What To Do When Your AUP Stands for Actually Unenforceable Policy — 7 Tips From the Trenches
On any given day, someone is likely abusing your acceptable use policy (AUP). The infractions can range from inadvertent to illegal. Copyrighted music is being downloaded and stored on school servers, and eBay auctions are being monitored throughout the day. Much worse, a person on the network is seeking information on how to commit suicide, a man is soliciting a conversation with a female student, pornographic content is being sought out and viewed, or death threats are being issued.
The question is, with the large, diverse and fluid set of users that come with a school's network territory, do you have the time, tools, and appropriate staff to enforce your AUP?
If you don't have monitoring software, it is still possible, when a situation arises, to cobble together event logs and map IP addresses to workstations and workstations to people. Ted McDaniel, director of technology for Firebaugh-Las Deltas Unified School District, vividly recalls such an instance.
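An added example (not from the original article or from any vendor's product) of the manual trace described above: it matches an outside report against a proxy log and then a DHCP lease log to get from IP address to workstation, normalizing time zones because the reporter and the district's logs may use different local clocks. The log formats, addresses, hostnames and fixed UTC offsets are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed fixed standard-time offsets; use zoneinfo region names in practice for DST.
EASTERN = timezone(timedelta(hours=-5))
PACIFIC = timezone(timedelta(hours=-8))
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed proxy log: local (Pacific) time, internal client IP, requested URL.
PROXY_LOG = """\
2005-02-14 10:41:07 10.20.3.15 http://search.example/?q=weather
2005-02-14 10:42:31 10.20.7.44 http://search.example/?q=flagged+query
2005-02-14 13:42:30 10.20.9.12 http://search.example/?q=flagged+query
"""
# Constructed DHCP leases: IP, workstation, lease start and end (Pacific local time).
DHCP_LEASES = """\
10.20.7.44 ROOM12-PC03 2005-02-14 08:00:00 2005-02-14 16:00:00
10.20.9.12 LIB-PC01 2005-02-14 08:00:00 2005-02-14 16:00:00
"""

def parse_local(text, tz):
    """Parse a zone-less log timestamp and attach the zone it was recorded in."""
    return datetime.strptime(text, FMT).replace(tzinfo=tz)

def find_requests(report_time, report_tz, needle, window_s=120):
    """Return (utc_time, internal_ip) for proxy entries near the reported time."""
    target = parse_local(report_time, report_tz)
    hits = []
    for line in PROXY_LOG.splitlines():
        date, clock, ip, url = line.split(" ", 3)
        seen = parse_local(f"{date} {clock}", PACIFIC)
        if needle in url and abs((seen - target).total_seconds()) <= window_s:
            hits.append((seen.astimezone(timezone.utc), ip))
    return hits

def workstation_for(ip, when):
    """Return the workstation holding the lease for ip at that moment, or None."""
    for line in DHCP_LEASES.splitlines():
        lease_ip, host, d1, t1, d2, t2 = line.split()
        start = parse_local(f"{d1} {t1}", PACIFIC)
        end = parse_local(f"{d2} {t2}", PACIFIC)
        if lease_ip == ip and start <= when <= end:
            return host
    return None

def trace(report_time, report_tz, needle):
    """Map an outside report to (internal_ip, workstation) pairs."""
    hits = find_requests(report_time, report_tz, needle)
    return [(ip, workstation_for(ip, when)) for when, ip in hits]
```

Interpreting the reporter's timestamp in the wrong zone still returns a plausible workstation, just the wrong one, so record each log's time zone before correlating.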
The day the police showed up
"One day a police officer walked into my office with a fax from another county's district attorney and asked me to explain it," McDaniel remembers. "Someone on the East Coast looking at their Web server access log had noticed a link came from a search query 'how to kill someone.'" Turns out the concerned East Coast Webmaster had queried WHOIS to track down the source. Eventually the source address was traced back to Firebaugh-Las Deltas, where it served as the public address of the district's Web content proxy. "We had been using a proxy server for content filtering and the reports were quite simplified," says McDaniel. "I had no way of seeing what traffic was actually on the network. The only way I could trace it on the inside was to call the content filter support staff and have them run a query based on the time of the search string." It took two hours of looking through 40 pages of data to come up with the internal IP address that was used, which turned out to be a classroom computer. Once the east/west time difference had been accounted for, the student was finally identified and the issue resolved. McDaniel adds, "That whole situation really made it clear just how little we knew or could do with our existing system."
Proactive vs. reactive monitoring
OK, so it's one thing to be able to react to situations; it's another to proactively collect, document and analyze digital evidence to protect our students and districts from those within who would repeatedly access inappropriate content. How will it be accomplished, how fast can you deliver usable information, and who is responsible: IT staff, human resources, school principals, district superintendents, or some combination?
First, get some monitoring software installed to find out what's running on your network. Technology Director Lee Sleeper, at Bullard Independent School District in Texas, used Lightspeed Systems' Total Traffic Control and identified significant non-educational Internet usage. He shared the reports with the district's principals who, in turn, held a series of meetings with school staff to discuss district Internet-use policies. Sleeper then held meetings with students to discuss the reports and the acceptable use policy that they and their parents had signed with the district.
"We had to reduce bandwidth usage and refocus student and faculty on the proper use of the Internet in an educational environment," said Sleeper. "Very precise reports gave us the tools to do that in a way that left no room for debate." McDaniel also installed software to monitor his district's approximately 1,000 computers across six different schools. "Once the network traffic was being recorded, I was able to see who and where the users and abusers were on the network," McDaniel reports. "I began to see the users that chiseled away at our bandwidth by using the computer as their personal radio device. Then along came Napster, Kazaa, and iTunes users and some curious file sharing within our network.
"I waited about a month to get a good record of what was 'normal' network activity to support my purchase decision to the school board. They were somewhat surprised at the number of staff who spent class time shopping and chatting on the net. Then I began to reconfigure the setup to limit those abusers." With the final setup complete, McDaniel had to change how and to whom reports would be issued. Since the content of the reports could mean dismissal of an employee, it was decided that only the director of technology and the superintendent would see these reports. McDaniel says, "This also meant we had to come up with procedures for reporting inappropriate activities and a letter of reprimand just in case one would be necessary."
In addition, principals held special staff meetings to reinforce to employees that the computers and the network are owned by the district and the contents therein also belong to the district. Past legal opinions have supported this position. Each employee was given an updated AUP and asked to sign it. It was explained, too, that monitoring was for their protection. If a student claims they saw bad stuff on the teacher's computer, McDaniel's staff could provide evidence to prove it one way or the other.
Recommendations from the trenches
Folks like McDaniel and Sleeper, who have done hard time digging up digital evidence, do have some practical recommendations.
- Select monitoring software with easy-to-read reports.
Your monitoring software will need to generate reports that are easy enough to be used and understood by non-technical district employees and law enforcement. Ideally, these non-IT individuals can be assigned administrative rights to directly access what they need.
- Get before and after snapshot reports.
Keep a snapshot of district reports before you change anything. Then take another snapshot after using a content filter like Total Traffic Control to block search results for inappropriate keywords and phrases, force Google and Yahoo! SafeSearch, block P2P, etc. Then you can have confidence that your network is being used appropriately and can prove that it's being used for educational purposes.
- Consider letting HR be the content cop.
Schedule suspicious-traffic reports to be sent to specific people in Human Resources (HR) each day. Reviewing these reports will take less than 15 minutes—and helps determine who or what to monitor more closely including an individual, computer, email address, or IP address. Ideally, this additional monitoring can be initiated directly by the HR staff. Lightspeed Systems supports such a scenario with its HR Reports function where HR can create a full report, without further assistance from IT, based on discoveries in the suspicious-traffic reports. The HR Report will deliver search engine queries, instant messaging, domains visited (URLs), and emails sent and received.
- Watch specific reports.
One good report to watch will show spikes in bandwidth, which are indicators of large downloads. A report showing suspicious search-engine queries (e.g., "naked boy" or "naked girl") will easily detect anyone persistently searching for inappropriate content. Also, watch weekend network traffic reports, when staff members may have hours of private Internet time at their disposal.
- Be patient to accumulate enough data.
Wait for a substantial number of occurrences before putting on your "forensics hat" and becoming invasive. This way there's no chance that the content arrived as an "accident" on a user's desktop.
McDaniel says, "I run several reports on a weekly basis to look for patterns of behavior. What is of concern is a person who actively seeks adult sites or pornography. Those who appear to be searching for or attempting to access inappropriate sites are placed on a watch list and reports are then generated daily. These reports are kept and reviewed as additional data is collected. If it is determined that policy has been violated, the superintendent would meet with the staff member and issue the letter of reprimand or file a police report if charges are sufficient."
- Preserve reports.
Export reports to PDF for easy preservation and presentation.
- Present a contrast.
Give a picture of the network activity for the district as a whole and contrast that to an individual user's activity to show how far out of the norm it is.
Whether you, another department or some combination of departments will be the content cop, these best practices will make the task cleaner and easier. Enforcing an AUP can appear to be a thankless task – but occasionally – it proves to be a really, really important undertaking.