CDA II witness: Credit cards useless

PHILADELPHIA -- Think you can ensure the visitors to your Web site are over 18 by collecting their credit card numbers? Think again, said the last witness for the plaintiffs in the Child Online Protection Act trial Thursday.

Dan Farmer, the head of computer security at Internet service provider EarthLink, testified that there is no technologically-foolproof way to check the ages of Web site visitors, including the credit card verification scheme promoted by the U.S. Department of Justice in the lawsuit over enforcement of the COPA law.

A call for age verification
The law, passed in October as part of an omnibus federal spending bill, would make it a crime for commercial Web sites to publish material deemed "harmful to minors" without first verifying site visitors' ages.

The EarthLink official also noted that while many companies issue "adult identifiers," or software tools for use to gain access to adult-oriented Web sites, no standards now exist to say who can issue such identifiers.

The credit card issue is vital to the government's contention that the law, which remains suspended under a preliminary injunction issued in November, should be reinstated. U.S. District Court Judge Lowell Reed Jr., the same judge who approved the November injunction, is to decide by Feb. 1 on whether to grant a American Civil Liberties Union-led coalition's bid to extend the ban.

If the ACLU coalition loses this round, the law goes into effect Feb. 1. But if the coalition (which includes ZDNet and a number of other online publishers) wins, the government is likely to appeal, and a subsequent trial on a permanent injunction could follow, ACLU attorneys said.

A privacy nightmare?
Under questioning from ACLU attorney Ann Beeson, Farmer testified Thursday that COPA's requirement that sites offering content deemed "harmful to minors" collect credit card numbers from all visitors could turn into a privacy nightmare.

The vast majority of commercial Web sites don't employ adequate security when collecting such information, he said.

"I've tested these systems, and three out of four of them are insecure," Farmer said. With the right technical knowledge, "You can intercept credit card numbers as they're transmitted. You can do anything you want -- you are God on that machine," he said.

Farmer's testimony came at the end of the second day of contention in the COPA trial, both in the courtroom and behind the scenes, as news organizations sued to gain access to an expected closed hearing on some sensitive financial data.

On Friday, the government will get to call its witnesses. They are expected to include Brian Blonder, a partner in the financial advisory services group at PriceWaterhouseCoopers, Brigham Young University computer science professor Dan Olsen Jr., and Laith Alsaraff, CEO of Cybernet Ventures Inc., a company that produces "adult identifiers."

Blonder is expected to testify about the plaintiffs' claims that COPA would ruin their business models, and he is the witness who sparked the tussling over whether a portion of the hearing should take place behind closed doors. Judge Reed is expected to rule on whether to allow the closed-door hearing Friday after consulting with the attorney for the news organizations who filed suit earlier Thursday.