Visit the ID Space’s new home at http://blog.idology.com/
You might recall I blogged about a bill being introduced to the GA legislature over a year ago to allow direct wine shipments into the State.
Earlier this week, Governor Sonny Perdue signed House Bill 1061, which allows wineries to ship wine directly to Georgians provided they have a “special order” shipping license from the State ($50 per year). With this license, wineries will be allowed to ship up to 12 standard cases of wine, of brand labels submitted to the State, to an individual consumer over the course of a year.
In addition, the holder of a special order shipping license must require proper age verification for the consumer placing the order. Age may be verified by physical examination of government issued ID or by using an Internet based age and identification service.
The law takes effect July 1, 2008.
As an identity and age verification provider, IDology continually monitors the market to stay up to date on the issues surrounding online identity and age verification. Today I thought I would share with you what we have recently compiled for age verification. This (very long) post presents age verification by industry and country and gives some background on what is going on in the market. I hope you will find this useful.
Examining Age Verification in Other Countries:
United Kingdom & Europe
In January 2004, the UK mobile market set a precedent for self regulation of new forms of content on mobile phones by developing a Code of Practice. The Code of Practice was developed by mobile operators Orange, O2, T-Mobile, Virgin Mobile, Vodafone and 3. The Code specifically covers new types of content, including visual content, online gambling, mobile gaming, chat rooms and Internet access but not peer to peer communications, although assurances were made to combat illegal, bulk and nuisance communications.
The Code of Practice addresses 8 categories. It called for an independent classification body to provide a framework for classifying commercial content that is unsuitable for customers under the age of 18. The classification will be equivalent to that used for material in magazines, films, video and computer games. Content classified as 18 will only be available behind access controls and is made available only to those consumers who have been age verified.
The specific definition of the Code’s term for age verification is:
a process by which reasonable and practical steps are taken to verify that a customer is 18 or over. Acceptable methods of age verification include:
a) at point of mobile device sale for new customers: inspection of document containing customer’s date of birth (e.g. driver’s license, citizen card, etc.); visual check (is the customer clearly over 18?)
b) “customer not present”: a valid credit card transaction for the customer; age confirmation using 3rd party agencies (e.g. Experian, Dun & Bradstreet, etc.)
c) documents and/or process used for contract mobile phone customers, combined with a process by which customers can manage access controls
The Code also recognizes that mobile operators have no control over Internet content and therefore cannot insist that it be classified following the framework described above. Because of this, the Code provides for offering parents and caregivers the opportunity to apply a filter. In addition, the mobile operators agreed to provide advice to customers, including children, parents and other caregivers, through relevant media literacy activities and will post information on the Code on their web sites.
Age Restricted Ecommerce
Last year in the UK, a bill was introduced to Parliament to require age verification for the online purchase of age-restricted goods and services such as alcohol, cigarettes, pornography or gambling. Currently retailers in the UK handle age verification by relying on the honesty policy. Since early 2000, numerous articles and studies have been published about how easily underage consumers can access gambling sites, and as a result the gambling industry has been the most proactive in establishing age verification techniques to prevent underage access.
Last fall the UK Government commissioned Dr. Tanya Byron to look at the risks to children from exposure to potentially harmful or inappropriate material on the internet and in video games. The Byron Review was released in March 2008 and includes recommendations for the UK government to undertake that will help parents feel confident that their children are using new technologies in a way that is appropriate for their age and development. The ultimate conclusion calls for reforms in the structure of how government, industry and others engage in e-safety and specifically recommends that a UK Council on Child Internet Safety be established that reports to the Prime Minister. Recommendations for the function of this Council are:
• That this Council should lead the development of a strategy with two core elements: better regulation – in the form, wherever possible, of voluntary codes of practice that industry can sign up to – and better information and education, where the role of government, law enforcement, schools and children’s services will be key.
• That the Home Office and Department for Children, Schools & Families (DCSF) should chair the Council, with the roles of other Government departments, especially Department for Culture Media & Sport (DCMS), properly reflected in working arrangements.
• That the Council should have a properly resourced cross-government secretariat to secure a joined-up Government approach to children and young people’s safety online.
• That the Council should appoint an advisory group, with expertise in technology and child development, should listen to the voices of children, young people and parents and should have a sustained and rolling research programme to inform delivery.
• The Council investigates where the law around harmful and inappropriate material could be usefully clarified (including suicide websites) and explores appropriate enforcement responses.
Several items are reviewed and discussed in this report including filtering software, search limitations, restricting access, and also age verification which Byron recommends to:
• Keep research and practice on age verification under continuous review, and disseminate good practice, such as placing a “cookie” onto a user’s computer where they have registered with under age details to prevent them from reregistering with false age details.
In 2003, OUT-LAW News, which tracks the latest legal stories in IT and e-commerce, reported on an online program called “interactiveAgeCheck” (iAC) designed to prevent fraud and protect children. iAC is offered by CitizenCard, a non-profit organization and the UK’s largest photo-ID scheme, and allows accredited web sites within the program to check the details of users before allowing them access to the site. If the user is not recognized then access will be denied. Each application is verified stringently using several measures to counter fraudulent applications. The program is supported by government, the police and retail groups and was developed in conjunction with a credit data provider.
Mobile Signatures: Anonymous Age Verification
This past February, Valimo Wireless issued a press release titled Wireless Mobile Signatures to Provide Age Verification with Certification on Demand or IDP Services.
Valimo’s wireless signature services are accepted by financial banks as a secure authentication method. Within the press release Valimo states:
“Mobile signatures also provide age verification and anonymous access control. Proof that these partial authentication processes are in demand is the German government’s announcement that their electronic ID cards will feature a function to use pseudonyms to authenticate oneself to an online service without revealing one’s full identity.”
The press release further explains how this process works:
“When using Valimo’s mobile signature solution: Consumers receive authentication requests to the mobile phone. Valimo uses public key cryptography and an authorization process that allows only a bona-fide service provider to reach the user’s mobile phone. Consumers do not need to manually copy text out of the received short message. They confirm the login or transaction by returning a digitally signed message via SMS. For each authentication event, there is an electronic record (i.e. digital signature) that can be verified by a third-party process.”
Content Classification within the European Union
As recently as April 22 of this year, Reuters published an article about the European Union Executive Body’s decision to give videogame makers and shops two years to come up with a code of conduct that has wider industry backing than the current one. The industry is also being asked to spend more on advertising its symbols denoting the age suitability of games. The industry’s age classification system — Pan European Games Information (PEGI) — is sponsored by more than 200 industry members and used in 20 of the 27 EU states. There is also an online version but with far fewer industry backers.
In January 2008, new rules went into effect from the Australian Communications and Media Authority (ACMA) for restricting access to age restricted content (commercial MA15+ content and R18+ content) either hosted in Australia or provided from Australia. These new rules were made in accordance with Schedule 7 to the Broadcasting Services Act 1992 and are specified in the Restricted Access System Declaration 2007 and the Explanatory Statement to the Declaration.
The rules specifically address age verification and the quality control measures the providers of the content must follow to ensure that the applicant is the person they claim to be and meets the age requirements of the content access being requested. The rules do make provisions that consumer verification will be different for each content rating group. For MA15+ provisioning requires:
• a warning about the nature of MA 15+ content; and
• safety information about how a parent or guardian may control access to MA 15+ content by persons under 15 years of age.
Before provisioning access to R18+, the system must satisfy a risk analysis which means considering:
• the risk of whether the proof of age evidence could be held or used by another person, or someone younger than the age which the form of evidence attributes to the person being identified; and
• the kind of evidence provided and the manner in which it is provided.
The Explanatory Statement delves into the intent of the RAS Declaration and addresses why the RAS Declaration does not prescribe a specific method for verifying age to access R18+ content, which is both to recognize the breadth of current methods of age verification used across various content platforms, and to ensure that there is flexibility now and in the future to allow designated content/hosting providers to develop systems that best suit their business models.
ACMA is aware of a number of different methods of age verification currently operating that range from submission of proof of age in person and actual sight of the applicant and the proof of age (which may be a driver’s license, passport etc) to reliance on credit card verification. Access-control systems are required to keep a record for 2 years on how the age of the applicant is verified while also following Australia’s National Privacy Principles contained in the Privacy Act 1988.
In May 2007, Google announced plans to implement an age verification solution on its search engine in Korea, limiting adult-themed searches to those 19 years of age or older. According to an InfoWorld article:
Users will have to enter their name and national resident registration number, which will be checked against a database to verify the user — or at least the person whose data has been entered — is old enough.
The system will be combined with a localized version of the SafeSearch system that is already used on Google’s main English-language search engine to ascertain the context of the search so that queries for, for example, “rape” are challenged but those for “rape shelter” are not.
Examining Age Verification in USA Industries
CTIA – the International Association for Wireless Telecommunications Industry
Wireless carriers in conjunction with CTIA have voluntarily adopted the Wireless Carrier Content Classification and Internet Access Control Guidelines in an effort to provide consumers with the information and tools they need to make informed choices when accessing content using a wireless handset. According to the CTIA website, these guidelines are as follows:
• Carrier Content Classification Standards – a significant component of the Wireless Carrier Content Guidelines is the voluntary content classification standards for carrier content—those materials that are offered specifically on the carrier’s managed content portal, also known as the carrier’s “deck”, or any third-party content whose charges are included on a carrier’s bill. Carrier Content is divided into two classifications: “Generally Accessible Carrier Content” and “Restricted Carrier Content.” Generally Accessible Carrier Content is available to consumers of all ages. Restricted Carrier Content is accessible only to consumers age 18 years and older or to a consumer less than 18 years of age when specifically authorized by a parent or guardian.
• Providing Parental Controls on “Restricted Carrier Content” – The wireless industry has pledged not to offer any “Restricted Carrier Content” until it has provided controls to allow parents to restrict access to this type of content, based on the content classification standard. Each carrier is responsible for its implementation of access controls, including age-verification mechanisms. Additionally, the industry will undertake an education campaign to inform and educate consumers on how they can prevent unauthorized access to age-restricted carrier-controlled content.
• Content Rating Standards – Wireless carriers are working to define content rating standards to more fully inform consumers about the characteristics of carrier content and its suitability for particular audiences. The content rating standards will leverage existing rating systems familiar to consumers such as movie, television, music, and gaming rating systems.
• Internet Access Controls – As with carrier content, the industry is developing “Internet Access Control” technologies that will enable wireless account holders to limit access to specific websites. Currently, all major carriers provide consumers with the ability to completely block Internet access on their devices. Although carriers have no control over content generally available on the Internet, providing filters and tools is an important step intended to give consumers, particularly parents, the ability to limit the Internet content that can be accessed through their family’s wireless devices. Wireless companies are aggressively researching technological solutions and are implementing them on a carrier-by-carrier basis.
In 2005, the Supreme Court opened up the direct shipment of wine on a state-by-state basis. As part of this, wineries and direct shippers must verify proof of age at the time of purchase. Industry organizations such as WineAmerica and The Wine Institute continue to educate members about the compliance tools available, including how to verify age when consumers are not present. Both organizations have partnered with providers to offer these services to their members.
In 2006, the State of Michigan passed a bill that allowed direct wine shipments into the State provided that the Direct Wine Shipping Requirements of the Michigan Liquor Control Commission are followed. The requirements specifically state:
“You must verify that the person placing the order is at least 21 years of age through obtaining a copy of photo identification issued by the State of Michigan, another state or the federal government or by utilizing an identification verification service.”
As part of this, the Michigan Liquor Control Commission conducted a review of identity and age verification services. To provide these services within Michigan a provider must be an approved vendor. This is the first legal governing body to test and approve electronic age verification solutions.
The Master Settlement Agreement, signed in November 1998, strictly prohibits the marketing of tobacco products and promotional merchandise to anyone under 18. As part of this, tobacco companies must age verify consumers before they are allowed to enter a tobacco website or receive any direct marketing materials.
The motion picture, music recording and electronic game industries have adopted a self-regulatory program to address violence, sexual content, language, drug use and other explicit content that may be of concern to parents.
Following the Columbine tragedy in 1999, President Clinton asked the Federal Trade Commission and the Department of Justice to conduct a study of whether the movie, music recording, and computer and video game industries market and advertise products with violent content to youngsters. The results of the study were published in September 2000 and concluded that these industries routinely target children under 17 as the audience for material they themselves acknowledge is inappropriate for children and warrants parental caution, which undermines their own programs and limits the effectiveness of the parental review programs. Furthermore, retailers were making little effort to restrict children’s access to products with violent content. Within the report certain calls to strengthen self-regulation were made:
• Establish or expand codes that prohibit target marketing and impose sanctions for violations
• Improve self-regulatory system compliance at the retail level including avoiding sales of R-rated, M-rated/advisory-labeled products on Internet sites unless they use a reliable system of age verification.
• Increase parental awareness of the ratings and labels.
The sixth follow up to this report was released in April 2007 and found:
…with few exceptions, general compliance with existing voluntary standards but insufficient attention to the development and application of these standards to evolving market trends…
The practice of marketing R-rated and M-rated movies and explicit content labeled movies to media with teen audiences is particularly evident in the industries marketing on the Internet. Although the video game industry has adopted limits on Internet advertising, the relevant standard – ads cannot appear on a site where more than 45% of visitors are under 17 – is so permissive that advertisements for M-rated games can reach large numbers of young teens and children. Moreover the Commission’s review found many examples of noncompliance with even that limited restriction. The movie and music industries have adopted no standards restricting Internet advertising or R-rated movies and explicit-content labeled music.
An article published last year in USA Today discusses the issue of red-band trailers. While some movie studios, like Sony, Universal and Paramount, have implemented age verification to watch online “red-band” trailers, or trailers for movies that USA Today refers to as “heavy on raunch or violence”, many of these same trailers can be seen elsewhere on the web, including the popular video sharing site YouTube.
I stumbled on an interesting article today about data privacy, or really the lack thereof, for registered sex offenders in Oklahoma (and ultimately the State’s government employees as well). It seems that anyone on this list, or any other offender list in OK, has had their SSN numbers exposed on the Internet for the past 3 years.
…The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases.
What I find interesting is that a feeble attempt to protect this information was made at first. It wasn’t completely corrected until the writer of the article pointed out to the Department of Oklahoma Corrections that it wasn’t just criminals whose SSN numbers were exposed but also private data on the government employees could be found and downloaded easily.
Shortly after discovering this problem (thanks to reader AJ, who hesitantly pointed it out), I spent the following day working my way up the DOC’s call tree. Eventually, I found my way to George Floyd and explained how bad of an idea it was to have a SQL query as a parameter…
The following day, both the SVOR and Offender Search were taken down “for routine maintenance”. Great, I figured, they discovered an overlooked hole and were working to patch it up. However, when the sites came back up, I noticed that the “print-friendly page” still had a SQL query in the URL. Putting the “social_security_number” in, however, no longer displayed social security numbers. It took me all of ten seconds to figure out a way around their fix. This slightly-modified URL brought back all 10,597 SSNs once again.
…I emailed again, this time explaining the problem much more clearly and advising in BOLD, RED, CAPS that the “roster page” should be taken down immediately. I also demonstrated the power of the ALL_TABLES table, the contents of an “interesting” table named MSD_MONTHLY_MEDICAL_ACTIVITY, and how even their information was available for all to see…. That, apparently, did the trick. Soon thereafter, the sites underwent “routine maintenance” and the “roster pages” were no more. I guess they weren’t too thrilled about having their personal data up on the ‘net for all to see
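The design flaw in the quoted account is that the request carried the SQL text itself, so filtering one column name left the client in control of the query. The sketch below is an added example, not code from the article or the DOC site: it shows a roster lookup where the request supplies only values. The table, view and function names are hypothetical, the rows are constructed, and SQLite stands in for the real database.

```python
import re
import sqlite3

# Columns the public roster page may show. The SSN column is deliberately absent.
PUBLIC_COLUMNS = ("offender_id", "full_name", "city")


def build_demo_db():
    """In-memory database with constructed rows (names and SSNs are fake)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE offender (
            offender_id INTEGER PRIMARY KEY,
            full_name TEXT NOT NULL,
            city TEXT NOT NULL,
            social_security_number TEXT NOT NULL
        );
        INSERT INTO offender VALUES (1, 'Sample Person A', 'Tulsa', '000-00-0001');
        INSERT INTO offender VALUES (2, 'Sample Person B', 'Norman', '000-00-0002');
        -- The web tier reads only this view. In a server DBMS the web account
        -- would be granted SELECT on the view and nothing else, so catalog
        -- listings and unrelated tables stay out of reach even if the
        -- handler has a bug.
        CREATE VIEW offender_public AS
            SELECT offender_id, full_name, city FROM offender;
        """
    )
    return conn


def roster_page(conn, offender_id, fields=PUBLIC_COLUMNS):
    """Return one roster row as a dict, or None if the id does not exist.

    The request supplies values only (an id and a list of field names).
    The SQL text is assembled server-side from allowlisted identifiers, and
    the id travels as a bound parameter, never as part of the statement.
    """
    fields = list(fields)
    if not fields:
        raise ValueError("no fields requested")
    for name in fields:
        if name not in PUBLIC_COLUMNS:
            raise ValueError(f"field not available: {name!r}")
    if not re.fullmatch(r"[0-9]{1,9}", str(offender_id)):
        raise ValueError("offender_id must be a short decimal integer")
    sql = (
        f"SELECT {', '.join(fields)} "
        "FROM offender_public WHERE offender_id = ?"
    )
    row = conn.execute(sql, (int(offender_id),)).fetchone()
    return dict(zip(fields, row)) if row else None


def public_view_columns(conn):
    """Column names actually exposed by the view the web tier reads."""
    cur = conn.execute("SELECT * FROM offender_public LIMIT 0")
    return [d[0] for d in cur.description]
```

The allowlist decides what the page can ask for, and the restricted view decides what the database will answer, so a mistake in one layer does not expose the sensitive column on its own.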