Microsoft proposes age-limited digital playgrounds

Microsoft has an idea for keeping children safe online: create "digital playgrounds," sites where visitors have to prove their age using digital identity credentials.

The idea was detailed in a paper Microsoft was set to release early on Wednesday as part of its Trustworthy Computing initiative. The concept builds on a notion called "End to End Trust" that Microsoft first proposed in April at the RSA Security conference.

The company is tackling the challenge of how to make the Internet safer not just for children, but also for adults wanting to conduct business, make transactions, and communicate with the confidence that the people they are interacting with really are who they say they are. A big concern is how to add more identity authentication without compromising the privacy of the people involved.

"I started thinking about how we identify people in the physical world three years ago, when my wife had a (baby) boy," Scott Charney, Microsoft's corporate vice president for Trustworthy Computing, said in a recent interview. "I was in the delivery room, and out he came, and the doctor said, 'What's his name?'"

"It occurred to me that all identity is based on social custom and derivative identity. Parents name the child, and the name is put on the birth certificate," which then becomes the irrefutable proof of that person's identity, he said. "We haven't done that on the Internet."

Microsoft proposes using existing identity verification systems, such as schools that register children for classes, post offices that verify identities for passports, and motor vehicle agencies that issue drivers' licenses, to help create digital credentials that people would use online.

"For example, I could produce my driver's license, stick it in a card reader, and prove it's really me," Charney said.

Under the scenario related to children, digital identity "cards," or credentials, could be based on either national identity documents created at birth or on identity documents schools use to determine age and identity for school registration, with parental permission. The data could be limited to age and proof of authenticity, and the credentials should be encrypted and require use of PIN numbers.

The Microsoft paper, entitled "Digital Playgrounds: Creating Safer Online Environments for Children," acknowledges that attempts at creating children-only online environments haven't quite taken off and cites the kids.us domain as an example.

"But there are reasons to believe that age-limited online services could be appealing," the paper states, mentioning that some sites might want to use age authentication as a feature to attract parents who want to keep their children away from predatory adults and teens who might want a more discreet experience than most dating and social-networking sites offer.

Interactive Web sites could be categorized into three areas: "general audience," for all ages, and "children only" and "adults only," both of which could require proof of age. The paper provides no specifics on how adults-only sites would authenticate, though it's likely that they would use the same digital credential system envisioned for children's sites.

Microsoft submitted its digital-identity approach, as outlined on its Web site, to the Internet Safety Technical Task Force, led by Harvard University's Berkman Center for Internet and Society, as well as to the European Commission, which is looking at online age verification concepts.

Digital information card infrastructure, such as Windows CardSpace or the open-source Higgins project, could be used in conjunction with the in-person proof.

Improving user authentication on the Internet isn't something that can be realized anytime soon, Charney admits.

"We'll get there, but it will take time," he says. "People work (on issues) for years and years, and suddenly, like a snowball rolling down the hill, it takes on critical mass... We're at the pushing-the-ball stage."

[Valhakar]

It's about time. The moral and legal issue of mixing adults and children in open mic games has been a real issue. In some states it is illegal to use strong language in the presence of a minor, right now no one knows who is really on the other side of the screen. They can also use this system to keep children away from adult rated games.

[Penguinisto]

IIRC, Disney already does this rather successfully, and there is (again, IIRC) the Leap Frog toys (I believe it's them) which connect to kid-only sites (and they're not alone - Mattel (Barbie) and other toy companies have done this for quite awhile).

Funny thing is, they do it without the stupid demand for sticking DRM into every user's computer (which is where I strongly suspect that this little proposal is leading).

All it really takes to create a successful kid-only site is for the site owner to apply existing profanity filters, and to get up a group of volunteer moderators to keep an eye on things. And it's lot cheaper than this whole infrastructure that the MSFT guy is proposing to boot.

[umbrae]

Idiot MS. There is a reason this is not done on the internet. Because information is easily stolen. I do not want my "identity" passed around on the internet. That is same as yelling your name and SSN in a crowded room. Maybe after ALL connections require SSL, but until then anonymity actually benefits White Hats as much as Black Hats.

[kojacked]

"All it really takes to create a successful kid-only site is for the site owner to apply existing profanity filters, and to get up a group of volunteer moderators to keep an eye on things"

If it were that simple it would have been done by many by now. People want the internet to act like a toaster (like an Apple product). It does what they expect it to do with little or no effort. Filters are destined to be broken (look to spam as an example). Expecting volunteers to police matters is short lived at best. I don't see the thousands of Linux volunteers have been successful at dethroning Microsoft on the desktop.

"Funny thing is, they do it without the stupid demand for sticking DRM into every user's computer (which is where I strongly suspect that this little proposal is leading)."

No it's more like providing people with certificates like those that are issued by Verisign today for web sites and mail servers. Of course coming from Microsoft you always have to spin things to the negative don't ya Peng?

[Penguinisto]

"If it were that simple it would have been done by many by now."

...what makes you think it hasn't? A quickie Google search turned up:
pbskids.org
kids.nationalgeographic.com
kids.aol.com
nick.com
kids.discovery.com

...and thousands more.

You were saying something?

"I don't see the thousands of Linux volunteers have been successful at dethroning Microsoft on the desktop."

funny, but MSFT no longer owns 95% of the desktop market (hint: OSX is also open-source).

"No it's more like providing people with certificates like those that are issued by Verisign"

Also destined to fail (assuming you are correct - jury is still out as to what he really meant). After all, it would be drop-easy to fake such credentials (considering that pedophiles often have kids and young relatives as well...)

[kojacked]

"...what makes you think it hasn't? A quickie Google search turned up:
pbskids.org
kids.nationalgeographic.com
kids.aol.com
nick.com
kids.discovery.com

...and thousands more.

You were saying something?"

Great! Then there is no problem! Going back to bury my head in the sand...

"funny, but MSFT no longer owns 95% of the desktop market (hint: OSX is also open-source)."

Oh, what is it then? 94% now? I love how you put words in my mouth: I mentioned "Linux" not "Open Source" but you had to go there to TRY and make your case. Epic Fail.

"Also destined to fail (assuming you are correct - jury is still out as to what he really meant). After all, it would be drop-easy to fake such credentials (considering that pedophiles often have kids and young relatives as well...)"

And what has that to do with you labeling it as some evil DRM implementation? Keep spinning your FUD linux boy.

[Penguinisto]

"Going back to bury my head in the sand..."

...which would be an improvement over where you usually keep it, I surmise.

Squirm all you want, but the points stand. Deal. ;)

[humanssssss]

Why is identity even necessary in the age of information? When people ask you "what is your name?" You are giving them your identity. Do you expect them to give back your name and not tell others about you? Your restriction of not identifying yourself is your problem. The fact today is, people post their real name everywhere. From resume on craigslist, to names on facebook, to names on myspace, to for sale on craigslist, etc. There's company like Google who harvest these information and store them. The collection and display of identity are compromise. You have little privacy on your identity.

The thing you want to do is diversify your identity. Meaning a person should have multiple names to ensure privacy. In today's age, police arrest people from a youtube video. It doesn't take long for them to arrest everyone for identifying themselves on the Internet. The best way to avoid getting arrested is to use fake identity. At least this will reduce your risk.

And the last part, laws need to change to favor human rights. U.S. laws violate so many human rights laws that make U.S. a criminal. From criminal negligence to using drugs to prostitution, why is it there are laws forbidding people from engaging in activities they choose to do? It is because other people don't like? If a person is doing things in their private place of establishment, the law should protect the private property of individual, not perverse and invade the rights of individual private property because some idiots don't like.

[Kesteral]

A fake ID in a no-trust environment like the internet is exactly the problem that people are trying to address in the article. There is no way to know if the person your 9 year old child is chatting with is actually another child or a 40 year old pervert. Until there is a reliable way to verify that a person online is who they actually say they are, all online social sites are untrustworthy. I do not allow my children to use chat at all online, and all social sites are blocked at home because of this.

[Kesteral]

The problem I see with most forms of online ID is that there is no way to control who keeps a record of your ID. In Real Life, very few people/organizations have a copy of my ID... my employer, my bank, and some government branches like the DMV are the only ones that come to mind right now. There are strict policies and laws in these organizations on who has access to this information and how it can be used. None of that exists online right now. I think online ID will only really take off if the following conditions were met first:
a) There was a way to guarantee that the ID cannot be copied (or at least make it sufficiently difficult and expensive that most criminals cannot do it).
b) A way to effectively enforce the keeping of online ID secure on the sites that are allowed to keep copies.
c) Easy use, but not automatic. I want to know when someone is verifying my ID, who they are, and why they are doing it.

Personally, I don't think it will ever happen.

[shanedr]

Everything sounds great on the surface. But children would not keep PIN numbers secret, as would a large number of adults. Plus imagine the size of the database and the amount of time it would take to verify your identity.

At a minimum you would need a much faster Internet. supercomputer speeds and probably 128 Bit operating systems. I think we're a bit short on the infrastructure.

[Raemir]

I get very nervous whenever someone says "it's for the children", but that aside, this is simply one more case of a "solution" in search of a problem. Only a small minority of people are parents of small children and only small number of that group allow their children unsupervised access to the internet. So, because of a few irresponsible parents this guy at M$ wants to create an entire "secure identity regime"? To me, this just looks like a further extension of the existing Microsoft tax--someone is going to have to pay for all this infrastructure and someone else is going to make plenty of money off of it. And, I'm sure we all know who's going to be on the paying and receiving sides.

Also, not all parents believe that their children should be kept in "glass houses" until they turn eighteen. My children (24, 23, 20) all grew up with an open internet and neither my wife nor I ever attempted to censor what they had access to. We did monitor what they were doing as pre-teens, but the idea was to teach them to make good decisions on their own, and if they weren't sure what to decide to come talk to us.

No parent will ever be able to protect their child from every possible misfortune or mistake--life is a process of learning from mistakes, hopefully others' as well as one's own--and trying to do so is foolish at best. Creating these little walled gardens does little but prevent children from learning and growing. And, we should be more afraid of the walled gardens then of the mistakes children will make learning and growing.

[BrendaJPreston]

There is an age appropriate wesite for children ages 5-18 that requires the childs school to verify their identificton before they can become a member. The site is content monitored and children are on different ilands according to their ages. My child can still play games, IM, chat, create his own webpage and recieve tutoring if needed. The site is totally free. The site for kids is www.iland5.com and the site for parents is www.safewave.org. They are having a free webinar September 25th .