I haven’t been blogging much lately because, along with my PFF colleagues Berin Szoka and Adam Marcus, I’m working on a lengthy paper about the importance of Section 230 to Internet freedom. Section 230 is the sometimes-forgotten portion of the Communications Decency Act of 1996 that shielded Internet Service Providers (ISP) from liability for information posted or published on their systems by users or other third parties. It was enshrined into law with the passage of the historic Telecommunications Act of 1996. Importantly, even though the provisions of the CDA seeking to regulate “indecent” speech on the Internet were struck down as unconstitutional, Sec. 230 was left untouched.

Section 230 of the CDA may be the most important and lasting legacy of the Telecom Act and it is indisputable that it has been remarkably important to the development of the Internet and online free speech and expression in particular. In many ways, Section 230 is the cornerstone of “Internet freedom” in its truest and best sense of the term.

In recent years, however, Sec. 230 has come under fire from some academics, judges, and other lawmakers. Critics raise a variety of complaints — all of which we will be cataloging and addressing in our forthcoming PFF paper. But what unifies most of the criticisms of Sec. 230 is the belief that Internet “middlemen” (which increasingly includes almost any online intermediary, from ISPs, to social networking sites, to search engines, to blogs) should do more to police their networks for potentially “objectionable” or “offensive” content. That could include many things, of course: cyberbullying, online defamation, harassment, privacy concerns, pornography, etc. If the online intermediaries failed to engage in that increased policing role, they would open themselves up to lawsuits and increased liability for the actions of their users.

The common response to such criticisms — and it remains a very good one — is that the alternative approach of strict secondary liability on ISPs and other online intermediaries would have a profound “chilling effect” on online free speech and expression. Indeed, we should not lose sight of what Section 230 has already done to create vibrant, diverse online communities. Brian Holland, a visiting professor at Penn State University’s Dickinson School of Law, has written a brilliant paper that does a wonderful job of doing just that. It’s entitled “In Defense of Online Intermediary Immunity: Facilitating Communities of Modified Exceptionalism” and it can be found on SSRN here. I cannot recommend it highly enough. It is a masterpiece. In the paper, Holland argues that Section 230 has helped give rise to our modern Web 2.0 world and that it “plays a vital role in [the] process of building heterogeneous communities that encourage collaborative production and communication.” Specifically, Holland argues that Sec. 230 immunity allows an online community:

to evolve and structure itself in the most efficient manner. To a limited extent, §230 immunity permits uncoordinated and uncoerced individual choice among different values and among different embodiments of those values. It further allows the intermediary to play an active role in facilitating the market in social norms and in creating enforcement mechanisms as a tool of self-governance. Those enforcement mechanisms can then themselves adapt. This allows not only for the development of distinct community values, but also for a means of tapping into incentives, adapting to evolving norms and conditions, and reducing costs associated with disputes. Within this framework, greater variations in community norms are possible. As communities grow, niche communities are formed at low cost. It… functions as a laboratory for testing social norms and values.

I think that is exactly right. Moreover, reading Professor Holland’s article got me thinking about something my favorite modern political philosopher, the late Harvard University philosophy professor Robert Nozick, said in his brilliant 1974 book, Anarchy, State, and Utopia. In a sense, Section 230 and existing online liability norms have helped foster what Nozick called “a utopia of utopias.”

Because people are all complex and quite different from one another, Nozick argued that, “There is no reason to think that there is one community which will serve as ideal for all people and much reason to think there is not.” Consequently, as a normative matter, it would be preferable for government to allow spontaneous community formation such that individuals can pursue their own interests. Nozick elaborated in the closing chapter of his book as follows:

The conclusion to draw is that there will not be one kind of community existing and one kind of life led in utopia. Utopia will consist of utopias, of many different and divergent communities in which people lead different kinds of lives under different institutions. Some kinds of communities will be more attractive to most than others; communities will wax and wane. People will leave some for others or spend their whole lives in one. Utopia is a framework for utopias, a place where people are at liberty to join together voluntarily to pursue and attempt to realize their own vision of the good life in the ideal community but where no one can impose his own utopian vision upon others.

That last line almost perfectly encapsulates everything that is so wonderful about our modern Web 2.0 world. Netizens are free to pursue their own vision of a good life in a community of their choosing, free from centralized or coerced visions of what “a good life” should entail.

Web 2.0 is Nozick’s utopia of utopias, and Section 230 has been instrumental in fostering and protecting it. We shouldn’t forget that.

I’ve just finished reading Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion, by Hal Abelson, Ken Ledeen, and Harry Lewis, and it’s another title worth adding to your tech policy reading list. The authors survey a broad swath of tech policy territory — privacy, search, encryption, free speech, copyright, spectrum policy — and provide the reader with a wonderful history and technology primer on each topic.

I like the approach and tone they use throughout the book. It is certainly something more than “Internet Policy for Dummies.” It’s more like “Internet Policy for the Educated Layman”: a nice mix of background, policy, and advice. I think Ray Lodato’s Slashdot review gets it generally right in noting that, “Each chapter will alternatively interest you and leave you appalled (and perhaps a little frightened). You will be given the insight to protect yourself a little better, and it provides background for intelligent discussions about the legalities that impact our use of technology.”

Abelson, Ledeen, and Lewis aren’t really seeking to be polemical in this book by advancing a single thesis or worldview. To the extent the book’s chapters are guided by any central theme, it comes in the form of the “two basic morals about technology” they outline in Chapter 1:

The first is that information technology is inherently neither good nor bad — it can be used for good or ill, to free us or to shackle us. Second, new technology brings social change, and change comes with both risks and opportunities. All of us, and all of our public agencies and private institutions, have a say in whether technology will be used for good or ill and whether we will fall prey to its risks or prosper from the opportunities it creates. (p. 14)

Mostly, what they aim to show is that digital technology is reshaping society and, whether we like or it not, we better get used to it — and quick!  “The digital explosion is changing the world as much as printing once did — and some of the changes are catching us unaware, blowing to bits our assumptions about the way the world works… The explosion, and the social disruption that it will create, have barely begun.” (p 3)

In that sense, most chapters discuss how technology and technological change can be both a blessing and a curse, but the authors are generally more optimistic than pessimistic about the impact of the Net and digital technology on our society. What follows is a quick summary of some of the major issues covered in Blown to Bits.

Privacy: In the chapter on privacy, the authors conclude that it is increasingly difficult to bottle up our personal information and protect it and ourselves entirely from the outside world. “Despite the very best efforts, and the most sophisticated technologies, we can not control the spread of our private information. And we often want information to be made public to serve our own, or society’s purposes.” (p. 70) They argue that there still may be some ways to deal with the misuse of information and that some new technologies might be able to help protect our privacy at the margins. Generally speaking, however, this is a losing battle, and, more importantly, there is an increasing tension between privacy and freedom of speech:

A continuing border war is likely to be waged, however, along an existing free speech front: the line separating my right to tell the truth about you from your right not to have that information used against you. In the realm of privacy, the digital explosion has left matters deeply unsettled. (p. 70)

These are issues I discussed in more detail in my recent review of Daniel Solove’s important new book, Understanding Privacy. Abelson, Ledeen, and Lewis are right to point out that these tensions are only going to increase in coming years and their chapter outlines many of the new fault lines in the debate over online privacy.

Encryption: Having followed the “crypto wars” closely in the mid-1990s, I also found their chapter on cryptography intriguing. The authors note that encryption has gone mainstream. “Keys are cheap. Secret messages are everywhere on the Internet. We are all cryptographers now.” Despite that, the authors note that “very little email is encrypted today.” With the exception of some human rights groups and some particularly privacy-sensitive users, most of us are perfectly content to send our e-mails unencrypted. They argue that there are three reasons most people are unconcerned about their e-mail privacy:

First, there is still little awareness of how easily our e-mail can be captured as the packets flow through the Internet. […] Second, there is little concern because most ordinary citizens feel they have little to hide, so why would anyone bother looking? […] Finally, encrypted email is not built into the Internet infrastructure in the way encrypted web browsing is. (p. 191-92)

They continue and conclude:

Overall, the public seems unconcerned about privacy of communication today, and that privacy fervor that permeated the crypto wars a decade ago is nowhere to be seen. In a very real sense, the dystopian predictions of both sides of that debate are being realized: On the one hand, encryption technology is readily available around the world, and people can hide the contents of their messages, just as law-enforcement feared… At the same time, the spread of the Internet has been accompanied by an increase in surveillance, just as the opponents of encryption regulation feared. (p. 193)

Actually, I’m not sure there really was a “privacy fervor that permeated the crypto wars a decade ago.” Many of us who argued passionately for crypto-freedom back then knew it was unlikely that the masses were going to rush right out and start encrypting all their mail the minute the policy battle ended. In reality, most of us live pretty mundane lives and just don’t care enough to go through the hassle of encrypting the random chatter of e-mail. But it was the principle of the matter that counted — the government should never be given the keys to unlock all private communications. That is what we were fighting about in the crypto wars — not the necessity of everyone encyrpting every e-mail they sent.

Importantly, however, the authors correctly note how the truly beneficial result of the fight for crypto-freedom was an explosion of online commerce, facilitated by behind-the-scenes crypto protecting our transactions. Amazon, eBay, and many other e-commerce vendors, both big and small, have prospered because of strong crypto. That was the security blanket many of us needed before we were willing to take the plunge and begin doing most of our shopping and financial transactions online. This is a great public policy success story, and Abelson, Ledeen, and Lewis do a wonderful job relaying it to the reader.

Online Free Speech / Age Verification: As a passionate First Amendment advocate, the chapter on free speech issues was also of great interest to me. The authors run through the early history of efforts to censor online speech, including the Communications Decency Act of 1996 (CDA) and the Child Online Protection Act of 1998 (COPA), and bring us right up to speed with congressional efforts such as the Deleting Online Predators Act (DOPA), which would ban social networking sites and services in publicly funded schools and libraries. “DOPA, which has not passed into law, is the latest battle in a long war between conflicting values,” note the authors. “On the one hand, society has an interest in keeping unwanted information away from children. On the other hand, society as a whole has an interest in maximizing open communication.” (p. 231)

Abelson, Ledeen, and Lewis go on to outline the dangers of online censorship and the importance of defending the First Amendment from new legislative and regulatory attacks, but they would have done well to cite the growing diversity of parental control tools and methods that are now on the market. I share their passion for defending free speech values, but it is equally important we work hard to show parents and policymakers how many effective self-help tools and strategies are out there on the market today to help them guide — or even control — their child’s media and Internet experiences. Not everyone is equally excited about what a world of media abundance offers us, or out children. If we hope to continue to fend off attacks on the First Amendment, we have to make sure parents are empowered to mentor their kids and limit access to content they find objectionable so they don’t expect Uncle Sam to play the role of national nanny.

I was glad to see the authors spend some time focusing on online age verification / identity authentication since that is probably the most important free speech debate raging today. [I’ve written quite a bit here about the battle over online age verification for social networking sites and other online sites.] The authors point out Congress already attempted to impose age verification on the Internet when they passed the Child Online Protection Act in 1998. “The big problem,” the authors note, “was that these methods either didn’t work or didn’t even exist.” (p. 248) Indeed, the effort in COPA to require “adult personal identification numbers” or a “digital certificate that verifies age” was in their words, “basically a plea from Congress for the industry to come up with some technical magic for determining age at a distance.” (p. 248)  And things really haven’t advanced much since then, they argue:

In the state-of-the-art, however, computers can’t reliably tell the if party on the other end of the communications link is a human or is another computer. For a computer to tell whether a human is over or under the age of 17, even imperfectly, would be very hard indeed. Mischievous 15-year-olds could get around any simple screening system that could be used in the home. The Internet just isn’t like a magazine store. (p. 249)

I hope policymakers are listening — especially the many stubborn state attorneys general who continue to push age verification as a silver-bullet solution to online child safety concerns.

Spectrum Policy: The authors point out how the death of media scarcity has profound implications for the future of speech regulation and spectrum policy alike. “As a society,” they argue, “we simply have to confront the reality that our mindset about radio and television is wrong. It has been shaped by decades of the scarcity argument.” (p. 292)  Regarding what it means for speech controls, they note:

If almost anyone can now send information that many people can receive, perhaps the government’s interest in restricting transmissions should be less than what it once was, not greater. In the absence of scarcity, perhaps the government should have no more authority over what gets said on radio and TV than it does over what gets printed in newspapers. (p. 261)

I couldn’t agree more, and I’ve written voluminously on the topic of creating a “consistent First Amendment standard for the Information Age.” Abelson, Ledeen, and Lewis seem to agree with what I said there when they argue:

Other regulation of broadcast words and images should end. Its legal foundation survives no longer in the newly engineered world of information. There are too many ways for the information to reach us. We need to take responsibility for what we see, and what our children are allowed to see. And they must be educated to live in a world of information plenty. (p. 293)

The death of the scarcity doctrine should also have a profound impact on the future spectrum policy decisions, they say. Perhaps scarcity-based rationales for regulation made (some) sense in the past, but:

These were facts of the technology of the time. They were true, but they were contingent truths of engineering. They were never universal laws of physics, and are no longer limitations of technology. Because of engineering innovations over the past 20 years, there is no practically significant “natural limitation” on the number of broadcast stations. Arguments from inevitable scarcity can no longer justify U.S. government denials of the use of the airwaves. The vast regulatory infrastructure, built to rationalize use of the spectrum but much more limited radio technology, has adjusted slowly — as it almost inevitably must: Bureaucracies don’t move as quickly as technological innovators. The FCC tries to anticipate resource needs centrally and far in advance. But technology can cause abrupt changes in supply, and market forces can cause abrupt changes in demand. Central planning works no better for the FCC than it did for the Soviet Union. (p. 272)

I completely agree, although challenging questions remain about how to get us out of the current mess. Abelson, Ledeen, and Lewis argue that “commons-based” approaches make the most sense. I am certainly open to the idea of treating certain swaths of spectrum as a commons, but it’s important to recognize that this does not necessarily get the regulators completely out of the picture. In fact, as my TLF colleague Jerry Brito has persuasively argued, there is the real potential that the FCC could become an aggressive device regulator if we switch to this approach. “A ‘commons’ model is not a third way between regulation and property, it is just another kind of regulation,” Brito concludes. That’s why I continue to believe that a property rights-based approach for most spectrum allocation makes the most sense and will get the spectrum deployed for its most highly-valued use. Commons-based approaches should supplement, not supplant, that model.

Abelson, Ledeen, and Lewis also fail to sweat the details about how to handle the issue of incumbent spectrum users in the transition to their preferred commons-based model. That strikes me as a pretty big problem. They repeatedly mention how incumbents often seek to block beneficial spectrum reforms — which is no doubt true on some occasions — but that doesn’t mean incumbent spectrum holders don’t have legitimate rights in their existing allocations that should be honored. I would hope that, even if they wanted to go with a pure commons approach going forward, the authors would at least be willing to grandfather-in existing spectrum users. If the goal is to encourage them to vacate what they currently have, incentivize them with flexible use and resale rights. For example, for the right price, a lot of broadcast spectrum holders might be willing to give up their current allotment. Alternatively, if flexible use was allowed, they might deploy their spectrum for a different purpose. Unfortunately, both of these options are currently prohibited by the FCC’s command-and-control regulatory system.

Overall, however, I enjoyed the spectrum chapter and found the history and technology primer in this chapter to be the best in the book.

Copyright: The authors have a strongly-worded chapter on copyright that generally argues for relaxing copyright protections. Interestingly, however, (unless I am missing something) I notice they don’t offer their book for free download on their site.  I’m always intrigued by copyright critics who refuse to put their own content online. Apparently, it’s another case of ‘copying is good for me, but not for thee.’ Regardless, in their copyright chapter, they argue that:

The war over copyright and the Internet has been escalating for more than 15 years. It is a spiral of more and more technology that makes it ever easier for more and more people to share more and more information. This explosion is countered by a legislative response that brings more and more acts within the scope of copyright enforcement, subject to punishments that grow ever more severe. Regulation tries to keep pace by banning technology, sometimes even before the technology exists… If we cannot slow the arms race, tomorrow’s casualties may come to include the open Internet and dynamic of innovation that fuels the information revolution. (p. 199)

The authors make a fair point about the perils of banning technologies to protect copyright. That’s never the right answer. Regrettably, however, they pay less attention to what I regard as the legitimate concerns of copyright holders about how to protect their creative works and expressive endeavors going forward. And it’s not just about protecting large-scale industries, as they and other copyright critics are often prone to claim. It’s about whether or not we want a workable copyright system going forward. Of course, some critics wouldn’t mind seeing copyright law fade into the sunset altogether. But Abelson, Ledeen, and Lewis don’t really make it clear how far they’d be willing to go. They do have a brief discussion about collective licensing approaches as a possible solution, which may be coming sooner than we think for the Net. Unfortunately, they don’t spend much time developing the details. I remain skeptical about the sensibility of that approach — especially since it will likely end up being compulsory in nature and fraught with fairness problems (i.e. Who pays in? How much? On the other end, who gets paid how much when their content appears online? etc.) Nonetheless, I think that’s where we’ll end up before the copyright wars are over, so it would have been nice to see the authors spend more time on collective licensing issues.

They also spend a lot of time discussing DRM. I was surprised by their comment that, “Developers of DRM and trusted platforms may be creating effective technologies to control the use of information, but no one has yet devised effective methods to circumscribe the limits of that control.” (p. 212) I must say, that does not seem to match up with the reality of the market we see around us today in which DRM systems are rapidly crumbling and being abandoned left and right.

Conclusion

I didn’t agree with everything in Blown to Bits, such as their unfortunate call for Net neutrality regulation. Overall, however, I enjoyed the book and recommend it. The narrative can be a little disjointed at times, almost sounding like a series of e-mail exchanges between friends (which may have been the case since the book had three authors). But the text is very accessible and contains a great deal of useful information to bring you up to speed on the hottest tech policy debates under the sun. If the authors are smart, they’ll throw the book online and update it periodically to keep it fresh. As I have found with my parental controls and Media Metrics reports, that’s the only way to keep up with the frantic pace of change in the tech policy arena — version your books like software and release periodic updates.

This book will definitely appear on my big, end-of-year “Most Important Tech Policy Books of 2008” list, which I should have wrapped up shortly. Also, I think this book makes a nice complement to Palfrey and Gasser’s Born Digital, which I reviewed here last month. And, if you are interested in another title that takes an approach similar to what Abelson, Ledeen, and Lewis have taken here, you might want to check out Bruce Owen’s outstanding 1999 book “The Internet Challenge to Television.” It’s an oldy but a goodie, as I noted here.

Finally, given the title of the book and the countless times in the text that Abelson, Ledeen, and Lewis talk about the “bits revolution,” how “bits are bits,” and how “bits behave strangely,” shockingly, they never seem to get around to crediting Nicholas Negroponte for his pioneering work on this front in Being Digital. Long before anybody else gave a damn about how the movement from a world of atoms to a world bits would change our entire existence, Nicholas Negroponte was preaching that gospel to the unconverted. And considering he was saying all that back in the dark (dial-up) ages of 1995, the man deserves some credit, as I have noted here before.

In a big post two months ago entitled “Age Verification Debate Continues; Schools Now at Center of Discussion,” I noted that there has been an important shift in the age verification debate: Schools and school records are increasingly being viewed as the primary mechanism to facilitate online identity authentication transactions. I pointed out that this raises two very serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?

Brad Stone of the New York Times has just posted an important article with relevance to this debate. In it, he points out that:

performing so-called age verification for children is fraught with challenges. The kinds of publicly available data that Web companies use to confirm the identities of adults, like their credit card or Social Security numbers, are either not available for minors or are restricted by federal privacy laws. Nevertheless, over the last year, at least two dozen companies have sprung up with systems they claim will solve the problem. Surprisingly, their work is proving controversial and even downright unpopular among the very people who spend their days worrying about the well-being of children on the Web. Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat — the menace of online sex predators — with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.

Stone highlights the efforts of eGuardian, a California company that, “asks a parent to submit the birth date, address, school and gender of a child, then it asks schools to confirm the information.”

Over the last year, eGuardian has been approaching schools, primarily in California, and offering them the entire $29 sign-up fee when they persuade parents to sign up their children. EGuardian’s real money-making hope — and this is what makes [Nancy] Willard nervous — is to have Web sites pay a commission for each eGuardian member. The Web site can then use the data on each child to tailor its advertising.

Nancy Willard, one of America’s leading online child safety experts, is the executive director of the Center for Safe and Responsible Internet Use, and the author of the outstanding book, Cyber-Safe Kids, Cyber-Savvy Teens. The concern she raised with Brad Stone is that “Age verification companies are selling parents on the premise that they can protect the safety of children online, and then they are using this information for market profiling and targeted advertising.” Basically, companies like eGuardian give the software to schools or parents and then hope to make it back through targeted advertising. According to Stone’s article, “EGuardian’s real money-making hope — and this is what makes Ms. Willard nervous — is to have Web sites pay a commission for each eGuardian member. The Web site can then use the data on each child to tailor its advertising.”

I’m not quite as concerned about the advertising / marketing issue as Nancy Willard, but I am equally disturbed about the prospect of using schools as online age verification agents– or partnering with others to make that happen. I apologize for quoting myself at length on this point, but here’s how I stated my concerns before:

[I]nvolving schools in any age verification scheme would raise serious privacy concerns and administrative problems. Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated? Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously. Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents. But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves). Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward. […] Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

Interestingly, Richard Blumenthal, the attorney general of Connecticut, who has been one of the leading proponents of age verification, told Brad Stone that the privacy issues raised by Willard and others are now on his radar screen:

“The attorneys general would be very concerned about using age verification to promote marketing or any other kinds of promotional pitches or gimmicks aimed at specific age groups,” he said. “Targeted marketing may have its place, but it should not be coupled with the issue of childhood safety.”

That’s good to hear. But I hope Mr. Blumenthal and the other AGs realize that that is just one of many reasons to be concerned about mandatory online age verification, especially if it involved schools as age verification agents. It has troubling implications for schools, kids, parents, free speech, online anonymity, privacy rights, and much more. Most importantly, as I made clear here, it remains highly unlikely that online age verification would actually do anything to really keep kids safer online. In sum, the costs far outweight the benefits when it comes to mandatory age verification.

Good editorial in the Boston Globe today about “The Dangers of Internet Censorship” by Harry Lewis, a professor of computer science at Harvard and fellow at Harvard’s Berkman Center for Internet and Society. Lewis argues that:

Determining which ideas are “harmful” is not the government’s job. Parents should judge what information their children should see – and should expect that older children will, as they always have, find ways around restrictive rules.

Worth reading the whole thing. Incidentally, Harry Lewis is the co-author of an interesting new book I am reading right now, Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion. I’m going to try to review it here eventually.

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies.  In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.”  [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

• There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
• First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
• Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
• It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
• It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

How We Could Verify Kids, and Why We Should Not Do It

Let’s assume that we want to achieve AG Blumenthal’s “man-on-the-moon” dream of verifying all kids before they go online. How would we do it?  There are really only two solutions: (1) full-blown national ID cards for kids, or (2) tapping school records about kids to somehow age-verify kids (sort of a “National ID card-Lite” scheme).

National ID Cards for Kids

The first scheme is fairly straightforward, but incredibly frightening to those of us who care about civil liberties. Basically, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others — including social networking sites — as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children.  Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into  collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Using the Schools to Help Verify Kids

So, let’s work from the assumption that National ID cards for kids is not going to fly as an online identity authentication solution.  The only other realistic scheme would involve getting the schools involved in the process.  Why?  Because to paraphrase Willy Sutton: “That’s where the data is.”  Schools have more information about our children than probably every other institution or organization combined.  They have very detailed records about kids, their ages and much more, which makes schools a logical candidate for participation in a possible age verification system for minors.  But involving schools in any age verification scheme would raise serious privacy concerns and administrative problems.

Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated?

Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously.

Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents.

But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves).

Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward.  Incidentally, no one from the educational community was present at Harvard this week as these proposals were flying.  Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

How about Parental Permission Slips for Online Verification?

Another potential way to go about online verification is to avoid verifying the kids directly and instead just verify parents (or guardians) and then get them to vouch for their children.  Some age verification advocates are now calling for such parental consent-based forms of child verification.  Specifically, they are now attempting to drive regulation through the prism of the Children’s Online Privacy Protection Act (COPPA) of 1998.

By way of background, COPPA required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. Generally speaking, the goal was to make sure that such websites were not collecting personal information about children without getting parental permission. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a February 2007 report to Congress about the status of the COPPA and its enforcement, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

Nonetheless, what should be evident here is that COPPA’s parental consent framework could serve as a vehicle for pushing through greater regulation of all social networking sites, not just those sites geared toward kids under 13.   Indeed, we have already seen that proposed at the state level.  For example, in the debate that took place over age verification in the North Carolina statehouse last summer, a parental permission-based verification proposal supported by North Carolina Attorney General Roy Cooper was billed as a way to strengthen and expand the COPPA framework.  (Never mind the fact that COPPA is a federal statute, or that the state of North Carolina is likely barred from regulating Internet speech and commerce thanks to the First Amendment and the Commerce Clause of the Constitution!)

In other words, future age verification mandates could arrive in the form of COPPA amendments, or at least cite COPPA’s regulatory framework as precedent.  Specifically, the proposal would be to: (a) extend COPPA’s coverage to kids up to the age of 18 and then (b) broaden the range of SNS sites that are covered by its parental consent requirements.

There are many problems associated with such a proposal, and I will get to some of them in a moment. But here’s the more interesting question that few have asked: Is COPPA really working?  It is very much unclear to me that COPPA actually works as billed, but to the extent it does, it is likely because of the very limited scale and nature of the operations it covers.  As I have said in my past writing on the issue, there is a direct relationship between the size of a site and the likelihood of success in attempting to verify its users / members. Of course, that is hardly surprising.  But let’s get a little more concrete about why that is important.  Here are the two reasons that I believe the COPPA / parental consent regime has generally worked so far, or at least hasn’t failed miserably:

(1) Many smaller sites charge a fee for admission; and

(2) The functionality of those sites is usually tightly limited. They are closed, walled gardens.

Regarding the first point: Obviously, the more a site charges for access, the more likely it is that the parent / guardian pays attention to what their kid is doing.  Of course, that doesn’t mean a bad guy couldn’t still get into those “verified” environments under false pretenses.  And there’s the problem of minors with access to credit cards.  Moreover, even assuming credit cards worked as an age verification method, there is the more practical question of whether lawmakers have the guts to mandate that every social networking site in the land start charging admission for access.  Since almost all SNSs are free-of-charge today, that is not going to be a very popular mandate!

Nonetheless, for very small, niche-oriented social networking sites geared toward younger kids, credit cards and fees are part of the reason people think COPPA has “worked.”  In essence, it acts as a bit of a roadblock or hassle thrown in the way of access, and that gets parents thinking and talking to the kids about those sites. That is the argument put forward by Denise Tayloe of Privo, one of the four FTC-approved COPPA safe harbor providers.   Ironically, Tayloe has noted that one of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites. As a result,” she notes, “databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says.

Despite these problems, Tayloe argues that COPPA serves an important role.  Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that COPPA “provides a platform to educate parents and kids about privacy.”  Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.  And we don’t really have any idea what level of parent-child interaction COPPA incentivizes.  More importantly, we don’t really have any good data regarding the accuracy of claims made pursuant to COPPA’s requirements regarding the relationship between parents and the kids seeking access to the site.  How many people (kids or adults) were able to gain access under false pretenses? We don’t know.

Nonetheless, the operating assumption here is that by creating an added economic hurdle or barrier to entry (in the form of the hassle of filling out paperwork or forms), COPPA gets some parents (perhaps most?) to put more thought into what their kids are doing online, and that somehow improves online safety in larger scheme of things.  The problem is that that does not necessarily mean that their kids are operating in perfectly “secure” or “verified” environments.  The danger is that – to the extent some “bad guys” are getting on those sites under false pretenses – kids and parents may fall prey to a false sense of security after they are told the site is COPPA-verified.  Of course, COPPA wasn’t put on the books to keep “bad guys” away from kids online; it was about keeping site operators from collecting personal information about kids.

The second reason COPPA has “worked” to a limited degree is that SNS sites geared toward younger kids tightly limit functionality.  In essence, the site administrators “cripple” the sort of functionality we find in SNS sites geared toward older kids.  That fact alone makes these sites far less likely to be subject to fraudulent entry or dangerous interactions.   If I am an older teen or a pervert, why would I ever want to gain access to a site that has nothing more than drop-down menus and a few buttons to click on when interacting with others?  Thus, the primary reason that kids are likely safer in those environments has almost nothing to do with COPPA’s parental consent mechanisms and almost everything to do with the fact that most of the sites it covers are tightly controlled walled gardens with very limited functionality.

With these facts in mind, let’s gets back to the ultimate question: What would happen if we tried to apply COPPA to all social networking sites for kids of all ages? The threshold question that would need to be answered remains the same as it does today: How do we verify the parent-child relationship when someone asserts they are the parent or guardian?  That’s a very thorny question.  But let me just list out the many other questions that everyone is overlooking here:

(1) What sort of mechanisms will need to be put in place to guarantee that the parent or guardian is who they claim to be (for both initial enrollment and subsequent visit authentication)?  Sign-and-fax forms can be easily forged, so credit cards (and perhaps mandatory user fees) will likely become the default solution. A third method, follow-up phone calls, just doesn’t seem practical.  But might lawmakers demand a mix of all of the above?

(2) Regardless, how burdensome will those mandates be for parents / guardians?

(3) And how burdensome will those mandates be for SNS site operators? What kind of compliance costs / legal penalties are we talking about?

(4) Will the barriers to site enrollment become economic in character such that it requires previously free social networking sites to charge admission?

(5) If so, could that be a disadvantage to low-income families / youth?

(6) If compliance costs go through the roof for SNS sites, will this be a recipe for massive industry consolidation in order to comply with the mandates?

(7) Who is collecting the massive databases of information created by such a mandate for all SNS? Who has access to that data? What might government use it for?

(8) Will this new regime be applicable to offshore sites? And will kids flock to offshore sites as a result of such mandates on domestic sites? If some do, how will we stop them?

And so on.  Bottom line: The future of age verification battles will likely be increasingly tied up with COPPA and the question of how well parental permission-based forms of authentication might work. It is unlikely, however, that such a framework could be easily applied on “Internet scale.”  There is a world of difference between something like Disney’s “Club Penguin” and MySpace, Xanga or Bebo.  And with social networking capabilities being integrated into every site and service these days — from CNN.com to Microsoft’s Xbox Live service — one wonders how that will magnify the compliance costs and hassles for all involved.  Are parents really going to be expected to verify themselves and then their kids for every “social networking site” their kids want to visit?  That seems unnecessary, unworkable, and potentially counter-productive.

Finally, the irony of a proposal to expand COPPA in this fashion is that lawmakers would be using a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents!  It’s important we not overlook the privacy implications of any effort to expand COPPA to do something it was not originally intended to cover.

Conclusion

It will likely be very difficult for the Technical Task Force to reach consensus on these controversial and complicated issues.  There are many challenging technical, legal, and even philosophical issue in play here.  The problem is that this Task Force is charged with looking at technical solutions and yet most child safety advocates and academics on the Task Force are of the mind that technical solutions are only one part — and probably the smallest part — of the sort of “layered solution” to online child safety that I describe in my book on “Parental Controls and Online Child Protection.” As I argue in that book:

“the best answer to the problem of unwanted media exposure or contact with others is for parents to rely on a mix of technological controls, informal household media rules, and, most importantly, education and media literacy efforts.”

In sum, we need to get serious about talking to our kids about online safety and proper online behavior. Education is the key, and government has a major role to play in that regard in the classroom and through awareness-building efforts. And technical tools that empower parents to better monitor and guide their child’s online experiences can help too. Social networking sites and other online service providers can offer more of those tools and also take additional steps to improve the safety of their sites and encourage a dialog about appropriate and inappropriate online behavior. Again, it’s a multi-layered effort with education and communication at the core of the plan.

It’s not like I am saying anything new here. Indeed, that layered approach was the recommended approach of two previous online safety blue ribbon task force efforts: The 2000 COPA Commission and the 2002 National Academy of Sciences “Thornburgh Commission.” And every major book about online child safety published over the last 5 years has come to the same conclusion.

But that is not likely going to be enough for state attorneys general. There is no other way for me to state this than to just come right out and say it: The AGs are looking for a silver-bullet technical solution to a complex problem they do not fully understand.  And age verification schemes are the technical bullet du jour.

Alas, for all the reasons I have stated here and elsewhere, age verification schemes are likely to fail miserably.  Even if age verification systems worked as billed, it is unlikely that kids would really be any better off.  All the academic research in this field points to a single, inescapable conclusion: The primary danger to kids online is not adult predators, it is other kids.  In particular, it is peer-on-peer harassment and cyber-bullying.   As parents and a society, we have to do more — a lot more — to address that problem.

Age verification schemes, however, aren’t going to help us solve that problem.  Worse yet, by creating the illusion of safety, it could compromise our children’s privacy in the process and create a false sense of security when kids or their parents come to believe they are operating in “trusted” online environments.  For the sake of our children, it is essential we not fall prey to such a fatal conceit.

[Note: You might want to first read my review of Jonathan Zittrain’s book to give this essay some context.]

Jonathan Zittrain must have been smiling as he read Leander Kahney’s excellent Wired cover story this month, “How Apple Got Everything Right By Doing Everything Wrong.” In a sense, the article vindicates Zittrain’s thesis in The Future of the Internet–And How to Stop It. Again, in his provocative book, Zittrain argues that, for a variety of reasons, the glorious days of the generative, open Internet and general-purpose PCs are supposedly giving way to closed networks and a world of what he contemptuously calls “sterile, tethered devices.” And Apple products such as the iPhone, the iPod, and iTunes serve as prime examples of the troubling world that await us. And Kahney’s article confirms that Apple is every bit as closed and insular as Zittrain suggests. Kahney nicely contrasts Apple with Google, a company that “embraces openness,” trusts “the wisdom of crowds,” and has its famous “Don’t be evil” philosophy:

It’s ironic, then, that one of the Valley’s most successful companies ignored all of these tenets. Google and Apple may have a friendly relationship — Google CEO Eric Schmidt sits on Apple’s board, after all — but by Google’s definition, Apple is irredeemably evil, behaving more like an old-fashioned industrial titan than a different-thinking business of the future. Apple operates with a level of secrecy that makes Thomas Pynchon look like Paris Hilton. It locks consumers into a proprietary ecosystem. And as for treating employees like gods? Yeah, Apple doesn’t do that either.

On the other hand, Kahney’s article serves as vindication of my response to Zittrain’s book since the article illustrates how, despite breaking all the typical rules of Silicon Valley, the company is more successful than ever and has legions of happy customers. Again, in my review of his book, I argued that there is no reason that we can’t have the best of both worlds. Much of the time, “open” systems produce the best results. Other times, more closed, proprietary models give rise to great products. Today’s digital marketplace is full of wonderful devices and services of both flavors. Apple’s success proves that point, as Kahney’s Wired article shows:

by deliberately flouting the Google mantra, Apple has thrived. When Jobs retook the helm in 1997, the company was struggling to survive. Today it has a market cap of $105 billion, placing it ahead of Dell and behind Intel. Its iPod commands 70 percent of the MP3 player market. Four billion songs have been purchased from iTunes. The iPhone is reshaping the entire wireless industry. Even the underdog Mac operating system has begun to nibble into Windows’ once-unassailable dominance; last year, its share of the US market topped 6 percent, more than double its portion in 2003. It’s hard to see how any of this would have happened had Jobs hewed to the standard touchy-feely philosophies of Silicon Valley. Apple creates must-have products the old-fashioned way: by locking the doors and sweating and bleeding until something emerges perfectly formed. It’s hard to see the Mac OS and the iPhone coming out of the same design-by-committee process that produced Microsoft Vista or Dell’s Pocket DJ music player. Likewise, had Apple opened its iTunes-iPod juggernaut to outside developers, the company would have risked turning its uniquely integrated service into a hodgepodge of independent applications — kind of like the rest of the Internet, come to think of it.

Importantly, it’s not just that Apple has thrived, it’s that consumers have loved their products to the point that there is a sort of “cult of Apple” out there. I should make clear that I am no Apple fanboy. As my TLF colleagues Tim Lee and Jerry Brito can attest, I am constantly making fun of them for their love of Apple products. I am willing to deal with the warts associated with the PC environment because I love the more open-ended nature of it. That being said, there are times when I have to swallow my pride and admit to Tim and Jerry that, in many ways, their Apple products are superior to my PC and Windows-based toys. It’s impossible to spend a few minutes with the iPhone or the latest iPods and Macs and not fall in love with those devices and their interfaces. They are truly spectacular. Thus, as Kahney’s article makes clear, whether you love him or hate him, you have to admit that Jobs is on to something:

No other company has proven as adept at giving customers what they want before they know they want it. Undoubtedly, this is due to Jobs’ unique creative vision. But it’s also a function of his management practices. By exerting unrelenting control over his employees, his image, and even his customers, Jobs exerts unrelenting control over his products and how they’re used. And in a consumer-focused tech industry, the products are what matter.

Indeed they are. And even though Zittrain labels Apple’s products “sterile and tethered,” there is no doubt that the company’s approach has produced some wonderful results. Personally, they are not for me since I prefer all those “general purpose” devices that Zittrain lionizes. But, again, we can have both. Let Steve Jobs be a control freak and keep those walls around Apple’s digital garden high and tight if he wants. There are plenty of other wide open gardens for the rest of us to play in.