We can assure you that we do not de-crypt or re-encrypt any part of a user request. In order to perform the filtering function, Webshield looks at the user REQUEST URL to determine the host portion of the HTTP-part of an HTTPS request. This allows Webshield to carry out an allow/deny decision on the requested host name of the server, prior to any data being fetched from the web server (the RESPONSE). The software that Capita uses allows us to use either the full URL when asking for an allow/deny decision, or just the hostname of the web site (note this is still the REQUEST not the RESPONSE).
Following the action taken by Webshield to either allow or deny the REQUEST, if the request is valid, no further interaction takes place: the data is fetched from the web server and delivered through the Webshield proxy server directly to the web browser. As stated, we do not at any stage de-crypt or re-encrypt data and neither is there caching of any data, nor any data held on the Capita operated proxy servers. When the actual requested data is fetched it simply flows through the proxy server; the transmission over the Internet is secured, as is the transmission across the emPSN. We do not log, nor cache any aspects of content from the RESPONSE.
Obviously if the request is not valid/denied the user will receive a deny page from Webshield.
This process is the same for HTTP requests and for HTTPS requests, and our Webshield service does not differ in this sense from the previous embc service.
We are required by both duty of care responsibility, and by UK law enforcement organisations to trace requests back to their source should an investigation be triggered. The Webshield system report logs enable us to trace users and timestamp the URL requests but again this does not allow us to inspect at any time detail or content. This is also a requirement of the emPSN and therefore of the service.
I presume, based on your concerns that we were inspecting content, you asked if the school can opt out of this HTTPS inspection entirely and remain on the current filtering system.
The answer is you can, but opting out will have an operational impact on your school users. You will lose the flexibility of per-user filtering for HTTPS web sites, which typically impacts the staff in school who are more likely to access these sites. Such that, should an HTTPS web site be denied by your site-wide policy (e.g. banking), you lose the advantage of user-based filtering (UBF), i.e. role-based/profiled access to the internet. Even if you log in, no action can be taken to relax the filtering for this web site.
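
A sketch of the host-only allow/deny decision described above, assuming the browser reaches the proxy with a plaintext HTTP CONNECT request (the statement does not say which mechanism Webshield uses). This is an added example, not Capita's or Webshield's code; the domain lists, role name and function names are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

class Decision(NamedTuple):
    host: str
    allowed: bool
    reason: str

# Constructed policy data (not from the page): a site-wide deny list and
# per-role relaxations standing in for user-based filtering (UBF).
SITE_DENY = {"bank.example"}
ROLE_ALLOW = {"staff": {"bank.example"}}

def parse_connect(request_head: bytes) -> Tuple[str, int]:
    """Return (host, port) from the CONNECT line sent before any TLS bytes.

    Only "host:port" is present here: no path, query string or page content,
    so the decision is made on the REQUEST without decrypting anything.
    """
    line = request_head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, version = line.split(" ")  # ValueError if malformed
    if method != "CONNECT" or not version.startswith("HTTP/"):
        raise ValueError("not a CONNECT request")
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    # Normalise so "WWW.Bank.Example." and "[::1]" compare predictably.
    return host.strip("[]").lower().rstrip("."), int(port)

def matches(host: str, domains) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(request_head: bytes, role: Optional[str] = None) -> Decision:
    """Allow/deny on hostname only; role is None when no user is identified."""
    host, _port = parse_connect(request_head)
    if not matches(host, SITE_DENY):
        return Decision(host, True, "not on site-wide deny list")
    if role is not None and matches(host, ROLE_ALLOW.get(role, ())):
        return Decision(host, True, "relaxed for role " + role)
    return Decision(host, False, "site-wide deny")

if __name__ == "__main__":
    # Constructed sample request head, as a browser would send to a proxy.
    sample = b"CONNECT www.bank.example:443 HTTP/1.1\r\nHost: www.bank.example:443\r\n\r\n"
    print(decide(sample))           # no user identified: site-wide policy
    print(decide(sample, "staff"))  # identified user: role-based relaxation
```

With `role=None` the site-wide deny always wins, which mirrors the opt-out case in the reply where logging in cannot relax filtering for a denied HTTPS site.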