Policy on Responsible and Ethical Use of Computing Resources

Final version, approved by the CIT October 26, 1998.
Revisions approved by the CIT November 4, 2002

1 Introduction

I was employed by Wake Forest University in systems-related work for over 5 years, so I chose to do my policy analysis on their information usage guidelines. The original document is located at http://www.wfu.edu/Organizations/CIT/ethical_use.html . My comments are included in red throughout this copy.

This policy is intended to promote the responsible and ethical use of the computing resources of Wake Forest University. Copies of the policy shall be provided to all users of the Academic Computing System, and every effort shall be made to ensure that all users read the policy at least once.

The policy applies to all computer and computer communication facilities owned, leased, operated, or contracted by the University. This includes, but is not limited to, word-processing equipment, microcomputers, minicomputers, mainframes, computer networks, computer peripherals, and software, whether used for administration, research, teaching, or other purposes. The policy extends to any use of University facilities to access computers elsewhere.

1. The previous statement clearly establishes the scope of the systems covered under this policy. It helps to prevent people from claiming they did not know that their particular computer was covered under these regulations.

The administrators of various on-campus and off-campus computing facilities, and those responsible for access to those facilities, may promulgate additional regulations to control their use, if not inconsistent with this policy. System administrators are responsible for publicizing any such additional regulations.

2. A clause which gives IS administration the flexibility to change or amend this policy as future circumstances may require. Gives scalability to the policy.

2 Basic Principles

The University's computing resources are for instructional and research use by the students, faculty, and staff of Wake Forest University. Ethical standards which apply to other University activities (Honor Code, the Social Rules and Responsibilities, and all local, state, and federal laws) apply equally to use of campus computing facilities.

3. The preceding paragraph, and paragraph 3 of this section, clearly delineates the user domain to which the system is available and to which this policy is applicable. This lays the framework for excluding and possibly prosecuting "outsiders" who have been accessing the system, but to which no specific violations of system security policies can be attributed.

As in all aspects of University life, users of computing facilities should act honorably and in a manner consistent with ordinary ethical obligations. Cheating, stealing, making false or deceiving statements, plagiarism, vandalism, and harassment are just as wrong in the context of computing systems as they are in all other domains.

4. This statement links this specific IS policy to the more encompassing organizational behavioral standards. This is especially effective in a university as often college students seem to check their moral/ethical compasses, at the door, before logging on to a PC.

Use of campus facilities is restricted to authorized users. For the purposes of this document, an ``authorized user'' shall be defined as an individual who has been assigned a login ID and password by Information Systems staff (on any relevant system), or by an authorized agent.

See note 3.

Individual users are responsible for the proper use of their accounts, including the protection of their login IDs and passwords. Users are also responsible for reporting any activities which they believe to be in violation of this policy, just as students are responsible for reporting Honor Code violations.

Individuals should use only those computing facilities they have been authorized to use. They should use these facilities:

5. This statement establishes the individual's responsibility for maintaining system security, establishes "levels" of accessibility and privilege based upon the duties and responsibilities granted to an individual, and introduces the concept of the right to privacy of other system users.

Inappropriate activities which are already covered under other University policies are to be handled in the same way, and by the same authorities, as if a computer had not been involved, following established guidelines. In such cases the Information Systems Department will follow the advice of the appropriate authorities, although it reserves the right to add additional, computer-oriented punishments when the abuse involves the use of campus computing resources. Violations that relate exclusively to this policy and other computer usage policies (such as forging mail and interfering with the use of campus computer resources) shall be handled by Information Systems directly.

6. Once again, a linkage to the behavior and security standards of the organization, as a whole. The paragraph also establishes spheres of responsibility for implementing punishment for systems abuse. It alludes to possible double-edged punishment from both academic/administrative units and the IS department itself.

3 System Monitoring

This statement serves as notice to all users of campus computing systems that regular monitoring of system activities may occur. (But see also section 4 below.)

Only the following persons are authorized to engage in system monitoring; the Chief Information Officer or Assistant Chief Information Officer, Director of Networking, Director of Systems, Assistant Manager of Systems, and any Systems Administrator or Network Administrator (on the systems or networks they administer).

Detailed records of all system monitoring that takes place (routine or not) shall be kept, and may be inspected by the Provost or an appointed representative of the Provost at any time.

The following may be monitored by the above-mentioned staff:

  1. Any system log files which contain information pertaining to processes executed on a given system.
  2. System directories, temporary storage areas, work areas, and all areas outside of users' personal files. (Personal files are defined as any files created by and/or owned by the user.)
  3. Unsuccessful attempts to log into an account or a network.
  4. Attempts to gain unauthorized access to departmental or personal machines within the campus community.
  5. Attempts to disguise the source of electronic mail.
  6. Personal computers associated with reported incidents of harassment or other violations of acceptable use policies, or user complaints.
  7. Any activity which in the opinion of the above-mentioned staff appears to compromise the security or integrity of the operating system.

In addition mail messages with invalid recipient or sender fields are commonly sent to the ``Postmaster'', who will examine them to determine the cause of the problem. Complaints brought by users may also result in examination of relevant files and emails, pursuant to approval by the appropriate authority. (See section 4.) In the latter case, the email recipient must give permission in writing before such an investigation can proceed.

7. This serves as prior notice to the user population that electronic monitoring can and will be implemented on the information system. It also acts to restrict system monitoring to a small group of high-level system administrators to help allay peoples fears that their personal communications might be intercepted by friends or colleagues. As we know, system administrators may have a few coworkers, but they certainly have no friends in the organization:=) The policy is pretty specific as to the type of monitoring which will be done. It is actually far more informative than it legally has to be under the workplace exemptions granted by the Electronic Communications Privacy Act. Of course the catch all statement in point 7, gives the IS department the fudge room it needs to employ whatever other technologies it may deem necessary in response to a perceived crisis.

4 Privacy

All users, including the members of the Information Systems staff, should respect the privacy of other authorized users. Thus they should respect the rights of other users to security of files, confidentiality of data, and the ownership of their own work.

8. A general statement about rights of privacy which is pretty much negated in the specifics below.

Nonetheless, in order to enforce the policies set out here, the Information Systems staff listed in section 3 are permitted to monitor activity on local computing systems. In general, the staff may routinely search a University-owned file system for potential violations of these ploicies. When there is clear evidence of a violation deemed serious by the appropriate authorities, they may view users' files, monitor keystrokes, and otherwise observe users' activities. In cases deemed especially serious by the appropriate authorities, Information Systems staff may read users' email, but only after obtaining permission from the appropriate authority.

9. Here they actually introduce the possibility of Desktop Monitoring Software, which from my past experience with other colleges and universities is quite unusual. However, having worked there, I know this is pretty much in line with the corporate as opposed to academic image which the WFU administration wishes to project. A question I would have is, "if the DMS is installed, what precautions are being taken to prevent them from being abused by "non-authorized" users.

If a member of the University community outside of Information Systems reports activities in apparent violation of the policies described here, IS will inform the appropriate authorities of the complaint. Upon approval, an investigation of a user's computing activites, emails, and files may be initiated by Information Systems. In such a situation, a record of the investigation shall be placed in a permanent file to be kept in Information Systems, beyond the standard log of all systems monitoring. This record shall state why the user was investigated, what files were examined, and the results of the investigation. Information Systems staff shall not reveal the contents of users' files, users' activities, or the record of investigations except under in the following cases (and then only with the approval of the Assistant Vice President for Information Systems or the Provost):

  1. Evidence of Honor Code or Social Rules and Regulations violations will be referred to the Dean of the appropriate college, or to the Dean of Students.
  2. Evidence of improper activities by University employees will be referred to the Director of Human Resources or the appropriate University officers.
  3. Evidence of violations of law will be referred to the appropriate law enforcement officials.

Should Information Systems receive an inquiry concerning whether a user has had computer-related disciplinary action taken against him or her, IS staff will provide only a confirmation of the disciplinary action taken and the dates of the action. No information regarding the reasons for the action will be provided to anyone except the user and the authorities involved, and no names may be given. (For example, if someone asks about the person that broke into their account, they are only told the punishment and dates of the punishment - not who broke into the account. IS staff are committed to abide by existing privacy laws.)

10. Admission that archived data of computer abuse will be maintained. Although they do a good job of laying out when and under what circumstances this information will be used, it would be comforting if they spelled out the security implemented to protect these files from all but "authorized users." Again, although this practice seems reactionary in a university, it is standard practice in the business world. The American Management Assoc. took a survey in 2001 that showed that over 80% of American firms monitor and document computer abuse in a similar fashion.

5 Prohibited Activities

The following list is intended to aid in interpreting the principles set out above; the list should not be construed as comprehensive. Examples of actions in violation of the approved principles are:

  1. Providing copyrighted or licensed material to others while maintaining copies for one's own use, unless there is a specific provision in the license which allows this. This activity is forbidden even if the material is provided without cost for an educational purpose.
  2. Using software or documentation known to have been obtained in violation of the Copyright Law or a valid license provision. Use of a copyrighted program obtained from another party, for which no license exists that allows such a transfer, will be presumed to be knowing and the burden of demonstrating that the use was innocent will rest with the user.
  3. Using a copyrighted program on more than one machine at the same time, unless this is permitted by a specific license provision.
  4. Copying any copyrighted material or licensed program contents, unless allowed under the fair-use doctrine or explicitly permitted by the copyright owner. (For further information, see http://www.wfu.edu/Library/copyright )
  5. 11. I think WFU is onboard with the National Business Software Alliance to get price breaks from software vendors for strictly enforcing copyright laws. I know they are serious about these first four points. A student or staff member risks serious disciplinary action if he/she turns in a laptop for upgrade or repair that has pirated software on it.
  6. Interfering with others' legitimate use of computing facilities.
  7. Using the computer access privileges of others.
  8. Providing any unauthorized user with access to a personal login ID, or in any way allowing others access to a machine under one's own name. This includes providing access to campus computing resources without the express written permission of Information Systems.
  9. 12. Puts personal responsibility with the user for protecting his account and password and by proxy, the system itself.
  10. Intentionally creating, modifying, reading or copying files (including mail) to or from any areas to which the user has not been granted access. This includes accessing, copying, or modifying the files of others without their explicit permission.
  11. Disguising one's identity in any way, including the sending of falsified messages, removal of data from system files, and the masking of process names. This prohibition includes sending electronic mail fraudulently.
  12. 13. Point 9 is very important as universities are often sources of fraudulent email activity and redirected spamming.
  13. The establishment of any function which provides unauthorized access, via the Internet connection or otherwise, without the written permission of Information Systems. For example, users may not install games which allow users to access academic computers without a valid login ID.
  14. Sending harassing or libelous messages via any digital means.
  15. Sending chain letters via electronic mail.
  16. Using University facilities to gain unauthorized access to computer systems off-campus.
  17. 14. An attempt to subvert would-be hackers, both on and off-campus who like to "home-base" on a university system.
  18. Use of campus computer facilities for commercial purposes without prior written permission.
  19. Attempting to interfere with the normal operation of computing systems in any way, or attempting to subvert the restrictions associated with such facilities.
  • 15. A pretty comprehensive list of "do nots" with a wide-open clause in the first sentence of this section to allow the addition or reinterpretation of any guideline. However, giving their commitment to software copyright, I am surprised that they have not made any explicit statement about using the university system for setting up file sharing servers to distribute copyrighted audio/video materials. Perhaps Jack V. needs to include them on the circuit of his morality crusade.:=)
    •

    6 Disciplinary Actions

    Substantial evidence of a violation of the principles described in this policy statement may result in disciplinary action. As stated above, in cases where a policy already exists, and the only difference is that a computer was used to perform the activity, such action will be taken through appropriate University channels such as administrative procedures, the Honor and Ethics Council, the Graduate Council, or other supervisory authority to which the individual is subject. Violation of State or Federal statutes may result in civil or criminal proceedings. Otherwise, however, those who engage in computer violations are subject to Information Systems.

    System administrators, with due regard for the right of privacy of users and the confidentiality of their data, have the right to suspend or modify computer access privileges, examine files, passwords, accounting information, printouts, tapes, and any other material that may aid in maintaining the integrity and efficient operation of the system. Users whose activity is viewed as a threat to the operation of a computing system, who abuse the rights of other users, or who refuse to cease improper behavior may have disciplinary action taken against them.

    Violation of the the policies articulated here may result one or more of the following, plus any additional actions deemed appropriate by Information Systems:

    1. Suspension of one's ability to perform interactive logins on relevant machines on-campus.
    2. Suspension of one's ability to login to a campus network.
    3. Suspension of one's ability to send email.
    4. Suspension of one's ability to receive email.
    5. Increased monitoring of further computer activity (beyond normal systems monitoring).

    Upon taking action, Information Systems will notify the user in writing within 24 hours. The notice will clearly state which policies allegedly were violated. The suspended user must contact the Assistant Vice-President of Information Systems or his designated representative (the ``policy enactor'') regarding the suspension. After discussing the alleged violation, the policy enactor may undo any or all of the disciplinary action, or continue action for up to one year. If the user has not contacted the Representative within seven days of the disciplinary action, the Representative will render a decision and notify the user as specified below.

    In the event that the user and the policy enactor are unable to resolve the matter to the user's satisfaction, he or she may appeal to the Director of Information Systems within seven days. The Director of Information Systems may modify or sustain the decision. When disciplinary action is taken, a written notice will be sent to the user and the Office of the Provost explaining the length of the punishment and the violations which occurred. Copies of this notice will be sent to administrators of other campus computing systems on a need-to-know basis. Information Systems also will forward this notice to the authorities specified above if there is reason to believe a violation of other University policies or law has occurred.

    If a revoked privilege is needed by a student to complete classwork, the student must obtain a note signed by the professor in question explaining why the privilege is required, to be sent to the policy enactor. Only the minimum privileges needed for the student's class activities will be restored. Any further abuse by the student in question will lead to the privilege being revoked anyway. Information Systems reserves the right to monitor previous offenders for further abuse.

    Any disciplinary action taken by Information Systems may be revoked and/or modified by the Provost of the University or anyone the Provost designates to deal with such matters.

    16. This section lays out the disciplinary and appeals process pretty well. I am glad that they relegated the final appeal to a student's suspension to an Academic official (the Provost), as opposed to leaving it with the Director of Information Systems (who is however, a very pleasant and reasonable guy who is working on his Ph.D. at UNC-SILS.)

    7 Changes to This Policy

    Information Systems may, in consultation with the Committee on Information Technology, change or amend this policy from time to time. When changes are made, they will be announced through whatever messaging system is currently in use. As with all matters of law and ethics, ignorance of the rules does not excuse violations.

    File translated from TEX by TTH, version 1.67.

    The only things I thought to be significant omissions from this policy were statements referring to remote-access restrictions and virus protection and prevention. SANS includes these two subjects as suggested components in its Short Primer for Developing Security Policies. Although these points are covered elsewhere on the WFU-IS web site, I think there really should be some guidelines laid down in this document, as it establishes the primary themes for regulating the computing experience at WFU.