Web Filter Refined: Teen Builds His Own, More Nuanced Tool
Thu, 15 Aug 2024

This article was originally published in

Like most kids, Aahil Valliani has been frustrated by the filters that his school uses to block inappropriate websites. Often, he has no idea why certain sites are blocked, especially when his web browsing is tied to his schoolwork.

Many students in this situation find a way around their districts’ web filters. They access the internet on their phones instead, or use proxy servers or virtual private networks to essentially access a different, unfiltered internet. Aahil, searching for a more systemic solution, teamed up with his younger brother and father to start a company called Safe Kids, raise almost $2 million in venture funding, and design a better filter.

As The Markup, which is part of CalMatters, reported in April, almost all schools filter the web to comply with the federal Children’s Internet Protection Act and qualify for discounted internet access, among other things. Most schools The Markup examined used filters that sort all websites into categories and block entire categories at once. Others scan webpages for certain off-limits keywords, blocking websites on which they appear regardless of the context. In both cases, the filters are blunt tools that result in overblocking and sometimes keep kids from information about politicized topics like sex education and LGBTQ resources.


Aahil, now 17, points out that schools’ overly strict controls disappear as soon as kids graduate. “That’s a recipe for disaster,” he said. Kids, he contends, need to learn how to make good choices about how to use the internet safely when trusted adults are nearby so they are ready to make good decisions on their own later.

The Safe Kids filter turns web blocking into a teachable moment, explaining why sites are blocked and nudging students to stay away from them of their own accord. It uses artificial intelligence to assess the intent of a student’s search, reducing the number of blocks students see while conducting legitimate academic research. One example: if a student searches for Civil War rifles for a class assignment, Safe Kids would allow it. If a student tries to shop for an AK-47, it wouldn’t. Other filters would block both.

The filter also keeps student browsing data private, storing only categories of websites accessed, not URLs or search terms themselves. And it works through a Chrome browser extension, which means students can’t simply get around it with a proxy server or VPN while using that browser.

Safe Kids got its start during the early COVID-19 lockdowns. Sitting around the dinner table with his father, a tech entrepreneur; his mother, a self-employed fashion designer; and his younger brother Zohran, a budding computer scientist, Aahil got his family to strategize how to help all the kids getting sucked into dark corners of the web and battling the mental health consequences of their internet use.

Their idea, building off of the invasive and ineffective filters the brothers saw in school, essentially puts better training wheels on the internet. Aahil said his father did a bit of hand-holding in these early days, helping find board members and angel investors, as well as the data scientists who would train the AI machine learning model behind the filter and psychologists who could craft and test the filter’s hallmark pop-ups directing students toward more appropriate browsing. The company also spent time and money getting their designs patented. Aahil has three patents under his name and Safe Kids has five.

As Aahil and his family were preparing to chase seed funding for Safe Kids, the ACLU of Northern California was demanding the Fresno Unified School District a product called Gaggle, which districts use to monitor students’ internet use, block potentially harmful content, and step in if student browsing patterns indicate they may need mental health supports. The problem, according to ACLU attorneys, was that Gaggle amounted to intrusive surveillance, trampling on students’ privacy and free speech rights.

The Electronic Frontier Foundation levied similar accusations against another web filter called GoGuardian after getting records from 10 school districts, including three in California, that revealed the extent of the software’s blocking, tracking and flagging of student internet use during the 2022-23 school year, when Aahil was piloting Safe Kids. Jason Kelley, a lead researcher on EFF’s GoGuardian investigation, looked into Safe Kids in response to an inquiry by The Markup. Accustomed to pointing out how bad filters are, he offered surprised praise for Safe Kids, commending its focus on privacy, its open source code that offers transparency about its model, and its context-specific blocking.

“This is, really, I think, an improved option for all the things that we are generally concerned about,” Kelley said.

So far, Safe Kids has not been able to break into the school market. Still, Aahil hopes to one day sign a contract with a school district, and he is marketing to parents in the meantime, offering them a way to put guardrails on their kids’ home internet use. While Safe Kids started out charging for its filter, Aahil said an open source, free version will be released next month.

One of the company patents is for a “pause, reflect, and redirect” method that leans on child psychology to teach kids healthy browsing habits when they try to access an inappropriate website.

“When kids go to a site the first time, we consider that a mistake,” Aahil said. “We tell kids why it’s not good for them and kids can make a choice.”

For example, if a student tries to play games during a lesson, a pop-up would say, “This isn’t schoolwork, is it?” Students can click a “take me back” button or “tell me more” link to get more information about why a given site is blocked. When students repeatedly try to access inappropriate content, their browsing is further restricted until they address the issue with an adult. If that content indicates a student might be in crisis, the user is advised to get help from an adult, and in a school setting, a staff member would get an automated alert.

The teen expects to keep building the company, even as he shifts his focus to college admissions this fall. A rising senior at the selective Thomas Jefferson High School for Science and Technology in Alexandria, Virginia, one of the nation’s best public high schools, Aahil plans to major in business or economics and make a career out of entrepreneurship.

Safe Kids stands out in a web filtering market where products’ blunt restrictions on the web have barely become more sophisticated over the last 25 years.

Nancy Willard, director of Embrace Civility LLC, has worked on issues of youth online safety since the mid-1990s. She submitted testimony for the congressional hearings that resulted in passage of the Children’s Internet Protection Act in 2000 and describes the filtering company representatives that showed up as snake oil salesmen, selling a technology that addresses a symptom, not the root of a problem.

“We need to prepare kids to manage themselves,” Willard said. When traditional filters block certain websites with no explanation, kids don’t learn anything, and they’re often tempted to just circumvent the software.

“This approach helps increase student understanding, and hopefully there’s a way also in the instructional aspects (to increase) their skills,” she said about Safe Kids.

Students on Chromebooks in particular can’t circumvent Safe Kids and its design aims to keep them from wanting to. Now Aahil and his family just need to find buyers.

Kelley said he’s not surprised Safe Kids hasn’t been able to yet, given the “hardening” of school security and student safety efforts over the last decade. “We’ve gone from having cameras and some pretty standard filters to having metal detectors, and locked doors, and biometrics, and vape detectors in the bathrooms, and these much more strict filters and content moderating control software,” he said, “and all this is hard to undo.”

This was originally published on .

Relied on by Parents, Hailed by Schools, GPS Bus Trackers Raise Security Risks
Wed, 24 Jan 2024

Louisville father Robert Bramel began to panic. Hours after the first day of elementary school ended in August, his two sons hadn’t yet returned home, and he grew frightened for their safety.

It wasn’t until after 7 p.m. that evening when the boys, 5-year-old William and 8-year-old Joseph, arrived on a school bus unharmed. Their delayed return was the result of what officials at Kentucky’s Jefferson County Public Schools a “transportation disaster”: A tech-enabled bus routing system implemented to improve efficiency backfired and some kids didn’t make it home until nearly 10 p.m.

“I was wondering, ‘Is my son safe?’ ” Bramel told The 74. “Are they safe? Are they OK? Did anything happen?”


Months later, Bramel is once again upset and concerned that his kids had been left vulnerable. Again, technology is the culprit. After the bus delay fiasco, school officials in Louisville signed up for a GPS tracking system offered by the Montana-based company Education Logistics, commonly known as Edulog. Through an app, the system gives parents real-time information about the location of their children’s school buses. 

The service offers parents valuable updates about bus arrivals and departures and tools like it have been embraced by families and heralded by school officials across the country, especially when there are busing snafus. Bramel said he now regularly relies on the Edulog service. Yet in Louisville and at districts nationwide, cybersecurity researchers found, vulnerabilities could have left sensitive data open to exploitation by bad actors. 

James Sebree, a senior staff research engineer at Maryland-based cybersecurity company Tenable, said his inquiry into Edulog’s Parent Portal began after a friend voiced security concerns as it was being rolled out at his child’s school. Because the Edulog apps lacked sufficient authentication and access controls, anybody could access a large swath of sensitive information about students and families with little more than a free account. Among the exposed records were the real-time location of school buses, pick-up and drop-off times, information about scheduled delays, logs of students who were assigned to specific routes and their parents’ contact information.

“It was startling to see the extent to which we were able to access information by bypassing the client-side restrictions, particularly when that information involved minors,” Sebree said in an email to The 74. Sebree said his firm isn’t aware of any instances where the data was actually exploited by bad actors and that Edulog worked quickly to patch the vulnerabilities once Tenable alerted them to the issues in early September. But the bug while it existed, he said, was relatively easy to exploit. 

“GPS data in conjunction with parental contact information, if compromised,” he said, “could lead to scary situations for parents and students.”

School districts nationwide have increasingly turned to GPS tracking systems to help keep parents in the loop about arrival and departure times, particularly amid a national that’s led to chaos in many places and education leaders having to rethink their transportation logistics. 

In Louisville, the school bus woes forced leaders to cancel classes for several days right at the beginning of the new academic year. Last March, Chicago Public Schools to address widespread transportation hurdles of its own, including canceled routes and unreliable service. In some instances, the district has called on taxis and paid $500 transportation stipends to parents to get kids to and from school. 

As school districts increasingly turn to thousands of third-party education technology vendors to streamline instruction and across all parts of their operations, the Edulog vulnerability highlights how such arrangements can introduce new privacy and security risks, especially when for-profit companies collect sensitive information like real-time location data involving students. 

Edulog claims more than 6 million students are transported on school buses equipped with its software. Recent customers include the school districts in Wichita, Kansas, Newport News, Virginia, and Greenwich, Connecticut, according to data from GovSpend, which tracks government procurement. 

In , the company acknowledged that it had been notified of “a potential vulnerability” and that they had “researched the issue and resolved it in the next build of the product.” Yet the company is not contractually obligated to notify their customer districts or parents that the weakness was uncovered, Lam Nguyen-Bull, Edulog’s chief experience officer and general counsel, told The 74 in an interview. At the same time, she recognized the student safety risks involved in the potential breach of real-time GPS data is “certainly a concern.” 

“That’s something that districts have to weigh, as it is any time you get into a service like this: What are you willing to risk and is it worth the cost?” she said. “You can take as many cautions as possible, but a creative and dedicated person will always be able to find a vulnerability.” 

Mark Hebert, the Jefferson County Public Schools spokesperson, said in an email the Louisville district relies on Edulog’s “Lite” version, which offers parents bus location information “but little else.” 

Yet for Bramel, news that the bus tracker that he found so handy carried privacy risks brought newfound anxiety. Bramel said that he had heard rumors about an Edulog security lapse but hadn’t received formal outreach from the district, leaving him to wonder about the types of information that could have been exposed.

He said school transportation in Louisville remains so erratic that he’s considered moving out of the district boundaries altogether. Allowing anyone access to real-time school bus information, he said, could have been catastrophic. 

“That’s infuriating because that puts my child at risk, that’s their life in danger,” he said. “A perpetrator could be meeting up or something like that. Human trafficking is still going on.” 

The privacy implications of bus trackers

Edulog’s Nguyen-Bull noted that privacy issues have been present ever since GPS services were first introduced to consumers in the late 1980s. Such implications are perhaps amplified in the context of students and schools, but ultimately, she said, they take a back seat for most people.

“The truth is, we generally are lazy beings, right?” Nguyen-Bull said. “We go for convenience.” 

Edulog has been providing school districts with bus routing services since 1977, but Nguyen-Bull said it was consumers who ultimately began to push for real-time GPS tracking about a decade ago. 

Numerous companies now offer such services for school buses, including in big urban districts like , which just launched its long-awaited tracker last week; and Los Angeles. The services, however, haven’t always lived up to the expectations of parents or school bus drivers, with both reporting accuracy concerns. The power of real-time information has also introduced new safety risks, Nguyen-Bull said. If the app says a bus is expected to arrive five minutes late, she said that “personal optimizers” will use that information to delay their trek to the bus stop. 

“That creates problems where kids are rushing across streets or they’re not being careful in how they approach the bus,” she said, adding that the issue is compounded in instances when the GPS information is inaccurate. “We’ve become so reliant on our phones that we don’t actually look up and see what the reality is.” 

Meanwhile, over the last year the federal government has placed a heightened emphasis on cybersecurity risks introduced to the education sector through third-party technology vendors like Edulog. In September, the federal Cybersecurity and Infrastructure Security Agency to sign a voluntary pledge and commit to building products with robust security protections. Companies that sign the pledge agree to “radical transparency” and to “take ownership of customer security outcomes.” 

In a December blog post, the federal cybersecurity agency noted that school districts should not be required to “bear the cybersecurity burden alone,” and advocated for shifting many responsibilities to vendors. 

“Cybersecurity issues facing K-12 could be much more effectively and cheaply dealt with earlier in the supply chain, by focusing on a relatively smaller number of linchpin companies serving very large numbers of students and educators instead of school district by school district, school by school,” the post noted. 

But Nguyen-Bull said her company was uninterested in signing the pledge, calling it meaningless without any clear cybersecurity standards. Yet she also balked at the idea of regulations that would set specific cybersecurity requirements. 

“We’re not just going to sign random pledges that ask for slightly different things if we don’t know if we can track those things,” she said. “As a small family-run business, we don’t have five compliance people tracking all of the different pledges and ensuring that we check all of the boxes.”

Sebree, of the cybersecurity firm Tenable, said that transparency about security lapses is key, telling The 74 in an email that vendors “have an ethical responsibility” to inform customers in a timely manner so they can make knowledgeable decisions. 

“Notifying their customers that a vulnerability had been discovered and fixed, even if no evidence of a breach was found, would have been the most transparent action here,” he said. “Customers deserve to know when their data has been at risk so they can make decisions in the future with all of the information in hand.” 

Louisville father Bramel said that he and other parents should also have been notified — either by the district or the company itself — about the extent that information had been exposed to preserve trust.

“When you’ve got to rely on this system to cover your kids and they can’t have open communication, what other issues are going on besides that issue?” Bramel asked. “I’m honestly shocked there aren’t lawsuits and stuff like that happening right now … because this is completely uncalled for.”
