State attorneys general push online child safety snake oil
Attorneys general from a number of states give their support to a collection of weak and ineffective age verification technologies, all of which aim to protect children on the Internet.
Updated:This post originally contained incorrect information about Sentinel's products. That has been corrected (see below).
Attorneys general from a number of states have given their support to a collection of weak and ineffective age verification technologies, all of which aim to protect children on the Internet. At a meeting of the Internet Safety Technical Task Force at Harvard University on Tuesday, the consensus seemed to be that while none of the technologies actually work, doing anything at all was better than nothing. Simply put, no one wants to be blamed for inaction against online child predators.
Kicking off the meeting, Richard Blumenthal, the Connecticut attorney general, summed up the general expectation of the other 48 state attorneys general involved in the effort: "If we can put a man on the moon, we can make the Internet safe (for children)." Unfortunately, while the federal government sunk billions of R&D dollars into NASA's space efforts, the AGs have yet to cough up any research funds, and seem to expect industry to come up with their own solutions.
Won't someone think of the children?
Given the intense political pressure to do something about child safety online, and a complete lack of proven, peer-reviewed, and abuse-resistant technologies available on the market, a number of private companies have stepped in to fill the void--with products that can at best be described as ineffective, and at worst as snake oil.
Several age verification solutions were presented at the task force meeting, from companies that included Aristotle, IDology
and Sentry. All of the companies seem to do pretty much the same thing--collecting information from public records, and then prompting users to enter some of this info when they wish to log in to an "age restricted" Web site. One example of this is the rated R movie trailers of many Hollywood movie studios, which require a user to enter in his or her name, ZIP, and date of birth before playing the trailer.
This form of verification has been repeatedly criticized as "laughable" by security experts. As a test, I was able to successfully view the trailer for Sony's new thriller movie, Quarantine, by giving the name, date of birth, and ZIP code of vice presidential candidate Sarah Palin, all of which were available on the politician's Wikipedia page. Sony Pictures uses an age verification service from Sentinel (another company which presented at the task force meeting), which seems to only protect the fragile eyeballs of technologically unsavvy youngsters who have not yet learned how to use a search engine.
During the question and answer sessions following their presentations, each of the age verification and other child safety technology vendors admitted that their products are neither bullet proof nor even that difficult to evade. However, they all generally preached a belief in the security benefits of "raising the bar" and providing a "bump in the road."
Speak softly and carry a big stick
With companies and politicians falling over themselves to prove how much they are doing to keep children safe, it is worth taking a look at the incentives and motivations of this industry.
First, the politicians: Attorneys general from 49 states have been focusing on this issue for some time, culminating in an agreement signed with MySpace back in February of this year--the only state to reject the deal was Texas, whose AG felt that the deal didn't go far enough. This is an issue that carries a lot of weight with voters, and as New York AG Andrew Cuomo's of ISPs over their Usenet news feeds has demonstrated, easy political wins can be gained with little to no pushback from the tech industry.
Second, the social-networking sites: Facebook and MySpace, the 500-pound gorillas of the industry don't seem to be too keen to adopt any of the existing solutions pitched by vendors--primarily because the technology doesn't do much, won't stop abuse, and will cost the companies money. While News Corp's MySpace certainly has deep pockets and could easily pay a couple million for age verification software, the company appears to be resisting calls to do so primarily out of an urge to avoid a slippery slope. That is, if the social-networking site can be pressured into forcing its user base to jump through one level of inconvenient and burdensome verification, other demands will soon follow.
Third, the "solution" vendors: This collection of companies rely upon fear to sell their products--not so much fear of the abuse of children by predators, but the fears of companies and politicians that they will be accused of not doing anything. These firms are not selling complete solutions to the problem of age verification (since one does not exist)--but are selling excuses. That is, if social-networking sites purchase their products, and children are later groomed or abused online, the companies will at least be able to claim that "we've purchased and used the best age verification products that industry offers. Don't blame us--we've at least tried to do something."
The not so thinly veiled threat aired at the event was that if the industry didn't police itself, the various state AGs might have to push for regulation. The fact that the technology isn't effective doesn't seem to be a major cause for concern. All that really seems to matter, at least for the policy makers, is that the industry do something, which can then be sold to voters back home as a success in protecting little Jane or Johnny.
The offshore problem
The elephant in the room in this debate is the issue of foreign Internet companies. That is, if American social-networking sites are forced to implement oppressive and burdensome age verification rules, teens may ditch MySpace and head to a Chinese, Brazilian, or Indian Web company, where a user's age is not verified.
Internet users are a fickle bunch--that is, they are not particularly loyal to brands, and if a company's product ceases to be cool, users will leave in droves. As an example, just look to Friendster, which was at one point the most popular social-networking site on the Internet. Once MySpace offered a better, more enjoyable experience, Friendster turned into a cyber-ghost town. While the network effect is indeed a powerful and sticky force, a lame user experience will be more than enough to make users leave for greener pastures.
Now, as another example, consider the case of Napster, the first peer-to-peer file-sharing company. Remember that for a time, Napster was the most popular file-sharing tool on the Internet, with tens of millions of users. As an American company, once Congress got wind of the file-sharing phenomenon, it was able to hold hearings, and force the CEO of Napster to appear before the Senate Judiciary Committee.
Fast forward a couple years: Napster had been sued into financial oblivion, and America's teens had moved on to a significantly more legislation-resistant file-sharing platform--Kazaa. This file-sharing company, designed by three men from Sweden, developed by programmers in Estonia, headquartered in Australia, and incorporated in the south pacific island nation of Vanuatu, was global in scale, and for the most part, completely beyond the reach of America's laws.
Whatever you think of file-sharing, there is one thing that is beyond debate: Due to a change in the legal environment, Americans abandoned, en-masse, an American company's P2P offerings, and instead signed up for the services offered by a foreign company whose CEO could never be hauled before the U.S. Congress. Furthermore, while Napster was primarily a service offering free music downloads, the Kazaa platform offered easy access to music, movies, pirated software, and pornography (of both legal and illegal varieties)--all from the same easy to use graphical interface. That is, by chasing file-sharing underground, we completely gave up any possibility of lightly regulating it.
No one present at Tuesday's Task Force meeting had any solutions to this problem, nor were they too keen to discuss it. It would be cruelly ironic if in an effort to protect America's youth online, those same children were chased into the hands of unscrupulous foreign firms with little incentive to protect their users from predators and other forms of harm.
Update: The original version of this blog post included Sentinel in the list of companies who push weak age verification software to social networks. In fact, Sentinel has voluntary withdrawn its age verification products from the social networking market, although it continues to supply the easy-to-evade product to Hollywood movie studios.
Disclosure: I am a paid student fellow at the Berkman Center at Harvard University, which participates in and hosted the meeting of the Internet Safety Technical Task Force. In particular, professor John Palfrey, the chair of the Task Force, is also the Faculty co-director of the Berkman Center, where I work. I have neither consulted with Palfrey, nor any of my other colleagues at Harvard with regard to this blog post. It reflects my own opinions, and certainly not those of Harvard or any of the other people associated with the Berkman Center.