Thursday, March 22, 2007 - The Progress & Freedom Foundation Blog

The COPA Decision, Part 3: Implications for Age Verification and Social Networking

Today's decision in the U.S. District Court for the Eastern District of Pennsylvania again striking down the Child Online Protection Act of 1998 has important implications for the ongoing debate over age verification for social networking websites.

As I mentioned in an essay earlier this week, several state attorneys general (AGs) are currently pushing legislation to mandate age verification of minors before they would be allowed access to social networking sites. Already, age verification proposals have been introduced in Connecticut, Georgia and North Carolina. More proposals are likely on the way. AGs and other policy makers argue that age verification is necessary to protect kids from cyber-predators and other online dangers.

In my new paper, "Social Networking and Age Verification: Many Hard Questions; No Easy Solutions," I find that proposals to impose age verification mandates on social networking websites raise many sensitive questions with potentially profound implications for individual privacy and online freedom of speech and expression. That's especially the case in light of the definitional ambiguities associated with "social networking."

Today's COPA decision bolsters many of the findings in my paper. "Requiring users to go through an age verification process would lead to a distinct loss of personal privacy," Judge Lowell Reed Jr. says on page 55 of the decision. And his other conclusions are also relevant to the debate over social networking regulation.

Of particular importance is Judge Reed's conclusion that "there is no evidence of age verification services or products available on the market to owners of Web sites that actually reliably establish or verify the age of Internet users. Nor is there evidence of such services or products that can effectively prevent access to Web pages by a minor." (p. 44)

That's the same general conclusion I came to after studying the issue over the past few months. After reviewing the various leading proposals floating around, I devised a 7-part taxonomy of age verification techniques:

(1) Credit cards as approximate age proxies;
(2) Driver’s licenses as approximate age proxies or as a source of date of birth;
(3) Birth certificates as a source of actual date of birth;
(4) Parents or guardians vouching for minors;
(5) Schools vouching for minors;
(6) Third parties vouching for minors; and,
(7) Biological or biometric determination of age.

I'm certainly not going to go into all of them here since you can read my paper if you want the details. But the first and the fourth options (credit cards & parental permission schemes) are the ones to keep your eyes on since they are the leading contenders right now for social networking sites.

This recent COPA decision has implications for both, especially the use of credit cards as age proxies. On that point, Judge Reed specifically held that "payment cards cannot be used to verify age because minors under 17 have access to credit cards, debit cards, and reloadable prepaid cards." He also noted that "there are many other ways in which a minor may obtain and use payment cards." (p. 46 of decision).

Again, that's the same conclusion I reached in my new study:

Credit cards are often viewed by policy makers as the silver bullet solution for age verification. Even though credit card companies typically do not wish their cards to be used as age verification tools, government has advocated their use in that way in the past. But they are not a silver bullet. “Mere possession of a credit card is not a reliable assertion of identity or age,” argues information security expert Jeff Schmidt, CEO of Authis, Inc. Credit cards can be a rough proxy for age on the assumption that only adults over the age of 18 have credit cards, but that assumption is false. Many minors are given credit cards by their parents. Youngsters can borrow or steal credit cards from their parents or others. And Schmidt notes that newly created stored value cards, specifically marketed for use by children, “are in many cases indistinguishable from actual credit cards--both in physical appearance and in the back-end transaction processing systems.”

In my report, I also noted the use of credit cards as age verification devices in the context of social networking sites was going to be difficult since most sites do not require a financial transaction to join. I noted that in a June 2005 joint filing to the Federal Trade Commission, a coalition of major commercial organizations, including the American Advertising Federation, American Association of Advertising Agencies, Association of National Advertisers, The Direct Marketing Association, Inc., and Magazine Publishers of America revealed that, “many parents may feel uncomfortable giving their credit card number online at children’s Web sites where there is no transaction involved.” These organizations also argued that “in light of current online scams, heightened concerns about online security, and the rise of such practices as phishing, parents may be reluctant to provide credit card numbers absent a transaction.” But that begs the question: If lawmakers required social networking sites to process a credit card transaction to age-verify, is that fair? In particular, is it fair for low-income families? And what about those families that do not possess a credit card?

Not only isn't a purchase required to join social networking sites, but no product is physically delivered to the home, as is the case with beer or wine sales where the physical delivery of a product opens the door to in-person age verification. Judge Reed made this same argument in his decision today, arguing that "without a physical delivery of goods and an accompanying visual age verification, neither the [data verification services] nor the Web page operator can know whether an adult or a child provided the information. Attempting to verify age with this information in a consumer-not-present transaction is therefore unreliable." (p. 49)

This also gets to the special challenges raised by the nature of the Internet and online communication when it comes to age verification. As I noted in my study:

Finding a dependable source of identity or age information and then reliably matching it to someone thousands of miles away on the Internet (perhaps in another jurisdiction, or even another country) is a daunting challenge—made even more difficult by the fact that a remote individual may be actively attempting to subvert the age verification process. Solving this problem necessitates authentication data that are appropriate for online interaction. In the real world, we perform in-person authentication with a photo or physical description; the online world requires a username/password combination, biometric authenticator, or physical security token. An arms-race scenario is obviously at work here, and because a perfect solution is impossible, we must guard against a false sense of security. Lastly, because technology is evolving at such a rapid pace in this area, there is a risk that legislative solutions will become obsolete very rapidly.

Judge Reed also pointed out that such online age verification requirements could create significant economic burdens for some website operators. "It is not economically feasible for a Web page operator, especially one that provides free content, to verify the information of every customer that visits the Web page with a [data verification service]." (p. 53) I discuss that issue in my paper as well.

posted by Adam Thierer @ 2:15 PM