What Do The Standards Say?

Several standards that schools must or should adhere to set technical requirements that can only be met if the filtering system can read unencrypted content:

Meeting Digital and Technology Standards in Schools and Colleges (DfE)

Under the section "Filtering systems should block harmful and inappropriate content without unreasonably impacting teaching and learning" (Technical requirements to meet the standard), the document states:

Your filtering systems should allow you to identify, as a minimum: ... the search term or content being blocked

Appropriate Filtering (UK Safer Internet Centre)

Under "Filtering system features", the document states:

Contextual Content Filters – in addition to URL or IP based filtering, Schools should understand the extent to which (http and https) content is dynamically analysed as it is streamed in real time to the user and blocked. This would include AI or user generated content, for example, being able to contextually analyse text and dynamically filter the content produced (for example ChatGPT). For schools’ strategy or policy that allows the use of AI or user generated content, understanding the technical limitations of the system, such as whether it supports real-time filtering, is important.

Deployment ...As technology and security standards evolve, relying solely on network-level filters may become increasingly challenging and less effective. Schools might consider combining network-level filtering with device-level configurations tailored to school-owned and managed devices.

Generative AI Systems

Your school policy on generative AI systems may require decryption, depending on which systems you use and what other monitoring tools you have in place. You must effectively and reliably prevent access to harmful and inappropriate content generated by Generative AI systems, as detailed in the following documents:

Does My Filtering System Support Decryption?

Most, if not all, school filtering systems will support content decryption, but it will not be enabled by default. This is because your IT team will have to do some setup work on your managed devices to enable it to work. This will usually mean installing or deploying the filtering system's root certificate, to ensure that the browsers on the devices trust the encrypted content they receive.

If TestFiltering is showing that you do not have decryption enabled, firstly ensure that:

  • You are using a school managed device
  • You are either:
    • testing from within the school network or:
    • have a filtering product that filters your device from anywhere
  • The device has been configured to enable the decryption feature

If you are not on a managed device, or are testing from outside the school network, your connection may not be using the school filtering system, and therefore will not support decryption.

If you are on a managed device and are not sure whether decryption is enabled, or it should be enabled but the test is failing, you should speak to your DSL, IT team, and filtering provider to see whether you have it enabled, and what steps you need to take to ensure it is switched on and working correctly.

The Importance of Decryption

Decryption ensures a safer and more secure online environment for students by:

  • Preventing access to inappropriate content: It allows the system to block specific pages or files that contain violence, pornography, or hate speech, even on sites that are generally considered safe
  • Providing more granular insights: When decryption is enabled, you will be able to log the URLs that your users are accessing, rather than just the domain name
  • Protecting against malware and phishing: It enables the system to scan for malicious code or phishing links hidden within encrypted traffic
  • Enforcing policy consistency: It ensures that filtering policies are applied uniformly across all websites, eliminating loopholes created by encryption

How Decryption Works

A school filtering system with decryption capabilities acts as a "man in the middle". When a school managed device tries to access an HTTPS website, the filtering system intercepts the connection and makes the request on behalf of the device, enabling it to decrypt the contents.

The system inspects the content for any policy violations (like prohibited URLs or keywords), and then re-encrypts the traffic using its own root certificate, before sending it on to the requesting device. If the content is safe, it is allowed to pass through; if not, it is blocked.

Normally a browser would reject the content, as it has not been signed by a "root certificate authority" (the browser has these root certificates pre-installed to check authenticity). However, the filtering system will have pre-installed its own root certificate on the school's devices, enabling the browser to trust the inserted certificate.
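
One way an IT team can confirm this behaviour from a managed device is to look at who issued the certificate the device actually receives. The following is an added example, not part of the original page or of any filtering product: the marker `Example School Filter` and both sample certificates are constructed, and the helper names are hypothetical.

```python
import socket
import ssl

# Assumption: a substring of the issuer name on your filter's root certificate.
FILTER_CA_MARKER = "Example School Filter"

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
PUBLIC_CERT = {"subject": ((("commonName", "www.example.org"),),),
               "issuer": ((("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA R1"),))}
FILTER_CERT = {"subject": ((("commonName", "www.example.org"),),),
               "issuer": ((("organizationName", "Example School Filter Ltd"),),
                          (("commonName", "Example School Filter Root CA"),))}


def issuer_names(cert):
    """Flatten the nested issuer tuples into a list of attribute values."""
    return [value for rdn in cert.get("issuer", ()) for _key, value in rdn]


def classify(cert, marker=FILTER_CA_MARKER):
    """'decrypted' if the filter issued the certificate, else 'not-decrypted'."""
    hit = any(marker.lower() in name.lower() for name in issuer_names(cert))
    return "decrypted" if hit else "not-decrypted"


def fetch_cert(host, port=443, timeout=5):
    """Handshake using this device's trust store and return the server certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check(host, fetch=fetch_cert, marker=FILTER_CA_MARKER):
    """Classify one host. An untrusted chain is reported separately: it is what
    a device sees when, for example, the filter's root has not been deployed."""
    try:
        return classify(fetch(host), marker)
    except ssl.SSLCertVerificationError:
        return "untrusted-certificate"


if __name__ == "__main__":
    for label, cert in (("public", PUBLIC_CERT), ("filter", FILTER_CERT)):
        print(label, classify(cert))
```

Python's trust store is not always the same one the browser uses, so treat an `untrusted-certificate` result as a prompt to check the certificate deployment rather than as proof that the browser would also reject the site.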

The Problem with Encrypted Traffic

Most modern websites use HTTPS (Hypertext Transfer Protocol Secure) to encrypt the data exchanged between the user's browser and the website's server. This is a vital security feature that protects sensitive information like passwords and credit card numbers from being intercepted.

However, this same encryption also makes it difficult for a standard filtering system to see what content is being accessed. Without decryption, a filter can only see the domain name (e.g., youtube.com) but not the specific content (e.g., an inappropriate video). This "blind spot" could allow students to bypass school filters and access harmful content, without the school having the ability to detect and filter it.

Decryption is a crucial feature of a school filtering system because it allows the system to inspect encrypted web traffic (HTTPS) for potentially harmful or inappropriate content that would otherwise be hidden.

Decryption in School Filtering