[OpenID] OpenID and the COPPA
Peter Williams
pwilliams at rapattoni.com
Sat Apr 5 16:20:03 UTC 2008
The discussion of using openid for age enforcement got me thinking more widely.
It's interesting to see how quickly an authentication benefit (leave authenticated comments, suitable for building trust via endorsement) becomes attached to the issues of enforcement and control: (i) what's the assurance level of the assertion of age, nationality or other attributed fact, by provider, and (ii) how can one now enforce policy myXdesire based on that assured attribute. One can think more widely about the question of what focusing on mostly "control objectives" would mean for the investment prospects in relation to the budding vendor community, here.
The issues of enforcement and control are of course long embedded in the traditional outsourced identity management business - which already uses a myriad of proprietary and semi-standard protocols. Folks in that business will happily admit openid standards, I venture: they could not care less about which bits and bytes are used, so long as reasonable folk think it's a reasonable thing to apply when addressing the customer's "control issue". Identity management is, and always will fundamentally be, an outsourcing revenue model, fitting neatly into Wall Street's "information service bureau" category.
The topics of control and enforcement always trigger questions in my mind about the Foundation's mission. The mission comes across as wanting to above all promote authenticated comments on blogs, leading to the creation of a scalable trust framework in which linked-backed identity becomes an endorsing feedback system that ultimately self-regulates the average contributor - once reputation is publicly attached to the gestalt of his/her public contributions. Folk such as ClaimID have built clear demonstrators of such notions, building on "authentication via linkback services" to assert qualified ownership via openid and microIDs of posted authenticated _content_, too. (Having seen it all "brought together as a concept" in ClaimID, I'm on board, as an early adopter type!) However, I also see an undercurrent in the Foundation's tone that seems to believe that -- even in the short term -- the only significant revenue that will ever be attached to all this, with which to sustain the infrastructure, will be the good ol' business of classical identity management outsourcing.
The most traditional identity management crowd (EDS, Hughes, Reuters, CAP, etc.) competing for the (non-telco) $100M+ outsourcing-size revenue opportunities will probably not directly participate in generating adoption of an openID-based trust feedback system: they are not evangelists, they are simple run-of-the-mill business folk seeking to operate policy systems dealing with "control problems". With luck, the business development folks in such companies may view OpenID as a market expansion driver however, for core services - leading to development investment or tech sponsorship. If the movement gets critical mass beyond the social networking space, one can see a world in which such firms, in order to build market share or get to market fast in the new market of authenticated comments and endorsement systems, will purchase those privately-held OPs that (a) somehow get critical mass of participation and consumer acceptance, or (b) have VC-quality Intellectual Property assets embodying some twist that makes their approach particularly suitable or cost effective when applied to the very _traditional_ control and audit problems in banking, insurance, healthcare, supply chain, ..., and then - ultimately - general enterprise.
From: tom
Sent: Thu 4/3/2008 10:43 PM
To: Brendon J. Wilson
Cc: general at openid.net
Subject: Re: [OpenID] OpenID and the COPPA
Hi Brendon,
In Sweden under 18's are not allowed into bars and clubs. These
facilities are required to forbid access to under 18's which is why
you'll find a security guard checking ID's on the front door of any bar
in Stockholm. They can do this because people in Sweden have a national
ID card (kind of stating the obvious here, but it is important to draw
parallels with real world examples of access denial).
On the web we can put many barriers in place, but until we can prove
that they are in fact over 18 and not lying then we cannot guarantee any
check or guarantee denial of service. In fact all we can do in a court
of law is say "we clearly pointed out that they should be under 18" and
it is not our fault that they lied or did not understand this.
In short, we have no way of knowing if someone is under 13, hence we are
unable to apply any form of security check which we can in real life
using an ID card.
So the real onus here is on the parent. Parents can load software such
as Net Nanny, CYBERsitter or CyberPatrol (there are many others) which
have web filtering where they can deny access to domain A and allow
access to domain B, hence they do your work for you because the child
won't be able to get to the original "bad" site from which to
authenticate from.
In short we have no age-verifiable ID card on the web so we have to rely
on parents deploying software to protect their children and on
legislation to stop service terminal access to children (for instance,
stop Internet cafe owners allowing Internet access to children).
Make sense?
[side note on age checks]
I have seen many web sites that deploy age checks via credit checks. You
pay 25USD via a credit card and they use that to check your age. In fact
they do not. A credit card check does not reveal age. Visa specifically
tells you not to perform these checks (see
http://usa.visa.com/business/security/online_purchasing_protection.html#anchor_8)
so just to save anyone some time... using credit checks to verify age is
not an option either :)
[/side note on age checks]
Brendon J. Wilson wrote:
> A really interesting contribution Tom - thanks for that!
>
> I'm not sure if the eligibility clause will survive over the long term
> under legal scrutiny - we'll see, I guess. If it doesn't I think
> there's actually an opportunity in the market to provide an OP with
> capabilities to delegate "permission" - imagine if, as a parent, I
> could create identities for my kids, and also manage an authorization
> list of some kind (you can go on facebook, but not on myspace, or what
> have you).
>
> Brendon
>
> On Apr 1, 2008, at 10:27 PM, tom wrote:
>
>> Hi Brendon,
>>
>> All US based OP's and consumers fall under the definition of "The
>> operator" - meaning "any person who operates a website located on
>> the Internet or an online service and who collects or maintains
>> personal information from or about the users of or visitors to such
>> website or online service."
>>
>> If you store personal information obtained via SREG/AX/
>> any_other_extension or from a form (as a consumer) or you give out
>> information requested by SREG/AX/any_other_extension (as an OP) then
>> you will need to comply with COPPA.
>>
>> Here is the act for those that want to know more -> http://www.coppa.org/coppa.htm
>>
>> Whilst it does not affect OpenID authentication specifically, COPPA
>> should be noted in guidelines for web developers. If you are
>> concerned and you want to check your service then the way around
>> COPPA is to provide an Eligibility clause in your terms of service
>> which denies service to under 13 year olds. You can find an example
>> in the Facebook terms of service - http://www.facebook.com/terms.php
>> - [hint] In a quick survey I found 3 OPs this morning that I know
>> have servers in the US and DO NOT have COPPA protection in their
>> terms of service. Ladies and Gentlemen - you've been warned,
>>
>> Tom
>>
>> Brendon J. Wilson wrote:
>>
>>> Hi all,
>>>
>>> I'm curious if anyone has given any thought to the possible
>>> ramifications of COPPA (the Child Online Privacy and Protection Act)
>>> on the proliferation of OpenID? My understanding is that COPPA
>>> requires service providers to obtain permission from a parent to
>>> collect, disclose, etc information from a child less than 13 years of
>>> age. It appears to me that the Simple Registration Extension would
>>> qualify as disclosure of the user's personal information, and hence a
>>> relying party would need some way to confirm a user's age and
>>> parental
>>> permission prior to, or perhaps as part of, allowing an underage user
>>> to authenticate via OpenID?
>>>
>>> Brendon
>>> ---
>>> Brendon J. Wilson
>>> www.brendonwilson.com
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>> --
>> Tom Calthrop
>> Founding director, Barnraiser.
>>
>> Dedicated to giving people the tools they need to share
>> knowledge and advance society through social software.
>>
>> Web site: http://www.barnraiser.org/
>> OpenID: http://tom.calthrop.info/
>>
>
>
--
Tom Calthrop
Founding director, Barnraiser.
Dedicated to giving people the tools they need to share
knowledge and advance society through social software.
Web site: http://www.barnraiser.org/
OpenID: http://tom.calthrop.info/