friends and relatives.”

On that point, I told her that, even if the age verification technology worked as billed (and I have my doubts), we’d have other issues to grapple with:

“So, if he’s 16 and she’s 21, they shouldn’t talk? Maybe they’re brother and sister,” says Adam Thierer, a senior fellow at the Progress and Freedom Foundation. Thierer also says that too many checks and restrictions could turn off users and hamper advertising on social networks. “There’s only so far the sites can go before undermining their business and cutting off their customer base,” he says. “At some point, it becomes an annoyance for users.”

What I meant by that is that there is a balance that must be struck between security and freedom on social networking sites because, if lawmakers (or even the site operators themselves) push too far and add too many layers of controls, their could be adverse consequences. In particular, users could flock elsewhere, including to offshore sites that have no safety guidelines or mechanisms in place. That would be a troubling outcome that could leave site users far less safe in the long-run. As I have pointed out in my big paper, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,“Whatever their concerns are about current domestic sites, parents and policy makers should understand that those sites are generally more accountable and visible than offshore sites over which we have virtually no influence but that have the same reach as domestic sites.”

Moreover, we need to be aware of the privacy and speech-related issues that arise when governments seek for force users to surrender the online anonymity. I have written more extensively about that issue in my essay here on “Age Verification and Death of Online Anonymity.”

Finally, as I told Wendy, there is no substitute for education and awareness-building efforts as the real solution to these problems. “There are no easy technical fixes for complex human behavioral problems,” I told her. “We need to teach kids ‘Netiquette.’ ” That is, we need to do a better job teaching our kids proper online manners toward their peers while also making sure they understand what risks are out there and how best to deal with them.

Anyway, make sure to read Wendy’s Forbes article for additional insights from other Task Force members.

The debate over social networking safety is increasingly tied up with the question of whether (and how) users should be authenticated before they are allowed onto a social networking site, however that term of art is defined. Age verification proposals have been flying for the last two years that would use a variety of approaches to determine the age / identity of users. [I have discussed those proposals in detail here.]

So, when I heard the news that the Catholic church “will set up a Catholic social networking Web site akin to a Catholic Facebook” so that Pope Benedict can text message thousands of young Catholics on their mobile phones during World Youth Day in Sydney, Australia this July, I just couldn’t help but wonder if the Pope and all the site’s users will be required to somehow have their identities or ages verified before they go online?

I’m being entirely serious. If anyone has information on how the site will work and whether the Church plans to use identity screening mechanisms, please let me know. I try to keep tabs on how each social networking site polices their site for underage or inappropriate use. I am personally quite skeptical that most current approaches can work effectively, but I am always willing to learn more about new tools and techniques.

Today and tomorrow I am attending a terrific conference at Penn State University called, “Playing to Win: The Business and Social Frontiers of Videogames.” It features panel discussions about various legal and business issues facing the video game industry, as well as discussions about how video games are used to aid teaching and learning. There are also panels on multiplayer online worlds and virtual reality environments and the issues surrounding both. [They will apparently be posting videos from the conference on their site shortly.] The folks at PSU were kind enough to invite me to deliver the luncheon keynote on Day 1 and I decided to provide a broad overview of the policy issues facing video games that I have covered in some of my past work. My presentation was entitled, “Video Games, Ratings, Parental Controls, & Public Policy: Where Do We Stand?” and the entire 36-slide presentation is now available online here. Down below, I thought I would just outline a couple of the key themes I touched upon in my presentation.

ESRB: Strengths & Challenges

One of the things I did in my presentation was to provide a brief sketch of how the Entertainment Software Rating Board (ESRB), the game industry’s voluntary rating and labeling system, works. After doing so–again, you can download the entire presentation if you want those details–I outlined the strengths of the ESRB system, which I listed as follows:

Then I discussed some of the challenges facing the ESRB system…

General Thoughts on Ratings vs. Government Regulation

Later in the presentation, after walking through how various parental control tools worked, I talked about my general feelings regarding critiques of private rating systems and the ESRB in particular:

Future Issues & Controversies

I concluded by throwing out a few predictions about future issues and controversies that I think we will be debating in coming months and years.

I suppose I should provide some more details regarding this last slide since it will be of the most interest to many readers. Here’s some more explanation regarding each of my 7 predictions:

(1) Renewed push for universal media ratings: This issue has always been hanging out there and I think we will continue to hear calls–from both policy makers and media critics–for some sort of universal rating system for all media. God only knows how that would work. The last Star Wars movie (“Revenge of the Sith”) yielded several distinct media products: a major theatrical motion picture, a video game, a book, a comic book, and even a musical soundtrack. Should they all be rated the same way using the same system? I think that would be difficult to pull off. More worrisome is the fact that any move toward a universal rating scheme would undermine much of the education and awareness-building efforts that have helped familiarize consumers (especially parents) with the ESRB and other existing private rating and labeling systems. Finally, because it is unlikely we will ever see a voluntary movement by all major media producers to abandon their existing rating schemes and adopt a universal system, such a move would likely only come about because of action by government officials. Of course, that raises a host of First Amendment issues. For that reason, we might instead see a push for…

(2) Oversight of ESRB by Congress or non-profit / academic groups: Some critics say that the ESRB needs more “objective” oversight by either a regulatory agency or some of the third-party group, like an academic institution. As I point out in some of those slides above, ratings will ALWAYS have a subjective element to them since raters all bring different values and insights to the task of judging artistic expression. So making the rating process more bureaucratic isn’t going to make matters any better. Instead, it will just politicize the system and slow it down. [See my lengthy essay on this issue from a few weeks ago.]

(3) More FTC oversight of retailer enforcement: The Federal Trade Commission already conducts secret shopper surveys and issues an occasional report about the “Marketing of Violent Entertainment to Children.” Those reports has shown that retailer enforcement of the ESRB rating system is improving, but still needs to improve. [Here you will find my detailed thoughts on the conclusion of the last FTC report.] But there have been some calls in Congress for stepped-up FTC oversight, and potential penalties, for retailers who fail to enforce the system properly. (Remember Sen. Clinton’s “Family Entertainment Protection Act”?)

(4) Mandatory age verification for MMOGs & online activities: Here’s one to keep a close eye on. With a debate raging about the wisdom and effectiveness of age verification for social networking sites, it’s only a matter of time before online video games are brought into the discussion in a major way. The recent Bryon report in the UK included a discussion of this in the online gaming section of their final report. Stay tuned, this debate is set to explode here in the States.

(5) Mandatory parental controls defaults: One of my next white papers discusses the perils of government mandates that might force media & technology providers to not only embed parental controls in all their devices, but also turn them “ON” when they are shipped to market (meaning they would set to their most restrictive position as a defaults). For example, it could be required that every video game console be shipped with on-board screening technologies that were set to block any games rated above “E” (i.e., “Everyone”-rated games). Similarly, all personal computers or portable media devices sold to the public could be required to have filters embedded that were set to block all “objectionable” content, however defined. If “default” requirements such as this were mandated by law, parents would be forced to opt out of the restrictions by granting their children selective permission to content above a certain ESRB rating. In theory, this might help create another roadblock to underage access to some objectionable content, but it would also create an enormous consumer backlash and lead to a great deal of regulatory hassles and console hacking. Again, I’ve got an entire paper coming out on this issue from PFF next month that addresses my reservations with such a mandate.

(6) What happens when “AO” games hit consoles? I created some controversy recently when I noted that: “Whether any of us care to admit it, the fact that AO-rated games are currently kept off the major consoles and off the shelves at some major retailers (ex: Wal-Mart and Target) is probably the most important thing holding back a full-on legislative assault on video games.” Some took that to mean that I was advocating rigorous self-censorship of “AO” (Adults Only-rated) games. To the contrary, as I told MTV Multiplayer News, “I am in no way advocating that the industry hold off in terms of allowing complete creative expression.” And I also told MTV Multiplayer that I thought that eventually one of the major consoles–probably Sony–would cave and allow some AO-rated games on their platform. But make no doubt about it, when that happens, all hell is going to break loose. Not only with the typical pro-censorship crowd kick their complaint-generating factories into high gear, but a lot more average parents will protest the move and likely petition lawmakers for greater regulation of games or consoles.

(7) What about virtual reality games? And finally we come to virtual reality. All these other video game debates we have been having pale in comparison to the heated debate we can expect during the coming decade as virtual realities games and devices proliferate. And we all know they are coming. I fully expect that something like the Star Trek “holo-deck” will be in my living room by the time my kids are teenagers. We are already seeing more “tactile” devices coming to market, such as steering wheels and video game guns, that add a new layer of involvement to the games we play. Most recently, video game vests are hitting the market that simulate the sensation of being shot while playing a game. Once you combine these tactile technologies with more visually immersive visual display technologies, we will be well on our way to a serious VR world. And once they figure out a way to make it fully online and interactive, a huge policy debate is going to develop over the wisdom of letting people (especially kids) play holo-deck games where they actually feel like they are inside Halo or World of Warcraft, mowing down competitors with plasma rifles and broad swords. (Personally, I am very eager to try out “Resident Evil” this way!) Regardless, this debate is coming and it will be a very heated affair.

PFF has just releasing an updated edition of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods.” The new version, Version 3.0, includes two new appendixes and updates to each section to reflect new parental control tools and programs developed in the last nine months.

The updated report is timely as it comes on the heels of the recently-announced Internet Safety Technical Task Force, which is being chaired by the Berkman Center for Internet & Society at Harvard Law School. I am privileged to serve as a member of the Task Force, which is evaluating various online safety technologies and strategies and then reporting back to state attorneys general with our findings.

Those issues and much more are covered in the latest edition of my report. The report explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

Version 3.0 of the special report, now over 200 pages, contains over fifty exhibits and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. A greatly expanded section on video empowerment technologies has also been included. Finally, two appendices have also been added: a comprehensive legislative index cataloging over thirty bills introduced in Congress on these issues (complied with John Morris of Center for Democracy & Technology), and a glossary of 35 relevant terms and cases.

The report is available free-of-charge on the PFF website, as are the previous editions. And I am happy to provide hard copies to those who are interested.

The USA Today editorial board published a nasty piece today belittling MySpace.com’s recent efforts to implement more safeguards for its users. Despite the fact that MySpace made over 70 promises to the Attorneys General as part of the agreement–the entire agreement is summarized here–that’s still not good enough for the USA Today’s editorial board, which wants full-blown identity verification before anyone is allowed on a social networking site:

“Even in the absence of a perfect software solution, interim steps are possible. How about using databases of drivers’ licenses to cross-check ages? In more than 20 states, they are public records. The point is, more effective safeguards are needed now, …. MySpace [should be] moving faster to set up age and ID verifications, not just study them.”

Well, where do I begin? I get so frustrated when I see comments like this because it is abundantly clear to me that people don’t think things through when it comes to age verification. As I pointed out in my lengthy PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” age verification is extremely complicated, and it would be even more complicated in this case because public officials are demanding the age verification of minors as well as adults, which presents a wide array of special challenges and concerns.

What Age Verification Really Is: The Death of Online Anonymity We need to begin by understanding what age verification really is. By definition, mandatory age verification represents an effort to make online anonymity a crime. In simple terms, citizens would be forced to “show their papers” at the door of every website or else run the risk of being denied access–simply because they do not want to surrender their name or age.

Think about what that means. It’s easy to take the benefits of online anonymity for granted. There are millions of people who comment anonymously on blogs like this one every day, or write anonymous book or product reviews on Amazon.com or eBay, or who just chat with others about various topics under the cloak of anonymity. It is a wonderful thing.

Of course, anonymity has some downsides. The downside of people speaking their minds freely is that, well, people will speak their minds freely! And, yes, on occasion, that means some people will talk smack and just generally be jerks while disguising their identities because don’t want to stand by their comments or be accountable for them. But that’s the cost of free expression. If you want to live in a free society and encourage a vibrant exchange of views, there will be times when that means we must defend the right of people to say incredibly silly or even insulting things.

And God knows there are plenty of silly and insulting things being said on social networking sites every second of the day. But there are also countless moments of joy and wonder, when people come together and communicate with each other, or share culture with others in incredibly creative and social-beneficial ways. And, again, a great deal of that communication or culture-sharing is done in a completely anonymous fashion.

For example, as I have mentioned here before, I am fanatical about cars and home theater gadgets. I spend a lot of my free time hanging out at a small social networking site for fellow Lotus car lovers called Lotus Talk. And I also spend a fair amount of time at the amazing AVS Forum, which is the world’s biggest chat board for home theater and A/V stuff. On these sites, thousands of random strangers come into contact every day. We create profiles, we post pictures, we share stories, we talk about life and our passions for cars and A/V gadgets. This is very the essence of social networking. And, for the most past, we are all doing it anonymously. And it is happens everywhere online, every second of every day. Do we really want to make it all illegal?

Practical Considerations: The Complexities of Human Identification OK, so there might be some downsides to making anonymity illegal online. But some critics would say: “So what, we need to make people show their papers at the door of every website–at least for those social networking sites where kids hang out–to make sure kids are safe online.” Well, that’s easier said than done.

At least in theory, the problem that age verification is supposed to solve is to keep older people away from youngsters, at least in certain circumstances. Also, some proponents wish to use age verification to ban preteen access to social networking sites. To accomplish either of those objectives, we must be able to effectively verify everyone’s age by consulting reliable records about those looking to create an account on a social networking site. In other words, when Janie Smith comes to a social networking site for the first time, the site must be able to verify not only that she is Janie Smith, but that she really is as old as she claims to be. But, again, such verifying is easier said than done.

Consider first what is required to verify an adult’s identity. When government officials or even corporations seek to verify someone identify or age, they can rely on birth certificates, Social Security numbers, driver’s licenses, military records, home mortgages, car loans, other credit records, or credit cards.

But even with all those pieces of information, challenges remain. Is the information publicly accessible or restricted by legal or other means? Are all the underlying pieces of information and documentation trustworthy, or have they been manipulated or misreported in some way? Has someone faked his or her identity? And so on. Thus, while the identity authentication systems–both public and private–have improved significantly in recent decades, they still face some inherent challenges and concerns about fraud.

The current concern about “identity theft” demonstrates the complexities and level of difficulty involved in stamping out this problem. Even U.S. passports, which are relatively robust identification documents that contain authentication data, are occasionally forged with success. “It is safe to assume that future age verification efforts will yield failures on par with other identification/authentication mechanisms,” says information security expert Jeff Schmidt, former CEO of Authis, Inc.: “When one considers how frequently college students successfully circumvent age verification requirements in person and with government issued documents, one can begin to grasp the challenges that lie ahead.”

Importantly, we’re talking just about adults here. When the focus of identity verification efforts shifts to minors, the endeavor becomes far more complicated. Minors don’t have home mortgages or car loans. They don’t have military records and most have never worked. Most don’t have driver’s licenses or credit cards either.

Of course, minors do have birth certificates, Social Security numbers, and school records, but both parents and government officials have long demanded that access to those records be tightly guarded. That’s for a very good reason: As a society, we take privacy seriously—especially the privacy of our children. Laws and regulations have been implemented that shield such records from public use, including the Family Educational Rights and Privacy Act of 1974 and various state statutes.

Also, to the extent that age verification of adults works for some websites–online dating services, for example–it is important to realize that in most of those cases the users want to be verified. In that context, identify authentication increases marketability of a user’s “profile,” or it allows him or her to participate more actively in an environment where trust is essential. This fact makes it far more likely that age verification will work because user compliance is driven by market forces, not regulation. That compliance will not be the case when users–especially kids–inherently resist the idea of being age-verified before they go onto certain websites. (We should also not forget that some kids will share their online credentials or passwords with friends.)

It is also important to realize that age verification and background checks are not synonymous. Information security expert John J. Cardillo, President and CEO of Sentinel, a leading authentication firm, argues that:

Most people are ignorant of what we do. They hear the words “check” or “verification” and they assume a full background check will be run on the individual. When this is sponsored by an AG, the chief law enforcement officer of their state, there’s a perception that the criminal background checks are inclusive in whatever they’re proposing. Age verification, on its own, doesn’t indicate whether or not a person is a convicted sex offender. Mandated age verification, as proposed, would allow the hundreds of thousands of offenders… who are over 18, unrestricted access to sites. Worse, it would allow these offenders the ability to vouch for children that might or might not exist. This is where it gets most dangerous. People might assume that “verified” users have undergone some type of vetting, and let their guard down just that little bit the offenders need to exploit. In the case of convicted sex offenders, age verification actually helps them by giving them an additional layer of legitimacy.

This points to the danger of creating a false sense of security online by mandating a solution that doesn’t address the real problem.

Finally, the special challenges raised by the nature of the Internet and online communication must be reiterated. Finding a dependable source of identity or age information and then reliably matching it to someone thousands of miles away on the Internet (perhaps in another jurisdiction, or even another country) is a daunting challenge—made even more difficult by the fact that a remote individual may be actively attempting to subvert the age verification process. Solving this problem necessitates authentication data that are appropriate for online interaction. In the real world, we perform in-person authentication with a photo or physical description; the online world requires a username/password combination, biometric authenticator, or physical security token. An arms-race scenario is obviously at work here, and because a perfect solution is impossible, we must guard against a false sense of security. Lastly, because technology is evolving at such a rapid pace in this area, there is a risk that legislative solutions will become obsolete very rapidly.

In light of those complications, how would government, social networking sites, or anyone else, go about age-verifying minors online?

Do We Really Want National ID Cards for Kids? In the extreme, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others—including social networking sites—as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children. Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into to collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Sources of Age Information Thus, if social networking sites are going to age-verify minors, they will likely need to devise or rely on some other, nongovernmental solution. The most commonly proposed solutions typically fall into the following groupings:

(1) Credit cards as approximate age proxies; (2) Driver’s licenses as approximate age proxies or as a source of date of birth; (3) Birth certificates as a source of actual date of birth; (4) Parents or guardians vouching for minors; (5) Schools vouching for minors; (6) Third parties vouching for minors; and, (7) Biological or biometric determination of age.

I won’t summarize all them here since I do so in my longer PFF report on the issue. But let me just point out the deficiencies of the two leading proposals: Credits cards and parents vouching for children.

(1) Credit Cards as Approximate Age Proxies: Credit cards are often viewed by policy makers as the silver bullet solution for age verification. Even though credit card companies typically do not wish their cards to be used as age verification tools, government has advocated their use in that way in the past. But they are not a silver bullet.

“Mere possession of a credit card is not a reliable assertion of identity or age,” argues Jeff Schmidt. Credit cards can be a rough proxy for age on the assumption that only adults over the age of 18 have credit cards, but that assumption is false. Many minors are given credit cards by their parents. Youngsters can borrow or steal credit cards from their parents or others. And Schmidt notes that newly created stored value cards, specifically marketed for use by children, “are in many cases indistinguishable from actual credit cards—both in physical appearance and in the back-end transaction processing systems.” Sentinel’s John Cardillo points out additional reasons why credit cards are not effective age verification tools:

When a card is used for verification purposes, an authorization on that card is run for $1.00 (or less), however a charge isn’t put through. The card typically isn’t reconciled against any database for name and/or age, nor is a signature checked. Because of the insignificant dollar amount, the only thing that’s checked for security purposes, in some instances, is zip code. Anyone who’s ever bought gasoline with a credit card knows this to be true. Our names and ages aren’t checked at the pump. Check your statement online next time you gas up. You’ll see an authorization for $1.00 and the actual charge a few days later. The same merchant banks handle the transactions online. In other words, in most cases, all that’s being verified is that the card account isn’t closed or stolen. Who’s using it is irrelevant.

Moreover, “many parents may feel uncomfortable giving their credit card number online at children’s Web sites where there is no [commercial] transaction involved,” notes a coalition of major commercial organizations, including the American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, The Direct Marketing Association, Inc., and Magazine Publishers of America. In a June 2005 filing to the Federal Trade Commission, those organizations noted that “in light of current online scams, heightened concerns about online security, and the rise of such practices as phishing, parents may be reluctant to provide credit card numbers absent a transaction.” But that begs the question: If lawmakers require social networking sites to process a financial transaction to age-verify, is that fair? In particular, is it fair for low-income families? And what about those families that do not possess a credit card?

Finally, the law is not even settled about using credit cards for access to adult-oriented websites. The Child Online Protection Act (COPA) was passed by Congress in 1998 in an effort to restrict minors’ access to adult-oriented websites. The measure provided an affirmative defense to prosecution if a website operator could show that it had made a good faith effort to restrict site access by requiring a credit card, adult personal identification number, or some other type of age-verifying certificate or technology. But the legislation was immediately challenged and has gone to the Supreme Court for review twice. And the law is still being debated in a lower court. Thus, almost 10 years after its initial passage, the legislation remains stuck in jurisprudential limbo after endless legal wrangling about its constitutionality.

Incidentally, COPA established an expert Commission on Online Child Protection to study methods for reducing access by minors to harmful material on the Internet. As part of its final report, the COPA commission said that credit card-based age verification would be completely inappropriate for instant messaging and chat, which were the precursors of social networking. The commission found: “This system’s limitations include the fact that some children have access to credit cards, and it is unclear how this system would apply to sites outside the U.S. It is not effective at blocking access to chat, newsgroups, or instant messaging.”

(2) Parents or Guardians Vouching for Minors: Legislation has been floated in a few states, such as North Carolina, that would make it illegal for a minor to maintain an account or webpage on a social networking site “without the permission of the minor’s parent or guardian and without providing such parent or guardian access to such profile web page.” Similar measures were recently introduced in North Carolina and Connecticut that would require social networking sites not only to obtain parental approval but also take steps to verify that they are the actual parents of the child.

This approach will appeal to many because it can be likened to a parent signing a “permission slip” for a child. Unfortunately, parental permission-based approaches are more complicated for online activities. Because websites are far away from the parents, how is the site operator going to ensure that the person vouching for the child’s age is really the parent or even an adult? Would the verifier mail or fax notarized documents? Those documents can be forged, of course. Mandatory follow-up phone calls would be cumbersome, costly, and potentially viewed as intrusive. And the use of credit cards to satisfy the permission requirement might raise some of the same problems already discussed above.

Despite these potential drawbacks, this was the general framework established by the Children’s Online Privacy Protection Act (COPPA) of 1998, which required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods mentioned above to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a recent report to Congress, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

And the marketplace experience with COPPA so far reflects that conclusion. One of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites,” notes Denise G. Tayloe, CEO of Privo, Inc., one of the four FTC-approved safe harbor programs. “As a result, databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says. Parry Aftab of Wired Safety confirms this, noting that: “Preteens quickly learned that if they say they are under thirteen they will be prohibited from using many sites. So they regularly lie about their age everywhere online.”

Despite these flaws, Tayloe argues that COPPA serves an important role. Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that the law “provides a platform to educate parents and kids about privacy.” Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.

Nonetheless, these permission-based verification schemes might work reasonably well for smaller, closed online communities in which the kids and parents are willing to take the time (and expense) to undertake extensive authentication. For example, smaller social networking sites such as ZoeysRoom.com, Imbee.com, ClubPenguin.com, and Tweenland.com have extremely strict enlistment policies, primarily because they target or allow younger users. As Sue Shellenbarger of the Wall Street Journal explains:

The under-16 sites pose few of the hazards linked to networking sites for older people. The activities range from chats and blogging to creating virtual pets or characters and acting out roles in virtual cities. For a child to register, the sites typically require a parent’s email permission, a parental signature on a permission form, or a parent’s credit card verification. Some limit young children’s interchanges to drop down menus of preapproved words and phrases. Most filter content for inappropriate material and employ live adult monitors who ensure that kids’ conversations don’t stray off course. Some limit chats or blog access to participants who are already preapproved and already known to a child’s family.

Ironically, one can probably safely assume that the kids using such services are not in the high-risk group discussed earlier. The parents who use such services are probably doing a fine job of mentoring their kids and don’t really need to resort to such restrictive solutions. Nonetheless, such highly restrictive “walled garden” approaches do provide parents with greater ease of mind. That’s not necessarily because of the strict enlistment policies so much as the extreme limitations on what kids can do on those sites or with whom they can communicate while online.

But regardless of how well the above-mentioned parental consent schemes work in practice for these smaller, more closed online communities–and some experts, like Cardillo, do question how well they actually work–such solutions lack scalability. Schemes that demand laborious and expensive enrollment requirements, or that greatly limit functionality and interactivity after users sign up, will almost certainly not work for larger social networking sites with a massive community of users. The administrative burdens would be significant for both site operators and parents alike. For example, Parry Aftab notes that COPPA has made it much more difficult for some smaller website operators to staff afloat. “The cost of obtaining verifiable parental consent for interactive communications is very high, estimated at more than $45 per child, and even at that price [consent is] difficult to obtain.”

And because users would sacrifice a great deal of autonomy and functionality once online, many would likely rebel against the system or would seek to subvert it in some fashion. If such a system significantly slows or impedes the creation of new accounts for domestic social networking sites, it will create a perverse incentive for kids to seek other sites with less-restrictive policies, including offshore sites.

Conclusion There are many other issues I haven’t mentioned here that deserve consideration. I’ll just check off a few:

• Assuming we go through with this, who is aggregating all this data? Who has access to the databases? How might that data be used?

• Is all this constitutional? Won’t there be First Amendment or privacy cases brought that endlessly complicate implementation?

• Will kids just flock off-shore to unregulated sites in an effort to reclaim some of the independence they have lost through by surrendering anonymity on U.S.-based sites? What are the consequences of that? Do parents or American policymakers really have any leverage over shady websites operators in Antigua?

• Aren’t there better ways to use our resources? How about focusing our time, energy and resources on educating kids about online risks and deal with these concerns in more constructive ways?

You get the point: Age verification is complicated. Insanely complicated. And it would have enormous costs and profound ramifications for the future of online speech and privacy. We must never forget that government regulation–no matter how well-intentioned–can often have such unintended consequences. It’s a lesson that the USA Today and many others need to heed before they flippantly suggest that age verification is a piece of cake and it’s just a matter of MySpace or someone else throwing a switch to magically make it happen.

Not. That. Simple.