VPNs – the multi-headed hydra that just won’t die…

Arguably, the biggest threat to the online safety of our students isn’t overseas bot farms filling their minds with lies and propaganda, or the threats to mental health and attention spans from modern social media, although these do of course still keep us awake at night. We could block access to virtually all damaging online content on our campus if not for one thing: the relative ease with which a determined and tech savvy student can access tools that allow them to bypass our security.

Ardingly is a large boarding school, situated in a glorious 240 acre campus in rural West Sussex. There is excellent broadband provision locally and therefore we have fast, reliable wi-fi throughout the campus (“bar a few notable black spots” I can hear some colleagues cry). We are doubly ‘blessed’ as our site receives no mobile reception. Bingo, you think. Put in place robust filters and firewalls, monitor and filter all internet traffic, educate the teachers and parents, then safeguarding students online will be a doddle, you tell yourself. Pity those schools with constant 5g coverage who have no control over when and how children can access the internet. And how wrong you would be…

The history of Virtual Private Networks (VPNs) can be traced back to the 1970s. The modern variant begins with a Microsoft employee who in 1996 developed a method of confidentially transferring data via the still relatively novel concept of the internet. The technology behind this development is no longer in use but it bequeathed a whole industry, valued at $25.41 billion in 2019 and estimated to rise to $75.59 billion by 2027. At their best VPNs are a valuable tool in the fight against authoritarianism the world over. But the very things that make them such a powerful weapon in the right hands, also provide a convenient means for recalcitrant teenagers determined to circumvent their school’s online security.

In my years at Ardingly we have encountered every flavour of VPN, from mobile phone apps and browser extensions to installable programmes, designed to bypass the restrictions we put on devices to prevent users installing apps. We had an on-premise combined filter and firewall device that couldn’t stop VPNs. We currently use a software filter that makes each September a challenge as we help students download an SSL certificate onto personal devices so they can access the wi-fi. The filter enables blacklisting of sites and prevents searches for the term ‘VPN’ but doesn’t stop you accessing links or sites that deliberately don’t use the term. It also slows down the search experience for every user and only works on managed devices or whilst on campus, so a mobile phone can be pre-loaded with a VPN at home and used to connect any device at school. We blacklist sites and services on a daily basis but, of course, a student determined to circumvent our security can always find a new option. We’re currently trialling a system that will inspect internet traffic at the packet level and costs roughly the equivalent of a newly qualified teacher. Annually. The technically minded amongst you will already know that even this won’t give us any guarantees. If the Chinese government, with an army of 2 million and a GDP of some $20 trillion, can’t stop school pupils visiting unwanted websites then what chance for our intrepid IT teams?

There is a precedent for government intervention leading to verification systems being implemented to prevent illegitimate use of online services. Given that this isn’t a current topic of conversation and, working on the assumption that the VPN vendors are unlikely to give up a presumably significant chunk of their business without a fight, how will we embrace the challenge in the short term? As passionate believers in the power of education, you will be unsurprised to learn that our approach is based around knowledge and skills.

We are implementing a digital skills framework for our students that not only delivers content on how to use technology effectively but also the ethical and well-being considerations. The comparison we kept in mind whilst developing our framework is that we don’t want to teach children the mechanics of how to operate the digital equivalent of a powerful car, without also teaching them the rules of the road.

The reality is that young people will always be on the frontline of new developments online and, even if we could manage to block every single potentially harmful site while they’re on campus, we can’t cocoon them from real life digital distractions once they are beyond the school gates. At Ardingly we believe that to be ready to succeed in this fast-changing world, teenagers need to be equipped with the skills to harness the potential of new technologies, whilst simultaneously being educated about how to self-regulate their online habits. With a well-developed education that gives them a good understanding of the dangers prevalent on the internet and how to avoid them, we can ensure that our students have the knowledge they need to remain safe and well whilst online, mitigating their ease of access with knowledge of why it shouldn’t be utilised. In our case, we see education as the Hercules that can slay the VPN hydra with which we continue to battle.