This means that inquisitive 12-year-olds who visit NBCNews.com to learn about current events would be, by default, misrepresenting their ages. Again, this could be criminal under the DOJ's interpretation of the CFAA.

We’d like to say that we’re being facetious, but, unfortunately, the Justice Department has already demonstrated its willingness to pursue CFAA to absurd extremes. Luckily, the Ninth Circuit rejected the government’s arguments, concluding that, under such an ruling, millions of unsuspecting citizens would suddenly find themselves on the wrong side of the law. As Judge Alex Kozinski so aptly wrote: "Under the government’s proposed interpretation of the CFAA...describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit."

And it’s no excuse to say that the vast majority of these cases will never be prosecuted. As the Ninth Circuit explained, “Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Instead of pursuing only suspects of actual crimes, it opens the door for prosecutors to go after people because the government doesn’t like them.

Unfortunately, there’s no sign the Justice Department has given up on this interpretation outside the Ninth and Fourth Circuits, which is why the Professor Tim Wu in the New Yorker recently called the CFAA “the most outrageous criminal law you’ve never heard of.”

...we are concerned that the updated definition of when a website is “directed to children” could expand COPPA's reach to general audience sites and confuse website owners as to whether these new rules apply to them. This uncertainty will likely prompt more sites to take advantage of the Commission’s new age-screening safe harbor, which could lead to many more sites demanding age or identifying information from all users before allowing access. Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally. The new rule's uncertainty is magnified for third party plug-in operators, who may now be liable for the decisions of publishers to embed their plug-in on sites directed to children

To start, by deeming persistent identifiers as personal information per se, the FTC's new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.

Further, as Commissioner Ohlhausen's dissent notes, the COPPA statute does not allow the FTC to impose liability on sites that do not collect children's information merely because the operator may somehow benefit from an ad network or plug-in operator collecting information—provided the third party neither targets children nor shares information with the site operator.

If a third party becomes liable once a single employee "recognizes the child-directed nature" of a website—whatever that means—COPPA will become the worst kind of notice-and-takedown system: Would a single complaint—or tweet—from a parent or activist group create "knowledge?" Faced with the impossible task of predicting how the FTC might characterize each of the millions of sites on which ads or plug-ins might appear, operators will have to try to block advertising or plug-ins on sites that appears to be child-oriented. If they can't do that effectively, this potential liability may effectively kill behavioral advertising on any site that can't prove it isn't child-oriented—in other words, on small sites.

Thus, COPPA will now impact adult sites, denying publishers revenue and adult users the functionality that is increasingly provided by embeds. Thus, the FTC invites not only a statutory challenge but also a constitutional challenge similar to that which led the Child Online Protection Act (COPA) to be struck down.

Yesterday, the U.S. Federal Trade Commission (the FTC) promulgated new rules (effectively July 1, 2013) interpreting the Children’s Online Privacy Protection Act (COPPA), and the new rules are a real mess. They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

The FTC wanted to crack down on these COPPA workarounds, but in typical FTC fashion, it did so in a ham-fisted and marble-mouthed way.

The FTC plans to put COPPA obligations on plugin developers if they “know or have reason to know” that their plugin has been installed on a children’s site. “Plugins” include analytics providers, advertising networks, social media plugins, embedded videos, or anyone else who provides third-party code for websites. Under the FTC's proposed change, if plugin developers receive a user’s IP address through a plugin that’s been installed on a children’s site, they could face legal liability for collecting children’s personal information.

It’s unclear how a plugin or platform like Twitter is supposed to “know or have reason to know” that someone has cut and pasted a line of their code into a children’s site. The FTC says that plugin developers “will not be free to ignore credible information brought to their attention.” But the FTC doesn’t say what counts as “credible.” Would developers have to assume every random e-mail is a credible tip that could saddle them with legal liability? Even if the FTC did provide clarity, though, it would still be extraordinarily burdensome to place legal obligations on plugin developers based on the actions of others.

Things get worse with the FTC’s second major proposal: expanding the scope of sites deemed “directed to children” from sites aimed primarily at a very young audience to include sites and services that are “likely to attract an audience that includes a disproportionately large percentage of children under 13 as compared to the percentage of such children in the general population.”

This convoluted standard raises a number of serious issues. Not only is it difficult for site operators to gauge what proportions of their audience fall into arbitrary age buckets, but the FTC also gives operators no sense of what it means for an audience to be “disproportionately” composed of children in comparison to the general population. If a site’s audience is 20 percent children, is it disproportionately composed of children? What about at 30 percent? It’s not clear from the language, and it won’t be clear to website operators trying to run their sites while staying within the bounds of the law.

I asked Mamie Kresses, senior attorney for the FTC’s Division of Advertising Practices, whether there had been any study about how truthful children are reporting their ages online. They have no such research, she said. I asked whether the FTC had any data about how often parents use the means of notice and consent COPPA provides. None, she said.

The most disturbing unintended consequence of the regulation, I think, is the chill it likely puts on serving children online. In the early days of the web, I started the Yuckiest Site on the Internet — about goo, bugs, and science — to serve young readers at the local news sites I ran. After COPPA, my employer decided the risk in serving young people and even inadvertently recording a child’s name or targeting an ad was too great.

We don’t know how many sites have not been started to serve children online. Isn’t this the group we should be serving best? I asked Kresses whether the FTC had done research on the extent of a chill. No, she said.

Finally, I asked whether the FTC had revisited the reasons for COPPA. What harm are we trying to prevent by restricting identity online — and is it effective? She responded with circular logic: They are giving parents the opportunity of notice and consent regarding children’s information.

Children need to play online, too. They should create and get credit for their creativity. They should be able to establish a relationship with an educational site where they can track their own progress. Technology and the net don’t just present danger; they afford opportunity. But by focusing only on the former, we can risk losing sight of the latter.

"In its tear-jerker 'Dear Sophie' Google Chrome ad, a father creates a Gmail account (dear.sophie.lee@gmail.com) for his just-born daughter to preserve memories of her childhood. So, how does that work out in real life? Not so good, at least in the case of 10-year-old Alex Sutherland, who the WSJ reports was reduced to tears after being notified that the Gmail account his father created on his behalf two years earlier would be deleted because the Google+ Profile Alex created triggered a Google Terms of Service age violation. 'You made my son cry, Google,' wrote blogger Martin Sutherland. 'I'm not inclined to forgive that.' Not to pile on, but Alex may also be persona non grata at Khan Academy, where learning under the age of 13 can also constitute a TOS violation."