<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText2362 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>The discussion of using openid for age enforcement got me thinking more widely.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>It's interesting to see how quickly an authentication benefit (leave authenticated comments, suitable for building trust via endorsement) becomes attached to the issues of enforcement and control : (i) what's the assurance level of the assertion of age, nationality or other attributed fact, by provider, and (ii) how can one now enforce policy myXdesire based on that assured attribute. One can think more widely about the question of what focusing on mostly "control objectives" would mean for the investment prospects in relation to the budding vendor community, here.</FONT></DIV>
<DIV dir=ltr><FONT size=2><FONT face=Arial color=#000000><SPAN style="FONT-SIZE: 7.5pt"></SPAN></FONT></FONT> </DIV></DIV>
<DIV><FONT face=Arial size=2>The issues of enforcement and control are of course long embedded in the traditional outsourced identity management business - which already uses a myriad of proprietary and semi-standard protocols. Folks in that business will happily admit openid standards, I venture: they could not care less about which bits and bytes are used, so long a reasonable folk think its a reasonable thing to apply when addressing the customer's "control issue". Identity management is, and always will fundamentally be, an outsourcing revenue model, fitting neatly into Wall Street's "information service bureau' category.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The topics of control and enforcement always trigger question in my mind about the Foundation's mission. The mission comes across as wanting to above all promote authenticated comments on blogs, leading to the creation of a scalable trust framework in which linked-backed identity becomes an endorsing feedback system that ultimately self-regulates the average contributor - once reputation is publicly attached to the gestalt of his/her public contributions. Folk such as ClaimID have built clear demonstrators of such notions, building on "authentication via linkback services" to assert qualified ownership via openid and microIDs of posted authenticated _content_, too. (Having seen it all 'brought together as a concept" in ClaimID, I'm on board, as an eary adopter type!) However, I also see an undercurent in the Foundation's tone that seems to believe that -- even in the short term -- the only significant revenue that will ever be attached to all this, with which to sustain the infrastructure, will be good ol business of classical identity management outsourcing.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The most traditional identity management crowd (EDS, Hughes, Reuters, CAP, etc) competing for the (non-telco) $100M+ outsourcing size revenue opportunities will probably not directly participate in generating adoption of an openID-based trust feedback system: they are not evangelists, they are simple run of the mill business folk seeking to operate policy systems dealing with "control problems" . With luck, the business development folks in such companies may view OpenID as a market expansion driver however, for core services - leading to development investment or tech sponsorship. If the movement gets critical mass beyond the social networking space, one can see a world in which such firms, in order to build market share or get to market fast in the new market of authenticated comments and endorsement systems, will purchase those privately-held OPs that (a) somehow get critical mass of participation and consumer acceptance, or (b) have VC-quality Intellectual Property assets embodying some twist that make their approach particularly suitable or cost effective when applied to the very _traditional_ control and audit problems in banking, insurance, healthcare, suppy chain,..., and then - ultimately - general enterprise.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><BR> </DIV>
<DIV>
<DIV>
<HR tabIndex=-1>
</DIV>
<DIV><FONT face=Tahoma size=2><B>From:</B> tom<BR><B>Sent:</B> Thu 4/3/2008 10:43 PM<BR><B>To:</B> Brendon J. Wilson<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> Re: [OpenID] OpenID and the COPPA<BR></FONT><BR></DIV></DIV>
<DIV><PRE style="WORD-WRAP: break-word">Hi Brendon,
In Sweden under 18's are not allowed into bars and clubs. These
facilities are required to forbid access to under 18's which is why
you'll find a security guard checking ID's on the front door of any bar
in Stockholm. They can do this because people in Sweden have a national
ID card (kind of stating the obvious here, but it is important to draw
parallels with real world examples of access denial).
On the web we can put many barriers in place, but until we can prove
that they are in fact over 18 and not lying then we cannot guarantee any
check or guarantee denial of service. In fact all we can do in a court
of law is say "we clearly pointed out that they should be under 18" and
it is not our fault that they lied or did not understand this.
In short, we have no way of knowing if someone is under 13, hence we are
unable to apply any form of security check which we can in real life
using an ID card.
So the real onus here is on the parent. Parents can load software such
as Net Nanny, CYBERsitter or CyberPatrol (there are many others) which
have web filtering where they can deny access to domain A and allow
access to domain B, hence they do your work for you because the child
won't be able to get to the original "bad" site from which to
authenticate from.
In short we have no age verifiable ID card on the web so we have to rely
on parents deploying software to protect their children and on
legalisation to stop service terminal access to children (for instance,
stop Internet cafe owners allowing Internet access to children).
Make sense?
[side note on age checks]
I have seen many web sites that deploy age checks via credit checks. You
pay 25USD via a credit card and they use that to check your age. In fact
they do not. A credit card check does not reveal ago. Visa specifically
tells you not to perform these checks (see
http://usa.visa.com/business/security/online_purchasing_protection.html#anchor_8)
so just to save anyone some time... using credit checks to verify age is
not an option either:)
[/side note on age checks]
Brendon J. Wilson wrote:
> A really interesting contribution Tom - thanks for that!
>
> I'm not sure if the eligibility clause will survive over the long term
> under legal scrutiny - we'll see, I guess. If it doesn't I think
> there's actually an opportunity in the market to provide an OP with
> capabilities to delegate "permission" - imagine if, as a parent, I
> could create identities for my kids, and also manage an authorization
> list of some kind (you can go on facebook, but not on myspace, or what
> have you).
>
> Brendon
>
> On Apr 1, 2008, at 10:27 PM, tom wrote:
>
>> Hi Brendon,
>>
>> All US based OP's and consumers fall under the definition of "The
>> operator" - meaning "any person who operates a website located on
>> the Internet or an online service and who collects or maintains
>> personal information from or about the users of or visitors to such
>> website or online service."
>>
>> If you store personal information obtained via SREG/AX/
>> any_other_extension or from a form (as a consumer) or you give out
>> information requested by SREG/AX/any_other_extension (as an OP) then
>> you will need to comply with COPPA.
>>
>> Here is the act for those that want to know more -> http://www.coppa.org/coppa.htm
>>
>> Whilst it does not affect OpenID authentication specifically COPPA
>> should be noted in guidelines for web developers. If you are
>> concerned and you want to check your service then the way around
>> COPPA is to provide an Eligibility clause in you terms of service
>> which denies service to under 13 year olds. You can find an example
>> in the Facebook terms of service - http://www.facebook.com/terms.php
>> - [hint] In a quick survey I found 3 OP's this morning that I know
>> have servers in the US and DO NOT have COPPA protection in their
>> terms of service. Ladies and Gentlemen - you've been warned,
>>
>> Tom
>>
>>
>>
>>
>>
>>
>>
>> Brendon J. Wilson wrote:
>>
>>> Hi all,
>>>
>>> I'm curious if anyone has given any thought to the possible
>>> ramifications of COPPA (the Child Online Privacy and Protection Act)
>>> on the proliferation of OpenID? My understanding is that COPPA
>>> requires service providers to obtain permission from a parent to
>>> collect, disclose, etc information from a child less than 13 years of
>>> age. It appears to me that the Simple Registration Extension would
>>> qualify as disclosure of the user's personal information, and hence a
>>> relying party would need some way to confirm a user's age and
>>> parental
>>> permission prior to, or perhaps as part of, allowing an underage user
>>> to authenticate via OpenID?
>>>
>>> Brendon
>>> ---
>>> Brendon J. Wilson
>>> www.brendonwilson.com
>>> _______________________________________________
>>> general mailing list
>>> general@openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>>
>>>
>> --
>> Tom Calthrop
>> Founding director, Barnraiser.
>>
>> Dedicated to giving people the tools they need to share
>> knowledge and advance society through social software.
>>
>> Web site: http://www.barnraiser.org/
>> OpenID: http://tom.calthrop.info/
>>
>
> _______________________________________________
> general mailing list
> general@openid.net
> http://openid.net/mailman/listinfo/general
>
>
--
Tom Calthrop
Founding director, Barnraiser.
Dedicated to giving people the tools they need to share
knowledge and advance society through social software.
Web site: http://www.barnraiser.org/
OpenID: http://tom.calthrop.info/
_______________________________________________
general mailing list
general@openid.net
http://openid.net/mailman/listinfo/general
</PRE></DIV></BODY></HTML>