I've been spending a lot of time lately thinking and writing about the contentious issues surrounding social networking sites, age verification mandates and online child safety in general. I recently released a major PFF working paper on these issues ("Social Networking and Age Verification: Many Hard Questions, No Easy Solutions").
One of the people who has had a great deal of influence on my thinking about these matters is information security expert Jeff Schmidt, the CEO of Authis, a Reston-based authentication/identification firm. Jeff has 15 years of experience in this field and has worked for Microsoft, Ohio State University, and several other small technology companies. He is also a founder and the elected Director of the InfraGard National Members Alliance, which is the private sector component of the FBI’s InfraGard Program. (InfraGard is an FBI/private sector alliance dedicated to improving information sharing between private industry and the government on matters of national security.) Jeff helped the FBI create the InfraGard Program in 1998.
So Jeff knows his stuff, and that's what makes what he has to say about these issues--especially age verification--particularly important. Luckily, some of the essays he has penned on this subject and shared with me in the past are now online for all to see. I thought I'd provide some highlights of the key conclusions from his papers.
Here are his three key papers...
* "Online Child Safety: A Security Professional's Take"
* "Why Internet Age Verification Makes Kids Less Safe"
* "Evaluating Age Verification Systems"
...and here's some of what he has to say about age verification in particular:
The concept of age verification is nebulous at best, and any discussion of age verification also necessitates discussion of identification and authentication. ...We are at a roadblock because Internet-scale multi-factor authentication of children is simply unworkable from practical, operational, technological, and cost perspectives. Left with relatively weak password authentication, we must ask: how long will it take for a black market of "age verified" credentials to surface? How long until children begin to share or lose their "age verified" credentials? How long until child predators become skilled in guessing and phishing for children’s passwords? How long before enterprising children begin to sell their "age verified" credentials? In the frightening case where a child predator is also a parent of a young child, we must assume that the predators will use their children's "age verified" credential. If failure rates are similar to adult username/password failure rates, we will not have solved the problem and added a tremendous expense and burden managing literally hundreds of millions of children's usernames and passwords. ...
As no security solution is 100 percent effective, we must assume that anything we deploy will fail some percentage of the time. Two direct corollaries to Courtney's Second Law state this clearly: "Perfect security has infinite cost" and "There is no such thing as zero risk." ...
We are faced with the dangerous reality that the instant we create an "age verification" system we will have child predators admitted to our "safe areas" falsely age verified as youths. We also know that age verification by its definition would effectively create a target list for the predators while wandering these "safe areas."
We must conclude that any attempt at Internet-scale "age verification" will fail often, fail spectacularly, and fail in ways that actually make children less safe.