Schneier on Security
A blog covering security and security technology.
November 21, 2008
Online Age Verification
A discussion of a security trade-off:
Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat -- the menace of online sex predators -- with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.
It's an old story: protecting against the rare and spectacular by making yourself more vulnerable to the common and pedestrian.
Posted on November 21, 2008 at 11:47 AM
And given the past history of Saturday morning marketing to children, why would we think otherwise when it comes to marketing on the internet? I believe that most of the information collected about people, regardless of visible intent, is for marketing purposes.
> I believe that most of the information collected about
> people, regardless of visible intent, is for marketing purposes.
This is certainly a common driver in the post-1995 internet world.
I really hate this kind of discussion.
Just now in Germany they are again trying to force the ISPs to install filters against child pornography. Yes, that is a horrible crime, but these filters will *not* make any useful contribution to this.
The only thing you would create with such filters is a rather good instrument for censorship. The Chinese firewall shows how this works: If you filter all or nearly all traffic you can keep most "evil" sites out. But at the same time there will still be numerous holes. So if you are a criminal seeking CP, you will find these holes. If you are a normal citizen, you probably will not risk using means that might be illegal to seek dissident information.
If you have "working" filters it is a much too high stake to add more and more sites to it. Terrorist propaganda? Bomb building guides? Hate sites? Copyright infringers? Anything that might insult the religion of someone somewhere on the whole planet?
Back to the original topic:
One of the fundamental security rules is that enumerating badness will not work. And that also dooms any such filter.
Why don't the concerned parents install a whitelist on their computer? Or alternatively create a special tariff on the ISP level to do this on an opt-in basis.
If the social networking sites start allowing younger children with verification, and an adult can find a way to get "verified" as a child ... in some cases, we might be worse off on child safety than just knowing that we don't know.
Crass commercialism meets child porn and predators. Local apartment guides now show how many sexual predators are supposedly living within x miles of an apartment, but don't show how many miles of junk food, toys, and other crap kids are exposed to. The mundane is much more dangerous on average than the spectacular, but only the latter gets headlines.
Even if there wasn't a threat in the first place, the simple act of gathering the user's personal information *creates* an environment that is ripe for abuse. As misguided as it is to attempt to do online verification of someone's age being over 18, it is nothing short of creepy to mandate building a database of kids verified to be under 13. I've just about had it with all these perverts who constantly "think about the children".
I first read about this a few days ago. I was amused by the marketer's spin. "When children go to Web sites today, they are already exposed to ads," said Ron Zayas, eGuardian’s chief executive. Sure. But to an 8-year-old, a Lexus ad is a pretty picture. A cereal or toy ad is something to ask mom or dad for.
Michael Seese, Author of Scrappy Information Security
While I agree that more kids are damaged through junk food than online predators, it bothers me that this comparison is being made. These are two completely different risks with very different consequences and different levels of control. I'll avoid the small risk of predators over the common risk of seeing across a junk food ad any day.
This will (mostly) fail. Some sites that require everyone to be 18+ have people as young as 12 frequent them. Who would give up their child's privacy for ads? This will be more underhanded. More importantly, how do we know the database would be secure?
Ben Robinson wrote: 'If the social networking sites start allowing younger children with verification, and an adult can find a way to get "verified" as a child ... in some cases, we might be worse off on child safety than just knowing that we don't know.'
This is not far fetched. People have faked having children for government benefits. I once read about a case where a farmer obtained social security numbers for his piglets so he could claim them as dependents on his tax filings.
@ 'If the social networking sites start allowing younger children with verification, and an adult can find a way to get "verified" as a child ... in some cases, we might be worse off on child safety than just knowing that we don't know.'
True. Most online verification is based on the belief that the information submitted is possessed by the right person. I don't see how such verification can be possible for children.
Of course, they obviously need for people to specify their age, but I believe the only way to get reasonable compliance with this requirement is for there to be severe penalties for impersonating a child, especially for attempting to meet (or meeting) a child through impersonation of a child. How to best accomplish this would be a difficult process, but penalties would have to be both well published and carried through on.
The other problem with age verification companies getting serious relationships with advertisement targeting companies is that it provides a monetary incentive towards meeting the advertising company's needs rather than that of the registered children (particularly since AFAICS the entire "child's" fee gets passed on). There's a similar problem with credit ratings agencies: because they get money from the people checking on you, there's a mild incentive to keep any possibly true "negative information" on your file as that's the safe position for their customers, rather than an incentive to get an accurate picture of you.
Now I don't know how those incentives might work here: if a predator manages to co-opt an identity that's in an area of affluence and high pester-power children might that identity get scrutinised less rigorously than one in a poorer neighbourhood? Sounds far-fetched, but those are the sort of things crossed economic incentives give rise to.
This process is not only difficult, but impossible. Just how would you prosecute such a minor violation as lying about your age, if it seems not possible to get a real CP site shut down? And how do you think this will work if the server is not in the US, but the UK, Germany or Mongolia?
Also the requirement of a verification of age is not practical. It would mean (in my opinion) to do away with the basically anonymous www access, as you would always need to transmit a verifiable ID for the age check. And it's nearly guaranteed that such an ID would be misused for tracking users.
Why not go the simple way: Each parent can very very easily and 100% correctly check the age of their children. And implement a filter according to that age. (Or let their ISP filter their access for this age level)
@tk: "This process is not only difficult, but impossible."
Correct, there is no way to absolutely verify age. But in instances where impersonating a child is detected, it can be punished. This can serve as a deterrent.
@tk: "Why not go the simple way: Each parent can very very easily and 100% correctly check the age of their children. And implement a filter according to that age. (Or let their ISP filter their access for this age level)"
Same reason the above is impossible, is because this would do nothing to prevent someone from impersonating a child. It would do no good for you to set your child up, then for me to set myself up as a child and we interact.
I apologize if I was misunderstood. I'm not recommending the impossible. I'm recommending we do what is possible, which is prosecute anyone found to be impersonating a child, particularly if they meet one through this impersonation.
We don't catch all drug dealers, and we never will. But stiff penalties do deter some. Same concept.
"While I agree that more kids are damaged through junk food than online predators, it bothers me that this comparison is being made. These are two completely different risks with very different consequences and different levels of control. I'll avoid the small risk of predators over the common risk of seeing across a junk food ad any day."
How about the ads for casual wear / sports clothes and "running shoes" where there is a little logo prominently displayed to show it is "the real thing"?
And modern school society where your child gets socially excluded, bullied or driven to suicide because you cannot afford the logo for your child to "belong"?
What is the risk of that -v- predators, and are you going to bet on the odds of your child's death by predator or suicide from bullying?
I think maybe I was misunderstanding. We can pull issue after issue and risk after risk into this debate. I'm simply saying that they are tough to compare.
As far as bullying, I got bullied for not wearing the right jeans, and if I had the right jeans they'd find something else. Basically, I was the smallest kid in school and suffered accordingly--they just found anything else they could until I grew up and was able to thump them. I'm not sure saying bullying due to ads is worse is the way to go either.
There has to be a better way. predators are a problem. so is junk food. so are bullies. i don't see where dealing with them is mutually exclusive. Different risks, different consequences
great, so now we have a database of 750,000+ children under 13 that can be hacked into, and the information peddled on the black market to the highest bidding kiddie-porn-predator-cliche monster alluded to above... sound far fetched? it's just as likely as a predator data-mining social networking sites for victims...
the one component i never seem to hear in these arguments is a rather simple one and relatively low cost - active parenting.
now before everyone spews hate posts and gets defensive, i am not saying everyone posting is a bad parent (for those who are parents). what i am saying is it seems our society in general looks to the industry, whether it be software, media, music, or to "protect the children". put some of your own regulations and stipulations into play as parents. here's a thought - TALK to your children about what's out there, in terms they can understand and appropriate to their age. Then - and here's the kicker - FOLLOW UP on it. Have them tell you when they are online. Sit down with them and participate in their exploration and learning.
Are kids still going to do "stupid" things? sure. Are they going to break the rules occasionally? I know I did. But at least when I did, I knew where the lines were drawn, and I knew what was out there. You will never be able to fully "protect the children". Plain and simple. But what you CAN control, is the information they are given to be able to arm themselves as they delve into the "big bad" that is the internet.
A different take on this dynamic [it seems our society in general looks to the industry, ...to "protect the children"] is suggested by Robert B. Laughlin in his unevenly reasoned The Crime of Reason. [Basic Books, Perseus Books Group, Philadelphia, PA, 2008]
From his take, children (and other unanswerable vulnerabilities) are commonly used as an excuse to sequester knowledge.
"There are several social forces that seek to sequester knowledge, (the chief of which he identifies as commerce), and there are several techniques to do so.
"To consider the whole dynamic more broadly than he does, there are different grades of communicated knowledge, and each has one or more communities of governance deciding its content for us:
1 - publicly shared knowledge [what we learn in school, so everyone has a chance to know it],
2 - the knowledge shared within a social compartment of interest [professions' jargons],
3 - trade secret knowledge [which bestows a functional or commercial advantage on the holder to the degree others do NOT share it],
4 - criminal knowledge [used to advantage criminals in the performance of their criminal activities],
5 - police investigational knowledge [kept almost entirely secret to enable investigators to detect those others in possession of the criminal knowledge, and hence place them in the category of those most likely guilty of a crime - post-hoc profiling],
6 - underground knowledge [being passed secretly to communicate more widely abroad apart from, to avoid, or even in defiance of, the governance's restrictions]
7 - and state secret knowledge [kept secret from everyone without a need to know, as decided by, and for the benefit of, the state served by that government].
"In the past the biggest social problems were keeping proprietary secrets secure, and rarely shifting lines around the knowledge, as social jurisdictions shifted in competition with each other, as controlled by competing hierarchies.
American society was founded on the ideal of disempowering most of these hierarchies' control of knowledge.
"Anonymous communication, amplification of communication, recall, and access, all have now caused great leakage across these lines, formerly controlled by commanding institutions, which will continue to flood, despite rushed and ill-considered legal measures to try to prevent it.
"The question "Does knowledge make one more secure or insecure?" thus gets parsed according to how much enabling of change, identifiable accountability, and recoverability from consequence is bestowed on people as awareness and its reach is increased.
"As by definition, most of these governances are seeking to restrict or sequester knowledge, and so are interested in security through exclusively advantageous information, the trend is toward increasing restrictions against sharing knowledge to impede the risk of knowledge breakthroughs, according to Laughlin.
"Perhaps this is a motive for the oligopolization of research. After all, the happy ending on Idie is to crate the artifact into obscurity in Colorado, rather than to deploy it for the amazement, wonder, and edification of all others."
- quoted for Bruce Schneier's blog by permission of the author from a review of The Crime of Reason, by Alex Khan, (c) 2008
"There has to be a better way. predators are a problem. so is junk food. so are bullies. i don't see where dealing with them is mutually exclusive. Different risks, different consequences"
I agree that dealing with threats should not be mutually exclusive, but disagree about the risks and consequences.
There are risks with just about everything we do in life; they all have consequences, sometimes good, sometimes bad.
However as humans we are bad at assessing gains and losses; we have many sayings encouraging ridiculous odds taking such as "nothing ventured nothing gained", "you have to be in it to win it" etc. Despite ridiculous odds of lotteries we say to ourselves "somebody has to win and it could be me"...
But when the risk goes bad the only real difference is the degree of hurt. As adults we generally grudgingly accept this for ourselves as individuals.
But what about our loved ones, friends, lovers, family and for those of us lucky enough to have them our children. Do we accept for them what we accept for ourselves?
In general, no we don't, nor should we, so why do we allow ourselves to be forced to do so by others?
Those whose only motivation is some kind of personal gain, and who also do not appear to care about the consequences of their actions?
Which is a simple definition of a predator.
But what is their "personal gain"? If it is what we generally regard as causing direct harm against others, then few would argue they are not predators.
But what if it is influence, power, or fiscal; as it does not cause direct harm, are they still predators or not?
And what about information or knowledge, of others?
Or at the other extreme, because they believe they are doing good such as to "protect the children", could they be considered as predators?
At face value probably not, but what of the side effects of their actions?
Do they even think about the potential harm of what they do, do they even care?
In general no, for several possible reasons, in the worst cases because they have no morals, in others because they discount the possible effects of their actions, and others because they are not aware of the possibility of the side effects.
Those who read this blog on a regular basis will (possibly) have read and remembered that I'm very very opposed to information being collected on children and put in databases. Be it by government, transportation organisation, marketing organisations, schools or doctors. Not because I believe that they are "intrinsically evil" (although there are bad apples in all walks of life) but because they never ask themselves "what could a bad person do with this data".
And because they rarely ask they may not be directly harmful predators but their actions certainly give rise to harm (identity theft from details sold by credit reference agencies for instance).
Which brings me back to your point,
"There has to be a better way."
Yes there is, firstly accept that personal data belongs to the person and that they have rights over it at all times.
Also that the collection of personal data cannot be anonymous; it is always traceable to the individual at the point of collection and potentially at all points thereafter.
Further recognise that any personal data collected always has attendant risks and the risks increase not just with the quantity of data collected both from the individual and the number of individuals but also with time.
Therefore act to stop people needlessly collecting, keeping, aggregating and distributing personal data.
And if you believe there is sufficient need to collect and aggregate data, collect the minimum data needed and properly anonymise it before allowing only necessary and traceable access and take action to prevent redistribution of the data.
And if the data cannot be anonymized ensure access is strictly limited to those who have been properly checked and maintain a high level of audit, and only allow access in a way that the data cannot be copied except by memory.
And at all times ensure that any theft of electronic copies of data is effectively worthless by suitable protection methods.
Although this will not stop random predation, it will limit targeted predation, which is a start.
Have you talked to your kids about lightning safety? A child is more likely to die from a lightning strike than to be abducted by a stranger.
The "pervert meets child online and convinces child to meet in real life" thing is an invention of the media, and is not a significant threat.
This has been studied: in cases where a child (teen) goes to meet an adult in real life, after first meeting him online, the following is usually true:
1) The child knows that the adult is an adult.
2) The child goes to the meeting with the intention of having sex.
3) It is not the first meeting (i.e., the pair meets many times).
Not exactly internet-specific, just the same sort of seduction that has happened for centuries. An internet filter is *really* not the parent's best answer to that situation.
BTW, I wasn't joking about lightning: talk to your kids about lightning safety (especially in Florida) - it's a darn good risk prevention payoff for a 15 minute discussion. Of course, driving safely counts for more than preventing every "newsworthy" threat combined.
I believe the only effective protection for children is to give them a) a good sense of when they are out of their depth and b) the trust to ask a parent when they are. They may still run into stuff that can trouble them, but parents can neutralize most/all of it. I think nobody else can. Of course that also means if the parents do not care, then the children are lost and nobody can really help them. Sad, but true. There is no replacement for an understanding, caring and strong individual protector (or better a pair of them) for each child.
Exactly my point.
And I am certainly not saying things can't be done at the industry/technology level. However, I think the "kiddie-database" being proposed is not going to be as effective as tackling the issue at ground zero.
BTW, you should have seen the look of awe on my 10 year old's face when I told him I could see where he went online (grin). I know the awe will fade once he figures out how to look up browser histories, cookies, etc, but hey... it's cool now.
Skorj, thanks for the common sense.
This whole discussion is stupid. You don't leave your porn collection in your kid's bedroom, why would you leave a computer with a network connection? Leave the thing in the common area until they are old enough to know for themselves.
"Have you talked to your kids about lightning safety? A child is more likely to die from a lightning strike than to be abducted by a stranger."
Silly point. Are you factoring the neighborhood? Some places have no lightning, while others have a high density of registered sex offenders.
Anyway, online age verification is inevitable when you have advertisers trying to work with regulations related to age. They want to keep advertising and so they are under pressure to find a way to prove they are doing their best to avoid broaching child-protection rules.
I'm sure that reasonable solutions can be found, but one thing that we need to be careful of is the risk of parents and children having a false sense of security.
Such biometrics may make it tougher for someone to claim they are a child, but, based on what you said it seems that 1) there will be an error rate, and 2) people tend to find ways around security.
As discussed above, I'm not a fan of spending too many resources on unlikely risks, but that doesn't mean I want to ignore risks that have huge consequences, even if they are rare.
I work for an entity that deals with cases where children have been victimized on the Internet, so perhaps I see more of it than exists on a percentage/probability basis. However, in most instances of children victimized, they had a computer in a private area of the home such as their bedroom. Had the computer been in a higher traffic area of the home, it would have further reduced risk of child exploitation (as well as lessening the children's exposure to inappropriate content). So it makes sense to continue to educate parents since it covers more common risks as well as less common ones.
Basically, and this has gotten long, I do fear over-dependence on biometrics may provide a false sense of security that may make exploitation easier once a predator gets in. Similar to the discussions on this site about how some security measures create a dangerous group--threats we have no reason to suspect, so they passed the test--such online controls may create a similar group--predators who have managed to be falsely verified to impersonate a child.
This is an issue when you want to use a service for free.
Either you pay for the service (in which case pay the social networking site a fee for using its service and the site will provide content with strictly no advertisement)
or use the service for free (with advertisements; don't complain as long as the advertisements are not inappropriate).
Hoping for a free service without advertisement...aren't we asking for too much?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.