What Restrictions Should Student Laptops Have?
An anonymous reader writes "We're a school district in the beginning phases of a laptop program which has the eventual goal of putting a Macbook in the hands of every student from 6th to 12th grade. The students will essentially own the computers, are expected to take them home every night, and will be able to purchase the laptops for a nominal fee upon graduation.
Here's the dilemma — how much freedom do you give to students? The state mandates web filtering on all machines. However, there is some flexibility on exactly what should be filtered. Are things like Facebook and Myspace a legitimate use of a school computer? What about games, forums, or blogs, all of which could be educational, distracting or obscene? We also have the ability to monitor any machine remotely, lock the machine down at certain hours, prevent the installation of any software by the user, and prevent the use of iChat. How far do we take this?
While on one hand we need to avoid legal problems and irresponsible behavior, there's a danger of going so far to minimize liability that we make the tool nearly useless. Equally concerning is the message sent to the students. Will a perceived lack of trust cripple the effectiveness of the program?"
I worked in a school district in British Columbia, Canada long ago. They were the second (?) district in BC to institute this same idea. In the end it was successful. You can find them at http://www.nisgaa.bc.ca/ (note the kids with macbooks on the main page). I'm sure they have a plethora of info on the do's and don'ts on the subject. Sorry Nisga'a school district for all the traffic I could be sending you ;)
...about 300 kids K-12. I'm a little surprised that you're asking this question. Are you a technology coordinator who is now addressing these concerns for a district who has never addressed them until now?
Most districts have access restriction policies that students have to agree to and sign. I'm sure about 95% of the Slashdot crowd's gonna scream to high heaven against restrictions, but it's a no-brainer. In short, four letters: CIPA. From the FCC's webpage:
Schools and libraries subject to CIPA are required to adopt and implement a policy addressing: (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) restricting minors' access to materials harmful to them.
These last two are really the biggest ones to consider when drafting an Acceptable Use policy, particularly the last, since "materials harmful to them" could mean practically anything.
Our district has taken steps to block MySpace, Facebook, etc., because all these websites allow minors to publish themselves online. If students accessed these sites at school, and the child was kidnapped due to information posted on MySpace, districts may be found liable.
And banning MySpace will certainly not make these laptops useless. I'm surprised by this comment...it sounds quite ignorant. Districts didn't spend millions of dollars on these machines for students to post poorly-made self-portraits of themselves online. They (I hope) spent the money to grant students equal access to a tool that can be used to enhance learning. I would see a school-owned laptop in the hands of a student exactly the same way as any other computer at school. I'd restrict the hell out of it, because until they graduate and buy it for themselves, the district is responsible for what is done with that laptop.
You don't stand a chance. The kids have physical access and you need to be able to run mainstream software. That means any knowledgeable kid can get administrative access in a heartbeat. Then 11+ year olds will tell each other how. You are done. As for remote monitoring, they are on their home routers. The phone / cable company firewall is not going to accept a TCP/IP connection you establish, which means you can't do it.
The first thing you need to do is get realistic expectations or start constructing a much more secure system, which is not going to be a MacBook; you are talking encrypted drives, TPM chips, access keys on some pager which need to be plugged in for the system to work.... trusted computing group website.
Schools aren't going to pay for that sort of stuff. What you do is you set expectations reasonably, lock the system down badly, filter the minimum and have an easy way to re-image and that's it.
As a 10th grader in the US, and a Linux observer, I do realize that; however, going by the kids I have seen in the local public schools (thankfully I don't have to go there!), the majority are too stupid to do it subtly enough that the local admin wouldn't notice, and then their privileges are revoked.
http://CryoLANparty.com/ A LAN I'm staff on!
The First Amendment pretty much does not apply to public K-12 schools, though how much of those rights are removed is dependent on the state.
I taught in a laptop school several years ago. The technology was JUST maturing then, but most of my problems were person-driven rather than technology-driven.
Here are my tips
1) Firmly establish who actually owns what, because that determines the scope of your reach. If the computers are still school property, you have a lot more reach than if the kids buy them up front or buy on an installment plan.
2) Either way, you're going to have to amend your Acceptable Use Policy to address issues brought up by the laptops. I would do some research into other laptop schools and download their AUP. In fact, contacting other laptop schools is probably a good idea in general. It's always better to make your first mistakes vicariously through someone else.
3) Partition the laptops so that user data is stored on a separate partition, and invest in a good disk-imaging system. You're going to be imaging a lot of laptops after a few weeks. No matter how hard you lock them down, someone is going to screw something up so royally that you can spend 6 hours fixing it or 10 minutes imaging the disk, and it will happen frequently (how frequently depends on school size). In fact, you may want to get clever and make 3 partitions. 1 main, 1 user data, and 1 unmounted that holds a local copy of your image file. Image your main partition only, copy it to your "hidden" partition, and image the whole thing for deployment.
4) Figure out a theft-protection mechanism. This will eventually become an issue. Laptop insurance/warranties will also be an issue. If 15% of the laptops begin malfunctioning near the end of a 4-year run, that will be enough to make it difficult for teachers to rely on those machines for classroom exercises. Nothing is more frustrating than having a whole lesson plan come to a standstill because 4 kids' computers won't work. I've had it happen to me plenty of times. These also tend to be the kids who don't need any additional distractions.
5) If these are school-owned laptops, then you have a great deal of latitude in locking them down. Remote monitoring is another issue, and I would consult your district's attorney. As far as locking them down, the guiding question should be "what level of security supports the curriculum." Most Slashdot users will think of these laptops as computers, with all of the implied potential. Thus any lockdowns curb that potential, and in turn the student's freedoms and opportunity. While this is a valid mode of thinking for personal machines intended for personal purposes, it is the wrong mindset to have in an educational environment. For starters, most students will never come close to tapping that potential (they want to surf the web and IM).
These laptops are being purchased to augment your curriculum, and should be configured in a way that makes it a platform for your curriculum. This may involve lots of restrictions, or just enough to keep a kid from accidentally breaking something. While you'll probably learn as you go, you should already have some idea of where that line is. If you don't, I'd recommend more research and consultation/training your teachers before writing that big check.
With totally unlocked computers, it is likely that a significant portion of the machines will begin malfunctioning due to user-abuse: "I'm going to install every piece of crap software I find! Isn't it great?" While it won't be a majority, it will be enough to make it difficult for teachers to rely on the machines to function properly during an activity (see above).
I'm the Mac tech in an elementary school with a one-to-one MacBook program and the kids take them home. We filter Internet content via the network at school, but not at home. We leave that up to their parents. However, if someone brings something inappropriate that they downloaded at home, the computer will be taken away.
My High School started a laptop program when I was entering my Junior year. They started with the Sophomores that year so I wasn't able to get one. However, I ordered myself a laptop to use in my own classes, but didn't have any "laptop" classes. My brother was in the initial class, though, and I knew a lot of his friends.
First, and foremost, if the school is fronting most of the money, don't get Macs. They cost way too much. I would suggest either have the families pay for the laptop up front with subsidies for those who can't afford it or get something else. Acer is fairly reasonable as are a few other brands.
The one issue my school had was that they got them the shittiest laptops they could. Don't do this; nobody will purchase them upon graduation.
Second, stop buying dead tree books and find eBooks to run your classes on. It will save the school money and make upgrading easier. It'll also help the kids by not having to carry so much and they'll always have their books in class and at home.
Don't lock down the machines; they will find a way around it. Instead, lock any ports on the school's network you deem necessary and do any proxy blocking you can. If you see students using a proxy, ban the IP. It isn't as preventative as some more invasive tools, but it's a lot less trouble.
As for software, let them install what they want. If they bring it home, they should be able to do with it as they please. If they were school-owned and only used during class I can see restricting them, but they're not.
One last thing, the admin at my high school was incompetent. Find someone who knows what they're doing and for god's sake, back up their hard drives before you work on them or set up a network storage solution for kids' files. Our admin would just format and re-image when anyone had a problem for ANYTHING. The keyboard would break, reformat, just in case that was the issue before replacing hardware. A lot of my brother's friends stopped bringing their issues to the school because they would lose everything on their machines every time they brought it in.
Our program was ultimately shut down because the teachers weren't taking advantage of the laptops in class. This is the biggest problem. Use the eBooks, get software designed to augment their classes, and have teachers go through a rigorous computing course. If they don't know how things work, they won't use them.
-SaNo
This is incorrect. I work for a school district that provides a 1:1 laptop program for the high school students. The students do not own the laptops, and instead are leased/lent them. They have to sign an agreement as to what they can and cannot do on the computer.
As for live CDs/dual booting, we password the BIOS. The laptops do not have a removable battery for the CMOS, so the only way to reset it and remove the password is to actually short out the mainboard.
We have the ability to run software audits on all of the machines, whether or not they have somehow managed to remove our remote management agent.
On the school network, we have the usual content filter, but it also does DPI, so even SSL proxies, SSH tunnels, and VPNs get blocked. Remote desktop, too.
The reporting system for the content filter also ties in AD usernames, and watches Cisco netflows, so we can monitor the network in real time and see which users are taking up more than their fair share of bandwidth.
We don't actually filter content at the students' homes, but I know of several districts that do - several of which are required to by law, as the laptop programs are publicly funded.
A student could swap the hard drive at home, but it would be completely unusable at school, so we don't really care about that. We just don't want them putting crap on the hard drives we issue with the machines. If they want to go through the effort daily, more power to them. But it would also certainly be possible to lock it down to where they couldn't do this, either.
Physical access means that it can be compromised, for sure. But it does not mean that it can be compromised without us knowing, especially in a situation where every day they have to come in and log on to the domain to use their machines. Students breaking the rules and either a) letting their grades slip, or b) adversely affecting other students by abusing the network connection are punished. Depending on the severity, all will have to pay a $25 reimaging fee, and after that, punishments can include in-school suspension, as well as being given a laptop with no wireless card - Teachers have Ethernet cables they can hand out, but no students are allowed to use them without teacher permission. This effectively cripples the students on these punishment laptops to only being allowed to use the net when a teacher specifically wants them to use it - to having their laptops revoked completely for the rest of the year.
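The attribution step described in the comment above (tying flow records to domain logons to see who is over their fair share of bandwidth), sketched as an added example that is not part of the original thread or any commenter's setup. The record layouts, usernames, addresses and the 2x threshold are constructed assumptions; real flow and logon exports carry more fields.

```python
from collections import defaultdict

# Constructed logon sessions: (start_s, end_s, ip, username).
# 10.1.0.21 is re-leased to a second student halfway through the period.
SESSIONS = [
    (0,    3600, "10.1.0.21", "asmith"),
    (3600, 7200, "10.1.0.21", "bjones"),
    (0,    7200, "10.1.0.22", "cwu"),
    (0,    7200, "10.1.0.23", "dlee"),
]

# Constructed, simplified flow records: (timestamp_s, src_ip, byte_count).
FLOWS = [
    (100,  "10.1.0.21",  40_000_000),
    (3700, "10.1.0.21", 900_000_000),
    (200,  "10.1.0.22",  50_000_000),
    (5000, "10.1.0.22",  30_000_000),
    (300,  "10.1.0.23",  60_000_000),
    (400,  "10.1.0.99",  20_000_000),  # no domain logon covers this address
]

def user_for(ip, ts, sessions):
    """Return the user logged on at `ip` at time `ts`, or None."""
    for start, end, s_ip, user in sessions:
        if s_ip == ip and start <= ts < end:
            return user
    return None

def bytes_per_user(flows, sessions):
    """Sum bytes per user, matching on IP *and* time so a re-leased
    address is not billed to the wrong student."""
    totals = defaultdict(int)
    for ts, ip, nbytes in flows:
        owner = user_for(ip, ts, sessions) or f"unattributed:{ip}"
        totals[owner] += nbytes
    return dict(totals)

def heavy_users(totals, factor=2.0):
    """Owners whose traffic exceeds `factor` times an equal share."""
    fair_share = sum(totals.values()) / len(totals)
    return sorted(u for u, b in totals.items() if b > factor * fair_share)

def unattributed(totals):
    """Addresses that moved traffic without any matching logon."""
    return sorted(u for u in totals if u.startswith("unattributed:"))
```

Matching on address alone would charge the 900 MB flow to asmith; the unattributed bucket is worth reviewing on its own, since it is traffic from a device with no domain logon behind it.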