Perhaps nowhere in K-12 education are decisions about network security more important than in the day-to-day activities of schools’ technology administrators–the ed-tech specialists who work on the front lines, supporting and protecting not only their school districts’ networks, but also the administrators, teachers, and students who engage the digital world.
What do experienced leaders in this expanding and increasingly sophisticated segment of the education profession most want to communicate to their colleagues and the public about ed-tech security? For answers, eSchool News spoke recently with two ed-tech officials–Lloyd Brown, director of technology for the Henrico County Public Schools in Virginia, and James Culbert, a network security analyst for the Duval County Public Schools in Florida. Their districts provide thousands of students with laptop computers for educational use at school and at home.
Joining Brown and Culbert was Paul Myer, president and chief operating officer of 8e6 Technologies, a California-based provider of products for internet filtering, monitoring, and reporting. Robert L. Jacobson, senior editor of eSchool News, moderated the discussion. Following are edited portions of the transcript.
eSN: What you would identify as the most important internet security issues in schools today?
Myer: The biggest trend we’ve seen over the last year has been tracking behavior online, rather than just filtering it. Filtering is just the first step, and everybody needs to filter. But the shift we’ve seen is that school districts are a lot more interested now in tracking what people are doing and why, so they can plug holes in their policies and address the issues–whether it’s students going to social-networking sites, or online predators, or open-source proxies. People just don’t know what they don’t know, so the ability to track exactly what’s happening on the network is something that the enterprise has been concerned about for some time, and now education is taking the same tack.
Culbert: I agree. Within the last year, we have been concerned about authenticating our users and not permitting broad-based, anonymous internet access to our networks. We saw that it really didn’t matter how much bandwidth we gave to high schools or middle schools. Students were simply going to use every bit of available bandwidth to surf the web. And we found that kids were not always going to sites that we had spent the money and the effort to make available. And it wasn’t just inappropriate stuff that was the problem. It was stuff that was completely off task, with no real educational benefit.
So we added the authentication piece in our middle and high schools. We require all students, and all staff, to log on with unique user names and passwords, and to acknowledge our acceptable-use policy. They’re notified every time they log on that their activity is monitored. And that has really caused the kids to move away from not just the inappropriate sites, but also the non-educational sites, and into more of the substance that we’re interested in for them. So we have made the students accountable for their actions, and we’ve seen great results.
Brown: We have to try to make sure that students are using the tools for instruction, and not for all the other stuff. The internet can be a huge distraction. So having reports and procedures and technical solutions for what students are doing is great. But we also have to make sure that our teachers are on board. Teachers should not be saying to students, "Here’s a free-for-all–go." When you get that kind of thing, I don’t know that you would have enough filtering to stop it.
Surfing by proxy
eSN: As you know, schools have been focusing more lately on the use of anonymous proxies. What’s that about?
Brown: We have seen a big increase in the last year in students accessing proxy servers to get around the filtering system and get to inappropriate sites. It’s important for schools to track that to keep students and teachers on course with what your public money is giving you–the laptop and the internet–and to help them focus on the curriculum.
Culbert: We’ve also seen a real increase in proxies, especially this last school year. Creating proxies used to be pretty technical, and you had to have people who really knew what they were doing to set up a proxy at home. But now, it’s just a simple executable that kids can run at the house, then copy their IP address, take it to school, and–boom–they’re proxying through their box at home and surfing wherever they want to go. And we can’t monitor that activity.
So the simplicity has caused a huge jump in proxying. I guess it’s also the kids’ undying need to get to these social-interaction web sites like MySpace and Facebook. So what we have done for the last six months or so is turn all the proxy stuff on. First, we’re blocking the proxy sites themselves, even when they’re set up at home. Then, the system monitors people trying to access the proxies and it automatically throws them off the internet for a set period of time.
eSN: So the context here is that school systems are saying to the kids, "Here’s a laptop you can use in school and at home, but you can use it only on our terms." Can you comment on the responsibilities of the school board, the central administration, and the IT people in creating these policies to control how students use computers?
Culbert: It’s the technology division’s responsibility to enforce the policy that’s been set by the school board. We have an acceptable-use policy and a student code of conduct that dictates what can and cannot be done on our network with our equipment.
Brown: I agree that the board sets the policy, and then the technology department supports it. But it’s also our technology department’s role to educate our board about what the kids are doing so it can make that policy, so we try to steer the policy in the right direction. Because you can’t block everything. If the board decides to block everything, then the computer just becomes a paperweight.
eSN: So how are these decisions made? How do you and your school districts shape the policy so it’s clear up and down the line what’s permissible, what’s not, and what you’re monitoring?
Brown: We take input throughout the whole school year on our policy, as well as on our code of conduct for our students. We see how many infractions we had throughout the year, what the kids were doing. Then I make modifications to the acceptable-use policy, the code of conduct, and the staff acceptable-use policy, and I turn that in to our board before the end of June.
eSN: What sort of modifications have you made?
Brown: The last one I did was on using proxy servers–telling students that that is something they’re not allowed to do and is against our policy. We made sure there’s a line in there, so that when principals do have students who are breaking those rules, they have an area where they can code it to say what the rule was.
Privacy vs. security
eSN: Some folks say that monitoring internet activity reminds them of "Big Brother." What do you see as the tradeoffs between protecting students and the educational process, and perhaps imposing standards on some kids whose parents might have a different point of view?
Culbert: In the cases we deal with, there’s not anybody in the public who would feel that we’re infringing on somebody’s rights. For example, if someone employed by the school district is purposely, repeatedly, and with intent going out and looking at inappropriate images of underage kids, I don’t think anybody is going to stand up and defend that person. Many parents do expect that if you’re going to have the internet, then you’re going to have to have some type of content filter. But you’ve got to back that up with some reporting and monitoring. There is some responsibility that goes along with having the internet available to all your students on the network. If the kids are doing the wrong thing, we report them, they get suspended for three days, and there’s a parent-teacher conference. That goes like a wave through a school, and the kids realize that there’s accountability. But you have to be very cautious, when you have these monitoring programs and investigate an individual, that you’re positive that it’s not a case of accidental access but involved the complete intent of the person to view prohibited images or web sites. That’s very important to us.
eSN: How do you determine intent?
Brown: We do a lot of investigations. That’s not our profession, but we do know how to track the computer and the footprints that the computer leaves. Technology folks have to know how to troubleshoot and to track. We can’t track it to the fingertips that were typing and searching the web, but we can track it to the actual computer that was assigned to the child or the adult.
Culbert: It’s personal responsibility. If you give someone your user name and password, and they go out and surf the internet and do something inappropriate, well, it may be a hard lesson for you to learn, but you may have some disciplinary action brought against you just for that. Sharing user names and passwords is something that’s prohibited in our code of conduct and our acceptable-use policy.
But handling policy from the top down also is critical. We didn’t receive support for our monitoring and reporting policy until we presented detailed reports showing what our users were accessing or attempting to access. The vast majority of our users do not use the internet to access inappropriate material. But if they do, we report them and they are punished–and the word gets around quickly. Trained staff is essential, too, so you don’t report someone who reached inappropriate sites accidentally. We always look for intent–for words used in various search engines, for whether the user clicked on the images, over how many days the activity took place.
eSN: What else do you do?
Culbert: We search internet history with a number of different tools. We look for search terms that were used inside Google or Yahoo, or images, because those are things you just can’t get away from. I mean, you’re not going to be able to sit here tell me that you accidentally got a web page after you typed in "naked lesbians." I mean, that’s intent. But all reports go to the principals, and obviously, they’re the final judge of whether disciplinary action is going to be taken.
Brown: You’re looking at people who show a pattern. Usually, if you have a student or an adult who’s got the intent–they’ve typed something in more than, you know, 10, 15, 20 times, then you’re sitting there, going, "OK, something’s not right. What is it?" Then you start investigating that and narrow it down. But you wouldn’t go after someone who maybe did it just one or two times.
Doing a lot–with limited resources
eSN: Is all this monitoring and tracking a realistic task for relatively small IT departments to handle? And how expensive is it to do it right? Do school districts have sufficient funds and personnel to do the job?
Brown: On my staff, I’ve got four people out of 84 employees for whom that is their core job description, although it’s not all they do. We oversee 31,000 laptops and 18,000 desktops. And there’s a lot more stuff out there than just the laptops, such as DVD players and VCRs. So we do need to draw a fine line and try to enforce those things that are in our policy and our code of conduct.
Myer: Our school systems are being asked to do a lot on a small budget. And ultimately, it’s the parents and the community that are going to hold them responsible for the content at that school. The PTA, the parents, everybody just wants the kids to be focused on using technology and getting the best educational content out of it–without being distracted by social-networking sites, and certainly not harmful sites. They’ve got a big job to do, and we’ve got to be able to build them products they can deploy quickly and easily, and that will give them a handle on what’s happening on their networks.
eSN: So how do you respond if a school system that hasn’t fully tackled this yet comes to your company and says, "OK, we don’t have a lot of money. What are the priorities, and what can you offer?"
Myer: The basic filter itself is really the starting point and includes a subscription. Essentially, depending on the size of the network–and a small network is relatively more expensive to filter than a larger one–you’ve got to budget at least $3 to $5 per computer, per year, for the basic filtering.
Brown: You also have to budget some man hours into that. If you’re a small school system, you probably have to have consulting fees in there, too. And if you’re a large school district, you may have to expand some job descriptions. But in small systems, you’re going to have consulting fees, which can be $50 to $120 an hour.
eSN: You mentioned that you have four people working on this. Is that adequate for your purposes, or would you like to, say, double or triple the number?
Brown: No, I wouldn’t double or triple it. But I would probably add two people to it, and that way I’d know I could do a little more on keeping the policy and filters up to date and everything working smoothly.
eSN: Let’s return to the issue of how much a school system needs to do, and what the consequences of monitoring might be. To take the devil’s-advocate position, we’d ask if you think all this electronic oversight could limit what inquisitive, creative kids might want to do on the web, as opposed to making sure that they don’t wander off base?
Culbert: There’s a huge responsibility when you bring the internet into a school district. Somebody has to be pretty aggressive in looking at the material in the sites the kids are accessing. So I think it’s very basic: You have to have a content filter in place that meets the minimum requirements of CIPA [the Children’s Internet Protection Act]. And you have to back that up with reporting and monitoring of activity on your network, by students and staff. One way our school board views it is: What’s the cost of getting sued if you have an employee who may have been accessing inappropriate material for a long period of time, your content filter was picking it up and logging it, but nobody was bothering to check? So there are some legal aspects there, too, and the board sees it as a cost-avoidance thing: Let’s monitor what’s going on on our networks, let’s stop the kids from accessing the inappropriate material, let’s get rid of the employees who are making poor decisions–and in the long run, the board thinks it’s going to save some money.
Brown: We’re in a new world today, with a lot of students who have been growing up with the internet, unlike their parents and grandparents. So we need to be educating the adults, too, to help them understand the good and the bad of the internet, and to become more familiar with it–so that, when they do find their children in certain areas, they know how to get them out or know what to do.
Culbert: And that’s a very difficult thing to do sometimes. We’ve tried to host these meetings where you try to get the parents in. We had one at a middle school and only two people showed up–the principal and one other staff member. No parents came. Sometimes it seems that when kids hit middle school, their parents float off into someplace else. They’re no longer as involved with the kids and the school. And very often, when you talk to parents, they think it’s the school district’s responsibility to filter everything. But even when you can prove that the kid was actively out there, searching and searching for this inappropriate stuff, there is no product in the world that is going to prevent a very smart middle-schooler with a lot of time on his hands from finding some inappropriate material.
Brown: Another big thing now is spam coming around again with another wave. I don’t feel that, in the school system, we’re ever going to win the battle of trying to keep everything out of our networks. So we have to figure out a way to continue doing the education part of it, as well as making the necessary adjustments on a daily, weekly, monthly, and yearly basis.
Keeping one step ahead
eSN: Do you feel right now that you’re ahead of the game?
Brown: I feel we’re ahead of the game, but I don’t think we’re going to finish it without getting the federal government involved, and a lot of people don’t like talking about that. … We all have to work together and try to come up with a way to start tagging inappropriate material a little more easily, so companies like 8e6 can do a better job in helping us.
Culbert: Another issue that bothers me is the industry’s unwillingness to regulate itself. I agree with Lloyd that images or sites should be tagged so filters can easily identify them as inappropriate for minors. I’m not advocating the censoring of the internet. But when a third-grade student can type the word "doggy" into a major search engine and a top result refers to sexual positions, you know you have a problem. I would love to talk to the person who can defend that.
eSN: With the growth of mobile computing and other new technology, where do you think we’ll be a few years down the road, in terms of new capabilities to circumvent the controls?
Culbert: We’ve added wording into our code of conduct this year that strictly prohibits any student from using any device to access the internet from outside our network. Students aren’t allowed to have mobile phones visible in school. The same thing applies to any type of PDA device that can reach the internet, and to students who bring their laptops in. They can’t have wireless access cards for the internet. But this comes down to classroom management. It’s not something that we can monitor at the district level.
Brown: I would agree. The issues we were running into three years ago are not the same ones we’re running into today. And three years from now, we’re going to have totally different issues, because the technology is going to change and there is going to be more opportunity for our students and teachers to do either good or bad with the features that come out.
Myer: 8e6 has been in business for 12 years, and I’ve been at it for five. Five years ago we were selling to the football coach, who handled the network part-time. Today, we have people with a deep knowledge of IT and forensics and security, and these people just didn’t exist in education five, six, seven years ago.
To really prepare students to function in today’s world, you’ve got to use all the tools at your disposal. That being said, you simply can’t bring technology into the classroom unless, from a policy perspective, you deal with the PTA, with the district administration. You’ve got to get the buy-in from the administration before you get too far into the technology–to set policy so that you know what you’re dealing with. Then, it’s simply a matter of budgeting sufficient resources to regulate and monitor and to keep those kids in a safe learning environment.
Our responsibility as a company is to listen to guys like Jim and Lloyd. Our service is a moving target. The threats and the challenges we faced two years ago are very different than the ones we face today. That’s why we have to have updates to our product every single day, so we can stay in front of the curve. Because these kids are smart, they understand technology, and they’ve got time on their hands, so they’re going to try to find ways to get around the system. We just have to keep a step ahead of them.
Editor’s note: Readers are invited to submit comments on this discussion. Please send your eMail to firstname.lastname@example.org.
Henrico County Public Schools
Duval County Public Schools
Children’s Internet Protection Act