DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket No. 020514121-2121-01] - RIN 0660-XX14
Request for Comment on the Effectiveness of Internet Protection Measures and Safety Policies
AGENCY: National Telecommunications and Information Administration, U.S. Department of Commerce
ACTION: Notice; Request for Comments

Section 1703(a)(1) of the Act requires NTIA to evaluate whether or not currently available technology protection measures, including commercial Internet blocking and filtering software, adequately address the needs of educational institutions

 

My name is Nicole Toomey Davis.  I was a co-founder and the President and CEO of DoBox, Inc., a leading provider of parental control technologies for broadband connectivity from 1999 until we were acquired by a public company in March, 2002.  I am submitting these comments on behalf of myself and my experience at DoBox, Inc., including the experience of DoBox in attempting to deliver our state of the art parental control technology to the education market to help meet CIPA requirements.  In particular, in answering the questions posed by the Study, I will outline the types of technologies that COULD have been available to the education market that absolutely are completed and would have met the rich needs of CIPA, had DoBox been able to find ANY funding that would support an educational product.  Unfortunately, venture capitalists and investors told us that “education is a poisoned market”, “education is an ungrateful vertical”, or simply crossed us off the list of potential investments if we even brought up the issue of delivering technology to the education market. 

 

Although the technology still exists in the public company of which DoBox is a part, it is targeted at parental control and the consumer and small business broadband market and this firm has not yet committed to the education market.  In general the technology market to education is poorly structured, very slow to purchase, and exceptionally cost sensitive, leading to the “ungrateful vertical” moniker from the investment community.  To quote one experienced business development executive with years of experience delivering protection technology to the education market, “I don’t believe that public [or for profit] companies should be in the education market.” 

 

I want to emphasize that the technologies that I describe in my comments below were already created, were in the testing phase, and that we had begun fine tuning of the interface to assist administrators of schools to more easily configure a variety of groups etc.  This is not future technology, this is technology that exists, but that needed funding in order to “customize for education and deliver to market to education. 

 

If there is one message I could deliver to you, it would be that DoBox had a solution that, in combination with our web categorization partners, provided solutions to the complaints/concerns that I have seen and read leveled at CIPA.  DoBox technology managed ALL FACETS of Internet access, including Web, email, chat/instant messaging, applications/games, peer to peer systems, etc, the only product coming to market to provide such comprehensive CIPA compliant solutions.  It is customizable by user and by group, providing appropriate access to adults, administrators, researchers and children, without cumbersome “requests for access”.  It is locally customizable, meaning that teacher or administrators could immediately add sites to be blocked, or permit sites for permanent or temporary access.  

 

However, because we could not get funding for this market, that technology, at least currently, is lost to the education market.  We desperately needed some assistance from the government to help us cross the threshold to productization and market penetration in the education market.  In addition, as we approached schools, most of them had taken a position that if they provided web access management they were CIPA compliant, which is clearly contrary to the spirit and letter of the CIPA legislation and regulations.  Schools, if permitted to self certify, are not going to add any additional costs to their current access management systems, and they are certainly not going to install the type of solutions required by the law.  At the same time, existing vendors are struggling or exiting the market, further limiting the availability of solutions to schools.  CIPA regulation does not pay for the solution, further exacerbating the problem. 

 

 

As a mother, a long time technology executive and a former CEO of a company focused on protection of children, I applaud the efforts of CIPA and various agencies to foster availability and usability of technology designed to protect our children from unwanted and inappropriate exposure to Internet-based materials.  If I can be of any further assistance, please contact me at

 

Nicole Toomey Davis

P.O. Box 1214

Draper, UT 84020

Cell 801-550-6642

ndavis@cove-mtn.com

Please do not publish my coordinates, thank you.

 

Yours Sincerely,

 

 

 

 

Nicole Toomey Davis

 

Evaluation of Available Technology Protection Measures

Section 1703(a)(1) of the Act requires NTIA to evaluate whether or not currently available technology protection measures, including commercial Internet blocking and filtering software, adequately address the needs of educational institutions.

1. Discuss whether available technology protection measures adequately address the needs of educational institutions.

In general, currently available solutions address only the web filtering portion of Internet Access Management.  Actually, CIPA requires educators to manage the entire range of internet interactions, including:  Web Access, Chat/Instant Messaging, Email, Game and application management, School network firewall and security.  Today, the schools that DoBox surveyed did NOT have even a basic network firewall, fundamentally violated CIPA’s security requirements.  In addition, there currently exist on the market for education NO tools that provide management of the other, non-web, uses of the Internet.  A summary of technology management modules required to comply with CIPA is below, all capabilities need to be configurable by PERSON, GROUP, or UNIVERSALLY: 

 

Chat and Instant Messaging monitoring[1]

• All chat/IM parameters can be configured:
• Universally
• By group
• By user
• Chat protocols monitored:
• AIM
• ICQ 2000
• MSN Messenger
• Yahoo! Chat
• Chat can be blocked
• Completely (24x7)
• During certain times of day or week
• Monitoring includes:
• Log “room” entry/exit times and “chat-mate” entry/exit
• Log private messages (who, when)
•  “Chat-mates” list, choice of:
• White list: all approved chat-mate chat IDs
• Black list: all blocked chat-mate chat IDs

Web Access Management[2]

• All web access parameters can be configured:
• Universally
• By group
• By user

• Web access can be blocked completely during certain times of day or week
• Blocking of sites by content
• Blocked page can be overridden by user with privileges to see that site
• District or school can set sites/categories that are not permitted for anyone
• Parameter can be customized at the school
• Web data collection
• Sites visited
• When visited
• From which machine

Email Control (POP and SMTP)[3]

• Manages any POP email account (web-based email is blocked with Web Access Manager)
• Bi-directional monitoring
• Logs source and destination addresses, headers and keywords
• Approved “correspondents” list
• Monitor (both monitor and child receive message)
• Block (message never enters the school network)
• Allow (no blocking)
• Can be configured at “master level” with customization for specific cases
• Example:  All email blocked, except for email from a specific domain.

Smart Firewall™ [4]

• Time-based access control for Internet games and applications: block or allow
• Simple web-based interface for configuration
• Extensive list of applications for access control—by user, by time of day.
• Easily customized to add/manage other applications

 

2. Is the use of particular technologies or procedures more prevalent than others?

No Comment

3. What technology, procedure, or combination has had the most success within educational institutions?

No Comment

4. Please explain how the technology protection products block or filter prohibited content (such as Ayes@ lists, (appropriate content); Ano" lists, (prohibited content), human review, technology review based on phrase or image, or other method.) Explain whether these methods successfully block or filter prohibited online content and whether one method is more effective than another.

The DoBox philosophy was to provide educators with the option to either use “ayes” list for younger children or “ano” lists for older children.  In addition, the DoBox technology provided the ability to easily customize the system by allowing schools/educators to adding sites to a block list permitting selected sites that may be inappropriately blocked.  We had partnerships pending or signed with companies who used neural network, content vectoring and statistical word count analysis tools to evaluate, at least initially, the categorization of a web site.  In certain cases, these sites would be reviewed by human reviewers, in other cases, schools simply bypass inappropriate blocks or add sites that are inappropriately bypassed. DoBox preferred to use a real time web site categorization partner (pass a URL from the education gateway to the online categorization server, receive back a category and then make appropriate local policy decisions), backed up by locally stored caches of accessed sites.

5. Are there obstacles to or difficulties in obtaining lists of blocked or filtered sites or the specific criteria used by technology companies to deny or permit access to certain web sites? Explain.

The Internet changes too quickly for a static list to provide appropriate access or limitations on access.  An effective list categorizes 10’s of millions of web sites into categories, some of which would be considered offensive to children, others would be permitted.  Access to this type of “list” would be unwieldy and would change on a daily basis.  The DoBox interface allowed an administrator to type into the system a selected web site and receive back the categorization of that site, so that they could immediately know if they  needed to customize their system to either block or permit the site(s) in question.   See example customization interface. [5]

6. Do technology companies readily add or delete specific web sites from their blocked lists upon request? Please explain your answer.

DoBox had a strategy to let schools submit sites that they requested to be added or removed to the block lists. However, because schools could immediately customize their own add/block lists at the local gateway, it is not the same type of concern as in other implementations.  See example customization interface in footnote above.

7. Discuss any factors that were considered when deciding which technology tools to use (such as training, cost, technology maintenance and upgrades or other factors.)

No Comment

Fostering the Development of Technology Measures

Section 1703(a)(2) directs NTIA to initiate a notice and comment proceeding to make recommendations on how to foster the development of technology measures that meet the needs of educational institutions.

1.      Are current blocking and filtering methods effectively protecting children or limiting their access to prohibited Internet activity?

DoBox had an explicit commitment to helping educators manage ALL elements of Internet access, not just web filtering.  As far as our research shows, no other provider of educational protection technology provider delivers this range of capabilities.  For example, the user profile includes permitted times of usage for web surfing and chat/instant messaging (IM), as well as approved “correspondents” for email and chat/IM. Administrators can specifically permit or prohibit use of a wide range of interactive Internet games and other Internet applications, such as FTP, Napster, Gnutella, Morpheus and others.  Schools can also limit user- or group-level access to web content by category, including “hate”, “pornography,” “adult content” and many others.

 

CIPA requires that schools implement technology measures to prevent access by minors to “visual depictions” of certain inappropriate content.  New peer-to-peer and instant messaging technologies are becoming the leading mechanisms for children to access visual depictions. These software clients are able to easily share any type of file, many of which may violate CIPA regulations, infringe copyrights or be harmful to children.  Web filtering solutions by themselves cannot begin to address these new avenues of access, since they are by definition limited to the “web”, or the browser-accessed portion of the Internet. Failing to address them, however, is a clear violation of the spirit and letter of the CIPA regulations. 

 

SchoolWall™ also includes DoBox’s unique Smart Firewall™, which provides an industrial-strength network firewall and protects equipment and resources from being attacked and used inappropriately. Smart Firewall™ is a key component of CIPA compliance, which requires protection from “hacking and other unauthorized activities.” SchoolWall™ is simple to integrate into existing technology infrastructures, with LDAP lookup capabilities and a database import facility to speed user-account setup and ease administration.  With multiple levels of management control, SchoolWall™ can be deployed at the district, school, or lab level. 

 

2.      If technologies are available but are not used by educational institutions for other reasons, such as cost or training, please discuss.

No Additional Comment

3.      What technology features would better meet the needs of educational institutions trying to block prohibited content?

See Explanation above of range of technologies required to manage web, chat/instant messaging, games/applications, peer to peer systems and email

4. Can currently available filtering or blocking technology adjust to accommodate all age groups from kindergarten through grade twelve? Are these tools easily disabled to accommodate bona fide and other lawful research? Are these tools easily dismantled?

See Explanation above of ability to customize the filter lists and to customize access BY PERSON, GROUP OR DEFAULT settings, permitting schools to rapidly configure the system to permit research or other “lawful” access to wider sets of sites, while still providing strict controls over access as desired per age group or other parameters.  It is important to remember that PC or client based solutions will ALWAYS be vulnerable to bypassing and are, of necessity, a one-size fits all solution.   The only long-term effective way to protect children is to manage Internet Access at the connection to the Internet, so that any packets attempting to access the Internet pass through the access management system.  In addition, a solution like DoBox’s SchoolWall™ permitted any student to use any machine and still have only the access appropriate to their age or class work, while permitting teachers, administrators and others to have appropriate access. 

 

I must comment on a crucial problem in this industry.  The Internet Access Management industry has fallen on very difficult times.  Many of the previous vendors who were in this market are either leaving the market entirely or are significantly de-emphasizing their focus on education in lieu of more lucrative and easier consumer, small business and enterprise markets for the same technologies.

Some examples:  SmartStuff provided an attractive web filtering solution to the education industry.  They were purchased by Riverdeep, and now are focused primarily on their PC “desktop management” tools, as opposed to their web filtering and access management solutions.  According to discussions in the industry, this is primarily due to difficulties in getting schools to pay for these types of solutions.

 

N2H2 is a vendor well known in the educational web filtering market, and I assume that you will receive comment from them. I simply direct your attention to publicly available information http://quote.yahoo.com/q?s=NTWO.OB&d=c&t=5y&l=on&z=b&q=l about them, indicating that their stock price high was over $30/share, compared to their current price of $0.145/share.  In addition, you can see on their web site http://www.n2h2.com/, that they are touting their corporate solutions as much as their education solutions, including their latest announcement of a partnership with Cisco for enterprise solutions. 

 

Other companies focused on Internet Access Management for education have gone out of business or dropped their education products altogether.  As we attended national trade shows such as Comdex and CES, we had sophisticated school districts who were committed to following the CIPA regulations come to us and tell us that NONE of their existing web filtering vendors had any interest in providing a complete CIPA solution, and that they had been left high and dry and were very interested in working with us on solutions. 

 

Unfortunately, due to these issues, the investment community has developed a STRONG aversion to funding anything relating to education, particularly K-12.  We were unable to secure funding to launch our SchoolWall™ solution, and, as a result, had to sell DoBox and its technology to a company that was not interested in the education market.  Had we been able to find funding or appropriate grants from the government, we would have delivered our state of the art, CIPA solution to schools in early 2002. 

Current Internet Safety Policies

Section 1703(a)(3) requires NTIA to evaluate the development and effectiveness of local Internet safety policies currently in operation that were established with community input.

1.      Are Internet safety policies an effective method of filtering or blocking prohibited material consistent with the goals established by educational institutions and the community? If not, please discuss the areas in which the policies do not effectively meet the goals of the educational institutions and/or community.

Internet safety policies are an important part of the goal of preventing children from having access or exposure to inappropriate material on the Internet.  However, by themselves, a policy cannot be effective in appropriate protecting children, because children can EASILY have unintended access or exposure to inappropriate materials. 

 

“Internet Access” is more than “Web”.  New peer-to-peer and instant messaging technologies are becoming the leading mechanisms for children to access visual depictions. These software clients are able to easily share any type of file, many of which may violate CIPA regulations, infringe copyrights or be harmful to children. 

 

Students can transfer filed via Chat and instant messaging, File Transfer Protocol (FTP) peer-to-peer applications such as Napster, Gnutella, Morpheus, Kazaa and Media Desktop; as well as the familiar Web access.  It’s well-known that files can be attached to email messages, but most teachers and parents would be surprised to learn that most chat and instant messaging systems, such as AOL Instant Messenger, ICQ and MSN Messenger, can easily exchange files, including pirated software and videos, as well as pictures and videos that violate CIPA.  These non-web methods of file transfer are easy to use at school and are quickly growing in popularity for the exchange of files, content and other material.

 

There are now many vectors for inappropriate materials to reach children, even unintentionally, and our experience at DoBox told us that CIPA’s emphasis on  technology protection measures to prevent access by minors to “visual depictions” of inappropriate content as well as to restrict their access via the Internet to any type of materials that could be considered harmful is a wise one. CIPA does not distinguish between the many ways students can access “visual depictions” or harmful material over the Internet, but it is explicit that schools must focus on the safety of students when using “…electronic mail, chat rooms, and other forms of direct electronic communications.” That safety policy must include measures designed to enforce it. 

:  accidental web exposure through exploration, email SPAM, chat room access .

 

One child out of every five who use the Internet as little as one time a month is the target of unwanted sexual solicitation according to a study sponsored by the National Center for Missing and Exploited Children.  The Internet, including chat/instant messaging can be a tremendous accessory to a child's learning tools.   However, there are adults who use the Internet who want to take advantage of a child's trust and vulnerability in order to fulfill their own sick objectives. No Policy will be able to effectively protect our children from them without the assistance of appropriate technology tools.

 

The study, which was conducted by the University of New Hampshire's Crimes Against Children Research Center (CACRC), noted that an astonishing 19 percent of children, aged ten to 17 years old, who log on to the Internet regularly receive "requests to engage in sexual activities or sexual talk or to give personal sexual information. "Eighty-nine percent of these incidents began in a chat-room or instant messaging session. In addition, CACRC's study found that one in four children had an unwanted exposure to pictures of naked people or people having sex in the last year.[6]

 

2. Please discuss whether and how the current policies could better meet the needs of the institutions and the community. If possible, provide specific recommendations.

No additional Comment.

 

3. Are educational institutions using a single technology protection method or a combination of blocking and filtering technologies?

See previous descriptions of the range of technologies needed to adequately protect children.

4.      Describe any best practices or policies that have been effective in ensuring that minors are protected from exposure to prohibited content. Please share practices proven unsuccessful at protecting minors from exposure to prohibited content.

No additional Comment.

 

 ENDNOTES