It is easy register as a user on a site using a different identity than the actual one. A 14 year old can pretend to be 25 and set up a profile on most social networking sites. As a result, minors have been able to find their way onto sites that were intended for adults. In some cases, they have become the victims of child predators whom they met online. Governments and legislators are looking at age verification as a way to protect minors from inappropriate contacts on the Internet. This article explores some of the issues raised by age verification and looks at the status of laws and government enforcement actions that focus on keeping minors out of sites that are not intended for them, or not prepared to handle them.
The case John Doe v. SexSearch.com (Case. No. 3:07 CV 604 U.S. Dist. Ct N. District of Ohio) provides an example of encounters that may result where there is no verification of the age or other information provided by a registrant. SexSearch.com offers an online adult dating service intended for a mature audience. For more detailssee the version of this article published in the Shidler Journal of Law, Commerce + Technology Shortly after he became a member of SexSearch.com, John Doe located Jane Roe’s profile, which provided Jane Roe’s birth date, her age (18), and an authentic image of Jane Roe at her then-current age. After chatting online through SexSearch.com, the two decided to schedule a sexual encounter. The meeting went as planned, and the two engaged in consensual sexual relations. However, Jane Roe was actually 14. A few weeks after their encounter, John Doe was arrested and charged with engaging in unlawful sexual conduct with a minor, which exposes him to 15 years in prison, and a classification that might include lifetime registration as a sex offender.
2. New Rules Affecting Social Networking Sites
In attempt to address the dangers to which children are exposed, States Attorneys general have investigated major social networking sites in order to identify complacent practices. The settlements between a coalition of 49 State Attorneys General (all US States except Texas) and MySpace and Facebook provide guidelines for best practices that social networking sites should implement.
The January 2008 settlement with MySpace requires the implementation of design and functionality changes to the site and the development of education and tools for parents, educators, and children. MySpace has agreed to cooperate with law enforcement to deter and prosecute criminals misusing the Internet, and to develop a new set of privacy protection standards. It will hire a third party to compile a registry of email addresses provided by parents who want to restrict their children’s access to the website, and will bar anyone using an email address listed in the registry from signing up or creating a user profile. In addition, MySpace will improve the algorithm used to check for underage users and will keep closed a section of its site called “high school” for users under 18. It will automatically change the default setting from “public” to “private” for profiles of users under 18, and restrict requests from others to be their “friends”.
The May 2008 settlement with Facebook contains similar provisions. Facebook has agreed to add over 40 safeguards to protect young users from sexual predators and cyber bullies. It will ban convicted sex offenders from its site and will limit older users’ ability to search online for subscribers under 18. Facebook will ensure that companies offering services on the site comply with the new safety and privacy guidelines.
3. US Legislative Activity
The risks to which children and minors are exposed when using social networking sites have prompted legislators to introduce bills in order to address these issues. In September 2008, the US President signed into law two bills aimed at protecting children.
Senate Bill S. 431 (Public Law N. 110-400), Keeping the Internet Devoid of Sexual Predators Act of 2008 – or “KIDS Act of 2008” – requires sex offenders to register their email addresses and other Internet identifiers with the National Sex Offender Registry. This information is exempt from public disclosure, but social networking sites are allowed to compare their records against the database.
Senate Bill S.1738 (Public Law N. 110-401) “Providing Resources, Officers and Technology to Eradicate Cyber Threats to Our Children Act of 2008” – or “PROTECT Our Children Act of 2008” – requires electronic communications service providers and remote computing service providers to report content, correspondence and other illegal activities related to child abuse and child pornography. If they have identified an individual who appears to have violated the law, they must provide law enforcement authorities with the identity of the individual, his email address, IP address, URL, and other identifying information they may have collected.
State legislators have been very active, as well. Numerous bills requiring age verification measures on websites were proposed in North Carolina and Connecticut in 2007, and Georgia, Illinois, Iowa and Mississippi in 2008. Bills mandating that convicted sex offenders register their e-mail addresses with the state were also introduced in Kentucky, Virginia, and Arizona.
4. Children Online Privacy Protection Act
The Children Online Privacy Protection Act (“COPPA”), which became effective in 2000 does not deal directly with child predators or cyber bullying issues. It regulates the collection online of children personal data primarily in connection with marketing. The law requires websites to identify users who are under 13 and to use specified precautions when collecting, using, or retaining children’s data such as full name, home address, email address, and hobbies, and information collected through cookies and other tracking mechanisms when they are tied to individually identifiable information. The guidance issued by the Federal Trade Commission requires websites to use an age screening mechanism that asks users to provide age in a way that does not invite falsification (neutral age-screening). For example, a temporary or permanent cookie may be used to prevent users from back buttoning and entering a new age to circumvent the screening mechanisms.
Since the late 1990’s, the FTC has conducted numerous enforcement actions against sites that collected children information. For example, it assessed a $1million fine against Xanga. Although the Xanga site sign-up process stated that children under 13 could not join, it allowed visitors to create profiles even if they provided a birth date indicating that they were under 13. Under the consent order, Xanga will periodically provide the FTC with descriptions of the methods used to obtain parents verifiable consent and the methods provided for parents to review personal information collected from children. It will also clarify why each type of information collected from children is necessary for the particular activity, and will identify the procedures used to protect the confidentiality, security, and integrity of the information.
State Attorneys General are also actively prosecuting COPPA violations. For example, in April 2008, the Texas State Attorney General completed an action against Doll Palace Corp. whose site required users to provide their age, as part of the sign-up registration process. The users were then presented with a screen stating “The site requires that you have permission from a parent if you are under 13. Do you have a parent with you now?” Following the statement, the user was required to click a “yes” or “no” box in order to continue. The Texas Attorney General found that a company “cannot take on a veil of innocence by hinting to underage users ways to bypass age verification requirements”.
5. Child Registry Laws
Utah and Michigan have addressed the protection of minors from solicitations for the purchase of illegal products or substances by enacting their Child Registry Laws in 2005. Both of these laws allow individuals to register “contact points” of minors (email address, phone number, and fax number). They prohibit sending a communication to a contact point that is registered in the State Registry if the communication advertises a product or service that a minor is prohibited by law from purchasing, or that is harmful to minors: gambling, pornography, alcohol, tobacco, and illegal and prescription drugs. Marketers who wish to advertise products or services that are covered by the law must compare their list against the registry list before sending their emails.
6. Electronic Authentication
To date, legislators have stayed away from age verification, and have opted to address the issue of child predators and the dangers of social networking through measures that would prevent sex offenders from accessing the sites. There are many other powerful ways available. See for example, the services offered by ChoicePoint and IDology.
Identity verification through electronic authentication poses numerous legal questions. The identification process requires the collection of personal information by the identity provider, and the disclosure of this information to the social networking site (relying party). What information would have to be collected by the identity provider? How much of this information may it disclose to the relying party? What security measures should be used to protect the information? Can this information be reused for purposes other than identification, such as targeted marketing? If information is transferred across borders, foreign laws restricting the transfer of information outside a country may apply. There are also liability concerns. What happens if there is a faulty authentication and the applicant is granted access to a site when he should have been excluded? Who will bear the risk associated with a faulty authentication?
7. Other Complex Issues
There are many issues surrounding the concept of age verification. Verifying a person’s age is likely to require access to more information than just age so that the person is authenticated. When the disclosure of a person’s identity is required, numerous privacy and security issues arise. There are also concerns about errors, the consequences for these errors (data spills, people being wrongfully accused, identity theft) and the liability for these errors. There are also questions about human rights and freedoms.
In order to be able to verify that an individual is not part of an excluded category, databases will have to be created. Who would be responsible for managing these databases? Which security measures would have to be used to protect this information? How would errors be identified and corrected?
Age verification systems require the collection of personal information. As such, they are privacy invasive. In order to protect children, should adults only be “tagged”, so that an individual would be deemed a child if he / she is not listed on the databases? What would be the content of such a database, and how much information would be required to authenticate a person and label that person an adult?
Even if all websites were classified or labeled “PG 13” or “R” like movies or video games are, and if it were possible to create a technical solution that would be easy to implement, it would still be necessary to balance the legitimate individual rights and freedoms against the need to protect children from predators or from content that might not be suited to them. Identification requires knowledge of, and access to personal data. Would it be possible to have robust age verification, but still protect privacy? Would the right to access information anonymously be undermined? The “Children Online Protection Act” or “COPA” (not to be confused with the Children Online Privacy Protection Act or COPPA), which was adopted to restrict access to material defined as harmful to minors on the Internet, has been repeatedly struck down by courts on the grounds that it violates the constitutional right to free speech under the First Amendment to the Constitution of the United States.
8. Global Issues
Abroad, several countries have issued recommendation and guidance on the protection of children online in connection with access to social networking sites. The United Kingdom has issued a social networking guidance for the industry, parents, and children, aimed at helping minors interact safely on the Internet. The comprehensive report recommends that social networking websites offer strong privacy protection procedures, and use identity authentication measures. In Spain, the Data Protection Agency published a privacy handbook for children and parents that addresses the risks to which minors are exposed online, and provides recommendations.
However, local initiatives are not sufficient. The global reach of the Internet creates thorny issues. A country-centric age verification regime would fail when minors can access foreign-based websites located in more permissive legal regimes. Even if countries wanted to cooperate on age verification, they would be hampered by thorny definition issues. While most countries have adopted 18 as the age of majority, in Japan, Taiwan, Thailand, and the Republic of Korea, the age of majority is 20. In Singapore, Monaco, Honduras, or Egypt, it is 21. The same disparities appear in the United States. While the age of majority is 18 in most US States, it is 19 in Alabama and Nebraska, and 21 in the District of Columbia and Mississippi. With such disparities, the implementation of a global age verification regime becomes highly problematic.
Is age verification the cure to the problem of child predators and other dangers? Even before the Internet and social networking sites, society has struggled to prevent teens from using fake identification documents and other fraudulent means to gain access to restricted goods or content, such as alcohol, tobacco, or sexually explicit material. Can we hope to succeed in identifying and authenticating individuals on the Internet when children’s creativity and ingenuity – and adults’ complacency – have made it impossible to achieve reliable identification or authentication in the brick and mortar world? While age verification measures may provide viable safeguards if adequately designed and implemented, parents and schools have a crucial role in protecting children and minors from the dangers of the online world. The Internet cannot be used as a babysitter or a nanny without proper supervision. It is important for families and schools to keep educating children about the risk they may face while online, and to monitor their use the Internet.
Palo Alto, CA January 2009