Much of the content available for downloading from the world wide web (www) is unsuitable for viewing by children. This includes in particular material of an adult or otherwise disturbing nature. Even adult users may wish to be protected from viewing material that they deem to be offensive. Organisations and businesses also often wish to restrict access to such material to prevent employees from viewing this material during working hours. Users that have restrictions imposed upon them, or choose to apply restrictions to themselves, are referred to below as “restricted users”. Content that should not be provided to such users is referred to as “restricted content”.
Access to unsuitable material may be controlled by implementing software procedures on client computers and/or local area network servers. For example, software may be run on a client computer which integrates or interfaces with a web browser application to filter outgoing web access requests and received web pages and data. Such mechanisms often rely on parsing incoming and outgoing data to detect the occurrence of suspicious text and or images, for example by matching this data against a database of known suspicious data. Another mechanism for restricting access involves maintaining at the client computer a database of suspicious websites (e.g. by recording uniform resource locators, URLs) corresponding to known websites to which access should be restricted, intercepting web download requests generated by a web browser, and blocking access when the URLs of the outgoing requests match those in the stored database. An alternative approach is to define at the client computer a white list of approved URLs, and to restrict access to only those URLs.
The known approaches are very effective at blocking access to websites, such as adult websites, which are wholly dedicated to distributing restricted content and which have no other content which a restricted user might otherwise wish to view. There are however certain websites which restricted users may wish to view for legitimate purposes but which also provide restricted content. Examples of such sites include Google™ and Youtube™ as well as other search engines and file sharing sites. In such cases, for example, an employee at an organisation implementing access restrictions may wish to view a particular video on Youtube which is not offensive and required for a valid work purpose. This should be allowed, whilst at the same time the user should be prevented from viewing restricted content. The approach described above of restricting access at the client to certain websites is unlikely to be effective in this situation, as it is highly unlikely that the restriction list maintained at the client will include web URLs in sufficient detail to discriminate between restricted and unrestricted pages within the website. Content filtering on the other hand may allow certain restricted content to pass, while blocking certain unrestricted content.
As well as implementing restrictions on the client side, some websites including Google and Youtube offer a further level of protection by allowing users to register a status with a website based “parental” control mechanism. These mechanism generally rely upon a username and password in order to set and modify the registered status. Once registered, data is stored at the client computer, e.g. by way of a cookie, such that any request sent from the client computer to the website is handled according to the status previously registered at the website. A possible problem with at least some of these website-based control mechanisms is that they allow a restricted user to create a new, alternative user profile set for unrestricted access, effectively over-riding a restrictive profile previously established at the website by a parent or administrator. Assuming that access to the website is not otherwise restricted on the client side, the creation of the alternative profile allows the restricted user to gain unrestricted access to the website. Even if the restricted user is unable to create such a fake profile at a website, the existing security approaches rely of course upon a parent or administrator initially creating a restricted profile at the website. It will be appreciated that, for many parents and administrators, this may not be the case particularly for sites that are not known or used by the parent/administrator.