SAN MATEO (05/22/2000) - Has anyone considered that Microsoft Corp. and the federal government might deserve each other? With the recent arrival of the Children's Online Privacy Protection Racket, er ... Act (COPPA), the current administration has delivered on its vision that "it takes a village" to raise a youngster in today's Internet-corrupted culture. With the assistance of overeager beavers such as Microsoft's Hotmail service, we have sunk to a new low in this "free" society.
We are actually dumbstruck by the wording of this regulation, found at www.ftc.gov/os/1999/9910/index.htm#20. We'll demonstrate the inadequacy of this law in short order, but let's take a brief moment to contemplate some of its more humorous passages:
"The rule sets forth several exceptions: For example, no consent is required to respond to a one-time request by a child for 'homework help' or other information." Drive your truck right through that one, kids. "Schools can act as parents' agents or as intermediaries between Web sites and parents." Oh, thank heavens, Principal Skinner can vouch for me. The statute defines "verifiable parental consent" as "any reasonable effort ... to ensure that a parent of a child ... authorizes the collection, use, and disclosure" of a child's personal information. Read on to see how useless this is.
Here's the ham-handed COPPA in action: As of April 21, one of your Security Watch columnists became unable to log in to his Hotmail account. He was continually prompted to sign in to something colorful and fluffy called Kid's Passport and to make sure his parents were with him. Without parental permission, he was not permitted to access his mail.
The Hotmail staff's response to this was a long string of form letters (over the course of nearly a month) explaining:
"Due to some unavoidable circumstances, we have been experiencing some network problems. ... Rest assured, we will resolve the problem at the soonest possible time.
"During the last few days we have been experiencing an increase in support requests. As a result, there will be a temporary delay in responding to your inquiry.
"Your Hotmail Personal Profile shows that when you signed up for Hotmail, you told us that you ... are 12 years of age or under. In compliance with COPPA, we therefore need to obtain your parent's permission before you can reactivate and use your Hotmail account. ... Your parent will then need to sign in or register for their own Passport. Your parent will then be asked to provide a credit card to authorize their consent."
After fruitlessly attempting to explain no fewer than five times that we really weren't 12, we obtained "parental" consent using a bogus Passport account created with false information and a phony credit card number generated from a Windows 9x-based tool that any child could find on the Internet.
We have yet to determine why an ostensibly anonymous Web-based e-mail service such as Hotmail would be required to comply with COPPA, but since we're here, let's spell it out for the folks in Washington (D.C. and state of, respectively): Privacy and parental consent are like oil and water. Does anyone still believe a credit card number can protect children's privacy? Isn't this a violation of "parental" rights to keep financial information private? Where is this number stored? Who will protect adults who have to figure out how to untangle all this red tape in order to simply retrieve e-mail? Does Microsoft think that it is changing its image of a Borglike entity when Hotmail mechanically responds with canned letters refusing to address legitimate personal pain?
We're sorry that we didn't bring this to the attention of our readers sooner, and we're especially sorry that we were not aware of this bureaucratic booby trap back in 1999, when public commentary was solicited. We can only hope that someone gets wise to the burdensome effects of this sort of meaningless restriction on everyday Internet use and derails it after the fact. Send petition signatures to email@example.com.
Stuart McClure is president and CTO and Joel Scambray is a managing principal at security consultant Foundstone Inc. (www.foundstone.com). They were formerly analysts in the InfoWorld Test Center.