Trusting, but verifying, your teenager’s use of the Internet

Parents nowadays face tough questions about whether to monitor or (try to) control their kids’ use of the Internet, and if so, how. Although my personal opinion is that trying to restrict access is a losing battle, I understand why the idea is appealing. You’d like your kids to have some maturity and some perspective under their belts before encountering some of what the Internet so readily brings to their attention. When my kids were younger, the Internet was younger too. I guess if they were still that young I’d be wishing I could create a sandbox for them, even though I don’t think you can. But they’re teenagers now, and they have their own computers. For two reasons, activating the parental controls on those computers isn’t the strategy I want to pursue.

The first reason is that I don’t think filtering the Internet is feasible. Even if we could agree on a definition of what may be harmful, which we never could, people will find ways to route around censorship. Meanwhile we’ll inevitably censor things we never meant to — like, for example, my InfoWorld blog.

The second reason is that I don’t want to incent my kids to route around controls I might try to impose. Nor do I want to force them to go elsewhere to experience an uncensored Internet. The reality of the Internet, like the reality of the world, is something they’ll be dealing with for the rest of their lives. I’d rather they engage with that reality at home where I can more easily keep track of their activities.

If you want to be able to monitor without imposing explicit controls — in other words, trust but verify — then it’s worth knowing about the feature of Windows Vista that supports that preference. It’s in Control Panel -> User Accounts and Family Safety -> Parental Controls. There are two On/Off choices. The first, Parental Controls, enforces any of the controls you elsewhere define. These include restrictions about which websites are accessible, when the computer may be used, and which games or other programs may be used.

My strategy is to leave Parental Controls off, but switch on the second On/Off choice: Activity Reporting. That produces a detailed report about which websites were visited, which applications were used when, which games were played, messages sent/received and contacts added (if the kids use Outlook and Windows Messenger, which mine don’t), and more.

The crucial item here, for me, is websites visited. That’s recently become an issue that I want to keep an eye on. With this setup I can, in a way that’s browser-independent, persistent across flushes of the browser cache, and very unlikely to be disabled.

Windows XP and Mac OS X don’t offer the same capability out of the box, but there are of course lots of third-party add-ons. Not ever having tried them myself, I’d be interested to hear how effectively they can be used to implement a “trust but verify” policy. And more generally, I’d be interested to hear about how other parents of teenagers are dealing with the difficult tradeoffs involved in this thorny issue.


16 thoughts on “Trusting, but verifying, your teenager’s use of the Internet”

  1. Jon

    We’re trying to educate our children, but I think they’re a little young for me to explain in detail about:

    1. Ugly stuff (pornography, violence)
    2. Lurkers (in chat rooms)
    3. Viruses of various forms.

    Currently we restrict internet access unless an adult is present, but later we want to free them up some, and still be able to verify what’s happened. That needs us to check the lists later, which might eventually become a large effort.

    I think we’ll probably go with a dedicated computer that has white lists for sites we don’t mind about. And we’ll provide a reasonable policy for adding to the white list.

    I don’t want to shield them from the world. I just want them to be prepared BEFORE they are exposed to things they may not know what to do with.

    My biggest nightmare? That they click on some site that brings in a payload that cracks all the computers in the house and exposes all sorts of private data. I see this as a much bigger danger than the first two things I listed above.

  2. “That needs us to check the lists later, which might eventually become a large effort.”

    Maybe, maybe not. A hard question is whether kids should know there /are/ such lists. If they do know, you might need to check less. Of course that might only have the effect of moving activities that you’d want to monitor to places where you can’t.

    “I don’t want to shield them from the world. I just want them to be prepared BEFORE they are exposed to things they may not know what to do with.”

    Agreed. When mine were little it was less of an issue. They didn’t have their own computers, and in 1997, when they were five and eight, things seemed (but maybe only seemed) a bit more manageable. If mine were those ages now I’d be thinking along the same lines as you, as daunting as the notion of whitelisting the Internet seems, and indeed is.

    “My biggest nightmare? That they click on some site that brings in a payload that cracks all the computers in the house and exposes all sorts of private data.”

    As far as that goes, I’d say that kids are never too young to learn to be wary of strangers. And that a shields-up stance — no elevated privileges, aggressive firewalling both inbound and outbound — should protect both kids and adults from the effects of unwariness.

  3. The geek solution would be to set up a transproxying squid installation on your router. Given how many routers run (or can run) openwrt, it’s not that much of a stretch. Since logs are all you want, you’d probably turn off caching unless you hooked up a cache drive via USB.

  4. “The geek solution would be to set up a transproxying squid installation on your router.”

    True. Although the definition of “home” is stretchy here in the case of a kid with a laptop who accesses the Net from elsewhere.

  5. Our solution (young children 3, 8 and 10) so far is to limit their internet access to a computer in the kitchen. This is a busy room with a good deal of over the shoulder supervision. I also have them browsing on a limited access account on an OS-X box to minimize spy ware and the like.

    On a couple of occasions my son (10) has googled and got more than he expected (but nothing too scary either — we do have Google safe search on), but I try and use that as an opportunity for conversation.

  6. Jon,

    (I’m not a parent, and a couple of years ago, I’d qualify as a teenager, so this reply tries to put another perspective)

    I’d argue that there is no such thing as “trust but verify” — you either trust or verify. My mother always said: “Trust is the thing you work very hard to gain, and lose very easy”. Make sure your kids learn that. And if you trust them, trust them; if you don’t, then don’t, but make sure they know either way.

    And the systems for “verifying” are as unpleasant as systems for control (and just as circumventable: you can always use linux on a usb drive, or a live cd).

    Also you can very easily jump to wrong conclusions by watching the list of web pages someone visited. Hyperlinks work in mysterious ways — you never know where they might take you. And ever since browsers implemented multiple tabs, you can never truly tell how much did someone look at the site, and no reporting tool can tell you what were they *thinking* while they were on that site.

    That very thing, you’ll need to find out yourself. By talking to your kids. A lot.

  7. “That very thing, you’ll need to find out yourself. By talking to your kids. A lot.”

    We do. Quite a lot.

    Also, like many of our friends, we’ve always applied the rule that when kids go visiting, we know where they are and with whom, and parents on both ends of the deal have communicated and are in agreement on the matter. Semantics are always tricky, but arguably that’s more like a system for verifying than a system for control.

    Strangely, it seems this discussion leads to the question whether websites kids visit are more like books they read (no monitoring being the best policy, at least by some standards), or more like places they visit (monitoring is the norm, and is acceptable if only for safety reasons).

    Jon is working from the places metaphor (see comment 8), while Petar is thinking about reading and related activities.

    As we have known for many years both metaphors are applicable to (some elements of) cyberspace. And yet, how to apply this insight to monitoring, blacklisting etc. is still a question.

  9. Jon:
    I’m still working on whitelisting my 11 yr old’s gmail, but they haven’t made it very easy for a more typical user like me.

  10. Jon, We use a Linksys wrt54gs with built-in parental controls. It’s an OEM version of netopia with no client-side software. I love this because it applies to every computer on my network (including mine). It comes with pre-defined age appropriate filters and includes approved hours and control over IM & e-mail. We’ve used it for 3 years. For the most part it has worked well. My kids are tech-savvy, but mostly lazy (and I’m not).

    It has led to some good conversations. Dad I can’t get to this site, it’s a music group I like. Well, why do you think it is rated as an adult site? Well, some of their lyrics are bad. Well, let’s look at it.

    I’m a believer that kids need to be protected, not just monitored. On today’s internet, it is too easy for kids to go to an unintended site that can show some really foul stuff. That may be fine for older children, but for younger children, I want to protect them.


  11. Jon,

    My kids have had some level of access to the internet for over 10 years, and these issues are some that we’ve given considerable thought to. Our kids now range from a 1st-grader to a high school senior. We’ve concluded that the following are a good set of principles/rules:

    1) There is no assumption of privacy for anybody using our internet connection. Everybody knows that anything we do on the computers may be seen, monitored or logged by somebody else.

    2) Computers with internet access are only used in public parts of our house.

    3) We run software that shuts down a computer’s access to the internet by default. A password is required to enable access. Parents hold that password. Logging out, powering down, or not using it for a while will disable the access again.

    3a) Internet access is only available when parents are around

    3b) Internet access is turned off when parents leave the house

    4) We run software that logs URL visits and IM chats. These logs are reviewed periodically, and have sometimes been the source of worthwhile discussions.

    5) We run a filter. Filtering is not and cannot be 100%. However, there are too many “hardcore” porn sites camping on misspellings of kid-appropriate URLs or with only a couple of clicks of separation from them. This is where “trust but verify” breaks down, because the exposure may be accidental but the damage is still real. Most filters block most accidental visits to porn sites (and other inappropriate sites). Inadvertent blocking of “ok” sites is not an issue because parents are always available when the internet is in use to bypass the filter on an as-needed basis with closer supervision.

    6) We teach the kids when they are young that if they run into something or someone on the internet that makes them uncomfortable they should “crash and tell”. That means powering the computer off (without worrying about the consequences to the hard drive) and telling a parent about the problem.

    The logging reveals any patterns of behavior designed to bypass the filter or access inappropriate sites that the filter vendor may not have cataloged.

    While it may sound like we are being overly protective or authoritarian, we know from sad experience that it’s much harder to undo the effects of exposure to certain inappropriate content than it is to avoid that exposure in the first place.

    We currently use Safe Eyes software because it provides the filtering, logging and access control described above and also provides remote access to its logs and a multi-PC license. However, we have used 3-4 other software packages over the years.

  12. I do agree with a lot of what you guys are saying. OK, but let’s face it, teenagers are getting smarter and smarter with computers. My son is 15. I trust him on the internet because we have never had any trouble out of all this stuff. Even if I wanted to put parental blocks on our computer they wouldn’t do anything for us cause his computer dual boots and it is running Linux and Windows; he has all the root passwords so there is not much I can do. So you could put all the parental blocks on Windows you wanted and he would just reboot the computer and they would do nothing. Let’s just face the facts: kids are getting better with computers. What will you do when your son or daughter gets tired of having MySpace blocked off cause you are scared they will do something or see something they shouldn’t, and they just get them a Linux live CD from a friend and bam, they just got around all of your stuff? The whole routers thing, come on, it is not hard to disable a router and all of its security. You guys are wanting to teach your kids the internet by blocking it off. Come on, that is like me saying, hey, when you get 16 I am going to put a GPS in your car and teach you to drive. I mean, the dumbest method of using a computer is the “crash and tell”. It is like, oh man, someone tried to talk to me on the internet, I am going to freak out, not shutdown the computer right away and run away, risk messing my computer up. Just think a second before you go and do all this to keep your kids safe. A few things are not going to change: girls and them chat rooms will always be a problem and boys and porn sites will always be a problem. If you teach them while they are young you will never have these problems. Sure, you will catch your son on a porn site once or twice but you can’t change the facts.

  13. Jon,

    I just stumbled upon this discussion thread, and it’s very timely even though you posted this over a year ago.

    This has been a really interesting discussion thread to read. What I keep thinking is that we – teenagers and their parents – are swimming in relatively uncharted waters. I sure didn’t have Internet access when I was 14, but my daughter participates in online art communities and chat rooms. I think a lot about how to walk that fine line between giving her the independence and autonomy she wants, and yet seeing that she doesn’t have a lot of good judgment yet, simply because she’s only 14. My husband and I want her to have the chance to make the stupid mistakes which are inherent in growing up, but we also want to be able to have an idea of what she’s doing online.

    Currently, we have a parental monitoring software installed; our computers are in high-traffic parts of the house; our daughter knows we will look over her shoulder at any time, and ask questions. The monitoring software provides us with logs of URLs visited, images seen, and that gives us the opportunity to talk to her. We want her to have the privacy she craves, but we also want to keep a handle on what she does until she’s older, more mature, and better able to make smart decisions. There’s so much research showing that teenagers’ brains aren’t fully developed until their early 20’s, and the ability to make sound judgment calls is hampered until then. That, I believe, is the biggest reason for keeping tabs on what our children are doing – whether online or in person.

    Finally, it occurred to me today that as working adults, our email and internet activity is monitored as well, and most of us don’t argue with that. The companies we work for can access our computer activity at any time. Isn’t that just another aspect of this whole issue? Aren’t the adults also being monitored?

  14. “Aren’t the adults also being monitored?”

    That’s a /really/ good point. Access to the network isn’t free of consequence. We pay for it in loss of privacy. And most of us are willing to make the bargain.
