The ID Space

On December 17, 2008 we submitted a supplemental Member Statement to the Internet Safety Technical Task Force’s Final Report. The report was delivered to the Attorneys General on December 23 and made public today. The final report was not a consensus document and the Member Statements served as an avenue for us to state our comments and/or objections in a one-page format with a link to additional information if needed. This blog post is dedicated to expanding on the points we presented in our Statement as well as to address the reoccurring arguments we heard from certain Task Force Members this past year.

Our original Statement can be found in Appendix F of the Final Report and is as follows:

Statement Regarding the Internet Safety Technical Task Force’s Final Report to the Attorneys General

IDology, Inc finds issue with the Final Report and recommendations regarding the use of identity verification (IdV) and age verification solutions because:

• There are several technologies that exist that can help keep kids safe when used in a layered approach
• Policies of Social Networking Sites (SNS) rely on age and identity segmenting to protect minors and restrict content access as outlined in Appendix E of the report yet the verification processes are ineffective
• Terms of Service for most SNS require members to register with true and factual information about themselves making identity verification feasible
• Identity and age verification is commercially reasonable and being used today in numerous commercial applications including verification pursuant to government regulations
• The recommendations were developed around the perception that there is minimized risk to minors based on research; however, the scale of SNS is not taken into context so that even a small percentage of risk translates into millions of people
• The researchers admittedly report that there are limited numbers of large-scale studies and that there is no research regarding the online activities of registered sex offenders which was one of the major areas the Task Force was to study

Using IdV and age verification helps protect kids from 2 of the 3 threats the report outlines including sexual solicitation and access to problematic content.  Overall IdV and age verification:

• Is commercially reasonable and verifies individuals 18+ that are legitimate identities
• Provides a higher knowledge-based authentication method to verify someone is who they claim to be which is proven and effective today in helping businesses prevent fraud and identity theft in multiple industries
• Can help law enforcement locate an individual if there is inappropriate behavior from an adult toward a minor
• Separates adults from minors and prevents minors from accessing restricted content

Using IdV and age verification is a policy decision not a technology issue.  The Task Force agrees that IdV is effective in certain environments; however it did not adequately discuss ways technologies and policies could be layered together and used to reduce risks to children.  The Task Force does not provide best practices to solve the problem we were charged with examining and the report is based on limited research.  The report criticizes effective technologies while promoting the limited steps SNS have taken.  There is clearly much more work and vigorous discussing needed.  For more information on IDology’s position, visit www.blog.idology.com tag word MySpace or Internet Safety Technical Task Force.

While our Statement concisely captures our points, we want to expand upon our comments related to the Final Report:

1. The Task Force took the approach of looking for point solutions that would be the silver bullet to the issues of online safety for our children. The Task Force did not take the more logical step of determining how layering technologies could improve online safety by supporting the steps that Social Networks have taken or should take.
2. There is limited large-scale research and no research available on sexual predators online activities. The Final Report attempts to minimize the risks to minors from sexual predation and does not factor in the scale of Social Networks which we know is immense.  Further this minimized risk is based on statistics from studies which state: “Youth identify most sexual solicitors as being other adolescents (48%; 43%) or young adults between the ages of 18 and 21 (20%; 30%), with few (only 4%, 9%) coming from older adults and the remaining of unknown age (Finkelhor et al 2000; Wolak et al 2006).”  First these are studies that were completed before the accelerated growth of certain Social Networks.  Second, the Final Report’s emphasis on the “few” older adults is understating the issue as the above numbers indicate that 54% to 57% (more than a majority) of sexual solicitors are either over the age of 18 or their age could not be determined.  Given the limited large-scale research available, the lack of actual research relating to sexual predators online activity, the scale of Social Networks (MySpace indicates that its site has 122 million monthly active users) and that the majority of sexual solicitors are over the age of 18 or their age could not be determined, there is still substantial research to be done before a conclusion can be determined on the extent of online sexual predation on minors.
3. Age and identity verification is commercially reasonable technology that is being used today in social networks to create walled gardens by separating adults and minors.  An example includes SecondLife (operated by Task Force Member Linden Lab) which is using a third party to verify age.  And some Social Networks highlighted in Appendix E including MySpace and Facebook, already rely on age and identity segmentation for their members but use ineffective verification processes including relying on the honesty policy.  An example of current age and identity segmentation on these sites can found in Appendix E where MySpace states that it “restricts the ability of younger users to access age-inappropriate content.  For example users under 18 are denied access to age-appropriate areas such as Romance & Relationship chat, forums, and groups:  all groups designated as Mature; and Classified categories such as Personals and Casting Calls.“
4. No Best Practices and Recommended Guidelines were provided to solve any portion of the problem, even though several technologies exist and can be layered together to address certain issues the Task Force was formed to examine.

While most agree there is no silver bullet to address all the issues, this fact proved to be detrimental.  A “it is not effective to police the whole Internet” approach was taken versus a “what baby steps can be taken today to improve online child safety in Social Networks” approach to determine ways in which technologies could be used together today to address a portion of the problem.  Starting at a baseline that not one solution solves all problems, we believe the Final Report would have been more useful to Social Networks and law enforcement had we examined different risk scenarios and discussed ways technologies could be used versus looking at each technology in a silo.   For example, creating a walled garden by using identity and age verification to establish an “adult” garden separates the pool of members.  This approach combined with moderation, filtering, access controls that some Social Networks have already implemented, and education of minors and adults is a step toward a solution.

During the year, IDology presented to the Task Force the ways identity and age verification work and how this technology keeps kids safe.  Our presentation focuses on how age and identity verification is being used today in social networks and in other industries.  Over the course of the year, we heard several arguments related to the use of identity and age verification which we feel are important to address again:

1. “Not international in scope” - several countries are addressing the issue of age verification and the Task Force did not evaluate what other steps or regulations have been established in other countries in its analysis.
2. “Costs of making widely available to the public” - identity and age verification has a cost associated with it for Social Networks.  There is no economic impact on consumers unless the site charges a premium for its  verification service.  Some Social Networks have taken this approach in regard to restricting access to adult related content.  It is our belief that cost is the white elephant in the room as to why certain Social Networks choose not to use identity and age verification to verify their adult members.  As with a bricks and mortar company, age and identity verification is a cost of doing business.
3. “It is invasive and violates privacy issues” - identity and age verification requires minimal information from the consumer most of which is already being captured by most Social Networks.  Results of verifications are limited to the validation of the claim versus sharing data.
4. “Prevents anonymity” - providing anonymity should be supported through profile settings and screen names.
5. “Kids can fool the system” - a higher level of verification such as dynamic knowledge-based authentication prevents members from joining using someone else’s identity credentials.  This is a technology that is being used today to stop fraud and identity theft and is a compliance requirement in some industries.
6. “It doesn’t verify kids” - the limitations of any age verification solution are based on the availability of data and where minors are concerned this data is protected.  However, identity and age verification does identify adults and can be used to establish an adult walled garden community with fewer restrictions related to content and activities.  Several Social Networks are already doing this including Task Force Member Linden Lab within SecondLife (see Linden Lab’s Member Statement in Appendix F)

Our Thoughts on Next Steps:

Many of the necessary components are available today to develop a better process for Social Networks to protect children online.  It involves a multifaceted approach which includes parental involvement and education, employing layers of technology (identity verification, filtering and moderation) and strengthening the steps the Social Networks have taken to monitor activity while establishing effective means of separating unwanted activities between adults and children.

Although some may believe that the Internet should make us suspend the community rules that we have established to protect minors in the physical world, the reality is we need effective ways of establishing those community rules for the Internet.  For example, in our bricks and mortar world most parents talk with and educate their children about underage drinking.  Law enforcement and associations such as Mothers Against Drunk Driving develop awareness programs aimed at teens about the dangers of drinking.  However, if a teen walks into a liquor store we still rely on the fact that the sales clerk will ID them.  In other words, there are multiple checkpoints to try to prevent underage drinking.  As our online communities continue to grow businesses, consumers, and law enforcement need to work together to mirror the protection standards we all enjoy in our “real” communities that keep our children safe.

We would recommend the following as next steps:

1. Accurately establish the walled garden approach some Social Networks have already taken by using id and age verification methods.  Clearly the Social Networks see the security value in separating minors from adults through the practices they have put in place today related to minors.  For example, both Facebook and MySpace provide restrictions for ways minor profiles can be searched, how  friends are established with users under 18, and the default privacy settings of minor profiles (see Appendix E).  While the data availability limitation prohibits an identity and age vendor from verifying the age of a minor, it does verify adults.  There are two issues that cause an identity not to be verified:  the person is either under 18 or the person is a lying adult.  Both these situations warrant limiting the actions people can take within an unverified community to better protect our children.  Additionally, creating a walled garden doesn’t mean that no interaction is allowed between verified adult members and unverified members.  This type of walled garden creates a safer, more positive experience for adults, such as teachers, coaches, and relatives to interact with minors.  And should something inappropriate transpire between an adult and a minor, having a verified community better supports law enforcement.
2. Best Practices and Recommended Guidelines for online safety should be developed.  This is a natural progression given the tremendous growth of Social Networks.  For example, CTIA has established guidelines for the access of adult related content that would be useful for Social Networks.  The Task Force did not fully study, discuss and evaluate how other industry guidelines (telecommunications, alcohol, tobacco, movies, etc.) have been established to protect children  online.
3. More research needs to be conducted around sexual predator activities online.  Both law enforcement and Social Networks need to work better together in communicating and sharing information to better protect minors.
4. Continue education efforts toward parents and kids alike.  IDology fully supports the education efforts, as well as technologies that empower parents, which have been made to date.  Our stance regarding age verification has always been “it takes a village” (see our age verification whitepaper published in 2006).  Technology solutions and education efforts are complementary to each other and should never be considered as “either or” solutions.