Imagine for a moment that you're one of those creepy people we've heard so much about: a chatroom pervert. You've "stalked", you've "groomed", and now your prospective victim, who claims to be a 12-year-old girl, has finally agreed to meet you in person. Now you face a dilemma: do you make the date? Thing is, she might not really be 12. She might not even be a "she". Maybe she's someone much like yourself, in which case the two of you can grin uncomfortably at each other and walk away; but maybe she's actually a male undercover cop, in which case the consequences of trying to date her may be more serious. How do you know? Well, thanks to VeriSign, now you can be sure.
They're trying to market a USB-based ID token for children. Possession of the token is supposed to prove the possessor's age and gender. According to the article, "Chatroom lurkers who can't prove their age will stick out like sore thumbs as more kids adopt the tokens[.]" Lurkers like, for instance, those undercover cops.
Assuming the system actually works, it'll be a great bonanza for stalkers, perverts, and other creepy people who want to know they're talking to real children. I'm not sure it's so great for its claimed purpose of protecting children. It's not plausible that a large fraction of chatroom participants would ever have the tokens except in the kinds of backwater "gated community" venues that are already crawling with police anyway, and in the real public Net, there are lots of reasons someone might fail to have the token while still being legitimate. So if I have the token that means I'm not a cop... but if I don't have the token that does not mean I must be a pervert. The certainty is on the wrong side.
Or will undercover police be issued fake tokens, and if so, will that implicate search and seizure and entrapment and all the other fun stuff the lawyers will pull out? Actually, that's probably not a big problem - the police were already lying about their identities and this wouldn't seem any worse than that - but it's one more thing to think about. And if it's too easy for adults to get "I am a child" tokens, then the whole system breaks down, so you'd better not have too many of those licensed undercover police out there.
Lots of pedophiles are parents and can be expected to be able to obtain the tokens of the children they live with. Then they can go on the Net under those IDs, and be trusted. Forget passphrases and biometrics to make sure the token can't be used without its owner's consent; children are considered unable to withhold consent from adults, remember? That's how we got into this mess in the first place!
So if these tokens are distributed to a significant fraction of the population at all, then it'll be easy for exactly the wrong people to get ahold of them; and the level of circulation at which they become pretty much useless for that reason is much lower than the level of circulation you'd need (virtually 100%) for them to even be useful for their intended purpose in the first place. If just one of my close friends who I know and trust is token-less and has to remain token-less for software compatibility or other reasons, then I'm not going to have much faith in the people who insist "Anyone without a token is an evil pervert!"
The idea that the system is also supposed to verify gender is interesting. What is the threat that that's supposed to protect against? Why do we need to be protected from young people who really are the age they claim to be, but are lying about their gender? It seems to me that knowing the person you're talking to really is the gender they say they are is only important if you want to do something with them for which gender is relevant, and I can't think of very many such activities that we accept as being okay for children to participate in. (Then we can also have fun with the definition of "gender" versus "sex" - oh, won't someone think of the poor misunderstood transgendered children?)
I haven't even started on the technical issues. It might be possible to make the tokens do public-key crypto and have a cryptographically secure connection all the way from the token to the verification software on the verifier's computer. I suspect that the system more likely involves a trusted client on the child's end, so you prove your age and gender to your own computer and then the person on the other end takes your computer's word for it. Of course, that breaks down because your computer is on your side and will lie if you tell it to. It would be very amusing if some enterprising young people were to design a piece of software to demonstrate that kind of attack. Not that I know anyone who'd do such a thing, of course. But I think it's clear that we don't even need to touch the crypto issues anyway: even if the tokens really worked as designed from a crypto perspective, they would be almost useless to the good guys and a great bonanza for the bad guys.
Which side is VeriSign really on?
[VeriSign helps expose chatroom cops]