CIPA: 10 Years Later, There is Still Confusion

CIPA: 10 Years Later, There is Still Confusion

This year marks the 10th anniversary of the landmark Supreme Court decision to uphold the Child Internet Protection Act (CIPA) law. Despite considerable efforts by the people responsible for enforcing CIPA (E-Rate/USAC and the FCC), there remains confusion among those required to interpret or implement it.

The concern is understandable. School communities are worried that if they are not compliant with the CIPA law, they may lose much needed e-rate dollars. But the reality is, CIPA is not a “filtering law.” If understood properly, it can help guide an articulated policy of Internet safety and digital education in your schools.

The Basics
The overarching law that governs what and how we filter--and what is at stake if we do not--can be broken down into three major components:

1. The Child Internet Protection Act of 2000, which deals primarily with blocking specific categories of Internet-accessed images;
2. The Neighborhood Child Internet Protection Act of 2001, which calls on school districts and their communities to develop an Internet safety policy around Web content and online communication, and;
3. The Protecting Children in the 21st Century Act of 2008, which amended the Internet safety policy to include “educating minors about appropriate online behavior, including interacting with other individuals on social networking Websites and in chat rooms and cyber-bullying awareness and response.”

Collectively, these three Acts comprise the law we commonly refer to as CIPA. Taken together, they spell out the requirements for school districts that wish to receive federal funds through the E-Rate program.

CIPA Fact 1: A Filter is required

In order to comply with CIPA on the most basic level, the school district must employ a device or software—not human supervision or educational efforts alone—to block three specific things:

■ Child pornography
■ Obscene images
■ Visual depictions that are harmful to minors

The FCC defines the term “technology protection measures” as a filtering device or software. The law is clear that “technology protection measures” must be applied to all Internet-connected computers on the school network regardless of who uses the computer.

CIPA Fact 2: Public Input is required

What is filtered or permitted should be a reflection of the values of your school district and community. CIPA requires public notice of a meeting during which the school district will officially consider or adopt your Internet safety plan. Your plan must address the following topics:

■ Online access to inappropriate matter and content that is harmful to minors
■ Unethical or illegal use of the Internet (e.g., hacking or identity fraud)
■ Safety of minors using electronic communication (e.g., chat, IM, or email)

When discussing this agenda alongside the broader goals and initiatives of your schools, discuss how to maximize the district’s technology investment rather than limiting it. For example, how can 21st century tools like social media be used safely in your district?

CIPA Fact 3: CIPA requires Internet Safety Education

A good source for administrators looking for straightforward ways to comply with the education mandates of CIPA is Their free, step-by- step toolkit creates the framework, as well as practical guides and lessons for teachers, to implement the Internet safety requirements.

Rather than burden one department each year (though the lessons are linked to ELA Common Core State Standards), the benchmark model fits nicely within a wellness curriculum with its focus on healthy online relationships. Bringing in guidance counselors to help deliver the ready-made content can lead to better conversations around how student’s digital footprint effects her college and career prospects. If available, social workers are a natural fit for the cyber-bullying exercises. A team approach underscores that this topic is of school wide importance and not just the purview of the tech department.

CIPA Fact 4: Monitoring of Internet Use is required

CIPA states clearly that monitoring does not mean “tracking of Internet usage by any identifiable minor or adult user.” Increasingly school districts are embracing the “Trust but Verify” model. Students are expected to comply with the Acceptable Use portion of the CIPA required Internet Safety Policy, and adults respond to activity that they find in violation of the AUP.

While not required, software can facilitate this process for school administrators and IT staff. With the explosion of 1:1 and BYOD, there is valuable data that can be mined to bolster community support for your technology initiatives. Imagine sharing the thousands of hours students are logging on Khan Academy or other education sites? Students instinctively move away from adult infiltrated social media or communication tool. Want to know what the next Twitter will be? Look over your Web traffic logs, and use that data to inform your CIPA required Internet safety programs.

Monitoring Student Communication

Even when faced with the tangible benefits of tools like Google Apps for Education, it is natural for tech directors and principals to worry about more monitoring and scale back on tools with open communication and collaboration features. Instead, consider entrusting parents with their children’s password as a way to ease the burden from IT. For peace of mind and legal recourse, email archiving and indexing services are available. Commercial products like Gaggle can more proactively monitor and report on student communication with safety and education in mind.

We cannot let the monumental task of monitoring derail the legitimate need for our students to be active collaborators, creators, and communicators online. Whether it is by a software solution, or staff and parent supervision, the monitoring requirement of CIPA is achievable if we share the load.

Finding a Solution
A common criticism of filtering packages is that vendors don’t reveal their block lists or determination methods, allowing an outside entity to define your community standards. Schools do not need to abdicate local control, however, and should try and find a filter that meets basic CIPA compliance out of the box, but also has granular control so that the filter can reflect community standards.

Relying too heavily on the IT department to manage block lists often creates response time delays and will lead users to avoid using the school network or devices and resort to slower but unfiltered options such as smartphones or mobile hotspots. It is legal for filters to have teacher-created “safe zones” or for teachers to temporarily override the filter for students when a site is inadvertently blocked. This empowers teachers to provide just-in-time access to learning, as well as saves time and effort from the IT staff.

Beware of Overblocking

In an effort to guarantee CIPA compliance, some schools turn on all filtering categories. Overblocking, not underblocking, is what leads to legal challenges to your Internet Safety Policy, usually on First Amendment grounds. Be certain you understand what each filter category means and contains. While almost no content filter vendor could reasonably be expected to hand you their block lists, any worth considering should be comfortable discussing the general approach they employ, and the types of sites that will be filtered based on their sub categories. Filters have come a long way since the inception of CIPA, and it is fair that schools expect more nuance, control, and transparency from their solutions.

Particular attention should be paid to what some filters determine as “lifestyle” groups, which can block constitutionally protected information for some of our most at-risk students who are seeking legitimate information, support and community online. It is important to customize your “blocked” splash-screen to remove any implied stigma a student feels while attempting to access a blocked site. Give students options to request an override in a safe and anonymous fashion. Use the splash-screen as an opportunity to educate people about CIPA, and as a conversation starter--not a dead end.

The $20,000 Question: Will CIPA Require Home Filtering for 1:1 Programs?

The FCC recently ended the public comment period on this extremely thorny topic. School leaders must pay careful attention to the anticipated 2014 announcement of their ruling, as providing home filtering will present considerable financial and technical challenges. Making home filtering a success will require parent and student buy-in—otherwise they will opt-out, circumvent, or abandon the valuable tools the districts are providing them.

Yes, Federal e-rate money comes with strings and requirements attached, in the form of CIPA compliance. Yet when you break down the law into what is absolutely required of schools, the law can serve as a catalyst for some of our basic goals: namely, keeping our students safe when they are with us, and educating them to be responsible users of the open Internet when they are not within our walled gardens.

Andrew Wallace is the Director of Technology in the South Portland School Department in Portland, ME. Follow @andrewtwallace

Quick Facts: CIPA Requirements in a Nutshell

School Districts must:

• Use a “technology protection measure” to block images that are: child pornography, obscene, or harmful to minors.• Determine, with community input what content (visual or written) is inappropriate for minors.• Adopt an Internet safety policy that applies to both students and staff.• Teach students how interact on email, social networking sites, and in chat rooms.• Deliver instruction with a focus on cyberbullying.• Monitor in school use of the Internet.