Monitoring Web Searches to Prevent Radicalisation and Extremism

Fastvue Reporter is used in hundreds of schools and educational institutions throughout world, and a popular use case, especially in the United Kingdom, is to monitor Internet searches and web activity to help identify students that may be at risk of radicalization and extremism, violence or abuse, and other online safety issues.

We've seen a dramatic increase in this use case after The Prevent Duty legislation was published in July 2015, and again with the September 2016 changes to the Keeping Children Safe in Education (KCSiE) policies.

The September 2016 changes include a new paragraph highlighting the need for appropriate filters and monitoring systems to be put in place. They also strengthened the wording from 'should consider' to 'should ensure':

"Governing bodies and proprietors should be doing all that they reasonably can to limit children’s exposure to the above risks from the school or college’s IT system. As part of this process, governing bodies and proprietors should ensure their school or college has appropriate filters and monitoring systems in place."

If you are not receiving clear, timely alerts when a student's online behaviour steps into 'at risk' territory, then you are not doing 'all you reasonably can' to safeguard students. Furthermore, if you only have one person receiving alerts and reports, they can quickly become 'alert blind' and fail to follow up potential issues.

Fortunately, Fastvue Reporter makes sense of the web traffic flowing through your firewall (no need to install local agents on student devices), and can distribute alerts and reports to the right people such as teachers, principals, student counselors when specific search terms are used, or websites accessed.

Alerting On Search Terms

Below is a Fastvue alert email that has been sent to year 10 teachers identifying a student at risk of extremism and radicalization:

To receive these alerts, there are just three steps to follow.

1. Enable HTTPS Inspection (DPI SSL)

First of all, you'll need to enable HTTPS inspection on your firewall. Why? The world's most used search engine, google.com, strictly enforces HTTPS for all searches. This means your firewall knows there is traffic to https://www.google.com, but not what the full URLs or search terms are (e.g. https://www.google.com/?q=**My+Search+Term**).

Fortunately, most modern firewalls and UTMs include HTTPS Inspection as part of their feature set. SonicWALL calls this DPI SSL (Deep Packet Inspection of SSL traffic). When you enable this feature, the full URL including the search term will be logged and sent to Fastvue Reporter.

Note: DPI SSL / HTTPS Inspection requires some deployment effort due to certificates and client trust issues. Apply it to a sub-set of your network, and test the end user experience across all critical applications and devices before doing a full roll out. One common issue is that Chrome and Android devices may not function correctly unless these domains are excluded from HTTPS inspection.

2. Create an Alert for Extremist Searches

Fastvue Reporter now ships with this Alert by default. The steps below will take you through the process of creating such an alert, and can be applied to creating similar alerts on other search topics.

Coming up with an effective list of keywords is a difficult and time consuming task. So to make things easier, we have included a list of keywords, along with another list of 'exclude' keywords below.

To create your alert:

1. In Fastvue Reporter, go to Settings | Alerts

2. Click New Alert, name the alert Extremist Searches and click OK

   

3. In the Alert Criteria section, select: Category 'Equal to' Search Engines and Portals AND Search Term 'Contains'

[Paste in keywords from this text file] AND Search Term 'Does not contain' [

• In the Alert Properties section, leave the defaults (Name = Extremist Searches, Alert key = User, Priority = High)

  

•  In the Alert Evidence section, ensure the User, Search Term, and Origin Domain fields are set as columns along with any other columns you would like to see such as Source IP, Department etc.

  

• In the Alert Notification section, enter the email addresses of the people or distribution lists that should receive these alerts via email.

  Tip: To avoid the 'Alert Blindness' issue mentioned previously where a single person receives all alerts, it is a good idea to add a department filter to the criteria section in the alert, and email the alerts to person responsible for that department. You can then duplicate the alert (using the Duplicate button in the header for each alert) and change the department and email addresses for each one.

• Click Save Alert

• Click the toggle switch to enable the alert.

  

Test Your Alert

Now that you've added your alert, head to your favourite search engine (if you don't have HTTPS Inspection applied yet, use a search engine that works over http such as bing.com), and search for one of the keywords such as 'isis' or 'explosive'.

Go to the Alerts tab in Fastvue Reporter and you should see the resulting alert.

Reporting on Extremist Search Terms

Sending real-time alerts when extremist searches occur is a great first step, however it's important to note that alerts are purged after 48 hours. If you need to retrieve information about extremist searches prior to the last 48 hours, you will need to run a report.

User Overview Reports contain a 'Search Terms' section at the bottom of the 'Productivity' section of the report. However this shows all searches made by a specific user, and you probably don't want to open hundreds of user reports to investigate whether any extremist searches were made.

Fortunately, you can run an Activity Report that lists all 'extremist searches' made by anyone on your network, along with the username.

To do this:

1. Go to Reports and click Activity Report
2. Create the same filter you used in the alert Category 'Equal to' Search Engines and Portals AND Search Term 'Contains' [Paste in keywords from this text file] AND Search Term 'Does not contain' [Paste in keywords from this text file] Tip: it is a good idea to click the Save Filter button (next to the Add Filter button) and save the filter as 'Extremist Searches'. That way, whenever you need to run this report in the future, you can simply select the Load Filter button (next to Save Filter) and select the 'Extremist Searches' filter.
3. Select your date range and click Run Report, or Schedule Report to run it automatically every day, week or month. Scheduling also gives you the option to rename the report.

Keeping Children Safe in Education (KCSiE) - Appropriate Monitoring Requirements

The KCSiE policies outline a number of requirements to help define what is considered 'Appropriate' monitoring for schools.

• HTTPS can certainly limit what can be identified in your log data, and therefore in Fastvue Reporter. Ensure you have HTTPS Inspection (DPI SSL) enabled.
• SonicWALL does not log referrer URLs, so it is difficult to map a 'background' site such as an image served via a CDN or advertising server to the 'real site' a user was visiting. We've been informed that this will be addressed in a firmware release in early 2017.

|

Further Information

More information on Appropriate Monitoring for Schools can be found via the resources below:

• Statutory guidance for Keeping children safe in education (www.gov.uk)
• Appropriate Monitoring for Schools - May 2016 (www.saferinternet.org.uk)
• Why is safeguarding important in schools? (Know your responsibilities) (www.onlinedbschecks.co.uk)

We hope this information helps you in your endeavours to keep children safe online, and adhere to government policies in your school. If you have any questions or issues, please leave a comment below.

To find out how Fastvue Reporter third-party monitoring solutions are helping schools worldwide, visit Safeguarding Students.