My name is David Duggan. I am a Principle Member of the Technical Staff at Sandia National Laboratories and the volunteer Technology Coordinator at a parochial school in Albuquerque, New Mexico. My contact information is: David Duggan PO Box 13071 Albuquerque, New Mexico 87192-3071 Phone: 505-845-8100 (w) Email: dduggan@ola.k12.nm.us I'll start off by stating my qualifications to making comments in this area of policies. I spent several years at Sandia working in the CIO organization where I was responsible for implementing our policy for catching offenders to the corporate Pornography Policy. Due to the nature of our organization, which could be similar to that of schools, we felt that we couldn't implement blocking software as being sold by several companies at the time. While they block some percentage of pornographic material, they do miss a fair number of sites. The porn sites change on a regular basis (hourly, in some cases) and are always a step ahead of most software updates. These programs also tend to block quite a few legitimate sites needed by researchers, due to their methods of blocking. We instead went with a strategy of monitoring the usage and taking action after the fact, including dismissal of employees. Some of the more constant and well known sites are blocked, but the list is not updated on a daily basis. It would take too much manpower to maintain such a dynamic list. Now to directly answer the questions listed in the request. Evaluation of Available Technology Protection Measures. 1. Schools are not financially or technologically well endowed. The available commercial protection measures do not address the needs of these institutions. They either block too much, or not enough. The fact that people are more concerned with inappropriate content from the Internet over that of television is important. There is a rating system concerning television programs that is readily adhered to by stations. Even though it isn't required by law, it is used. There is no such system in place for the Internet, and since much content of the Internet is provided from outside this country, there will not be any enforcement mechanisms for content in the near future. 2. The use of "acceptable use" forms and other simple blocking strategies seems to be what is in use where money is a problem. 3. At the school I volunteer for, we have decided to block all sites for students, allowing only those sites that have been screened by a teacher. The teacher is then responsible for the content shown on that page. The teachers have accepted the responsibility for this. All actions that allow students to view some specific URL are recorded, keeping the teacher authorizing the URL, the time, and the URL authorized. 4. The several packages I reviewed for Sandia were not able to block an adequate percentage of bad content. I am not able to provide the lists of software tested, since it was an internal review. As a Computer Scientist, I see no possible way for the blocking software to work correctly in the majority of cases. Until the Internet becomes as regulated as TV is now, blocking software will not work. 5. The lists of sites to block change all the time. It takes someone, or some process to keep getting the new lists and restarting the software to incorporate the new list. Using a list generated by some other organization will then put your access capabilities in the hands of someone that does not work for your school. They might not have the same goals as your organization. The sites that need to get blocked change on a regular basis and the chance that it takes days to get the new site address blocked is very high. 6. I don't know how those companies work internally. That is part of the problem. 7. The number one factor we discussed was the technology used in the blocking software. Other than the vendors that just implement a blocking list, most won't let you know how the program works. Securing the program by obscurity does not work. There are many methods to identify how something works, and thereby allowing it to be circumvented. Another important factor was cost. Schools just don't have the kind of money to pay the initial costs and continue the maintenance costs to keep up with the new lists. Fostering the Development of Technology Measures 1. The method we use is effective since everything is blocked, except teacher approved URL's. We utilize a web proxy, Squid, to perform the blocking. Programs that work on the individual desktop can be easily bypassed. 2. Some technologies are not used due to inadequate training of staff and inadequate budget for computer literate teachers or support. 3. Technologies that are positioned at the boundary to the school network have the biggest advantage. These must work with operating systems other than Windows derivatives. Use of Linux and other free Unix variants will allow the schools to use scarce technology monies for something other than infrastructure support. 4. There is really no reason to block adults from specific sites on the Internet. If they are willing to sign the "acceptable use" agreement, and monitoring is performed on all Internet accesses, it just keeps them from doing legitimate research. I see no reason why there should be a difference in the acceptable sites for anyone through 12th grade. Tools on the desktop are easily bypassed. Current Internet Safety Policies 1. There must be policies in place before the systems are in place. Without the policies, there is no enforcement mechanism for those that violate the policy. Without a policy, there is no way to design the blocking/filtering/monitoring system. 2. The policies should address only goals of the program and not any specific method or technology to implement those goals. Give the individual schools the ability to implement the solution that they can afford and that they can live with according to their own budget and other resources. 3. We are using two methods of protection. The first is the "acceptable use" policy statement, which every student, faculty member, and staff member must sign. The second is our web proxy that only allows teacher approved URL's to student machines. 4. Through my Sandia job, I have found that allowing only approved sites is effective at keeping inappropriate content from entering a network. I have also found that trying to identify inappropriate content through other methods, including URL/site lists, color analysis, and word analysis are ineffective, at best. A human screener is still the best way to keep inappropriate content from passing through some portal. Technology solutions today don't come close.