National Pupil Database / November 29, 2019
Fortinet, a vendor of school cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception, according to ZDNet this week.
Fortinet’s security advisory is available here.
The FortiGuard solutions are widely used in UK schools. For example, according to the company, they are used in the United Learning group, which has more than 70 academies and independent schools across the country and over 45,000 students.
While some companies have been mighty annoyed in the past when it was suggested that information from their tools may be passed on to police, Fortinet readily recognises in its own marketing materials that “the ability to provide accurate reports to law enforcement and security organisations on demand is a key requirement of the Prevent agenda.”
Who is accountable to the child and their family when those data are inaccurate, misinterpreted, or are easily intercepted by others?
It leaves us asking whether it is adequate for these safeguarding-in-schools software companies, handling such sensitive data and profiles about individual children, to be self-certified to the UK Safer Internet Centre ‘Appropriate Filtering’ definition.
Are they appropriate for use with children, and fit for purpose at all?