Chapter 5 |
5 Security and ethicsThe issuesThe Internet gives access to people and to unimaginable amounts of valuable material. It allows anyone to publish their opinions and promote their ideas. As another mass medium, the Internet has great potential to inform, entertain and create wealth. But like many essential technologies – for instance, the telephone, which can be used for all kinds of villainy – there is a downside. In any system where people communicate, you can expect to find every kind of human thought expressed. And in a system where trade takes place, you would expect no less dubious activity than elsewhere. If you know where to look, you will find people explaining how to make drugs and bombs, or how to commit suicide or pirate credit cards. You may find people asserting extremist views, trading pornography and offering a get-rich-quick scheme. You may not yourself find evidence of theft, fraud and terrorist plots, but you can imagine that it is possible for them to be organised over the Internet. Alarming as they are, these eventualities are not necessarily reasons for avoiding the Internet. First, you can take measures to make the Internet a safer place. You can protect the people using it by employing various ways of preventing exposure to undesirable materials. Second, though the Internet may be new and difficult to police, the authorities could deal with illegal activities or introduce new laws. Third, the Internet will become so much a part of life that parents and those who are in loco parentis will need to encourage young people to use it responsibly. How can the Internet be harmful?· People may be exposed to unwelcome nudity, pornography, bad language, and antisocial material. The millions of Web pages typify a cross-section of human life. A tiny percentage contain such things as sexually explicit images, vulgar language, or incitements to racial hatred. The most innocent searches, such as one for ‘CD-Rom’ produces a list of places with pornographic CD-Roms for sale. · Copyright is easy to infringe. Ever since the first home computers, people have traded copies of games and other software. Now with the Internet, there is a particularly convenient way of illegally obtaining and distributing not just software but all kinds of material. Learners and teachers may innocently take words, a poem, a picture of pop star or the lyrics of song from a Web page and use them in worksheets or project work, or publish them on a school’s Internet area. In most cases they are breaking copyright law, even if doing so carries little social stigma and prosecution is unlikely. · The Internet is a source of computer viruses. Files on the Internet can carry viruses which can infect machines and damage files and functionality. · People can receive unsavoury e-mail and ‘meet’ unsavoury people. Children have received e-mail from a paedophile masquerading as a child – paedophiles can obtain names by scanning the school Web site. Learners have used e-mail to send insulting messages to each other or extract money from other learners. In a school where students knew each other’s passwords, the offending mail was found to come from students who had supposedly been absent. In another, students were caught selling passwords. In places where learners share a mailbox or mail is sent anonymously, it has been difficult to identify the culprit. These are new manifestations of age-old bullying, defrauding and harassing. · People can ‘break into’ other computers. The Internet is a way into computer networks. It enables people without authorisation to connect to, say, a school network and cause at best mischief or at worst damage. When anyone uses school or college facilities to do this and the story hits the newspapers, the PR disaster and embarrassment can be acute. Controlling the InternetDespite what can go wrong, evidence from UK projects indicates that there is no need for draconian measures. For example, the experience from the Education Departments’ Superhighways Initiative and Schools On Line projects points to the need to be aware of the pitfalls and to develop a policy for handling them. Schools adopt different approaches to use of the Internet, ranging from total trust to close supervision. Some say that preventing students’ access to undesirable material does not enable them to make healthy choices nor does it teach them about their responsibilities. They would see teaching about the Internet as a good opportunity to debate ideas about censorship, law-breaking, responsibility, free speech and tolerance. And there is the view that schools have always been places where learners, particularly primary school children, are protected against all sorts of undesirable occurrences and that this should be extended to their contact with the Internet. Yesterday’s Internet was significantly less controllable than it is today. While legislation is still struggling to keep pace with the technology, the tools for control today are more refined: some access providers block out undesirable areas of the Internet, and software to protect people has been developed. Beyond that, a number of ideas have been suggested: some want the government to introduce the controls, some want to see all objectionable material withheld unless proof of age is supplied; others want to give parents a rating system they can use for guidance. But there are difficulties – it is hard to police a system where national boundaries are meaningless and where material can be copied quickly from one place to another. One approach has been to put pressure on Internet service providers to censor their service, but this inevitably gains a reaction from countries with different moral codes. Indeed, when CompuServe was threatened with prosecution by the German authorities, it complied by introducing a ban on some discussion groups. The ban extended to all its subscribers since at the time it was not possible to be selective when blocking access to the groups by German subscribers. The blanket ban was later lifted after widespread protests about the ‘export’ of German morals. The result of such battles, together with parental tensions, led the consumer and business Internet services such as AOL, CompuServe and Microsoft’s MSN to offer a feature whereby parents can control what children access. Most still have a disclaimer to say how safe their system is and it may exonerate them from liability, at least to prosecution. The reason for the disclaimer is that many control mechanisms work by referring to a list of blocked sites. For example, Research Machines’ Internet for Learning blocks access to discussion groups and a long list of contentious sites. Users can also send in reports of any sites they object to and RM may add these to the exclusion list. The LINK was set up by the Internet Watch Foundation to implement proposals by Internet provider associations, the government and police in the UK. It works in two ways. First, anyone finding illegal material on the Internet is invited to report its location by phone, fax or e-mail. This begins a process where the Foundation traces its origin and informs the police. Second, the IWF is establishing a rating system for the UK, possibly to become a model for the European Union, to help prevent exposure to materials people consider unsuitable. While it will take time for such measures to work, some service providers offer secure approaches to control. In place of the ‘block list’, they use an ‘allow list’ where only those areas deemed useful can be accessed. The education provider BT CampusWorld uses this approach. It offers a protected environment where all the content has been endorsed and, without the teacher’s password, access to anything else is blocked. Control and filtering productsSome schools and colleges have opted for providers offering open access to the Internet. This shifts all the controls downstream – in other words it is now up to the teacher. The options then are that the teacher leaves learners to act responsibly, supervises them while they use the Internet, or installs control software on the machine. The concept of controlling learners’ access to a computer by means of software has been part of school computer policy for many years. Internet filtering software, with names such as Cyber Patrol, Net Nanny or SafeSurf allow a teacher or parent to determine what they want children to see or do while connected. As we have seen, several service providers do this for you and, behind the scenes, they often use the self-same programs. For example, AOL has an unusually comprehensive set of controls covering the Web, mail and chat groups. Nevertheless, no single approach will prevent every kind of transgression that people can commit using a computer. Some schools have found controls too limiting or, because the controls appear to cause technical problems, have eventually removed them altogether. When learners choose a place to go on the Internet, the software refers to a list of blocked places before allowing them access. When you set up this software you may find categories such as sex, violence, alcohol, language, nudity, racism, tobacco, gambling or drugs, and you can choose which you want to block. The software can automatically maintain its list of acceptable sites by accessing an updated list stored on the Internet. The idea works much the same whether you use a stand-alone computer or one connected to a school network – it is just a case of how far upstream the control system is placed. On a computer network, control software will allow you to set up different users and give them different privileges. A staff member might have a password which gives open Internet access, while a Year 7 group might be given access to material which the system deems suitable for under-13s. Once installed, this kind of software will require periodic checking to see if it has been tampered with. On a network, you may have the filtering software work on the central server to which all access requests must go. The filtering software will be maintained by the network administrator and, as long as people are careful with their passwords, is less prone to being overridden by individual users’ controls on their computer. Of course, who decides what is acceptable is an issue here – but filtering software usually allows the teacher or parent a good measure of control. The perfect system may not actually exist, but rating systems aim to distinguish, for instance, nudity which is medical, artistic or non-provocative. There is a growing industry of rating systems and quality assurance managers – a service which inevitably you pay for by buying the filtering software and subscribing to ‘block list’ updates. An incidental point here is that such software could, in theory, be used by one organisation to block access to a competitor’s site. This raises the perennial question in these issues: who polices the censors? Some software allows you to create your own rating system or send your opinion of something you have found objectionable to the rating service. In others, you can edit a dictionary of offensive words that the software uses to scan everything coming into the computer. However, people complain when the computer refuses to load material containing, for example, words like Essex, gay or breast cancer. Some software provides more control – it may limit Internet access to certain times of day or limit how long is spent on line. It may monitor the Internet pages seen, the phone numbers called and it may scan outgoing e-mail to check whether personal details like addresses and credit card numbers are being given out. Some software can record shots of the computer screen at predetermined intervals, or check for pictures with flesh tones. Some will shutdown to system, or dispatch e-mail to the supervisor or parent if certain violations occur. However, it can be time-consuming to search for abuse when there are large reports. There is then the question of what to do when the information uncovered points to a member of staff – even more reason, if any were needed, to be careful with passwords. Self rating – control without censorshipAs we have seen, there are moves towards self-regulation by the industry, if only to forestall the introduction by government of harsher controls. The Internet Watch Foundation proposals encourage those who publish content to say what they contain. The idea, which has been widely endorsed, is to rate or tag content using a system similar to film ratings. As with filtering software, an invisible ‘tag’ enables parents or teachers to choose what they want to make available. It allows people to express different ideas about what is acceptable, while preserving the notion of individual rights. Unlike filtering software, the intention is to use an internationally agreed way of tagging, or invisibly marking the content. In this method, called PICS (Platform for Internet Content Selection), the browser software recognises and acts on a PICS tag. If content can be marked in this way, it remains for publishers – or indeed anyone putting a page on the Internet – to rate their work. For example, the system introduced by the Recreational Software Advisory Council (RSAC), is based on four aspects of contentious subject matter: sex, violence, nudity and bad language. Content is rated on a five-point scale for each of these headings and this is used to create a label – a string of characters which is put into the page. When a child tries to access a page with such a label, the browser software checks their access level and decides whether the page will be shown or not. What the RSAC system does is to allow them a choice – for example, to reject bad language but accept nudity. Compared with film, which is graded into age bands, this appears to be more flexible than saying something is ‘good’ or ‘bad’. It also preserves ‘free speech’ by letting adults choose what they do and do not want to see. In other words, they could choose to see only adult sites. For all this to work, a critical mass of people will need to ensure that their work is appropriately rated and tagged. Some companies are using software ‘robots’ to roam the Internet and rate pages automatically – this they can do by looking for tell-tale words in the text. Otherwise, ‘self-rating’ could be made a statutory requirement on all content providers, or built into Internet authoring tools. There are some difficulties with this, but what is likely to create pressure is the knowledge that browsers everywhere are set to reject non-rated material – if there is no PICS rating, the page has no audience. In time, it may be that trusted authorities, service providers, educational or religious groups will create ready-to-use PICS ‘profiles’ which people can apply easily. CopyrightSince 1985, UK copyright legislation has encompassed digital media. In fact, the UK was one of the first countries to extend its copyright laws on traditional media to computers. The amendments to the copyright acts had to take account of the fact that software, unlike a book, actually needs to be copied to make use of it. It led to today’s situation where you never actually own the software – you buy a licence to make transient copies and back-up copies. Most software comes with small print about this and there is some variation between software publishers. With network software you buy a licence for as many users as you need. Network auditing software can monitor your system to ensure that you do not exceed the terms of your licence, and that you do not waste money on more licences than you need. The Internet provides something of a challenge to the legal system. The Internet is a particularly convenient way of distributing software – no longer need disks pass from pocket to pocket – instead, software can be electronically mailed from one computer to another. The added ease of this may give learners a false sense of innocence about their software trading. The Internet offers for the taking valuable data that again brings ‘copyright’ to the fore. Ironically, some of the value of using the Internet is invested in the notion of learners doing precisely this, that is the ‘re-purposing’ of original material. This will call upon teachers’ experience of dealing with copying and plagiarism but there is a spectrum of possibility between original work, other work where sources are acknowledged and passing work off as one’s own. As we move into the digital age, ideas about where to draw the line may actually change. To date, copyright laws have dealt with ‘works’ which are fixed on some medium. For example, the licence for a piece of software will say something about copying to install it on a machine. But the law has yet to take on the idea of the ‘virtual’ digital documents that exist on the Internet. For example, you can incorporate pictures on your Web page which appear to be part of your page but which are in fact 'inline' graphics residing at the original site; this is achieved simply by writing HTML code instructing browsers to display them. The law has yet to decide whether the URL of that image is copyright; if so, the whole concept of hyperlinks fails; if not, then deceitful practice is easy. In time, if only to ensure that trade on the Internet thrives, such points will need to be dealt with at an international level. One developing area involves a ‘digital watermark’ that can be embedded within a track of music or photograph. With the help of this, new legislation may be more feasible, but whatever the approach, if they are to work, laws need to be enforceable. In the meantime, it is appropriate to follow the same copyright rules that apply to ordinary media and to resist the temptation to scan in, for example, an Ordnance Survey map to show your school’s location, even if it is easy to do! Using or distributing copyright material for commercial gain will infringe those rules. Using material for private study, criticism or chance uses (for example, of a picture in a photograph) will not infringe. Neither will using a single word, or note of music – you have to use a ‘substantial’ part of something, the test of that being more to do with quality than quantity. As at present, the law provides certain exemptions for libraries and educational uses. That is not to say that copyright materials may appear on your Web site or that ignorance that they are subject to copyright is any defence. In any case, there is a moral issue about an originator’s intellectual property and livelihood. The advice must be that schools and colleges monitor their sites with copyright in mind. As ever, sources should be acknowledged and – given the ease of asking by e-mail – permission should be sought wherever appropriate. Equally, teachers ought to make learners aware of the existence of copyright in all media and what it seeks to achieve. Access to your network from outsideSchools and colleges are turning their computer networks into an internal Internet, called an intranet. Intranets may connect to the Internet, although they don’t have to. Inevitably, easy access to data is the beginning of a network security issue. Making a network secure is comparable to making a building secure. You identify the weak points, and then assess how they are likely to be broken into. On a network, the main risks are of information being copied or read by people other than the intended recipient as it travels through the system. It could even be routed to a wrong destination. Security measures are akin to those for security of buildings: you can put heavy locks on the main doors, and you can keep a constant eye on visitors during their visit. In any case, security measures will need to be ‘reasonable’ since too many locks on a door will mean that people leave it open or, in the case of password access, leave their system on when they are at lunch. And in the case of education uses, too many locks will lead to less use of the system to support the curriculum. Under the Data Protection Act, the personal information which is part of this system needs to be kept secure. The head teacher, governing body and education authority may each need to register as data users and accept legal responsibility. They will therefore want to ensure that learners’ personal details are suitably protected – more so if the network is accessible from the Internet. Some security measures will require password control and some will require what is called a ‘firewall’ – a wall between your private data and what can be accessed from outside. Firewalls block or allow data traffic based on certain rules that you set. Some firewalls are just concerned with where the data and the users go, but some ‘keep their eye on’ what is being done. While a firewall is an off-the-shelf item, installing one is really a job for experts. If administration and school curriculum data are kept on separate networks, as they sometimes are, the risk is less. Note too that any computer, whether connected to the Internet or not, can risk using software carrying computer viruses. These are programs that can damage files on your machine – so you may want to use anti-virus software to guard against this possibility. A machine connected to the Internet has a greater risk of getting viruses through the e-mail system. New viruses are created all the time and anti-virus software needs to be kept up to date. This can conveniently be done on the Internet. Bear in mind that those with the mentality that creates viruses also create endless virus scares and hoaxes. You can even receive an antidote for a new virus that turns out to be the virus ‘poison’ itself. In short, there is no end to such ‘scams’ and the advice is to use only trusted sources of anti-virus software. Some Web sites use special features that allow the people viewing them to interact with the site. For example, a ‘script’ (a small program) offers features where visitors can leave comments, use a database, or use more interesting menus on Web pages. These scripts can be written by those with programming skills, or obtained freely over the Internet. Badly written scripts have been tricked into doing things that they were not designed for. In one case, a hacker tricked a script which normally accessed a database into supplying the network’s complete password list. Installing a more secure firewall protection system removed the risk of this ever happening again.
PasswordsThe password is the key to all things computer. Like letting go of your school keys or a cash card PIN number, the password slip can cause all kinds of damage – for example, passwords can be used to disable security measures or to send bogus mail. Many networks offer different identities and passwords for different levels of network access and network managers typically set the system policies for these levels. When your password offers all kinds of system privileges you may prefer not to key in yours in front of an audience. There are guidelines for passwords: they should be easy for you to remember so that you never write them down. The best passwords mix numbers, characters and letters. Try an anagram of a memorable word if a random password like ‘%Sq6l(’ is too hard to recall. Your Internet provider will no doubt say that they will never ask for your password – meaning that there is never a reason for you to divulge it.
CryptographyIn time, more confidential material – such as pay slips, credit card details and personnel files – will pass over the Internet. This in turn will increase the risk of computers en route ‘sniffing’ or intercepting them. In these situations, it is common to encrypt information before you send it. A password is needed at the receiving end to decrypt it. In a good encrypting system the process will be fairly transparent to all. One way of ensuring secure communications uses a pair of passwords, and both are needed for a message to be encrypted and decrypted. The sender –the education authority, say – encrypts a message with its password and the message can only be read if the receiver has the other, more public, password. This method, called the Public Key system, makes it less likely that a message could be faked. Other systems exist to warn that a message has been tampered with and comes from who it says. There are even systems that can distribute the passwords securely for you. Hackers (people who break into computer systems) are adept at finding passwords. Happy to spend weeks trying all possible combinations, they sometimes succeed. Over time, increasingly sophisticated ways to thwart these attacks appear. Just as we increase the number of levers in a door lock to enhance its security, computers are using more and more levels of encryption in the attempt to raise levels of security to match the risks.
What should schools and colleges do?· Use a service provider that offers a filtered service and/or use Internet control software. · Place computers with Internet access in a public, well-monitored place and positioned so that the screen is visible. A large monitor will not only help with security, but will also make it possible for a group of learners to discuss what is on the screen. · Encourage learners and parents to discuss and accept a policy for acceptable use of the Internet. These are compulsory in many American states and can be seen on the Web. You can find a UK example on the Web site of Linlithgow Academy (http://www.linlithgowac.wlothian.sch.uk/prospectus/rup.html). · Sensitise learners to the dangers of giving out personal details over the Internet and encourage them to be suspicious of unusual offers, requests, or messages. · Raise awareness of copyright issues in all media. The person creating the work automatically gains ‘intellectual property rights’ even if they actually make no claim to them. Encourage people to seek permission to use resources and always to acknowledge their source. Stress the fact that the law is broken if someone passes work off as their own. When you publish materials on the Web, you might add a statement along these lines: ‘Copyright, X School/College 1997. You may copy these materials for non-commercial use provided that you acknowledge the source and give this school/college a copy of the materials.’ · Make it clear to learners that you know what people can get up to on the Internet. Let them see that you track usage and have systems to monitor activity. Make sure that sanctions for disk handling and unauthorised use of school equipment are clearly understood. · See that lines to the Internet are closely managed, and provide different levels of access to them. Start learners off with access to information previewed by a member of staff. Later on, give them full open access only after a period of supervised open access. Some schools have awarded Internet ‘driving licences’, with learners earning points for showing responsibility and losing their licence if abuse occurs. · Ensure that parents and teachers know how to report incidents. Alert parents to problems as appropriate. Deal with criminal offences involving computers in the same way as you would with other crimes. Based on American models (for example, http://www.siec.k12.in.us/aup/Acceptable.Use.txt), ACITT, the association for school IT co-ordinators, offers the following model guidelines and letters (http://www.rmplc.co.uk/orgs/acitt/resources/aup1.html).
Pupil guidelines for using the InternetPupils are responsible for good behaviour on the Internet just as they are in a classroom or a school corridor. General school rules apply. The Internet is provided for pupils to conduct research and communicate with others. Parents’ permission is required. Remember that access requires responsibility: it is a privilege, not a right. Individual users of the Internet are responsible for their behaviour and communications over the network. It is presumed that users will comply with school standards and will honour the agreements they have signed. Computer storage areas and floppy disks will be treated like school lockers. Staff may review files and communications to ensure that users are using the system responsibly. Users should not expect that files stored on servers or disks will be always be private. During school, teachers will guide pupils toward appropriate materials. Outside school, families bear responsibility for such guidance, as they must also exercise with information sources such as television, magazines, telephones, movies, radio and other potentially offensive media. The following are not permitted:
Sanctions
Parent’s permission letter
How schools can help parents at homeIf schools adopt such measures, any Internet abuse which occurs is more likely to happen elsewhere, most probably in the home. Parents may take out a subscription to an Internet provider which does not block materials or young people may use the home computer unsupervised. Here are some steps which schools may like to consider taking to minimise the likelihood of Internet abuse away from school. · Share your concerns with parents and seek their guidance and approval for your policies. Ensure that they support the idea that their children have access to the Internet at school. Make sure that parents know to which member of staff they should take any concerns they may have. · Recommend that the computer be brought into the living room rather than allow children to use it alone in a bedroom. · Suggest that by learning to use the Internet with their child, parents can instil the values to use when selecting material on the Internet. This approach applies equally to television or printed material. · Some parents ask their children to set up ‘parental controls’ for them. Help parents to understand more about IT by telling them about the Internet, by discussing the IT requirements of the curriculum or explaining how to use controls if they have computers at home. · Suggest that if they have Internet access from home it will need management, if only to control the telephone bill. • Advise parents to be extra careful about security of their credit card details, as they can be used for on-line purchases. Suggest that parents warn children about disclosing personal information and provide them with copies of the NCH House Rules’ that follow. NCH Action For Children – House Rules· Never tell anyone you meet on the Internet your home address, your telephone number or your school’s name, unless your parent or carer specifically gives you permission. · Never send anyone your picture, credit card or bank details, or anything else, without first checking with your parent or carer. · Never give your password to anyone, even a best friend. Change it monthly; keep a note of it, but hidden. · Never arrange to meet anyone in person without first agreeing it with your parent or carer, and get them to come along to the first meeting, which should always be in a public place. · Never hang around in a chat room or in a conference if someone says or writes something which makes you feel uncomfortable or worried, and always report it to your parent or carer. · Never respond to nasty, suggestive or rude e-mails or postings in Usenet groups. · Always tell your parent or carer if you see bad language or distasteful pictures while you are on line. · Always be yourself and do not pretend to be anyone or anything you are not. · Always remember if someone makes you an offer which seems too good to be true, it probably is. Footnote: House Rules from NCH Action for Children, a charity for children at risk. Available from NCH Action for Children. Reproduced with permission. |