I’ll be heading to Oxford University this week to participate in an Oxford Internet Institute (OII) forum on the subject of “Child Protection, Free Speech and the Internet: Mapping the Territory and Limitations of Common Ground.”  It’s being led by several experts from the OII as well as my good friends John Morris and Leslie Harris of the Center for Democracy & Technology (CDT).  The aims of this forum are:

• To facilitate a dialogue between NGOs campaigning to protect respectively, child protection and children’s rights online, and freedom of speech and other civil liberties online.
• To promote a better understanding of each others’ positions, to share perspectives and information with a view to identifying areas of common ground and areas of disagreement.
• To identify any shared policy goals, and possible tools to support the achievement of those goals.
• To publicize the findings of the forum in international policy debates about Internet governance and regulation.

Conference participants were asked to submit a 2-3 pg summary of their views on a couple of questions that will be discussed at this event.  I have listed those questions, and my answers, down below the fold.  It’s my best attempt to date to succinctly outline my views about how to balance content concerns and free speech issues going forward. 

What is the nature of your interest or experience in this field?

I have spent the last 18 years covering the intersection of child safety concerns and free speech issues at four different think tanks.  In recent years, I have tied together all my research in a constantly updated Progress & Freedom Foundation special report entitled, “Parental Controls & Online Child Protection: A Survey of Tools & Methods.” The 4^th edition of this 250-page report was released in August.

Are there particular values or principles which underlie your work?

The goal of my research has been to explore the tension between free speech and child protection and to identify methods of striking a sensible balance between these two important values.   It is my hope and belief that we are now in a position to more fully empower parents such that government regulation of content and communications will be increasingly unnecessary.

In the past, it was thought to be too difficult for families to enforce their own “household standard” for acceptable content. Thus, many believed government needed to step in and create a baseline “community standard” for the entire citizenry.  Unfortunately, those “community standards” were quite amorphous and sometimes completely arbitrary when enforced through regulatory edicts.  Worse yet, those regulatory standards treated all households as if they had the same tastes or values—which is clearly not the case in most pluralistic societies.

If it is the case that families now have the ability to effectively tailor media consumption and communications choices to their own preferences—that is, to craft their own “household standard”—then the regulatory equation can and should change.  Regulation can no longer be premised on the supposed helplessness of households to deal with content flows if families have been empowered and educated to make content determinations for themselves.  Luckily, that is the world we increasingly live in today. Parents have more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.

Going forward, our goal should be to ensure that parents or guardians have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information.  Optimally, those tools and methods would give them the ability to not only block objectionable materials, but also to more easily find content they feel is appropriate for their families. In my work, I refer to this as the “household empowerment vision.”

Will we ever be able to achieve a world of perfect parental control over all online content and communications?  That is unlikely since both content and technology will continuously evolve and make that goal elusive. But government regulation of speech should yield where less restrictive alternatives such as household-based controls and strategies exist.  Given the value associated with free speech and the danger of government censorship, these alternatives need not be perfect to be preferable to government regulation.

What are the issues/policies or laws which you see as most problematic in terms of creating or illustrating a conflict between online child protection and free speech?

It is essential that policymakers resist the temptation to extend traditional broadcast industry regulatory statutes and standards to new media outlets and digital technologies.  In a world of media convergence and increasing user empowerment, traditional regulatory rationales make increasingly less sense.  Nonetheless, many ongoing social problems and challenges remain to achieving the “household empowerment vision” I outlined above, including:

• The “lack of awareness” problem: Some parents remain unaware of empowerment tools.
• The “bad parent” problem: Some parents don’t use tools even when aware of them.
• The “bad neighbor” problem: “Good” parents fear what happens when their kids visit other kids with more permissive parents.
• The “generation gap” problem: Kids sometimes know more about new digital technologies than their parents.
• The “technological surprise” problem: Rapid emergence and diffusion of new digital technologies can catch some parents by surprise.
• The “bad corporate actor” problem: Most companies self-regulate, but a handful push the boundaries of good taste in ways that create social concerns that reflect on industry generally.
• The “user-generated content” problem: Even when “professional” content can be managed, it is difficult to control “amateur” expression and creations.
• The “peer-on-peer bullying” problem: While many are concerned about predators, the real online safety problem turns out to be cyber-bullying among peers.

Because of these ongoing social challenges or concerns, legal and regulatory proposals will continue to be put forward. But each has serious downsides:

• Future of filtering: Centralized, network-based or decentralized, user-based?  The former creates serious censorship threats, as we see in China and other repressive states. The latter is more consistent with the household empowerment vision.
• Middleman deputization: Should online intermediaries be required to police the Net for various social ills?  If so, as hand-maidens of the state, they could become over-zealous speech regulators.
• Universal content ratings: Can policymakers mandate unified (or “scientific”) content media ratings?  Doing so puts regulators in a position to dictate content standards—for better or worse.  Moreover, this does nothing to address user-generated “amateur” content.
• Mandatory online age / identity verification: Potentially threatens anonymity, privacy, and free speech rights.  Moreover, to the extent “bad guys” continue to get into “secured” environments it creates a false sense of security for parents and kids.
• Expanded data retention: Although it would help facilitate some law enforcement goals, it also gives rise to new privacy and data breach risks.

Might any of these conflicts be avoidable, e.g. through the use of improved legislative instruments or greater clarity and accountability in processes of self-regulation?

For the above reasons, it makes more sense to put our energies into finding new self-regulatory mechanisms, social norms, and user empowerment strategies to solve ongoing social problems instead of focusing on regulatory solutions or mandates.  Instead of providing greater clarity, legislative instruments are more likely to instead create greater ambiguity, or at least uncertainty, for content creators and consumers alike. This is because, as was noted above, “community standards” are notoriously subjective; they are ham-handed attempts to gloss over the diverse needs and values of a diverse citizenry. By contrast, self-regulation, social norms, and empowerment strategies are evolutionary in character and more responsive to differences among cultures and households.

What are the issues where you think there might be most scope for finding some common ground?

In two words: empowerment and education. Because reliance on legislation is perilously difficult and enforcement of regulatory mandates is complicated (and sometimes impossible in an increasingly borderless world), efforts to better empower families and educate both kids and parents offer the most sensible path forward.  All stakeholders involved in child safety and free speech debates can generally agree that empowerment efforts, media literacy programs, awareness-building programs, and so on, are both effective and unobjectionable.

At the international level, are there certain key principles which we ought to be defending above all others?

Because of the “values clash” at the international level, it’s hard to imagine we’ll ever achieve consensus on some of these issues.  Countries vary widely in their sensitivities about speech, making any attempt to devise “universal principles” complicated.  For example, Europeans generally deride America’s prudish ways when it comes to matters of sexuality or “indecency.”  By contrast, most Americans cannot understand European concerns about “hate speech” or violently-themed media.  Meanwhile, governments in many other parts of the world are still busy trying to quell political or religious dissent.  “Harmonization” among those competing cultural norms remains complicated, therefore, and it would be a mistake if international harmonization was accomplished by sacrificing free speech rights for countries and cultures who cherish them.

We often talk about the problem of having all 50 states impose different regulatory requirements on the Internet, with the most restrictive standard effectively applying to all Internet actors.Fortunately, in the U.S. such efforts can be stamped down either by invoking the “Dormant Commerce Clause” (DCC) in court or by passing “preemptive federal regulation.”  (Unfortunately, most who complain about patchwork approaches, both in industry and the advocacy community, usually forget about the DCC and move right to federal legislation.)

But what about the 195 independent countries in the world (to say nothing of their regional/local subdivisions)? What if they each tried regulating Internet activity? Our friends at the Center for Democracy at Technology report on a scary precedent set by a Belgian court in March when it ruled that Belgian law applied to Yahoo! merely because Belgian citizens could access Yahoo! Mail. Thus, the court ruled that Yahoo! violated Belgian law when the company refused to hand over user data in response to an email from a Belgian prosecutor. CDT rightly applauds Yahoo! for insisting that the Belgians “follow established diplomatic and legal processes in order to gain access to user information.” But as the post notes, the really scary prospect is that of one country asserting authority over every site or service on the Internet that can be accessed in their country.

If this precedent stands, it’s likely to cause, at the very least, many companies to limit access to their sites or services by persons from countries with burdensome regulatory approaches. Even if those foreign laws are well-intentioned and laudable—such as efforts to punish fraud (as in the Belgian case) or to crack down on, say, child porn or protect user privacy)—the result could be to balkanize Internet services.  This would be especially unfortunate, given the incredible importance of services that might previously have seemed “un-serious” like Twitter or Facebook as “technologies of freedom.” CDT notes the danger to Internet freedom:

To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

Recall a couple of years ago when I lauded Google – and also picked on them – for making customer data “more anonymous”?

“‘Anonymous’ is correctly regarded as an absolute condition,” I wrote. “Like pregnancy, anonymity is either there or it’s not. Modifying the word with a relative adjective like ‘more’ is a curious use of language.”

The challenge of these concepts – “anonymized” or “de-identified” data – is still around, and it’s still a difficult one.

Here’s a sophisticated take on the question:

Information is increasingly difficult to classify as “identified” or “de-identified,” particularly as it is copied, exchanged, or recombined with other information. With rapidly evolving technologies and databases, it is more appropriate to describe a spectrum of “identifiability,” rather than a binary classification of information as identifiable or not. The question could then become not whether deidentified information might be made re-identifiable, but rather which entities would be able to re-identify the information, how much effort they would have to expend, and what limits are placed on their doing so.

And here’s an advocacy group apparently lacking that sophistication. They treat information as flatly “de-identified” in a legal filing about a New Hampshire law that bans the sale of prescription drug data for marketing purposes:

[T]he Prescription Information Law does not implicate patient privacy. While it purports to protect privacy interests, the statute regulates patient de-identified information.

Here’s the thing: Both quotes were issued by the Center for Democracy and Technology.

The first is from CDT’s filing with the Department of Health and Human Services about the circumstances under which HHS should require health providers to notify patients about a data breach. CDT wants more breach notices, so it argues that information might be pieced together. The concept of “de-identification” is weak.

The second quote is from a CDT legal brief asking the Supreme Court to review (and I believe they would argue to reject) the New Hampshire law. CDT wants the data to be shared, so it argues that the data is “de-identified.”

However, as data is copied, exchanged, or recombined with other information such as payment claims to Medicare and Medicaid, it’s easy to imagine records of doctors’ prescribing practices being used to help piece together patients’ drug-taking habits and health conditions.

Is this mendacity on the part of CDT? I don’t think so. It illustratates how difficult these issues are, even for sophisticated parties. Until more intellectual groundwork is laid, information policy arguments before regulators, lawmakers, and courts will not rest on solid footing. Everyone’s trying their best!

You’re dying to know the right answers, of course: Government-mandated data breach notifications are part of a growing trend toward command-and-control data security. Giving injured parties common law remedies and letting the legal incentives sort things out would be much better. HHS, of all agencies, should not be doing data security.

The New Hampshire law weakens drug comanies’ ability to market to doctors, which deprives them of information that could help them serve patients better. The remote privacy risk to patients when doctors’ prescribing practices are shared should also be handled by common law remedies rather than the state’s regulation, with its attenuated privacy claims. Rather than the U.S. Supreme Court finding a federal trump card, the legislature in New Hampshire should correct its error and maximize the flow of information in the state’s health care system.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

Chris Soghoian has responded to my recent post lauding his Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). We’re agreed in the main on user empowerment. The interesting stuff is on the margin: He disagrees with me that blocking third party cookies as I do (and he does too) is a satisfactory approach to suppressing tracking by advertisers.

There are a couple of points worth making about the discussion.

The first has to do with our slightly differing objectives. Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing – and there are many.

Again, TLF readers, I ask you to try setting your browser to query you before setting cookies. It’s a real insight into the dozens of entities getting a look at you as you surf, including a bunch of social networks and news sites.

If “advertisers” are what you seek to harness, that seems like a group that can be captured through some kind of centralized control mechanism. (I don’t think it actually is.) But if your goal is privacy as against all comers, you don’t attempt to centrally plan or decide who is good and who is bad. Responsibility rests with the end user.

Let the goal be “advertisers,” though. And I ask: Those social networks and news aggregators – are they “advertisers”? If you’re going to require a subset of Web communicators to obey opt-out cookies, you have to be able to define that subset – a problem Chris doesn’t seem to have thought about yet.

Lots of different publishers, sites, and networks have data that is entirely fungible with the tracking data advertisers collect. What do you get if you push down on the “officially advertisers” part of the balloon? Workarounds.

But I’ve backed into the second point – the means to these ends. Chris soft-pedals how he would get at tracking, but as far as I can tell it’s a law that says “advertisers” have to obey opt-out cookies.

Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.

Is it by magic that they “cannot ignore” opt-out cookies? No, it’s by law.

With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.

His hope is to end the “arms race” in which users have to constantly chase the shifting tactics advertisers use to track them. It’s a fair point: There is a constant, rolling change in how the Web is used by publishers, advertisers, and consumers to interact and trade the data each produces.

That is an “arms race” only if you’ve adopted the rigid, war-like stance that tracking by advertisers is inherently wrong. It’s not. Berin and Adam, who have done a lot more work than me on this lately, have done a good write-up of the subtleties. What Chris calls an “arms race” is better thought of as a constantly unfolding negotiation among all parties about the terms of the content-for-advertising bargain.

I believe, as a person who dislikes third-party cookies, that offering them to my computer in the hopes of gleaning some information is not wrong. Some people think it’s horribly wrong. Most people are indifferent.

Who’s right? Everyone and nobody. There doesn’t have to be one answer.

But should the terms of use for the Web be written by a vociferous minority (i.e. Chris) that can’t persuade the public to refuse tracking using the tools available to them? Perhaps the demand for control comes because the public won’t be persuaded.

Now that would be wrong – regulating cookies to force “protection” on a public that could seek it for itself, but won’t. That would deprive “advertisers” – we still don’t know who they are – of freedom and communications channels, it would deny publishers revenues, and it would deny consumers content they want and enjoy.

But let’s talk about arms races. Chris seeks exit from the so-called arms race on the technical and user side in favor of an arms race in the legislative and regulatory world. The law he imagines – so perfect as it resides there in his head – would have to be passed by Congress and implemented by a regulatory agency like the Federal Trade Commission.

Each of these regulatory bodies is under constant, well, “siege” by phalanxes of lobbyists, paid to advocate the views of their clients, including ” advertisers.” There is no realistic hope that Chris’ opt-out cookie law would make it through that in the form he wants. Defining what one means by “advertisers” is a gruesome task, with likely First Amendment problems. Instead of the clean bill Chris imagines, it would be perverted (from Chris’ perspective) by lobbying and special-interest influence. Remember when Congress passed a law alleging it would prevent spam?

Chris would transfer the arms race we’re in now – where consumers are in control, if apathetic – to a field where consumers are not in control and very apathetic, believing that they are protected by the government. This is the approach preferred by victims of the fatal conceit, who think that they can design society better than society can design itself. (Berin has done a terrific job of lambasting the Center for Democracy and Technology for its similarly conceited, blindly pro-regulatory armchair quarterbacking on the online advertising issue.)

Plenty of people dream about regulation that works, of course. The SEC’s failure to protect investors in the Madoff case provides one more example among many where law and regulation failed utterly to protect consumers – and by its existence encouraged their irresponsibility.

It is damaging folly to try protecting consumers from the tracking advertisers do when consumers can just as well protect themselves.

I’ve already laid out my own reactions to Google’s roll-out of an “interest based advertising” (IBA) program here.  In a nutshell, I applauded Google setting a new “gold standard” in user empowerment by providing:

• Notice in their IBA-targeted ads of who’s paying for the ad and the fact that Google is serving it; and 
• A link to a powerful “Ad Preference Manager” that allows users to:
  • See and modify the “digital dossier” (to use the fearmonger’s term) of interests associated with the cookie on their computer; and 
  • Opt-out of tracking for IBA purposes.    

But as I predicted, despite these pro-privacy features (and despite the fact that other major companies such as Yahoo! and Microsoft already have IBA programs), a number of privacy advocacy organizations are attacking Google for daring to enter the IBA (or “online behavioral advertising”) business at all.   I’ll have much more to say about the criticism of Google’s new Ad Preference Manager soon, especially coming from Marc Rotenberg of EPIC (a “disaster“) and Jeff Chester of CDD—precisely the sort of the “paroxysms of privacy hysteria” I predicted.  

But first, the criticism from Ari Schwartz of the Center for Democracy & Technology requires a response today.  At its best, CDT plays a vital role in calling corporations to continually raise the bar on privacy.  My own think tank, the Progress & Freedom Foundation, works closely with CDT on many issues, such as advocating user empowerment through technological means as a constitutionally “less restrictive” way of protecting children than government censorship.

 Here’s what Ari had to say:

[T]he opt-out is based on a failed premise. The truth of the matter is that the industry needs to work together to move beyond the discredited cookie opt-out model….  Google claims to have improved upon the old model by creating a plug-in for users to keep their opt-out cookie while deleting the rest of their cookies. While as a technical matter that may be true, without an industry-wide solution these plug-in options just serve to confuse users about what they need to do to protect themselves. If this plug-in approach catches on, will users need to download a plug-in from every network advertiser and every analytics company to stop the tracking? That model just isn’t sustainable.

Ari is setting up a straw man when he suggests that users are going to have to download a separate plug-in for every ad network.  The obvious solution, as Ari points out, is an industry-wide plug-in. But if it’s so obvious, why can’t CDT just write it themselves?  Indeed, why didn’t they write it years ago?

These aren’t rhetorical questions.  I  really  want to know what would be required to create a plug-in that does what Google’s plug-in does for every other ad network’s opt-out cookie in the Opt-out tool developed by the Network Advertising Initiative (NAI):  Maintain “persistent” user choice by checking to see whether a user has deleted whatever their opt-out cookies and, if so, restoring those cookies.  

CDT will probably insist that, if it’s really so easy to create such an industry-wide plug-in, NAI should have done so years ago.  Maybe so.  Perhaps if the industry had moved faster to innovate in privacy protection, they would be in a stronger position right now politically.  Of course, if the industry moves slowly in this regard, maybe that’s because they’ve got their hands full trying to keep advertising, the economic engine that funds the Internet’s “free” content and services, working-a reality Ari ignores.  Or perhaps it wouldn’t matter:  It seems that no matter what industry might do, it’s just not good enough for Ari.  Under the banner of “Keeping the Internet Open, Innovative and Free,” Ari is in fact leading CDT in a full-on attack on the Internet, pushing for regulation that will make the Internet:

• Less “Open” to competition among service providers and the diversity of voices and choices produced by online content creators who depend on advertising;
• Less “Innovative” in terms of new content, new services, new online personalization technologies, and new advertising business models that could broaden the base of economic support for the entire Internet; and
• Less “Free” both in political terms—“free” from government regulation and controls—and in financial terms—“free” to users because advertisers foot the bill.

CDT ignores these very real costs to crippling online advertising, which will ultimately be borne by the very consumers whom CDT claims to be protecting.  This is precisely why Adam Thierer and I have argued so strongly for a layered approach (and here at page 7) to privacy concerns about online advertising that combines self-regulation and tough FTC enforcement of privacy policies with a recognition that only by empowering individual users to make their own choices can we balance inherently subjective concerns about privacy with the need to fund the Internet’s future:

We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet.  Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers.  If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs. 

Back to the plug-in…  CDT argues that the opt-out cookie system is flawed in respects other than ensuring the persistence of user opt-outs.  We can debate that question.  But I’d just like to get a clear answer once and for all about why CDT hasn’t already developed this plug-in themselves.

Here‘s the NAI opt-out, Ari, and here‘s the code for Google’s plug-in—it’s open source! How much easier could Google have made this for you?  Quit yapping and start coding! 

Since CDT doesn’t seem up to the task, we’ve already modified the Google plug-in to preserve another ad network’s opt-out cookie (download our beta plug-in here) and are currently working to expand the plug-in to work for multiple cookies—which is simply a matter of coding.  We’d welcome help from anyone with experience in writing Firefox plug-ins. 

NAI could (and probably should) do this, themselves.  But if CDT wants to start being philosophically consistent about empowering consumers across in the board —on privacy issues as well as child protection issues—writing this plug-in themselves is a great way to shame the rest of the advertising industry into picking up where Google left off.   I suspect CDT’s failure to do so thus far reflects a crass political calculation that anything they does to empower users to manage their own privacy through technical solutions simply undermines their arguments that only government can protect users—thus weakening their push for regulation.  So much for CDT’s declared mission of “seek[ing] practical solutions to enhance privacy!”