Here’s a new animated explainer video that I narrated for the Federalist Society’s Regulatory Transparency Project. The 3-minute video discusses how earlier “tech giants” rose and fell as technological innovation and new competition sent them off to what the New York Times once appropriately called “The Hall of Fallen Giants.” It’s a continuing testament to the power of “creative destruction” to upend and reorder markets, even as many pundits insist that there’s no possibility change can happen.

This is an important lesson for us to remember today, as I noted in the recent editorial for The Hill about why, “Open-ended antitrust is an innovation killer“:

Those who worry about today’s largest tech giants becoming supposedly unassailable monopolies should consider how similar fears were expressed not so long ago about other tech titans, many of which we laugh about today. Just 14 years ago, headlines proclaimed that “MySpace Is a Natural Monopoly,” and asked, “Will MySpace Ever Lose Its Monopoly?” We all know how that “monopoly” ceased to exist. At the same time, pundits insisted “Apple should pull the plug on the iPhone,” since “there is no likelihood that Apple can be successful in a business this competitive.” The smartphone market of that era was viewed as completely under the control of BlackBerry, Palm, Motorola and Nokia. A few years prior to that, critics lambasted the merger of AOL and TimeWarner as a new corporate “Big Brother” that would decimate digital diversity and online competition.

Accordingly, policymakers should be humble and recognize that, “it’s better to let rivalry and innovation emerge organically,” and only bring in the wrecking ball of heavy-handed antitrust regulation as a last resort, I argued. Technological change and entrepreneurialism has a way of upending and reordering markets when we least expect it. Just ask all those members of the Hall of Fallen Giants.

Alice Marwick, assistant professor of communication and media studies at Fordham University, discusses her newly-released book, Status Update: Celebrity, Publicity, and Branding in the Social Media Age. Marwick reflects on her interviews with Silicon Valley entrepreneurs, technology journalists, and venture capitalists to show how social media affects social dynamics and digital culture. Marwick answers questions such as: Does “status conscious” take on a new meaning in the age of social media? Is the public using social media the way the platforms’ creators intended? How do you quantify the value of online social interactions? Are social media users becoming more self-censoring or more transparent about what they share? What’s the difference between self-branding and becoming a micro-celebrity? She also shares her advice for how to make Twitter, Tumblr, Instagram and other platforms more beneficial for you.

Download

Related Links

• Status Update: Celebrity, Publicity, and Branding in the Social Media Age, Marwick
• Engineered Performances Alice E. Marwick’s ‘Status Update’, The New York Times
• Biography, Marwick

David Garcia, post doctoral researcher at the Swiss Federal Institute of Technology and co-author of Social Resilience in Online Communities: The Autopsy of Friendster, discusses the concept of social resilience and how online communities, like Facebook and Friendster, withstand changes in their environment.

Garcia’s paper examines one of the first online social networking sites, Friendster, and analyzes its post-mortem data to learn why users abandoned it.

Garcia goes on to explain how opportunity cost and cost benefit analysis can affect a user’s decision whether or not to remain in an online community.

Download

Related Links

• Social Resilience in Online Communities: The Autopsy of Friendster, Garcia, Mavrodiev, Schweitzer
• An autopsy of a dead social network, The Physics arXiV Blog
• Researchers conduct ‘autopsy’ of dead social network Friendster, Solon

In this new Money Morning article, “The Antitrust Curse: What Apple Can Learn From Microsoft, IBM,”  David Zeiler wonders whether the antitrust lawsuit filed against Apple and several book publishers by the U.S. Department of Justice last week could open the door to a broader case against Apple or, at a minimum, simply become a major distraction to the firm and it’s ability to innovate going forward. He uses IBM and Microsoft as case studies in this regard and notes that, “the problem with being in the DOJ’s gunsight is that it distracts management, makes the company hesitant to innovate, and blemishes the company’s public image.  While antitrust woes may not have been entirely responsible for Microsoft and IBM ceding their dominant positions in tech, they were clearly a major factor,” he says. “And worse for Apple, the e-book case could be just the beginning.”

Quite right. I raised the same concern in my recent Forbes column,”Regulatory, Antitrust and Disruptive Risks Threaten Apple’s Empire,” which Zeiler was kind enough to quote in his essay. In that piece, I argued:

Even if Apple beats back [the eBooks] investigation, broader questions are being raised about the company’s power that could invite a much broader investigation. The danger for Apple is that antitrust becomes an omnipresent threat that must be factored into all ongoing business decisions. Antitrust is a particular danger to Apple because the firm is highly vertically integrated and that integration is the source of many of their innovations.  As earlier tech titans like IBM and Microsoft learned, when antitrust hangs like the Sword of Damocles, every decision about how to evolve and innovate becomes a calculated gamble.

Regarding the earlier impact that antitrust Sword of Damocles had on Microsoft, Zeiler unearthed this terrific 2005 quote from Mark Kroese, a general manager of information services at the Microsoft Network, who described the impact of the MS antitrust case on innovation at the firm as follows: “Working at Microsoft today vs. five years ago is different,” Kroese said. “If anyone thinks the antitrust case hasn’t slowed us down, you’re wrong. If I want to meet with a products manager for Windows, there needs to be three lawyers in the room. We have to be so careful, we err on the side of caution. We are on such a fine line of conduct.” Regarding how antitrust chilled IBM, Zeiler cites veteran tech journalist Steve Wildstrom of Tech.pinions who noted,  “Twelve years of litigation were an enormous distraction in a time of rapid technological and business change. IBM management became cautious and over-lawyered, constantly looking over its shoulder-a condition that persisted for years after the case ended. The antitrust case was almost certainly a major cause of the serious decline of IBM in the late 1980s and early 90s,” Wildstrom said.

Of course, it is impossible to scientifically determine to what degree antitrust harassment contributed to either IBM or Microsoft’s inability to innovate and adapt to the rapidly changing market conditions. And let’s be clear: both IBM and MS have found ways to rebound and innovate in other ways. But one wonders what was lost in the process as the threat of antitrust constantly loomed and potentially chilled innovative efforts that could have kept both firms on the cutting-edge.

It’s not just Apple that faces similar threats today. Google is obviously another company increasingly mentioned as an antitrust target. Commenting of the dangers of a potential case against Google, Bernstein Research senior analyst Carlos Kirjner argues that “even if regulatory proceedings come to naught, the process has the potential, in the most extreme circumstances, to consume so much of the company’s energy that it can lead to important strategic missteps: many believe that Microsoft missed the boat on the Internet, and IBM on the importance of the personal computer, in large part because their management teams were focused on defending against the DoJ’s antitrust efforts.”

The better approach to disciplining tech firms and markets is to rely less on intervention and more on Schumpeter’s “perennial gales of creative destruction,” which are blowing harder than ever in our modern high-tech economy. In markets built largely upon binary code and governed by Moore’s Law, the pace and nature of change has become hyper-Schumpeterian: unrelenting and utterly unpredictable. Innovative risk-takers are constantly shaking things up and displacing yesterday’s lumbering, lethargic giants. Just ask some of the players that have been largely left in the dust, including AOL, AltaVista, MySpace, Palm, and others. Of course, there’s my favorite recent case study: Research In Motion’s BlackBerry smartphone.  As I noted in my recent column, “Bye Bye BlackBerry. How Long Will Apple Last?” BlackBerry was virtually synonymous with “smartphones” and was considered one of the tech titans that seemed destined to dominate for many years to come. But now the BlackBerry’s days appear numbered and its parent company Research In Motion Ltd. is struggling for its very survival.

Too many tech industry pundits today ignore these dynamic realities and instead rely a myopic analytical approach to the information economy that is fundamentally static in character. Many static equilibrium scholars in both the legal and economic profession tend to adopt a snapshot view of markets and innovation. Such critics often express an overly nostalgic view of the technological past while adopting an excessively gloomy view of the present and the chances for future progress.

But, a la Schumpeter, modern tech markets are highly dynamic. There is no static end-state, “perfect competition,” or “market equilibrium” in today’s information technology marketplace. Change and innovation are chaotic, non-linear, and paradigm-shattering. Schumpeter said it best long ago when he noted how, “in capitalist reality as distinguished from its textbook picture, it is not [perfect] competition which counts but the competition from the new commodity, the new technology, the new source of supply, the new type of organization… competition which commands a decisive cost or quality advantage and which strikes not at the margins of the profits and the outputs of the existing firms but at their foundations and their very lives. This kind of competition is as much more effective than the other,” he argued, because the “ever-present threat” of dynamic, disruptive change “disciplines before it attacks.”

By contrast, the static equilibrium mindset is myopically fixated on short-term market share and price competition while ignoring “competition for innovation,” which is what matters most in the more dynamic Schumpeterian model. “Schumpeterian competition is primarily about active, risk-taking decision makers who seek to change their parameters,” note economists Jerry Ellig and Daniel Lin. “It is about continually destroying the old economic structure from within and replacing it with a new one.” Thus, while static or “perfect competition” models assume away innovation and are preoccupied with equilibrium, dynamic models revolve around disequilibrium and assume that the only constant is change. What is most important to economic progress, therefore, is the ongoing process of constant experimentation and spontaneous discovery that allows new business models and organizational structures to emerge in response to market signals.

The other danger of the static equilibrium mindset is that the same new innovators and innovations that obtain success and scale quite rapidly as a result of this process are sometimes thought to possess problematic market power. Accusations of “monopoly” quickly follow. As Nobel Laureate Ronald Coase noted, “if an economist finds something—a business practice of one sort or another—that he does not understand, he looks for a monopoly explanation. And as in this field we are very ignorant, the number of understandable practices tends to be very large, and the reliance on a monopoly explanation, frequent,” he argued.  Of course, non-economists are just as likely—perhaps more likely—to make that same error. This is why a short-term fixation on market share and market power is so problematic.

Moreover, as Schumpeter also taught us, it is essential that uneven entrepreneurial gains be tolerated so that innovation can occur and be continuously incentivized. Economies need innovators to take risks because progress is born from it. Penalizing the risk-takers by trying to “level the playing field” through rash regulation or antitrust interventions will simply sap the entrepreneurial spirit from the marketplace, limit technological innovation, and diminish the possibility of progress and prosperity over the long-haul.

If you’d like a better understanding of this dynamic conception of competition and an explanation of why the static equilibrium mindset — especially in the antitrust field — is so horribly misguided, then I strongly recommend you begin your investigation with the following readings:

The Mercatus Center at George Mason University has just released my new white paper, “The Perils of Classifying Social Media Platforms as Public Utilities.” [PDF] I first presented a draft of this paper last November at a Michigan State University conference on “The Governance of Social Media.” [Video of my panel here.]

In this paper, I note that to the extent public utility-style regulation has been debated within the Internet policy arena over the past decade, the focus has been almost entirely on the physical layer of the Internet. The question has been whether Internet service providers should be considered “essential facilities” or “natural monopolies” and regulated as public utilities. The debate over “net neutrality” regulation has been animated by such concerns.

While that debate still rages, the rhetoric of public utilities and essential facilities is increasingly creeping into policy discussions about other layers of the Internet, such as the search layer. More recently, there have been rumblings within academic and public policy circles regarding whether social media platforms, especially social networking sites, might also possess public utility characteristics. Presumably, such a classification would entail greater regulation of those sites’ structures and business practices.

Proponents of treating social media platforms as public utilities offer a variety of justifications for regulation. Amorphous “fairness” concerns animate many of these calls, but privacy and reputational concerns are also frequently mentioned as rationales for regulation. Proponents of regulation also sometimes invoke “social utility” or “social commons” arguments in defense of increased government oversight, even though these notions lack clear definition.

Social media platforms do not resemble traditional public utilities, however, and there are good reasons why policymakers should avoid a rush to regulate them as such. Treating these nascent digital services as regulated utilities would harm consumer welfare because public utility regulation has traditionally been the archenemy of innovation and competition. Furthermore, treating today’s leading social media providers as digital essential facilities threatens to convert “natural monopoly” or “essential facility” claims into self-fulfilling prophecies. Related proposals to mandate “API neutrality” or enforce a “Separations Principle” on integrated information platforms would be particularly problematic. Such regulation also threatens innovation and investment. Marketplace experimentation in search of sustainable business models should not be made illegal.

Remedies less onerous than regulation are available. Transparency and data-portability policies would solve many of the problems that concern critics, and numerous private empowerment solutions exist for those users concerned about their privacy on social media sites.

Finally, because social media are fundamentally tied up with the production and dissemination of speech and expression, First Amendment values are at stake, warranting heightened constitutional scrutiny of proposals for regulation. Social media providers should possess the editorial discretion to determine how their platforms are configured and what can appear on them.

This 63-page paper can be found on the Mercatus site here, on SSRN, or on Scribd.  I’ve also embedded it below in a Scribd reader. Eventually, a shorter version of this paper will appear as a chapter in a MIT Press book.

Social Networks as Public Utilities [Adam Thierer]

The European Commission has a new report out today on “Implementation of the Safer Social Networking Principles for the EU.” It’s a status report on the implementation of “Safer Social Networking Principles for the EU“, a “self-regulatory” agreement the EC brokered with 17 social networking sites and other online operators back in 2009. (Co-regulatory would be more accurate here, since the EC is steering, and industry is simply rowing.) The goal was to make the profiles of minors more private and provide other safeguards.

Generally speaking, the EC’s evaluation suggests that great progress has been made, although there’s always room for improvement. For example, the report found that “13 out of the 14 sites tested provide safety information, guidance and/or educational materials specifically targeted at minors;” “Safety information for minors is quite clear and age-appropriate on all sites that provide it, good progress since the first assessment last year; “Reporting mechanisms are more effective now than in 2010;” and most sites have improved Terms of Use that are easy for minors to understand and/or a child-friendly version of the Terms of Use or Code of Conduct; and many “provide safety information for children and parents which is both easy to find and to understand.” Again, there’s always room for improvement, but the general direction is encouraging, especially considering how new many of these sites are.

Unfortunately, Neelie Kroes, Vice President of the European Commission for the Digital Agenda, spun the report in the opposite direction. She issued a statement saying:

I am disappointed that most social networking sites are failing to ensure that minors’ profiles are accessible only to their approved contacts by default. I will be urging them to make a clear commitment to remedy this in a revised version of the self-regulatory framework we are currently discussing. This is not only to protect minors from unwanted contacts but also to protect their online reputation. Youngsters do not fully understand the consequences of disclosing too much of their personal lives online. Education and parental guidance are necessary, but we need to back these up with protection until youngsters can make decisions based on full awareness of the consequences.

This position is misguided, as explained below. But here’s the crucial point: What this Kroes statement once again proves is that, ultimately, every major public policy debate about online privacy and child safety comes down to a question of where to set the defaults and who should set them. Rarely, however, do policymakers or regulatory advocates acknowledge the downsides associated with mandating highly restrictive defaults from the top down.

Back in 2008, I penned a paper on “The Perils of Mandatory Parental Controls and Restrictive Defaults” in which I argued that, “Government regulation mandating restrictive parental control defaults for media devices would likely have unintended consequences and would not achieve the goal of better protecting children from objectionable content, whereas increased consumer education efforts would be more effective in helping parents control their child’s media consumption.” The general point was that if government defaulted all sites and/or devices to be in a “locked-down” state right out of the gates, it would mean products and services would, in essence, be shipped to market in a crippled state.  This would have a variety of unintended consequences, including consumer confusion and such restrictions would discourage the maximum amount of utility / experimentation associated with those products and services.

The same is true of highly restrictive privacy defaults. How are you even to network with others and make new friends if everything is private by default? Worst of all is the fact that the EC seems to want websites to make it practically impossible for minors to even search for each other. That’s increasingly how users of all ages connect with their real world acquaintances, for whom they may have no other contact information. Isn’t the point of social networking to be social and share more? If a child or a parent doesn’t like that openness, why isn’t it sufficient that they be empowered to change that setting on their own?  Why must the law mandate it by default and tell them what is supposedly best for them?

Nicklas Lundblad & Betsy Masiello made a similar point in their important recent essay on “Opt-In Dystopias.” They noted that more formal opt-in consent models may involve many trade-offs and downsides that need to be considered relative to opt-out models, which are currently more prevalent online. “The decisions a user makes under an opt-in model are less informed” they argue, because “the initial decision to opt-in to a service is made without any knowledge of what value that service provides,” and, therefore, “under an opt-in regime a decision can probably never be wholly informed.” They continue: “If instead of thinking about privacy decisions as requiring ex-ante consent, we thought about systems that structured an ongoing contractual negotiation between the user and service provider, we might mitigate some of these harmful effects.”

The crucial point here is that choice should lie with the consumer and not be set from above. Companies should empower the consumer — including kids — with more and better tools and then let them decide what their privacy settings should be. Government need not “nudge” consumers or companies in paternalistic ways based upon the values of unelected bureaucrats. Most importantly, policymakers should not not conflate “privacy by design” with privacy by default. Let experimentation continue and let consumers make these determinations for themselves.

Over at Mashable, Ben Parr has a post (“Facebook Turns to the Crowd to Eradicate Offensive Content“) expressing surprise that Facebook has a crowdsourcing / community policing solution to deal with objectionable content:

Did you know that Facebook has a crack team of employees whose mission is to deal with offensive content and user complaints? Their ranks number in the hundreds. But while most websites have people on staff to deal with porn and violence, none of them have 350 million users to manage… Now the world’s largest social network found a way to deal with this shortage of manpower, though. Facebook has begun testing a new feature called the Facebook Community Council [currently invite-only]. According to a guest post on the Boing Boing blog by one of the council’s members, its goal is to purge Facebook of nudity, drugs, violence, and spam. The Facebook Community Council is actually a Facebook app and tool for evaluating content for various offenses… The app’s tagging system allows council members to tag content with one of eight phrases: Spam, Acceptable, Not English, Skip, Nudity, Drugs, Attacking, and Violence. If enough council members tag a piece of content with the same tag, action is taken, often a takedown.

What Facebook is doing here is nothing all that new.  Many other social networking sites or platforms such MySpace, Ning, and many others, do much the same. Video hosting sites like YouTube do as well. [See my summary of YouTube’s efforts down below]**

No doubt, some will be quick to decry “private censorship” with moves by social networking sites, video hosting sites, and others to flag and remove objectionable content within their communities, but such critics need to understand that:

1. Big communities require interest-balancing: Online communities like Facebook, MySpace, YouTube, etc., are broad-based communities with diverse interests and sensitives. Some forms of community policing are, therefore, necessary to achieve a reasonable balance among those interests. You are always free to “move” elsewhere if you don’t like the standards set by a particular online community. The Internet is a big place; there’s a community out there for every taste and interest!
2. Private community policing beats public censorship: If larger, more popular online communities fail to take steps to establish private community standards, policymakers will suggest they should do it for them. Better that the various private online communities police themselves by “flagging & tagging” objectionable content than to have 5 unelected bureaucrats at the FCC (or FTC) regulating online speech for us.  As pointed out above, you can always escape private online communities. By contrast, you cannot escape blanket, one-size-fits all federal censorship efforts.

** In late 2008, YouTube created a new “Abuse and Safety Center” to make it easier for users to report abusive behavior or inappropriate content. The site also makes it easy for users to find helpful information from various expert organizations who deal with troubling behavior.

For example, if a YouTube user reports “hateful content,” they are directed to tips from the Anti-Defamation League. Similarly, information from the National Suicide Prevention Lifeline is provided to those who report suicide concerns, and the National Center for Missing & Exploited Children provides information and links about sexual abuse of minors. YouTube also has strict “community guidelines” governing appropriate behavior on the site.

Finally, in May 2009, YouTube announced a new “Filter Wrds” program that lets users block profanity and racial slurs. According to the site: “Users can opt into this by clicking on ‘Options’ next to the Comments header and checking the ‘Filter Wrds’ box. Users can also choose to hide comments altogether by clicking on ‘Hide Comments.’” Those user preferences will then be saved by the browser.  According to YouTube, the site uses “a combination of feedback from users, proprietary technology, and a commonsense collection of words in English to decide what to filter.” Incidentally, there’s also a free Firefox extension called “YouTube Comment Snob” that that filters out undesirable comments from YouTube comment threads.

I got some feedback from readers about my post last night regarding the irony of the FCC’s newly-created MySpace page containing some rather vulgar user comments. I wondered if the agency would continue to allow such comments when the agency regulates similar words when they are uttered on broadcast TV or radio.  A few people asked me why the agency hasn’t bother using the comment management tools that MySpace puts at the public’s disposal.  It’s a good question, and actually I’m not sure why they didn’t do that right from the start.  Perhaps the agency is concerned about being accused of censoring public comment. [Incidentally, the White House and some federal agencies have MySpace pages, so perhaps I need to look into how those agencies manage comments.]

Regardless, the FCC now has taken steps to deal with this. John Eggerton of Broadcasting & Cable and Kim Hart of The Hill point out that the agency has removed some vulgar comments on their MySpace page (namely, any comment with the F-bomb in it).  And I assume the agency is now taking steps to screen comments going forward. For those who are not aware, MySpace empowers users (including government agencies if they choose to set up profiles) to require approval before new comments appear on their profiles (accessed by clicking “My Account” and then “Spam”).  Here are the options:

Moreover, I should also mention that if people want to see the FCC’s MySpace profile but don’t want to see all the comments, they can always change their default view to MySpace’s “Lite View,” which hides all comments, third party applications, and some other sections of a page. To switch to Lite View, click on “My Account” in the upper-right corner of any MySpace page, then click on “Miscellaneous” to access the Default View setting. It’s another nice way that MySpace empowers users to control their site experience.

Regardless, this will be a difficult issue for federal agencies to manage going forward. If agencies are going to take the plunge and boldly enter the social networking world, they’ll need to understand that the vibrant exchange of views will sometimes entail some salty language and occasional insults.  Yet, when they take steps to deal with some of the most offensive comments posted on their pages, accusations of censorship are bound to fly. It’s a tough position for agencies to be in since they want to encourage maximum public interaction and input, and yet some of that input is bound to get heated, even ugly.

So, here are some questions that both agencies and policy wonks will need to consider going forward. Will government agency profiles on social networking sites be considered “public forums” under traditional First Amendment jurisprudence?  While there are important limits on how government can regulate the “time, place, and manner” of speech on government property, the Supreme Court has allowed government-run schools to regulate the use of profanity to some extent. It probably makes sense for government agencies to have the discretion under the First Amendment to impose some basic ground rules on the use of profanity comments on their social networking profiles, as well as on the kinds of crowd-sourcing discussion platforms that the Obama administration has been experimenting with.  Most agencies already have some policies in place for public comments directly to their websites. And yet, with a little effort, one can find the same sort of profanity in comments submitted to the FCC’s own website. But social networking sites are much easier to use than the FCC’s existing Electronic Comment Filing System.  They’re easier to use in two respects: It’s easier for people to submit comments, and it’s easier for others to see those comments. So that’s why government agencies would be well-advised to establish and publish clear ground rules for online comments.

But even with posting guidelines in place, there are other sticky questions here, especially for the FCC. As Broadcasting & Cable’s John Eggerton points out, the agency does have moderation policies for its other sites, but those policies raise still more questions because of positions the FCC has taken in court on other First Amendment matters:

“We have moderation policies for blog and Ideascale comments,” said an FCC spokesman, “and are applying those principles to MySpace while we draft a moderation policy specific to that site.” The Blogband moderation policy excludes “slurs; abusive or obscene language,” so profanity of the S- and F-word varieties could fall under that prohibition. But a check of the moderation policy for Ideascale, a crowd-sourcing site the FCC is employing for comments on policies and proposals, revealed the following: “Comments which include any of the following may be removed from the public site: Threats or incitements to violence; Obscenity; Duplicate posts; Posts revealing your own or others’ sensitive/personal information (e.g., Social Security numbers); Information posted in violation of law, including libel, condoning or encouraging illegal activity, revealing classified information, or comments which might affect the outcome of ongoing legal proceedings; Promotion of commercial services or products; Spam.” Hmmm. That creates another potential problem. The only category a post simply containing the F-word would seem to fit in is “obscenity.” But, as First Amendment attorneys will tell you, obscenity in content control terms is a legal definition for speech that is totally unprotected. If the FCC is suggesting cursing is obscene in the legal sense, then it is wholly unprotected and could be banished entirely from the online waves and from the airwaves, too, safe harbor be doggoned.

In other words, we’re back to the legal fight we’ve been having in court for decades about the meaning of terms like “indecency,” “obscenity,” and so on.  The FCC is going to be walking a bit of legal tightrope here, and other agencies will likely encounter similar problems in the future.

If readers are aware of how other agencies or government officials are dealing with this, I’d appreciate your comments below.  I have not studied this issue that closely in the past, but plan to do so now.

Oh my.  So today, as part of its ongoing effort to look like the hip new regulatory agency on the block, the Federal Communications Commission decided to launch a MySpace page.    Really. Big. Mistake.

I mean, shouldn’t someone over there have known it would take about 2 milliseconds for various cranks to launch into profanity-laced rants that would make George Carlin blush? Sure enough, the page is already littered with some of the most colorful language you’ll ever lay your eyes on, mixed in with some 9/11 conspiracy theories, a plug for the Marijuana Policy Posse, and something about the FCC “build[ing] a cone of terror in [our] homes.”

Go check it out, but avert the children’s eyes first. It ain’t pretty. Which begs the question: Will the FCC apply its  Pacifica indecency standard to its own MySpace page?  Seems like their site is pretty “pervasive” to me, and there could be “children in the viewing audience.”  Time to censor these “fleeting expletives” on the FCC’s MySpace page!

by Berin Szoka & Adam Thierer, Progress Snapshot 5.11 (PDF)

Ten years ago, Nobel Prize-winning economist Milton Friedman lamented the “Business Community’s Suicidal Impulse:” the persistent propensity to persecute one’s competitors through regulation or the threat thereof. Friedman asked: “Is it really in the self-interest of Silicon Valley to set the government on Microsoft?” After yesterday’s FCC vote’s to open a formal “Net Neutrality” rule-making, we must ask whether the high-tech industry—or consumers—will benefit from inviting government regulation of the Internet under the mantra of “neutrality.”

The hatred directed at Microsoft in the 1990s has more recently been focused on the industry that has brought broadband to Americans’ homes (Internet Service Providers) and the company that has done more than any other to make the web useful (Google). Both have been attacked for exercising supposed “gatekeeper” control over the Internet in one fashion or another. They are now turning their guns on each other—the first strikes in what threatens to become an all-out, thermonuclear war in the tech industry over increasingly broad neutrality mandates. Unless we find a way to achieve “Digital Détente,” the consequences of this increasing regulatory brinkmanship will be “mutually assured destruction” (MAD) for industry and consumers.

New Fronts in the Neutrality Wars

The FCC’s proposed rules would apply to all broadband providers, including wireless, but not to Google or many other players operating in other layers of the Net who favor such broadband-specific rules. With this rulemaking looming, AT&T came after Google with letters to the FCC in late September and then another last week accusing the company of violating neutrality principles in their business practices and arguing that any neutrality rules that apply to ISPs should apply equally to Google’s panoply of popular services. In particular, AT&T accused Google of “search engine bias,” suggesting that only government-enforced neutrality mandates could protect consumers from Google’s supposed “monopolist” control.

The promise made yesterday by the FCC—to only apply neutrality principles to the infrastructure layer of the Net—is hollow and will ultimately prove unenforceable. The reality is that regulation always spreads. The march of regulation can sometimes be glacial, but it is, sadly, almost inevitable: Regulatory regimes grow but almost never contract. Indeed, in some ways, the prediction we made just three weeks ago is already coming true: The basic premise of neutrality regulation is already being proposed for other layers of the Internet—and not just by AT&T in retaliation. One need not agree with all of AT&T’s accusations to recognize that, whatever the FCC might say today, any large online intermediary with a popular platform potentially faces the threat of “network neutrality” mandates—because every platform is essentially a “network,” too. We’re not just talking about “search neutrality” (Google as well as Microsoft) but also about “device neutrality” (mobile handsets), “app neutrality” (Apple’s iTunes store, Facebook’s developers and Google’s Android mobile OS) and so on for social networking, email, instant messaging, online advertising, etc.

An open letter sent to FCC Chairman Julius Genachowski this week by 28 founders and CEOs of leading application providers—including Amazon, Google, Facebook, Netflix, Craigslist, Sony and Twitter—speaks generally about the need for the FCC to enforce a “guarantee of neutral, nondiscriminatory access by users.” While many of these signatories may have in mind ISPs as the network “gatekeepers” that need to be reined in by the FCC, the more successful among them are likely to find this letter used against them in the future—perhaps even by co-signatories—to advance a broad conception of what the government must do to ensure “openness” and “access” for platforms at all layers of the Internet.

Dumb Networks, Dumb Devices

The intellectual foundations for this regulatory creep have already been laid by groups like Free Press and Public Knowledge and law professors like Columbia’s Tim Wu, Harvard’s Jonathan Zittrain and Seton Hall’s Frank Pasquale. As originally conceived by Tim Wu in 2003, “network neutrality” is not unique to broadband networks: “the basic economic problem found in the network neutrality debate (a form of ‘platform exclusion’ or ‘vertical foreclosure’) can be found in many other markets.” Indeed, Wu’s popular Net Neutrality FAQ declares:

The promotion of network neutrality is no different than the challenge of promoting fair evolutionary competition in any privately owned environment, whether a telephone network, operating system, or even a retail store. Government regulation in such contexts invariably tries to help ensure that the short-term interests of the owner do not prevent the best products or applications becoming available to end-users.

Zittrain picked up where Wu left off in The Future of the Internet and How to Stop It—attacking, as the enemies of innovation, not ISPs but the supposedly “closed” platforms of Apple, TiVo and Microsoft’s Xbox. Zittrain warns that:

If there is a present worldwide threat to neutrality in the movement of bits, it comes not from restrictions on traditional Internet access that can be evaded using generative PCs, but from enhancements to traditional and emerging appliancized services that are not open to third-party tinkering.

Zittrain’s general solution is “API [Applications Programming Interface] neutrality:” If you create a platform (whether hardware or software) and begin allowing third-party contributions (“generativity”), you will lose all control over devices or applications that can run on that platform.

Those who offer open APIs on the Net in an attempt to harness the generative cycle ought to remain application-neutral after their efforts have succeeded, so all those who built on top of their interface can continue to do so on equal terms…. [N]etwork neutrality ought to be applied to the new platforms of Web services that, in turn, depend on Internet connectivity to function.

Clearly, if Zittrain and his allies have their way, the sort of neutrality mandates envisioned by the FCC or some Congressmen for ISPs will eventually cover companies such as Apple, Google, Facebook, Myspace, Twitter and Amazon—all singled out by Zittrain in a New York Times op-ed in July:

If the market settles into a handful of gated cloud communities whose proprietors control the availability of new code, the time may come to ensure that their platforms do not discriminate. Such a demand could take many forms, from an outright regulatory requirement to a more subtle set of incentives — tax breaks or liability relief — that nudge companies to maintain the kind of openness that earlier allowed them a level playing field on which they could lure users from competing, mighty incumbents.

Frank Pasquale agrees on the need to restrain all “the dominant players at all layers of online life,” but focuses on his demand for a Federal Search Commission to control supposedly “biased” search results. While the FCC wrings its hands over “managed services” offered by ISPs, search engines are increasingly offering their own value-added services by “blending” algorithmically-derived results with special features like maps, videos, books or music depending on what the search term suggests the user is interested in. “Artificially” ensuring that these features appear on the first page of search results is clearly non-neutral, and necessarily involves search engines making ”managed” decisions as to whose features to include. Yet such features also clearly benefit users—dramatically improving the usefulness of search engines and helping to sustain struggling business models like music retailing.

But one need not resort to the works of “ivory tower” academics to see the slippery slope we’re already tumbling down with the infinitely elastic principle of “neutrality.” The prospect of the FCC gradually transforming into a “Federal Information Commission” becomes more apparent when one reads the Wireless Innovation and Investment Notice of Inquiry recently released by the FCC:

As other approaches, such as cloud computing, evolve, will established standards or de facto standards become more important to the applications development process? For example, can a dominant cloud computing position raise the same competitive issues that are now being discussed in the context of network neutrality? Will it be necessary to modify the existing balance between regulatory and market forces to promote further innovation in the development and deployment of new applications and services?

One can imagine how some might use such language to accuse Google of being in “a dominant cloud computing position” such that “the context of network neutrality” will be applied to cloud service (like Google Voice) to “modify the existing balance between regulatory and market forces” through regulation. Indeed, that’s precisely what AT&T has suggested in recent letters (September 25 ^th and October 14 ^th) to the FCC.

AT&T’s partner Apple has already been the subject of such attacks for its decision to block the Google Voice app earlier this summer. The incident marked the beginning of open warfare between Google and AT&T/Apple. The FCC quickly jumped into the mix, first questioning how Apple manages its iTunes apps store for the iPhone, then questioning how Google runs its free Voice application. What legal authority the FCC has over either service is far from clear, but Apple seems to have gotten the message: It recently approved the Spotify music streaming app for the iPhone, which could be a serious competitive threat to the iTunes music store. This small incident highlights how easily regulators can impose their will through informal mechanisms like open-ended investigations even without clear authority to issue rules or bring enforcement actions. Yet none dare call it what it is: regulatory blackmail.

The Inevitability of Regulatory Capture

No doubt, other industry players will cheer on such regulatory harassment of the titans of tech—and maybe even demand more of it. Regulatory creep is driven by more than the self-interests of every bureaucracy to expand its own mission, budget and staff. As the Electronic Frontier Foundation has noted, “Experience shows that the FCC is particularly vulnerable to regulatory capture.” While lobbyists play an important role in defending business from government, all too many businesses naively look at government as a beast that can be tamed, trained, and turned to one’s own advantage, and often try to use the expanding regulatory apparatus to their own advantage or simply throw their competitors under the bus to save themselves. The result is a Hobbesian regulatory “war of all against all” within industry.

As Professor Alfred E. Kahn explained in his 2-volume opus, The Economics of Regulation, all regulation—however high-minded—is inevitably captured by special interests because:

When a commission is responsible for the performance of an industry, it is under never completely escapable pressure to protect the health of the companies it regulates, to assure a desirable performance by relying on those monopolistic chosen instruments and its own controls rather than on the unplanned and unplannable forces of competition. […] Responsible for the continued provision and improvement of service, [the regulatory commission] comes increasingly and understandably to identify the interest of the public with that of the existing companies on whom it must rely to deliver goods.

If Internet regulation follows the same course as other industries, the FCC and/or lawmakers will eventually indulge calls by all sides to bring more providers and technologies “into the regulatory fold.” Clearly, this process has already begun. Even before rules are on the books, the companies that have made America the leader in the Digital Revolution are turning on each other in a dangerous game of brinksmanship, escalating demands for regulation and playing right into the hands of those who want to bring the entire high-tech sector under the thumb of government—under an Orwellian conception of “Internet Freedom” that makes corporations the real Big Brother, and government, our savior.

Toward a Less MAD World: Digital Détente

Sincere defenders of real Internet Freedom—that is, freedom from government techno-meddling—recognize that there will always be disputes over how companies deal with each other online across all layers of the Internet. The question is not whether we need a technical coordinating mechanism for handling such disputes. Someone should mediate conflicts over alleged deviations from abstract neutrality principles. But should that arbitrator be an inherently political body like FCC? Or should we instead look to truly independent, apolitical arbitrators like the Internet Engineering Task Force or collaborative efforts like the Network Neutrality Squad? Such alternative dispute resolution mechanisms and fora need not have the power of law to be effective: The weight of their expert opinion, based on careful investigation of the facts, would likely resolve most disputes, because companies have strong reputational incentives to comply with reasoned rulings by truly neutral experts. And the white hot spotlight of public attention has a way of disciplining marketplace behavior as well.

Government would still have a role to play, of course, in enforcing antitrust laws where anticompetitive harm to consumers can be proven, and in enforcing the promises companies make to consumers. Ultimately, however, certain business models and technologies require non-neutral treatment, and the best remedy for concerns about non-neutrality is competition itself: In the high-tech sector more than any other, disruptive innovation makes it difficult for even the most successful companies to stay on top forever. Competitive entry—or even the threat of new entry—provides a powerful check on the power of so-called “gatekeepers,” but even more important is the prospect that today’s leaders will be tomorrow’s laggards: There’s little reason to think Google (search and advertising), Apple (smart phones and music) and Facebook (social networking) won’t someday find themselves playing catch-up, just as IBM (computers), Microsoft (desktop software and search), Friendster and MySpace (social networking), and Yahoo! and AOL (web portals) have had to do.

“Digital Détente” would require that all parties concede something and work constructively toward a more “peaceful” ( i.e., less regulatory) resolution. And yet, no Internet company wants to disarm unilaterally, foreswearing politics as a continuation of competition by other means. Only through multilateral disarmament could they break out of the current cycle of regulatory one-upmanship: If the companies in the Internet ecosystem could form a united front against increased government regulation and in favor of removing existing regulatory obstacles to competition, they could all return to their core competencies of creativity and innovation.

The alternative is a regulatory “nuclear winter”: high-tech titans turning their political fire on each other, catching innocent third parties in the cross-fire and bringing a dark cloud of government regulation over the entire Internet. Such increased regulation would stifle investment and innovation throughout the Internet ecosystem. Thus, it is consumers who will ultimately suffer most from the tech industry’s suicidal impulse, as their choices and digital lives are impoverished. For their sake, we hope all industry players will step back from the brink to avoid such high-tech mutually assured destruction.

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

The latest edition (Version 4.0) of my PFF special report on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now up.  For those not familiar with the report, it explores the market for parental control tools, rating schemes, education and media literacy efforts, and various other tools, methods, and initiatives aimed at promoting online child safety.  After evaluating that state of this market, I conclude: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”  Moreover, I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation.

Version 4.0 of the report is now over 250 pages long (up from 200 pages in Version 3.0) and it contains almost 70 exhibits (up from 50), 725 references (up from roughly 500), and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. Other new sections or appendices have also been added to the report, including:

• a new section examining how many households really need parental control tools;
• a new appendix on the downsides of mandatory parental controls and restrictive default settings;
• a new section on the dangers of “deputizing the online middleman” solution as an approach to solving child safety concerns;
• a new appendix reviewing the findings of 5 past online safety task forces;
• … and much more.

I issue major updates once a year and 1 or 2 minor tweaks during the course of the year to reflect the evolution of the parental control and online child safety marketplace and debate. The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past couple of years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

I’ve just had a new article published by the American Legislative Exchange Council (ALEC) in which I make the case against “techno-panics,” which refers to public and political crusades against the use of new media or technologies by the young. The article is entitled “Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics‘” and it appears in the July 2009 Inside ALEC newsletter.  This is something I have spent a lot of time writing about here in recent years (See 1, 2, 3, 4, 5) and I finally got around to putting it altogether in a concise essay here.  I have pasted the full text below. [And I just want to send a shout-out to my friend Anne Collier of Net Family News.org, whose work on this topic has been very influential on my thinking.]

“Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics‘” by Adam Thierer

A cursory review of the history of media and communications technologies reveals a reoccurring cycle of “techno-panics” — public and political crusades against the use of new media or technologies by the young.  From the waltz to rock-and-roll to rap music, from movies to comic books to video games, from radio and television to the Internet and social networking websites, every new media format or technology has spawned a fresh debate about the potential negative effects they might have on kids.

Inevitably, fueled by media sensationalism and various activist groups, these social and cultural debates quickly become political debates. Indeed, each of the media technologies or outlets mentioned above was either regulated or threatened with regulation at some point in its history. And the cycle continues today. During recent sessions of Congress, countless hearings were held and bills introduced on a wide variety of media and content-related issues. These proposals dealt with broadcast television and radio programming, cable and satellite television content, video games, the Internet, social networking sites, and much more.  State policymakers, especially state Attorneys General (AGs), have also joined in such crusades on occasion.  The recent push by AGs for mandatory age verification for all social networking sites is merely the latest example.

What is perhaps most ironic about these techno-panics is how quickly yesterday’s boogeyman becomes tomorrow’s accepted medium, even as the new villains replace old ones.  For example, the children of the 1950s and 60s were told that Elvis’s hip shakes and the rock-and-roll revolution would make them all the tools of the devil. They grew up fine and became parents themselves, but then promptly began demonizing rap music and video games in the ‘80s and ‘90s.  And now those aging Pac Man-era parents are worried sick about their kids being abducted by predators lurking on MySpace and Facebook. We shouldn’t be surprised if, a decade or two from now, today’s Internet generation will be decrying the dangers of virtual reality.

These techno-panics are almost always disproportionate to the real risk posed by new media and technology, which typically do not have the corrupting influence on youth that older generations fear.  Parents and public policymakers alike need to remember they were once kids, too, and managed to live through many of the same fears and concerns about media and popular culture. As the late University of North Carolina journalism professor Margaret A. Blanchard once noted: “[P]arents and grandparents who lead the efforts to cleanse today’s society seem to forget that they survived alleged attacks on their morals by different media when they were children. Each generation’s adults either lose faith in the ability of their young people to do the same or they become convinced that the dangers facing the new generation are much more substantial than the ones they faced as children.” And Thomas Hine, author of The Rise and Fall of the American Teenager, argues that: “We seem to have moved, without skipping a beat, from blaming our parents for the ills of society to blaming our children. We want them to embody virtues we only rarely practice. We want them to eschew habits we’ve never managed to break.”

The better response by both parents and policymakers is a measured and balanced approach to children’s exposure to media content and online interactions.  All-or-nothing extremes are never going to work.  In particular, techno-panics are hopelessly counter-productive. “Fear, in many cases, is leading to overreaction, which in turn could give rise to greater problems as young people take detours around the roadblocks we think we are erecting,” argue John Palfrey and Urs Gasser, authors of Born Digital: Understanding the First Generation of Digital Natives. What parents, educators, and policymakers need to understand, they argue, “is that the traditional values and common sense that have served them well in the past will be relevant in this new world, too.”

Most simply, we need to be willing to talk to our kids about the new technologies and cultural developments that shape their generation. When we as parents (or policymakers) do not fully comprehend or appreciate the new-fangled gadget in our kids’ pocket—or whatever they are playing, watching, or listening to on it—instead of engaging in demagoguery and driving a wedge between us and them, we should instead invite them to have a conversation with us about it.  Ask three simple questions to get that conversation started: “What is this new thing all about?”  “Tell me how you use it.”  “Why is it important to you?”  Once you’ve got them talking to you, good ‘ol fashion common sense and timeless parenting principles should kick in. “Do you understand why too much of this might be bad for you?” “Will you please come talk to me if you don’t understand something you’ve seen or heard?” And so on.

In sum, it’s about parental responsibility and rational, measured responses. The “techno-panic” mentality, by contrast, creates distrust and distance between our kids and us. As Anne Collier of Net Family News notes, techno-panics “cause fear, which interferes with parent-child communication, which in turn puts kids at greater risk.”

Parents and policymakers need to engage kids in an ongoing conversation about the technologies du jour—even when we don’t fully understand or appreciate them.

————— [printable Scribd version follows] —————

“Against Techno-Panics” by Adam Thierer, PFF (July 2009 – Inside ALEC) http://d.scribd.com/ScribdViewer.swf?document_id=17392730&access_key=key-2gdkqylyeu5h376buyyi&page=1&version=1&viewMode=

Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sight on the security practices of cloud service providers.

A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google services—or at the very least, to make more visible the option currently given to users to opt-in to use SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google, in fact we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.

No Free Lunch: The Costs of Encryption Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” ( i.e., ad-supported). Google in particular has lead the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users.

Offering persistent SSL is resource-intensive, because encryption requires computing power on the server side. Google currently spends billions on the servers that run all Google’s services, including Gmail — $2.4 billion back in 2007, when the company was much smaller. Google’s pricing for their App Engine offers some insight into cost, putting a cost of $0.10/CPU computing cycle. But without knowing what their actual cost is or how many CPU computing cycles the average Gmail user might consume per year using persistent SSL, it’s difficult to translate this price into an actual estimate of the cost of providing persistent SSL. Thus, while there are no hard numbers on how much Gmail costs Google to provide or how much more it would cost to provide persistent SSL for every user by default, both costs are clearly substantial. Chris himself provides a shot-in-the-dark guess that SSL-encrypted communications might require as much as six times the server resources as unencrypted communications. I’d love to know where Chris came up with that guess, whether the upper-bound might be even higher, and how he thinks smaller operators would pay for that cost.

Indeed, Chris’s letter does not discuss the cost of providing SSL at all, mentioning the word “cost” just once, and in a completely different sense: “Other Google applications demonstrate that security need not come at the cost of performance.” This is perfectly consistent with Chris’s general response to the costs of regulation: “Your broken business model is not my problem” (which sounds more charming in Chris’s elegant British English).

But just as Chris is correct that “Defaults matter,” it is even more true that “Costs matter.” Google appears to take the question of how much it costs to provide SSL off the table: “in this case, the additional cost of offering HTTPS isn’t holding us back.” But this is by no means a dismissal of the importance of costs. Rather, Google is simply saying that it has already decided that the advantage of providing persistent SSL are worth the costs. Every advantage to users in terms of greater security is, of course, also an advantage to Google as it competes for customers. While Gmail may have the highest profile among webmail companies, it still lags far behind Yahoo! Mail and Microsoft’s Hotmail in market share: As of February, Yahoo!’s market share was 56%, Microsoft’s 19% and Google’s 11%. Offering increased security, as Google already does with the full-SSL opt-in, is simply a way for Google to gain a competitive advantage over its rivals. One can only imagine the barrier to entry such an expensive default, if mandated or simply expected, will create for new, smaller competitors to Google, Microsoft, Yahoo! and other web titans across a wide range of cloud services.

Google’s apparent agreement with Chris and his band of cybersecurity experts conceals a more fundamental difference of perspectives. While I consider Chris a good friend, what separates us him, and what separates him from Google, is the question of trade-offs. Chris exemplifies what the economist and philosopher Thomas Sowell called the “Vision of the Anointed.” As the best and brightest in society (“the talented few”), the Anointed are often right, as Chris certainly is here on some level: Persistent SSL is a great thing and most Gmail users would probably be better off with it once Gmail irons out all the kinks in implementing it. (Indeed, I had already opted-in to using persistent SSL reading before Chris’s letter.)

No, the problem with the Anointed is not that they are necessarily wrong, but that they focus on “Solutions” to problems, while those with the “Tragic Vision” focus on the “Trade-offs” inherent in the constraints of reality. For the Anointed, seeking to impose their preferences on others, Sowell notes:

it is simply a question of choosing the best solution, while to those with the tragic vision the more fundamental question is: Who is to choose? And by what process, and by what consequences for being wrong? … it is so easy to be wrong—and to persist in being wrong—when the costs of being wrong are paid by others. (pp. 135-36).

Google’s response focuses on one important trade-off: that made by users deciding between added security and a slower Gmail connection. Individual preferences on this choice might vary, even among fully-informed users: For example, some Gmail power users may prefer speed over security, knowing that the risks addressed by are lessened because they do not take their desktop PCs to unsecure Wi-Fi hotspots at, say, the local coffee shop.

But there is a more fundamental trade-off at stake: While Google already offers persistent SSL for free to all users and says that they intend to make this the default setting in the near future, using SSL for everyone will be expensive and that cost will ultimately be borne by consumers as well as by Google (and other webmail operators that follow suit). The cost of providing SSL might mean, for example, that Google will provide less storage space or other innovative Gmail features than it would otherwise have done, because while the politicians in Washington can simply print more money to put a “chicken in every pot” (and a mortgage in every subprime borrower’s hands), Google’s resources are necessarily limited. In short, even in the world of “Free!” content and services, there is no free lunch! In a world of scarce resources (a/k/a reality, even the reality of the digital economy), we must make trade-offs.

Again, Chris may well be correct that the security benefits of SSL are worth this particular trade-off but it’s important to distinguish between two different kinds of decisions. Again, Sowell makes the point brilliantly:

trade-offs must be incremental rather than categorical, if limited resources are to produce optimal results in any social system as a whole. Despite the importance of incremental trade-offs, the language of politics is filled with categorical rhetoric about ‘setting priorities,” “providing basic necessities.” or “assuring safety” in foods, medicines, or nuclear power. But incremental decisions differ as much from categorical decisions as trade-offs differ from solutions. If faced with a categorical choice between food and music, every sane person would choose food, since one can live without music but not without food. But if faced with an incremental choice, the decision could easily be just the opposite. If food were categorically more important than music, then we would never reach a point where we were prepared to sacrifice resources that could be used to produce food, in order to produce music. Given this premise, Beethoven, Brahms, and Bach should all have been put to work growing potatoes, instead of writing music, if food were categorically more important.

Online “security” (like online “privacy”) is, like food or physical safety, undeniably a good thing. But we must still make trade-offs between security and the other things with which is necessarily competes. Google currently runs vast server farms, but still has only a certain number of CPU cycles to use for a variety of competing purposes. Spending that scarce resource (and the money that ultimately pays for it) on persistent SSL necessarily means being able to offer less of other things across the wide range of services Google offers. It is in recognition of such unintended consequences that Sowell concludes that:

many a sound and beneficial principle becomes a dangerous absurdity when it becomes a fetish. That is why any categorical principle must be assess not only in terms of its soundness as a principle, but also in terms of what happens when that principle is applied categorically.

So, what would happen if this insistence on persistent SSL were “applied categorically?”

Impact on the Competitive Landscape While Google may be able to “eat” the cost of persistent SSL for all its Gmail users, mandating the use of persistent SSL may create a significant barrier to entry that could keep smaller providers out of the market. Even shaming a leading webmail provider like Google into voluntarily increasing their security offering may accomplish the same result by raising consumer expectations. Indeed, this is what competition is all about!

For a large webmail provider like Yahoo!-already struggling to find its way in a rapidly evolving competitive landscape for web content, services and advertising despite its 56% webmail market share-the cost of providing persistent SSL for their enormous installed base of users will necessarily reduce their resources available to compete with Google in webmail and on other fronts. For Microsoft, every dollar spent on upgrading Hotmail security could have been spent on improving Bing, Microsoft’s new search engine, which seems capable of posing a significant challenge to Google in the search market.

In general, increasing the cost of providing a service will necessarily tend to make that service less competitive. If there are fewer companies competing to offer webmail (and other related products like calendar services), there will be less pressure on each of them to compete in non-price terms such as…. security and privacy protection. Thus, in the real world, fetishizing security can actually lead to less security.

The Cost/Benefit Approach to Security Improvements Indeed, while the full use of SSL is an obvious way to improve the security of webmail, it is not obvious that it is the most cost-efficient way to do so. If the precise costs of using persistent SSL for all users are substantial but unclear, it is impossible to evaluate whether user security might be improved more by prioritizing scarce resources to deal with other threats.

The threat posed by unauthorized account access via cookie stealing and packet sniffing appears to be far smaller than other less obvious security threats, such as permitting the use of weak passwords, duplicating passwords across accounts, reliance on poor secret questions, the accessing of accounts at unsecured public terminals, and the failure of users to log out. Likewise, threats to end-user security and privacy such as cross-site scripting attacks or cross-site forgery requests account for a far greater portion of internet-related security incidents. There may be no technological “silver bullet” for these problems, but they may represent the “low hanging fruit” for improving security at a much lower cost.

Again, the question is not just whether the Anointed are right, but who is to decide among various options such as persistent SSL, user education and changes in user interface design.

HTTPS Über Alles: Where is This Going? Google indicated that they’re exploring turning on persistent SSL (HTTPS) for all Gmail users, but says nothing about other Google services. Chris’s letter, however, asks Google to adopt HTTPS for Google Docs and Calendar, and goes on to mention Facebook and MySpace as companies that leave their users “vulnerable to data theft and account hijacking” because they do not use HTTPS.

So just how far should the adoption of HTTPS go? Chris’s draft “Caught in the Cloud” paper repeatedly argues that all cloud services should adopt persistent SSL. Yet even he recognizes that e-mail may be uniquely sensitive:

While most users’ word processing documents or photo collections may not be that valuable to a fraudster, an email account can have considerable value – due to the fact that inboxes routinely contain passwords and account information for other websites. For example, many Web sites will resend a password to a user’s email address in the event that the user forgets her password. Thus, a poorly secured email account can be leveraged to gain access to a victim’s bank account, brokerage account or online health records. (p. 15)

Here, Chris seems to recognize the need to make real trade-offs. But his coalition letter draws no such distinction, and even if it did, the more important point is that the Anointed think they know better how to draw these distinctions than anyone else —especially the companies who actually offer cloud services.

So what about Facebook messaging, Twitter tweets, and other social networking communication tools? How should “we” decide which of these services really merits persistent SSL? More important, who is this “we,” anyway?
Who’s actually going to make these decisions? Rather than trusting in the “systemic process” of competition among cloud computing companies, for whom security can be an element of non-price competition, the Anointed presume to make these decisions for everyone else.

Paying for SSL In a world of trade-offs, it’s important to look not just at the opportunity cost of providing features like persistent SSL, but also at the additional sources of revenue that could cover the costs of cloud computing features like SSL. If we can “grow the pie,” the trades-offs made to support persistent SSL will not be so painful. Two potential revenue streams seem obvious.

First, Google and other cloud service providers could simply charge for persistent SSL. For instance, Google currently charges $50/year/user for customized, ad-free Google Apps email accounts.

Second, if the advertising that supports webmail and other cloud services were more profitable, Google could afford more “guns and butter”: persistent SSL for everyone and continued expansion of storage space and roll-out of new Gmail features. This is precisely why Google, Yahoo! and other online advertising companies want to offer “Interest-Based Advertising” that is tailored to a user’s interests based on data about their web surfing. Unfortunately, the Anointed have so fetishized “User Privacy” that they are blind to these trade-offs, and fail to recognize that limiting targeted advertising in the name of “Privacy” may compromise “Security,” just as mandating “Security” protections may actually reduce competitive pressures to increase “Privacy” protections.

Thus, as Sowell emphasizes, we must understand that trade-offs cannot be made in isolation because “What can be afforded seriatim vastly exceeds what can be afforded simultaneously.” That is, we must make “trade-offs within an overall system constrained by inherent limitations of resources, knowledge, etc.” It is precisely because that task is so challenging that we must proceed cautiously and resist the insistence of the Anointed that there is an “urgent need for action to avert impending catastrophe.”

Other Options: User Empowerment & Education Chris’s letter calls for persistent SSL by default in the belief that users do not know enough to protect themselves. In the alternative, the letter suggests four steps Google could take to help users make more fully informed choices. These suggestions seem generally reasonable, and it might well make sense to adopt them, but there are other means to address the ignorance of the “Benighted” than by presuming to decide which trade-offs Google should make in how it designs the user interface of Gmail for all users.

First, Google could present more information and a cleaner choice about persistent SSL during the initial account set-up process. In other words, when a user creates a new Google account, they would be told the pros and cons of persistent SSL and could then make a more informed decision about whether to use persistent SSL or SSL only for authentication. Since Gmail currently has only an 11% share of the webmail market, the vast majority of potential users would have to make these decisions at the point of initial sign-up, while the user interface for existing users would not be further complicated. This example illustrates just one way in which Google might be able to able to make better decisions about the trade-offs at issue than the Anointed, however well-deserved their credentials in the field of web security.

Second, Google could add more discussion of SSL to its existing online educational resources about user privacy and security. Google could expand its Privacy Center on YouTube to include detailed discussions about the potential risks of not using persistent SSL and easy-to-follow video tutorials about the pros and cons of HTTPS.

The Politics of Shame A final word about tactics: I call Chris a “Shame Artist” in the best sense of the term. Shaming corporations is a key part of the reputational marketplace —something my colleague Adam Thierer has emphasized in his work [PDF p. 30] on online parental controls and child protection. People like Chris play a critical role in helping to raise public awareness of genuine problems, and to encourage companies to improve their practices. This dynamic has never worked as well, or as quickly, as it does in the online marketplace. But there are two important caveats to the beneficial role played by shame artists.

First, there is a fine line between (i) shining the spotlight of public attention on a problem and bringing reputational pressure to bear on the company responsible, and (ii) threatening such a company with regulation if you don’t get what you want. Here, as is often the case, Chris is playing dangerously close to that line. Chris’s “Lost in the Cloud” paper calls first for companies to change their practices voluntarily, then for mandating disclosure of SSL choices and risks, and then for mandates:

the government [could] regulate providers of cloud computing services, as it has already done in the banking and health industries. Banks are simply not permitted to let customers to make encryption a “choice,” just as car manufacturers are no longer permitted to make seat belts optional. We would prefer that regulators first forced cloud computing providers to display clear educational warnings before regulators go down the path of mandating specific technologies. However, if educational warnings failed to provoke a sufficient market response, stronger regulation might be appropriate.

At the very least, Chris is hanging the regulatory “Sword of Damocles” over the necks of cloud computing providers: The sword hasn’t fallen yet, but it threatens to drop at any moment if industry doesn’t cooperate.

Second, pressuring providers of free (ad-supported) services to offer more features risks increasing the deeply-rooted assumption that users of these services are somehow entitled to them, including whatever specific functionality the Anointed think ought to be included in the service. In fairness to Chris and his coalition, their letter does not specify how persistent SSL should be provided and he seems to be content with the idea that Google might charge for the service—a recognition of a trade-off that separates him from the more extreme among the Anointed. But once Congress, AGs and other government officials start rushing in to do Chris’s bidding, subtly or not-so-subtly coercing cloud service providers, I hope he isn’t surprised when they come back knocking on those same doors asking for more favors in the name of “Internet security.” With one hand they giveth (what Chris wants); with the other they might eventually take away (something Chris and his comrades find important).

But anytime a company is pressured to give away even more of what it’s already giving away for free, the expectation of a getting a “Free Lunch” grows. (“Free dessert, too?
Don’t mind if I do!“) Worse, if companies appear to cave in to this pressure without acknowledging the trade-offs involved, they both add to that expectation and encourage future attacks by shame artists, since they are signaling a willingness to cave-in. This is essentially the same moral hazard problem as created by negotiating with terrorists. I certainly don’t mean to compare either Chris’s goals or his methods to those of violent extremists or to trivialize his arguments. But the dynamic created by weak responses to shaming in this context is nonetheless analogous: Every time a company says “Why not? Cost is no issue!,” they make it that much more difficult for themselves and others to say, in the future, that cost sometimes will require more obvious trade-offs like charging users for the feature demanded by the Anointed. At some point, such “upsells” may become so politically untenable that the practical choices are (i) not offering the feature at all and (ii) offering it to everyone for free (the costs of which will be borne somewhere else). I fear we may already have reached that point.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

Today, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) announced the members of the new Online Safety and Technology Working Group (OSTWG).  I am honored to be among those chosen to participate in this new task force and I look forward to continuing the work started last year with the Harvard Berkman Center’s Internet Safety Technical Task Force (ISTTF), which I also served on.   I was very proud of the work done by the ISTTF and the impressive final report that Prof. John Palfrey crafted to reflect our findings.  I am eager to investigate these issues further and take a look at the latest research and technologies that can help us better understand how to protect our kids online while also protecting the free speech and privacy rights of Netizens.

The new NTIA working group, which was established under the “Protecting Children in the 21st Century Act,” will report to the Assistant Secretary of Commerce for Communications and Information on industry-implemented online child safety tools and efforts. Within a year of convening its first meeting, the group will submit a report of its findings and make recommendations on how to increase online safety measures.

Below the fold I have listed the complete roster of OSTWG task force members.  I very much looking forward to working with this outstanding group.  And I’m happy to report that my TLF blogging colleague Braden Cox will be joining me on this task force!

Ms. Parry Aftab, WiredSafety Ms. Elizabeth Banker, Yahoo! Inc. Mr. Christopher Bubb, AOL Ms. Anne Collier, Net Family News, Inc./ConnectSafely.org Mr. Braden Cox, NetChoice Coalition Ms. Caroline Curtin, Microsoft Mr. Brian Cute, Afilias U.S.A. Mr. Jeremy Geigle, Arizona Family Council Ms. Marsali Hancock, Internet Keep Safe Coalition Mr. Michael Kaiser, National Cyber Security Alliance Mr. Christopher Kelly, Facebook Mr. Brian Knapp, Loopt, Inc. Mr. Timothy Lordan, Internet Education Foundation Mr. Larry Magid, SafeKids.com/ConnectSafely.org Mr. Brian Markwalter, Consumer Electronics Association Mr. Michael McKeehan, Verizon Communications, Inc. Dr. Samuel McQuade, III, Rochester Institute of Technology Ms. Orit Michiel, Motion Picture Association of America, Inc. Mr. John Morris, Center for Democracy & Technology Mr. Jonathon Nevett, Network Solutions, LLC Mr. Hemanshu Nigam, MySpace/Fox Interactive Media Ms. Jill Nissen, Ning, Inc. Mr. Jay Opperman, Comcast Corporation Mr. Kevin Rupy, United States Telecom Association Mr. John Shehan, National Center for Missing & Exploited Children Mr. K. Dane Snowden, CTIA – the Wireless Association Mr. Adam Thierer, Progress & Freedom Foundation Ms. Patricia Vance, Entertainment Software Rating Board Mr. Ralph Yarro, The CP80 Foundation

• denotes co-chairs of the task force

My friend Anne Collier of Net Family News, one of America’s great sages on child safety issues, has produced a terrific list of reasons “Why Technopanics are Bad.”  Technopanics and moral panics are topics I’ve spent quite a bit of time commenting on here. (See 1, 2, 3, 4.) Anne is a rare voice of sanity and sensible advice when it comes to online child safety issues and I encourage you to read all her excellent work on the subject, including her book with Larry Magid, MySpace Unraveled: A Parent’s Guide to Teen Social Networking.  Anyway, here’s Anne’s list, and I encourage you to go over to her site and contribute your thoughts and suggestions about what else to add:

Technopanics are bad because they…

• Cause fear, which interferes with parent-child communication, which in turn puts kids at greater risk.
• Cause schools to fear and block digital media when they need to be teaching constructive use, employing social-technology devices and teaching new media literacy and citizenship classes throughout the curriculum.
• Turn schools into barriers rather than contributors to young people’s constructive use.
• Increase the irrelevancy of school to active young social-technology users via the sequestering or banning of educational technology and hamstring some of the most spirited and innovative educators.
• Distract parents, educators, policymakers from real risks – including, for example, child-pornography laws that do not cover situations where minors can simultaneously be victim and “perpetrator” and, tragically, become registered sex offenders in cases where there no criminal intent (e.g., see this).
• Reduce the competitiveness of US education among developed countries already effectively employing educational technology and social media in schools.
• Reduce the competitiveness of US technology and media businesses practicing good corporate citizenship where youth online safety is concerned.
• Lead to bad legislation, which aggravates above outcomes and takes the focus off areas where good laws on the books can be made relevant to current technology use.
• Widen the participation gap for youth – technopanics are barriers for children and teens to full, constructive participation in participatory culture and democracy.

Ars Technica has just posted the transcript of a friendly debate I recently engaged in with Harvard University law professor John Palfrey about the future of Section 230 of the Communications Decency Act and online liability more generally.  Our debate got started last fall, shortly after I penned a favorable review of John’s excellent new book (with Urs Gasser), Born Digital: Understanding the First Generation of Digital Natives.  [Listen to my podcast with John about it here.]  Although I enjoyed John’s book, I also raised some concerns about his call in the book to reopen and revise Section 230, specifically to address child safety concerns.  At the time, John and I were working together on the Berkman Center’s “Internet Safety Technical Task Force” and we decided to begin an e-mail exchange about the future of 230 and online liability norms more generally.  The result was the debate that Ars has just published.

In our exchange, I begin by asking John to more fully develop some statements and proposals he sets forth in Born Digital.  Specifically, he and co-author Urs Gasser argue that: “The scope of the immunity the CDA provides for online service providers is too broad” and that the law “should not preclude parents from bringing a claim of negligence against [a social networking site] for failing to protect the safety of its users.” They also suggest that “There is no reason why a social network should be protected from liability related to the safety of young people simply because its business operates online.” Specifically, the call for “strengthening private causes of action by clarifying that tort claims may be brought against online service providers when safety is at stake,” although they do not define those instances.

Using those proposals as a launching point for our discussion, I challenge John as follows:

I’m troubled by your proposals because I believe Section 230 has been crucial to the success of the Internet and the robust marketplace of online freedom of speech and expression. In many ways — whether intentional or not — Section 230 was the legal cornerstone that gave rise to many of the online freedoms we enjoy today. I fear that the proposal you have set forth could reverse that. It could lead to crushing liability for many online operators-and not just giants like MySpace or Facebook-that might not be able to absorb the litigation costs. Could you elaborate a bit more about your proposal and explain why you think the time has come to alter Section 230 and online liability norms?

And John does and then we go back-and-forth from there.  Again, you can read the whole exchange over at Ars.

It was a great pleasure to engage in this exchange with Prof. Palfrey and I look forward to what others have to say in response to our debate.  I am working on a longer paper looking broadly at the rising threats to Sec. 230 and the increasing calls for expanded online liability and middleman deputization.  I will use whatever feedback I get from this exchange to refine my paper and proposals.

Online child safety — especially the fear of predators lurking on social networking sites (SNS) — continues to spur calls by state and federal lawmakers for regulation.  At first, some federal lawmakers advocated outright bans on SNS in schools and libraries via the Deleting Online Predators Act (DOPA).  Meanwhile, state and local lawmakers — specifically state Attorneys General (AGs) — have been even more vociferous in their calls for regulation in the form of mandatory age verification for social networking sites, which would cover a broad swath of online sites and activities according to their definitions of SNS. But the question that ultimately gets lost in this debate is: Just how much risk do social networking sites really pose for teens?  Which risks are real and which are overblown? And what’s the best way to deal with the risks that we find to be legitimate?

Nancy Willard devotes her life to answering those questions. Willard is one of America’s leading experts on online safety and risk prevention. She runs the Center for Safe and Responsible Internet Use and she is the author of two outstanding books, Cyberbullying and Cyberthreats and Cyber-Safe Kids, Cyber-Savvy Teens.  In my opinion, Willard’s general approach to online child safety is the most enlightened, level-headed, and likely to be effective. That’s because Willard focuses on putting fears in perspective, identifying the actual risks that kids face online, and devising sensible strategies to deal with risks and problems as they are discovered. Her approach is holistic and built upon sound data, targeted risk-identification strategies, and time-tested education and mentoring methods. For my money, it’s the most sensible approach to online safety issues. In fact, when other parents ask me for “just one thing” to read on the topic, I usually recommend Willard’s work — especially her amazing book Cyber-Safe Kids, Cyber-Savvy Teens. And her background in early childhood education, special education for “at risk” children with emotional and behavior difficulties, as well as experience in computer law, means she is uniquely suited to be analyzing these issues.  In sum, this is woman we should all be closely listening to on these issues.

Recently, Willard has been responding to criticisms that state AGs have leveled against the Internet Safety Technical Task Force (ISTTF) and its final report. [Disclaimer: I was a member of the ISTTF.] I’ve already outlined the ISTTF’s work at length here, but the three key takeaways from the report were that:

1. the risk of predation on social network sites has been over-stated; the data suggest that cyber-bullying is the bigger problem on SNS;
2. there is no silver-bullet technical solution to online child safety concerns, and mandatory age verification, in particular, would not make kids safer online but could even create bigger problems in the long-run;
3. education and empowerment are the real keys to keeping kids safer online.

The response from some state AGs to these findings was quite hostile, with some arguing that the ISTTF did not take online risks seriously enough, or that we relied on “outdated and inadequate” data in reaching our conclusions.  Willard addresses those arguments in a new white paper: “Research that is ‘Outdated and Inadequate?’ An Analysis of the Pennsylvania Child Predator Unit Arrests in Response to Attorney General Criticism of the Berkman Task Force Report.”  In this study, she analyzes data from arrest records from Pennsylvania’s Child Predator Unit to determine exactly how these individuals were operating online. Although it’s just one state’s worth of data — that’s all that seems to have been made publicly available in a single database at this time — it can give us a clue to what might be going on out there. The results are illuminating.

Here’s what Willard found:

The search yielded 143 responses. As noted by the Attorney General, 183 predators had been arrested. All of these arrests were described in the press releases dated from March 21, 2005 to January 13, 2009 – thus allowing for a full analysis of the arrests of sexual predators in the state Pennsylvania for the last 4 years by the Attorney General’s Child Predator Unit. The analysis of the arrests that involved predatory actions, excluding the arrests for child pornography, revealed the following:

• Only 8 incidents involved actual teen victims with whom the Internet was used to form a relationship.
  • In 4 of these incidents, teens or parents reported the contact. The other 4 cases were discovered in an analysis of the computer files of a predator who had been arrested in a sting operation. Five of the cases had led to inappropriate sexual contact. The other situations were discovered prior to any actual contact.
• There were 166 arrests as a result of sting activities where the predator contacted an undercover agent who was posing as a 12 – 14 year old, generally a girl.
  • The vast majority of the stings, 144, occurred in chat rooms. Eleven stings occurred through instant messaging. Nine of the arrests failed to specify the location, but the description bore significant similarity to the chat room incidents. One involved an advertisement that had been placed on Craig’s List.
  • There were only 12 reports of predators being deceptive about their age.
  • The descriptions of these chats incidents bear out what the research reviewed by the [ISTTF’s] Research Advisory Board found – that online predators are rarely deceptive about their interests.

Specifically,”Because the attorneys general have been focusing their attention on the social networking sites, MySpace and Facebook,” Willard made sure to give “special attention to any case that mentioned any activity occurring on either of these two sites.” Here’s what she found in that regard:

• One of the incidents involving an actual teen victim, communications took place on MySpace. This was a rearrest of a person who had already been arrested through a sting.
• A police officer who was arrested for sexual abuse of many teens with whom he had interacted with in the line of duty also had a MySpace account with friendship links to teen girl, but there was no assertion that these communications had led to sexual activity.
• One predator in a sting provided the agent with a link to his Facebook page.
• In 5 of the stings that took place in a chat room, reference was made to the fact that the predator had either looked at the teen’s MySpace account or suggested the teen look at his profile.

Importantly, Willard points out, “Despite the establishment of one or more public profiles on MySpace [by the PA Child Predator Unit], there has apparently not been one successful sting operation initiated on MySpace in the more than two years during which these sting profiles have been in existence.”

From these findings, Willard concludes that:

The insight gained through an analysis of the Pennsylvania Attorney General’s press releases on arrests for online sexual predation provide strong support for the validity of the conclusions of the Berkman Research Advisory Board and demonstrate the need for greater collaboration between law enforcement and researchers to address the actual risks to young people from sexual predators online.

In other words, the Pennsylvania data seem to confirm that predation is not as serious of a risk on SNS as some AGs had claimed. “It appears that chat rooms are far less safe than social networking sites and that there is limited inclination and ability of predators to use social networking sites to contact potential teen victims,” Willard notes. Consequently, she argues:

Attention must be paid to the obvious risks related to chat room communications, as well as the risk factors that are being manifested by the young people who may still be frequenting these chat rooms, especially the chat rooms where sexual relations are being discussed. It appears that rather than seek ways to discourage teens from participating in social networking sites, these sites are destinations that should be encouraged as much safe than the alternatives. A focus must be placed on improving the protective features of chat rooms that are frequented by minors.

We need to know more about which chat rooms are in question and why some youth visit those chat rooms. More importantly, how can we develop sensible messages for youth about the dangers of chat rooms that are targeted to adults and adult sexual activity?

But it is vitally important not to lose sight of the big picture here. As Willard summarizes it:

The incidents of online sexual predation are rare. Far more children and teens are being sexually abused by family members and acquaintances. It is imperative that we remain focused on the issue of child sexual abuse – regardless of how the abusive relationship is initiated.

Indeed, volumes of research on child abuse, child predation, and child abduction all point to this same conclusion: Your kids are actually more at risk from known acquaintances — especially family members — than they are from random strangers (including random strangers they might meet online).

Of course, this doesn’t mean we shouldn’t continue to develop sensible educational messages for youth about proper online behavior and how to report legitimate problems or troubling interactions that they experience online. Again, Willard has done this elsewhere and many of us (including those of us involved in the Berkman Center task force) have long been pushing for increased resources for online safety education and media literacy efforts as the first, best step towards improving online youth safety. We need to get AGs and other policymakers to work together with us to get this important task started — now!

Finally, Willard correctly notes that the AGs and other law enforcement agencies need to be willing to release more data like the Pennsylvania AG did such that further analysis of this problem is possible. If the AGs’ primary complaint with the ISTTF report was that the data we used was somewhat dated, then the best solution to that problem is for the AGs and other law enforcement agencies to open up their records to the child safety community so that risk researchers like Willard can get a better feel for what’s going on out there and devise strategies to deal with it.  Unfortunately, there’s still too much horn-locking going on between these communities and, sadly, I think some AGs are using this issue to create an atmosphere of fear for political gain. We need to find ways to communicate actual risks — such as those that kids would face in some specific, adult-oriented chat rooms — without going overboard and making parents and the general public think that there’s a bogeyman on every cyber-corner of the Internet.

[ Further reading: As usual, my friend Anne Collier over at Net Family News.org has done a much better job summarizing an issue than I have. Read her discussion of Nancy Willard’s paper and its implications here.]

(HT The 463) Forget the sex offenders on MySpace, Connecticut Attorney General Richard Blumenthal (and C|Net reporter Elinor Mills) should be investigating reincarnation on Facebook!!

Terrorism too!

Seriously, they appear to have been completely taken in by a joke MySpace page.

The Internet Safety Technical Task Force (ISTTF), which was formed a year ago to study online safety concerns and technologies, today issued its final report to the U.S. Attorneys General who authorized its creation. It was a great honor for me to serve as a member of the ISTTF and I believe this Task Force and its report represent a major step forward in the discussion about online child safety in this country.

The ISTTF was very ably chaired by John Palfrey, co-director of Harvard University’s Berkman Center for Internet & Society, and I just want to express my profound thanks here to John and his team at Harvard for doing a great job herding cats and overseeing a very challenging process. I encourage everyone to examine the full ISTTF report and all the submissions, presentations, and academic literature that we collected. [It’s all here.] It was a comprehensive undertaking that left no stone unturned.

Importantly, the ISTTF convened (1) a Research Advisory Board (RAB),which brought together some of the best and brightest academic researchers in the field of child safety and child development and (2) a Technical Advisory Board (TAB), which included some of America’s leading technologists, who reviewed child safety technologies submitted to the ISTTF. I strongly recommend you closely examine the RAB literature review and TAB assessment of technologies because those reports provide very detailed assessments of the issues. They both represent amazing achievements in their respective arenas.

There are a couple of key takeaways from the ISTTF’s research and final 278-page report that I want to highlight here. Most importantly, like past blue-ribbon commissions that have studied this issue, the ISTTF has generally concluded there is no silver-bullet technical solution to online child safety concerns. The better way forward is a “layered approach” to online child protection. Here’s how we put it on page 6 of the final report:

The Task Force remains optimistic about the development of technologies to enhance protections for minors online and to support institutions and individuals involved in protecting minors, but cautions against overreliance on technology in isolation or on a single technological approach. Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online. All stakeholders must continue to work in a cooperative and collaborative manner, sharing information and ideas to achieve the common goal of making the Internet as safe as possible for minors.

In sum, education and empowerment are the real keys to keeping kids safer online. We all need to work harder to mentor our children and help them develop the skills and good old fashion common sense to make smart decisions online. Technical tools can supplement — but can never supplant — education, parental guidance, and better mentoring.

Still, this was a task force that primarily came about after state attorneys general (AGs) had been incessantly pressuring social networking sites like MySpace and Facebook to adopt age verification technologies as a solution to online child safety concerns. Specifically, fears about online predators — driven largely by the moral panic whipped up by shows like NBC’s “To Catch a Predator” — prompted calls for mandatory age verification for social networking sites.

So, what did the final ISTTF report have to say about mandatory age verification. Answer: Probably not as much as the AGs were hoping for, and what we did say they may not like to hear.

First, the ISTTF’s Research Advisory Board conclusively proved the primary online safety issue today is peer-on-peer cyber-harassment, not adult predation. Mandatory age verification would do nothing to stop cyberbullying. Indeed, the lack of adult supervision may even exacerbate the problem.

Second, after reviewing various age verification solutions, the ISTTF’s Technical Advisory Board concluded:

Age verification and identity authentication technologies are appealing in concept but challenged in terms of effectiveness. Any system that relies on remote verification of information has potential for inaccuracies. For example, on the user side, it is never certain that the person attempting to verify an identity is using their own actual identity or someone else’s. Any system that relies on public records has a better likelihood of accurately verifying an adult than a minor due to extant records. Any system that focuses on third-party in-person verification would require significant political backing and social acceptance. Additionally, any central repository of this type of personal information would raise significant privacy concerns and security issues.

As a result, our final report concluded that:

The Task Force does not believe that the Attorneys General should endorse any one technology or set of technologies to protect minors online. Instead, the Attorneys General should continue to work collaboratively with all stakeholders in pursuing a multifaceted approach to enhance safety for minors online.

Then, on pages 28-31, we go into more detail about age verification, finding that:

[Age verification] approaches are less effective in the child safety context — in other words, at creating safe environments for minors — than in the context of completing financial transactions or regulating purchases, especially to the extent that identity authentication and age verification focus solely upon adults. The reasons for this include the fact that in the commercial and financial contexts, an adult typically wants to verify his or her identity correctly in order to purchase a product or get access to records. Moreover, when adults purchase regulated items (such as alcohol or tobacco) online, in some cases a second form of age verification occurs when the item is delivered.

The identity authentication and age verification solutions that authenticate or verify only adults could be and are already sometimes used to reduce minors’ access to adult-only sites. Because they do not authenticate or verify minors, however, they cannot be used to create environments for minors that require authentication or verification prior to access. To the extent that an adult nonetheless uses his or her own verifiable information when accessing an environment intended only for minors, these technologies could enhance the ability of Internet service providers and social network sites to exclude that adult. Of course, it seems unlikely that an adult with nefarious purposes would proceed in this manner. Thus, while these types of identity authentication and age verification technologies may be helpful for other purposes, they do not appear to offer substantial help in protecting minors from sexual solicitation.

And there’s far more detail following this passage from the final report, so please read that section for additional discussion.

Again, some AGs may not like to hear all this but these were near-consensus findings of the Task Force. And, if anything, the Task Force probably did not far enough to show why mandatory age verification will not work and how age verification will actually make kids less safe online. In my final statement to the Task Force, this is what I spent my time focusing on. I outlined the dangers of age verification as well as 10 questions about age verification that the AGs must answer if they persist in this pursuit of a technological Holy Grail. I have embedded my entire expanded final statement down below as a Scribd document, but here are the key reasons I believe mandatory age verification represents a dangerous solution to online child safety concerns:

Again, although the Task Force didn’t go quite as far as I would have liked in terms of making clear the dangers associated with mandatory age verification, I think our final report reflects the general skepticism among Task Force members about taking that path or relying too heavily on any single, silver-bullet technical approach to online child safety concerns. Again, this is real progress; a sensible step forward in the discussion about keeping our kids safe online.

I hope policymakers will take a close look at our conclusions and recommendations and take them seriously. We need to stop wasting so much time searching for silver bullets and start getting more serious about how to better mentor our kids so that they can be good — and safe — digital citizens. Education, not regulation, is the key.

Below I have linked to some background essays about the Internet Safety Technical Task Force as well as additional thoughts by fellow task force members or reporters. I’ll add to it as I see new things in coming days.

Additional thoughts / articles about the ISTTF:

• ISTTF director John Palfrey discusses the report on this short podcast with Larry Magid as well as this longer one from the Berkman Center
• ISTTF co-director danah boyd comments on the report on her blog
• ISTTF member Larry Magid of ConnectSafely.org: “Net Threat to Minors Less Than Feared,” CNet News.com
• ISTTF member Anne Collier of Net Family News: “Key Crossroads for Net Safety“
• ISTTF member Stephen Balkam of FOSI featured on an NPR podcast about our work
• ISTTF member John Morris of CDT: “Deconstructing Reaction to Net Safety Task Force Report“
• ISTTF member Marsali Hancock, President of iKeepSafe blog essay about the task force
• AGs respond to report in interview with Emily Steel of the Wall Street Journal: “The Case for Age Verification“
• New York Times article by Brad Stone: “Report Calls Online Threats to Children Overblown“
• Wall Street Journal article by Emily Steel: “No Easy Answer for Protecting Kids Online“
• Associated Press story by Anick Jesdanun: “Panel: Technology Alone Can’t Protect Kids Online“
• Chronicle of Higher Education Wired Campus blog entry by Tracy Mitrano, “Report Weighs the Benefits and Risks of Social Networks,”
• PC World article by Jaikumar Vijayan: “Study Accused of Exaggerating Kids Online Safety“
• PC World blog post by Jaikumar Vijayan: “Are Internet Child Safety Concerns Overblown or Understated?”

Background info:

• an old blog entry of mine about the formation of the task force
• an old paper of mine about the agreement between MySpace and AGs that led to the formation of the ISTTF
• an essay of mine from the ISTTF’s mid-point: “Age Verification Debate Continues; Schools Now at Center of Discussion“
• my big white paper on the dangers of mandatory age verification
• my book: “Parental Controls and Online Child Protection: A Survey of Tools and Methods”
• my final ISTTF statement, which is also embedded below as a Scribd document…

Last month, I noted that UCLA Law School professor Doug Lichtman has a wonderful new monthly podcast called the “Intellectual Property Colloquium.” This month’s show features two giants in the field of tech policy — George Washington Law Professor Daniel Solove and Santa Clara Law Professor Eric Goldman –- discussing online privacy, defamation, and intermediary liability. More specifically, in separate conversations, Solove and Goldman both consider the scope of Section 230 of the Communications Decency Act of 1996, which shields Internet intermediaries from liability for the speech and expression of their users. Sec. 230 is the subject of hot debate these days and Solove and Goldman provide two very different perspectives about the law and its impact.

Goldman calls Sec. 230 “pure cyberspace exceptionalism” in the sense that it breaks from traditional tort norms governing intermediary liability. But he argues that this new online version of intermediary liability (which is extremely limited in scope) encourages more robust speech and expression than the older, offline version of liability (which was far more strict). I completely agree with Eric Goldman, but I respect the arguments that Lichtman and Solove raise about the privacy and defamation problems raised by the purist approach that Goldman and I favor.

Goldman also does a nice job dissecting the Roomates.com and Craigslist.com cases. And Lichtman brings up the JuicyCampus.com case during the conclusion. These are important cases for the future of Sec. 230 and online liability. Incidentally, there’s also an interesting conversation between Lichtman and Solove (around the 32:00 mark) about an issue that Alex Harris and Tim Lee have been raising here about the nature of online contracts and the perils of messy EULAs / Terms of Service (TOS).

These are two absolutely terrific conversations. Very in-depth and very highly recommended. Listen here.

[Note: I recently reviewed Daniel Solove’s important new book, Understanding Privacy, here.]

Important article in the New York Times yesterday in which Brian Stelter wondered if, in the wake of the Lori Drew verdict this week, “Is lying about one’s identity on the Internet now a crime?” It’s still unclear if the case will have such profound ramifications, but it has many quite worried. Stelter quotes occasional TLF contributor Andrew Grossman, who is Senior Legal Policy Analyst at the Heritage Foundation. Andrew penned an outstanding paper on the case for Heritage in mid-September: “The MySpace Suicide: A Case Study in Overcriminalization.” He summarized the paper and the important issues at stake in the case in this post for the TLF: “Go to Jail for Online Anonymity: The End of Internet Freedom?”  Make sure you read them. I wholeheartedly agree with the concerns Andrew outlines in those essays.

You’ll also want to check out Orin Kerr’s analysis of the case over at the Volohk Consipiracy as well as his tounge-and-cheek piece today about changing the blog’s Terms of Service in light of the decision. I’ve been more focused recently on the threat posed to online anonymity by mandatory online age verification, but this case could have equally important ramifications.

Over the past year, I have been monitoring a very interesting trend with important ramifications for the future of Internet policy. State Attorneys General (AGs) — often in league with the National Center for Missing and Exploited Children (NCMEC) — have been striking a variety of “voluntary” agreements with various Internet companies that deal with child safety concerns or other online issues. These agreements require the companies involved to take various steps to alter site architecture and functionality, commit to stop certain practices, or take steps to block certain users (ex: predators; escort services) or types of content (ex: child porn; online “discrimination”) altogether.

To begin, let me be very clear about one thing: Some of these activities or types of content warrant a law enforcement response. That is certainly the case with child pornography or predation, for example. However, as I will note down below, there is a legitimate question about whether state officials and a non-profit private organization should be crafting legal or regulatory policies to address such concerns for a global medium like the Internet. Regardless, these agreements are creating a new layer of Internet regulation (almost extra-legal in character) that is worthy of exploration.

First, let me itemize some of these recent “voluntary” agreements between Internet companies and the AGs and/or NCMEC:

• MySpace, Facebook & 49 state AGs: On January 14th, 2008, social networking website operator MySpace.com announced an agreement with 49 state Attorneys General (AGs) aimed at better protecting children online. As part their “Joint Statement on Key Principles of Social Networking Safety,” MySpace promised the AGs it would expand online safety tools, improve education efforts, and expand its cooperation with law enforcement. Facebook entered into a similar agreement with the AGs in May. These agreements came after AGs had relentlessly pushed these social networking sites for over a year to adopt age verification techniques to screen site users. Although mandatory age verification was not part of the final agreements, an Internet Safety Technical Task Force (ISTTF) was formed to study online safety tools, including a review of online identity authentication technology. It was clear when the announcements were made that the AGs were very interested in seeing online age verification pursued.
• Various ISPs and New York AG + NCMEC: In June 2008, New York Attorney General Andrew Cuomo pushed several major ISPs to enter into a Memorandum of Understanding (MOU) with NCMEC to address the dissemination of child pornography online.  Under the MOU, the ISPs must use a NCMEC-provided list of URLs supposedly containing child pornographic images to blacklist and block all access to those sites for their users. The agreement also closed off access to Usenet discussion boards on those ISP’s networks.
• Craigslist & California AG + NCMEC: In early November, Craigslist struck an agreement with 40 state AGs as well as NCMEC in which the online classifies operator agreed to take steps to root out certain sexually-themed or “erotic services” listings. See this Ars Technica article for additional details.
• eHarmony & New Jersey AG: Just this past week, the online dating service company eHarmony announced it had struck an agreement with the Attorney General of New Jersey to settle a complaint that a New Jersey resident filed with the state in 2005 alleging that eHarmony violated his rights by not offering a same-sex matching service. The agreement creates some interesting questions, as George Mason University law professor David Bernstein told the Wall Street Journal. The discrimination claim “seems like quite a stretch,” he said, and he said that he is worried it might encourage similar claims. “If you start a dating service for African Americans, do you need one for whites and Latinos? If you have one for Jews, do you need one for Christians and Muslims?” According to the Journal, eHarmony faces a similar discrimination claim in a California court, so we might get answers soon enough.

There are a number of interesting legal and practical questions raised by these agreements:

• “Voluntary” Agreements & the Law: Although typically billed as “voluntary” in nature, it seems highly unlikely that any of the companies involved would have made these concessions without  pressure from the state AGs (and sometimes NCMEC) to do so. How binding are these agreements in light of that? Of course, it is unlikely any of the companies involved would (or could) later challenge the validity or scope of these agreements after they had already signed onto them. But what if a free speech or civil liberties group challenged these agreements in court because of their impact on the Internet, online speech, or a certain group of citizens? Would they have a case? Would they even have standing? Where do they have it?
• Precedent & Applicability: Do such agreements constitute precedents that could be applied in other cases or contexts? Could parties not involved in the original agreements — either because they refused or did not yet exist — eventually be covered by them in some fashion? Do these agreements cover services available in the American but hosted entirely overseas?
• Commerce Clause Issues: Do state Attorneys General have the right to impose such quasi-regulatory regimes on an interstate medium like the Internet? Can 50 state AGs impose uniform laws on the Net without any congressional oversight, as was the case in the MySpace and Craigslist agreements? Conversely, what will the impact be of individual state AGs going their own way, as was the case with the eHarmony agreement? If Congress remains silent on the agreements but a group (ex: a civil liberties group) brings a dormant Commerce Clause case, what are their chances of prevailing in court?
• Accountability & Effectiveness: Will anyone in Congress or a federal agency oversee these agreements? How transparent are these agreements when they are brokered behind closed doors or with NCMEC? Does the Freedom of Information Act (FOIA) apply such that records and information can be made public?  What is the benchmark of success when different states adopt different legal regimes for the Net?

I’m not saying I have any good answers here; I’m just trying to get the questions on the table and get a discussion going. I would appreciate any input on the matter, especially of the legal variety. It strikes me that we are in somewhat uncharted waters here, at least for the Internet. On the other hand, I’m sure there have been state AG-related “voluntary” agreements struck in other industries and contexts in the past that might provide some insight into what, if anything, happens next.

What I find most interesting about these developments is that the state AGs appear to be gradually accomplishing what Congress has not been able to do over the past dozen years: To impose a comprehensive regulatory structure on the Internet. But that emerging regulatory structure is highly fractured and piecemeal in nature, and that troubles me. I am particularly concerned about the long-term impact of a 50-state patchwork approach to online regulation — both for speech and commerce. It’s not like we’re talking about the regulation of a corner newsstand here, after all. This is the Internet, and localized regulation of this national — actually global — platform makes me more than a bit nervous.

In closing, I want to again reiterate that I do not necessarily oppose intervention in any of these cases. However, to the extent such regulations do need to be imposed and enforced, it may make more sense for the process to be federalized and NCMEC’s role nationalized and administered by the Federal Bureau of Investigation or some branch of the Department of Justice. There needs to be greater transparency and accountability when matters of child pornography or predation are at issue, and NCMEC’s lack of FOIA-ability in this regard is problematic. I think NCMEC is a fine organization that does very important work to help protect children, but it is work that involves criminal activities and the collection of evidence that could be used in criminal court proceedings. In light of that — and in light of the expanded law enforcement powers being granted to NCMEC — I believe the time has come to have a serious conversation about whether those powers should continue to be housed in a private, non-profit organization, or if they should be transfered to a federal law enforcement agency. Of course, there could be serious downsides associated with the nationalization of those powers, which also should be considered.

I’ve spent a lot of time in recent years trying to debunk various myths about online child safety or at least put those risks into perspective. Too often, press reports and public policy initiatives are being driven by myths, irrational fears, or unjustified “moral panics.”  Luckily, the New York Times reports that there’s another study out this week that helps us see things in a more level-headed light. This new MacArthur Foundation report is entitled Living and Learning with New Media: Summary of Findings from the Digital Youth Project. This white paper is a summary of three years of research on kids’ informal learning with digital media. The survey incorporates the insights from 800 youth and young adults and over 5000 hours of online observations. The information will eventually be contained in a book from MIT Press (“Hanging Out, Messing Around, Geeking Out: Living and Learning with New Media.”)

From the summary of the study on the MacArthur website:

“It might surprise parents to learn that it is not a waste of time for their teens to hang out online,” said Mizuko Ito, University of California, Irvine researcher and the report’s lead author. “There are myths about kids spending time online – that it is dangerous or making them lazy. But we found that spending time online is essential for young people to pick up the social and technical skills they need to be competent citizens in the digital age.”

Importantly, regarding the concerns many parents and policymakers have about online predation, Ms. Ito told the New York Times that, “Those concerns about predators and stranger danger have been overblown.” “There’s been some confusion about what kids are actually doing online. Mostly, they’re socializing with their friends, people they’ve met at school or camp or sports.”

In the report, according to the summary, the researchers “identified two distinctive categories of teen engagement with digital media: friendship-driven and interest-driven. While friendship-driven participation centered on “hanging out” with existing friends, interest-driven participation involved accessing online information and communities that may not be present in the local peer group.” The specific findings of the study are as follows:

• There is a generation gap in how youth and adults view the value of online activity.
  • Adults tend to be in the dark about what youth are doing online, and often view online activity as risky or an unproductive distraction.
  • Youth understand the social value of online activity and are generally highly motivated to participate.
• Youth are navigating complex social and technical worlds by participating online.
  • Young people are learning basic social and technical skills that they need to fully participate in contemporary society.
  • The social worlds that youth are negotiating have new kinds of dynamics, as online socializing is permanent, public, involves managing elaborate networks of friends and acquaintances, and is always on.
• Young people are motivated to learn from their peers online.
  • The Internet provides new kinds of public spaces for youth to interact and receive feedback from one another.
  • Young people respect each other’s authority online and are more motivated to learn from each other than from adults.
• Most youth are not taking full advantage of the learning opportunities of the Internet.
  • Most youth use the Internet socially, but other learning opportunities exist.
  • Youth can connect with people in different locations and of different ages who share their interests, making it possible to pursue interests that might not be popular or valued with their local peer groups.
  • “Geeked-out” learning opportunities are abundant – subjects like astronomy, creative writing, and foreign languages.

These findings are consistent with the much of the existing research already out there about online youth behavior and Internet interactions. As I have mentioned here before, over the past year, I have been serving on the Internet Safety Technical Task Force (ISTTF), which was formed following a January 2008 agreement between social networking website operator MySpace.com and 49 state Attorneys General. As part their “Joint Statement on Key Principles of Social Networking Safety,” MySpace promised the AGs it would expand online safety tools, improve education efforts, and expand its cooperation with law enforcement. Importantly, they also agreed to create the ISTTF to study online safety issues and technologies.

The Berkman Center for Internet & Society at Harvard Law School was tapped to run the ISTTF, and the Task Force included a wide diversity of child safety groups, non-profit organization, and Internet companies. During a session the Task Force held in Washington, DC on April 30th, we heard from several of the nation’s top researchers in the field of online child safety. The presentations were quite enlightening and the videos of the sessions — as well as supporting materials — have all been posted on a special Berkman Center website. I just wanted to share all of those links with you here so that you have access to these wonderful materials. As you will see, they tell the same story the new MacArthur report does: Almost everything the press and policymakers have told us about online child actions and safety has been wrong.

Anyway, read (or watch) for yourself and decide. (P.S. When the final ISTTF report comes out later this year, it will include a massive compendium of all the relevant surveys and academic research done in this field. It will be the definitive treatment of the issue. An early draft is online here. I will post the final link here once the Task Force wraps up.)

April 30, 2008 – ISTTF Child Online Safety Expert Panel

• Teens OnlineStranger Contact and Cyberbullying: What research is telling us Amanda Lenhart, Pew Internet & American Life Project Presentation in .pdf video
• Youth & Law Enforcement Surveys Janis Wolak, Crimes against Children Research Center Presentation in .pdf video
• Social networking sites, unwanted sexual solicitation, Internet harassment, and cyberbullying Michele Ybarra, Internet Solutions for Kids, Inc. Presentation in .pdf video
• Panel Q&A video
• Further reading
  • 1 in 7 Youth: The Statistics about Online Sexual Solicitations
  • Online “Predators” and Their Victims: Myths, Realities, and Implications for Prevention and Treatment
  • Internet Safety Education for Teens: Getting It Right
  • Internet Prevention Messages: Targeting the Right Online Behaviors
  • Teens, Stranger Contact & Cyberbullying
  • How Risky Are Social Networking Sites?
  • Updated Trends in Child Maltreatment, 2006

Of the titles I included in a mega-book review about Internet optimists and pessimists that I posted here a few months ago, I mentioned Lee Siegel’s new book, Against the Machine: Being Human in the Age of the Electronic Mob.  It is certainly the dourest of the recent books that have adopted a pessimistic view of the impact the Internet is having on our culture, society, and economy. Because Siegel’s book is one of the most important technology policy books of 2008, however, I decided to give it a closer look here.

Siegel’s book essentially picks up where Andrew Keen’s leaves off in Cult of the Amateur: How Today’s Internet is Killing our Culture (2007).  I posted a two-part review of Keen’s book here last year [Part 1, Part 2], but here’s a quick taste of Keen’s take on things.  He argues “the moral fabric of our society is being unraveled by Web 2.0” and that “our cultural standards and moral values are not all that are at stake.  Gravest of all,” Keen continues, “the very traditional institutions that have helped to foster and create our news, our music, our literature, our television shows, and our movies are under assault as well.”

As I noted in my earlier “Net optimists vs. pessimists” essay, after reading Cult of the Amateur, I didn’t think anyone else could ever be quite as over-the-top and Chicken Little-ish as Keen. But after working my way through Siegel’s Against the Machine, I realized I was wrong. It made Keen seem downright reasonable and cheery by comparison! Keen and Siegel seem to be in heated competition for the title “High Prophet of Internet Doom,” but Siegel is currently a nose ahead in that race.

Keen and Siegel are both essentially channeling the ghost of the late Neil Postman, the one-time dean of the modern school of techno-pessimism. Postman’s 1992 book Technopoly: The Surrender of Culture to Technology, was the first major anti-Digital Age diatribe and it remains the reigning champion of anti-technology screeds. “Information has become a form of garbage,” Postman argued, “not only incapable of answering the most fundamental human questions but barely useful in providing coherent direction to the solution of even mundane problems.” If left unchecked, Postman argued, America’s new technopoly — “the submission of all forms of cultural life to the sovereignty of technique and technology” — would destroy “the vital sources of our humanity” and lead to “a culture without a moral foundation” by undermining “certain mental processes and social relations that make human life worth living.”

Although Lee Siegel doesn’t bother citing him, he owes much to Postman’s brand of social criticism. Indeed, in large part, Siegel is simply bringing Postman’s critique of the Information Age up to date. Like Postman and Keen, Siegel is concerned about the “destructive side” of the Internet and the Information Age, which they all feel is being overlooked. Specifically, the attack these authors mount on the Information Age and the Net can be boiled down to two major themes:

1. The Net is destroying (or at least greatly diminishing) the role of experts, authority, “truth”, and traditional societal norms and institutions. This is having (or eventually will result in) dangerous ramifications for our culture, economy, and democracy.
2. The personalization and customization that the Information Age and the Internet have spawned is an unambiguously negative development for our society and culture. Moreover, in large part, the entire Web 2.0 experience is largely just about commercial interests furthering their ends.

Let’s take a closer look what Siegel says about each.

Experts, Authority, and “Truth”

Like Postman and Keen, Siegel doesn’t mix words when it comes to his contempt for the disintermediating influences of modern information technology. He is particularly concerned about the loss of “truth” and “authority” in our new environment. “Culture needs authoritative institutions like a powerful newspaper; it needs them both to protect its critical, independent spirit and to make sure that culture’s voices heard in the louder din of more powerful economic and political entities.” (p. 140-1) By empowering the masses to have more of a voice, Siegel says, “unbiased, rational, intelligent, and comprehensive news… will become less and less available.” (p. 165) “[G]iving everyone a voice,” he argues, “can also be a way to keep the most creative, intelligent, and original voices from being heard.” (p. 5)

Like many other Net skeptics, Siegel views Wikipedia, YouTube, blogs, and almost all user-generated content with a combination of confusion or contempt. “[S]elf-expression is not the same thing as imagination” or art, he argues. (p. 52)  Instead, he regards the explosion of online expression as the “narcissistic” bloviation of the masses and argues it is destroying true culture and knowledge. “Under the influence of the Internet,” he says, “knowledge is withering away into information.” (p. 152) Our new age of information abundance is not worth celebrating, he says, because “information is powerlessness.” (p. 148).

One reason Siegel gets nostalgic about the age of scarcity is because elites like him — and others who were lucky enough to have access to mainstream media — had a more privileged place in the old media world.  As a social / cultural critic, he can’t be happy with all the competition he now faces in that field from the blogosphere and online media outlets.

But it’s difficult to sympathize with Siegel’s position that others should be excluded from having a voice now in an effort to preserve the old order. After all, for the past seven decades, public policy has largely been preoccupied with getting society out of the scarcity mess (even though public policy created much of that mess!) by ensuring that citizens had more choices and outlets. Now that we have more options, some people like Keen and Siegel aren’t happy about the fact that the hoi polloi have been empowered. But, even if some traditional institutions lose the dominant position they once held in society, plenty of “authoritative” and “professional” media options and outlets continue to exist. Our new Information Age simply empowers millions of other voices to join the conversation and offer alternative perspectives and input.

But Siegel also disputes what he regards as such romanticized notions of “online participation” and “personal democracy.” To him, everyone is just in it for the money. “Web 2.0 is the brainchild of businessmen,” and the “producer public” is really just a “totalized ‘consumerist’ society.”  But what about all those bloggers who (like me!) are in it for the love of the conversation and debate?  Well, says Siegel, we just don’t realize the harm we are doing by trying to have our say!  “[T]he bloggers are playing into the hands of political and financial forces that want nothing more than to see the critical, scrutinizing media disappear.” (p. 141) And as for those true believers and Net evangelists who believe that something truly exciting is happening with our new online conversation, according to Siegel, they are simply “in a mad rush to earn profits or push a fervent idealism.” (p. 25-6)

It’s difficult for me to imagine anything more insultingly stupid than those last two statements.  The insulting part about them is that Siegel is essentially telling us all to shut up!  We all need to put down our pens — or, rather, our keyboards — and understand that we are doing great harm to those journalists, institutions, or other enlightened few who are really providing the “critical, scrutinizing” function so essential for a healthy democracy and culture. It’s just blatantly elitist for Siegel to suggest that only a select few have any business sharing their views with the world, and he even acknowledges that several times in the book. But he wears that elitist tag like a badge of honor as he stares down his nose at the newly empowered masses, snorting in disgust at everything he sees.

And the stupid part about those statements above is that the vast majority of bloggers or online participants are absolutely not in it for the money, or even out to take down mainstream media. They just want to be heard. But, again, Siegel believes that what you all have to say is not worth hearing anyway.

The Supposed Perils of Personalization

Indeed, Siegel’s primary gripe with the Web 2.0 world is that while most of us appreciate the growing personalization of information and content as well as the increasingly participatory nature of the Internet, he sees that as an unmitigated evil.  “The Internet is the first social environment to serve the needs of the isolated, asocial individual.” (p. 6)  The “Daily Me” (personalized, instantaneously delivered content) that Nicholas Negroponte predicted and longed for in his prescient 1995 book Being Digital, is viewed by Siegel as nothing more that the creation of a “narcissistic culture” in which “exaggeration” and the “loudest, most outrageous, or most extreme voices sway the crowd his way; the cutest, most self-effacing, most ridiculous, or most transparently fraudulent of voices saw the crowd of voices that way.” (p. 79)  He goes so far as to refer to it as our “democracy’s fatal turn” in that, instead of “allowing individuals to create their own cultural and commercial choices,” Web 2.0 has instead created “a more potent form of homogenization.” (p. 67)

In this regard, Siegel is channeling another Net skeptic, the prolific Cass Sunstein of the University of Chicago Law School.  In his 2001 book Republic.com, Sunstein also referred to Negroponte’s “Daily Me” in contemptuous terms, saying that the hyper-customization of websites and online technologies was causing extreme social fragmentation, isolation, and alienation, and could lead to political extremism. “A system of limitless individual choices, with respect to communications, is not necessarily in the interest of citizenship and self-government,” he wrote. As I said in my review of his book in Regulation magazine that year, Sunstein was essentially saying that the Internet is breeding a dangerous new creature: Anti-Democratic Man. “Group polarization is unquestionably occurring on the Internet,” he proclaimed, and it is weakening what he called the “social glue” that binds society together and provides citizens with a common “group identity.” If that continues unabated, Sunstein argued, the potential result could be nothing short of the death of deliberative democracy and the breakdown of the American system of government.

Siegel continues this line of reasoning in Against the Machine but, like Sunstein, completely fails to offer anything more than a few random anecdotes in defense of their thesis that the Net is leading to close-mindedness, homogenization, and the death of deliberative democracy. Worse yet, they also both completely fail to look at the other side of the story, which is that the Internet and Web 2.0 may be having the exact opposite effect. I made that argument in my 2005 book, Media Myths: Making Sense of the Debate over Media Ownership (p. 39):

The reality is that citizens do face an overwhelming number of media choices today, and that probably does make it somewhat more difficult for them to have “shared experiences” involving any individual news or entertainment program. But that isn’t really such a lamentable development. Government need not take steps to make sure everyone watches or listens to the same programs each night so they can all talk about them around the watercooler at work the next day. It’s just as good that everyone can discuss something different that they saw or heard the night before. And the very fact there are so many distinct media options available to citizens is better for a healthy democracy than a limited range of media options. Again, regardless of who owns what, the fact remains that we have more sources of news, communications, and entertainment than ever before in this country. Still, some media critics wax nostalgic about a mythical time — a supposed “Golden Age” of newspapers, radio, or television — when the populace was more closely linked or unified in some grand sociological sense by common reporting or programming options. But that is a stretch. The days when William Randolph Hearst dominated media, or when only three TV networks brought us our news at a set time each night, could hardly be labeled the “Golden Age” of those respective mediums. If that’s the world media critics want us to return to, then this represents, as Jonathan Knee argues, “an argument for homogeneity hiding under the pretext of diversity.”

And, indeed, that’s exactly what Siegel is proposing in his book, as Keen also does in his. They want to roll back to clock and return us to the mythical “good ‘ol days” of media. Again, when were those days? I simply cannot fathom how anyone can claim that the age of media scarcity — with its limited outlets and opportunities — was truly better than the world we find ourselves in today. As I noted in the first part of my two-part review of Keen’s book, which was entitled “Why an Age of Abundance Really is Better than an Age of Scarcity”:

What Keen doesn’t seem willing to tolerate is that when everyone has a voice, a lot more silly things are going to be said and heard. Back in the days before we all had our own soapboxes (websites, blogs, social networks, YouTube posts, etc.) we all had opinions, but we had few ways to get those opinions out. Now that the Internet has become the great leveler and given everyone the ability to be a one-person newspaper or broadcaster to the world, the dream of a more fully empowered citizenry is slowly becoming a reality. The upside is that everyone gets an equal chance to be heard. But the downside is that everyone gets an equal chance to be heard! That is, with the good comes some bad. There are wonderful contributions to culture and human communications being made by average Joes and Janes across the globe because of the Web. But let’s face it, there’s a lot of crap out there too. Cutting through the cultural clutter can been a real challenge, and even with the best search tools in the world at your disposal, it can still be difficult to find that diamond in the rough. But aren’t we better off as a society because of the opportunities now at our disposal? Isn’t an age of media and cultural abundance — warts and all — still preferable to the age of scarcity which preceded it?

I believe it is. And as I concluded in my review of Keen’s book, which seems like an equally sensible way to conclude this review of Lee Siegel’s tedious screed:

I think we are definitely better off because of this seismic shift in our communications and media environment. The human conversation is more diverse than ever before, and we have been empowered to experience the full range of culture and human creativity (for better and for worse!)

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies.  In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.”  [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

• There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
• First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
• Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
• It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
• It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

How We Could Verify Kids, and Why We Should Not Do It

Let’s assume that we want to achieve AG Blumenthal’s “man-on-the-moon” dream of verifying all kids before they go online. How would we do it?  There are really only two solutions: (1) full-blown national ID cards for kids, or (2) tapping school records about kids to somehow age-verify kids (sort of a “National ID card-Lite” scheme).

National ID Cards for Kids

The first scheme is fairly straightforward, but incredibly frightening to those of us who care about civil liberties. Basically, government could demand that all minors be issued the equivalent of a domestic passport or a national ID card. After all, minors aged 14 to 17 are already required to obtain a passport before they travel overseas. Minors under 14 must have both parents or legal guardians appear together to vouch for the child when applying for a passport. Conceivably, government could simply extend this model to incorporate a domestic identification requirement. Once the youngster had been issued such a domestic passport, it could be requested by others — including social networking sites — as proof of age. Sites could cross-reference a government national ID database to verify identity.

Clearly, however, imposing such a solution domestically would raise serious privacy concerns because it would require the collection, retention and processing of sensitive information about children.  Adults are not required to carry such a domestic passport or national ID card, so why should children? Indeed, all the same privacy concerns related to national ID cards for adults would be amplified with children because, as a society, we generally take extra precautions to protect the privacy of minors and their personal information. And a national ID card for kids would need to include a great deal of information about themselves to allow the card to be used by third parties online as an age-verifying tool. Government would need to issue an age-verified identity, user name, and password to every child.

Particularly concerning is the fact that a national ID card for children would require the creation of more government databases and bureaucracy. The potential for “mission creep” then enters the picture in that more tracking of children by government (and others) becomes possible. What other uses might there be for such information? We don’t know, and we probably don’t want to find out.

The costs of setting up and enforcing such a system would be substantial and must also be considered. Although the cost of digital storage continues to fall, we’re talking about potentially massive digital databases here. But the more important cost factor is the human time and effort that would go into  collecting, processing, and organizing such records and databases.

For those reasons, a government-issued ID card or age verification scheme for kids is a nonstarter. It would raise grave privacy concerns, induce public paranoia, probably encourage a great deal of evasion, and require significant government expenditure to enforce. Moreover, a national ID card would do little to prevent youngsters from visiting offshore sites.

Using the Schools to Help Verify Kids

So, let’s work from the assumption that National ID cards for kids is not going to fly as an online identity authentication solution.  The only other realistic scheme would involve getting the schools involved in the process.  Why?  Because to paraphrase Willy Sutton: “That’s where the data is.”  Schools have more information about our children than probably every other institution or organization combined.  They have very detailed records about kids, their ages and much more, which makes schools a logical candidate for participation in a possible age verification system for minors.  But involving schools in any age verification scheme would raise serious privacy concerns and administrative problems.

Depending on how the scheme worked, the administrative burdens imposed on schools could be significant. Someone at each school would have to be in charge of answering phones calls and e-mails from potentially hundreds of website operators looking to age-verify minors. Who will be liable if things go wrong? The school? The school district? An employee in the school’s administrative department who accidentally releases thousands of digital records? And will schools receive the additional funding needed to administer whatever scheme is mandated?

Moreover, if schools are required to create more accessible databases containing personal information about minors, who else besides social networking websites would be given access? Data breaches would become a real concern for both students and schools alike. Such a scheme could run up against federal or state laws. For example, the Family Education Rights and Privacy Act of 1974 makes it illegal to release school records without written permission from parents. Both parents and government officials have long demanded that access to school records be tightly guarded because, as a society, we take the privacy of our children very seriously.

Thus, serious questions remain about the wisdom and practicality of roping the schools into the age verification process. Most schools and school districts are already over-burdened with federal and state mandates and probably wouldn’t like the sound of additional mandates of this variety.  But what if a technology vendor could serve as the middleman and facilitate the easy transfer of some basic data about kids from the school system in an effort to provide digital credentials? That’s probably where we are heading.  Even the most vociferous advocates of age verification for minors must realize how absolutely radioactive this issue could become since school records about our kids are in play here.  Identity theft concerns are already running at an all-time high in our country and the thought of being required to surrender more info about our kids in this environment is not going to go over well with many parents.

But, again, what if we could keep to a minimum the amount of data being transferred about the child to the vendor or the SNS?  Perhaps at the beginning of each school year when a minor is registering they could be given a “secure” digital token or ID number that only associated a grade year (i.e., “sophomore”) with their name, and little or no additional info was included in that token in order to minimize the threat of identity theft or privacy violations.  Of course, the fewer pieces of information contained in that token or credential, the less likely it will be a credible verification tool, or the more likely it is it will be easy to forge or defeat (especially by kids themselves).

Regardless, whether we like it or not — and I do not like it one bit — schools are now at the center of the online age verification debate. It will be very interesting to hear what the educational community itself has to say about this development going forward.  Incidentally, no one from the educational community was present at Harvard this week as these proposals were flying.  Something tells me that school administrators and educational officials aren’t going to look too kindly on proposals that would turn them into the equivalent of a DMV for kids.

How about Parental Permission Slips for Online Verification?

Another potential way to go about online verification is to avoid verifying the kids directly and instead just verify parents (or guardians) and then get them to vouch for their children.  Some age verification advocates are now calling for such parental consent-based forms of child verification.  Specifically, they are now attempting to drive regulation through the prism of the Children’s Online Privacy Protection Act (COPPA) of 1998.

By way of background, COPPA required websites that marketed to children under the age of 13 to get “verifiable parental consent” before allowing children access to their sites. Generally speaking, the goal was to make sure that such websites were not collecting personal information about children without getting parental permission. The Federal Trade Commission (FTC), which is responsible for enforcing COPPA, adopted a sliding scale approach to obtaining parental consent. The sliding scale approach allows website operators to use a mix of the methods to comply with the law, including print-and-fax forms, follow-up phone calls and e-mails, and credit card authorizations. The FTC also authorized four “safe harbor” programs operated by private companies that help website operators comply with COPPA.

In a February 2007 report to Congress about the status of the COPPA and its enforcement, the FTC said that no changes to COPPA were necessary at this time because it had “been effective in helping to protect the privacy and safety of young children online.” In discussing the effectiveness of the parental consent methods, however, the agency also said that “none of these mechanisms is foolproof” and that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” This seems to imply that the FTC does not regard COPPA’s parental consent methods as the equivalent of perfect age verification.

Nonetheless, what should be evident here is that COPPA’s parental consent framework could serve as a vehicle for pushing through greater regulation of all social networking sites, not just those sites geared toward kids under 13.   Indeed, we have already seen that proposed at the state level.  For example, in the debate that took place over age verification in the North Carolina statehouse last summer, a parental permission-based verification proposal supported by North Carolina Attorney General Roy Cooper was billed as a way to strengthen and expand the COPPA framework.  (Never mind the fact that COPPA is a federal statute, or that the state of North Carolina is likely barred from regulating Internet speech and commerce thanks to the First Amendment and the Commerce Clause of the Constitution!)

In other words, future age verification mandates could arrive in the form of COPPA amendments, or at least cite COPPA’s regulatory framework as precedent.  Specifically, the proposal would be to: (a) extend COPPA’s coverage to kids up to the age of 18 and then (b) broaden the range of SNS sites that are covered by its parental consent requirements.

There are many problems associated with such a proposal, and I will get to some of them in a moment. But here’s the more interesting question that few have asked: Is COPPA really working?  It is very much unclear to me that COPPA actually works as billed, but to the extent it does, it is likely because of the very limited scale and nature of the operations it covers.  As I have said in my past writing on the issue, there is a direct relationship between the size of a site and the likelihood of success in attempting to verify its users / members. Of course, that is hardly surprising.  But let’s get a little more concrete about why that is important.  Here are the two reasons that I believe the COPPA / parental consent regime has generally worked so far, or at least hasn’t failed miserably:

(1) Many smaller sites charge a fee for admission; and

(2) The functionality of those sites is usually tightly limited. They are closed, walled gardens.

Regarding the first point: Obviously, the more a site charges for access, the more likely it is that the parent / guardian pays attention to what their kid is doing.  Of course, that doesn’t mean a bad guy couldn’t still get into those “verified” environments under false pretenses.  And there’s the problem of minors with access to credit cards.  Moreover, even assuming credit cards worked as an age verification method, there is the more practical question of whether lawmakers have the guts to mandate that every social networking site in the land start charging admission for access.  Since almost all SNSs are free-of-charge today, that is not going to be a very popular mandate!

Nonetheless, for very small, niche-oriented social networking sites geared toward younger kids, credit cards and fees are part of the reason people think COPPA has “worked.”  In essence, it acts as a bit of a roadblock or hassle thrown in the way of access, and that gets parents thinking and talking to the kids about those sites. That is the argument put forward by Denise Tayloe of Privo, one of the four FTC-approved COPPA safe harbor providers.   Ironically, Tayloe has noted that one of the problems associated with the current COPPA regime is that “Children quickly learned to lie about their age in order to gain access to the interactive features on their favorite sites. As a result,” she notes, “databases have become tainted with inaccurate information and chaos seems to be king where COPPA is concerned,” she says.

Despite these problems, Tayloe argues that COPPA serves an important role.  Even though “there is no perfect solution” and it is not possible to completely “stop a child from lying and putting themselves at risk,” Tayloe believes that COPPA “provides a platform to educate parents and kids about privacy.”  Of course, providing a platform to educate parents and kids about online privacy or safety is very important, but it is not necessarily synonymous with strict age verification.  And we don’t really have any idea what level of parent-child interaction COPPA incentivizes.  More importantly, we don’t really have any good data regarding the accuracy of claims made pursuant to COPPA’s requirements regarding the relationship between parents and the kids seeking access to the site.  How many people (kids or adults) were able to gain access under false pretenses? We don’t know.

Nonetheless, the operating assumption here is that by creating an added economic hurdle or barrier to entry (in the form of the hassle of filling out paperwork or forms), COPPA gets some parents (perhaps most?) to put more thought into what their kids are doing online, and that somehow improves online safety in larger scheme of things.  The problem is that that does not necessarily mean that their kids are operating in perfectly “secure” or “verified” environments.  The danger is that – to the extent some “bad guys” are getting on those sites under false pretenses – kids and parents may fall prey to a false sense of security after they are told the site is COPPA-verified.  Of course, COPPA wasn’t put on the books to keep “bad guys” away from kids online; it was about keeping site operators from collecting personal information about kids.

The second reason COPPA has “worked” to a limited degree is that SNS sites geared toward younger kids tightly limit functionality.  In essence, the site administrators “cripple” the sort of functionality we find in SNS sites geared toward older kids.  That fact alone makes these sites far less likely to be subject to fraudulent entry or dangerous interactions.   If I am an older teen or a pervert, why would I ever want to gain access to a site that has nothing more than drop-down menus and a few buttons to click on when interacting with others?  Thus, the primary reason that kids are likely safer in those environments has almost nothing to do with COPPA’s parental consent mechanisms and almost everything to do with the fact that most of the sites it covers are tightly controlled walled gardens with very limited functionality.

With these facts in mind, let’s gets back to the ultimate question: What would happen if we tried to apply COPPA to all social networking sites for kids of all ages? The threshold question that would need to be answered remains the same as it does today: How do we verify the parent-child relationship when someone asserts they are the parent or guardian?  That’s a very thorny question.  But let me just list out the many other questions that everyone is overlooking here:

(1) What sort of mechanisms will need to be put in place to guarantee that the parent or guardian is who they claim to be (for both initial enrollment and subsequent visit authentication)?  Sign-and-fax forms can be easily forged, so credit cards (and perhaps mandatory user fees) will likely become the default solution. A third method, follow-up phone calls, just doesn’t seem practical.  But might lawmakers demand a mix of all of the above?

(2) Regardless, how burdensome will those mandates be for parents / guardians?

(3) And how burdensome will those mandates be for SNS site operators? What kind of compliance costs / legal penalties are we talking about?

(4) Will the barriers to site enrollment become economic in character such that it requires previously free social networking sites to charge admission?

(5) If so, could that be a disadvantage to low-income families / youth?

(6) If compliance costs go through the roof for SNS sites, will this be a recipe for massive industry consolidation in order to comply with the mandates?

(7) Who is collecting the massive databases of information created by such a mandate for all SNS? Who has access to that data? What might government use it for?

(8) Will this new regime be applicable to offshore sites? And will kids flock to offshore sites as a result of such mandates on domestic sites? If some do, how will we stop them?

And so on.  Bottom line: The future of age verification battles will likely be increasingly tied up with COPPA and the question of how well parental permission-based forms of authentication might work. It is unlikely, however, that such a framework could be easily applied on “Internet scale.”  There is a world of difference between something like Disney’s “Club Penguin” and MySpace, Xanga or Bebo.  And with social networking capabilities being integrated into every site and service these days — from CNN.com to Microsoft’s Xbox Live service — one wonders how that will magnify the compliance costs and hassles for all involved.  Are parents really going to be expected to verify themselves and then their kids for every “social networking site” their kids want to visit?  That seems unnecessary, unworkable, and potentially counter-productive.

Finally, the irony of a proposal to expand COPPA in this fashion is that lawmakers would be using a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents!  It’s important we not overlook the privacy implications of any effort to expand COPPA to do something it was not originally intended to cover.

Conclusion

It will likely be very difficult for the Technical Task Force to reach consensus on these controversial and complicated issues.  There are many challenging technical, legal, and even philosophical issue in play here.  The problem is that this Task Force is charged with looking at technical solutions and yet most child safety advocates and academics on the Task Force are of the mind that technical solutions are only one part — and probably the smallest part — of the sort of “layered solution” to online child safety that I describe in my book on “Parental Controls and Online Child Protection.” As I argue in that book:

“the best answer to the problem of unwanted media exposure or contact with others is for parents to rely on a mix of technological controls, informal household media rules, and, most importantly, education and media literacy efforts.”

In sum, we need to get serious about talking to our kids about online safety and proper online behavior. Education is the key, and government has a major role to play in that regard in the classroom and through awareness-building efforts. And technical tools that empower parents to better monitor and guide their child’s online experiences can help too. Social networking sites and other online service providers can offer more of those tools and also take additional steps to improve the safety of their sites and encourage a dialog about appropriate and inappropriate online behavior. Again, it’s a multi-layered effort with education and communication at the core of the plan.

It’s not like I am saying anything new here. Indeed, that layered approach was the recommended approach of two previous online safety blue ribbon task force efforts: The 2000 COPA Commission and the 2002 National Academy of Sciences “Thornburgh Commission.” And every major book about online child safety published over the last 5 years has come to the same conclusion.

But that is not likely going to be enough for state attorneys general. There is no other way for me to state this than to just come right out and say it: The AGs are looking for a silver-bullet technical solution to a complex problem they do not fully understand.  And age verification schemes are the technical bullet du jour.

Alas, for all the reasons I have stated here and elsewhere, age verification schemes are likely to fail miserably.  Even if age verification systems worked as billed, it is unlikely that kids would really be any better off.  All the academic research in this field points to a single, inescapable conclusion: The primary danger to kids online is not adult predators, it is other kids.  In particular, it is peer-on-peer harassment and cyber-bullying.   As parents and a society, we have to do more — a lot more — to address that problem.

Age verification schemes, however, aren’t going to help us solve that problem.  Worse yet, by creating the illusion of safety, it could compromise our children’s privacy in the process and create a false sense of security when kids or their parents come to believe they are operating in “trusted” online environments.  For the sake of our children, it is essential we not fall prey to such a fatal conceit.

Forget net neutrality and the growing Googleplex. The real threat to Internet freedom comes from plain old criminal law.

In three weeks time, Missouri housewife Lori Drew will face trial for entering false personal details when she signed up for a MySpace account. Her indictment alone, whether or not she is convicted, should frighten anyone who’s ever filled out a form online.

The case, which captured the tabloid media when it broke last year, turns on unusual facts. Drew, posting as a teenage boy, created the MySpace account to probe why a neighbor’s daughter, Megan Meier, had broken off a friendship with her own daughter. She gave a few others access to the account, and things quickly spiraled out of control. Before long, “Josh Evans” (the fictional teen) and Meier were an online couple, and soon after that, they were hurling insults at one another on public message boards.

Meier, already suffering from depression, was devastated by Josh’s turnabout. A final private message from the Evans account–“The world would be a better place without you”–pushed her over the edge. Twenty minutes after receiving it, Meier hung herself in her closet.

Even though she was not responsible for the worst of the messages (according to a prosecutor who investigated the case but declined to file charged), Lori Drew mislead an emotionally troubled youth, and that was surely wrong.

But it’s more problematic to say that it’s a crime.

The theory of the prosecutor behind this case would make all Internet users criminals. It goes like this: Drew lied when she created the “Josh Evans” account. That was a violation of MySpace’s terms of service (those slabs of legalese that nobody reads before checking the box on a sign-up form). And by violating those terms, she accessed MySpace without authorization. “Unauthorized access” is a felony under a federal statute, the Computer Fraud and Abuse Act of 1986. The statute was meant to target hacking, but its loose language leaves the door open for a much broader reading.

(And as I discuss in a National Review Online column today, that’s the same law that could be used to prosecute the person who hacked into Gov. Sarah Palin’s email account.)

To put it succinctly: Violate any website’s terms of service, and you could face five years’ jailtime. Include a conspiracy charge (Drew faces several), and the maximum sentence doubles.

As the Electronic Frontier Foundation spells out in a brief in the case, that formula spells an end to online anonymity. Using a fake name or making up any detail when creating an email account or anything else could be grounds for prosecution.

Even innocent exaggeration could be targeted. Adding an inch or two to your height is a violation of the terms of service on Match.com and most dating sites.

But that’s not the scariest part. This threat isn’t just about one law, twisted into absurd form by an aggressive prosecutor, but thousands of them. After decades of fast growth, there are at least 4,450 separate criminal offenses in federal laws, and perhaps tens of thousands more in regulations. And then there’s state law: Each state, to begin with, has its own copy of the federal anti-hacking statute Lori Drew is accussed of violating.

I discuss this issue, in the context of the Drew case, at some length in a recent paper. The problem, in brief, is this: Public pressure has led legislators to criminalize so much behavior in vague and broad statutes that probably all Americans are criminals under some dumb law. When there’s a tragedy–like the death of Megan Meier–prosecutions will follow, whether or not anyone had reason to believe that what went on was actually against the law.

Fixing this one statute won’t solve the problem.

Right now, the only thing that safeguards our online freedoms–anonymity, free speech, the right to access speech, and so on–is prosecutorial discretion that could be revoked for any one of us at any time for any reason. This isn’t a hypothetical–it’s happening today.

Just FYI, the latest update of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now live. The new version, Version 3.1, provides minor updates to all sections of the book and a new appendix of relevant research in the field. I issue major updates early each year and 1 or 2 tweaks during the course of the year to reflect the evolution of the parental control and online child safety market and debate.

For those not familiar with the report, it explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past two years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

By Berin Szoka & Adam Thierer

As we noted in our intro to this ongoing series, Google’s tenth anniversary has passed with Googlephobia reaching new heights of hysteria.

But is Google really too big and dangerous, or are people just too lazy to find other alternatives to each of the wonderful services that Google offers?  If one is truly paranoid about the firm’s supposed dominance, it doesn’t take much effort to live a Google-free life. To prove it, we set out to find alternatives to each of the services that Google provides.  After awhile, we got a little tired of compiling alternatives in each category and just provided links for the additional choices at your disposal.  It’s tough to see what the fuss is about with the cornucopia of choices at our disposal.  If you don’t like Google, then just don’t use it or any of its services.  The choice is yours.

In each case, we’ve listed Google first, even though Google may not be the market leader ( e.g., Google’s relatively unknown social network Orkut).

Search Engines

• Google
• Microsoft Live Search
• Yahoo!
• Ask.com
• AltaVista
• Cuil
• others: en.wikipedia.org/wiki/List_of_search_engines

eMail

• Google Gmail
• MSN Hotmail
• Apple .Mac/MobileMe
• Yahoo!
• AOL
• others: www.emailaddresses.com/email_web.htm

Encyclopedia

• Knol (Google)
• Wikipedia
• Citizendium
• Microsoft Encarta
• Britannica Online
• World Book Online
• others: www.surfnetkids.com/encyclopedia.htm

Instant Messaging

• Google Talk
• Yahoo Messenger
• Windows Live Messenger (Microsoft)
• AOL AIM
• Jabber
• others: en.wikipedia.org/wiki/Instant_messaging#User_base

Web Browsers

• Chrome (Google)
• Firefox (Mozilla Foundation)
• Internet Explorer (Microsoft)
• Safari (Apple)
• Opera
• Flock
• others: en.wikipedia.org/wiki/List_of_web_browsers

Social Networks

• Orkut (Google) – (not popular in the U.S.)
• Facebook
• Myspace
• Bebo
• LinkedIn
• Friendster
• LiveJournal
• others: en.wikipedia.org/wiki/List_of_Social_network_service

Mapping

• Google Maps
• Microsoft Live Search Maps
• MapQuest
• WikiMapia
• Google Earth
• Virtual Earth (Microsoft)
• others: en.wikipedia.org/wiki/List_of_online_map_services

Mobile Search / Portal Services

• Google mobile
• Yahoo! mobile
• Microsoft Windows mobile & Mobile Live Search
• AOL Mobile

Video Hosting

• YouTube (Google)
• Google Video
• Flickr (Yahoo!)
• Yahoo Video
• Vimeo
• Photobucket
• BlipTV
• others: en.wikipedia.org/wiki/List_of_video_sharing_websites

Photohosting

• Picasa (Google)
• Flickr (Yahoo!)
• Apple .Mac/MobileMe
• Photobucket
• Snapfish
• Shutterfly
• Imageshack
• AOL Pictures
• others: en.wikipedia.org/wiki/Photo_sharing#Online_photo_sharing_websites

Document / Spreadsheet Creation

• Google Docs
• Microsoft Office
• OpenOffice
• ThinkFree Office
• EditGrid
• NumSum
• Zoho Sheet
• Zoho Writer
• ajaxWrite
• Glide Write
• others: www.editgrid.com/user/siulung/Web-based_Spreadsheets_Comparison_Matrix

Online File Storage

• Google Docs
• Windows Live SkyDrive (Microsoft)
• Apple .Mac/MobileMe
• Mozy
• Buzzword (Adobe)
• Xdrive
• Box.net
• others: http://www.listible.com/list/online-file-storage

Blog hosting services

• Blogger (Google)
• Wordpress
• Windows Live Spaces (Microsoft)
• Skyrock (based in France, but bigger than WordPress and almost as big as Blogger)
• LiveJournal
• Note: many social networking services also have a blogging component
• others: http://en.wikipedia.org/wiki/Blog_hosting_service#Developer-hosted

RSS blog feed aggregators

• Google Reader
• My MSN
• My Yahoo!
• NewsGator Online
• Bloglines
• FeedBucket
• others: dmoz.org/Computers/Software/Internet/Clients/WWW/Feed_Readers/Web_Based
• others: www.newsonfeeds.com/faq/aggregators

WebClipping Services

• Google Notebook
• Digg
• Del.icio.us (Yahoo)
• Reddit
• Clipmarks
• Zotero
• WebResearch
• ScrapBook
• Diigo

News Aggregators

• Google News
• Yahoo News
• MSN News & MSNBC (Microsoft)
• News Directory.com
• Reuters
• CNN.com
• Digg
• Topix
• others: news.nettop20.com
• others: newsonfeeds.com/faq/aggregators

Calendar Services

• Google Calendar
• Microsoft Outlook
• Lotus Notes
• Lightning/Sunbird (Mozilla Foundation)
• Apple .Mac/MobileMe
• others: www.calendarzone.com