It wasn't long ago that alarmed parents had to force administrators in a Northern California school to stop tagging their children with RFID-embedded IDs. The IDs, placards that hung from the neck with the childrens' names emblazened on the front, would also have allowed anyone with a compatible scanner to secretly gather additional personal details. That's right -- anyone could pick up this information, even potentially a sexual predator. The school's rationale? The placards would help with taking attendance and "improve school safety."

Now, as Edward Felten reports, the state of Michigan has created an email registry that's supposed to stop your child from receiving harmful email -- that is, spam for products that kids aren't allowed to buy or be exposed to, like pornography or alcohol. Only what it really does is help spammers and online predators determine whether your child is indeed a child (emphasis, mine):

What [should bother Michigan] is the possibility that unscrupulous emailers will use the list as a source of addresses to target with spam. In the worst case, signing up for the list could make your spam problem worse, not better.

The Michigan system doesn't just give the list to emailers — that would be a disaster — but instead provides a service that allows emailers to upload their mailing lists to a state-run server that sends the list back after removing any registered addresses. (Emailers who are sufficiently trusted by the state can apparently get a list of hashed addresses, allowing them to scrub their own lists.)

The problem is that an emailer can compare his initial list against the scrubbed version. Any address that is on the former but not the latter must be the address of a registered kid. By this trick the emailer can build a list of kids' email addresses. The state may outlaw this, but it seems hard to stop it from happening, especially because the state appears to require emailers everywhere in the world to scrub their lists.

If I lived in Michigan, I wouldn't register my kid's address.

Most of the media coverage of the Michigan registry appears positive, with only a few articles including a short note of caution -- for example, the single sentence, "Some Internet safety experts have said anti-spam laws have been difficult to enforce and others worry the lists will give hackers a way to get access to a large database of children."

It's not enough. If you care about childrens' safety, we encourage you to pass this post along and explain to parents that voluntarily contributing to a database that identifies children on the Internet is a bad idea.

We'll shortly have more on the law behind the registry and related developments; stay tuned.

Update (July 13): Professor Felten has published a follow-up post with additional information on how the registry works -- in particular, exploring how charging emailers a fee to screen addresses against the list affects the registry's function.

Related Issues