[OpenID] OpenID and the COPPA
tom
tom at barnraiser.org
Fri Apr 4 05:43:57 UTC 2008
Hi Brendon,
In Sweden under-18s are not allowed into bars and clubs. These
facilities are required to forbid access to under-18s, which is why
you'll find a security guard checking IDs on the front door of any bar
in Stockholm. They can do this because people in Sweden have a national
ID card (kind of stating the obvious here, but it is important to draw
parallels with real world examples of access denial).
On the web we can put many barriers in place, but until we can prove
that they are in fact over 18 and not lying then we cannot guarantee any
check or guarantee denial of service. In fact all we can do in a court
of law is say "we clearly pointed out that they should be under 18" and
it is not our fault that they lied or did not understand this.
In short, we have no way of knowing if someone is under 13, hence we are
unable to apply any form of security check which we can in real life
using an ID card.
So the real onus here is on the parent. Parents can load software such
as Net Nanny, CYBERsitter or CyberPatrol (there are many others) which
have web filtering where they can deny access to domain A and allow
access to domain B, hence they do your work for you because the child
won't be able to get to the original "bad" site from which to
authenticate from.
In short we have no age verifiable ID card on the web so we have to rely
on parents deploying software to protect their children and on
legislation to stop service terminal access to children (for instance,
stop Internet cafe owners allowing Internet access to children).
Make sense?
[side note on age checks]
I have seen many web sites that deploy age checks via credit checks. You
pay 25USD via a credit card and they use that to check your age. In fact
they do not. A credit card check does not reveal age. Visa specifically
tells you not to perform these checks (see
http://usa.visa.com/business/security/online_purchasing_protection.html#anchor_8)
so just to save anyone some time... using credit checks to verify age is
not an option either :)
[/side note on age checks]
Brendon J. Wilson wrote:
> A really interesting contribution Tom - thanks for that!
>
> I'm not sure if the eligibility clause will survive over the long term
> under legal scrutiny - we'll see, I guess. If it doesn't I think
> there's actually an opportunity in the market to provide an OP with
> capabilities to delegate "permission" - imagine if, as a parent, I
> could create identities for my kids, and also manage an authorization
> list of some kind (you can go on facebook, but not on myspace, or what
> have you).
>
> Brendon
>
> On Apr 1, 2008, at 10:27 PM, tom wrote:
>
>> Hi Brendon,
>>
>> All US-based OPs and consumers fall under the definition of "The
>> operator" - meaning "any person who operates a website located on
>> the Internet or an online service and who collects or maintains
>> personal information from or about the users of or visitors to such
>> website or online service."
>>
>> If you store personal information obtained via SREG/AX/
>> any_other_extension or from a form (as a consumer) or you give out
>> information requested by SREG/AX/any_other_extension (as an OP) then
>> you will need to comply with COPPA.
>>
>> Here is the act for those that want to know more -> http://www.coppa.org/coppa.htm
>>
>> Whilst it does not affect OpenID authentication specifically COPPA
>> should be noted in guidelines for web developers. If you are
>> concerned and you want to check your service then the way around
>> COPPA is to provide an Eligibility clause in your terms of service
>> which denies service to under 13 year olds. You can find an example
>> in the Facebook terms of service - http://www.facebook.com/terms.php
>> - [hint] In a quick survey I found 3 OPs this morning that I know
>> have servers in the US and DO NOT have COPPA protection in their
>> terms of service. Ladies and Gentlemen - you've been warned,
>>
>> Tom
>>
>> Brendon J. Wilson wrote:
>>
>>> Hi all,
>>>
>>> I'm curious if anyone has given any thought to the possible
>>> ramifications of COPPA (the Child Online Privacy and Protection Act)
>>> on the proliferation of OpenID? My understanding is that COPPA
>>> requires service providers to obtain permission from a parent to
>>> collect, disclose, etc information from a child less than 13 years of
>>> age. It appears to me that the Simple Registration Extension would
>>> qualify as disclosure of the user's personal information, and hence a
>>> relying party would need some way to confirm a user's age and parental
>>> permission prior to, or perhaps as part of, allowing an underage user
>>> to authenticate via OpenID?
>>>
>>> Brendon
>>> ---
>>> Brendon J. Wilson
>>> www.brendonwilson.com
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>> --
>> Tom Calthrop
>> Founding director, Barnraiser.
>>
>> Dedicated to giving people the tools they need to share
>> knowledge and advance society through social software.
>>
>> Web site: http://www.barnraiser.org/
>> OpenID: http://tom.calthrop.info/
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
--
Tom Calthrop
Founding director, Barnraiser.
Dedicated to giving people the tools they need to share
knowledge and advance society through social software.
Web site: http://www.barnraiser.org/
OpenID: http://tom.calthrop.info/