With the proliferation of digital gadgets at home, more and more parents turn to parental control on the WiFi router as a solution to managing children’s online experience. If you do some research, you’ll find a number of choices in this category. That’s the good news – more options are available now than before. But how do you know which one best fits your needs? Unfortunately, the subject is highly technical and information is scarce. I’m writing this post with the hope that it’ll provide some help for parents to make an informed decision.
What Parental Control Routers Cannot Do
First of all, it is important that you understand the limitations of router based parental control. Routers can only control network activity and content delivery, they cannot control your kid’s screen time. For example, if your child downloaded a movie on his or her computer, they can watch it over and over again, at any time. There’s nothing a router can do about that. Or for that matter, Minecraft. Even though Minecraft has been singled out by several products to showcase their ability to curb screen addiction, a router (or any network device) can do pretty much nothing to stop children from playing the game. When Minecraft is played offline, it generates no network traffic. How does a router (or any network device) detect and stop the playing?
By the same token, routers can only control network traffic that travels through them. Therefore, if a device uses mobile network connection (e.g., 4G LTE), the router cannot control it.
On a higher level, technology is merely a tool to assist you with your parenting. Even though it helps you to put rules in place, technology can only play a secondary role. In fact, we don’t think that parental control should be thought of as a “control”. A parental control tool should not be used to show who’s the boss, but should only be considered as a utility to temporarily protect kids from the storms of the outside world before they are ready. Someday your kids will go out of the house and face real world storms on their own. You should never lose sight of that.
What Are Your Needs?
If all you need is filtering out inappropriate web sites, OpenDNS is probably all you need. It’s free and it’s supported by pretty much every router. However, since the same filtering is applied to the whole network, parents see the same restrictions they set up for children. Parents can override DNS servers on their own devices to bypass OpenDNS filtering, but so can children.
You probably also want some time scheduling functionality, such as turning off network access for children’s devices at night. Well, OpenDNS does not do that, but many general purpose WiFi routers do. All you need to know is to identify the MAC addresses of the devices you need to manage and set them up in your router.
With OpenDNS and your existing router, you can have a completely free parental control system if all you need is content filtering and simple time scheduling. However, this system can be easily bypassed. So if you have kids that have some technology knowhow (or know how to use Google and YouTube), this is probably not enough.
Web Surfing History?
Do you want to know what web sites kids visited? Some parents get that info by looking at the browsing history of the browser. But the browser’s history records can be erased. And if incognito mode is used, not recorded at all.
Again, OpenDNS provides a free service to help you get the info. All you need to do is to create an account with OpenDNS and use the OpenDNS Home service. You can log in to the OpenDNS dashboard and see what web sites have been visited from your home network. But the history info is for your whole network, you have to deduce which site visits originated from the kids.
As of now, pcWRT does not log web history. For the time being, you have to rely on OpenDNS to provide the info. However, work is underway to log site visits at the router. You’ll be able to see web surfing history per device once we finish the work.
Update 10/24/2017: The router provides Internet activity logging as of firmware version v1.25.
Subscription or No Subscription?
So you decided that you need something more than a basic router can offer. The next question is whether there’s a recurring subscription cost after the initial hardware cost. Some people feel a sense of security with a subscription model, others think it’s a financial burden. Another downside with the subscription model is, your router stops working the moment your subscription expires. The same is true if the company decides that it’ll stop providing the service, like what happened to the Skydog router.
The pcWRT router does not require a subscription. While we don’t rule out the possibility of value added subscription services in the future, the basic functions will always be subscription free. I.e., we can’t pull the plug and render your router useless.
Do You Need Safe Search?
In our opinion, this is a necessity. Many kids stumble across inappropriate websites through search results. Also, objectionable images may creep up in Google images search results. The much touted Skydog router, despite its many advanced features, did not support safe search.
Google provides tools to set up safe search in the browser, and lock it with a Google account. But you have to do this for every browser on the device. For example, if you have a computer with Firefox, IE and Chrome installed, you have to do this three times. However, when a child switches to incognito mode, the safe search settings and locks are no longer effective.
The pcWRT router can enforce safe search on a per device basis. It cannot be turned off at the browser and cannot be bypassed by switching to the incognito mode.
Cloud or Not Cloud?
Some routers are cloud based, some are not. The pcWRT router is a standalone router just like other general purpose routers you normally use. A cloud based router lets you manage it from anywhere you have Internet access. As it currently stands, the pcWRT router only lets you manage it when you are on your home WiFi network.
In theory, you can open up the router management interface to the Internet and manage it from anywhere. A lot of WiFi routers on market today will let you do this, even via the unencrypted HTTP protocol. We advice against it since it’s a huge security concern.
The Skydog router was a cloud based router, and it provided the managing from anywhere convenience associated with it being on the cloud. But since it depends on Skydog providing the cloud service, your router becomes useless as soon as Skydog drops support. Also, any glitch in the cloud service affects your whole Internet experience. In case a security flaw is found in the cloud service, your Internet will go dark until that is fixed.
With the next update, we are adding cloud management capability to pcWRT. So you’ll have the convenience of managing the router from anywhere, while retaining the reliability of a standalone router. You’ll have the option to enable or disable the cloud management ability.
Update 10/24/2017: The router provides remote management capability as of firmware version v1.22.4.
Keyword Blocking or Domain Filtering?
There are two ways to do content filtering: blocking pages by keywords or blocking domains by categories. Some products use a combination of the two.
In general, keyword blocking is resource intensive and often results in over-blocking. For example, if ‘crap’ is listed as a bad word, then ‘skyscraper’ might be inadvertently blocked. If ‘breast’ is listed as a bad word, then you probably can’t find any chicken breast recipes. One of the main complaints from children is that some web site that they need access to is blocked for no apparent reason, which could be a ramification of keyword blocking. Additionally, keyword blocking does not work on HTTPS web sites, for which the web traffic is encrypted. The router cannot snoop the contents without breaking the HTTPS protocol.
On the other hand, blocking by domain categorization requires that you have a comprehensive database of domain names with categorization information, and that the data is constantly updated. Filtering accuracy is squarely dependent on the quality of this database.
The pcWRT router uses DNS based domain filtering. Out of the box, you can choose OpenDNS or Norton ConnectSafe. Other filtering DNS providers can be configured by manually entering the DNS server IP addresses. You can augment DNS filtering with local black and white lists. The DNS service you choose cannot be overriden by changing DNS server IP addresses on individual devices, which blocks the main bypassing technique for DNS based domain filtering.
What About Time Limits?
The simplest way to set up time limits is a single time band per day, and maybe you can vary by weekday and weekend. Many off-the-shelf general purpose WiFi routers support setting time limits this way. Depending on the specific router model, you might be able to set time restrictions for specific devices by entering their MAC addresses.
Many parents want more flexible time management capabilities. Some wanted the ability to set a cap on the total amount of time spent online per day, by device or user, and by the categories of web sites visited. However, there are some technical difficulties in arriving at accurate numbers. Most computers and mobile devices have background network activities, which could be inadequately accounted for as active online time. Some applications (for example, Facebook Messenger) constantly contacts backend servers to check for new updates, even when kids are not actively using the device. While at other times, time spent on certain web sites may be under reported because the web site contents are delivered via Content Delivery Networks (CDNs). Inaccurate time reporting could give parents a false sense of security, while at the same time, if over counted, cause resentment from kids.
The pcWRT router allows you to set flexible time schedules. You can set different schedules for different devices, multiple time slots and different time ranges every day. You may also set different schedules for different web sites, therefore, limiting the amount of time spent on social networks while not inhibiting kids from doing research for their homework. Schedules, instead of aggregated time allocations, eliminate the ambiguities in time-keeping. By following a schedule, kids may also learn how to utilize their time more effectively and develop better time management skills.
Are You Sharing Computers?
If you share a computer with kids, how do you set up control policies? The router only knows that traffic is coming from the computer, it doesn’t know who’s logged in.
Some vendors solve the problem by reassigning the computer to a different user in the router every time user is changed, before that user logs in the computer. If you are using NETGEAR, you need to create a bypass account with the router and download a user utility program to your computer. When you want to bypass the rules you created, you need to open the user utility program, log in with your bypass account, and keep the user utility program running for your entire session.
With pcWRT, you have the option to enable an authenticating proxy server and create a proxy user account for yourself. Configure your browser to use the proxy server and remember your credentials (for your computer account only). Thereafter, every time you log in your account on the computer, a different set of policies associated with the proxy user will be applied instead of the policies for the computer.
Can the Controls Be Bypassed?
Yeah. That’s why some people say it never works. Kids will find ways to bypass them anyway, why bother.
While it may be true that most of the parental controls could be bypassed with enough effort, we do think that there is a difference between the existence of a barrier and no barrier. To draw upon a parallel, most locks can be picked by a skilled locksmith within 10 minutes, would you forgo putting a lock on your front door?
With no barrier, kids roam the Internet without any effort. With a barrier, they at least have to put in some effort to get their freedom. When the barrier is high enough, they have to put in a concerted effort to defeat it. They’ll need to have the initiative to work towards a goal, learn about computer technology, and have the determination to reach the goal. The process of trying to defeat your parental control might be a good learning process for them!
With pcWRT, there are several options you can turn on to make bypassing parental controls more and more difficult. At the very least, DNS overriding blocking is enabled by default and can’t be turned off. Optionally, you can turn on blocking for bypassing with hosts files and VPNs/proxies. Finally, you can require proxy authentication for all privileged users, which essentially blocks various kinds of “spoofing” techniques.
Does It Work with Your Network?
Ultimately, whatever parental control device you buy should work with your network. There may be things that are specific to your network which could cause compatibility problems. For example, maybe you use a certain brand of WiFi repeater that won’t work with the device you bought. Maybe you want to use another WiFi router as an access point to cover the whole house. Maybe you need to connect to your employer’s VPN to get work done from home, and you don’t want the parental control device to break your VPN connection.
The pcWRT router has been used in various home network setups and was found compatible in most scenarios. If you encounter problems, please let us know so that we can fix them and make the product better!
There is some overhead associated with parental control filtering. Whether you notice any network performance degradation depends on your Internet connection speed. Some slowdown will manifest when your Internet speed exceeds a certain value.
With pcWRT, we try our best to make the overhead minimal for filtered traffic. Our users have found that pcWRT throughput was much better than some other routers they’ve used. Additionally, the pcWRT router allows you to configure some devices on your home network to bypass parental control filtering altogether, therefore, eliminating the overhead for those devices and effectively raising the overall network throughput.
While this is last in the list, we think it is the most important. Security can be compromised due to usability requirements or filtering and monitoring requirements.
For example, you may be tempted to open up the router management interface to the Internet so that you can manage your router from anywhere. Indeed, many routers allow you to do just that, even over the unencrypted HTTP protocol. But doing so exposes your router to much greater dangers of being hacked.
Sometime security products, in order to monitor traffic coming in and going out of your system, actually weaken the original security measures provided by the system. In a recent study, anti-virus and parental control software were found to make your computer less secure. In 2015, a vulnerability was found in an older version of NetNanny that could open users’ systems up to man-in-the-middle (MiTM) attacks, HTTPS spoofing and intercept. In a 2014 report, the Electronic Frontier Foundation revealed numerous security flaws in the content control software ComputerCOP, and concluded that it was neither safe nor secure.
Our number one guiding principle in designing the pcWRT router is never sacrifice security for the sake of controllability or usability. Secure coding practices are applied throughout the product, and security reviews and tests are performed before every product release. The fact that pcWRT is fundamentally a standalone router also reduces the number of attacking vectors.
Each family has different requirements and priorities. There’s no one size fits all solution. Hopefully, the information provided here will provide you some help in arriving at an informed decision.