“If all of your computers were in Active Directory, there could be the means of restricting those options through Group Policy. But since we are a large district of up to 60,000 computers across our wide area network, and a majority of those are Macs, we would not able to push this policy,” Gutstadt said.
Although a school’s web filters can block access to HTTP sites delivered through an encrypted search, the service still presents many problems for schools.
“In many cases, the content that needs to be restricted can be viewed without leaving Google’s encrypted search,” said Rob Chambers, chief technology officer for Lightspeed Systems, a company that provides network security and internet content control services to roughly 2,000 school districts in the United States.
“One example of this is video and image searching. Image searching is not currently available; however, Google has said they will be adding it. Video searching is currently available. Encrypted searching for adult content that schools must restrict results in video thumbnails that otherwise would have been blocked. This will be even worse once image searching is enabled.”
Another problem is that CIPA requires schools to monitor and log all web activity, so they can provide adequate reports should a faculty member or student be found accessing inappropriate material, said Jerry Jones, director of computer, network, and telecommunications support for the Sacramento County Office of Education, which serves nearly 238,000 students.
“Our web filtering software logs all search requests on the standard Google web site,” Jones said. “This information is not used unless there is reasonable suspicion that someone is misusing the internet, after which we can perform a thorough search to determine whether the activity was permissible or a violation of our acceptable-use policy. The Google encrypted search encrypts all data sent to the Google search engine servers, preventing our web filter software from logging any of this activity—which prevents our agency from being fully CIPA compliant.”
Jones said that while the risk of losing e-Rate funding is bad enough, CIPA is in place mainly to protect student safety. He explained that if a school allowed encrypted search, safety consequences could arise.
For instance, “a child predator [who] has contact with students in an educational setting could theoretically search for child pornography without the IT staff ever knowing about it,” he said. “Since there are thousands of new web sites that are created daily, it would be impossible for our filter to have categorized all of them in order to block them before they show up in the Google search engine. … Worst of all, none of this activity would be recorded, and therefore it would be undetectable to IT or human resources staff who are responsible for monitoring the network usage of staff and students, putting our students at risk.”
With Google’s regular search engine, such search queries would be logged and reportable and would appear during a “suspicious search queries” report that runs nightly, Jones said. But with encrypted search, it is impossible to “see” what a person has been looking for, should he or she be charged with a crime or suspected of nefarious activity.
One possible solution for schools would be to block access to all HTTPS sites—but that would mean potentially blocking web sites used to purchase products for school use, sites that require encryption to protect login information, banking web sites, health-care sites, or any web system that legitimately needs to encrypt data because it contains users’ personal information.
Another solution would be to block HTTPS sites on the Google domain, and that’s what many schools have chosen to do. But that means other popular SSL-protected Google services used by schools—including Gmail and Google Docs for Education—no longer are accessible, either.
“Google’s encrypted implementation uses the same certificate information for encrypted Google searching as for Google Apps or Gmail,” said Lightspeed’s Chambers. “From the internet gateway, where CIPA-required content filters reside, this causes all of these sessions to look the same.”
He continued: “There are schools that had planned to implement Google Apps for their districts this summer that have now put these projects on hold until a resolution is in place. Many schools that were using Google Apps had to block access to these services soon after the encrypted site was released, which understandably is frustrating to many educators and students who had been relying on these services for lessons and projects.”
LaGace said several SDUSD schools “have begun to rely on Google Apps as a means to collaborate with students, parents, and the community. Google’s timing couldn’t be worse as we come upon the end of a school year.”