 Great. Thank you. Thank you, John, and thanks to the Berkman Center staff. I also wanted to thank Generals Coakley and Blumenthal and Cooper for their attention to this issue and for their their opening remarks and their staff. Jay, Tony, Scott, thanks very much for helping with this effort. And acknowledge one of the social networks out there that is already using age verification, that being Lyndon Lab. And there are others that are voluntarily taking an approach to age verification, which enables a mitigation of risk. It certainly is not a all-encompassing solution, but we will take what we can get, as the Attorney General said. And there are social networks out there that are actually taking the initiative with respect to age and identity verification. I have just a couple of slides. I'm going to skip over the majority of them, but I wanted to just review this with you. Integrity is an already deployed age and identity verification solution. More than 50 million verifications have been performed by citizens who are providing information, then entering certain types of sites, winery sites, for instance, and others where age needs to be verified. We provide this technology for a fee to various commercial entities and to some government entities who want to know a little bit more about the people that are coming into the website. And we ensure the transaction, meaning we ensure the merchant against prosecution for violation of an age verification requirement, as in the case of tobacco, for instance. There are four scenarios under which age and identity verification can mitigate risk for youngsters at social networks. And I will review them. They fall into two categories. One is to deter kids from acting older than they are. And the second is to deter adult predators from acting younger than they are. In case one, a child registers with the correct age. Case two, they register with bogus details. Three, a predator registers with correct details. And four, a predator impersonates a child and an adult, creates a fictitious child and a fictitious adult. In scenario one, with the child attempts to register age verifications, pretty straightforward. It's done every day at thousands of sites for global Fortune 1000 companies. If the access is granted, then and the child has impersonated another real adult who has been verified. A postcard is sent. Similar to what I get from Fidelity when I change my password at the Fidelity website or United Airlines, it's very simple, it's very effective. I get one when my daughter is supposed to carry home her report card and I get a postcard in the mail from the school asking me if I receive the postcard. This is not high tech, but it works very, very well. It's also not perfect. Under scenario two, the child attempts to register with bogus details. Again, if the details are fabricated, the access can be granted, but the parent, in the case of a tobacco website, for instance, receives a phone call. Or again, a postcard saying someone registered with your details at this website. And if it wasn't you, call this 800 number. Under scenario three, the predator tries to register with the correct details. Well, if you're doing a scrub of the convicted sex offender database, you can catch those predators who are doing that. And of course, under scenario four, you're back where a predator has created a fictitious child and a fictitious adult. But if the fictitious, if the predator has impersonated an adult, that adult again gets a notification, a phone call or a postcard at the address on the government-issued ID used for the verification and thereby knows that someone registered in their name. Now, as I say, these solutions are not perfect, but they do serve to mitigate risk. Part of the issue with age verification is that if you accept that if you want to go to the point of view that age verification cannot work online, then there are large areas of commerce currently engaged in by these same social networks, which would be off limits, tobacco marketing, alcohol marketing and the like. So we are in a scenario now where with many activities, age verification is an accepted form of limiting child access to certain types of content or material and extending it to the social networks with their advertising, but also with protection of children in mind is a fairly straightforward process. I'm going to skip through this and get straight to the questions. But I did want to say one thing about the overall discussion. We have laws in the real world where if a sexual predator moves into a neighborhood, the neighbors have to be notified. And what we're talking about here is an analogous situation in the virtual world, where if someone is a sexual predator and they have set up shop at a social network, those who have been in contact with that sexual predator unknowingly have a right to know that they were contacted by a sexual predator or worse still that their child had been communicating with a sexual predator. And one of the things that we would like to see this task force unambiguously recommend is that those who were contacted by the 50,000 convicted sex offenders that had infested MySpace, those parents of children who were in communication with those 50,000 convicted sex offenders, they have a right to know. They have a right to know that their children were being communicated with by convicted sex offenders. This information is available. It is contained in the logs of the contacts between MySpace and the logs of the contacts of MySpace between those convicted sex offenders and the minors. And the parents have a right to know this. I will be happy to take any questions at this point about age verification or about the presentation in general. John Phillips, thank you for modeling good behavior with five minutes of presentation and we'll take some questions now from the back, sir. And if you don't mind telling us, that'd be great. Hello? There we go. Okay. So my name is Chris Segoian. I'm a blogger with the CNET, blogger network. We saw last week that Vice Presidential Candidate Sarah Palin's email account was hacked because someone went on to Wikipedia and found her date of birth where she met her husband and her zip code. What's to stop children from going on to Wikipedia, finding the names, date of birth and zip codes of other people and logging in as them onto these systems? Would this would the security of your product rely upon Sarah Palin's staff receiving the postcard and calling you up to notify you that the information was used for? Thank you. Yeah, very good question. So the nature of the security you can make with identity verification, you can make the security procedures as as robust or as loose as you wish to make it. And it generally depends on an industry by industry basis. So for instance, if you look at any of the major motion picture studios which show our rated trailers online, they use generally very loose age verification standards, the type of information, for instance, which you can find online about certain individuals. Now some of the age verification providers look to block out the use of a an ID Sarah Palin, for instance, would be one that came up a week ago, where Sarah Palin is repeatedly trying to log into an R rated movie site, for instance, or people impersonating Sarah Palin because the details are being passed around by kids. But in the case of a tobacco website, for instance, the information such as social security number, or last four digits of social drivers license number, that information is much harder to come by. Again, it depends on the risk profile of the website and how much information you want to pose. There are also the knowledge based authentication, you'll hear from some of the providers today, and where knowledge based authentication comes in is where you're, you're asking somebody, for instance, information that is not in their wallet, but would be known only to them, or to their spouse, for instance, where do you hold a mortgage which bank holds a mortgage on your home, or where did you live two or three years ago. So but I want to acknowledge that none of these systems are perfect, including the one that protects my 401k. These are all gradations of different levels of security. John, thank you. Is anyone on the Technology Advisory Board eager to ask a question based on the submissions? I just want to make sure that the this group also gets a crack in at questions. Please. No, great. Jess, if you wouldn't mind and Sir, I think your hand was up back here. Sure. Great question. So after this, after tomorrow, I'll be going to Luxembourg with some of the other members of the task force we're presenting regarding European social networks that are based in Europe. There will always be those who are, for instance, trading in in stolen ID as Attorney General Coakley referenced. And there will be it will be more difficult in certain regions of the world to verify using information that's in a database. But there is information, for instance, in the gambling sector, where there is a tremendous amount of commerce internationally, but not in the United States. These gaming websites have found means to request enough information to make sure that the person who's registering at the site is going to pay their bill, for instance, or confer comports with what the credit card company has that they are using to place the transaction. So they're not perfect. And some jurisdictions like there's certain Eastern European jurisdictions where a lot of fraudulent transactions come through where they know if they do not get they have tighter security. So they will require more information about that individual than they would in a place like the UK where the fraud rates are lower. So just as with the type of website, if you're selling tobacco, you will have under the master settlement, you will have a tougher standard for identity verification require more information than you will if you are letting somebody into see an R rated trailer. It's not to say that people won't try to break in to see an R rated trailer or a tobacco website. But if you raise the bar high enough with the industry and with the country, you can find that optimal mix. And I would say this. The vast majority of social network sites, those in Europe and those that are here are going to are not going to abandon the US market if regulations are put into place here or if there's a self regulatory regimen here and in Europe, because that's where the advertisers are. It's highly unlikely that Coors and Anheuser-Busch and others are going to follow MySpace to Tasmania so that they don't have to do age verification, not that MySpace would want to go to Tasmania. But the fact of the matter is if you can set up a self regulatory, a reasonable, commercially reasonable self regulatory structure that works in the United States and works in Europe, you have done a great deal to protect children in the United States and Europe. And that's what, that's the goal. Just a short question. I just need to clarification. As part of the cycle, if you will, let's say a child is attempting to log on with false information, maybe borrowed information, whatever. Part of the cycle is this card that is sent to the parent. Is that correct? It can be for certain sites, such as 401Ks. That is part of the identity verification cycle. Okay. So what's the normal procedure then? Well, it depends on how, depends on this type of site, whether they want to have, in the case of tobacco, for instance, in California, you must make a phone call to the residents after five p.m. if you want to ship tobacco into the state. But it varies. Virginia's got a different rule and other states have different rules and it depends on the industry and depends on the degree of security. You know, if, if the position is that certain social network sites will not adopt age verification and mitigate risk and disclose communications with children to the parents of those children, then I would suggest that if the lawmakers get involved, the standards that are imposed are going to be much more draconian as happened in California with respect to tobacco. So, you know, this is really the time to come forward with a voluntary regimen to find a re commercially reasonable steps. They don't have to be perfect, but commercially reasonable steps that help to mitigate risk and help to keep parents informed. John, let me just ask you noted in your written submission that, that the system after a child has been verified. There's really nothing that you're providing that would prevent that user ID from being traded around or given to other people. Is that, is that right? That's correct. I wanted to, and thank you John, that the, the system is not perfect in this regard. So, I'll give you an example of how we address that particular issue. It's not perfect, but how we address the particular issue of shared credentials. This happens a lot with the R rated movies where one kid gets online using his, again, with a low security bar, using his, some types of credentials that they needed to get online to watch, you know, forgetting Sarah Marshall, the R rated trailer for that. Now, what happens is once that kid gets in, he or she will provide those same credentials to their circle of buddies. Maybe they go on My Space to do it. Maybe they just email their friends or pass it at the playroom in the playground at school. We look for those credentials being used more than once, coming from a different location. So, when we, so when we see five Sarah Palins coming in to see forgetting Sarah Marshall, R rated trailer, we shut down those credentials. Again, you've let four kids in to see the forgetting Sarah Marshall trailer, but you've stopped that same credential for being used again and again. The kids are very creative and they're going to find ways to sneak into various types of sites. But the number of kids are going to take their parents, social security number, driver's license number, and other types of information in order to pose a scenario such as the ones I mentioned are very rare. So, it's not a perfect solution, John, as you say. There are ways for credentials to be shared, but we do have a way to put a stop to that at a certain point. You can shut it down after two, you can shut it down after ten, you can shut it down after just one instance of a credential being used. We've got one last question here, please. Hi, John. Bart LaClelle Institute for Policy Innovation. And the Task Force member as well. Thank you, sir. In the best thinking of doing a properly prepared appellate brief, what's the best argument against your technology as compared to the marketing landscape? Or, phrase a different way, what is your biggest challenge in the market when you're selling now? In other words, social networking sites, it would seem to me there's been a great case laid out that most of them would probably want to provide as much protection for their customers as possible. Why don't they all have your technology? Okay, so I can answer the way it's framed the second way you put it and it's an excellent question. Okay, so the, you know, the age and the identity verification market is going to grow and grow and grow. Companies need to know who they're doing business with and they want generally to do the responsible thing. They do not want to have to go to Tasmania in order to set up a social networking site and principally that's because the advertisers are here. The advertisers want to reach people that they want to be able to target with specific advertising based on whether they can buy their products. Alcohol is an example of that. The difficulty that we have is that some social networks think that imposing any type of age verification is going to be a death below to the social network itself. They, presumably they've got a different model in mind which is that complete anonymity is, you know, is a business model that can thrive and maybe, maybe it can. We would like to see social networks have a minimum floor of self-regulatory behavior the way the movie studios do the wineries the tobacco companies and the like in the case of tobacco companies it's the law. So I would say that the market itself is developing and it's going to be growing quite rapidly. If this task force were to conclude, incredible as it seems to me, that age verification does not mitigate risk for social networking sites that would be a problem for the age verification companies because what that does is provide a green light to companies who also in other sectors as well as in this sector who want to do the right thing but have competitors who are doing nothing to mitigate the risk to children. So I would say that we're not looking for a government mandated solution but the recommendations of this task force with respect to adopting age and identity reasonable age and identity verification to mitigate risk to children and most importantly notifying the parents of kids who've been contacted by predators online. I think those are reasonable steps this task force can take in order to move the ball forward and avoid a regulatory the passage of laws which may be draconian and may not benefit anybody in the industry. Thank you very much. Thank you very much. As ideology sets up there was one question that I was asked and wanted just to address address directly which is of the 41 submissions how were the 15 or so who are presenting today selected and I wanted to just give a sense of that process as ideology sets up. We did two things one was those who were invited to be members of the task force by the attorneys general in my space at the outset were given a chance to present and in addition to that those who were identified by the technology advisory board to the task force I accepted those recommendations so that is how the group of 15 were set up. Ideology please. Hi I'm Jody Florence I'm with ideology and I wanted to tell you my approach or our approach at ideology and it goes back to what Attorney General Blumenthal was talking about this morning was that there is no one perfect solution it is there is no magic bullet what we're trying to do is show how important identity and age verification is and how much it helps enable other technologies as well thank you so with that in mind I'll just give you an overview of what ideology is all about and we're an identity and age verification provider we've been in the market since 2003 and our solutions have been deployed since 2003 and they are commercially reasonable and viable and the way that it works is we essentially verify the identity and age of consumers not present and we do this in a safe and secure way and what I mean is that we're very focused on consumer privacy and making sure that we're keeping data out of the hands of the enterprises and protecting the consumers and the businesses from overexposure of data and how this could be worked in a social networking situation is that it helps the social networks to create a walled garden so to speak so that they are not compromising consumer privacy they're allowing adult choice and essentially a lot of the their social networks today have unverified walled gardens where they're trying to segment certain things for people under 18 people over 18 so this helps to make those walled gardens for the adults actual verified communities so ideology solutions are used in multiple industries it's concerned with protecting minors on the internet this includes social networks john spoke bit of those we also have some social networks that are have actively deployed age verification and are voluntarily adopting it those include imv u and zoe's room so he's room is a perfect example of parental consent they're verifying the adult and then the adult is granting access to the children they're not doing relying just on age verification they're combining it with other technologies such as reaching out to the parents to verify that this was an actual child and that they are related and allowing them to grant access to the site other clients include tiger direct kindle jackson and basically anywhere that a an identity needs to be verified before making a transaction or completing a transaction on the internet so how does it work it works for 18 and over one of the concerns we keep hearing is that it doesn't verify kids and that's true because the data around kids is protected but it can work to verify the adults 18 and over and it does it through a quick and safe process we take the information from the consumer we base it on as little information as name and address only and we access public data records and what that means is we go and dip into the public data we verify the attributes of the identity we're not aggregating data we're not we're not keeping data so we're residing but as a firewall essentially between the enterprise and the consumers and we perform analytics to make sure that the attributes are matching up and to pinpoint any suspicious behavior and then we escalate to a higher level of verification KBA or knowledge-based authentication which I'll talk about in just a second if that is needed and then essentially we return a result and this isn't sharing this person is of this age we're just simply sharing this person is of age or this person is underage or this person is verified so knowledge-based authentication this is a higher level of verification and just like in IT security we try and take a layered approach to identity so as John was saying some enterprises want the minimal amount of identity and age verification some people require a higher level of verification and they want to make sure that you are who you say you are and that you're not someone that has stolen someone's credentials or is posing as an as a fraudster and so KBA is used to verify their identity and it's used through a set of dynamically generated questions and you're probably thinking what is my mother's maiden name or what is the pet name of my favorite pet but that is a form of knowledge identification but it is not what we call dynamic identification we go into a consumers data file or access this publicly available data that is protected and we fall under the the rights of data protection and we dynamically generate questions on the fly so we're asking things like what is this property who do these people do you know which of these cars have you owned and this serves to help the kids from impersonating their parents because many of these questions they're not going to know the answers to and today KBA is used for account openings opening up new accounts password resets to your your question earlier had Yahoo been issuing a knowledge based authentication they probably the hacker would not have been able to get into Palin's account access to medical records wire transfers high value transactions and anywhere that we need to make sure that someone is who they say they are and most importantly knowledge based authentication can be used with future technologies I think later this afternoon we're going to hear from Microsoft about information cards and at the last meeting which I believe was public I'm John dance who gave a presentation of how information cards can be used to establish a trusted identity questions and when I say and I wish you would also say who you are and that you're on the test first I apologize and call your with connect safely dot org could you tell us how you verify guardianship we don't the way that Zoe's room is doing that is that they verify the age of the parent or the adult leader of the group and then they do other measures and and means to make sure that that person has access or authority over the child I like these concise answers very good Jeff Smith was trying to get in the last one and I cut him off so thank you comment and then a question comment on the point that was just raised when we're talking about age verification it's very different to assert childhood versus asserting adulthood and I think that in this forum we find ourselves confused quite a bit between the two asserting adulthood for the purpose of purchasing an age restricted item is a very different scientific question in a different problem than asserting childhood which is almost impossible because you don't even know the child exists so I just encourage us to be very clear when we talk about a history of asserting adulthood is not the same as a history of asserting childhood okay the question I'm sorry the the question is as a new parent I'm looking at this a little bit differently now and why would I trust you or any commercial company with a bunch of information about my kids you're not trusting information about your kids to us we are actually accessing data that's publicly available so this these types of transactions are being run every day hundreds of thousands of times and your everyday life when you access your bank when you're opening up a new account when you go to act make sign up for some telecommunication services you're being age-verified and there's different levels the KBA is an interaction between the consumer and the and the service or the enterprise that's issuing the authentication or trying to find out who you are but then the lower level is is basically under cover under the covers and it's happening when you're not even aware as a consumer practically Jeff thank you I'm gonna John Morris would like a question if anyone other than John Morris would like a question I'm gonna give it to him first and then to you next just so we make sure we keep it going all right my name is John Cardillo I'm also a member of the task force I have to I want to make one clarification then a question with regards to adult data you're correct that's in publicly accessible databases but Jeff Schmidt is a hundred percent right when you run an adult and that adult asserts a child we don't know whether or not the child is real but assuming they are this private site is banking very valuable information of a kid so my question is what methods are in place to safeguard the valuable PII that is formal law enforcement I'm quite concerned about identity theft well that would fall to the social network that the age verification identity verification providers are not capturing the information and managing who's accessing the social networks or any of the sites that would be held to each business to follow you know privacy protection laws and consumer data and protect their own data and just as they would with the data breach all right John Morris and then at least one more your your submission focuses on creating wall gardens so I am the Zoe's room as a wall garden for minors I am VU has wall gardens for adults but what value does the service have for social networks that quite consciously allow adults and minors to interact in other words they don't want to separate they don't want to build a wall between adults and minors saying what what what is your service do in that situation well for one you you're going to be verifying an adult so you could set up a token and people that are interacting on the site would know if someone is of ID and age verified so you have a better trust established with who you're interacting with and another way it would also help to determine which of the levels of activities we should moderate more so if there's unverified members chatting and it turns into a risky situation you might want to watch that a little bit more than you would among verified adults and to subject you to three more questions if that's okay over here benedita then back to Bart hi Kelly Maloney with red star HS first I want to say that there is a way to verify the age of children so there you know that everyone's saying that you verify the age of adults and that's great but there is a way to do it with children so just put that out there also I just I wondered so how do you prevent say an uncle from getting or you know a brother of someone from getting the information that you're asking for and creating a fictitious child or something like that you know do I mean I think your question is how do you keep an adult from creating setting up in a child's account that they don't have access to that child has the information has the information of another adult and can create a fictitious child using that information so it can't be tracked back to him but he has credentials well that would be where we would say that I would I would say that the social network would deploy a KBA solution because they want to verify that the person putting in those in those credentials is actually who they say they are and it's not just stolen my brother or my sister's information and put it in to set up an account thanks for your presentation quick question you mentioned very quickly that you don't think that kids can impersonate their parents given the question set but if I understand correctly the question set you ask are similar to the ones that some of the cell phone companies have asked like which mortgage company do you have and what cars do you own and what not do you have any data that supports the fact that kids can't impersonate their parents because I don't know that that was the threat model when those questions were well I don't have data that supports that kids can't do that but I will say that you know companies today are very are relying on this technology to prevent identity theft and prevent being victims of fraud and it is working effectively they're using it in the context of anybody impersonating anybody so medical records would be a great example you know access before your medical records you need to make sure that you really are you before you can access the medical records part then Stephen then we will move on to the next presenter Bartlett-Clellan again in the back of the room I'm going to keep running of this question for all the presenters to the extent I get a question so it'd be easy if people answered their presentation something similar ask Aristotle but I'm going to add a little wrinkle to it so what's been the biggest marketplace challenge for your product but secondly you've now mentioned an externality which is a negative externality for the social networking sites once its information is collected they now have to protect the information that's collected and supposedly and presumably bear the liability in risk if they get hacked so can you give me a better picture of the real cost of your product I will not talk about cost I'm sorry but I will say that it is you know I don't mean actual dollar value I mean real cost because you mentioned a cost that wasn't laid on the table so I mean cost of an economic well I would I would argue that social networks are already collecting data on us whether you're choosing to give them real data or not so they're protecting your data anyway and they should have you know technologies in place to prevent data breaches or prevent someone from accessing their systems just as any business would do today but with all the influx of data breaches and and security leaks etc so I believe that you know that's something that's already being addressed by social networks or I would I would hope that it's already being addressed by social networks you know the the real the real issue here is that it goes back to cost social networks do you believe that this might be a high cost of doing business and and that's kind of the white elephant in the ring I'm sorry that I lied when I said three more questions but Stephen Balkum of the task force is not yet spoken so I can give him one more and maybe Sentinel can come up while he's asking it thank you John it was just asserted a moment ago that age verification of children is possible I know in in Germany in South Korea they have a national ID number and that's how they do it my understanding it's a point of clarification that birth records are not public is that correct so therefore my question I suppose it's directed to the woman from Red Star how how is it that children can be verified if we don't have public records that state a child was born on a certain date and we don't have and don't accept in this country national ID numbers from whom would you like an answer Stephen anyone in the room all right I'm gonna let Red Star do it since I promised ideology they were off the hook sorry well actually that's exactly what my solution is if you collaborate with schools who give kids a user ID and a password you can get them to go into a vetted IP address or some other source that's already secure and they can create a second username password entering their date of birth that's coded and then they get onto the social networking site from any location so that's a double secure entry model that you you know who's getting on to the social networking site is within a certain age range does that is that clear the way I said it it's clear it's it's questionable whether that's desirable all right well oh just one of the thing it one per customer it falls under all purple please thank you very much ideology thanks so much I appreciate it I'm sorry in advance to be harsh but I have to be or we will not make it to the end of the day another task force member John Cardillo of Sentinel we've already heard from Sentinel also as you'll note from your packets submitted three separate technical entries they have been evaluated separately but we've unfortunately giving them the same amount of time so John has a particularly hard task but go to it please well good morning everyone I'm John Cardillo at Sentinel I just want to say thanks very much to John in the Berkman Center to General Blumenthal General Coakley General Cooper there's only staff is here and the 46 other AG's as well as my space for organizing this I want to preface it by saying we are actually withdrawing from consideration the kids email registry after further review and analysis we just and and the tabs suggestions which we appreciated and they were incredibly valuable we realized that that there were just too many flaws in the model where the authentication and verification of all things was concerned so we're withdrawing that from consideration will note which of the three and that was the I believe it's called the kids email registry what we're going to show you is sent in a safe right kids safe exactly sorry about that but the other two stand the other two stand thanks safe and adapt and I've got six slides in total and we can get through them in a matter of minutes and I will answer Bartlett's question first I promise so without any further intro Sentinel safe many you may know what the product is others may not know what the product is we deployed Sentinel safe we announced it in late 2006 with the inaugural partner my space deployed in 2007 and it was really the first comprehensive searchable national database of registered offenders and we built the product after reviewing other solutions and realizing that the authentication and verification methods for me as former law enforcement simply weren't up to the task of what I would consider a security tool and I put a much higher bar and a much stronger burden on companies that jump into the security space I think the AGs would agree with me and that when you put the onus upon yourself to protect anyone you you definitely have to live up to a higher standard and we looked at the authentication verification models we couldn't find a feasible defensible solution for them to be considered security mechanisms so we informally polled end users and what we found was that and it scared us to an extent and users when they heard the word verification assumed for the most part that a full background check in vetting was being done and now I wish I had spent the money to do it as a scientific poll because it was interesting but we realized off the bat that the false sense of security that that would have promoted would have been would have done far more damage than looking at alternative solutions so what we realized was let's not look for needles and stacks and needles inside haystacks let's start with bad guys we could identify the topic to your and and it's been for a while was the registered convicted sex offender we have loads of data on these individuals they've been arrested they've been booked they've been put through a correction system they've probably been fingerprinted I'm going back to my experience nine times state local and federal cards probably three times through the process so we know who these guys are and and there are no issues of authentication and verification with them we know fully well who they are we have photos of them and what I'll show you is a little bit about the service what you're seeing now is actually the the back-end interface that the National Center for Missing and Exploited Children utilizes for those that don't know we donate Sentinel safe to Nick Mac and we make it available to law enforcement free of charge via Nick Mac all they need to do is request Nick Mac this is the standard interface you can search on about a hundred and twenty three points of identification we add new ones all the time something that interesting that's that's come up and we're quite happy about it is states state law enforcement local law enforcement are now contacting us saying hey we have these additional data fields what do you need can we send it to you absolutely we take it we hired a director of data and analytics to do just that to liaise with law enforcement and large aggregators to build the most robust solution is possible we keep it as simple as possible we have basic dossiers on the offender with things like scars marks tattoos that you can see the bottom of the first dossier we have photographs which make it highly effective when our clients have an internal security team they can do a human analysis we can reconcile photo to photo we know we've got the right guy in the event there's ambiguity with the photo or some other type of anomaly we have an adjudication mechanism it's an 800 number or they can call the sentinel office will forward that to our 800 number calls are logged recorded we deploy two call centers one out of Seattle Washington Tacoma Washington and one out of South Dakota and what the operators there do is they'll then run a much more comprehensive background on the individual and ascertain well somebody calls and says I'm John Smith but I'm good guy John Smith not bad guy John Smith we certainly want to cast we want to cast a net that's wide enough to be safe but not too wide as to inconvenience at end user so if John Cardillo bad guy were to come on to my where my client sites and his date of birth was two years off from mine maybe he lived in New York City in Miami around the times I did by all means I hope that I'm stopped when I attempt to register on a network and I'm gonna call the 800 number and the operators are gonna ascertain whether or not on the good guy or the bad guy and what we then do is we take as much as I said as much info as possible down to the offense which we like to know the offense because when often it with interesting thing is a quick anecdote if I have 15 seconds we find more offenders call us and tell us yeah I'm an offender I certainly am but I'm not evil I think we had a guy send us an email the other day I'm not an evil guy I should be allowed and they were on another client of ours wasn't my space and when I looked at him the guy was when he was 42 years old it molested to 10 year old girls and there he is arguing with us that he's not an evil guy so we find the adjudication mechanism works quite well but there was always a nagging question general Blumenthal raised earlier today and it's an excellent point and that is what do you do when someone uses a fake name oh we weren't comfortable with the identity age verification model for a simple reason outside of Sentinel I have two investments with my brother and my dad a couple pieces of property I know everything about them I could easily defeat knowledge base authentication assuming my brother my dad's identity and my mom's identity if I wanted to it's a family business so it's a very simply defeatable system when you know enough there was a case in Florida actually a friend of mine not a case kept it quiet friend of mine 17 year old son I sit on the board of directors and make a wish foundation high net worth guy his 17 year old son and opened an American Express Platinum Card in his dad's name because he knew everything about his dad the card was sent to the house via FedEx and he was out charging on South Beach the next weekend so we looked at best of breed technologies and what we found was a company called 41st parameter that we partnered with we developed a solution called Sentinel adapt which is advanced detection analysis and predator tracking and what it does simply is it sucks off JavaScript settings and other identifying info from a computer and creates a 40 character hash of the machine now what I won't do is bore you with the details essentially it's this if someone comes in from various email addresses various IP addresses work this power point a little better a multitude of different street addresses using various pedigree information John Smith David Smith John Davis Steve Davis et cetera et cetera the one constant will be the machine now it does require some work and some light algorithm put on to our clients user interface but again when searching for solutions and we have an open door policy with any vendor Sentinel will speak to anybody and we will take a meeting with anyone and they can afford to come see us because they're a startup will go see them who says they have a solution that might enhance our services we love to talk to them they can get me on my direct line there's no receptionist to buffer we found this company we really liked what we saw and we said that while it won't answer all the questions and to address Bartlett's question quickly there are going to be inherent flaws sophisticated users as the tab noticed we'll be able to deactivate the settings but right now in terms of what we're seeing in the marketplace we were impressed with this and an initial testing has rendered it effective effective enough for us to put our brand on it and say yeah we like this is it to be all in and on no but is it a good element for us to add to a solution that should be deployed alongside other solutions probably from other vendors at yeah absolutely so on that note I'm going to close and would love to take any questions I'd like to be by nobody likes people to be brief and thank you thank you John and thank you also for taking one of the questions during the presentation as we pass around a mic just one note on what you said one come conversation with general Blumenthal earlier was about you know one thing we could do with this task force is to identify ways in which multiple technologies could work together and you've obviously done this within your product I've heard from several others associated with this process already that they're exploring possible partnerships you know just as each person has said so far there even a single solution isn't going to solve all of the sub problems here but it may well be that some combination of these things with further development could be you know helpful and so we'll be looking forward to you know how can we make recommendations and I highly recommend partnerships with the NGOs as well because we've just garnered incredible information working with Fawzi working with Nick Maxow thank you questions for John I put the TA yes sir in the back the gentleman from CNET hello again so I'm interested in this hashing technology as a computer scientist I know actually notice an absence of computer scientists in the room and I'm wondering okay we have no there's actually a good cluster the technology advisory board we've convened some of them are quite eminent in their field in fact so I guess what I'm wondering is which prominent computer scientists have examined this technology and this and and let their name to it as secure and abuse resistant I don't have the answer for you know what I'm going to do is if you want to circle up with me after I will get you in touch with our CTO who you guys can chat about this stuff for hours and both enjoy that conversation which I won't be great absent other hands I'm going to my friend John Morris of CDT over here but if there are others great one from the next one will go back to the TAV John on now it is you just it will be on you just need to speak very directly into it so with the adapt technology if I were to ask my friend Jeff Schiller I certified computer technologist or geek or whatever to create a little utility to essentially send different signals to essentially fool the adapt technology would he be able to do that fairly easily assuming he's as intelligent as I what the engineers tell me is somebody who is intelligence in a computer intelligent and a computer scientist probably would which is why I think with every security solution out there we sent those mantras we'd like to talk very little about the products we deploy because we're cognizant of the fact that bad guys are pretty smart I mean you know I I lived on Hudson and Leroy on 9 11 2001 they were able to bring down two buildings in my neighborhood and I worked in law enforcement in you know as law enforcement we were reactive they had already committed the crimes for the most part you know as law enforcement people were unfortunately reactive more than we're proactive or passive so the answer is yes and I think the vigilance doesn't just come in in the engineering of products the vigilance also comes in the discretion with which they're deployed and the public relations surrounding them and I'll dare say maybe even a little bit of misinformation as to what they do to confuse the bad guys maybe that's not the politically correct statement but as an ex cop I like keeping bad guys on their toes great we've got two members of the TAB and then a member of the observer group of the TAB and then we'll probably move to Ben verified from there I like the idea of creating a signature from the computer but if everybody's computer is like mine it gets updated pretty regularly I mean almost automatically now and I wonder how stable that signature is as the software and the various utilities that you're hashing from are going to be updated regularly is there's some thought about how that signature will be stable yeah there is and what I anticipated these questions and not being the technologist but the guy that runs the company what I've instructed our tech team to do is to publish a quick paper on this which will post to the site and anyone who needs that information can certainly email me via the the task force I believe the mass mailers we get and then we'll direct you guys to the orl for that which should answer these questions and by all means if we don't answer your questions send them to us and we'll add them to the document great Jeff Schiller of MIT yeah yeah I'm Jeff Schiller from MIT and I'm on the TAB I was just gonna ask the more focused question which is so if I turn off JavaScript right I what actually happens with your product you'll disable the product at that point you will have defeated the product yeah but I'm saying is that it is it reported up to the to the customer that that this person has done something that's disabled the product it would be individual to our client depending on how deep they want it to go with a solution and obviously that would fall into the pricing model with how deep the integration would be thank you Teresa tells you are in please go ahead keep trying keep talking it's a great question anything could happen I would say the likelihood is very low because we don't rely on one single piece of data have often said at other forums I speak at among the same group that we like to look at five to seven at least five to seven different points of information to make a determination on whether or not we do what's called yellow light somebody in other words this is a potential bad guy right and that's if it's a common name if somebody had an uncommon name we would we would for the most part those are what we call red lights we look at other criteria very uncommon name with a with a specific DOB or zip code or age and that email address is one element we probably wouldn't even log the email we would red light the individual without logging any specific element because we would almost assume if if five points match and one is an anomaly we would almost toss out the anomaly great last question for the Helen Baker of AirSign sir question Philip well first let me say I think everyone agree I'm not relying on anything banks are doing these days but that was a setup right there very good he's set some up but you're a hundred percent right and it was something we looked at and this was a tool for the financial services community and as I said earlier I think what we're looking to do what Sentinels looking to do I don't want to speak for competitors and colleagues is aggregate as many good technologies and if this can solve 60 percent of a problem we can aggregate other technologies to address the remaining 40 percent and make no mistake where we never have illusions that we're addressing a hundred percent of anything it's just it's not it's not practical it's not feasible realistic or honest but if we can put best of great technologies as they exist today and I often say I wish I was having this conversation in 2058 because I probably have better solutions to deploy to protect kids but but I'm not so today in September still see a September of 2008 this this is what we find is market ready to be deployed and beta tested and and you know a year down the road the market may say hey this works but not well enough for enhancements may come to it but I agree with you and I would never would I ever use this a standalone solution no I wouldn't great John thank you very much appreciate it alright so our last presentation before lunch and lunch is now a free period I have the pleasure of announcing to you and there's you can see in fact the lunch that you're standing between them and over here to the right so we'll go for the the same 15 or 20 minutes or so and then and then take a break this has been verified for those who may have noted been verified was a slightly late submission but which we took into consideration all the same it's had this slightly different level of scrutiny but we're delighted they're here today thank you good afternoon my name is Josh leavey I'm the CEO and co-founder have been verified I'd like everybody to think back for a second to the old days of the internet when purchasing something online required you to take out your credit card and any information over and over again well along came PayPal and they solved all that right they made it really easy for you to share your credit card information and you only had to enter it once they also made it simple for you to purchase something on a website or even send money to an individual but the best thing that PayPal provided was the ability for both you and the website that you were making a payment for to be able to trust all parties within the transaction well today in the current internet environment we need the exact same service when it comes to exchanging identity information and that's what been verified does I'd like you to meet Janet Jones Janet Jones is the chief marketing officer had been verified she's also a former executive at Goldman Sachs she's a former Harvard Harvard alumni and in fact she has 17 other Harvard alumni that she's connected to but the problem with Janet Jones is that she doesn't exist and this problem is the same for Janet Jones as it is for hiring someone online as it is for dating and as it is for child-solving child safety the problem is it's a lack of identity it's impossible to know where someone went to school where they work how old they are or what their sec or what their criminal history is if they don't truly if we don't truly know who they are well been verified has a solution for that and first we'll talk about the five core principles of our technology and then we'll talk about why we've adopted this approach first it's entirely opt-in it's voluntary it's user-centric the individual chooses which information they'd like verified and then you as an individual can choose where who when and why we should share that information it's portable just like PayPal you only need to go through the verification process once and then you can share it wherever you want online and most importantly and we'll get back to this in a moment but incorporates best of breed verification technologies and also data sources and additionally it's really easy for any website or community implement our web service so why is it opt-in why does it have to be voluntary well if it's not we're going to have a similar process to what happened with the online gambling industry where network operators will simply go underground and it'll be impossible for us to regulate or moderate any of the social networks however in order to encourage opt-in we need to provide incentive to the users it has to be about them we need to empower the individual to use their personal information to get a job find love or access age restricted sections of a social networks and as we spoke about it needs to be portable it needs to work wherever they go online no one wants to go through these process over and over and over again and to talk about best of breed data the best solutions for finding sexual predators might not be the best solution for finding age verification and it also might not be the best technology for locating where somebody really went to school and what's important about that is to go back to the PayPal case study not only was PayPal successful because individuals just had to go through the process once but websites simply had to implement PayPal and program for PayPal once and then they got access to all the payment sources that they were accessing it's the same thing for been verified the programmers at MySpace do not want to program over and over and over again for every new technology the great technologies today are not going to be the great technologies tomorrow so when we look at the future of companies like been verified probably a bad time to put up the credit industry but when we look at when we look at the future of been verified it represents a lot of what the credit card industry looks like there's few strong players which leads to mass adoption and also usability but it also allows the government to have a hand in regulation and also oversight for the standards of what these companies are doing so how do we get there well first the networks need to offer and encourage user centric opt-in services then they need to pride the us the businesses what we're doing right and what we can do better the government needs to make information more accessible it's great that sex offender searches are free but it's highly prohibitive when somebody in the state of New York wants to prove that they're not a criminal online and has to pay fifty five dollars we need to educate first we need to educate individuals that they can prove who they are online but additionally they actually have the right to request that somebody else that they're interacting with someone who's going to be a nanny for their child or someone that they're going to work with that they can have them verified and they have the right to know who they are and additionally would like to thank John Palfrey the Attorney General Jessica Tatlock and everybody here because what we're doing here today is the most important part we need to collaborate and the spirit of collaboration tonight we're hosting a party for everyone here that wants to join us it's at the red line which is 59 JFK Street it'll be at 5 30 and it'll provide enough time for everybody come back for John Palfrey's event at 7 o'clock thank you thank you for two questions thanks so much all right do you want to answer Bartlett's question first since we know that's coming yeah I think it wants the question after Bartlett the obvious challenge for us is a marketing one how do we market to MySpace and Facebook and encourage them to adopt us because adopt our service because it's about adoption the challenge isn't on the technology side because we're simply a simple API hook for all the other websites to tie into all of these services so we have while we have to vet those technologies it's really about establishing ourselves as a brand name Teresa is your approach different from the other vendors that we've heard about in terms of the mechanisms that you use to do the age and identity verification great great question I think the first thing is that we're multi-factor so while we're not just an age verification tool we incorporate with that the best that you need to verify who somebody else we combine credit card verification with age verification with knowledge-based authentication and then also combine that with the credit report information as well so you're getting the best of all worlds by using our service and additionally we come partners for the exact services that we heard about short follow on sure great great question and it's really it's exactly like PayPal when you want to make a payment to somebody on a website that accepts PayPal you click the button you go over to PayPal's secure site for those that are technical we use the OAuth protocol which has been vetted it's used by Google MySpace as a way of authenticating and sharing personal information and once you provide the details on the been verified server you simply go back and we disclose the information as and it's encrypted and we disclose the information to the website so it's all done on our servers and exactly similar to the user follows PayPal Larry Mechit right and I think the great thing about about adopting an approach like this is that it allows for we just found out today that children could be verified so we can incorporate that once we vet that technology we can incorporate that into the service it's not tied into one methodology it's not tied into any methodology what might be great today might change maybe one day we adopt that national ideas it has to be flexible to allow for new technologies that do solve that exact solution that exact problem all right I'm gonna and do the follow-up and then go to the gentleman just behind you right I should I should clarify the opt-in is the individual has a choice it's not they don't get spied on but their choice is either to access the social network their child let's say Club Penguin the parent that has a choice whether they can opt in so that their child can access Club Penguin or they don't the end the the social network and the website is also able to opt-in or out of this service as well and they might each industry might have a different need depending on what their self-regulations are what the federal mandates are and I think we have to encourage parents and we're seeing with the identity theft that's going on people are taking a lot more ownership of the information that's available out there and this actually gives them the benefit they get to take control of their personal information and who what when and why it's shared one of the things I heard before is that how do you prevent somebody from just sharing these accounts well if a been verified account actually if we presume that it has value that it controls where you work and where you went to school people aren't just going to be distributing those so readily three more questions at least sir so right so the question you're saying is if a predator enters their real information into been verified right is that the question so if we run a sex offender search on them which we would do and we would use the best technologies whether it's sentinel or some other company that we vet and then it's okay if they have an account that says that they're a sex offender what's not okay is if club penguin doesn't allow somebody who has a sex offender listed on their account into there and access their system so once they're listed it once they're listed as a sex offender they wouldn't be able to access club penguin then they'd be able to access club penguin right now then it comes into and what happens is it needs to be flexible so that each industry or service can figure out what's best for their members and what the best workflow is for their members there's no we've spoken about there's one there's no one silver bullet well part of the problem with being with there being no one silver bullet is that every social network and service has a different audience that they're servicing so John Morris they need to handle their own user flows John Morris than Jeff Schmidt hi I just want to just make sure I understand your answer to Larry and Anne's questions on on identifying kids are validating because am I right that your company doesn't actually have a system to identify kids you would be relying on some some other service right so we that rely so I mean you don't have a magic way to connect some adult to some kid right the way to do it would be to link and I think the current quasi accepted standards to link a child to a parent but how how how would you link that so we would identity we would verify the identity through our process of multiple factor credit card verification age of an adult adult exactly we verify the identity of an adult and then what and then once we pass that identity to the social network they can trust who that adult actually really is and then handle how they want to handle linking a parent to a child okay so your company doesn't do any of the parent child exactly exactly it's left it's left to the network to decide the best way to understand what helpful clarification thank you jeff then benedita then lunch so all the solutions that we've talked about so far today seem to create somewhere in the hands of some private for-profit entity a database full of sensitive information about kids now my parent hat doesn't like that I'm having trouble kind of come into grips with that and it seems like we already have laws on the books like kappa that seem to protect the sensitive information about kids so I'm I'm confused yeah as I mentioned we don't verify children at the moment and we don't have plans to we might if federal regulations or or the business environment changes and and that we should or that there's actually data that says that we can't we you can't even register for our service if you're not over 18 but are you asking adults to provide information about their kids no we're currently not okay would anybody else would anybody else like benedita's question there is a gentleman who wants the question all right we've got it you won't get booed I promise by me aha what are you doing to the mic for the record here what we're really saying and as as you guys got over there is that really this is a start and one of the one of the benefits have been verified is that there's going to be a ton of education costs involved in this whole identity space so if we start now with the other kind of verifications and the technology evolves with the bright minds in this room to sort of answer the questions that we have on how do we identify children you know the the they'll be a start of an infrastructure and it sort of starts this way and I just want to clarify it thank you very much this thing been verified thank you