As information security professionals, we’re often asked about how to best protect children online. I’ve got four of my own, and discussions about what is or isn’t appropriate, are nearly endless. Because let’s be honest, the Internet can be a scary place with a lot of scary people. But it’s also a wondrous, nearly magical place with a lot of awesome people. Walking that tightrope between valuable experience and neglectful exposure is not for the weak of heart, but it is our jobs as parents.
My goal isn’t to protect my kids forever, but to teach them how to protect themselves; to learn how to survive independently. That, however, is a gradual process. In the beginning they need stricter controls and more guidance. As they grow we can allow them more freedom and responsibility to make wise choices.
In the real world we’re instinctively more cautious with our kids. For example when they’re using a power tool for the first time, or driving, or visiting a theme park, we recognize danger and exercise caution. We teach them about dangerous signs and potential mistakes. We have slogans like “Stranger Danger” and “Just Say No” to help guide them. But online the signs are less clear and mistakes are sometimes harder to avoid. On top of that, technology is complex and always changing. It’s hard to keep up.
To better understand how to protect kids, it’s helpful to separate potential threats into two separate categories. The first type of danger is from targeted attackers like stalkers, pedophiles, traffickers, bullies, etc. These are intentional “bad people” that seek out our kids to do harm. As parents, part of our job is to protect our kids from these scoundrels when they’re too young to do it themselves. But the second half of our job is to begin preparing them for the day that they will need to defend themselves.
The second category of threats is from unintended exposure to materials that the kids aren’t ready to experience. This includes things like pornography, profanity, violence, and other forms of vulgarity. It’s important to note with this latter category that oftentimes our children themselves may actually be seeking it out, whether through curiosity or malicious intent. Nothing gets a kid more interested in something than a boundary that he’s not supposed to cross. But we have to be intentional and careful to draw age appropriate lines for what is acceptable and what’s not.
Behavioral vs Technical Controls
Ultimately, protecting kids from any kind of threat is a balance between behavioral and technical security controls. As infants, a completely technical solution is simple. But as they get older and begin to use our phones and tablets, we have to introduce more behavioral controls. This includes things like time limits and clear family rules with well-communicated consequences. Of course technical controls are still very useful. Things like content filtering, app age restrictions, and monitoring tools help enforce the rules.
Over time, this balance begins to shift from mostly technical to mostly behavioral. If we’re successful, by the time our kids are teenagers, we should be able to lean on their responsibility and experience more than on the technical controls. But the technical controls never completely go away. There’s value, even for adults, in being protected from some of the filth in the Internet sewer lines.
Communication is the Key
To make this shift successful, we parents have to engage our kids. Regular communication is the only way to know what issues they are experiencing and how we can help them handle it. It’s the only way to know whether they are making wise, responsible decisions, or flirting foolishly with danger. Because if we’re honest, our kids are smarter than us, maybe not individually, but definitely collectively. With enough time they’re going to find ways to bypass any technical roadblock we put up. Our job is to be interacting with them regularly enough to recognize what’s happening before it becomes a problem.
Here are a few suggestions for Mom & Dad.
- Set clear expectations with clear consequences (and enforce them!).
- Set reasonable restrictions on usage. This includes how much time per day and where devices can be used. For example: No devices at the dinner table or after lights-out.
- Talk regularly about what apps they use and how they use them.
- Ask who their “friends” are on various social networks.
- Discuss what kinds of information is appropriate to share with different types of people.
- Don’t shy away from hard topics (bullies, sexting, porn, etc).
- Remember that they will likely have friends with no rules or restrictions, so explain why you have rules.
- Be approachable.
- Trust, but verify. Set a rule that parents get to audit all connected devices at will.
And here are a few things to talk about with your kids. These will vary based on the age and maturity of the child, but the goal is to develop critical thinking skills.
- Never give out your location online.
- Don’t assume people are who they say they are.
- Understand how much information you’re sharing.
- Don’t take pictures you don’t want everyone to see.
- Anything that’s posted on the Internet will stay on the Internet.
- Nothing online is truly anonymous. You can be tracked.
- Don’t assume apps will do what they say.
- Be respectful of everyone. (The Golden Rule doesn’t end at your keyboard)
- Be VERY skeptical of anyone wanting to meet in person, and never go alone.
There are also a number of good technical controls to consider. Both Android and iOS have built-in child restrictions, but they must be enabled. For younger children, it’s a good idea to configure the devices to require passcodes to install applications. This gives the parents a chance to review all apps first. Content filtering is also a great tool for all ages. Popular commercial tools like K9 Web Protection, CovenantEyes, and OpenDNS FamilyShield help prevent accidental access to objectionable material.
Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, on Twitter @sweaney, or visit the Secure Ideas – ProfessionallyEvil site for services provided.