Issues in a Computer Acceptable Use Policy
Copyright 1999, 2002 by Ronald B. Standler
There are a number of issues that a university should
consider when establishing a university-wide policy on proper use of computers.
(The remarks below are phrased for computer systems operated
by universities, but similar issues arise in employees' use of computer systems
operated by for-profit businesses and also in subscriber contracts with
Internet Service Providers (ISPs).)
Aside from considering computer technology issues and
precisely drafting such regulations,
there are also legal issues in freedom of speech, privacy,
computer crime, copyright and trademark, etc.
that must be considered.
There are three general goals in writing an Acceptable Use Policy
for computers on a university campus:
- educate students, staff, and faculty about why certain
activities are harmful and, therefore, prohibited.
- provide legal notice of proscribed activities, so that
violators of the Policy can be punished.
- protect the university if a grieved student or employee sues the
university (e.g., for alleged violation of his/her privacy).
The policies at most universities seem to focus on the second and third goals.
I explain below why the first goal
is also important.
This document is concerned mostly with e-mail and websites on
computers owned by a university.
Use of mainframe computers for computations raises issues
that are not mentioned in this document.
Furthermore, professors may establish additional rules for use
of computers (a) in their research laboratory
or (b) in a teaching laboratory that they supervise.
This document is not a draft policy and is not the
policy that I personally prefer. It is only a list of
issues and reasons to consider when preparing a policy
on the proper use of computers.
This document is not legal advice for your problem:
see my disclaimer.
Table of Contents
Issues to Consider
Housekeeping Issues
Links
Style
Explain Rules
Written Agreement
Enforcement of Rules
Conventional Policies
My credentials
Issues to Consider
The following list might serve
as an agenda of items to discuss at a meeting to draft
an Acceptable Use Policy:
- It is generally prohibited to search, read, copy, alter,
or delete another person's computer files.
Exceptions:
- Any files that are publicly available (e.g., posted on the Internet)
may be searched or read.
- A person can always consent to having his/her file(s) read or modified.
The person who consents will transfer a copy of the file,
not the username and password of the person's computer account.
- System administrators will routinely make backup copies of all
files residing on networked and mainframe computers,
for use in restoring files when the computer or hard drive crashes.
- A system administrator may search, read, or copy files when:
- running anti-virus software (infected files will be deleted or modified),
- necessary to investigate malfunction of software or hardware,
- necessary to investigate possible security breach,
- necessary to investigate possible violations of this Acceptable Use Policy,
- necessary to protect public health or safety,
- or when necessary to respond to a search warrant or subpoena.
The system administrator shall keep confidential the
contents of files read, unless misconduct is suspected,
in which case a copy of the file(s) will be given to the
appropriate authorities.
- A professor may search, read, or copy files created or modified
by students or staff on computers located in the professor's
research laboratory, when those students or staff are supervised
by the professor.
- On notice by the copyright owner that an infringing copy
has been posted at the university website, university staff will
promptly make a paper copy of the infringing work to preserve evidence,
delete the infringing copy from the website,
and report the poster for disciplinary action.
See Copyright below.
- The system administrator has the right to delete any file(s)
belonging to faculty or staff who are no longer employed by
the university, or belonging to a student who has been
continuously not enrolled at the university for more than six months.
- In unusual situations in which the content of file(s)
poses the risk of harm either to one or more person(s)
or to the university,
the relevant department chairman or dean
may direct the system administrator to copy any file(s)
to a secure location not accessible by either the public or
the file owner, and then delete the original file(s).
If an on-campus judicial inquiry later determines that the
file(s) were harmless, then the file(s) will be returned to
their owner and the university will issue a formal letter of
apology to the owner.
- The university reserves the right to read and copy any file,
including e-mail,
that either passes through, or is stored on, any computer
owned by the university.
- Explicitly prohibit use of another person's computer account.
A person should never give his/her password to anyone
and should never allow anyone to use his/her e-mail or computer account.
This rule establishes a presumption that any use of a particular
computer account is the responsibility of the one owner of that account.
If a user suspects his/her account is being accessed by another person,
the user should immediately inform the system administrator.
- Prohibit interception or collection of password(s) by any means.
It is misconduct to ask someone for their password: not even a
professor or system administrator needs to know someone's password.
When a person's password is accidentally or inadvertently discovered,
please immediately inform the password owner, so they can change
their password and adopt better security in the future.
- Prohibit sending e-mail or posting a webpage with an intent to harm
a particular individual.
Includes harassment, intimidation, threats,
intentional infliction of emotional distress,
defamation, obscene content, violations of privacy
(e.g., disclosure of private information from confidential relationships),
disclosure of personal information (e.g., credit card numbers,
social security number, grades, medical history, etc.),
or insults directed at a specific person.
It is prohibited to continue sending e-mail to anyone after the
recipient asks the sender to stop sending e-mail.
- Prohibit forging someone else's name to an e-mail or a webpage.
It is inherently wrongful to use someone else's name as
the purported author of text
(i.e., deception about origin or authorship of text).
There are additional legal issues when the text harms the reputation
of the purported author, which is common with false attributions.
Aside from prohibiting false attribution of text to people,
should all e-mail include the name of the sender
and all webpages include the name of the true author?
In other words, should anonymous e-mail or webpages be banned?
Anonymity is often used as a cloak for impermissible activities;
however, there are legal arguments for why anonymity should be permitted.
- Prohibit forging an e-mail address, or
including false information in an e-mail header.
- No use of university's website or e-mail for personal financial gain,
such as offering or selling either services or products.
Prohibit use of university-owned computers for computations
in personal consulting to any for-profit business.
- No use of university's website or e-mail for partisan political purposes,
such as advocating election of a political candidate or advocating
a proposition or initiative on the ballot.
Such use of university resources to participate in political events
is a misuse of [choose one] the university's nonprofit status /
the university's position as a state institution.
However, students, faculty, or staff may send a few
(i.e., not bulk e-mail) e-mails to friends, family,
or politicians that express their personal opinions.
If the sender includes either text or a signature file that
identifies them as a member of the university community,
then the text should also state that the message is their personal
opinion and is not a statement on behalf of the university.
- Prohibit public release of confidential or proprietary information,
including violation of contractual agreements involving the
university, disobeying reasonable restrictions placed by
a professor who supervises staff or student(s) engaged in research,
or public dissemination of proprietary software in violation
of licensing agreements between the university and the software manufacturer.
- Prohibit sending bulk e-mail to people.
Bulk e-mail might be defined as more than 12 e-mails sent
in any continuous 24-hour period, when all of those e-mails have
essentially identical content.
Such bulk e-mail commonly occurs when the sender is operating a
for-profit business (i.e., nonsolicited commercial e-mail,
junk e-mail, commonly called "spam").
However, bulk e-mail might also solicit donations to a charity,
advocate a political candidate, forward chain letters,
participate in a pyramid or Ponzi scheme, etc.
There are two reasons to forbid the sending of all bulk e-mail:
- Sending large amounts of essentially identical e-mails
(e.g., thousands of messages in one day)
is a burden on university computing resources,
delays legitimate e-mail by clogging the e-mail server,
and wastes the time of each recipient to read and delete the junk.
- People do not like to receive junk e-mail, so having
a university e-mail address on the junk e-mail can damage the
good-will of the university.
However, sending bulk e-mail is permissible when it is addressed
to all members of an academic department, or all members of a university
committee or club, etc., when the content of the bulk e-mail is
related to university business and relevant to the addressees.
Non-university e-mail addresses on such mailing lists should be
included only when each recipient has specifically requested
mail to that address (i.e., an opt-in list).
- Prohibit posting a webpage that is a copy of a work by another person,
without first obtaining written permission of the copyright owner.
A person who posts infringing material on the university website
agrees to reimburse the university for both any damages and
reasonable legal fees that the university incurs as a result
of copyright infringement litigation.
- Prohibit copying pirated software to computers owned by the university.
Pirated software is software that is used in violation of the
manufacturer's license agreement, most commonly because it is
a copy of software purchased for, and used by, someone else.
- do not install pirated software on any computer owned by the university.
- do not use university-owned computers to store or distribute pirated software.
- do not bring media containing pirated software onto the university campus.
- Prohibit misuse of trademark(s) in webpages and e-mail.
Two issues: (A) use of university-owned trademarks, including the
university logo or seal, and (B) misuse of trademarks owned by
other corporations.
- Prohibit probing or scanning of ports on anyone's
computer, including off-campus computers, without authorization
from the owner of that computer.
- Prohibit malicious computer programs
(e.g., computer viruses, worms, etc.).
I have posted a history of some famous
malicious programs, so one can see
the immense damage caused by such programs, some of which were
written by college students.
There are several specific issues:
- prohibit knowingly designing or creating a malicious computer program.
- prohibit knowingly installing or storing a malicious program
(e.g., virus, worm, Trojan Horse) on any university-owned computer.
- prohibit intentional release
(e.g., in e-mail, posting to a website for downloading,
including in software to be distributed, etc.)
of a malicious computer program to infect others,
either on-campus or off-campus.
- Prohibit sending e-mail(s) or posting webpage(s) that:
- propose or conduct an unlawful activity (e.g., fraud, gambling, prostitution, ...)
under either federal or state law.
- contain instructions or information for any unlawful activity
(e.g., how to steal credit card numbers, intercept
passwords to computer accounts, decode premium cable television
programs without paying the proper license fee, etc.).
- contain instructions for activities that are outrageously harmful
(e.g., how to make nuclear weapons, nerve gas, or bombs).
- Catch-all criminal law provision.
The university is not an enclave that is immune or exempt
from federal, state, or local laws.
Any use of university computer resources for unlawful activity
is also misconduct at the university.
- Forbid waste of computer resources.
For example:
- deliberately designing a computer program that contains
an infinite loop, so that the computer will run until the user's
maximum time limit expires.
- denial of service attacks on any website, anywhere.
- excessive printing.
- frivolous or grossly inefficient computing.
- attempting to crash operating systems.
- Personal or recreational activities
Every employer would prefer that their employees concentrate
on their assigned job and not play games, not look at
erotic photographs on the Internet, not send jokes to friends,
not engage in stock market transactions, not surf the Internet for
purely personal interests, ....
On the other hand, monitoring e-mail and Internet use by employees
creates an unfriendly working environment, with loss of morale.
It may be better to tolerate some waste and frivolous activities,
to create a good working environment with a higher productivity.
I suggest a compromise of prohibiting personal or
recreational activities only when:
- the employee is neglecting to complete assigned work in a
timely way, or
- someone else needs to use the computer equipment
for coursework, scholarly research, or university administration.
No matter how hard managers huff and puff, they will never
eliminate personal, recreational, or frivolous activities
by students and employees. However, what can be done is to give
coursework, scholarly research, and official university business
a higher priority than personal, recreational, or frivolous activities.
- Erotic content of a webpage
Examples might include pictures of nude people,
pictures of people engaging in sexual intercourse, or erotic text.
In general, such content is protected expression by the First Amendment.
However, one might wish to prohibit such material on university computers
for several reasons:
- Such salacious material tends to draw a large number of
visitors to the webpage(s), thus overloading the server
and denying computer resources to students and faculty
who are trying to do homework, scholarly research, and other projects
of educational merit.
- Posting such material on a university computer may create
a hostile environment for women.
- The nature of this material is not compatible with
the educational mission of a university, and detracts
from the dignified, professional image that the university
wishes to project to the public.
Students or faculty who wish to post erotic material should
obtain an account at a commercial website, post the material there
as a private person, and not mention their affiliation with the
university.
- Hate speech on a webpage
Hate speech is condemnation of a group of people,
most commonly ethnic or religious minorities.
(The distinction between harassment and hate speech is
that harassment is targeted at an individual person, while
hate speech is targeted at a group of people.)
In my opinion, hate speech is the most troubling category
of potentially prohibited activities.
On one hand, hate speech is political speech,
which receives the highest level of First Amendment protection.
On the other hand, by making the targeted minority less welcome,
hate speech runs against enlightened policies of
including minorities in the campus community and of encouraging tolerance.
- Do not usurp the authority of professors.
A professor has the right to establish specific policies for
computers (a) in his/her research laboratory
or (b) in a teaching laboratory that he/she supervises.
Such specific, local policies should explicitly refer
to the university-wide Acceptable Use Policy,
then add additional regulations.
Only in exceptional cases (perhaps requiring written approval of a dean),
should a specific, local policy allow conduct that is prohibited
in the university-wide Acceptable Use Policy.
Housekeeping Matters
There are also a number of issues that are important for the
maintenance of a reliable computing environment, but which
do not include issues of freedom of speech, privacy, criminal law,
intellectual property (e.g., copyright and trademark), etc.
For example:
- Neither food nor beverages are permitted near computer terminals.
- Users should not switch off hardware
(e.g., printer, computer, monitor) that is connected to a network,
because it may cause failure of the network or inconvenience to
other users of the network. The one exception is when it appears
that there is a fire inside the equipment.
- Use a surge suppressor to connect electric power and
telephone lines to computers and peripheral equipment
(e.g., printers, monitor, etc.).
General-Use Computers
General-use computers are defined as computers that are used
by many different students and staff each week.
(General-use computers are distinguished from a computer located
at the desk of a faculty member, staff member, or graduate student for use only,
or mainly, by that one person.)
- Users may neither disconnect nor connect hardware
(e.g., keyboards, monitors,
surge suppressors, printers, etc.) on general-use computers.
It is prohibited for users to move hardware from one machine
to another. When it is desirable to move hardware, contact
a staff member.
- Users should not install software on general-use computers.
Users may install properly licensed software on university-owned computers
in their office that will be used exclusively by that one user.
- Users should not change preference settings in programs
on general-use computers.
Links
The following links are not a bibliography for this document,
but are listed for the convenience of the reader.
Reading policies from other universities can be useful:
not only reminding the reader of issues to consider,
but also showing the reader good and bad styles.
By reading policies from many other universities, an author of a policy
quickly becomes sympathetic to readers who are repelled by an
authoritarian tone that is typical of most policies.
Note that copying or paraphrasing parts of another university's policy
without a citation to the original source is plagiarism.
Copying or paraphrasing substantial parts of another university's policy
without written permission is copyright infringement.
Using a search engine to find
computer "Acceptable Use Policy"
will return hundreds of documents from the Internet.
The following links are to webpages that have a large collection of links to
Computer Acceptable Use Policies from many universities.
Style
Explain Rules
Instead of just saying "no, no, no, prohibited, forbidden, ...,"
include reasons why the conduct is prohibited.
Understanding the reason(s) for the rule helps people remember the regulations,
educates people about ethics, and
softens the strident tone of many regulations.
Mention ethics, professionalism, honor, trust,
and sharing in a collegial way,
to communicate positive values, and to offset the
negative tone of a long list of prohibited activities.
It is critical that the Acceptable Use Policy be terse.
Any set of rules with a length of more than one page is likely
to be ignored by most people.
(Only attorneys and bureaucrats love long regulations! <grin>)
On the other hand, adding reasons and explanations
(which are desirable, as explained in the previous paragraph),
will make the Acceptable Use Policy longer than three pages.
Furthermore, there are many ways that computers can be
used to harm people, and a precise (i.e., legally enforceable)
statement of proscribed conduct may be lengthy.
The way out of this dilemma is to have
the first page contain terse, one-sentence rules, followed
by many pages of explanations and examples.
In the copy of the Acceptable Use Policy that is posted
at the university website,
the rules on the first page should be linked to explanations
later in the document.
In some cases, it may be reasonable to suggest alternatives
(e.g., see above) that are acceptable
to the university.
At the end of the regulations, a sentence should
explain that department chairmen, deans, and the director of the university
computing center are all authorized to make exceptions to these regulations
when the petitioner has a good reason.
A number of prohibitions listed above
(e.g., prohibiting sending e-mail that harms an individual,
use of university resources for personal financial gain or for
partisan political purposes, infringement of copyright or trademark,
public release of confidential or proprietary information,
personal or recreational activities during working hours, etc.)
are not specific to computers, but are mentioned in the
Acceptable Use Policy only for completeness and
to remind people of how generally prohibited activities can
appear in the specific context of e-mail, webpages, or other use of computers.
Such explanations are necessary because there is a widespread belief
that cyberspace is a place where laws and regulations do not apply.
Explicit Awareness
While the Acceptable Use Policy should be included in the
faculty/staff personnel manual and in the student handbook,
a copy should also be given to each person
at the time their computer username and initial password are issued.
Each user should sign a written statement that he/she
has received a written copy of the Acceptable Use Policy,
has read the Policy,
and he/she agrees to comply with the regulations in that Policy.
(Such a written agreement would be useful in quickly defeating
an attempted "I didn't know." defense if litigation should occur.
An expelled student or terminated employee does sometimes sue a university.)
Enforcement of Rules
In addition to precisely specifying what activities are forbidden,
there is the issue of how these rules will be enforced:
- Will the university monitor e-mail and Internet use?
There are issues of privacy, as well as keeping a high level of
morale among employees, in formulating such a policy.
It may be better to tolerate some waste and frivolous activities,
in order to avoid having an unfriendly working environment.
- To whom should suspected violations of the Acceptable Use Policy
be reported?
- What penalties can be imposed on violators of the Acceptable Use Policy?
To keep the Acceptable Use Policy as short as possible,
and also to avoid possible contradictions or inconsistencies
(e.g., when the penalties are modified in one document, but not the other),
the penalties can be one or two sentences that refer to the
section on misconduct
in both the faculty/staff personnel manual and the student handbook,
where the main discussion of penalties is located.
I believe it is a mistake to specify that violation of certain rule(s)
will always result in termination of employment or
expulsion of a student. The university administration needs to
have flexibility in deciding a reasonable punishment for each
violation, after considering all of the facts of each case,
and after considering the accused person's attempts at mitigation.
Furthermore, if maximum penalties are a certainty, then
a suspect has no motive to cooperate with authorities.
Conventional Policies
In July 2002, I reviewed about a dozen policies from major
universities in the USA. I was astounded to find glaring defects in
these policies, for example:
- One state university says it will punish someone for refusing
to cooperate in an investigation of their misconduct
(i.e., punish them for asserting their legal right to refuse
self-incrimination, a right explicitly mentioned in the Fifth
Amendment to the U.S. Constitution)!
- Several universities list The Computer Virus Eradication Act of 1988
[or 1989] as one of the laws that students must obey.
This "Act" was a bill introduced into the U.S. House of Representatives
in 1988 and 1989, but it was never enacted into law.
(Apparently, the appropriate committee never even held hearings on this
proposed statute.)
It would be desirable if people who wrote Acceptable Use Policies
actually understood computer crime statutes.
- One famous university says: "... do not remove ... furniture ...
from [the computer laboratory]. Doing so constitutes theft and
will be dealt with accordingly." Whoa!
- Theft is a crime, which can only be prosecuted by the
district attorney, not the university.
No district attorney will bother prosecuting the theft
of a used chair that is worth perhaps US$ 10.
- Moving a chair from the computer laboratory to, for example,
a graduate student's office does not deprive the rightful owner
(i.e., the university) of the use of the chair, and so the moving
of the chair is not theft.
Using bogus legal statements to threaten students is a bad policy.
- Another famous university has a list of prohibited activities
that is an "including, but not limited to" list.
Such an open-ended list fails to give adequate legal notice
of all proscribed activities, and so is legally enforceable
only for the specifically listed activities.
The regulation itself must be specific and complete, but
it is acceptable to have an open-ended list of examples.
- Most policies are not complete. For example,
despite the fact that malicious computer programs (e.g., computer
viruses and worms) have been well known since 1998,
Acceptable Use Policies at some universities still do not
explicitly prohibit the design or release of malicious computer
programs.
- Nearly all of the Acceptable Use Policies are unpleasant
reading and many of them are tediously long.
While university administrators may be satisfied with such
Policies, I am sure that few students, faculty, and staff
will read (or understand) the entire Policy, which makes those
Policies a failure at teaching professional and ethical values.
I suggest making an effort to write an
Acceptable Use Policy that people will read,
understand, and respect.
- Many of the Acceptable Use Policies contain vague or overbroad
regulations. Vague regulations are not legally enforceable,
because they fail to give adequate notice of proscribed conduct.
Overbroad regulations include innocent or harmless conduct
(which ought to be permitted) along with malicious or harmful conduct.
Vague or overbroad regulations are easy to write when the author
does not personally understand computer technology and
the author is either in a hurry or
inexperienced at technical writing.
It would be embarrassing to write an Acceptable Use Policy,
then later have a judge or an attorney say that the policy is
not enforceable, because of a legal defect.
And it would be awful if such a legal defect allowed a person
to escape punishment by the university for their wrongful or
criminal act. A draft Acceptable Use Policy should be
carefully reviewed by an attorney who is familiar with
computer law and who is experienced in writing documents
that are easy to understand.
Writing an Acceptable Use Policy requires a broad range of
knowledge and skills, including:
- understanding computer technology,
- understanding basic procedural criminal law, and
- understanding substantive law in computer crimes,
intellectual property (e.g., copyright and trademark),
privacy, freedom of speech, etc.
Such a wide range of knowledge is needed for working in
many aspects of computer law.
Generally, writing an Acceptable Use Policy should be
a team effort with contributions from scientists/engineers,
professors, deans, and attorneys.
Conclusion
Again, this document is only a sketch of some issues to be considered,
not a draft document.
This document is not the policy that I personally prefer or
recommend, but only a list of topics to discuss.
My credentials include:
- programmed computers since 1968,
- earned a Ph.D. in physics in 1977,
- personally owned eleven different desktop computers since 1981, which
I used or use in my scientific, engineering, or legal work,
- was a professor of electrical engineering for ten years,
- author of more than 30 published technical papers and one book,
- used e-mail since 1986,
- created and operated at least one website continuously since
December 1996 (I personally wrote all of the HTML code
at my websites.), and
- am an attorney in Massachusetts who concentrates in higher-education law,
computer law, and copyright law.
I write in plain English, not turgid legalese.
this document is at http://www.rbs2.com/policy.htm
revised 11 Oct 2002, minor modifications 27 May 2004