There was an important article about online age verification in The New York Times yesterday entitled, “Verifying Ages Online Is a Daunting Task, Even for Experts.” It’s definitely worth a read since it reiterates the simple truth that online age verification is enormously complicated and hugely contentious (especially legally). It’s also worth reading since this issue might be getting hot again as Facebook considers allowing kids under 13 on its site.

Just five years ago, age verification was a red-hot tech policy issue. The rise of MySpace and social networking in general had sent many state AGs, other lawmakers, and some child safety groups into full-blown moral panic mode. Some wanted to ban social networks in schools and libraries (recall that a 2006 House measure proposing just that actually received 410 votes, although the measure died in the Senate), but mandatory online age verification for social networking sites was also receiving a lot of support. This generated much academic and press inquiry into the sensibility and practicality of mandatory age verification as an online safety strategy. Personally, I was spending almost all my time covering the issue between late 2006 and mid-2007. The title of one of my papers on the topic reflected the frustration many shared about the issue: “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”

Simply put, too many people were looking for an easy, silver-bullet solution to complicated problems regarding how kids get online and how to keep them safe once they get there. For a time, age verification became that silver bullet for those who felt that “we must do something” politically to address online safety concerns. Alas, mandatory age verification was no silver bullet. As I summarized in this 2009 white paper, “Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer,” all previous research and task force reports looking into this issue have concluded that a diverse toolbox and a “layered approach” must be brought to bear on these problems. There are no simple fixes. Specifically, here’s what each of the major online child safety task forces that have been convened since 2000 had to say about the wisdom of mandatory age verification:

2000 – Commission on Online Child Protection (“COPA Commission”)

“[Age verification] imposes moderate costs on users, who must get an I.D. It imposes high costs on content sources that must install systems and might pay to verify I.D.s. The adverse effect on privacy could be high. It may be lower than for credit card verification if I.D.s are separated from personally-identifiable information. Uncertainty about the application of a harmful to minors standard increases the costs incurred by harmful to minors sites in connection with such systems.  An adverse impact on First Amendment values arises from the costs imposed on content providers, and because requiring identification has a chilling effect on access. Central collection of credit card numbers coupled with the “embarrassment effect” of reporting fraud and the risk that a market for I.D.s would be created may have adverse effect on law enforcement.”

2002 – Youth, Pornography, and the Internet (“Thornburgh Commission”)

“In an online environment, age verification is much more difficult because a pervasive nationally available infrastructure for this purpose is not available. […] Note that each of these [age verification] methods imposes a cost in convenience of use, and the magnitude of this cost rises as the confidence in age verification increases.” (p. 63-4)

2008 – Safer Children in a Digital World (“Byron Review”)

“[N]o existing approach to age verification is without its limitations, so it is important that we do not fixate on age verification as a potential ‘silver bullet.’” (p. 99)

2009 – Internet Safety Technical Task Force (ISTTF)”

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness.  Any system that relies on remote verification of information has potential for inaccuracies.  For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s.  Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records.  Any system that focuses on third-party in-person verification would require significant political backing and social acceptance.  Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.” (p. 10)

2009 – “Point Smart. Click Safe” Blue Ribbon Working Group

“The task force acknowledges that the issues of identity authentication and age verification remain substantial challenges for the Internet community due to a variety of concerns including privacy, accuracy, and the need for better technology in these areas.”

2010 – Youth Safety on a Living Internet: Repost of the Online Safety and Technology Working Group (“OSTWG“)

“There is no quick fix or “silver bullet” solution to child safety concerns, especially given the rapid pace of change in the digital world. A diverse array of protective tools are currently available today to families, caretakers, and schools to help encourage better online content and communications. They are most effective as part of a “layered” approach to child online safety. The best of these technologies work in tandem with educational strategies, parental involvement, and other approaches to guide and mentor children, supplementing but not supplanting the educational and mentoring roles.”  […] “age verification is not only not effective but not necessarily advisable. There was some evidence presented to the (ISTTF) Task Force that it might actually endanger youth by keeping adult guidance or supervision out of online spaces where peer-on-peer harassment or cyberbullying could occur.” (p. 7, 27)

This makes it clear that there is near-universal consensus that mandatory age verification is not the smart path forward. In my closing statement to the Harvard Berkman Center Internet Safety Technical Task Force, of which I was a member, I actually went even further and argued that mandatory age verification represents a dangerous solution to concerns about online child safety because it:

1. Won’t Work: Mandatory age verification will not work as billed. For the reasons detailed below, it will fail miserably and create more problems than it will solve.
2. Will Create a False Sense of Security: Because it will fail, mandatory age verification will create a false sense of security for parents and kids alike. It will lead them to believe they are entering “safe spaces” simply because someone has said users are “verified.”
3. Is Not a Background Check: Moreover, even if age verification did work as billed, it is important to realize it is not synonymous with a complete background check. In other words, even if the verification process gets the age part of the process right, that tells us little else about the person being verified.
4. Is a Grave Threat to Privacy: Mandatory age verification is dangerous because it would require that even more personal information (about kids, no less) be put online at a time when identity theft and privacy violations continue to be a major concern.
5. Will Seriously Misallocate Resources: Devising and enforcing age verification regulations might also divert valuable time and resources that could be better used to focus on education and awareness-building efforts, especially K-12online safety and media literacy education. Moreover, it might divert law enforcement energy and resources away from policing serious crimes or more legitimate threats to children

I went on to post  “10 Questions about Age Verification that the AGs Must Answer” if they continued their foolish pursuit of this misguided silver bullet (non-)solution. Instead of repeating them all here, I have simply appended my closing statement to this post. [see Scribd embed below].

In closing, I remain convinced that nothing on the ground has changed since back then. All the traditional age verification schemes remain highly flawed, and the more sophisticated age verification systems (tapping school records and using biometric identifiers to create “digital passports,” for example), would have rather obvious downsides and still not likely be effective in practice. In the end, there is simply no substitute for an education and awareness-based approach to online safety that relies on parental mentoring, digital literacy / digital citizenship, and better social norms and self-regulation.  Techno-silver bullets will always fail.

ISTTF Thierer Closing Statement

The latest edition (Version 4.0) of my PFF special report on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now up.  For those not familiar with the report, it explores the market for parental control tools, rating schemes, education and media literacy efforts, and various other tools, methods, and initiatives aimed at promoting online child safety.  After evaluating that state of this market, I conclude: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”  Moreover, I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation.

Version 4.0 of the report is now over 250 pages long (up from 200 pages in Version 3.0) and it contains almost 70 exhibits (up from 50), 725 references (up from roughly 500), and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. Other new sections or appendices have also been added to the report, including:

• a new section examining how many households really need parental control tools;
• a new appendix on the downsides of mandatory parental controls and restrictive default settings;
• a new section on the dangers of “deputizing the online middleman” solution as an approach to solving child safety concerns;
• a new appendix reviewing the findings of 5 past online safety task forces;
• … and much more.

I issue major updates once a year and 1 or 2 minor tweaks during the course of the year to reflect the evolution of the parental control and online child safety marketplace and debate. The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past couple of years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

I’ve just had a new article published by the American Legislative Exchange Council (ALEC) in which I make the case against “techno-panics,” which refers to public and political crusades against the use of new media or technologies by the young. The article is entitled “Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics‘” and it appears in the July 2009 Inside ALEC newsletter.  This is something I have spent a lot of time writing about here in recent years (See 1, 2, 3, 4, 5) and I finally got around to putting it altogether in a concise essay here.  I have pasted the full text below. [And I just want to send a shout-out to my friend Anne Collier of Net Family News.org, whose work on this topic has been very influential on my thinking.]

“Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics‘” by Adam Thierer

A cursory review of the history of media and communications technologies reveals a reoccurring cycle of “techno-panics” — public and political crusades against the use of new media or technologies by the young.  From the waltz to rock-and-roll to rap music, from movies to comic books to video games, from radio and television to the Internet and social networking websites, every new media format or technology has spawned a fresh debate about the potential negative effects they might have on kids.

Inevitably, fueled by media sensationalism and various activist groups, these social and cultural debates quickly become political debates. Indeed, each of the media technologies or outlets mentioned above was either regulated or threatened with regulation at some point in its history. And the cycle continues today. During recent sessions of Congress, countless hearings were held and bills introduced on a wide variety of media and content-related issues. These proposals dealt with broadcast television and radio programming, cable and satellite television content, video games, the Internet, social networking sites, and much more.  State policymakers, especially state Attorneys General (AGs), have also joined in such crusades on occasion.  The recent push by AGs for mandatory age verification for all social networking sites is merely the latest example.

What is perhaps most ironic about these techno-panics is how quickly yesterday’s boogeyman becomes tomorrow’s accepted medium, even as the new villains replace old ones.  For example, the children of the 1950s and 60s were told that Elvis’s hip shakes and the rock-and-roll revolution would make them all the tools of the devil. They grew up fine and became parents themselves, but then promptly began demonizing rap music and video games in the ‘80s and ‘90s.  And now those aging Pac Man-era parents are worried sick about their kids being abducted by predators lurking on MySpace and Facebook. We shouldn’t be surprised if, a decade or two from now, today’s Internet generation will be decrying the dangers of virtual reality.

These techno-panics are almost always disproportionate to the real risk posed by new media and technology, which typically do not have the corrupting influence on youth that older generations fear.  Parents and public policymakers alike need to remember they were once kids, too, and managed to live through many of the same fears and concerns about media and popular culture. As the late University of North Carolina journalism professor Margaret A. Blanchard once noted: “[P]arents and grandparents who lead the efforts to cleanse today’s society seem to forget that they survived alleged attacks on their morals by different media when they were children. Each generation’s adults either lose faith in the ability of their young people to do the same or they become convinced that the dangers facing the new generation are much more substantial than the ones they faced as children.” And Thomas Hine, author of The Rise and Fall of the American Teenager, argues that: “We seem to have moved, without skipping a beat, from blaming our parents for the ills of society to blaming our children. We want them to embody virtues we only rarely practice. We want them to eschew habits we’ve never managed to break.”

The better response by both parents and policymakers is a measured and balanced approach to children’s exposure to media content and online interactions.  All-or-nothing extremes are never going to work.  In particular, techno-panics are hopelessly counter-productive. “Fear, in many cases, is leading to overreaction, which in turn could give rise to greater problems as young people take detours around the roadblocks we think we are erecting,” argue John Palfrey and Urs Gasser, authors of Born Digital: Understanding the First Generation of Digital Natives. What parents, educators, and policymakers need to understand, they argue, “is that the traditional values and common sense that have served them well in the past will be relevant in this new world, too.”

Most simply, we need to be willing to talk to our kids about the new technologies and cultural developments that shape their generation. When we as parents (or policymakers) do not fully comprehend or appreciate the new-fangled gadget in our kids’ pocket—or whatever they are playing, watching, or listening to on it—instead of engaging in demagoguery and driving a wedge between us and them, we should instead invite them to have a conversation with us about it.  Ask three simple questions to get that conversation started: “What is this new thing all about?”  “Tell me how you use it.”  “Why is it important to you?”  Once you’ve got them talking to you, good ‘ol fashion common sense and timeless parenting principles should kick in. “Do you understand why too much of this might be bad for you?” “Will you please come talk to me if you don’t understand something you’ve seen or heard?” And so on.

In sum, it’s about parental responsibility and rational, measured responses. The “techno-panic” mentality, by contrast, creates distrust and distance between our kids and us. As Anne Collier of Net Family News notes, techno-panics “cause fear, which interferes with parent-child communication, which in turn puts kids at greater risk.”

Parents and policymakers need to engage kids in an ongoing conversation about the technologies du jour—even when we don’t fully understand or appreciate them.

————— [printable Scribd version follows] —————

“Against Techno-Panics” by Adam Thierer, PFF (July 2009 – Inside ALEC) http://d.scribd.com/ScribdViewer.swf?document_id=17392730&access_key=key-2gdkqylyeu5h376buyyi&page=1&version=1&viewMode=

Online child safety — especially the fear of predators lurking on social networking sites (SNS) — continues to spur calls by state and federal lawmakers for regulation.  At first, some federal lawmakers advocated outright bans on SNS in schools and libraries via the Deleting Online Predators Act (DOPA).  Meanwhile, state and local lawmakers — specifically state Attorneys General (AGs) — have been even more vociferous in their calls for regulation in the form of mandatory age verification for social networking sites, which would cover a broad swath of online sites and activities according to their definitions of SNS. But the question that ultimately gets lost in this debate is: Just how much risk do social networking sites really pose for teens?  Which risks are real and which are overblown? And what’s the best way to deal with the risks that we find to be legitimate?

Nancy Willard devotes her life to answering those questions. Willard is one of America’s leading experts on online safety and risk prevention. She runs the Center for Safe and Responsible Internet Use and she is the author of two outstanding books, Cyberbullying and Cyberthreats and Cyber-Safe Kids, Cyber-Savvy Teens.  In my opinion, Willard’s general approach to online child safety is the most enlightened, level-headed, and likely to be effective. That’s because Willard focuses on putting fears in perspective, identifying the actual risks that kids face online, and devising sensible strategies to deal with risks and problems as they are discovered. Her approach is holistic and built upon sound data, targeted risk-identification strategies, and time-tested education and mentoring methods. For my money, it’s the most sensible approach to online safety issues. In fact, when other parents ask me for “just one thing” to read on the topic, I usually recommend Willard’s work — especially her amazing book Cyber-Safe Kids, Cyber-Savvy Teens. And her background in early childhood education, special education for “at risk” children with emotional and behavior difficulties, as well as experience in computer law, means she is uniquely suited to be analyzing these issues.  In sum, this is woman we should all be closely listening to on these issues.

Recently, Willard has been responding to criticisms that state AGs have leveled against the Internet Safety Technical Task Force (ISTTF) and its final report. [Disclaimer: I was a member of the ISTTF.] I’ve already outlined the ISTTF’s work at length here, but the three key takeaways from the report were that:

1. the risk of predation on social network sites has been over-stated; the data suggest that cyber-bullying is the bigger problem on SNS;
2. there is no silver-bullet technical solution to online child safety concerns, and mandatory age verification, in particular, would not make kids safer online but could even create bigger problems in the long-run;
3. education and empowerment are the real keys to keeping kids safer online.

The response from some state AGs to these findings was quite hostile, with some arguing that the ISTTF did not take online risks seriously enough, or that we relied on “outdated and inadequate” data in reaching our conclusions.  Willard addresses those arguments in a new white paper: “Research that is ‘Outdated and Inadequate?’ An Analysis of the Pennsylvania Child Predator Unit Arrests in Response to Attorney General Criticism of the Berkman Task Force Report.”  In this study, she analyzes data from arrest records from Pennsylvania’s Child Predator Unit to determine exactly how these individuals were operating online. Although it’s just one state’s worth of data — that’s all that seems to have been made publicly available in a single database at this time — it can give us a clue to what might be going on out there. The results are illuminating.

Here’s what Willard found:

The search yielded 143 responses. As noted by the Attorney General, 183 predators had been arrested. All of these arrests were described in the press releases dated from March 21, 2005 to January 13, 2009 – thus allowing for a full analysis of the arrests of sexual predators in the state Pennsylvania for the last 4 years by the Attorney General’s Child Predator Unit. The analysis of the arrests that involved predatory actions, excluding the arrests for child pornography, revealed the following:

• Only 8 incidents involved actual teen victims with whom the Internet was used to form a relationship.
  • In 4 of these incidents, teens or parents reported the contact. The other 4 cases were discovered in an analysis of the computer files of a predator who had been arrested in a sting operation. Five of the cases had led to inappropriate sexual contact. The other situations were discovered prior to any actual contact.
• There were 166 arrests as a result of sting activities where the predator contacted an undercover agent who was posing as a 12 – 14 year old, generally a girl.
  • The vast majority of the stings, 144, occurred in chat rooms. Eleven stings occurred through instant messaging. Nine of the arrests failed to specify the location, but the description bore significant similarity to the chat room incidents. One involved an advertisement that had been placed on Craig’s List.
  • There were only 12 reports of predators being deceptive about their age.
  • The descriptions of these chats incidents bear out what the research reviewed by the [ISTTF’s] Research Advisory Board found – that online predators are rarely deceptive about their interests.

Specifically,”Because the attorneys general have been focusing their attention on the social networking sites, MySpace and Facebook,” Willard made sure to give “special attention to any case that mentioned any activity occurring on either of these two sites.” Here’s what she found in that regard:

• One of the incidents involving an actual teen victim, communications took place on MySpace. This was a rearrest of a person who had already been arrested through a sting.
• A police officer who was arrested for sexual abuse of many teens with whom he had interacted with in the line of duty also had a MySpace account with friendship links to teen girl, but there was no assertion that these communications had led to sexual activity.
• One predator in a sting provided the agent with a link to his Facebook page.
• In 5 of the stings that took place in a chat room, reference was made to the fact that the predator had either looked at the teen’s MySpace account or suggested the teen look at his profile.

Importantly, Willard points out, “Despite the establishment of one or more public profiles on MySpace [by the PA Child Predator Unit], there has apparently not been one successful sting operation initiated on MySpace in the more than two years during which these sting profiles have been in existence.”

From these findings, Willard concludes that:

The insight gained through an analysis of the Pennsylvania Attorney General’s press releases on arrests for online sexual predation provide strong support for the validity of the conclusions of the Berkman Research Advisory Board and demonstrate the need for greater collaboration between law enforcement and researchers to address the actual risks to young people from sexual predators online.

In other words, the Pennsylvania data seem to confirm that predation is not as serious of a risk on SNS as some AGs had claimed. “It appears that chat rooms are far less safe than social networking sites and that there is limited inclination and ability of predators to use social networking sites to contact potential teen victims,” Willard notes. Consequently, she argues:

Attention must be paid to the obvious risks related to chat room communications, as well as the risk factors that are being manifested by the young people who may still be frequenting these chat rooms, especially the chat rooms where sexual relations are being discussed. It appears that rather than seek ways to discourage teens from participating in social networking sites, these sites are destinations that should be encouraged as much safe than the alternatives. A focus must be placed on improving the protective features of chat rooms that are frequented by minors.

We need to know more about which chat rooms are in question and why some youth visit those chat rooms. More importantly, how can we develop sensible messages for youth about the dangers of chat rooms that are targeted to adults and adult sexual activity?

But it is vitally important not to lose sight of the big picture here. As Willard summarizes it:

The incidents of online sexual predation are rare. Far more children and teens are being sexually abused by family members and acquaintances. It is imperative that we remain focused on the issue of child sexual abuse – regardless of how the abusive relationship is initiated.

Indeed, volumes of research on child abuse, child predation, and child abduction all point to this same conclusion: Your kids are actually more at risk from known acquaintances — especially family members — than they are from random strangers (including random strangers they might meet online).

Of course, this doesn’t mean we shouldn’t continue to develop sensible educational messages for youth about proper online behavior and how to report legitimate problems or troubling interactions that they experience online. Again, Willard has done this elsewhere and many of us (including those of us involved in the Berkman Center task force) have long been pushing for increased resources for online safety education and media literacy efforts as the first, best step towards improving online youth safety. We need to get AGs and other policymakers to work together with us to get this important task started — now!

Finally, Willard correctly notes that the AGs and other law enforcement agencies need to be willing to release more data like the Pennsylvania AG did such that further analysis of this problem is possible. If the AGs’ primary complaint with the ISTTF report was that the data we used was somewhat dated, then the best solution to that problem is for the AGs and other law enforcement agencies to open up their records to the child safety community so that risk researchers like Willard can get a better feel for what’s going on out there and devise strategies to deal with it.  Unfortunately, there’s still too much horn-locking going on between these communities and, sadly, I think some AGs are using this issue to create an atmosphere of fear for political gain. We need to find ways to communicate actual risks — such as those that kids would face in some specific, adult-oriented chat rooms — without going overboard and making parents and the general public think that there’s a bogeyman on every cyber-corner of the Internet.

[ Further reading: As usual, my friend Anne Collier over at Net Family News.org has done a much better job summarizing an issue than I have. Read her discussion of Nancy Willard’s paper and its implications here.]

The Internet Safety Technical Task Force (ISTTF), which was formed a year ago to study online safety concerns and technologies, today issued its final report to the U.S. Attorneys General who authorized its creation. It was a great honor for me to serve as a member of the ISTTF and I believe this Task Force and its report represent a major step forward in the discussion about online child safety in this country.

The ISTTF was very ably chaired by John Palfrey, co-director of Harvard University’s Berkman Center for Internet & Society, and I just want to express my profound thanks here to John and his team at Harvard for doing a great job herding cats and overseeing a very challenging process. I encourage everyone to examine the full ISTTF report and all the submissions, presentations, and academic literature that we collected. [It’s all here.] It was a comprehensive undertaking that left no stone unturned.

Importantly, the ISTTF convened (1) a Research Advisory Board (RAB),which brought together some of the best and brightest academic researchers in the field of child safety and child development and (2) a Technical Advisory Board (TAB), which included some of America’s leading technologists, who reviewed child safety technologies submitted to the ISTTF. I strongly recommend you closely examine the RAB literature review and TAB assessment of technologies because those reports provide very detailed assessments of the issues. They both represent amazing achievements in their respective arenas.

There are a couple of key takeaways from the ISTTF’s research and final 278-page report that I want to highlight here. Most importantly, like past blue-ribbon commissions that have studied this issue, the ISTTF has generally concluded there is no silver-bullet technical solution to online child safety concerns. The better way forward is a “layered approach” to online child protection. Here’s how we put it on page 6 of the final report:

The Task Force remains optimistic about the development of technologies to enhance protections for minors online and to support institutions and individuals involved in protecting minors, but cautions against overreliance on technology in isolation or on a single technological approach. Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online. All stakeholders must continue to work in a cooperative and collaborative manner, sharing information and ideas to achieve the common goal of making the Internet as safe as possible for minors.

In sum, education and empowerment are the real keys to keeping kids safer online. We all need to work harder to mentor our children and help them develop the skills and good old fashion common sense to make smart decisions online. Technical tools can supplement — but can never supplant — education, parental guidance, and better mentoring.

Still, this was a task force that primarily came about after state attorneys general (AGs) had been incessantly pressuring social networking sites like MySpace and Facebook to adopt age verification technologies as a solution to online child safety concerns. Specifically, fears about online predators — driven largely by the moral panic whipped up by shows like NBC’s “To Catch a Predator” — prompted calls for mandatory age verification for social networking sites.

So, what did the final ISTTF report have to say about mandatory age verification. Answer: Probably not as much as the AGs were hoping for, and what we did say they may not like to hear.

First, the ISTTF’s Research Advisory Board conclusively proved the primary online safety issue today is peer-on-peer cyber-harassment, not adult predation. Mandatory age verification would do nothing to stop cyberbullying. Indeed, the lack of adult supervision may even exacerbate the problem.

Second, after reviewing various age verification solutions, the ISTTF’s Technical Advisory Board concluded:

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness. Any system that relies on remote verification of information has potential for inaccuracies. For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s. Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records. Any system that focuses on third-party in-person verification would require significant political backing and social acceptance. Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.

As a result, our final report concluded that:

The Task Force does not believe that the Attorneys General should endorse any one technology or set of technologies to protect minors online. Instead, the Attorneys General should continue to work collaboratively with all stakeholders in pursuing a multifaceted approach to enhance safety for minors online.

Then, on pages 28-31, we go into more detail about age verification, finding that:

[Age verification] approaches are less effective in the child safety context — in other words, at creating safe environments for minors — than in the context of completing financial transactions or regulating purchases, especially to the extent that identity authentication and age verification focus solely upon adults. The reasons for this include the fact that in the commercial and financial contexts, an adult typically wants to verify his or her identity correctly in order to purchase a product or get access to records. Moreover, when adults purchase regulated items (such as alcohol or tobacco) online, in some cases a second form of age verification occurs when the item is delivered.

The identity authentication and age verification solutions that authenticate or verify only adults could be and are already sometimes used to reduce minors’ access to adult-only sites. Because they do not authenticate or verify minors, however, they cannot be used to create environments for minors that require authentication or verification prior to access. To the extent that an adult nonetheless uses his or her own verifiable information when accessing an environment intended only for minors, these technologies could enhance the ability of Internet service providers and social network sites to exclude that adult. Of course, it seems unlikely that an adult with nefarious purposes would proceed in this manner. Thus, while these types of identity authentication and age verification technologies may be helpful for other purposes, they do not appear to offer substantial help in protecting minors from sexual solicitation.

And there’s far more detail following this passage from the final report, so please read that section for additional discussion.

Again, some AGs may not like to hear all this but these were near-consensus findings of the Task Force. And, if anything, the Task Force probably did not far enough to show why mandatory age verification will not work and how age verification will actually make kids less safe online. In my final statement to the Task Force, this is what I spent my time focusing on. I outlined the dangers of age verification as well as 10 questions about age verification that the AGs must answer if they persist in this pursuit of a technological Holy Grail. I have embedded my entire expanded final statement down below as a Scribd document, but here are the key reasons I believe mandatory age verification represents a dangerous solution to online child safety concerns:

Again, although the Task Force didn’t go quite as far as I would have liked in terms of making clear the dangers associated with mandatory age verification, I think our final report reflects the general skepticism among Task Force members about taking that path or relying too heavily on any single, silver-bullet technical approach to online child safety concerns. Again, this is real progress; a sensible step forward in the discussion about keeping our kids safe online.

I hope policymakers will take a close look at our conclusions and recommendations and take them seriously. We need to stop wasting so much time searching for silver bullets and start getting more serious about how to better mentor our kids so that they can be good — and safe — digital citizens. Education, not regulation, is the key.

Below I have linked to some background essays about the Internet Safety Technical Task Force as well as additional thoughts by fellow task force members or reporters. I’ll add to it as I see new things in coming days.

Additional thoughts / articles about the ISTTF:

• ISTTF director John Palfrey discusses the report on this short podcast with Larry Magid as well as this longer one from the Berkman Center
• ISTTF co-director danah boyd comments on the report on her blog
• ISTTF member Larry Magid of ConnectSafely.org: “Net Threat to Minors Less Than Feared,” CNet News.com
• ISTTF member Anne Collier of Net Family News: “Key Crossroads for Net Safety“
• ISTTF member Stephen Balkam of FOSI featured on an NPR podcast about our work
• ISTTF member John Morris of CDT: “Deconstructing Reaction to Net Safety Task Force Report“
• ISTTF member Marsali Hancock, President of iKeepSafe blog essay about the task force
• AGs respond to report in interview with Emily Steel of the Wall Street Journal: “The Case for Age Verification“
• New York Times article by Brad Stone: “Report Calls Online Threats to Children Overblown“
• Wall Street Journal article by Emily Steel: “No Easy Answer for Protecting Kids Online“
• Associated Press story by Anick Jesdanun: “Panel: Technology Alone Can’t Protect Kids Online“
• Chronicle of Higher Education Wired Campus blog entry by Tracy Mitrano, “Report Weighs the Benefits and Risks of Social Networks,”
• PC World article by Jaikumar Vijayan: “Study Accused of Exaggerating Kids Online Safety“
• PC World blog post by Jaikumar Vijayan: “Are Internet Child Safety Concerns Overblown or Understated?”

Background info:

• an old blog entry of mine about the formation of the task force
• an old paper of mine about the agreement between MySpace and AGs that led to the formation of the ISTTF
• an essay of mine from the ISTTF’s mid-point: “Age Verification Debate Continues; Schools Now at Center of Discussion“
• my big white paper on the dangers of mandatory age verification
• my book: “Parental Controls and Online Child Protection: A Survey of Tools and Methods”
• my final ISTTF statement, which is also embedded below as a Scribd document…

Over the past year, I have been monitoring a very interesting trend with important ramifications for the future of Internet policy. State Attorneys General (AGs) — often in league with the National Center for Missing and Exploited Children (NCMEC) — have been striking a variety of “voluntary” agreements with various Internet companies that deal with child safety concerns or other online issues. These agreements require the companies involved to take various steps to alter site architecture and functionality, commit to stop certain practices, or take steps to block certain users (ex: predators; escort services) or types of content (ex: child porn; online “discrimination”) altogether.

To begin, let me be very clear about one thing: Some of these activities or types of content warrant a law enforcement response. That is certainly the case with child pornography or predation, for example. However, as I will note down below, there is a legitimate question about whether state officials and a non-profit private organization should be crafting legal or regulatory policies to address such concerns for a global medium like the Internet. Regardless, these agreements are creating a new layer of Internet regulation (almost extra-legal in character) that is worthy of exploration.

First, let me itemize some of these recent “voluntary” agreements between Internet companies and the AGs and/or NCMEC:

• MySpace, Facebook & 49 state AGs: On January 14th, 2008, social networking website operator MySpace.com announced an agreement with 49 state Attorneys General (AGs) aimed at better protecting children online. As part their “Joint Statement on Key Principles of Social Networking Safety,” MySpace promised the AGs it would expand online safety tools, improve education efforts, and expand its cooperation with law enforcement. Facebook entered into a similar agreement with the AGs in May. These agreements came after AGs had relentlessly pushed these social networking sites for over a year to adopt age verification techniques to screen site users. Although mandatory age verification was not part of the final agreements, an Internet Safety Technical Task Force (ISTTF) was formed to study online safety tools, including a review of online identity authentication technology. It was clear when the announcements were made that the AGs were very interested in seeing online age verification pursued.
• Various ISPs and New York AG + NCMEC: In June 2008, New York Attorney General Andrew Cuomo pushed several major ISPs to enter into a Memorandum of Understanding (MOU) with NCMEC to address the dissemination of child pornography online.  Under the MOU, the ISPs must use a NCMEC-provided list of URLs supposedly containing child pornographic images to blacklist and block all access to those sites for their users. The agreement also closed off access to Usenet discussion boards on those ISP’s networks.
• Craigslist & California AG + NCMEC: In early November, Craigslist struck an agreement with 40 state AGs as well as NCMEC in which the online classifies operator agreed to take steps to root out certain sexually-themed or “erotic services” listings. See this Ars Technica article for additional details.
• eHarmony & New Jersey AG: Just this past week, the online dating service company eHarmony announced it had struck an agreement with the Attorney General of New Jersey to settle a complaint that a New Jersey resident filed with the state in 2005 alleging that eHarmony violated his rights by not offering a same-sex matching service. The agreement creates some interesting questions, as George Mason University law professor David Bernstein told the Wall Street Journal. The discrimination claim “seems like quite a stretch,” he said, and he said that he is worried it might encourage similar claims. “If you start a dating service for African Americans, do you need one for whites and Latinos? If you have one for Jews, do you need one for Christians and Muslims?” According to the Journal, eHarmony faces a similar discrimination claim in a California court, so we might get answers soon enough.

There are a number of interesting legal and practical questions raised by these agreements:

• “Voluntary” Agreements & the Law: Although typically billed as “voluntary” in nature, it seems highly unlikely that any of the companies involved would have made these concessions without  pressure from the state AGs (and sometimes NCMEC) to do so. How binding are these agreements in light of that? Of course, it is unlikely any of the companies involved would (or could) later challenge the validity or scope of these agreements after they had already signed onto them. But what if a free speech or civil liberties group challenged these agreements in court because of their impact on the Internet, online speech, or a certain group of citizens? Would they have a case? Would they even have standing? Where do they have it?
• Precedent & Applicability: Do such agreements constitute precedents that could be applied in other cases or contexts? Could parties not involved in the original agreements — either because they refused or did not yet exist — eventually be covered by them in some fashion? Do these agreements cover services available in the American but hosted entirely overseas?
• Commerce Clause Issues: Do state Attorneys General have the right to impose such quasi-regulatory regimes on an interstate medium like the Internet? Can 50 state AGs impose uniform laws on the Net without any congressional oversight, as was the case in the MySpace and Craigslist agreements? Conversely, what will the impact be of individual state AGs going their own way, as was the case with the eHarmony agreement? If Congress remains silent on the agreements but a group (ex: a civil liberties group) brings a dormant Commerce Clause case, what are their chances of prevailing in court?
• Accountability & Effectiveness: Will anyone in Congress or a federal agency oversee these agreements? How transparent are these agreements when they are brokered behind closed doors or with NCMEC? Does the Freedom of Information Act (FOIA) apply such that records and information can be made public?  What is the benchmark of success when different states adopt different legal regimes for the Net?

I’m not saying I have any good answers here; I’m just trying to get the questions on the table and get a discussion going. I would appreciate any input on the matter, especially of the legal variety. It strikes me that we are in somewhat uncharted waters here, at least for the Internet. On the other hand, I’m sure there have been state AG-related “voluntary” agreements struck in other industries and contexts in the past that might provide some insight into what, if anything, happens next.

What I find most interesting about these developments is that the state AGs appear to be gradually accomplishing what Congress has not been able to do over the past dozen years: To impose a comprehensive regulatory structure on the Internet. But that emerging regulatory structure is highly fractured and piecemeal in nature, and that troubles me. I am particularly concerned about the long-term impact of a 50-state patchwork approach to online regulation — both for speech and commerce. It’s not like we’re talking about the regulation of a corner newsstand here, after all. This is the Internet, and localized regulation of this national — actually global — platform makes me more than a bit nervous.

In closing, I want to again reiterate that I do not necessarily oppose intervention in any of these cases. However, to the extent such regulations do need to be imposed and enforced, it may make more sense for the process to be federalized and NCMEC’s role nationalized and administered by the Federal Bureau of Investigation or some branch of the Department of Justice. There needs to be greater transparency and accountability when matters of child pornography or predation are at issue, and NCMEC’s lack of FOIA-ability in this regard is problematic. I think NCMEC is a fine organization that does very important work to help protect children, but it is work that involves criminal activities and the collection of evidence that could be used in criminal court proceedings. In light of that — and in light of the expanded law enforcement powers being granted to NCMEC — I believe the time has come to have a serious conversation about whether those powers should continue to be housed in a private, non-profit organization, or if they should be transfered to a federal law enforcement agency. Of course, there could be serious downsides associated with the nationalization of those powers, which also should be considered.

In a big post two months ago entitled “Age Verification Debate Continues; Schools Now at Center of Discussion,” I noted that there has been an important shift in the age verification debate: Schools and school records are increasingly being viewed as the primary mechanism to facilitate online identity authentication transactions. I pointed out that this raises two very serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?

Brad Stone of the New York Times has just posted an important article with relevance to this debate. In it, he points out that:

performing so-called age verification for children is fraught with challenges. The kinds of publicly available data that Web companies use to confirm the identities of adults, like their credit card or Social Security numbers, are either not available for minors or are restricted by federal privacy laws. Nevertheless, over the last year, at least two dozen companies have sprung up with systems they claim will solve the problem. Surprisingly, their work is proving controversial and even downright unpopular among the very people who spend their days worrying about the well-being of children on the Web. Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat — the menace of online sex predators — with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.

Stone highlights the efforts of eGuardian, a California company that, “asks a parent to submit the birth date, address, school and gender of a child, then it asks schools to confirm the information.”

Over the last year, eGuardian has been approaching schools, primarily in California, and offering them the entire $29 sign-up fee when they persuade parents to sign up their children. EGuardian’s real money-making hope — and this is what makes [Nancy] Willard nervous — is to have Web sites pay a commission for each eGuardian member. The Web site can then use the data on each child to tailor its advertising.

Nancy Willard, one of America’s leading online child safety experts, is the executive director of the Center for Safe and Responsible Internet Use, and the author of the outstanding book, Cyber-Safe Kids, Cyber-Savvy Teens. The concern she raised with Brad Stone is that “Age verification companies are selling parents on the premise that they can protect the safety of children online, and then they are using this information for market profiling and targeted advertising.” Basically, companies like eGuardian give the software to schools or parents and then hope to make it back through targeted advertising. According to Stone’s article, “EGuardian’s real money-making hope — and this is what makes Ms. Willard nervous — is to have Web sites pay a commission for each eGuardian member. The Web site can then use the data on each child to tailor its advertising.”

I’m not quite as concerned about the advertising / marketing issue as Nancy Willard, but I am equally disturbed about the prospect of using schools as online age verification agents– or partnering with others to make that happen. I apologize for quoting myself at length on this point, but here’s how I stated my concerns before:

[I]nvolving schools in any age verification scheme would raise serious privacy concerns and administrative problems. Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated? Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously. Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents. But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves). Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward. […] Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

Interestingly, Richard Blumenthal, the attorney general of Connecticut, who has been one of the leading proponents of age verification, told Brad Stone that the privacy issues raised by Willard and others are now on his radar screen:

“The attorneys general would be very concerned about using age verification to promote marketing or any other kinds of promotional pitches or gimmicks aimed at specific age groups,” he said. “Targeted marketing may have its place, but it should not be coupled with the issue of childhood safety.”

That’s good to hear. But I hope Mr. Blumenthal and the other AGs realize that that is just one of many reasons to be concerned about mandatory online age verification, especially if it involved schools as age verification agents. It has troubling implications for schools, kids, parents, free speech, online anonymity, privacy rights, and much more. Most importantly, as I made clear here, it remains highly unlikely that online age verification would actually do anything to really keep kids safer online. In sum, the costs far outweight the benefits when it comes to mandatory age verification.

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies.  In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.”  [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

• There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
• First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
• Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
• It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
• It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

How We Could Verify Kids, and Why We Should Not Do It

Let’s assume that we want to achieve AG Blumenthal’s “man-on-the-moon” dream of verifying all kids before they go online. How would we do it?  There are really only two solutions: (1) full-blown national ID cards for kids, or (2) tapping school records about kids to somehow age-verify kids (sort of a “National ID card-Lite” scheme).

National ID Cards for Kids

The first scheme is fairly straightforward, but incredibly frightening to those of us who care about civil liberties. Basically, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others — including social networking sites — as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children.  Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into  collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Using the Schools to Help Verify Kids

So, let’s work from the assumption that National ID cards for kids is not going to fly as an online identity authentication solution.  The only other realistic scheme would involve getting the schools involved in the process.  Why?  Because to paraphrase Willy Sutton: “That’s where the data is.”  Schools have more information about our children than probably every other institution or organization combined.  They have very detailed records about kids, their ages and much more, which makes schools a logical candidate for participation in a possible age verification system for minors.  But involving schools in any age verification scheme would raise serious privacy concerns and administrative problems.

Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated?

Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously.

Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents.

But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves).

Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward.  Incidentally, no one from the educational community was present at Harvard this week as these proposals were flying.  Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

How about Parental Permission Slips for Online Verification?

Another potential way to go about online verification is to avoid verifying the kids directly and instead just verify parents (or guardians) and then get them to vouch for their children.  Some age verification advocates are now calling for such parental consent-based forms of child verification.  Specifically, they are now attempting to drive regulation through the prism of the Children’s Online Privacy Protection Act (COPPA) of 1998.

By way of background, COPPA required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. Generally speaking, the goal was to make sure that such websites were not collecting personal information about children without getting parental permission. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a February 2007 report to Congress about the status of the COPPA and its enforcement, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

Nonetheless, what should be evident here is that COPPA’s parental consent framework could serve as a vehicle for pushing through greater regulation of all social networking sites, not just those sites geared toward kids under 13.   Indeed, we have already seen that proposed at the state level.  For example, in the debate that took place over age verification in the North Carolina statehouse last summer, a parental permission-based verification proposal supported by North Carolina Attorney General Roy Cooper was billed as a way to strengthen and expand the COPPA framework.  (Never mind the fact that COPPA is a federal statute, or that the state of North Carolina is likely barred from regulating Internet speech and commerce thanks to the First Amendment and the Commerce Clause of the Constitution!)

In other words, future age verification mandates could arrive in the form of COPPA amendments, or at least cite COPPA’s regulatory framework as precedent.  Specifically, the proposal would be to: (a) extend COPPA’s coverage to kids up to the age of 18 and then (b) broaden the range of SNS sites that are covered by its parental consent requirements.

There are many problems associated with such a proposal, and I will get to some of them in a moment. But here’s the more interesting question that few have asked: Is COPPA really working?  It is very much unclear to me that COPPA actually works as billed, but to the extent it does, it is likely because of the very limited scale and nature of the operations it covers.  As I have said in my past writing on the issue, there is a direct relationship between the size of a site and the likelihood of success in attempting to verify its users / members. Of course, that is hardly surprising.  But let’s get a little more concrete about why that is important.  Here are the two reasons that I believe the COPPA / parental consent regime has generally worked so far, or at least hasn’t failed miserably:

(1) Many smaller sites charge a fee for admission; and

(2) The functionality of those sites is usually tightly limited. They are closed, walled gardens.

Regarding the first point: Obviously, the more a site charges for access, the more likely it is that the parent / guardian pays attention to what their kid is doing.  Of course, that doesn’t mean a bad guy couldn’t still get into those “verified” environments under false pretenses.  And there’s the problem of minors with access to credit cards.  Moreover, even assuming credit cards worked as an age verification method, there is the more practical question of whether lawmakers have the guts to mandate that every social networking site in the land start charging admission for access.  Since almost all SNSs are free-of-charge today, that is not going to be a very popular mandate!

Nonetheless, for very small, niche-oriented social networking sites geared toward younger kids, credit cards and fees are part of the reason people think COPPA has “worked.”  In essence, it acts as a bit of a roadblock or hassle thrown in the way of access, and that gets parents thinking and talking to the kids about those sites. That is the argument put forward by Denise Tayloe of Privo, one of the four FTC-approved COPPA safe harbor providers.   Ironically, Tayloe has noted that one of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites. As a result,” she notes, “databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says.

Despite these problems, Tayloe argues that COPPA serves an important role.  Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that COPPA “provides a platform to educate parents and kids about privacy.”  Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.  And we don’t really have any idea what level of parent-child interaction COPPA incentivizes.  More importantly, we don’t really have any good data regarding the accuracy of claims made pursuant to COPPA’s requirements regarding the relationship between parents and the kids seeking access to the site.  How many people (kids or adults) were able to gain access under false pretenses? We don’t know.

Nonetheless, the operating assumption here is that by creating an added economic hurdle or barrier to entry (in the form of the hassle of filling out paperwork or forms), COPPA gets some parents (perhaps most?) to put more thought into what their kids are doing online, and that somehow improves online safety in larger scheme of things.  The problem is that that does not necessarily mean that their kids are operating in perfectly “secure” or “verified” environments.  The danger is that – to the extent some “bad guys” are getting on those sites under false pretenses – kids and parents may fall prey to a false sense of security after they are told the site is COPPA-verified.  Of course, COPPA wasn’t put on the books to keep “bad guys” away from kids online; it was about keeping site operators from collecting personal information about kids.

The second reason COPPA has “worked” to a limited degree is that SNS sites geared toward younger kids tightly limit functionality.  In essence, the site administrators “cripple” the sort of functionality we find in SNS sites geared toward older kids.  That fact alone makes these sites far less likely to be subject to fraudulent entry or dangerous interactions.   If I am an older teen or a pervert, why would I ever want to gain access to a site that has nothing more than drop-down menus and a few buttons to click on when interacting with others?  Thus, the primary reason that kids are likely safer in those environments has almost nothing to do with COPPA’s parental consent mechanisms and almost everything to do with the fact that most of the sites it covers are tightly controlled walled gardens with very limited functionality.

With these facts in mind, let’s gets back to the ultimate question: What would happen if we tried to apply COPPA to all social networking sites for kids of all ages? The threshold question that would need to be answered remains the same as it does today: How do we verify the parent-child relationship when someone asserts they are the parent or guardian?  That’s a very thorny question.  But let me just list out the many other questions that everyone is overlooking here:

(1) What sort of mechanisms will need to be put in place to guarantee that the parent or guardian is who they claim to be (for both initial enrollment and subsequent visit authentication)?  Sign-and-fax forms can be easily forged, so credit cards (and perhaps mandatory user fees) will likely become the default solution. A third method, follow-up phone calls, just doesn’t seem practical.  But might lawmakers demand a mix of all of the above?

(2) Regardless, how burdensome will those mandates be for parents / guardians?

(3) And how burdensome will those mandates be for SNS site operators? What kind of compliance costs / legal penalties are we talking about?

(4) Will the barriers to site enrollment become economic in character such that it requires previously free social networking sites to charge admission?

(5) If so, could that be a disadvantage to low-income families / youth?

(6) If compliance costs go through the roof for SNS sites, will this be a recipe for massive industry consolidation in order to comply with the mandates?

(7) Who is collecting the massive databases of information created by such a mandate for all SNS? Who has access to that data? What might government use it for?

(8) Will this new regime be applicable to offshore sites? And will kids flock to offshore sites as a result of such mandates on domestic sites? If some do, how will we stop them?

And so on.  Bottom line: The future of age verification battles will likely be increasingly tied up with COPPA and the question of how well parental permission-based forms of authentication might work. It is unlikely, however, that such a framework could be easily applied on “Internet scale.”  There is a world of difference between something like Disney’s “Club Penguin” and MySpace, Xanga or Bebo.  And with social networking capabilities being integrated into every site and service these days — from CNN.com to Microsoft’s Xbox Live service — one wonders how that will magnify the compliance costs and hassles for all involved.  Are parents really going to be expected to verify themselves and then their kids for every “social networking site” their kids want to visit?  That seems unnecessary, unworkable, and potentially counter-productive.

Finally, the irony of a proposal to expand COPPA in this fashion is that lawmakers would be using a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents!  It’s important we not overlook the privacy implications of any effort to expand COPPA to do something it was not originally intended to cover.

Conclusion

It will likely be very difficult for the Technical Task Force to reach consensus on these controversial and complicated issues.  There are many challenging technical, legal, and even philosophical issue in play here.  The problem is that this Task Force is charged with looking at technical solutions and yet most child safety advocates and academics on the Task Force are of the mind that technical solutions are only one part — and probably the smallest part — of the sort of “layered solution” to online child safety that I describe in my book on “Parental Controls and Online Child Protection.” As I argue in that book:

“the best answer to the problem of unwanted media exposure or contact with others is for parents to rely on a mix of technological controls, informal household media rules, and, most importantly, education and media literacy efforts.”

In sum, we need to get serious about talking to our kids about online safety and proper online behavior. Education is the key, and government has a major role to play in that regard in the classroom and through awareness-building efforts. And technical tools that empower parents to better monitor and guide their child’s online experiences can help too. Social networking sites and other online service providers can offer more of those tools and also take additional steps to improve the safety of their sites and encourage a dialog about appropriate and inappropriate online behavior. Again, it’s a multi-layered effort with education and communication at the core of the plan.

It’s not like I am saying anything new here. Indeed, that layered approach was the recommended approach of two previous online safety blue ribbon task force efforts: The 2000 COPA Commission and the 2002 National Academy of Sciences “Thornburgh Commission.” And every major book about online child safety published over the last 5 years has come to the same conclusion.

But that is not likely going to be enough for state attorneys general. There is no other way for me to state this than to just come right out and say it: The AGs are looking for a silver-bullet technical solution to a complex problem they do not fully understand.  And age verification schemes are the technical bullet du jour.

Alas, for all the reasons I have stated here and elsewhere, age verification schemes are likely to fail miserably.  Even if age verification systems worked as billed, it is unlikely that kids would really be any better off.  All the academic research in this field points to a single, inescapable conclusion: The primary danger to kids online is not adult predators, it is other kids.  In particular, it is peer-on-peer harassment and cyber-bullying.   As parents and a society, we have to do more — a lot more — to address that problem.

Age verification schemes, however, aren’t going to help us solve that problem.  Worse yet, by creating the illusion of safety, it could compromise our children’s privacy in the process and create a false sense of security when kids or their parents come to believe they are operating in “trusted” online environments.  For the sake of our children, it is essential we not fall prey to such a fatal conceit.

Just FYI, the latest update of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now live. The new version, Version 3.1, provides minor updates to all sections of the book and a new appendix of relevant research in the field. I issue major updates early each year and 1 or 2 tweaks during the course of the year to reflect the evolution of the parental control and online child safety market and debate.

For those not familiar with the report, it explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past two years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

Wendy Tanaka of Forbes penned a nice article this week on “Making Social Sites Safer,” as in social networking sites. She interviews many members of the new Internet Safety Technical Task Force that is being chaired by John Palfrey of the Berkman Center for Internet & Society at Harvard Law School. Wendy was also kind enough to call me for some comments.

Wendy wanted to know how far technology could go to solve online safety concerns. Specifically, as she notes in her piece, “The discussions have centered on whether identity technologies can make social sites safer, or whether consumer education works best. State attorneys general believe more technological solutions are necessary, but some task force members contend that identity technologies on the market aren’t adequate. And even if they were better, they likely can’t prevent every unwanted incident and they could block contact between friends and relatives.”

On that point, I told her that, even if the age verification technology worked as billed (and I have my doubts), we’d have other issues to grapple with:

“So, if he’s 16 and she’s 21, they shouldn’t talk? Maybe they’re brother and sister,” says Adam Thierer, a senior fellow at the Progress and Freedom Foundation. Thierer also says that too many checks and restrictions could turn off users and hamper advertising on social networks. “There’s only so far the sites can go before undermining their business and cutting off their customer base,” he says. “At some point, it becomes an annoyance for users.”

What I meant by that is that there is a balance that must be struck between security and freedom on social networking sites because, if lawmakers (or even the site operators themselves) push too far and add too many layers of controls, their could be adverse consequences. In particular, users could flock elsewhere, including to offshore sites that have no safety guidelines or mechanisms in place. That would be a troubling outcome that could leave site users far less safe in the long-run. As I have pointed out in my big paper, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,“Whatever their concerns are about current domestic sites, parents and policy makers should understand that those sites are generally more accountable and visible than offshore sites over which we have virtually no influence but that have the same reach as domestic sites.”

Moreover, we need to be aware of the privacy and speech-related issues that arise when governments seek for force users to surrender the online anonymity. I have written more extensively about that issue in my essay here on “Age Verification and Death of Online Anonymity.”

Finally, as I told Wendy, there is no substitute for education and awareness-building efforts as the real solution to these problems. “There are no easy technical fixes for complex human behavioral problems,” I told her. “We need to teach kids ‘Netiquette.’ ” That is, we need to do a better job teaching our kids proper online manners toward their peers while also making sure they understand what risks are out there and how best to deal with them.

Anyway, make sure to read Wendy’s Forbes article for additional insights from other Task Force members.

The debate over social networking safety is increasingly tied up with the question of whether (and how) users should be authenticated before they are allowed onto a social networking site, however that term of art is defined. Age verification proposals have been flying for the last two years that would use a variety of approaches to determine the age / identity of users. [I have discussed those proposals in detail here.]

So, when I heard the news that the Catholic church “will set up a Catholic social networking Web site akin to a Catholic Facebook” so that Pope Benedict can text message thousands of young Catholics on their mobile phones during World Youth Day in Sydney, Australia this July, I just couldn’t help but wonder if the Pope and all the site’s users will be required to somehow have their identities or ages verified before they go online?

I’m being entirely serious. If anyone has information on how the site will work and whether the Church plans to use identity screening mechanisms, please let me know. I try to keep tabs on how each social networking site polices their site for underage or inappropriate use. I am personally quite skeptical that most current approaches can work effectively, but I am always willing to learn more about new tools and techniques.

PFF has just releasing an updated edition of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods.” The new version, Version 3.0, includes two new appendixes and updates to each section to reflect new parental control tools and programs developed in the last nine months.

The updated report is timely as it comes on the heels of the recently-announced Internet Safety Technical Task Force, which is being chaired by the Berkman Center for Internet & Society at Harvard Law School. I am privileged to serve as a member of the Task Force, which is evaluating various online safety technologies and strategies and then reporting back to state attorneys general with our findings.

Those issues and much more are covered in the latest edition of my report. The report explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

Version 3.0 of the special report, now over 200 pages, contains over fifty exhibits and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. A greatly expanded section on video empowerment technologies has also been included. Finally, two appendices have also been added: a comprehensive legislative index cataloging over thirty bills introduced in Congress on these issues (complied with John Morris of Center for Democracy & Technology), and a glossary of 35 relevant terms and cases.

The report is available free-of-charge on the PFF website, as are the previous editions. And I am happy to provide hard copies to those who are interested.

The USA Today editorial board published a nasty piece today belittling MySpace.com’s recent efforts to implement more safeguards for its users. Despite the fact that MySpace made over 70 promises to the Attorneys General as part of the agreement–the entire agreement is summarized here–that’s still not good enough for the USA Today’s editorial board, which wants full-blown identity verification before anyone is allowed on a social networking site:

“Even in the absence of a perfect software solution, interim steps are possible. How about using databases of drivers’ licenses to cross-check ages? In more than 20 states, they are public records. The point is, more effective safeguards are needed now, …. MySpace [should be] moving faster to set up age and ID verifications, not just study them.”

Well, where do I begin? I get so frustrated when I see comments like this because it is abundantly clear to me that people don’t think things through when it comes to age verification. As I pointed out in my lengthy PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” age verification is extremely complicated, and it would be even more complicated in this case because public officials are demanding the age verification of minors as well as adults, which presents a wide array of special challenges and concerns.

What Age Verification Really Is: The Death of Online Anonymity We need to begin by understanding what age verification really is. By definition, mandatory age verification represents an effort to make online anonymity a crime. In simple terms, citizens would be forced to “show their papers” at the door of every website or else run the risk of being denied access–simply because they do not want to surrender their name or age.

Think about what that means. It’s easy to take the benefits of online anonymity for granted. There are millions of people who comment anonymously on blogs like this one every day, or write anonymous book or product reviews on Amazon.com or eBay, or who just chat with others about various topics under the cloak of anonymity. It is a wonderful thing.

Of course, anonymity has some downsides. The downside of people speaking their minds freely is that, well, people will speak their minds freely! And, yes, on occasion, that means some people will talk smack and just generally be jerks while disguising their identities because don’t want to stand by their comments or be accountable for them. But that’s the cost of free expression. If you want to live in a free society and encourage a vibrant exchange of views, there will be times when that means we must defend the right of people to say incredibly silly or even insulting things.

And God knows there are plenty of silly and insulting things being said on social networking sites every second of the day. But there are also countless moments of joy and wonder, when people come together and communicate with each other, or share culture with others in incredibly creative and social-beneficial ways. And, again, a great deal of that communication or culture-sharing is done in a completely anonymous fashion.

For example, as I have mentioned here before, I am fanatical about cars and home theater gadgets. I spend a lot of my free time hanging out at a small social networking site for fellow Lotus car lovers called Lotus Talk. And I also spend a fair amount of time at the amazing AVS Forum, which is the world’s biggest chat board for home theater and A/V stuff. On these sites, thousands of random strangers come into contact every day. We create profiles, we post pictures, we share stories, we talk about life and our passions for cars and A/V gadgets. This is very the essence of social networking. And, for the most past, we are all doing it anonymously. And it is happens everywhere online, every second of every day. Do we really want to make it all illegal?

Practical Considerations: The Complexities of Human Identification OK, so there might be some downsides to making anonymity illegal online. But some critics would say: “So what, we need to make people show their papers at the door of every website–at least for those social networking sites where kids hang out–to make sure kids are safe online.” Well, that’s easier said than done.

At least in theory, the problem that age verification is supposed to solve is to keep older people away from youngsters, at least in certain circumstances. Also, some proponents wish to use age verification to ban preteen access to social networking sites. To accomplish either of those objectives, we must be able to effectively verify everyone’s age by consulting reliable records about those looking to create an account on a social networking site. In other words, when Janie Smith comes to a social networking site for the first time, the site must be able to verify not only that she is Janie Smith, but that she really is as old as she claims to be. But, again, such verifying is easier said than done.

Consider first what is required to verify an adult’s identity. When government officials or even corporations seek to verify someone identify or age, they can rely on birth certificates, Social Security numbers, driver’s licenses, military records, home mortgages, car loans, other credit records, or credit cards.

But even with all those pieces of information, challenges remain. Is the information publicly accessible or restricted by legal or other means? Are all the underlying pieces of information and documentation trustworthy, or have they been manipulated or misreported in some way? Has someone faked his or her identity? And so on. Thus, while the identity authentication systems–both public and private–have improved significantly in recent decades, they still face some inherent challenges and concerns about fraud.

The current concern about “identity theft” demonstrates the complexities and level of difficulty involved in stamping out this problem. Even U.S. passports, which are relatively robust identification documents that contain authentication data, are occasionally forged with success. “It is safe to assume that future age verification efforts will yield failures on par with other identification/authentication mechanisms,” says information security expert Jeff Schmidt, former CEO of Authis, Inc.: “When one considers how frequently college students successfully circumvent age verification requirements in person and with government issued documents, one can begin to grasp the challenges that lie ahead.”

Importantly, we’re talking just about adults here. When the focus of identity verification efforts shifts to minors, the endeavor becomes far more complicated. Minors don’t have home mortgages or car loans. They don’t have military records and most have never worked. Most don’t have driver’s licenses or credit cards either.

Of course, minors do have birth certificates, Social Security numbers, and school records, but both parents and government officials have long demanded that access to those records be tightly guarded. That’s for a very good reason: As a society, we take privacy seriously—especially the privacy of our children. Laws and regulations have been implemented that shield such records from public use, including the Family Educational Rights and Privacy Act of 1974 and various state statutes.

Also, to the extent that age verification of adults works for some websites–online dating services, for example–it is important to realize that in most of those cases the users want to be verified. In that context, identify authentication increases marketability of a user’s “profile,” or it allows him or her to participate more actively in an environment where trust is essential. This fact makes it far more likely that age verification will work because user compliance is driven by market forces, not regulation. That compliance will not be the case when users–especially kids–inherently resist the idea of being age-verified before they go onto certain websites. (We should also not forget that some kids will share their online credentials or passwords with friends.)

It is also important to realize that age verification and background checks are not synonymous. Information security expert John J. Cardillo, President and CEO of Sentinel, a leading authentication firm, argues that:

Most people are ignorant of what we do. They hear the words “check” or “verification” and they assume a full background check will be run on the individual. When this is sponsored by an AG, the chief law enforcement officer of their state, there’s a perception that the criminal background checks are inclusive in whatever they’re proposing. Age verification, on its own, doesn’t indicate whether or not a person is a convicted sex offender. Mandated age verification, as proposed, would allow the hundreds of thousands of offenders… who are over 18, unrestricted access to sites. Worse, it would allow these offenders the ability to vouch for children that might or might not exist. This is where it gets most dangerous. People might assume that “verified” users have undergone some type of vetting, and let their guard down just that little bit the offenders need to exploit. In the case of convicted sex offenders, age verification actually helps them by giving them an additional layer of legitimacy.

This points to the danger of creating a false sense of security online by mandating a solution that doesn’t address the real problem.

Finally, the special challenges raised by the nature of the Internet and online communication must be reiterated. Finding a dependable source of identity or age information and then reliably matching it to someone thousands of miles away on the Internet (perhaps in another jurisdiction, or even another country) is a daunting challenge—made even more difficult by the fact that a remote individual may be actively attempting to subvert the age verification process. Solving this problem necessitates authentication data that are appropriate for online interaction. In the real world, we perform in-person authentication with a photo or physical description; the online world requires a username/password combination, biometric authenticator, or physical security token. An arms-race scenario is obviously at work here, and because a perfect solution is impossible, we must guard against a false sense of security. Lastly, because technology is evolving at such a rapid pace in this area, there is a risk that legislative solutions will become obsolete very rapidly.

In light of those complications, how would government, social networking sites, or anyone else, go about age-verifying minors online?

Do We Really Want National ID Cards for Kids? In the extreme, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others—including social networking sites—as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children. Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into to collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Sources of Age Information Thus, if social networking sites are going to age-verify minors, they will likely need to devise or rely on some other, nongovernmental solution. The most commonly proposed solutions typically fall into the following groupings:

(1) Credit cards as approximate age proxies; (2) Driver’s licenses as approximate age proxies or as a source of date of birth; (3) Birth certificates as a source of actual date of birth; (4) Parents or guardians vouching for minors; (5) Schools vouching for minors; (6) Third parties vouching for minors; and, (7) Biological or biometric determination of age.

I won’t summarize all them here since I do so in my longer PFF report on the issue. But let me just point out the deficiencies of the two leading proposals: Credits cards and parents vouching for children.

(1) Credit Cards as Approximate Age Proxies: Credit cards are often viewed by policy makers as the silver bullet solution for age verification. Even though credit card companies typically do not wish their cards to be used as age verification tools, government has advocated their use in that way in the past. But they are not a silver bullet.

“Mere possession of a credit card is not a reliable assertion of identity or age,” argues Jeff Schmidt. Credit cards can be a rough proxy for age on the assumption that only adults over the age of 18 have credit cards, but that assumption is false. Many minors are given credit cards by their parents. Youngsters can borrow or steal credit cards from their parents or others. And Schmidt notes that newly created stored value cards, specifically marketed for use by children, “are in many cases indistinguishable from actual credit cards—both in physical appearance and in the back-end transaction processing systems.” Sentinel’s John Cardillo points out additional reasons why credit cards are not effective age verification tools:

When a card is used for verification purposes, an authorization on that card is run for $1.00 (or less), however a charge isn’t put through. The card typically isn’t reconciled against any database for name and/or age, nor is a signature checked. Because of the insignificant dollar amount, the only thing that’s checked for security purposes, in some instances, is zip code. Anyone who’s ever bought gasoline with a credit card knows this to be true. Our names and ages aren’t checked at the pump. Check your statement online next time you gas up. You’ll see an authorization for $1.00 and the actual charge a few days later. The same merchant banks handle the transactions online. In other words, in most cases, all that’s being verified is that the card account isn’t closed or stolen. Who’s using it is irrelevant.

Moreover, “many parents may feel uncomfortable giving their credit card number online at children’s Web sites where there is no [commercial] transaction involved,” notes a coalition of major commercial organizations, including the American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, The Direct Marketing Association, Inc., and Magazine Publishers of America. In a June 2005 filing to the Federal Trade Commission, those organizations noted that “in light of current online scams, heightened concerns about online security, and the rise of such practices as phishing, parents may be reluctant to provide credit card numbers absent a transaction.” But that begs the question: If lawmakers require social networking sites to process a financial transaction to age-verify, is that fair? In particular, is it fair for low-income families? And what about those families that do not possess a credit card?

Finally, the law is not even settled about using credit cards for access to adult-oriented websites. The Child Online Protection Act (COPA) was passed by Congress in 1998 in an effort to restrict minors’ access to adult-oriented websites. The measure provided an affirmative defense to prosecution if a website operator could show that it had made a good faith effort to restrict site access by requiring a credit card, adult personal identification number, or some other type of age-verifying certificate or technology. But the legislation was immediately challenged and has gone to the Supreme Court for review twice. And the law is still being debated in a lower court. Thus, almost 10 years after its initial passage, the legislation remains stuck in jurisprudential limbo after endless legal wrangling about its constitutionality.

Incidentally, COPA established an expert Commission on Online Child Protection to study methods for reducing access by minors to harmful material on the Internet. As part of its final report, the COPA commission said that credit card-based age verification would be completely inappropriate for instant messaging and chat, which were the precursors of social networking. The commission found: “This system’s limitations include the fact that some children have access to credit cards, and it is unclear how this system would apply to sites outside the U.S. It is not effective at blocking access to chat, newsgroups, or instant messaging.”

(2) Parents or Guardians Vouching for Minors: Legislation has been floated in a few states, such as North Carolina, that would make it illegal for a minor to maintain an account or webpage on a social networking site “without the permission of the minor’s parent or guardian and without providing such parent or guardian access to such profile web page.” Similar measures were recently introduced in North Carolina and Connecticut that would require social networking sites not only to obtain parental approval but also take steps to verify that they are the actual parents of the child.

This approach will appeal to many because it can be likened to a parent signing a “permission slip” for a child. Unfortunately, parental permission-based approaches are more complicated for online activities. Because websites are far away from the parents, how is the site operator going to ensure that the person vouching for the child’s age is really the parent or even an adult? Would the verifier mail or fax notarized documents? Those documents can be forged, of course. Mandatory follow-up phone calls would be cumbersome, costly, and potentially viewed as intrusive. And the use of credit cards to satisfy the permission requirement might raise some of the same problems already discussed above.

Despite these potential drawbacks, this was the general framework established by the Children’s Online Privacy Protection Act (COPPA) of 1998, which required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods mentioned above to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a recent report to Congress, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

And the marketplace experience with COPPA so far reflects that conclusion. One of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites,” notes Denise G. Tayloe, CEO of Privo, Inc., one of the four FTC-approved safe harbor programs. “As a result, databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says. Parry Aftab of Wired Safety confirms this, noting that: “Preteens quickly learned that if they say they are under thirteen they will be prohibited from using many sites. So they regularly lie about their age everywhere online.”

Despite these flaws, Tayloe argues that COPPA serves an important role. Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that the law “provides a platform to educate parents and kids about privacy.” Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.

Nonetheless, these permission-based verification schemes might work reasonably well for smaller, closed online communities in which the kids and parents are willing to take the time (and expense) to undertake extensive authentication. For example, smaller social networking sites such as ZoeysRoom.com, Imbee.com, ClubPenguin.com, and Tweenland.com have extremely strict enlistment policies, primarily because they target or allow younger users. As Sue Shellenbarger of the Wall Street Journal explains:

The under-16 sites pose few of the hazards linked to networking sites for older people. The activities range from chats and blogging to creating virtual pets or characters and acting out roles in virtual cities. For a child to register, the sites typically require a parent’s email permission, a parental signature on a permission form, or a parent’s credit card verification. Some limit young children’s interchanges to drop down menus of preapproved words and phrases. Most filter content for inappropriate material and employ live adult monitors who ensure that kids’ conversations don’t stray off course. Some limit chats or blog access to participants who are already preapproved and already known to a child’s family.

Ironically, one can probably safely assume that the kids using such services are not in the high-risk group discussed earlier. The parents who use such services are probably doing a fine job of mentoring their kids and don’t really need to resort to such restrictive solutions. Nonetheless, such highly restrictive “walled garden” approaches do provide parents with greater ease of mind. That’s not necessarily because of the strict enlistment policies so much as the extreme limitations on what kids can do on those sites or with whom they can communicate while online.

But regardless of how well the above-mentioned parental consent schemes work in practice for these smaller, more closed online communities–and some experts, like Cardillo, do question how well they actually work–such solutions lack scalability. Schemes that demand laborious and expensive enrollment requirements, or that greatly limit functionality and interactivity after users sign up, will almost certainly not work for larger social networking sites with a massive community of users. The administrative burdens would be significant for both site operators and parents alike. For example, Parry Aftab notes that COPPA has made it much more difficult for some smaller website operators to staff afloat. “The cost of obtaining verifiable parental consent for interactive communications is very high, estimated at more than $45 per child, and even at that price [consent is] difficult to obtain.”

And because users would sacrifice a great deal of autonomy and functionality once online, many would likely rebel against the system or would seek to subvert it in some fashion. If such a system significantly slows or impedes the creation of new accounts for domestic social networking sites, it will create a perverse incentive for kids to seek other sites with less-restrictive policies, including offshore sites.

Conclusion There are many other issues I haven’t mentioned here that deserve consideration. I’ll just check off a few:

• Assuming we go through with this, who is aggregating all this data? Who has access to the databases? How might that data be used?

• Is all this constitutional? Won’t there be First Amendment or privacy cases brought that endlessly complicate implementation?

• Will kids just flock off-shore to unregulated sites in an effort to reclaim some of the independence they have lost through by surrendering anonymity on U.S.-based sites? What are the consequences of that? Do parents or American policymakers really have any leverage over shady websites operators in Antigua?

• Aren’t there better ways to use our resources? How about focusing our time, energy and resources on educating kids about online risks and deal with these concerns in more constructive ways?

You get the point: Age verification is complicated. Insanely complicated. And it would have enormous costs and profound ramifications for the future of online speech and privacy. We must never forget that government regulation–no matter how well-intentioned–can often have such unintended consequences. It’s a lesson that the USA Today and many others need to heed before they flippantly suggest that age verification is a piece of cake and it’s just a matter of MySpace or someone else throwing a switch to magically make it happen.

Not. That. Simple.

This morning in New York City, social networking website operator MySpace.com announced a major joint effort with 49 state Attorneys General aimed at better protecting children online. (Coverage at CNet, NYT and Forbes). At a joint press conference, MySpace and the AGs unveiled a “Joint Statement on Key Principles of Social Networking Safety” involving expanded online safety tools, improved education efforts, and law enforcement cooperation. They also agreed to create an industry-wide Internet Safety Technical Task Force to study online safety tools, including a review of online identity authentication technology. Generally speaking, the agreement is step forward for online safety. Indeed, many of the principles in the agreement could form a potential model “code of conduct” that other social networking sites could adopt. In a report I authored for the Progress & Freedom Foundation in August 2006, I argued that it was vital for companies and trade associations to take steps such as this to avoid the specter of government regulation or censorship:

All companies doing business online… must show policymakers and the general public that they are serious about addressing [online safety] concerns. If companies and trade associations do not step up to the plate and meet this challenge soon—and in a collective fashion—calls will only grow louder for increased government regulation of online speech and activities. What is needed is a voluntary code of conduct for companies doing business online. This code of conduct, or set of industry “best practices,” would be based on a straight-forward set of principles and policies that could be universally adopted by [a] wide variety of operators…

In particular, this code of conduct proposal called for companies to make specific pledges regarding improved online safety tools, expanded education / media literacy efforts, and ongoing assistance to law enforcement regarding investigations of online crimes.

The Agreement

MySpace responded to this challenge in impressive fashion with its announcement today. The agreement touched upon all of those elements and included the following “Principles of Social Networking” (as described in a MySpace press release):

• Site Design and Functionality: The Principles incorporate safety initiatives that MySpace has already implemented and initiatives it will work to implement in the coming months. Examples of safety features MySpace has in place include reviewing every image and video uploaded to the site, reviewing the content of Groups, making the profiles of 14 and 15 year old users automatically private and protecting them from being contacted by adults that they don’t already know in the physical world, and deleting registered sex offenders from MySpace. Examples of improvements MySpace will make include defaulting 16 and 17 year old users’ profiles to private and strengthening the technology that enforces the site’s minimum age of 14.

• Education and Tools for Parents, Educators and Children. The Principles acknowledge that MySpace has already been devoting meaningful resources to Internet safety education including a new online safety public service announcement targeted at parents and free parental software that is under development. MySpace will explore the establishment of a children’s email registry that will empower parents to prevent their children from having access to MySpace or any other social networking site. In addition, under the Principles MySpace will increase its communications with consumers who report a complaint about inappropriate content or activity on the site.

• Law Enforcement Cooperation. The Attorneys General view MySpace’s cooperation with law enforcement, which includes a 24-hour hotline, to be a model for the industry. The parties will continue to work together to enhance the ability of law enforcement officials to investigate and prosecute Internet crimes.

• Online Safety Task Force. As part of the Principles, MySpace will organize, with the support of the Attorneys General, an industry-wide Internet Safety Technical Task Force to develop online safety tools, including a review of identity authentication tools. While existing age verification and identity products are not an effective safety tool for social networking sites, the Task Force will explore all new technologies that can help make users more safe and secure including age verification. The Task Force will include Internet businesses, identity authentication experts, non-profit organizations, academics and technology companies.

The agreement then goes on—in the form of two appendices—to detail over 70 specific steps that MySpace will take to expand upon these principles. As part of the agreement, MySpace agreed to:

• Implement “age locking” for existing profiles such that members will be allowed to change their ages only once above or below the 18 year old threshold. Once changed across this threshold, under 18 members will be locked into the age they provided while 18 and older members will be able to make changes to their age as long as they remain above the 18 threshold. MySpace will implement “age locking” for new profiles such that under 18 members will be locked into the age they provide at sign-up while 18 and older members will be able to make changes to their age as long as they remain above the 18 threshold.

• Users able to restrict friend requests to only those who know their email address or last name. “Friend only” group invite mandatory for 14 and 15 year olds. “Friend only” group invite by default for 16 and 17 years olds. Users under 18 can block all users over 18 from contacting them or viewing their profile. Users over 18 will be limited to search in the school section only for high school students graduating in the current or upcoming year. Users over 18 may designate their profiles as private to users under 18, and users under 18 may designate their profiles as private to users over 18.

• Change the default setting for 16-17 year olds’ profiles from “public” to “private” and create a closed high school section for users under 18. The “private” profile of a 16/17 year old will be viewable only by his/her “friends” and other students from that high school who have been vouched for by another such student. Students attending the same high school will be able to “Browse” for each other.

• Obtain a list of adult sites on an ongoing basis and sever all links to those sites from MySpace. They will also demand that adult entertainment industry performers set their profiles to block access to all under 18 users and remove all under 18 users from profiles of identified adult entertainment industry performers.

And that just scratches the surface. There is much more to the agreement. In fact, it is difficult to imagine how MySpace could have gone any further to satisfy the online safety concerns raised by AGs or other public policymakers. Indeed, some MySpace users will likely protest that some of the changes go too far. That’s especially clear after reading some of the other technical details of the proposal included in the two appendices.

E-Mail Registry

For example, in the technical appendix summarizing the design and functionality initiatives that MySpace has agreed to consider, they say they will pursue a new “children’s e-mail registry”:

[MySpace will] engage a third-party to build and host a registry of email addresses for children under 18. Parents would register their children if they did not want them to have access to MySpace or any other social networking site that uses the registry. A child whose information matches the registry would not be able to register for MySpace membership.

That proposal might raise some eyebrows since it is unclear how that registry would work and what, if any, privacy / security concerns it might raise. Of course, other critics will argue that such a system will be easily circumvented or tricked. After all, how does MySpace know that the person submitting an e-mail is child’s real parent? And what about multiple e-mail accounts? It’s fairly easy to get a free e-mail account these days. But, if the system somehow did work as billed, it would raise serious questions about who has access to that e-mail registry and how secure the database was.

The agreement also contains a number of restrictions on access by minors to specific types of content, or to other users or groups on MySpace. Viewed in isolation, those restrictions seem fairly reasonable—especially those dealing with access by minors to adult areas (ex: “swingers” clubs or the “Romance and Relationship Forum and Groups”). Taken together, however, the growing list of site restrictions might be viewed by many young users as an impediment to their social networking activities. Many parents and policymakers will like the sound of that, of course. But where might those users go if they are frustrated by the growing number of restrictions imposed on their online activities? This is indicative of the difficult position MySpace finds itself into today: They are piling on additional restrictions and safeguards in the name of online safety to satisfy the concerns raised by many parents and policymakers. But if these initiatives impose too many encumbrances on social networking activity and interactions it could undermine the very purpose of the site and its value to members.

This explains why MySpace is eager to get other social networking sites to adopt policies similar to those found in the agreement it struck with the AGs. Obviously, MySpace would prefer not be the only website stuck with these burdens. Moreover, it probably does not want other sites to have an unfair competitive advantage in terms of more lax operating restrictions. Of course, even if every domestic social networking site adopted stricter policies along the lines of what MySpace agreed to, there will always be offshore alternatives for youngsters to choose from. This is the tricky balance that complicates all debates about online child safety today: How do we create sensible online policies without encouraging kids to operate completely surreptitiously in a “digital underground,” especially shady offshore environments?

Age Verification

Generally speaking, however, MySpace struck the right balance with most of the other proposals in the agreement with the AGs, especially considering the pressure they were under from some policymakers to go much further. In that regard, the agreement with the AGs is especially notable for what it does not include: age verification mandates. The call for an Internet Safety Technical Task Force to study online safety methods and identity authentication tools is a sensible alternative to the rush to mandate age verification, which some AGs have been advocating vociferously over the past two years.

Hopefully the task force will provide critical examination of the issue and not simply begin with pre-ordained conclusions about the wisdom or effectiveness of online age verification techniques and technologies. At the press conference announcing the agreement, however, Attorneys General Roy Cooper of North Carolina and Richard Blumenthal of Connecticut seemed to imply that that the goal of the task force would be to develop and implement a full-blown age verification system for the Internet. “We are going to find and develop online identity authentication tools,” said AG Cooper. And AG Blumenthal reiterated an argument he made ad nauseum last year when he argued that, “if we can put a man on the moon” then we ought to be able to verify the ages of people when they go online. [I first heard AG Blumenthal make this argument when I debated him and AG Cooper at a NCMEC conference two years ago. Here’s the summary of my response that day.]

But it’s just not that simple. As I argued in a lengthy PFF study last year entitled, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” there are no silver bullet age verifications solutions. Online authentication is a complicated, multi-faceted technical issue. And, even assuming we could find a way to make it work, there are many other considerations that must be taken into account, such as the burden it might impose on freedom of speech or individual privacy.

The danger, therefore, is that the AGs have preconceived notions about the wisdom and efficacy of age verification mandates, and that they will either seek to stack the deck on the task force with age verification advocates or pressure the task force to adopt mandatory age verification without thoroughly studying the issue. Again, that would be a serious mistake and it would also likely give rise to legal challenges.

Education & Empowerment

The better approach is to focus on other steps that actually will keep kids safe online. As I have argued in my book on Parental Controls and Online Child Protection: A Survey of Tools and Methods, the best solution to online safety concerns is what I call the “3-E Solution: which stands for “education, empowerment, and enforcement.”

Luckily, there’s a great deal of that included in the MySpace agreement with the AGs. MySpace has pledged to “continue to dedicate meaningful resources to convey information to help parents and educators protect children and help younger users enjoy a safer experience on MySpace.” In particular, MySpace will “engage in public service announcements, develop free parental monitoring software, and explore the establishment of a children’s email registry.”

The importance of education initiatives cannot be overstated. Technical solutions, such as those the AGs clearly favor, will always suffer from inherent limitations and will often be circumvented. Education, by contrast, lasts a lifetime. We need to be teaching our kids how to be good cyber-citizens and how to identify and report legitimate online threats (predators, bullies, scam artists, etc). It is my belief that today’s youth are far more savvy and sensible about these threats than most adults or policymakers give them credit for. Nonetheless, it is important to be vigilant about online safety education and etiquette in an attempt to teach kids—especially more “at-risk” youth who might be susceptible to online threats—basic life lessons about sensible cyberspace behavior and interactions.

Conclusion

Despite the handful of concerns raised above, the MySpace agreement serves as a model for what other social networking companies and online operators could do if they wanted to get more serious about promoting Internet safety. MySpace has done about all it can to be responsive to the demands of parents and policymakers.

Of course, it could be true that no matter how much the company does to improve parental control tools or educate the public, some parents may never take advantage of those tools or information. This remains one of the great mysteries of the parental controls debate: Why is it that so many parents say they want more and better controls and strategies, but when they are made available many of them choose not to use them?

Regardless, if for whatever reason, parents are not taking advantage of these tools and options, their inaction should not be used to justify government regulation as a surrogate for household choice / parental responsibility. Parents have been empowered. It is now their responsibility to take advantage of the tools and controls at their disposal to determine what is acceptable in their homes and in the lives of their children.

MySpace should be applauded for its new statement of principles and its impressive efforts to empower and educate both parents and children about online safety while assisting law enforcement when necessary to root out the real bad guys lurking online.

PFF has just released my latest paper entitled “Parental Control Perfection? The Impact of the DVR and VOD Boom on the Debate over TV Content Regulation.” In the report, I focus on the extent to which new video technologies, such as digital video recorders (DVRs) and video on demand (VOD) services, are changing the way households consume media and are helping parents better tailor viewing experiences to their tastes and values. I provide evidence showing the rapid spread of these technologies and discuss how parents are using these tools in their homes. Finally, I argue that these developments will have profound implications for debates over the regulation of video programming. As parents are given the ability to more effectively manage their family’s viewing habits and experiences, it will lessen—if not completely undercut—the need for government intervention on their behalf.

This 16-page report can be found at: http://www.pff.org/issues-pubs/pops/pop14.20DVRboomcontentreg.pdf

As Braden mentioned, we were both down in Raleigh, North Carolina this week testifying at a big hearing on mandatory age verification for social networking sites.

It was quite a heated battle. The legislation, SB 132, was supported at the hearing by North Carolina attorney general Roy Cooper, several of his staff attorneys, a couple of NC senate lawmakers, and some folks from Aristotle, a company that claims it has devised a workable age verification solution for social networking purposes. A vote on the proposal was delayed and we’re still awaiting the final outcome.

Down below, I have attached the outline of my remarks in which I argued that age verification mandates would actually make kids less safe online. Here’s why:

1) Age verification is not synonymous with a background check.

• Are citizens being lead to believe that age verification guarantees them perfectly safe online environments? After all, even if the verification process gets the age part of the equation right, it tells us little else about the person being verified.

• Incidentally, what happens when the parent being verified is a predator using their child to create false credentials? Unfortunately, we know that some predators have children.

• This gets to the primary concern in this debate: The very real potential exists that we are creating solutions that inject a false sense of security in parents and children alike.

2) Even assuming we do not encounter problems with the initial sign-up phase and procedures, questions remain about follow-ups and subsequent validations.

• Will parents be asked to fill out and submit paperwork routinely to verify their identity (or their child’s) on an ongoing basis? Will parents be expected to take phone calls from dozens of social networking sites (or call sites themselves) to continue authorization? Will parents tolerate that?

• If the sign-up and subsequent authentication process proves cumbersome and time-consuming, will this encourage kids to search out less trustworthy “underground” or offshore websites?

• How are we going to regulate those offshore sites? Also, could new regulations drive domestic operators offshore?

• In sum, the sheer scale of the Net and online activities greatly complicate the enforcement of age verification schemes, especially those of the parental permission-based variety.

3) Will age verification mandates encourage the rise of an illegal black market in credentials?

• Will kids share or even sell their online credentials, such as their user name and passwords, to others who desire them?

• Certainly kids won’t just stop trying to get onto social networking sites. Are we going to punish kids (or prosecute their parents) for evasion? And, again, will kids look to offshore sites?

4) There are serious privacy issues at stake here, and those issues could give rise to other problems.

• Requiring all parents to be verified before their children can go online will obviously be seen by some parents as intrusive and a potential violation of their privacy.

• If some parents resist such regulations or refuse to submit to such verifications, what will their kids do? Again, it might encourage kids to seek out false credentials of to visit offshore sites.

• Incidentally, who has access to all this new information about parents and children that the government is requiring that social networking operators collect? Do we want online operators creating massive new databases of information about us or our kids if better alternatives exist?

Bottom line: The inherent danger of age verification regulation is that it: • results in unintended consequences or solutions that don’t solve the problems they were intended to address; • creates a false sense of security that might encourage some youngsters (or adults) to let their guard down while online; and • creates potential incentives to push mainstream social networking sites offshore. No matter how bad parents or policy makers think social networking sites are today—and, in reality, the sites are not nearly as bad as they imagine—those sites are infinitely superior to potentially shady offshore websites that are completely unaccountable to U.S. officials. And the domestic sites are more accountable to the general public and are responsive to press scrutiny.

In sum, there are no silver bullet solutions. Instead, we need a multi-prong, layered strategy…

Better approach to online child safety = The “3-E Solution”: Education, Empowerment, and Enforcement

“Education” refers to not only the need for K-12 information literacy efforts but also, more broadly, to the need for comprehensive online safety instruction and awareness-building efforts. Governments at all levels need to take an aggressive role here.

“Empowerment” refers to the importance of providing parents with more and better tools to make informed decisions about media and communications tools in their lives of their children. Government can facilitate these efforts in partnership with industry and non-profit organizations. For example, helping to make parents more aware of Internet monitoring tools and strategies would be one of the most constructive solutions.

“Enforcement” refers to stepped up law enforcement efforts to find and adequately prosecute child predators. It is essential that law enforcement officials receive the resources and training necessary to adequately monitor online networks for predators and to bring them to justice when they are found. For example, law enforcement agencies need sophisticated computer forensic labs and skilled experts to help investigate online crimes. And they need to be trained to conduct proper sting operations to find predators before they harm our children. Finally, much longer prison sentences are needed for child predation.

[For additional information, please see my March study, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”]

In late March, I hosted a congressional seminar entitled “Age Verification for Social Networking Sites: Is It Possible? And Desirable?” I brought together 5 experts in the field to debate the issue, including:

• John Cardillo, President & CEO, Sentinel
• Jay Chaudhuri, Special Counsel to North Carolina Attorney General Roy Cooper
• Raye Croghan, Vice President, IDology, Inc.
• Tim Lordan, Executive Director, Internet Education Foundation
• Jeff Schmidt, CEO, Authis

It was an outstanding discussion and I’m happy to report that the transcript is now available online here. Also, you can listen to the audio from the event here. Also, you can find the big study of mine that we discussed that day here.

Jennifer Medina of the New York Times penned an article yesterday on the debate over social networking fears leading to calls for age verification mandates. She noted that measures are moving in several states that would require social networking sites to age-verify users before they are allowed to visit the sites or create profiles there. But Medina also noted that there are many difficult questions about how age verification would work and how “social networking” would even be defined. (I summarize these questions in my recent PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”)

Ms. Medina was also kind enough to interview me for the story and she summarizes some of what I had to say in her piece. In a nutshell, I stressed that the most effective way to deal with this problem is to get serious about dealing with sex offenders instead of trying to regulate law-abiding citizens. We need to be locking up convicted sex offenders for a lot longer in this country to make sure they behind bars instead of behind keyboards seeking to prey on our children.

I also stressed the importance of online safety education as part of the strategy here. But my comments on that didn’t make the cut in the story. But you can read my big recent paper on this issue for additional details.

Lisa Lerer of Forbes was nice enough to do a feature story this week about my views on the panic over social networking and the push for age verification of such sites. Her piece is entitled “Why MySpace is a Safe Space,” and begins as follows: “Adam Thierer doesn’t look like much of a revolutionary. But last month he challenged both Washington and conventional wisdom with a fairly radical proposition: Perhaps MySpace and the Internet aren’t so scary for kids, after all.”

I don’t really regard what I’ve been saying in my recent essays or big new PFF study as “revolutionary.” Rather, if you spend any time studying this issue and these sites in a dispassionate, educated way, I think the conclusions I draw seem quite reasonable. Unfortunately, I don’t think many policy makers or critics have spent any serious time on these sites or seriously explored the relative danger of online social networking sites relative to offline social networking places. A classic “moral panic” has developed because of this: An older generation fears a new medium that it does not use or understand.

Anyway, read my discussion with Lisa for more details.

I’m putting the wraps on a big paper on the dangers of mandating age verification for social networking websites. One of the questions I ask in the study is exactly how broadly “social networking sites” will be defined for purposes of regulation? Will chat rooms, hobbyist sites, listservs, instant messaging, video sharing sites, online marketplaces or online multiplayer gaming sites qualify? If so, how will they be policed and how burdensome will age-verification mandates become for smaller sites? Finally, does the government currently have the resources to engage in such policing activities since almost all websites now have a social networking component? I explore these and other questions in my paper.

But now I have another type of site to add to list, and not one that I originally gave much consideration to: online newspapers. Over the weekend, the USA Today relaunched its website, not only to freshen up its look, but also to fundamentally change the ways the site works. According to the editors, the new features of the site will give readers the ability to:

• Scan other news sources directly on USATODAY.com; • See how readers are reacting to stories; • Recommend stories and comments to other readers; • Comment directly on stories; • Participate in discussion forums; • Write reviews (of movies, music and more); • Contribute photos; • Better communicate with USA Today staff.

Other bloggers were quick to note that the newspaper is essentially trying to refashion itself as a social networking site. Some wonder whether a newspaper can really be a social networking site. Others point out that traditional newspaper readers may resist such changes for a variety of reasons. (Don Dodge points out that 92% of reader responses have been negative so far).

But let’s ignore all that for a moment and get back to the question I posed in the title of my post: If USA Today is billing itself as a social networking site–or if others argue that it represents a social networking site–will the company be required to age-verify users before they visit the site?

Well, that depends on how the age verification regs would get written, of course. But one definition has already been suggested under the proposed “Deleting Online Predators Act” (DOPA), which would ban such sites in publicly funded schools and libraries. Under DOPA, “Commercial Social Networking Websites” are defined as any site that: “(a) allows users to create web pages or profiles that provide information about themselves and are available to other users; and (b) offers a mechanism for communication with other users, such as a forum, chat room, email, or instant messenger.”

Keeping that definition in mind, let’s check out some more material from the USA Today’s “Quick Guide to New Features.” Specifically, look at sections on this page about “personal spaces” and “avatars”:

Personal space: When you become a member, we automatically establish a personal profile page. As you interact with the USA Today community, your comments, recommendations and other contributions are automatically appended to your page. Your profile page includes a place for you to upload photos, write a blog, and the ability to send messages to other users. These pages allow readers to get a better sense of the site’s most active contributors. Avatar: Every one of our pages features a spot just for you: up there in the right-hand corner. That’s where you’ll be notified of messages left by other readers. Make yourself at home. Upload a picture of yourself, a funny icon, or choose from our selection of ready-made avatars.

Sounds a heck of lot like a social networking site to me. And if it was defined as such by lawmakers, it could mean that (under DOPA) access to the USA Today would need to be banned in public schools and libraries and that everyone would need to be age-verified before they go on the new USA Today website in their own homes. Welcome to the world of unitended regulatory consequences!

Additional Reading:

“Social Networking Websites & Child Protection: Toward a Rational Dialogue,” by Adam Thierer, Progress & Freedom Foundation Progress Snapshot 2.17, June 2006.

“Is MySpace the Government’s Space?,” by Adam Thierer, Progress & Freedom Foundation Progress Snapshot 2.16, June 2006.