thain1982
Windows 10’s Parental Controls: Watching and Warning

With Windows 10, Microsoft has made their family account settings more visible and easier to access than ever before. These settings have been available since Vista (requiring separate downloads in Vista and 7, natively available in 8), but were somewhat more obscure and not as feature-rich as they are now. For the most part, these are really smart, fantastic tools for parents, including things like screen time limitations, web and application filters, and prepaid balances for a child’s Xbox/Microsoft account to allow them to make purchases without having unfettered access to their parent’s credit or debit card.

Unfortunately, the family settings also include (and, again, have always included) activity/web reporting, and there is a very justified concern that this kind of reporting could lead to the careless (and dangerous) outing of LGBTQIA kids to bigoted parents.

To be honest, the way this information was presented made it sound somewhat Orwellian in scope, so I decided that I would investigate by setting up an old throwaway Live account I made to share pictures of my daughter with family as a child account.

Most of the administration is done through the web interface at account.live.com, under the family tab. Once you click through to the child’s account, this is the first screen you see, exactly as it appears on a new child account:

As you can see, both Activity Reporting and emailed reports are enabled by default. Parents have to intentionally turn these features off if they are using a child account.

Somewhat more surprising, web filtering (under the web browsing tab) is NOT turned on by default. I went ahead and enabled it for my tests to see what was allowed and blocked by default (whitelisting and blacklisting sites is very easy).

For some strange reason, my child account would not allow me to take screenshots, but I captured screens with my phone.


This notification greets child accounts EVERY TIME THEY LOG IN, which immediately made me feel better about what MS is doing (more editorializing in a bit). Any time a child logs in to their account, they know if they are being watched, which is a big deal.

Next, I decided to do some testing of blocked and reported content. The parent account had already installed Chrome and Firefox, so I loaded up all three browsers and tried visiting various webpages.

Major news sites largely loaded with no issue, and visits to most of the common gaming sites were no trouble. Strangely enough, Kotaku must have been flagged as having potentially objectionable content, because I got this screen when I tried to visit:

Other sites that were more likely to be outright blocked, such as Reddit, did not return any error at all - they simply did not load. Google.com also did not load (I presume this is because Microsoft can’t force Google to load only “safe search” results), though Google accounts loaded just fine, as did Google ad services.

Because I wanted to get a good idea of what the parental controls were and were not capable of, I tried to go into InPrivate/Incognito mode in all three browsers. The keyboard shortcuts were disabled, and any options to open new windows in these private modes were simply missing. I didn’t expect so simple a workaround as using a different browser to work, but it’s always worth checking for the basic vulnerabilities in a system first.

Next, I tried to download and install the IPVanish VPN client. I did not actually try to visit any websites with it active, because installation AND program use both require admin privileges, which the child account does not have, so a child wanting to use a VPN would have to either know their parent’s password (in which case these family settings could be bypassed anyway) or have their parents supply the password every time they logged in. Even if the VPN hides their activity, the necessity for parental involvement makes it worthless as a tool to avoid parental invasions of privacy.

Finally, I tried a few web-based proxies (specifically: hide.me and proxfree). Bing will happily search up free proxies for restricted accounts, and using the proxies, I sailed right through to previously inaccessible sites with ease. Kotaku and reddit both loaded right up.

PARENTAL RESULTS

With a nice browsing history worked up, I logged back in to my parental account to see what my snooping eyes could see and found out something interesting: parental accounts do NOT get real-time web reports. All night long, my parental account had a blank screen for web history. The next morning, it had populated the previous day’s activity. This means that parents can’t just sit and monitor a child in real time, so no “catching them in the act.”

The following morning, the parental account had a full history:

You’ll notice that it shows attempts to visit questionable websites that require permission, but it does NOT show attempts to visit sites that it simply refused to load, like reddit. You’ll also notice that in the right-hand bar, there are “block” and “allow” buttons that enable instant white and blacklisting.

Here, you see that the hide.me visits are reported. The good news is that, since this report shows EVERYTHING, including EVERY SINGLE AD AFFILIATE, a parent who doesn’t know what they’re looking for could very easily miss this proxy in the noise. Parents who DO know what they’re looking for, though? Chances are good they’ll see the proxy visits if they take the time to actually sift through the entire report.

Each root site listed can be expanded into a more detailed view. Fortunately, hide.me was as good as its word. Here is the detailed view from those 4 visits:

Parents can block proxies as a child uses them, but there are a LOT of proxies out there, so that is a Sisyphean task, at best.

Another important thing to note is that, while unique URLs visited are reported, a child’s search history on Bing is kept private.


Past the web history, these are the other stats collected on a child account:

There is no explicit data given to parents here (no screencaps or DVRed activity), but parents can easily block apps their children should not be using, and the screen time limit is a very good tool for younger children.


Tim’s Theory:

Once I saw that Microsoft warns child accounts at every single login that they are being watched, I started developing a theory:

Microsoft understands the privacy concern of spying on kids, and they’re trying to get in front of it and give kids the power to protect themselves where they might not otherwise have it.

There have been tools to allow parents to spy on their kids for as long as there has been internet access for parents to spy on. A lot of these tools are just prettied up versions of spyware that you would never, ever want on your computer, but a parent who is determined to spy on their kid usually doesn’t care.

By integrating parental controls that include spying by default, Microsoft can give parents a “safe” monitor while also warning kids that they are being watched. This means the computer and its users are safer (no keylogging, screencapturing, or camera hijacking for third parties to gain back-door access to), and a child’s privacy is safer (passwords, even for logging in to the computer, are not revealed to a parent).

By not turning on web filtering by default, MS may be trying to subtly suggest that, rather than blocking your kids, you should be talking to them.

By not blocking even well-known proxy servers when web filtering is turned on, MS is giving kids an escape route from watchful eyes.

I would be far more comfortable if the spying were not turned on by default, but I feel like MS turns it on by default (and makes it sit right at the top of the page in the family controls) to make parents think about what they’re doing to their child’s privacy.

Everyone has to learn how to protect their privacy online, and, unfortunately, that includes kids. There are ways to be smart about “forbidden” websites. Kids at risk of having secrets exposed to their parents need to be made aware of how to be safe.

The biggest and best advice to keep yourself safe when being watched? Do a LOT of “not secret” browsing. Flood that report with “normal” websites, and keep your proxy visits to a minimum. Make it look like noise in the report. When you are on the proxy for something, make sure you go to a non-proxy tab every so often and click through to a new thing.

Also, don’t use just one proxy. Make yourself a list of proxies. Here are a few to start with:

http://hide.me
http://www.proxfree.com
https://www.vpnbook.com/webproxy
http://www.proxy4free.com/list/webproxy1.html

You should not have to protect yourself from your parents, but knowing you’re being watched is a more valuable tool than you might think.

And if you’re a parent reading this? Instead of stalking your kids, try talking to them, instead. They deserve their privacy.