PAS 74:2008

Internet safety
Access control systems for the protection of children online
Specification

ICS 35.040; 35.080

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

PUBLICLY AVAILABLE SPECIFICATION

Licensed Copy: Wang Bin, ISO/EXCHANGE CHINA STANDARDS, 11/07/2008 03:21, Uncontrolled Copy, (c) BSI

Publishing and copyright information

The BSI copyright notice displayed in this document indicates when the document was last issued.

© BSI 3 April 2008

ISBN 978 0 580 49979 1

Amendments issued since publication

Amd. no.    Date    Text affected

Contents

Foreword
Introduction
1 Scope
2 Terms and definitions
3 Abbreviations
4 Internet-based content
5 Internet-based communications
6 Security of settings
7 Installation and implementation including initial configuration
8 Configuration
9 Maintenance
10 Uninstall/removal
11 System support
12 Product description and user documentation
13 User education materials
14 Conformity declaration

Annexes

Annex A (normative) Overview of the test laboratory process
Annex B (normative) Categories of inappropriate content
Annex C (normative) Criteria to be used for checking compliance against Clause 4: Internet-based content
Annex D (normative) Criteria to be used for checking compliance against Clause 5: Internet-based communications
Annex E (normative) Categories of Internet-based communication services
Annex F (normative) Criteria to be used for checking compliance against Clause 6: Security of settings
Annex G (normative) Criteria to be used for checking compliance against Clause 7: Installation
Annex H (normative) Criteria to be used for checking compliance against Clause 8: Configuration
Annex I (normative) Criteria to be used for checking compliance against Clause 9: Maintenance
Annex J (normative) Criteria to be used for checking compliance against Clause 10: Uninstall/removal
Annex K (normative) Criteria to be used for checking compliance against Clause 11: System support
Annex L (normative) Criteria to be used for checking compliance against Clause 12: Product description and user documentation

Bibliography

Summary of pages

This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 33 and a back cover.

Foreword

This Publicly Available Specification (PAS) has been prepared by The British Standards Institution (BSI) in consultation with the Home Office and Ofcom and associated groups to provide a specification for access control systems for the protection of children online.

Acknowledgement is given to the following organizations that were involved in the development of this specification:

Becta
Borderware Technology
BSI Product Services
Child Exploitation and Online Protection Centre (CEOP)
Cyberpatrol from SurfControl
The Home Office
The Home Secretary's Task Force on Child Protection on the Internet
Intertek Research and Performance Testing
Microsoft
Mobile Broadband Group
NCH
Ofcom (Office of Communications)
The Children's Charities

In this Publicly Available Specification, the word "shall" indicates a requirement. The word "should" indicates a recommendation. Paragraphs marked NOTE are for guidance in understanding or clarifying the associated requirement.

This PAS has been prepared and published by BSI, which retains its ownership and copyright. BSI reserves the right to withdraw or amend this PAS on receipt of authoritative advice that it is appropriate to do so. This Publicly Available Specification will be reviewed at intervals not exceeding two years and any amendments arising from the review will be published in an amended Publicly Available Specification and publicized in Update Standards. Feedback on this Publicly Available Specification and future work will be gratefully received. This specification is not intended to restrict new developments in design and materials.

This Publicly Available Specification is not to be regarded as a British Standard. It will be withdrawn if its content is published in, or as, a British Standard.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a Publicly Available Specification does not in itself confer immunity from legal obligations.

Introduction

The Home Secretary's Task Force for Child Protection on the Internet was created in 2001. Its aim is to make the UK the safest place in the world for children to use the Internet and to help protect children across the world from abuse fuelled by criminal misuse of new technologies. The Task Force brings together representatives from law enforcement agencies, child protection organizations, the Internet industry, Government and representatives from opposition parties.

The Task Force's work to date includes the development of models of good practice for providers of Internet chat, instant messaging, web-based services and search services, guidance on the moderation of interactive services, and is currently developing good practice guidance for providers of social networks and user-generated content services. The Task Force also contributed to the development of codes of practice for new forms of content on mobile phones and passive location services and worked on public awareness campaigns and guidance for young people, and their parents and carers, for using the Internet and related technologies safely. In addition to the above, the Task Force recommended the creation of the Child Exploitation and Online Protection Centre (CEOP).

Recognizing the role of parents and carers in developing a safe Internet environment, a subgroup of the Task Force was created in 2003 to specifically consider rating, filtering and monitoring products (access control systems) for use in the home.

At this time numerous commercial products were emerging, but there were concerns over their quality and effectiveness. Additionally, there was no permanent, independent source of evaluation for such products, meaning that parents/carers often faced difficulties in understanding the many issues, and in finding reliable products which met their requirements.

In 2004, the subgroup coordinated a short-term project to produce a guide for parents on available options for managing their children's use of the Internet. Longer-term aims included the development of a solution for keeping parents informed of the risks, and suitable products and services for managing them, which could also keep pace with technological changes. The subgroup decided to develop a third-party conformity certification scheme against which access control systems could be tested, providing impartial advice to parents on product features, capabilities, ease of use and confidence in their quality.

This Publicly Available Specification has been developed primarily for use by software developers working with access control systems. It sets out the minimum performance requirements for the access control systems to obtain a third-party conformity certification. An overview of the laboratory procedures is given in Annex A.

It must be recognized however, that no access control system can be effective 100% of the time and that, despite rigorous controls, there may still be occasions when inappropriate materials may be accessed. In such instances, providing education on the issues, and developing strategies for protecting themselves, is essential in helping children and young people become safe and discriminating users of Internet-based content and services.

This Publicly Available Specification is primarily aimed at the development of access control systems for use in the consumer market in the UK. It covers both those products installed locally (i.e. by a parent/carer on a home computer) and remotely managed products/services (i.e. those products or services offered by Internet Service Providers). The development of this Publicly Available Specification has been jointly sponsored by the Home Office and Ofcom.

1 Scope

This Publicly Available Specification specifies requirements for products, services, tools and other systems that allow UK adult Internet users to easily control children's access to inappropriate Internet-based content and services.

It specifies requirements on:

a) ease of installation, configuration and use;
b) effectiveness;
c) minimum features;
d) ease of updating;
e) quality of instructions;
f) consumer communications and support.

By using a certified product or service, parents/carers will have confidence in the ability of the access control system to:

a) block inappropriate content (see Clause 4);
b) block communications via Internet-based services that are inappropriate (see Clause 5);
c) prevent unauthorized users from changing or disabling the access control settings (see Clause 6);
d) provide an appropriate level of protection (as specified by this PAS) upon implementation/installation either through the use of default settings or configuration in accordance with user documentation (see Clause 7);
e) configure the product or service where such a capability is offered (see Clause 8);
f) remain up to date (within the terms of any licensing or subscription requirements) (see Clause 9).

Furthermore, where the access control system can be installed, parents/carers will have confidence in their ability to uninstall/remove the product or service (see Clause 10).

By using a certified product or service, parents/carers will:

a) have confidence in the ability to obtain suitable system support should they encounter problems with implementing, maintaining or installing/removing the access control system (see Clause 11);
b) have confidence in the level and quality of information they will receive in the product description and user documentation provided with the product or service and will have confidence in the quality of the instructions to enable them to effectively install and configure the access control system to an effective level of protection (see Clause 12);
c) have access to user education materials providing information and links to information that enable parents/carers and children to stay informed of the issues and risks of using the Internet (see Clause 13).

2 Terms and definitions
For the purposes of this Publicly Available Specification, the following terms and definitions apply.

2.1 access control system
software product or service, including user documentation, designed to provide safeguards against inappropriate content and contact when using the Internet and/or related technologies through a process of filtering and blocking
NOTE Although this term is primarily used within this PAS to describe software used on a computer, access control systems can apply to any type of communications device providing access to Internet-based content and services, such as mobile phones, handheld devices and Internet-enabled games consoles.

2.2 blocking
prevention of access to content or services in its entirety (e.g. chat)

2.3 certification body
third-party body contracted to provide certification to a customer

2.4 chat
real time communication between two or more users over the Internet in virtual meeting places or chat rooms (see also 2.13)

2.5 communication
any process where data (such as messages, files or administration information) is conveyed between computer systems

2.6 content
any material, such as text, images, sound, animation or video, which can be accessed or received using the Internet

2.7 email
system of sending messages (which may include text, images, sound, animation or video) over the Internet for immediate or later retrieval

2.8 end user
person who is protected by the access control system
NOTE It is anticipated that in most instances the end user will be a child, young person or vulnerable adult, but if the access control system or system software allows for multiple user accounts to be created it could be any person using the computer/device.

2.9 filtering
selective blocking of content (e.g. web pages) against specified criteria

2.10 hate material
material which promotes hatred and intolerance (see also 2.25 and B.3)

2.11 inappropriate content
material which, while not illegal, may not be considered suitable for a particular person
NOTE The content covered by this definition are listed in Annex B.

2.12 inexperienced user
person who has basic IT skills considered to include a basic knowledge of navigating an operating system, system desktop (user interface) and running productivity tools, but includes little to no experience of configuring system changes for both hardware and software
NOTE It is assumed that the parent/carer is an inexperienced user (see 2.19).

2.13 instant message
collaborative messaging system which allows communication and sharing of files in real time over the Internet (see also chat), usually one-to-one

2.14 Internet
global interconnected network of networked computers, providing an infrastructure through which applications such as web browsing, email, chat and instant messaging operate

2.15 Internet Service Provider
provider of Internet services such as Internet connectivity and web site hosting

2.16 manufacturer
organization which develops the access control system

2.17 newsgroup
area categorized by its subject on Usenet, where users can post or read comments about that subject

2.18 overblocking
prevention of access to acceptable content as a result of the controls imposed by an access control system

2.19 parent/carer
person who authorizes the implementation and configuration of the access control system
NOTE 1 It is anticipated that in most instances the local administrator will be a parent (or other responsible adult) who wishes to provide access controls on a computer or other Internet-enabled device within the home setting.
NOTE 2 It is assumed that the parent/carer is an inexperienced user (see 2.12).

2.20 post, posting
process of contributing to a forum or newsgroup or publishing comments or other material, typically on a website which is viewable by others

2.21 product description
readily accessible information stating the properties of the access control system
NOTE The product description c