Internet Filtering

Internet Filtering hedgesst

opendns-cisco-lock-up.pngThe OPLIN Board has negotiated a contract with Umbrella by OpenDNS to set up a statewide Internet content filtering system that will be available to all public libraries. OPLIN is charged by the Ohio Legislature "...to help local libraries use filters to screen out obscene and illegal internet materials." For many years, OPLIN fulfilled this requirement by distributing individual grants to libraries, but the earmarked funds were never enough to provide assistance to more than about 40-50 library systems. Clearly, a "central" filtering system available to all libraries would be better.

After several unsuccessful tests over the years, OPLIN finally identified Umbrella as a filtering solution which can effectively provide content filtering for all Ohio public libraries, while still allowing each library to have complete control over how, or if, the filter is to be used in their library system.

How it works

OPLIN purchases licenses to Umbrella for all Ohio public libraries. This provides libraries with free usage of Umbrella's web filtering capabilities, which each library can easily manage and customize by using a relatively simple interface. Ohio public libraries of all sizes have been able to adapt Umbrella to their individual needs. Just contact http://support.oplin.org to request access to your Umbrella license.

Service objectives:

  • Incident Response: OPLIN staff will respond within one hour to malfunctions of the Internet filtering during regular business hours Monday through Friday from 8:00 a.m. to 5:00 p.m., excluding State of Ohio holidays. Contact us through the OPLIN Support site.
  • Incident Resolution: OPLIN staff will attempt to resolve every Internet filtering malfunction within 4 business hours of Incident Response.

More technical information:

Rather than filtering content using a proxy based or span port appliance, Umbrella is a filtered Domain Name Server (DNS) service. You set up an account and associate IP address blocks with said account, and then you can control what types of content you want your users to see much like a traditional content filter. For any request to access a website that falls outside what you deem appropriate, Umbrella returns the IP of one of their block servers, instead of the IP for the real web server. The block can be bypassed on a per session basis by inputing a ticket code you create in the web admin interface. This ticket creates a cookie in the user's browser, which the block server detects and proxies the user to the content. Unless a ticket code is in use, the user is never proxied, so there is no worry of interfering with IP authenticated resources. There are also quite a few other options for how you can specify which machines are held to which rules.

In addition, since Umbrella does not have to handle the actual traffic after the initial DNS request, you do not have to worry about bottlenecks like you would with an appliance. 

If you have questions about our free, statewide filtering, please contact http://support.oplin.org.

See our Steps for obtaining an OPLIN-paid Umbrella account document for more information.

CIPA Requirements

CIPA Requirements hedgesst

Public Library Requirements for Complying with CIPA

Disclaimer

This document is presented for information purposes only. Libraries should consult their own legal counsel for an analysis of any specific policy.

Summary

The American Library Association (ALA) provides a lot of background information about the Children's Internet Protection Act (CIPA) and the Neighborhood Internet Protection Act (NCIPA), which taken together are commonly referred to as "CIPA." (NCIPA is a subtitle of CIPA; NCIPA only affects E-rate applicants.) CIPA requires public libraries to install Internet filtering software on all Internet computers (public and staff) if the library receives federal money from Library Services & Technology Act grants (LSTA) to purchase computers that will access the Internet, or receives federal E-rate (Universal Services) discounts for anything other than services classified as telecommunications.

Brief History

Both CIPA and NCIPA were included in a large federal appropriations bill that passed Congress in December 2000. In March 2001, the ALA, the American Civil Liberties Union (ACLU) and several other groups filed suit to prevent the enforcement of CIPA's filtering requirement in public libraries. This litigation eventually made its way to the U.S. Supreme Court, which upheld CIPA in June 2003.

When must a public library comply with CIPA?

If the library:

  • receives E-rate discounts for any item or service classified as Internal Connections or Internet Access; or
  • receives LSTA funds to purchase any computers that will access the Internet, or Internet access (i.e. pay an Internet Service Provider);

then the library must be CIPA-compliant.

A library does NOT have to be CIPA-compliant to receive E-rate discounts on the Data Transmission services only, or to receive LSTA money for any other purpose than buying Internet access or computers that will access the Internet.

How to comply

There are three requirements that must be met.

Requirement #1: Use a technology protection measure

"Technology protection measure" means a filter on the Internet that blocks visual depictions that are obscene, child pornography, or harmful to minors (defined as any person less than 17 years of age). The filter need not affect text or audio, whatever the content. "Obscene" and "child pornography" have rather vague definitions in U.S. obscenity law. The CIPA legislation defines "harmful to minors" as nudity and sex without literary, artistic, political, or scientific value. See the Ohio Library Council's CIPA FAQ [pdf] for the complete definition.

You must be able to turn off the filter at the request of an adult "without significant delay."

Possible filter configuration:

If you are using the OpenDNS Web Content Filtering available free from OPLIN, the easiest way to meet this requirement is to select content filtering level "Low," which filters websites in the categories Pornography, Tasteless, Sexuality, and Proxy/Anonymizer (to prevent bypassing the filter). The descriptions of these categories can be found at https://community.opendns.com/domaintagging/categories. If you want to select your own filtering categories, rather than using the pre-selected categories in the Low level, the Tasteless category is probably not necessary for CIPA compliance.

Note that OpenDNS also has a Nudity category that is not selected in the Low level. CIPA requires blocking images that "appeal to a prurient interest in nudity," and OpenDNS almost always tags websites in the Pornography category with a Nudity tag, too. Websites that only have a Nudity tag and no Pornography tag likely have artistic or scientific value and are not intended to be prurient.

Proving that you have a filter:

E-rate's Program Integrity Assurance (PIA) process for reviewing applications sometimes requests proof that a library has a filter. A screenshot of a filtering log or a purchase order should be sufficient. If you are using the free OPLIN OpenDNS filtering, then the email from OPLIN confirming the establishment of your account would take the place of a purchase order.

Requirement #2: Adopt an Internet Safety Policy

The library must adopt and enforce an Internet Safety Policy that includes the use of a technology protection measure. If the library is applying for E-rate discounts, the policy must address the following items:

  • access by minors to inappropriate matter on the Internet and the Web;
  • the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
  • unauthorized access and other unlawful activities by minors online;
  • unauthorized disclosure, use, and dissemination of personal identification information regarding minors; and
  • measures designed to restrict minors' access to materials harmful to minors.

Note that the Ohio Revised Code (3375.64-C) already requires that libraries receiving OPLIN Internet connections "…establish and enforce procedures designed to keep juveniles who use the participant's services from having access to materials or performances that may be obscene or harmful to juveniles and to keep persons who are not juveniles and who use the participant's services from having access to materials or performances that may be obscene." The OPLIN office has copies of such policies on file from every Ohio public library.

Requirement #3: Hold a public hearing

The Internet Safety Policy must be adopted after a public hearing, or as the CIPA language says, libraries "shall provide reasonable public notice and hold at least one public hearing or meeting to address the proposed Internet safety policy." [Title 47, §254(h)(6)] The regularly scheduled library board of trustees meeting may be used as the required public meeting, assuming the agenda is made public before the meeting and the meeting allows for public comments.

Declaring CIPA compliance

Libraries must certify their CIPA compliance, and there are several ways to do this. Libraries with OPLIN Internet connections are required to send OPLIN an E-rate Form 479 each year that declares whether or not the library is CIPA-compliant. No additional certification is necessary, but if a library is applying for E-rate discounts, the filing of a Form 486 also confirms CIPA compliance.

Steps for obtaining an OPLIN-paid Umbrella account

Steps for obtaining an OPLIN-paid Umbrella account hedgesst

Cisco Umbrella first steps

Note: Cisco Umbrella is the new name and branding of Umbrella by OpenDNS

1. Send an email to support@oplin.ohio.gov stating that you would like to participate, along with the contact information for the person to whom we should email the account login details.
2. The contact's account will be set to an administrator level for your library account. This user will have the ability to send out additional invitations to other staff members, and also elevate them to administrator status.
3. From now on, your library is in complete control of your account. To get started, see Cisco Umbrella's Getting Started Guide.

You will want to use the Umbrella name servers on your network. The IPs for those servers are 208.67.222.222 and 208.67.220.220. If you want to test out the service before making it live on the entire network, you can always change the DNS servers on just your workstation to those two IPs and verify the filtering is working as you want it to. If you're ready to make filtering live, the place to use those two IPs will vary depending on how your network is currently configured.

  • If you statically define every workstation with its DNS settings (ex. the state DNS servers at 156.63.130.100) then you would need to change every workstation to use these two new IPs.
  • If your workstations point to a local device for DNS (ex. a firewall/router/ActiveDirectory server) then the place you would use the two OpenDNS IPs would be in the forwarders settings of that device. Changing the IPs on a top level device like this will make filtering live for every workstation pointing to said device.

 Questions? Please ask at http://support.oplin.org.