Europe on age verification, social networking

As the Internet Safety Technical Task Force wraps up its year of studying potential tech solutions for youth risk on the social Web, some perspective from across the Atlantic seems timely. The ISTTF's report, which we worked on together this week as Task Force members, goes to the 49 attorneys general who formed the ISTTF at the end of the year. The European Commission last summer held a public consultation on social networking, age verification, and content rating "to gather the knowledge and views of all relevant stakeholders (including public bodies, child safety and consumer organisations, and industry)." More than 6 dozen entities responded (links to their individual comments are included here).

Reports on those stakeholders' 70+ comments were presented at the EC's Safer Internet Forum in September. Here are the EC's conclusions on social networking and age verification, two subjects of particular interest to the US's state attorneys general and the ISTTF (so I'm zooming in on these two):

1. Summary of European views on age verification

Bottom line: "There is no existing approach to Age Verification that is as effective as one could ideally hope for.”

Flaws a reality: “Each individual method carries its own flaws, as does any combination of methods used.”

"Universal" really means "universal": The effectiveness of age-verification systems already in place in the UK and Germany is "largely undermined by the availability of sites offering similar services” in countries where there is no age verification in place. It can only be effective if it is "universally accepted, inclusive, secure and relatively inexpensive."

Avoid false sense of security: "Concerns were also raised about the false sense of security that might be provided and the adverse effects on safety this might have."

2. Conclusions from report on social networking

Significant consensus. "There was an important degree of consensus between respondents across most questions."

The peer-to-peer risk. "Bullying and other threats which young users inflict upon each other may be more likely to arise than threats from adults."

Communication not confrontation. "Parental involvement in their children's online activity is important, but principles of privacy and trust should dictate how parents help children to stay safe."

Education > regulation. "Education and awareness are the most important factors in enabling minors to keep themselves safe."

Industry self-regulation > legislation. "Industry self-regulation is the preferred approach for service providers to meet public expectations with regard to the safety of minors. Legislation should not place burdens on service providers which prevent them from providing minors with all the benefits of social networking.

Mandatory safety minimums maybe. "Available safety measures vary greatly from one provider to another and mandatory minimum levels of provision may need to be established."

More research needed. "Much is known about potential risks, but more research on the nature and extent of harm actually experienced by minors online is needed."

Related links

From this week's US news: "Age verification: An attorney general's concern" in the New York Times and my blog post about it

"Age verification debate continues; Schools now at center of discussion" at Adam Thierer's tech policy blog

Age verification: An attorney general's concern

The headline chosen by the European Commission's QuickLinks blog certainly cuts to the chase: "No Adults Allowed. (Marketers Welcome)." What it links to is a timely New York Times piece about the potential unintended consequences of the age verification that state attorneys general are calling for (consequences that would not please many parents). What the headline refers to is the alleged business model of some of the 2 dozen+ companies who want to help (and involve US schools in helping) verify American children's ages - apparently for the purpose of protecting them online but also reportedly to make a business out of selling data they gather on kids to marketers. Kids' social sites, virtual worlds, and other services would pay the age-verification vendor a "commission for each [child] member" a school signs up; "the [kids'] Web site can then use the data on each child to tailor its advertising," the Times reports. One of the age-verification companies the Times talked to, eGuardian, says kids are exposed to ads anyway (well, in some, not all, kids' sites), it just makes sure they're appropriate. The question is, how can that "appropriate advertising" be guaranteed? There's a pretty sexualized media culture and a lot of obesity in this society anyway, to name only a couple of issues. One of the remarkable things about this piece is the quote at the bottom from Connecticut Attorney General Richard Blumenthal, a leading proponent of age verification, saying that verifying kids' ages online to promote marketing to them would be very concerning. This is the first qualifying statement about age verification we've seen from the attorneys general since they started calling for its implementation more than two years ago.

Online ID verification in South Korea

The world's most connected country - South Korea, where 97% of the population has broadband Internet access - is conducting an experiment in Internet control that the world (especially the US) might do well to watch. I say "especially the US" because we're having a discussion here (at the Internet Safety & Technology Task Force) about online verification of minors' ages (see this about that). The Guardian reports that Seoul is trying to "curb online anonymity and debate." New legislation, some of which is "due to pass" next month would require all forum and chatroom users to make verifiable real-name registrations (South Koreans have national ID cards). The legislation would also make all news sites subject to the same restrictions as newspapers and broadcast media, answerable to the Korean Communications Standards Commission regulatory body, and give the Commission "powers to suspend the publication of articles accused of being fraudulent or slanderous, for a minimum of 30 days. During this period the commission will then decide if an article that has been temporarily deleted or flagged should be removed permanently." The Guardian suggests that includes blog posts, which is a problem: "Seoul's previous experience with such censorship suggest that unless the government hires thousands more people to staff the commission, which is already behind in processing some 2,000 internet-related objections, just addressing the initial complaints will be unworkable, untenable and unenforceable." The other problem is, the Korean government would also have to block all sites based overseas because it couldn't make them card Koreans at their virtual doors. Here's more from the Korea Times.

The ISTTF: Chicken or egg?

"ISTTF" stands for Internet Safety Technical Task Force, the result of an agreement last January between 49 state attorneys general (minus Texas) and MySpace. The emphasis is on the word "technical," because the attorneys general basically charged the task force, of which I'm a member, with reviewing technical solutions to online youth risk - "age verification" technology being their stated predetermined solution of choice. Why? Because they're law enforcement people. They deal with crime - not all these other subjects that have come up in online-youth and social-media research - so they probably feel that this is all about crime and technology, so some technology that separates adult criminals from online kids, or that somehow identifies every American on the Web, is what will make the Internet safe for youth.

The problem is, we now know - via a growing body of research - that young people's use of technology for socializing is not limited to MySpace, to social networking in general, or even to the Web. Youth don't even focus on what technology or device (phone, chat, blogs, IM, Skype, computer, Xbox Live, Club Penguin, World of Warcraft, etc.) they use when they're socializing. They just communicate, produce, and socialize. So the "problem" is not technology. We're dealing with behavior, learning, adolescent development, social norm development, and identity formation, here. What technology is going to give adults (those who want it) control over that, or somehow sequester American youth into American sites that are compelled to verify ages, or separate adults and children across the entire universe of increasingly mobile, device-agnostic communications, media-sharing, and social activity?

Besides, we also know now that only a tiny percentage - well under 1% - of US youth are at risk of being victimized by the kinds of crimes the attorneys general put the Task Force together for, and this minority is, unfortunately, already at risk in "real life." Technology probably doesn't have much of a chance at curing the age-old struggles of troubled youth - certainly not ID verification technology.

The other thing we know, though we adults don't think about it a whole lot, is that the "problem" is changing - fast (it actually won't be that long before our teenagers are parents!). Because nobody's brains are fully developed till their early 20s, teens need our input, but so do we need theirs. For the most part, youth understand what's happening with tech and the social Web, they're the drivers of it, they're changing (growing up), and technology is changing faster than we can keep up with it, so we don't have anything close to a static "problem" to get a fix on, much less to fix.

Which leads me to the chicken/egg question. The first day we heard at least a dozen presentations by purveyors of various technologies, many of them focused on verifying either ages (very hard with US minors, who under federal privacy law have very little verifiable personal information in public records) or identities. By the end of the day I couldn't shake off the unnerving picture of a roomful of baby boomers (digital non-natives, including me) - many of whom barely understand the "problem," much less the full picture of young social Web participants, and some of whom stand to gain a great deal from selling the Task Force on a particular technology for nationwide adoption - trying to assert control over the unruly social Web. The understanding is growing, not least because the Task Force has a research advisory board as well as a technical one, and the former is right now completing a review of all research on youth online safety to date - the first of its kind. This is brilliant! So what's wrong with this picture? Seems to me the research comes first, then - as we understand the problem - we begin to look at what the solutions should be.

The second day we heard from a Rochester Institute of Technology sociology professor with a background in law enforcement. It's an important study (I'll blog about it more next week) because it looks at Internet use by more than 40,000 Rochester-area students all the way from kindergarten up through 12th grade, and it offered the Task Force insights into the peer-on-peer, noncriminal but negative and sometimes unethical and illegal side of the online-safety question. But youth were referred to in an extremely negative adversarial way, first- and second-graders referred to as "perpetrators" and "offenders." For example, the "four types" of middle-school "online offenders," he said, are "generalists, pirates, academic cheaters, and deceiving bullies." As useful as the data is, I don't feel this is productive language to use when trying to change behavior or inspire children about digital citizenship (see my description of an amazing such project at Bel Aire Elementary School in Tiburon, Calif., here).

So there you have one person's (rambling) perspective. There are others available now - that of Adam Thierer of the Washington, DC-based Progress & Freedom Foundation and a more radical one from CNET blogger and Berkman fellow Chris Soghoian. [The Task Force is hosted and chaired by the Berkman Center for Internet & Society at Harvard Law School.]

Your views are always welcome - in our forum here, posted in this blog, or via anne[at]netfamilynews.org. With your permission, I love to publish your views for the benefit of all readers.

Microsoft's age-verification concept

Microsoft has created a euphemism to go with its age-verification plan: "digital playgrounds," where kids get digital ID cards so they can hang out in adult-free places online. It's part of Microsoft's Trustworthy Computing initiative that has involved other companies in a consortium aimed at tackling the Internet identity problem. The problem is "how to make the Internet safer not just for children, but also for adults wanting to conduct business, make transactions, and communicate with the confidence that the people they are interacting with really are who they say they are," CNET reports. What makes it so tough to solve is the need to authenticate people's identities without jeopardizing their privacy - especially children's, whose personal info is protected by US federal law. "Under the [Microsoft] scenario related to children, digital identity 'cards,' or credentials, could be based on either national identity documents created at birth or on identity documents schools use to determine age and identity for school registration, with parental permission. The data could be limited to age and proof of authenticity, and the credentials should be encrypted and require use of PIN numbers. As Internet News points out, dozens of other companies and groups will be presenting their proposed solutions to the Internet Safety Task Force later this month. [See also "Age verification: Key question for parents," "UK data security breach & kids," "Social networker age verification revisited," and other items on the subject.]

Data insecurity on the rise

Here's one reason why verification of online children's ages or identities is a slightly scary concept: data breaches are up. What does this have to do with online kids? If age verification is required of Web sites, children's personal information would have to be stored in a database somewhere, so that Web sites' "bouncers," or ID-checking technology, will have a collection of information against which it can check the info kids provide. The problem is, "businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69% increase over the same period in 2007," Washington Post security writer Brian Krebs reports, citing research from the San Diego-based Identity Theft Resource Center. Interestingly, hacking was "the least-cited cause of data breaches in the first six months of 2008.... Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches. See also "UK data security breach & kids." And I seem to be seeing more news of data breaches all the time, the latest for Google employees - see CNET.

UK data security breach & kids

A massive security breach involving the personal information of "virtually every child in Britain" has occurred in the United Kingdom, The Guardian reports. It "could expose the personal data of more than 25 million people - nearly half the country's population," CBS News reports. The data concerns "families with children, including names, dates of birth, addresses, bank account information and insurance records." Two computer disks containing the data were sent via ordinary mail between two government departments and were apparently lost in the mail. The breach was announced to the House of Commons yesterday by Alistair Darling, Britain's equivalent to our treasury secretary. He said this wasn't the first time Britain's tax agency had experienced such a breach. There was, however, no evidence that the data has fallen into criminal hands. This is a clear illustration of risky it would be to have a national database of children's personal information in the US, which is what would be required in order to establish children's age verification online (for more on this, see "Social networker age verification revisited").

Social networker age verification revisited

Parents often ask us why on Earth social-networking sites can't just block teens altogether - verify their ages or something? After all, it's all over the US news media that attorneys general are calling for age verification. Well, we have been replying for months that it just wouldn't work (e.g., see "Verifying kids' ages: Key question for parents"). But don't take it from us this time. The UK-based Financial Times has an editorial on this saying the exact same thing. Why wouldn't it work? "The practical problems are considerable. Fourteen-year-olds do not have drivers’ licences and credit cards that can be checked via established agencies. The sites could insist on verifying the parents, but anyone who believes that a teenager will not 'borrow' his father’s Visa has never been 14 years old." Also, think about how hard it is accurately to verify kids' ages in person, at the door of a nightclub, much less over the anonymous Internet with no physical evidence or view of the person's face.

And then what would the result be? "The consequences of successful age verification, meanwhile, would be even worse," the FT continues. "Minors would be driven off mainstream sites such as MySpace and Facebook and on to unaccountable offshore alternatives or the chaos of newsgroups," which we tell parents all the time - because kids are experts at finding workarounds. "There they would be far more vulnerable than on MySpace, which now makes efforts to keep tabs on its users." In other words, parents probably want their kids in sites that have customer service departments that actually respond to abuse reports and parents' complaints. MySpace has an email address just for parents (parentcare@myspace.com), as well as ones for educators and law enforcement. [For more on age verification, see a blog post from Adam Thierer of the Progress & Freedom Foundation, complete with a podcast he did with other experts on the issue. The FT also this week published a summary on where social-networking sites, attorneys general, and all the rest of are on all this.]

Can online kids be verified?

This question keeps coming up because politicians keep insisting it has to happen and ID verification professionals keep saying it’s not possible. And it’s not, actually, unless or until personal information on minors is as available as personal information on adults. By personal info, I mean credit records, mortgages, mother’s maiden name, social security number, etc., all pulled together in the kind of database credit bureaus have. There is no such database on minors for any ID or age-verification technology to check against. And does this society, particularly parents, want such a national database on children to exist, given all the database hacking and theft in the news in recent years and given the attractiveness of squeaky-clean minors’ credit records to ID thieves? In fact, there is a federal law that protects children’s personal info in the US. So, certainly, online adults’ ages and identities can be verified, but not children’s. Jacqui Cheng recently blogged about this in ArsTechnica.com, referring to a one-day conference that thoroughly vetted the options and aired many perspectives, hosted by the Washington-based Progress & Freedom Foundation; here’s the transcript. And speaking of children’s privacy and databases, check out “Half a million kids’ DNA on UK police database” in the UK’s The Register. It reports that the DNA data of 4.1 million people are now in the database, more than 520,000 of them people under 16. Britons can have their info removed (and presumably their children’s), but only 115 did last year. The comments at the bottom of the article offer a good look at the privacy implications.

State laws on age verification

Though people on both sides of the social Web’s age-verification debate have great intentions, opponents really seem to know more about what’s actually possible than proponents do. Proponents say things like, “if we can put a man on the moon, we can verify someone’s age,” the New York Times reports in an article about states proposing legislation requiring verification. Opponents or skeptics view it as overkill, what I’d call a baby+bathwater result (one opposing state legislator told the Times such a law is more like a sledgehammer where a “small mallet” would work better). ID verification companies say it’s not possible without a national database of children’s personal information (civil liberties and consumer privacy organizations would have some things to say about that – not to mention many parents). Child-safety advocates say it could potentially provide a false sense of security for parents and greater risk – if kids simply go to another site parents don’t know of that is less responsible to public opinion and parents’ requests than MySpace or other popular sites laws would cover. What the article doesn’t get into is all that’s in the bathwater these proposed laws are trying to address but don’t even begin to touch (see “Predators vs. cyberbullies” as well as “Verifying online kids’ ages”).