Last month, Google launched a beta of Secure Search, an implementation of its search engine that uses SSL to encrypt users’ searches to protect them from interception by third parties.  This past week, stories began hitting the net that school districts were cutting off access to many Google apps, including Google Apps for Education, because of claims that the new search tool violates CIPA.  The stories state that CIPA, the Children’s Internet Protection Act, requires schools receiving Federal E-rate funding to monitor and filter students’ internet access and block access to certain sites.  Because the new Secure Search prevents monitoring, the schools assert that it violates CIPA.   Since many Google apps share the same https://www.google.com domain as the Secure Search tool, blocking it blocks the apps as well.

It seems like there is some confusion about just what CIPA requires, so I’m posting the relevant information from the FCC’s CIPA Consumer Facts page here:

Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy that includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene, (b) child pornography, or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.

Schools subject to CIPA are required to adopt and enforce a policy to monitor online activities of minors.

Schools and libraries subject to CIPA are required to adopt and implement an Internet safety policy addressing: (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called “hacking,” and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) measures restricting minors’ access to materials harmful to them.

CIPA does not require the tracking of Internet use by minors or adults.

CIPA doesn’t actually mandate the way in which these requirements are met, that is left up to the individual schools and/or districts to determine.  CIPA also does not require the tracking of specific student’s internet usage (in fact, doing that may be a violation of other laws).  Google’s new Secure Search actually acts to protect the personal information of minors by preventing a third party from determining their search habits.  My understanding of this problem is that administrators are acting preemptively to block access to Secure Search before Google Image Search is added because it is feared that students will be able to use that to access thumbnails of pornographic images.

There is so much that I could say about this situation, that it’s actually been difficult for me to write this article.  Before I get too much farther in to this, I want to stress that I think schools do need to take steps to protect students, especially younger ones, while they are using the internet at school.  Having said that, I do have some serious concerns about how that protection is being implemented.  In my opinion, content blocking and filtering are not a good substitute for having a staff member physically present to monitor student computer use.

If you haven’t delved too deeply into this issue before, let me clarify the two primary methods of access restriction that CIPA mentions: blocking and filtering.  Content blocking is a method that denies access to a specific list of internet sites.  Because the internet is always expanding, these lists are periodically updated through subscriptions to a service, oftentimes, bundled with your firewall.  These lists are sometimes called “blacklists” because they only deny access to the sites they contain.  Any site not on the list is accessible.  The obvious failing of content blocking is the impossibility of including every inappropriate site on the blacklist.  There will always be some that are missed for whatever reason (which is why filtering exists).  The other failing is a subtle one, but I feel it is the most important.  Namely, who determines which sites are “inappropriate” and how is that determination reached?

Content filtering, on the other hand, doesn’t rely on a predetermined site blacklist.  Instead, it makes use of a list of keywords that are forbidden.  A filter scans the content of each page that is being requested and, if it detects one of the key words, it blocks access to that page.  As a basic example, consider the word “cat”.  If “cat” were in the filter’s list, this page would be blocked.  However, what if the word “catalogs” was not an inappropriate word?  This page would most likely still be blocked because the string “cat” is contained in “catalogs”.

I’m sure that you can see the negative educational implications for each of these methods.  Blocking may prevent access to valuable sites and getting those sites unblocked may require a great deal of effort on your part depending a specific schools’ policies.  Filtering can be extremely annoying to work with, most especially if partial word matching is enabled.  And the even sadder thing is, that many students have figured out ways around these blocks and filters.  I don’t want to go in to a great deal of detail on ways to defeat filters, but one very common way is through the use of an internet proxy.  A proxy is an unblocked site that acts like a middleman for content.  A request for a site is sent to the proxy, then the proxy accesses that page and serves it to the computer.  Because the connection is being made to an allowed site, that content is passed.  Of course, access to these proxies can be blocked, but that means another list (and some proxies are a bit more difficult to block than others) and more time spent.  Additionally, it’s not too hard to set up a proxy service, so more show up every day.  In other words, it’s an endless arms race between IT staff and students.

The best method to ensure students are making appropriate use of computer time is to have a staff member physically present and aware of student actions whenever students are using the computer.  This can be challenging, too, especially in large classes, and it also requires that the staff member is knowledgeable enough about computer security and the internet to tell when students’ actions are inappropriate (that’s another topic in itself).

My other concern with automated access restrictions is that it is an extrinsic motivator.  Students aren’t able to access inappropriate content because the blacklist or filter won’t let them.  The students are learning why those sites are inappropriate or why they may not mesh with a Christian worldview.  It’s as though a wall, hung with “Do Not Enter” signs was built around those sites.  If students don’t have an internalized motivation to not visit those sites, building a wall around them only increases their appeal.  Students are curious and forbidding them to go somewhere often only increases that curiosity.  Also, what happens when the students go home or go off to college and those artificial blocks are removed?  Now, the external motivator is gone and, if the students didn’t develop an internal motivation, nothing prevents them from access all of those inappropriate sites.

Obviously, this is a complex issue that demands discussion.  Hopefully, the high-profile of this incident will foster some.  Is internet access control an issue at your schools?  I love to hear your thoughts on it.