Sunday, January 10, 2010

What the CIPA does (not) Require

The rhetoric of censorship proponents makes it clear that they look with nearly religious awe upon Internet Filters and the CIPA, a law that requires some libraries to implement such filters.  They expect nothing less than miracles, and so can only be disappointed.  I tried to inject some reality into the understanding of Internet Filters in a series of five recent articles (starting HERE), and would now like to do the same for the CIPA (in just one article, albeit long).

The CIPA, or Children’s Internet Protection Act, is a US law that went into effect in 2001. It was quickly challenged in court on constitutional grounds, and at one point was overturned by a US District court as an unconstitutional infringement on Free Speech. On appeal, however, the US Supreme Court overruled the District Court, holding that the CIPA was constitutional (US v. ALA, 2003).  As a result, the CIPA became enforceable and remains in effect today.

The CIPA imposes a set of conditions on the acceptance of government funds under federal programs known as E-rate and LSTA, which are designed to help schools and libraries pay for telecommunications, especially internet access. Because this reduces the costs to schools and libraries, the benefit is called a discount.  In order to receive this discount, schools and libraries have to certify that they comply fully with the conditions imposed by the CIPA.

The CIPA requires the Federal Communications Commission (FCC) to administer the certification process.  The FCC must interpret the CIPA and come up with administrative rules that inform schools and libraries of the requirements and define the process of certification.  If it happens that a library certifies it is in compliance but then the FCC finds that the library is has not met all the conditions, the FCC might demand reimbursement of the discount.  

Some of the conditions required by the CIPA are:
  1. Schools and libraries must implement Internet Filtering programs that block online access to visual images that contain child pornography or obscenity.

  2. For users who are minors under 17, the Internet Filtering programs must also block online access to visual images that are Harmful to Minors.

  3. Schools and libraries must have an “Internet safety policy” that addresses “the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications.”
Perhaps more interesting than what the CIPA requires are some of the things the CIPA does NOT require.  Here is a partial list:
  1. The CIPA does not require all schools and libraries to comply with its terms.  Only libraries that accept E-rate and LSTA funds to reduce their expenses for telecommunications are bound by the terms of the CIPA.  Libraries that don’t participate in those programs are free to ignore the CIPA.  Complying with the terms of the CIPA costs money, and each library must evaluate the costs and benefits based on its own financial circumstances before deciding whether or not to participate.

  2. The CIPA does not require Internet Filters that block access to any text.  This surprises many, in part because blocking objectionable text is a feature of many Internet Filtering programs.  A library might happen to implement a filter that blocks text as well as images, but that is not a requirement.  What the CIPA requires is a filter that blocks access to visual images that are a) child pornography or b) obscene, and for computer users who are minors, c) are harmful to minors.  So far as text is concerned, the CIPA allows an 8-year-old to read the writings of the Marquis de Sade

  3. The CIPA does not require that adult users be blocked from viewing material that is harmful to minors.  Such material must be blocked from access only by users who are themselves minors.  Adults need be blocked only from material that meets the legal definitions of obscenity or child pornography.

  4. The CIPA does not require Internet Filters that block access to Email messages, Instant Messages, or Chat Rooms. Some filtering programs have an ability to monitor these forms of communication while others do not, but no such blocking or monitoring is required by the CIPA.  What is required is a policy, not an Internet Filter, that addresses the safety of Email, chat rooms, and the like.  

  5. The CIPA does not require that Internet Filter programs meet any specific standards of effectiveness.  Although it is well understood that all Internet Filtering products both underblock and overblock access to internet materials, and that the degree to which these errors happen varies from program to program, there is no standard or process for certifying which commercially available filtering products comply or fail to comply with the intent of the CIPA.

  6. The CIPA does not require that Internet Filters remain in place for adult users.  The CIPA requires filters to be installed on all library-owned computers, but allows an adult user to request that a specific site be unblocked or the entire filter be disabled "for lawful purposes." 

  7. The CIPA does not require that Internet Filters be installed on patron-owned computers.  Increasingly, public libraries allow patrons to connect their personal computers to the internet through the library's communications network.  This is allowed even if the patron's computer has no filtering program installed.  Some libraries may have a filter that resides partially or completely on the network itself, rather than on each individual computer, and in that situation the patron's computer will be subject to some degree of filtering.  Other libraries may be using a filter that resides separately on each individual computer, and in this scenario the patron's computer would not be subject to any filtering.  The CIPA leaves it up to each library to choose the structure of the filters it installs, so there is no requirement one way or the other.
In addition to what the CIPA requires or does not require, there are two restrictions that come from outside the Act itself.  These are:
  1. A library can establish its own policy as to whether or not the intervention of library staff is required to unblock a site or disable the filter on a computer being used by an adult patron. Some libraries configure the filtering system to allow adult patrons to unblock the filter themselves, without staff intervention.  Other libraries allow only library employees to perform those functions, requiring adult patrons to request staff help if they want to unblock or disable the filter.  Legal experts differ in their opinions as to what the exact requirements of the CIPA are in this regard.  In its administrative orders, the FCC acknowledges that this debate exists, and declines to issue a clarifying ruling.  That leaves the matter up to each library.

  2. Adult patrons do not have to state a reason for requesting unblocking of a site or disabling of the filter, and the unblocking or disabling must be done without significant delay.  This was indicated by the Supreme Court in the US v. ALA decision that allowed enforcement of the CIPA, which decision was echoed by the FCC in its administrative order of 2003 (below).   
It is no doubt surprising to many to learn what the CIPA actually requires and does not require. Considerable confusion arises when individuals learn that CIPA requires Internet Filters and then jump to the mistaken conclusion that the filters required by the CIPA in schools and libraries must block the same material as is typically blocked by an Internet Filter installed in a private home.  Internet Filtering programs are designed to serve multiple markets, of which schools and libraries are just one of many. The result is that many Internet Filtering programs have features and functions simply not required by the CIPA.

This is, of course, my own (non-expert) analysis, based on orders and summaries published by the FCC and other sources.  Here are the links to those sources:

I close with some excerpts from FCC orders of 2001 and 2003:

From FCC 01-120:

In order to receive discounts for Internet access and internal connections services under the universal service support mechanism, school and library authorities must certify that they are enforcing a policy of Internet safety that includes measures to block or filter Internet access for both minors and adults to certain visual depictions. These include visual depictions that are (1) obscene, or (2) child pornography, or, with respect to use of computers with Internet access by minors, (3) harmful to minors. An authorized person may disable the blocking or filtering measure during any use by an adult to enable access for bona fide research or other lawful purpose.

From FCC 01-120:

In order to receive discounts, school and library authorities must also certify that they have adopted and implemented an Internet safety policy addressing (i) access by minors to inappropriate matter on the Internet and World Wide Web; (ii) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (iii) unauthorized access, including so-called “hacking,” and other unlawful activities by minors online; (iv) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (v) measures designed to restrict minors’ access to materials harmful to minors.

From FCC 01-120:

Section 254(h)(5)(D) and (6)(D) permits a school or library administrator, supervisor, or other person authorized by the certifying authority, to disable an entity’s technology protection measure in order to allow bona fide research or other lawful use by an adult. A number of commenters, particularly libraries, express concern that each time an adult user requests that the blocking or filtering software be disabled pursuant to these provisions, school or library staff would be required to make a determination that the user was engaging only in bona fide research or other lawful purposes, and staff would then be required to disable the technology protection measure. Many commenters caution that staff would be unable to satisfactorily make such determinations, and that the requirement would render moot existing policies, have a chilling effect on adults’ Internet use, and significantly impinge on staff time and resources. We decline to promulgate rules mandating how entities should implement these provisions. Federally-imposed rules directing school and library staff when to disable technology protection measures would likely be overbroad and imprecise, potentially chilling speech, or otherwise confusing schools and libraries about the requirements of the statute. We leave such determinations to the local communities, whom we believe to be most knowledgeable about the varying circumstances of schools or libraries within those communities.

From FCC 03-188 (elipses in the original):

The Supreme Court found that CIPA does not induce libraries to violate the Constitution because public libraries’ Internet filtering software can be disabled at the request of any adult user and, therefore, does not violate their patrons’ First Amendment rights. In upholding CIPA, the Supreme Court emphasized “the ease with which patrons may have the filtering software disabled,” and that a patron who encounters a blocked site … need only ask a librarian to unblock it (or at least in the case of adults) disable the filter.” The plurality also highlighted the government’s acknowledgment at oral argument that “a patron would not ‘have to explain … why he was asking a site to be unblocked or the filtering to be disabled.’”


  1. Thank you for breaking it down, I was doing a little reading on the CIPA and it was very confusing, not to mention all the rhetoric surrounding it.

    I'll collaborate on another blog with you as soon as I can, I'm crazy busy right now though, so I can't say when.

  2. The CIPA is easily confusing. The Act itself is frustratingly vague in places, which forces the FCC to be vague about some details. Add a layer of censorious wishful thinking and you can get a real muddle that takes time to sort out.

  3. Hi,

    I am a student of journalism and I am doing a special feature on internet filtering in schools. I would like to know the amount of taxpayers' money that is spent on fitlering software. Do you have any idea on where I can find this info?



  4. I would like to know too, if there were a formal study. If you find one, feel free to post a link. Libraries and schools in your area might be able to provide you at least examples (if the budget info they post online is sufficiently detailed, you'll be able to pull it out of those documents).

    I will say that each library has to decide for itself whether or not seeking E-Rate and/or L-SAT funds from the government is worth the cost of complying with the CIPA. One-time costs include buying the filtering software, possibly buying additional hardware, and probably paying contractors to set the whole thing up. On-going costs include the regular subscription to the filtering databases (lists of sites to be blocked or allowed, etc.) as well as administrative overhead (disabling the filter when a adult user demands it, etc.).

    In some cases, the government funds received for data communications are close to fully offset by the costs of compliance, and the library chooses not to apply for the funds.

    Wish I could tell you more.