April 2020. The ongoing global corona virus pandemic has affected everyone in far too many ways. We’re not getting into the broader discussion but kids are now learning remotely over connected devices so today I’ll be covering online child safety while allowing kids to be productive learners.
As is with most security and safety mechanisms, nothing is perfect. But don’t let the lack of perfection stop you from advancing. Think of seatbelts. Imperfect yet effective. On the flip side – is it needed? Absolutely! Just as you wouldn’t let your 10 year old drive a car, you shouldn’t leave them unprotected online. Now where you draw the line is definitely based on parenting styles and the kid’s maturity. But “no safety” is always the wrong answer.
Back to the learning scenario
My kid mostly uses a browser (Google Classroom, Docs and a dozen other sites) but some of his schoolwork requires relatively “advanced” features like a working camera, speakers and microphone. For example, poem recital video or “scanning” paper-and-pencil based Math work by simply taking a photograph or class video conference calls.
Two pieces – device and network
Keeping it simple, you can go very far with security enabled in two places – on your device and also on your network (i.e. home router, ISP servers). All major platforms – Apple, Google and recently Microsoft – provide the concept of parents and children grouped into families. Parents can then specify what children can/cannot do.
For simplicity, I recommend an Apple iPad or a Google Chromebook since they’re inexpensive with fully functional cameras, microphones etc. If your budget allows and you have a responsible child, an entry level MacBook would be more powerful than an iPad without losing parental control. Personally I really like Apple’s privacy and security focus as well as their implementation of Families but Google has a much larger market share.
Devices – child accounts and family controls
Today, most devices allow you to login with your linked online credentials (e.g. [email protected] / gmail / outlook / whatever.com) . Do NOT share your adult credentials with your kids (“Dad, I need google docs!“). Apple/Google/Microsoft have great controls on what your kid can do on their devices as long as you setup your kid with a specific child account. Here are the links to each in more detail:
- Apple: AppleId for your child (work for iPhone, iPad, macOS)
- Google: Google account for your child (work for Chromebooks, Android)
- Microsoft: Microsoft child account for your PC (work for Windows 10 devices)
Device – enable parental controls
Now your kid logs into their device (or shared family device) using their own child account. Great! Now in whatever ecosystem you picked, enabled parental restrictions.
Personally, for my 7 year old, I’ve set it up as follows:
- Use the device during home “school” hours (8 am – 2 pm)
- Use specific apps (Google Classroom, Docs, Drive, Zoom, Epic Reading etc.) for about 4 hours each
- Use the browser only for specific URLs. I manually enter the allowed URLs to a whitelist (e.g. settings -> screentime -> name of kid -> content & privacy restrictions -> content restrictions -> web content -> allowed websites only -> “Add website” -> “docs.google.com” – you only need the base URL, not the http:// or anything later). Knowing which URLs are necessary for school work is a bit of a trial-and-error at the start but makes for a more managed outcome.
- Cannot install additional apps without parental consent. This is important because if one can install another browser (e.g. Firefox), it would bypass the restrictions specified above. More importantly I can totally see him waste his time on half the games on the app store!
If I only had Apple devices, I would have called it a day since Apple’s device security is pretty tight. But my son wanted to use his school issued Chromebook at home. Since his Chromebook is managed by his school, I couldn’t use Google’s Familylink. Plus we also have a Raspberry Pi 4 running Debian 10 Linux to tinker with which has absolutely no concept of parental controls. He also has a Nintendo Switch and a PS4 Pro – both of which have (never used) browsers. Anyway, but If I can’t influence the device, the next best step is to secure the home router.
Network – internet hours and content filters
My now aging Asus RT-AC88U router lets me filter content on a per-device basis. I can also restrict the hours of internet on a per-device basis.
My settings live in the “AiProtection” (LOL! Nothing AI about it!) -> Parental Controls section but most modern routers have something similar. I suggest you do a quick google search like “<name of your router> parental control”. If your router doesn’t have parental control, consider buying one that does from a company that takes security seriously.
Network – DNS filtering aka OpenDNS
Would have been great except, I noticed that my router couldn’t really block YouTube or Netflix despite blocking “Streaming services”. I didn’t really want to replace my home router which has been highly customized for my home office needs. Nor was I interested in setup and maintain my own DNS filtering or reverse proxy solution. But I did want to filter YouTube primarily because my kid is totally capable of spend hours on YouTube chasing Cartoon or Pokemon videos. Not to mention some of his school friend had been traumatized by YouTube videos encouraging kids to commit suicide (news article).
Turns out Cisco’s OpenDNS solution has a family oriented product that’s also free. OpenDNS has instructions when you signup but the core idea is this:
- You signup for OpenDNS here
- You tell OpenDNS “this is my home IP address”.
- You specify what content you want to block on OpenDNS’s site
- On your home router, in the “DHCP” settings, find your child’s device and tell the router to use OpenDNS’ server instead of the default one.
With that, when your kid tries to access something restricted (e.g. YouTube.com), because of your router settings, your child’s device then proceeds to asks OpenDNS (instead of the router itself) “Yo! Where can I find youtube.com?”. To which OpenDNS responds, “I don’t know!”. No more wasted time!
I do want to mention that these restrictions are ok for novices or kids but creative technical folks can overcome them leading to an ever escalating cat-and-mouse game.
Don’t let perfection be the enemy of productive. And stay safe out there kids!
UPDATE: If you made it this far – great! Since the last two weeks that I wrote this, I’ve personally moved from OpenDNS to a custom DNS and DHCP server that I run myself (aka PiHole). Why? Because my son’s school uses quite a few 3rd party sites and I hit quickly the 25 servers/domain name limit on OpenDNS. Plus I can also block ads/trackers on all my home devices (e.g. smart TV, thermostats, Fire TVs etc.). It’s definitely a LOT more work for 24/7 reliability and I do NOT recommend that route for most people.