Acceptable Use Policy (AUP) Basics

Questions and Answers

Why is understanding the reasons behind each rule in an Acceptable Use Policy crucial for its effectiveness?

Understanding the reasons helps people remember the regulations, educates about ethics, and softens the tone of the regulations.

How can a university balance the need for a comprehensive Acceptable Use Policy with the desire to keep it concise and easily accessible?

Have a terse first page with one-sentence rules linked to detailed explanations and examples later in the document.

What is the significance of obtaining explicit user awareness and agreement to an Acceptable Use Policy?

It helps defeat an 'I didn't know' defense in case of litigation.

Why is it considered a mistake to specify automatic termination or expulsion as the penalty for violating certain rules in an Acceptable Use Policy?

The university needs flexibility to decide a reasonable punishment based on the specific facts of each case.

Why are vague or overbroad regulations in an Acceptable Use Policy considered legally problematic?

Vague regulations don't give adequate notice of proscribed conduct, and overbroad regulations include innocent conduct.

What areas of knowledge and skills are essential for writing a comprehensive and effective Acceptable Use Policy?

Understanding computer technology, procedural criminal law, and substantive law in computer crimes, intellectual property, privacy, and freedom of speech.

Why is it important to explain the reasons behind the prohibitions listed in an Acceptable Use Policy, rather than simply stating the prohibitions themselves?

Explaining the reasons helps people remember the rules, educates them about ethics, and softens the tone of regulations.

What is often the effect of Acceptable Use Policies being tediously long?

Few students, faculty, and staff will read (or understand) the entire policy.

What is the main risk with having an 'including, but not limited to' list of prohibited activities in an Acceptable Use Policy?

It is legally enforceable only for the specifically listed activities, failing to give adequate legal notice of all proscribed activities.

What is the recommended approach for handling situations where a user's file(s) pose a risk of harm to others or the university?

The relevant department chairman or dean may direct the system administrator to copy the file(s) to a secure location and delete the originals.

What is the presumptive responsibility if someone's computer account is used inappropriately?

Any use of a particular computer account is the responsibility of the one owner of that account.

What action should be taken if a person's password is accidentally discovered by someone else?

Immediately inform the password owner, so they can change their password and adopt better security in the future.

What is the crucial factor that distinguishes harassment from hate speech, according to the text?

Harassment is targeted at an individual person, while hate speech is targeted at a group of people.

What should someone include in an email if it expresses personal opinions and identifies them as a member of the university community?

The text should also state that the message is their personal opinion and is not a statement on behalf of the university.

What should a university do upon receiving notice from a copyright owner that infringing material has been posted on its website?

University staff will promptly make a paper copy of the infringing work to preserve evidence, delete the infringing copy from the website, and report the poster for disciplinary action.

Under what circumstances is sending bulk email permissible according to the text?

When it is addressed to all members of an academic department, or all members of a university committee or club, etc., when the content of the bulk e-mail is related to university business and relevant to the addressees.

What action can a professor take regarding files on computers in their research laboratory?

A professor may search, read, or copy files created or modified by students or staff on computers located in the professor's research laboratory, when those students or staff are supervised by the professor.

According to the policy, what is the main reason for routinely backing up all files residing on networked and mainframe computers?

For use in restoring files when the computer or hard drive crashes.

What principle should guide the handling of personal or recreational activities on university computers?

Give coursework, scholarly research, and official university business a higher priority than personal, recreational, or frivolous activities.

From the text, in what situation may a system administrator search, read, or copy files?

When running anti-virus software; necessary to investigate malfunction of software or hardware; necessary to investigate possible security breach; necessary to investigate possible violations of this Acceptable Use Policy; protect public health or safety; or when necessary to respond to a search warrant or subpoena.

According to the Acceptable Use Policy, what constitutes misuse of trademarks in webpages and e-mail?

Use of university-owned trademarks, including the university logo or seal, and misuse of trademarks owned by other corporations.

What is the recommended course of action for students or faculty who wish to post erotic material online?

They should obtain an account at a commercial website, post the material there as a private person, and not mention their affiliation with the university.

What does the Acceptable Use Policy say about computers that are considered 'general use'?

Users may neither disconnect nor connect hardware; it is prohibited to move hardware; users should not install software; users should not change preference settings.

What files does the system administrator have the right to delete?

Any file(s) belonging to faculty or staff who are no longer employed by the university, or belonging to a student who has been continuously not enrolled at the university for more than six months.

Why might universities choose to prohibit erotic content on their computer systems, despite First Amendment protections?

Such material overloads the server, creates a hostile environment for women, and is incompatible with the educational mission of a university.

What is the key distinction between permissible and prohibited bulk email?

Bulk email is allowed when addressed to members of a university group and relates to university business, but prohibited for unsolicited commercial emails or other non-university related content.

Why does the Acceptable Use Policy prohibit probing or scanning ports on any computer without authorization?

This is prohibited as it is a potential precursor to unauthorized access or malicious activity.

Aside from harming an individual's reputation, what other problems can arise from falsely attributing text to someone else?

Deception about origin or authorship of text. There are additional legal issues when the text harms the reputation of the purported author, which is common with false attributions.

Besides copyright infringement, what other legal issues are involved when confidential or proprietary information is publicly released?

Violation of contractual agreements involving the university, disobeying reasonable restrictions placed by a professor, or public dissemination of proprietary software in violation of licensing agreements.

What should a university do when misconduct is suspected after a system administrator accesses files for legitimate reasons?

The system administrator shall keep confidential the contents of files read, unless misconduct is suspected, in which case a copy of the file(s) will be given to the appropriate authorities.

What are some examples of activities that constitute a waste of computer resources?

Deliberately designing a computer program that contains an infinite loop, denial of service attacks on any website, excessive printing, frivolous or grossly inefficient computing, attempting to crash operating systems.

What does the Acceptable Use Policy prohibit regarding the creation or distribution of malicious computer programs?

Prohibit knowingly designing or creating a malicious computer program; knowingly installing or storing a malicious program on any university-owned computer; intentional release of a malicious computer program to infect others.

What types of content are prohibited from being sent in emails or posted on webpages under the Acceptable Use Policy?

Content that proposes or conducts an unlawful activity; contains instructions or information for any unlawful activity; contains instructions for activities that are outrageously harmful.

What is needed in order for specific, local policies to allow conduct that would typically be prohibited in the university-wide Acceptable Use Policy?

Only in exceptional cases (perhaps requiring written approval of a dean), should a specific, local policy allow conduct that is prohibited in the university-wide Acceptable Use Policy.

What housekeeping matters are mentioned in terms of the Acceptable Use Policy?

Neither food nor beverages are permitted near computer terminals; users should not switch off hardware; use a surge suppressor to connect electric power and telephone lines to computers and peripheral equipment.

Why must the university protect public release of confidential or proprietary information?

Includes violation of contractual agreements involving the university, disobeying reasonable restrictions placed by a professor who supervises staff or student(s) engaged in research, or public dissemination of proprietary software in violation of licensing agreements between the university and the software manufacturer.

What makes hate speech a particularly troubling category of potentially prohibited activities?

On one hand, hate speech is political speech, which receives the highest level of First Amendment protection. On the other hand, by making the targeted minority less welcome, hate speech runs against enlightened policies of including minorities in the campus community and of encouraging tolerance.

What can a university employee do if they are engaging in partisan politics on email?

If the sender includes either text or a signature file that identifies them as a member of the university community, then the text should also state that the message is their personal opinion and is not a statement on behalf of the university.

What is the Acceptable Use Policy's stance on personal use of the university's website or email for personal financial gain?

No use of university's website or e-mail for personal financial gain, such as offering or selling either services or products. Prohibit use of university-owned computers for computations in personal consulting to any for-profit business.

Flashcards

Unauthorized File Access

Generally prohibited action involving another person's computer files.

Exception: Public Files

Allowed access to publicly available files.

Exception: Consent

Allowed access to files when permission is granted.

System Administrator Backups

Routine creation of backup copies for restoration purposes.

Anti-Virus Actions

System administrator action to remove or change infected files.

Troubleshooting Access

System administrator action in case of software or hardware issues.

Security Breach Investigation

System administrator action in case of possible security issues.

AUP Violation Investigation

System administrator action in case of breaking AUP.

Public Safety Override

System administrator action in case of health/safety risks.

Legal Mandate

System administrator action following warrant or subpoena.

Admin Confidentiality Duty

Maintaining privacy of file contents unless misconduct is suspected.

Professor Supervision Access

Access granted to professor for supervised work.

Copyright Infringement Protocol

Action on copyright owner notice to remove illegal content.

Inactive Account File Purge

Removal of files for inactive users.

Emergency File Handling

Handling emergency file access for significant risk.

University Access Right

Rights of university to read and copy any institution-owned file.

Account Sharing Prohibition

Prohibition of using another's credentials.

Compromised Account Protocol

Action to take if account is in the hands of someone else.

Password Interception Ban

Prohibition on obtaining passwords using any means.

Accidental Password Discovery

Password protection and immediate owner notification.

Harmful Email/Web Ban

Prohibition on harmful emails or web postings.

Email Harassment Prohibition

Banned activity for a continued email harassment.

Forgery/Impersonation Ban

Prohibition name forgery on digital communication.

False Email Header Prohibition

Prohibition on faking sender information.

No Commercial Use Rule

Prohibition for use of university recourses for profit.

Political Use Restriction

Restricting political endorsements on university resources.

Bulk Email Restriction

Banned usage of bulk email sending.

Copyright Work Rules

Need permission of the owner to post any web pages.

Pirated Software Restrictions

Copying software is a violation of licenses.

Trademarks Misuse Restrictions

Illegally copying or using a trademark in a webpage.

Scanning Computer Ports Restrictions

Illegally scanning any PC port without authorization.

Malicious Programs Restrictions

Computer viruses, worms, etc.

No Unlawful Activities Rules

Prohibition on unlawful activities.

Computer Resources Rules

Do not waste the computer resources.

Recreational Activities Limitations

Personal activities are not allowed if it disturbs jobs.

Computer Area Restrictions

No food or drink near computers.

Equipment Restrictions

Don't turn off connected equipment.

Surge Suppressor Restrictions

Use a surge suppressor on any device.

Hardware Restriction on General Use

No moving equipment on general use computers.

Software Restrictions on General Use

Do not set up any software on general use computers.

Study Notes

• An Acceptable Use Policy (AUP) should be created for discussion and drafting.

General Prohibitions and Exceptions

• Accessing another person's computer files to search, read, copy, alter, or delete is typically not allowed, unless the files are publicly available or the user consents.
• System administrators routinely back up all files on networked and mainframe computers for restoration purposes after system failures.
• System administrators can access files for tasks like running anti-virus software, investigating malfunctions/security breaches, ensuring policy compliance, protecting public safety, or complying with legal warrants, keeping file content confidential unless misconduct is suspected.
• Professors can access files created by supervised students/staff on lab computers.
• Copyright infringing material found on the university website will be copied for evidence, removed, and the poster reported.
• System administrators can delete files of inactive faculty/staff or students.
• Department heads or deans can order the copying and deletion of files posing harm risks, with potential file restoration and apology if deemed harmless by an inquiry.
• Universities can access any file on university-owned computers.

Account Usage

• Using another person's computer account is explicitly forbidden.
• Users should protect their passwords and report suspected unauthorized access.
• Users are responsible for activity occurring under their account.

Password Protection

• Intercepting passwords through any means is prohibited.
• Requesting passwords from others is misconduct.
• When a password is inadvertently discovered, the owner should be notified immediately.

Email and Webpage Content

• Sending emails or posting webpages intended to harm individuals is not allowed, including harassment, threats, defamation, privacy violations, or insults.
• Sending unsolicited emails after a request to stop is prohibited.
• Falsifying authorship of emails or webpages is forbidden.
• Anonymous emails and webpages face scrutiny due to potential misuse.

Email Addresses and Headers

• Forging email addresses or including false information in email headers is prohibited.

Financial and Political Use

• Using the university's website or email for personal financial gain is not allowed.
• Using university computers for personal consulting to for-profit businesses is prohibited.
• Using university resources for partisan political purposes is prohibited.
• Personal opinions can be expressed via email, disclaiming endorsement by the university.

Confidentiality and Bulk Email

• Releasing confidential information or violating contractual agreements is prohibited.
• Sending bulk email is generally forbidden due to resource burden and recipient annoyance.
• Bulk email is allowable for university-related communications within departments or committees, with opt-in requirements for non-university addresses.

Copyright and Trademarks

• Posting copyrighted material without permission is prohibited.
• Users posting infringing material are responsible for legal repercussions.
• Copying pirated software to university computers is forbidden.
• Misusing trademarks in webpages and emails is prohibited, including the university's and others' trademarks.

Network Activity and Malicious Programs

• Probing computer ports without authorization is prohibited.
• Malicious computer programs are forbidden, including their design, storage, and release.

Illegal and Harmful Content

• Sending emails or posting webpages promoting unlawful activities is prohibited.
• Content with instructions for unlawful or outrageously harmful activities is forbidden.

Legal Compliance and Resource Waste

• University computer use must comply with all laws.
• Wasting computer resources, such as infinite loops, denial-of-service attacks, or excessive printing, is forbidden.

Personal Use and Erotic Content

• Personal or recreational activities on computers should not interfere with assigned work or equipment needs.
• Erotic content may be prohibited due to resource strain, hostile environment creation, and incompatibility with the university's mission.

Hate Speech and Authority

• Hate speech faces scrutiny due to First Amendment considerations and inclusivity concerns.
• Professors retain authority over computer policies in their labs.

Housekeeping and General Use

• Food and beverages are prohibited near computer terminals.
• Users should not switch off network-connected hardware.
• Surge suppressors should be used for computers.
• General-use computer restrictions include no hardware changes, software installations, or preference setting changes.

Policy Style and Enforcement

• The AUP should explain the reasons behind rules to promote understanding and ethical behavior.
• Terse rules should be supplemented with detailed explanations and examples.
• Alternatives should be suggested, and exceptions should be allowed by authorized personnel.
• The AUP should address computer-specific issues and general prohibitions.
• Users should acknowledge the AUP in writing upon receiving credentials.
• A decision should be made whether the university will actively monitor usage.
• Reporting procedures and penalties for violations should be established.
• Penalties should be flexible based on circumstances and mitigation attempts.

Common Policy Pitfalls

• Policies should avoid infringing on constitutional rights and citing non-existent laws.
• Policies should avoid bogus legal statements and overly broad regulations.
• Policies should be complete, addressing modern threats, and written to be readable and understandable.

Policy Creation Expertise

• Creating an AUP requires knowledge of computer technology, criminal law, and relevant areas like intellectual property and free speech.
• AUP creation should involve a team of experts, including scientists, engineers, professors, deans, and attorneys.