9
Infrastructure for Age Verification

Fred Cotton

My background is predominantly law enforcement, so I come to this issue having tried to clean up the results of many societal problems, and I see what is going on in the streets. I agree with Eddie Zeitler about authentication and verification. You have to watch it work in the real world with driver’s licenses. You can book an individual into the county jail and rely on fingerprint information that does not come back to the right person. You will face these problems anytime you try to superimpose authentication of age onto the real world.

9.1 THE REAL WORLD VERSUS THE INTERNET

How, and to what extent, is interaction with a human being needed to validate identity? Who will validate the validator? Who is it that you trust to say who somebody else is? That level of trust does not exist in any level of government these days. What level of confidence is needed for the accuracy of an assertion of age to pass the legal requirements? The law will define that for you. If you foul it up, you will know. Just as with any other problem in society throughout history, the lawyers will solve it. They will find the tort in the problem, find the person or persons responsible for the tort—either directly or vicariously—and then sue their shorts off. The necessary level of confidence will be defined rapidly as soon as the legal community determines that there is money to be made from it.

What infrastructure is needed to support age checks outside the Internet? We have an existing infrastructure for dealing with credit cards, fingerprints, biometrics, chips in your head, and other things that can be



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop 9 Infrastructure for Age Verification Fred Cotton My background is predominantly law enforcement, so I come to this issue having tried to clean up the results of many societal problems, and I see what is going on in the streets. I agree with Eddie Zeitler about authentication and verification. You have to watch it work in the real world with driver’s licenses. You can book an individual into the county jail and rely on fingerprint information that does not come back to the right person. You will face these problems anytime you try to superimpose authentication of age onto the real world. 9.1 THE REAL WORLD VERSUS THE INTERNET How, and to what extent, is interaction with a human being needed to validate identity? Who will validate the validator? Who is it that you trust to say who somebody else is? That level of trust does not exist in any level of government these days. What level of confidence is needed for the accuracy of an assertion of age to pass the legal requirements? The law will define that for you. If you foul it up, you will know. Just as with any other problem in society throughout history, the lawyers will solve it. They will find the tort in the problem, find the person or persons responsible for the tort—either directly or vicariously—and then sue their shorts off. The necessary level of confidence will be defined rapidly as soon as the legal community determines that there is money to be made from it. What infrastructure is needed to support age checks outside the Internet? We have an existing infrastructure for dealing with credit cards, fingerprints, biometrics, chips in your head, and other things that can be

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop used today. But these things are cost prohibitive and not widely disseminated. To have any kind of authentication process, it has to be globally disseminated; otherwise, there is no standardization. The problem is dissemination. Credit cards are great in the United States but not in the middle of Africa and other places around the global Internet where the infrastructure does not exist. In Third World countries that are developing sites that deal with child pornography and child exploitation, implementing online authentication and age verification technologies is a whole different business. Cops dealing with problems online tell us that the problem is that our laws only extend as far as our borders, and, historically, our ability to regulate or influence things extends only as far as our laws. Our laws are based on how much territory we can hold with a standing army. This has no application on the global Internet. It is a totally new environment—a brave new world. There is little we can do other than talk about it, because nobody owns the Internet and nobody runs it. Nobody has any say over it other than the people who use it. It is truly a democratic society. When the people who use the Internet get tired enough of something, they will do something about it, independent of government. Has the Internet environment changed the necessary infrastructure? Obviously, we cannot superimpose the existing structure on the Internet, because of its global and nebulous nature. If you are going to validate identification online, then it has to be standardized to some extent. If you are validated through ABC signature company, and I am a retail merchant who subscribes to XYZ but not ABC, does that mean that you do not get to buy from me? This is probably not going to work well, and something will need to be done about standardization. What are the costs to the user and to the government? Who will maintain the database of validation? This is a huge responsibility, a huge cost, and a huge security risk. If you blow that one, you are guaranteed to get the legal community involved. How reliable is the technology? It is reliable today, but tomorrow brilliant little Johnny in the class will figure it out. It only takes one little Johnny to figure it out, and then he automates it and gives it to all the others. We have seen this in computer security for years. It does not require much skill to hack. All you have to do is download the tools that somebody who had the skills to write them made available. It is a point and shoot operation. Other things that we do in the real world in age verification may or may not have application here. A driver’s license is an official ID because we have an official government entity. It is well funded and well staffed, and it requires that you show up to prove who you are before you get the token or identification. It is very difficult to do that on the Internet. I can

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop apply for a credit card through the mail, and I call the issuing company to activate it, and no one there ever actually sees my face. But credit card fraud is easy to commit. People just throw those forms in the garbage. I could go through your garbage and pick up those applications, fill them out, put in a change of address, and charge things in your name. This happens daily. Identity theft is huge. Once you are in that particular loop, getting out of it is next to impossible. Biometric technologies and fingerprint scans are possible, but it is cost prohibitive for both the user and authentication organization at this time. In addition, the initial validation is always a problem with anything that you superimpose here. Tokens are too mobile. We see that with identities now. We have juveniles buying alcohol over the counter with false IDs, which are not difficult to forge. Historically, law enforcement protection is a three-legged triangle. It involves enforcement, education, and prevention. Of the three, education is probably the cheapest. This is where you get the most bang for the buck. You simply get people to change their ways by telling them that something is not right, and that it is not in their best interests. So far we have not been very successful with things like narcotics. If we could get people to stop wanting children to access pornography on the Internet, then it would go away. That leaves you with the other two legs of the triangle. Prevention involves giving parents and teachers some tools that they can use to try to stem the flow. The tools will not stop it but will give them some control over their own part of the environment. The third aspect is enforcement. We find the people who are bringing this grief on us and we bring grief on them, or we find the biggest offenders and put their pelts on the fence as a warning to others. Historically, that is what enforcement is about. We get them to the point where they do not know if they will be next, and they keep their heads down. If they all decide to do bad things at once, there is no law enforcement agency in the world that can prevent it. But we can keep them on their toes enough that they will think twice before they do it. Everything I have talked about so far deals with the Web, the least offensive of the content problems. How does any of this technology affect e-mail or Usenet? The worst offender is Internet relay chat (IRC), when kids are involved in that arena. I train 30 task forces around the country to do nothing but go after online predators, people who will get on an airplane and go find a child for sex. They spend months and months cultivating that situation. You would not believe the astronomical numbers involved. In that type of environment, all of the screening software and age verification do no good. Technology will not solve this particular

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop problem. Right now, the only thing that is having an effect is enforcement. We are at least identifying the offenders and taking them out of circulation as fast as we can—surgically removing them from society by whatever means is currently socially acceptable. If you could keep kids off e-mail and Internet Relay Chat1—that is, if kids accessed the Internet in a way that worked only through the Web, but ported—then it would eliminate access to children for most of these preferential sexual offenders. But you would also eliminate a lot of things that kids use the Internet for; it would be like keeping kids out of the park or off the telephone. IRC has replaced the telephone after school, and that global circle of friends is a strong social draw. For latchkey kids after school, this is their way of communicating nowadays. With Usenet, if they want to surf for porn, then they will find a public news server and pull off whatever they want. Screening does little about that, particularly with all the things that are mislabeled. 9.2 SOLUTIONS Any successful effort to keep pornography away from children will have to draw from all available solutions; you need a bit of everything to make it work. No one model will be successful by itself, but, when combined, they likely will have some impact. The degree of impact will depend on the social acceptance of this effort in the long run. The available models include the following: Age verification and validation is a positive ID model. Before I can get in somewhere, I must prove that I am an adult. This lends itself to the use of tokens, or what I have and what I know. But this leaves us with the problems mentioned earlier concerning who controls that database and who keeps track of that information. The supervision model does nothing at the technological level, but rather has parents supervise kids online. If you put your kids online, then you do not throw them into an electronic pool hall without supervision. You move the computer out into the family room; you do not let kids sit in the back room and do these things all by themselves. Unfortunately, the reality is that most parents do not take the time to do this. The software model involves the screening software—Net Nanny, Cyber Patrol, and the others. With the false positives and so on, this is 1   Milo Medin said that he could build a system to do this; the question is whether anyone would want such a product.

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop problematic, but, when combined with the two approaches mentioned above, it may offer some reassurance. The law enforcement model says we go out there and increase our presence online, so it keeps the predators’ heads down and keeps them from doing what we want to prevent. They will think twice before engaging someone online, for fear that they are engaging me. This keeps them guessing. This is a fear model. The intervention model says we identify the people causing the problem and enlist the aid of the cyber-network neighborhood and crime prevention types so that people who see this activity do not ignore it. They step in and do something about it—they report it, and something happens as a result. This works with burglaries and territorial crimes. We have to rely on the community to tell us how things are going. The education model involves improving education to the point where people see that something is wrong and change their behavior. When you change the behavior pattern, it no longer will be socially acceptable or tolerated by the majority of society. We also need to remove roadblocks in law enforcement that severely limit what I can do online. The rules currently applied to online situations were written for telephones, not the Internet. We work within very narrow parameters. For example, a recent case in the Ninth Circuit dealt with a supervisor going onto a password-protected Web page under the auspices of a pilot during a pilot’s strike. The Ninth Circuit said that was not right. If I am a law enforcement officer working undercover, what does that mean for me when I try to access a child pornography Web site? They do not think about the ramifications and how it affects our ability to function online. I cannot just take your computer, go through it, and find out what is on it. I have to write a search warrant, convince a judge that I have probable cause to believe that what I seek will be there, and show proof of that before someone will give me a search warrant. This is wise, of course. We have these protocols and procedures because you do not want us running amuck and grabbing everything. However, at some point you have to remove some roadblocks if we are to address new technologies based on laws for old technology. We have to remove some of roadblocks so that we can become effective; but we also have to keep parameters in place to keep it from getting out of hand. There is a balance. The roadblocks have not been collected and presented in an article or publication. They are buried in case law—not even codified law. They are buried in the decisions of the U.S. Supreme Court, district courts, and

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop courts of appeal, in a variety of cases, and in civil lawsuits.2 Agencies are less concerned about protecting you as a citizen than about getting sued. But we have advocates for change. The U.S. Department of Justice has the tools to do that. The first thing I would do is to protect children online. We have to find the most egregious cases out there of the providers. I would identify who is causing the problem. Second, if I cannot arrest that person for a violation of law, then I would sic a whole battery of attorneys and law firms on them for a tort violation, basically a violation of my rights. At some point, they will get a clue that this is not acceptable behavior. All of this has to be done within the parameters of the law, but the people causing this problem have to fix the problem. They are causing a problem for the rest of society and they will have to own up to their part and face the consequences. Criminal prosecution is generally the least effective approach. Using the law is always available; the pen is mightier than the mouth. But the bottom line is, you need to change behaviors. There is no law west of the modem. Look at the development and rapid growth of the Internet, and compare it to the westward expansion of this country in the early 1800s. The same type of thing is happening. Behavioral changes will be required on both sides. It will require different behavior on the part of people being victimized now. They need to realize that they cannot continue to do these things online without the potential of being a victim. The other behavior we have to change is that of people who look at the Internet as the wild and woolly west, who do not care what they do to anyone else online. You have to change the behavior of children who use the Internet at some point and, by default, change their parents’ behavior. I am not picking on any one group. Society as a whole will have to look at this problem and say, “Do we really want this to continue?”3 The group causing the biggest problem right now are the offenders, 2   Dick Thornburgh said that someone should read all the cases, collect them, and develop a strong argument for a remedy. 3   Eddie Zeitler said that, as long as society keeps developing new technologies, these problems will arise. A problem is created when someone puts digitized music in a file and then says you cannot copy it. You cannot commercialize it in the United States, but you can go somewhere else where there is no law against this. No one can tell you that you cannot make copies, because you can, and no one can tell you that you cannot use the Internet, because you can. Fred Cotton noted that, if you send a picture of women without veils to Saudi Arabia, you have sent pornography. In other words, there is also a nebulous community standards issue.

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop the ones sending material to kids unsolicited, targeting kids, going after them in a planned and concerted manner. That is the first behavior to be changed. They need to wise up and realize that this is not appropriate or face the consequences, because what they are doing is a violation of the law. Sending 12- or 13-year-old kids horrific graphic images is unacceptable to me because the kids do not get a choice. If you tell them, “Hey, do not go over there, because there is bad stuff,” and they stay away, then it is fine. But keep the bad stuff over there. You cannot dry up the supply by somehow taking the money out of it. The sexual predator is not motivated by money but rather by access to children. This cannot be managed like the banking model, in which a concerted effort is made in multiple areas that largely prevents a problem. There are few predators within the banking community, and we tend to get our wagons in a circle when under attack—we control where money goes electronically. On the Internet, nobody controls the pornography supply. You have a widely dispersed supply and a widely dispersed demand, with no central point at which you can install controls. 9.3 THE EXTENT OF THE PROBLEM When talking about protecting children online, it makes no difference whether it is protection from a sexual predator or a pornographer,4 because predators use pornography as a tool to lower the inhibitions of children. I have seen them with cartoons of Homer Simpson and Fred Flintstone, telling little kids, “See, Wilma thinks it’s okay.” There is no difference; pornography is still being put out there and accessed by children. If children are hooked into it and able to go to another site and feed that paraphilia (i.e., unusual sexual preference), then it simply serves to lower the inhibitions further. (Some sexual preferences are illegal; some are not. Child pornography paraphilia happens to be illegal.) This is like watching violence on TV; eventually, you get numb to it. Most law enforcement officers see the same thing. Finding a dead body on the street is not horrific to me any longer; I have seen too many of them. To the average citizen, it is absolutely horrific, but I have been desensitized to it over the last 27 years. This is sad to say, but it is true of 4   Marilyn Mason asked whether there are two different, but related, aspects to the pornography issue. On the one hand, there are sexual predators who are trying to make contact with juveniles—the scariest part. On the other hand, there are creators of sexually explicit material who are trying to make a buck by selling it, presumably to adults, but sometimes they solicit children as well.

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop many people who are exposed, over and over again, to things that society does not wish to deal with. Pornography is one of those things. Just because someone possesses or distributes child pornography does not necessarily make them a predator. But every single predator whom I have dealt with in my 27 years in law enforcement had child pornography—they possessed it, collected it, and used it to entice someone. Predators also use sexually explicit material that is not illegal. The process does not take place overnight. My investigators work on these cases for months. A predator meets a child in a chat room and becomes a friend— talking about things that they cannot talk about with their parents, lowering their inhibitions. The whole object is to get physical access to the kid. These are the people whom I would go after first, because they are the most dangerous. But there is also a group of them who have set up an industry that supports this paraphilia. When they cannot get access to children, they get access to child pornography, because it is the next best thing. David Finkelhor5 put together a study for the Office of Juvenile Justice and Delinquency Prevention, published early this year. It was an empirical study of young teenagers online and their contact with sexual predators. Of young girls in the 14-year-old age range that were online, 90 percent of those interviewed had been contacted with unwanted sexual advances. Several went on to further levels. They were interviewed in control groups, too. The numbers were shocking, amazing. How much of this is unique to the Internet, and how much is just reflective of society in general? For about the first half of my 27 years, I could count on my hands the number of child sexual abuse cases that I handled. With the advent of the Internet, it has grown exponentially. I handled 10 to 15 cases in 1989, the first year that I realized there was a problem. When we started looking at the agencies dealing with it, everyone thought that they were the only one. A segment of our society has this paraphilia or would like to explore it or act it out. They use the Internet as the mask they hide behind. They can play whatever persona they want online, because there is no validation of who they are. I think we have had child sexual offenders in our society from the beginning, but they used to have to go to extraordinary measures to get access to children. The Internet has made it easy for them. Those who may never have thought of acting out in the real world now have no com- 5   Finkelhor, of the University of New Hampshire, testified at the committee’s first meeting, in July 2000.

OCR for page 53
Technical, Business, and Legal Dimensions of Protecting Children from Pornography on the Internet: Proceedings of a Workshop punction about doing it on the Internet. It is the borderline cases that are coming out now; this is part of the problem. There is also a phenomenon called validation. If you are into sexually assaulting children, then you are universally disdained in almost every society in the world. You are the lowest form of bottom feeder; if you go to prison, murderers will kill you because you went after a kid. Therefore, when child sexual offenders have the ability to get together in affinity groups they say, “Oh, I’m not the only one. I thought I was the only one, but there are thousands of me out here. And now we can validate it. We can exchange information about children and target children online. We can find out where they live and go and meet with them. This is a wonderful tool.” Just because they talk to one another does not make them easier to catch. It has made for an interesting enforcement environment, but we still have roadblocks that prevent us from catching them. Their Internet communications are in transit, so, technically, we are using forms of wire intercepts. The law was written for the old days of wiretapping the telephone; it does not apply to an Internet chat room. The courts have not defined this well enough. They have not told us what we can and cannot do as far as this new communications medium. As a result, law enforcement is more concerned about getting sued over these types of things. We have to be careful how we proceed. But these people are coming out in droves. The numbers are astronomical; I have never seen anything like it, and I see no end to it. Children are at risk. Can the risk be managed? Yes, if we implement a variety of different approaches, not just technology, we may be able to manage or limit that risk. But can we eliminate it? Absolutely not. Can we control the global Internet? Probably not. Can we change how people use the Internet through education, prevention, and enforcement? Probably.