K12 Elgg Security

October 19, 2008 in Elgg, Policies, RSS, Social Networking, Technology, open source | 3 comments

Elgg 1.1 is arriving soon. The project is maturing with more plugins and themes becoming available. It’s time to plan for deployment in the K12 environment. I have been mulling over several special issues in deploying Elgg in a K12 public school setting. I invite you to join the K12 Elgg group on the Elgg Community Website. I am also considering Web publishing and educational technology issues in my Educational Technology Policy Site. Policies need to be in place for working with Elgg and other Web 2.0 applications.

The first thing we need to consider is security. In our situation we will need to have a walled garden. Our school requires anything that is open to the world on the Internet be moderated. Since we cannot moderate in the Elgg environment, all content will have to be kept in house.

The Walled Garden plugin from the Elgg developers does much of what we will need. It disables registration so that  any user accounts must be created by the admin. This prevents outsiders from registering and gaining access to student content. It falls short in a couple ways. As configured, users can choose to make content available to the public under the access controls. In addition RSS feeds could allow outsiders to view content if they obtained the appropriate urls.

In response to my concerns expressed in the K12 Elgg area of the Elgg community, Dave Tosh offered some solutions. He pointed to engine/lib/access.php as the place to eliminate the “Public” option. Students will only be able to select permissions for access to people within the site: private, logged in users, or any collections of friends. I plan on creating a plugin offering this functionality soon leaving the core intact for easy upgrading.

With RSS feeds, Dave suggested that I eliminate the options to subscribe to an RSS Feed and Syndicate OpenDD from the owner’s block menu, then delete RSS and and OpenDD views in the views directory.

Dave is looking into administrative options to toggle public access OpneDD and RSS feeds from the administrative interface. I think this is a good idea that will make it more appealing to the K12 audience out-of-the-box.

If we allow students to work in Elgg without moderation, we need a way to monitor what the students are doing so that they are accountable for their behavior on the site.

Elgg offers several tools to this end. There is the log browser with the ability to refine the results by username and by start/end dates. As admins, we can click on a user’s avatar menu and explore their log. There is also the user option to report content to the administrator.

Use of the log options require active searching and the logs have a lot of entries not related to content. Are there ways to filter out some of the non-content related noise making it easier to monitor students? Would it be possible to create plugins to make this process easier?

These are just a couple areas of concern that I will need to address with school administration and tech committee before deploying Elgg. I hope to have answers to the questions that I know I will face. I’d like to hear what others have to say about these matters. Please comment!

Related Posts

Tags: , , , ,

  1. Mark Pearson’s avatar

    Mark Pearson on October 20, 2008 at 11:16 am

    It’s a shame that school administrators feel the need to censor student access to the Internet. But I guess that’s the reality. Two questions:

    1) RSS feeds. In Elgg 0.9 RSS feeds only obtained content from public postings. Any item with a non-public permission did not got it’s content into an RSS feed. My understanding is that this is a function of RSS — it depends upon public, unrestricted access. If this is still the case in Elgg 1.0 (which I’m guessing it is) by eliminating ‘public’ posts you thereby remove any content from RSS feeds. Thus you should not have to worry about RSS. The corollary however is that you cannot use RSS internally either — think how nice it would be to feed a class blog into the school portal.

    2) “Since we cannot moderate in the Elgg environment”. If you *could* moderate what form would that take? Would not a solution to your problem be ‘moderation’ plugin that allowed teachers to delete or change access to student’s blog postings? Would this not be simpler than the other hacks you are proposing? And maybe this would also be attractive to other Elgg implementors who might need some form of content moderation. Certainly, I’ve seen this request on the Elgg 0.9 discussion forums.

    Reply

  2. Steve’s avatar

    Steve on October 20, 2008 at 11:38 am

    Yes that is the reality. Perhaps with time we can keep nudging toward more openness.

    I’ll start with moderation. I would just like to be able to moderate items so that once approved, they could appear to the public. This would have to include a way to keep a student from changing the content once it goes public. There may well be those that would prefer to moderate everything including those only viewable internally. I’d rather not go to that extreme. I think accountability and monitoring is adequate.

    I agree with your statements regarding RSS. I haven’t tested the rss for other than public access setting, but I presume it to be the case. It would certainly be the case once one enables the walled garden plugin. It would be nice to use the feed for our school website. I wonder if there is some limited way to do this. Perhaps the Elgg API feature could allow that.

    Thanks for a thoughtful response.

    Steve

    Reply

By submitting a comment you agree to license your comment under the following terms: Creative Commons License


This comment will be licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.