The growing trend for secure websites could mean your school’s web filtering set-up may no longer be meeting your needs and providing a safe online environment for your students. Lee Suckling investigates what’s changing and what you can do about it.
During the lifetime of most teachers, web filtering has changed substantially. When computers were first introduced into classrooms 20-odd years ago, filtering often involved simple ‘white’ and ‘black’ lists of websites that were permissible and restricted. As in-plain-sight desktops were switched out for laptops and, now, BYOD tablets and other personal devices, web filtering has become increasingly complex, as has the need for it.
Monitoring internet use on students’ own devices and preventing access to inappropriate material (such as pornography and hateful material) is a challenge internet security companies have been adapting to for years. Most recently, monitoring secure websites has proven problematic for web filtering.
N4L reports that 60 per cent of traffic on its Managed Network, used by almost 90 per cent of all New Zealand schools, is now to secure websites, in other words addresses that start with HTTPS rather than HTTP (the ‘S’ denoting ‘secure’). Today, all Google searches, most social networks (including Facebook, Instagram, Pinterest, and Twitter), and other popular websites like YouTube use HTTPS.
HTTPS exists to protect the data being sent, which is why it is used for private social accounts, banking websites, online shopping websites, etc. With traditional tools, secure sites can only be blocked in their entirety, meaning many useful sites with great educational content are blocked because inappropriate content within them cannot be identified. The alternative is to allow access to these sites, along with their inappropriate content. SSL certificates allow these sites to be used, while still ensuring any content deemed inappropriate by the school is filtered.
Meeting safety requirements
N4L expects the use of HTTPS to only increase in the future, meaning schools’ existing web filtering set-up may not be meeting the requirements to keep students safe online anymore – and may need to be reviewed, in accordance with your digital citizenship policy.
“Schools are responsible for keeping their students safe online,” said N4L’s Head of Marketing and Communications Andy Schick. “Parents want to know their children are learning in a safe online environment and the material they search for online and read online is not inappropriate.
“There are many inappropriate pages on Facebook, videos on Vimeo and YouTube … and they’re all sitting behind HTTPS security, and the only way to make sure kids can’t access them at school is by inspecting the HTTPS traffic, which involves installing trusted SSL certificates on devices on the Managed Network. If you don’t use SSL certificates in your internet safety solution, your students will be able to access much more inappropriate content. There is no two ways about it.”
Visibility and filtering of content on secure websites is now possible by installing digital SSL (Secure Sockets Layer) Certificates on internet-connected devices. N4L’s installation of certificates enables ‘Secure Website Inspection’, a specific feature designed to help ensure students’ online safety. In action, SSL certificates will help stop students from seeing inappropriate text, images and videos within any secure website, like YouTube and Vimeo, using keyword identification. Similarly, images within secure social networks (or other HTTPS websites) are blocked if the images have been flagged as inappropriate by other users, or they are accompanied by restricted keywords.
SSL certificates can be deployed for BYOD programmes via email, shared drives or cloud services such as Google Drive or Dropbox, on USB sticks, or automatically pushed out through a network policy.
“These certificates sit on the device invisibly, and have no performance impact. They take about a minute to install and can be done by teachers or students,” added Schick.
While SSL certificates can also be removed by a student (albeit with some difficulty), if a school’s managed network requires certificates, a student’s device would not be able to access HTTPS websites without one installed. Options exist, however, to waive the requirement for certificates on teacher devices.
It must be noted that SSL certificates only protect devices when connected to a school’s N4L Managed Network. When they go outside that network (for example, connecting to Wi-Fi at home) or go onto a mobile connection, there’s no filtering or monitoring.
Rights to privacy
But how does this impact students’ (and teachers’) right to privacy? According to NetSafe, under the Education Act 1989, “Teachers and authorised staff are not permitted to search a student’s digital device or online account for information, because doing so will breach students’ rights to privacy.”
For this reason, N4L allows schools to filter only the websites that need to be, leaving sites of particular sensitivity completely private, such as banking, health and government sites. It is always the school’s responsibility to ensure their setup matches their school internet usage policy. N4L’s web filtering solution contains detailed audit trails and role-based access controls to ensure only trusted staff have access to reports, and detailed reporting functionality is not misused.
While N4L’s product is supported by the Government (N4L is Crown-owned), there is no requirement for schools to use it. Other companies, such as Fortinet, offer similar SSL certificate solutions alongside next-generation firewall products, like FortiGate. “Fortinet products provide real-time visibility of web browsing traffic,” said Tracey Robert, Marketing Manager, Fortinet. “Detailed logs can also be viewed on full URL, search keywords and content which can be used to identify inappropriate activity.”
What about people’s concerns over privacy?
“Access to the logs is controlled via role-based access. We have not had any school raise concerns with regards to the monitoring or logging/storage of a student’s activity. To draw an analogy, this is no different to an ISP who has information on which websites you’ve been.”
Not all companies are on board with the SSL certificate approach.
Globally, this use of certificates is known as a ‘man-in-the-middle’ attack, which, in the age of internet spying by governments and corporations, is problematic.
“We are against inspecting SSL content,” said Scott Noakes, CEO of Linewize, which uses an application layer filtering approach. “Linewize offers filtering of HTTPS websites and applications without the need to install these certificates. Instead, we provide schools with clear visibility over student internet use, identifying students using bullying apps, such as Yik Yak, or those spending disproportionate time on mental health sites. This visibility enables schools to fulfil their duty of care through guiding and protecting students.”
Safe digital environment
On behalf of the Ministry of Education, the Connected Learning Advisory provides advice to schools as they make decisions around filtering online content, and positions advice in the context of “effective curriculum design and learning”.
“The Advisory provides guidance to help schools select the best solution for web filtering in their context, as well as offering a checklist of requirements to help make their decision making more straightforward,” explained Senior Advisor Karen Melhuish Spencer. “Broadly, we’re available to help all New Zealand schools understand that they have a responsibility to maintain a safe digital environment for their students.”
To determine the appropriate solution for your school, the Advisory suggests:
- Involve stakeholders in your school/community before making a decision regarding inspecting and filtering secure traffic;
- Liaise with them about the possible implementation of inspecting and filtering secure web traffic;
- Be informed. There are many concerns, myths and misconceptions about security and privacy when using the internet, so it is important to understand the implications of sticking with your current solution or implementing a new one;
- Be mindful that a technology solution, such as secure web inspection and filtering, is only a small part of an effective overall strategy to help create the kind of digital experience that you want for your students. There are no quick fixes; and
- Filtering must be balanced with strategies that promote: development of skills and knowledge for safe and responsible use of digital technology; opportunities for students to be involved in decisions about the management of digital technology; development of a pro-social culture of digital technology use; and cooperation of the whole community in preventing and responding to incidents.
Positive and safe use
Schools have a duty to protect students – and face the challenge of how to achieve that. Whatever option you choose, however, perhaps the most important factor is the user. Digital citizenship education remains paramount, according to NetSafe’s Neil Melhuish.
“Control over internet content is certainly important but monitoring and protection software is only part of the bigger picture. If you restrict kids on one device, they’ll just go to another device you don’t have control over, like their phones.
“Schools are responsible for promoting and ensuring positive and safe use of the internet. That means taking into account the culture of use, bullying, the skill levels of staff, and genuine engagement in how technology is used. You could be using the most sophisticated protection software but not necessarily providing or promoting the skills required for safe internet use.”
“Our guidance for a ‘bigger picture’ solution is a combination of prevention and protection.”
HTTP vs HTTPS
HTTP stands for Hypertext Transfer Protocol. Some web addresses start with ‘http’ and others with ‘https’. What’s the difference? Those that start with ‘http’ are open and subject to the standard keyword filters most schools have as part of their web filtering setup. You can set rules to manage access to these sites, as well as what content on the sites is visible, and what is blocked. Websites that start with ‘https’ are different. They’re called secure websites and they use what are known as ‘secure protocols’. This means they’re not able to be filtered using standard rules and policies, potentially exposing students and staff to inappropriate content.
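For technical staff, the difference can be modelled in a few lines. The following is an added illustration, not code from N4L or any vendor named in this article: it shows what a filter on the network can read for an HTTP request, an HTTPS request without inspection, an HTTPS request with inspection, and a site the school has chosen to keep private. All host names, keywords and function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# All names and values below are constructed for illustration.
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_KEYWORDS = {"blockedterm"}
PRIVATE_HOSTS = {"bank.example", "health.example"}  # never inspected


@dataclass
class Visible:
    host: str
    path: Optional[str]  # None means encrypted: the filter cannot read it
    body: Optional[str]


def observe(url: str, body: str, inspection: bool) -> Visible:
    """Return what a filter on the network can read for one request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    encrypted = parts.scheme == "https"
    # HTTPS hides the path and content; the hostname normally stays visible.
    # Inspection only applies when enabled and the site is not kept private.
    if encrypted and (not inspection or host in PRIVATE_HOSTS):
        return Visible(host, None, None)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return Visible(host, path, body)


def decide(seen: Visible) -> str:
    """Apply the host blacklist, then keyword rules where content is visible."""
    if seen.host in BLOCKED_HOSTS:
        return "block-site"
    if seen.path is None:
        return "allow-unseen"  # all-or-nothing: no content to match keywords on
    text = (seen.path + " " + (seen.body or "")).lower()
    if any(word in text for word in BLOCKED_KEYWORDS):
        return "block-page"
    return "allow"


def verdict(url: str, body: str = "", inspection: bool = False) -> str:
    return decide(observe(url, body, inspection))


if __name__ == "__main__":
    url = "https://video.example/watch?q=blockedterm"
    print(verdict(url), verdict(url, inspection=True))
```

The "allow-unseen" result is the gap the article describes: without inspection the only choices for a secure site are to block the whole host or let everything through.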