[cap-talk] Can webkeys solve the MySpace problem?

Jed Donnelley jed at nersc.gov
Wed Jan 16 19:54:01 EST 2008 

On 1/16/2008 9:42 AM, Karp, Alan H wrote:
> I'm surprised that nobody raised my #1 objection
> to this proposal.  Should schools be in the
> business of supporting a commercial enterprise
> such as MySpace?  My answer is, No, but schools
> do it all the time.  For example, Coke pays the
> school district lots of money to be allowed to
> put Coke machines on campus and keep Pepsi
> machines out.  The answer to my objection is
> that MySpace will pay the schools to do the age
> verification.

Hmmm.  The above might tie into what I communicated
to you privately.  My knowledge of this area is
limited, coming only as it does from a parent of
children who were at one time home schooled.

Still, from that weak background, I believe its
the state's responsibility to insure that
children are educated.  Because of that they
have to know who all the children are and
which schools are responsible for educating
them.  That suggests to me that you could
"tie into" the system at the state level.
Providing a network child ID mechanism at
the state level might even help the state with
their responsibilities.  In that case you
could get such an ID "WebKey" to the child
(perhaps through the school responsible for
that child), but that could be used for any
service (e.g. not just MySpace) that might
need to identify a child.  MySpace (as with
any other vendor) could just demand that an
account present a valid state "child ID",
dare I say it, "capability" that would allow
them to meet their responsibilities for
protecting children.

Of course I think this whole approach assumes
that children don't just sign up as adults,
e.g. because it is easier (no school hassle)
or because they want more flexibility in their
communication.  The way it seems to me you are
describing things to this point the onus is
on the children (their parents or whoever) to
do the extra work to get more restrictions.
Usually things work better if you have to get
the extra qualifications to get more responsibility
(flexibility, freedom).  E.g. prove to me that
you are over 21 so I can sell you this liquor,
prove to me that you are over 18 and can vote,
prove to me that you are over 16 and can drive,
etc.  I guess what's happening in this case is
that you are being asked to prove that you are
a child so that you will be allowed to communicate
with other children.

Is that the basic idea?

My last point above is similar to:

On 1/16/2008 10:29 AM, ihab.awad at gmail.com wrote:
 >
 > On Jan 16, 2008 9:32 AM, Karp, Alan H <alan.karp at hp.com
 > <mailto:alan.karp at hp.com>> wrote:
 >
 >     The webkey is only needed to set up a MySpace account as a child.
 >      Other accounts will be presumed to be owned by adults and will have
 >     limited access to children.
 >
 > So does it require children to *want* (or *have*) to use it? If a child
 > has open access to the Internet, they can set up an account as an adult.
 > They can even get their friends to do the same, so they have a community
 > free from the (inevitable) supervision that buying into this scheme
 > would entail. I still fail to see the value proposition from the point
 > of view of the child.

to which Alan's response seems reasonable:

On 1/16/2008 11:04 AM, Karp, Alan H wrote:
 > Ihab wrote:
 >
 >> So does it require children to *want*...
 >
 > The child who wants to feel safe can know that
 > it is unlikely that the MySpace account of another
 > child is run by an adult.  Also, many children
 > obey rules set by their parents.  The proposal
 > is intended for these two groups.

, though I wonder if it will continue to be regarded
as sufficient.

I also think my statement, "...prove that you are
a child so that you will be allowed to communicate
with other children." puts it in a slightly different
light than:

On 1/16/2008 10:47 AM, ihab.awad at gmail.com wrote:
 > So, if I may attempt to state the "social engineering" threat model: A
 > child may be trusted to enforce the policy, "Only talk to other
 > children." We wish to provide them with a mechanism for verifying who is
 > and is not a child. Is this correct?

--Jed  http://www.webstart.com/jed/

More information about the cap-talk mailing list