CIPA Compliance in less than 700 words

In 2000, Congress enacted the Children’s Internet Protection Act (CIPA) to try to stop kids from accessing obscene or harmful content via the Internet. Compliance with CIPA is required for schools or libraries that receive discounts for Internet access or internal connections through the E-rate program. In 2001, the FCC issued rules implementing CIPA, and those rules were updated again in 2011. In short, if your school or library wants to receive E-rate funds for Internet access, you have to follow the CIPA guidelines.

Now, what are the guidelines? For such a big, federal program, there are remarkably few rules. Here they are in plain language.

  • Your TECHNOLOGY protection measures must block or filter Internet access to pictures that are obscene, child pornography or harmful to minors for computers that are accessed by minors.
  • Schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.

The summary is you need to stop porn and obscene pictures and you need to tell the public that you are going to do it. That’s the technology side; there is another piece, which is your Internet Safety Policy.

The safety policy must address:

  • Access by minors to inappropriate matter on the Internet;
  • The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
  • Unauthorized access, including so-called “hacking,” and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
  • Measures restricting minors’ access to materials harmful to them.

Notice that this part of the policy does not need to be technology driven; you just need to have the ability to implement the steps. I’m sure someone on staff would be happy to stand behind the minors and “monitor” their access, right?

Schools (but not libraries) also have to have a plan to educate minors about appropriate online behavior “including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.”

So in exchange for Federal dollars, you have to follow these rules. Here is where I think it breaks down a bit. CIPA is in place to protect minors, and minors are the ones trying to violate CIPA. It’s like wrestling my 2-year-old into her car seat: it’s a fight to get her in there, and as soon as I walk away she starts trying to escape. It’s there for her protection, but she hates it and wants nothing more than to get out. The range of tools that can help minors bypass standard content filters is vast. Proxy software, proxy networks and “browsers on a stick” are easy to find and easy to install, and many of them work all too well.

A couple of points to consider:

  • Know how to break your own filter. I know that sounds strange at first read, but it makes sense. If you don’t know where the holes in your own defenses are, how can you know how to make them stronger? Search for “how to get past …….”, and put the name of your filter in there. Get to the 5th and 6th pages of results and really see what’s available.
  • Know your reports. At Untangle, we have products that collect a whole lot of data. We have spent years trying to make sure we are presenting that data in the most helpful way possible, but even customers that have used our products for years don’t know just how flexible and powerful our reports are. Understand that HTTP traffic over nonstandard ports and excessive bandwidth consumption on specific machines can be good indicators that there is trouble. Get to know what information is available to you and set up automatic delivery so the reports show up in your inbox.
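
The two indicators named in the last bullet, as an added example (not Untangle's report code or export format): a Python pass over constructed flow records that flags clients carrying HTTP on nonstandard ports and clients over a byte threshold. The CSV layout, the standard-port set and the threshold are assumptions, and the protocol column assumes the filter identifies HTTP by inspecting traffic rather than by port number.

```python
from collections import defaultdict

# Constructed sample flow records (not a real Untangle report export):
# client_ip, server_port, detected_protocol, bytes_transferred
SAMPLE_FLOWS = """\
10.0.5.21,80,HTTP,48211
10.0.5.21,443,TLS,910334
10.0.5.37,8080,HTTP,1200450
10.0.5.37,3128,HTTP,88000231
10.0.5.37,443,TLS,20412
10.0.5.44,53,DNS,1822
10.0.5.52,443,TLS,750000000
10.0.5.52,80,HTTP,3100
"""

STANDARD_HTTP_PORTS = {80}          # assumption: site policy for plain HTTP
BYTES_PER_HOST_LIMIT = 500_000_000  # assumption: per-report-period threshold


def parse_flows(text):
    """Yield (client, port, protocol, bytes) from the CSV lines above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, port, proto, nbytes = line.split(",")
        yield client, int(port), proto.upper(), int(nbytes)


def review(text, http_ports=STANDARD_HTTP_PORTS, limit=BYTES_PER_HOST_LIMIT):
    """Return (odd_http, heavy_hosts) for follow-up by staff."""
    odd_http = defaultdict(set)   # client -> nonstandard ports carrying HTTP
    totals = defaultdict(int)     # client -> total bytes in the period
    for client, port, proto, nbytes in parse_flows(text):
        totals[client] += nbytes
        if proto == "HTTP" and port not in http_ports:
            odd_http[client].add(port)
    heavy = {c: b for c, b in totals.items() if b > limit}
    return {c: sorted(p) for c, p in odd_http.items()}, heavy


if __name__ == "__main__":
    odd, heavy = review(SAMPLE_FLOWS)
    for client, ports in odd.items():
        print(f"{client}: HTTP seen on nonstandard ports {ports}")
    for client, total in heavy.items():
        print(f"{client}: {total / 1e6:.0f} MB transferred, over threshold")
```

A flagged client is a prompt to look at that machine's report detail, not proof of a bypass: local applications and update services also use ports such as 8080.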

We at Untangle want to help make your CIPA compliance as easy and effective as possible. Take a look at the blog entry “Keeping inappropriate content out of the classroom” for ideas on how to enforce CIPA compliance.

– Joe