Xref: eff alt.comp.acad-freedom.talk:2057 comp.admin.policy:1142 misc.legal:10741 alt.society.civil-liberty:498 Newsgroups: alt.comp.acad-freedom.talk,comp.admin.policy,misc.legal,alt.society.civil-liberty Path: eff!kadie From: kadie@eff.org (Carl M. Kadie) Subject: Re: Ohio State ACS policy (was Re: Re; XXXXX Expulsion. What Happened?) Message-ID: <1991Nov9.152336.10203@eff.org> Organization: The Electronic Frontier Foundation References: <91309.07: 56: 40.921770.NMETRO@ricevm1.rice.edu> <1991Nov7.153727.28800@eff.org> <1991Nov9.140334.9055@eff.org> Date: Sat, 9 Nov 1991 15:23:36 GMT Lines: 210 This is a critique of the policy that was just posted. It is an expanded version of a critique that was posted in late July to CAF-talk. It mentions no particular cases. Everything in quotes ("") is from the Joint Statement on Rights and Freedoms of Students. > Policy on Abuse of Computers and Networks > The Office of Academic Computing > The Ohio State University > Approved June 6, 1990 No details are given as to how this policy was created. (Maybe someone can post a note with this information.) A policy "should be developed at each institution within the framework of general standards and with the broadest possible participation of the members of the academic community." In other words, this policy should be consistent with the University's general policies and should be developed with the help of the system's users. >The use of computers and computer networks in no wat exempts us from the >nominal requirements of ethical behavior in the University community. Use >of a computer network that is shared by many users imposes certain >obligations. >In particular, data, software, and computer capacity have value and must be >treated accordingly. >Legitimate use of a computer or computer network does not extend to whatever >we are capable of doing with it. Although some rules are built into the >computer's operating system, these restrictions do not limit completely what >we can do and see. We are responsible for our actions whether or not the >rules are built into the system, and whether or not we can circumvent those >rules. Agreed. >The following specific principles of computer and network systems operated >under the direction of the Office of Academic Computing are applicable to Ohio >State students, faculty, staff, and contract employees. As users we must: > o Respect the privacy and rules governing the use of any > information accessible through the computer system or > network, even when that information is not securely > protected. The policy could be improved by mentioned that ACS will respect the privacy and freedom of expression of its users. > o Respect the ownership of proprietary software. For example, > do not make unauthorized copies of such software for your > own use, even when that software is not physically protected > against copying. > o Respect the finite capacity of systems, and limit your own > use so as not to interfere unreasonably with the activity of > other users. What is unreasonable? Who decides? Is any warning given? > o Respect the procedures established to manage the use of the > system. What procedures? How are they decided? Are they posted? >Those who cannot accept these standards of behavior may be denied access to >the relevant computer systems and networks. Will they be expelled from the computer forever? Can they ask for a hearing? Are the standards every made explicit? Who decides that the user cannot accept the standards? Is there any due process build in? Are students told of their rights? This policy lacks due process protections. The gist of the policy seems to be that 'if we decide that you break a rule (that we created, and you may not even know about), we can expel you from the computer forever.' Note that (at most schools) faculty can not (by themselves) expel a students from a class. It would be very strange of nonacademic University employees could (by themselves) expel students from a computer. Here are excerpts from the Joint Statement about due process. " VI. Procedural Standards in Disciplinary Proceedings In developing responsible student conduct, disciplinary proceedings play a role substantially secondary to example, counseling, guidance, and admonition. At the same time, educational institutions have a duty and the corollary disciplinary powers to protect their educational purpose through the setting of standards of scholarship and conduct for the students who attend them and through the regulation of the use of institutional facilities. In the exceptional circumstances when the preferred means fail to resolve problems of student conduct, proper procedural safeguards should be observed to protect the student from the unfair imposition of serious penalties." "The jurisdictions of faculty or student judicial bodies, the disciplinary responsibilities of institutional officials and the regular disciplinary procedures, including the student's right to appeal a decision, should be clearly formulated and communicated in advance." "In all situations, procedural fair play requires that the student be informed of the nature of the charges against him, that he be given a fair opportunity to refute them, that the institution not be arbitrary in its actions, and that there be provision for appeal of a decision." "The institution has an obligation to clarify those standards of behavior which it considers essential to its educational mission and its community life. [...] Offenses should be as clearly defined as possible and interpreted in a manner consistent with the aforementioned principles of relevance and reasonableness. Disciplinary proceedings should be instituted only for violations of standards of conduct formulated with significant student participation [...]." "2. Students detected or arrested in the course of serious violations of institutional regulations, or infractions of ordinary law, should be informed of their rights. No form of harassment should be used by institutional representatives to coerce admissions of guilt or information about conduct of other suspected persons." "C. Status of Student Pending Final Action Pending action on the charges, the status of a student should not be altered, or his right to be present on the campus and to attend classes suspended, except for reasons relating to his physical or emotional safety and well being, or for reasons relating to the safety and well-being of students, faculty, or university property." "When the misconduct may result in serious penalties and if the student questions the fairness of disciplinary action taken against him, he should be granted, on request, the privilege of a hearing before a regularly constituted hearing committee." The law on due process is explained in _Teacher's and the Law_, 3rd edition, by Louis Fischer, et al. Published in 1991 by Longman. (The book is aimed at K-12 teachers). It says: --- begin quote --- On the other hand, oppressive, authoritarian procedures that do not respect students' rights to know why they are being disciplined and do not provide opportunities for students to present their defense in a fair way are crumbling as a result of the application of the Constitution to the schools. In sum, on may think of the right of due process as applying to student disciplinary matters on a continuum represented in the following diagram: May act without due process: Trivial or vary minor matters, or emergencies. The latter must be followed by due process as soon as possible. Some modicum of due process is necessary: Disciplinary matters that may lead to short-term suspensions or entry on the students' record. Extensive, careful due process is required: Disciplinary matters that may result in long-term suspension or expulsion, or in a significant penalty such as a short suspension during final exams. ---- end of quote --- >Violators may also be subject to >penalties under the regulations of the University and under laws of the State >of Ohio or the United States of America to the extent applicable. >I have read the above conditions and agree to abide by these standards. >Signature: ________________________________________________ Date: ____________ The Univerisity should not (and likely, legally can't) require computer users to sign a statement that impinges on the rights guaranteed by the First, Fifth, and 14th Amendments. In sum, * There is no indication that the policy was created with user participation. * The policy lacks privacy and freedom of expression guarantees. * The policy is vague. A user would have trouble guessing if a particular action is acceptable. * It seems to claim that the ACS staff does not need to follow due process procedures to expel a user from the ACS computers. This gives the ACS staff more power than professors to penalize students. (It also gives them unchecked power to penalize faculty.) * It asks users to sign away their rights. This critique mentioned no particular cases; I look forward to a vigorous defense of the policy by ACS (or ACS staff or others.) - Carl -- Carl Kadie -- kadie@eff.org, kadie@cs.uiuc.edu, or (anonymous) ap.4352@hri.com I do not represent EFF; this is just me. Newsgroups: alt.comp.acad-freedom.talk Path: eff!eff-gate!usenet From: nbc2134@dsacg2.dsac.dla.mil (Robert F Solon) Subject: Re: Ohio State ACS policy Message-ID: <9111091632.AA12547@dsacg2.dsac.dla.mil> Sender: nbc2134@dsacg2.dsac.dla.mil Organization: EFF mail-news gateway Date: 9 Nov 91 06:32:11 GMT Approved: usenet@eff.org Lines: 89 In reply to the mail from ... ------------------------------------------------------------------------------- > >Here is the policy (first posted to CAF-talk on July 24th): > >[From: Mitchell D Dysart - Carl] > > Policy on Abuse of Computers and Networks > The Office of Academic Computing > The Ohio State University > Approved June 6, 1990 > >The use of computers and computer networks in no wat exempts us from the >nominal requirements of ethical behavior in the University community. Use >of a computer network that is shared by many users imposes certain obligations. >In particular, data, software, and computer capacity have value and must be >treated accordingly. > >Legitimate use of a computer or computer network does not extend to whatever >we are capable of doing with it. Although some rules are built into the >computer's operating system, these restrictions do not limit completely what >we can do and see. We are responsible for our actions whether or not the >rules are built into the system, and whether or not we can circumvent those >rules. > >The following specific principles of computer and network systems operated >under the direction of the Office of Academic Computing are applicable to Ohio >State students, faculty, staff, and contract employees. As users we must: > > o Respect the privacy and rules governing the use of any > information accessible through the computer system or > network, even when that information is not securely > protected. Does that mean ACS will respect the albeit unofficial rules that govern Usenet? Will calling people names in alt.flame be cause for disciplinary action? > > o Respect the ownership of proprietary software. For example, > do not make unauthorized copies of such software for your > own use, even when that software is not physically protected > against copying. I think this is a good idea. > > o Respect the finite capacity of systems, and limit your own > use so as not to interfere unreasonably with the activity of > other users. This is too. > > o Respect the procedures established to manage the use of the > system. > This isn't. It doesn't list the procedures involved, not does it refere users to a document or documents where they are stated. Certainly if anything is overbroad, this is. >Those who cannot accept these standards of bahavior may be denied access to >the relevant computer systems and networks. Violators may also be subject to >penalties under the regulations of the University and under laws of the State >of Ohio or the United States of America to the extent applicable. > At least reference should be made as to where the university regulations are; that's not ever stated here. Generally, this policy has a lot of loopholes that can be probed, by both administrators as well as users. It should be tightened up and made much more explicit. Bob Bob Solon, DSAC-BCC Administrative Information Branch -- APCAPS "We Code, You Explode!!" Xref: eff alt.comp.acad-freedom.talk:2120 comp.admin.policy:1186 misc.legal:10819 alt.society.civil-liberty:591 Newsgroups: alt.comp.acad-freedom.talk,comp.admin.policy,misc.legal,alt.society.civil-liberty Path: eff!iWarp.intel.com|uunet!paladin.american.edu!darwin.sura.net!mojo.eng.umd.edu!russotto From: russotto@eng.umd.edu (Matthew T. Russotto) Subject: Re: Ohio State ACS policy (was Re: Re; XXXXX Expulsion. What Happened?) Message-ID: <1991Nov11.045906.26633@eng.umd.edu> Date: Mon, 11 Nov 91 04:59:06 GMT Organization: College of Engineering, Maryversity of Uniland, College Park References: <1991Nov7.153727.28800@eff.org>> <1991Nov9.140334.9055@eff.org> In article <1991Nov9.140334.9055@eff.org> kadie@eff.org (Carl M. Kadie) writes: > >If Academic Computer Services (ACS) can't comment on particular cases, >perhaps they will discuss on their relatively new policy instead. > >Here is the policy (first posted to CAF-talk on July 24th): > >The following specific principles of computer and network systems operated >under the direction of the Office of Academic Computing are applicable to Ohio >State students, faculty, staff, and contract employees. As users we must: > > o Respect the privacy and rules governing the use of any > information accessible through the computer system or > network, even when that information is not securely > protected. Makes users liable for any complaint from any foreign system administrator, even if they were not aware of the rules which the foreign sysadmin claims they have broken-- even if they accessed the system through an unpassworded "guest" account. > o Respect the ownership of proprietary software. For example, > do not make unauthorized copies of such software for your > own use, even when that software is not physically protected > against copying. No problem with this one. > o Respect the finite capacity of systems, and limit your own > use so as not to interfere unreasonably with the activity of > other users. This looks like license to punish for _ANYTHING_! (WHAT! You were running TWO copies of gnuemace while compiling your program? CPU HOG!) > o Respect the procedures established to manage the use of the > system. This is a blank check-- means the users have to abide by any policies unilaterally established in the future. >Those who cannot accept these standards of bahavior may be denied access to >the relevant computer systems and networks. Violators may also be subject to >penalties under the regulations of the University and under laws of the State >of Ohio or the United States of America to the extent applicable. With no procedure established for determining who is a violator, this document gives the admins everything and the users nothing. There is no value to the users for signing this document (except that ACS will deny access to those who refuse to sign-- which in itself is a violation of the OSU rules (as reported) which state that every student gets an email account). -- Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu Your superior intellect is no match for our puny weapons! -- The Simpsons Just say NO to police searches and seizures. Make them use force. (not responsible for bodily harm resulting from following above advice) Newsgroups: alt.comp.acad-freedom.talk Path: eff!eff-gate!usenet From: SKAPUR@ccmail.sunysb.edu (Sanjay Kapur) Subject: Re: Ohio State ACS policy (was Re: Re; XXXXX Expulsion. What Happened?) Message-ID: <8702F5953E41331B@ccmail.sunysb.edu> Sender: SKAPUR@ccmail.sunysb.edu Reply-To: Sanjay Kapur Organization: EFF mail-news gateway Date: 11 Nov 91 13:13:00 GMT Approved: usenet@eff.org Lines: 72 >From: russotto@eng.umd.edu (Matthew T. Russotto) >> o Respect the privacy and rules governing the use of any >> information accessible through the computer system or >> network, even when that information is not securely >> protected. > >Makes users liable for any complaint from any foreign system administrator, >even if they were not aware of the rules which the foreign sysadmin claims >they have broken-- even if they accessed the system through an unpassworded >"guest" account. > Just because someone leaves the doors to their house open does not mean you can enter and take a shower or eat from the pantry. You still need the homeowner's permission. Just because the doors are open does not mean you can go in and break open the jewellery box and admire the jewellery. The assumption that any unpassworded guest account is an invitation to enter is totally unwarranted. Even more unwarranted and illegal is the assumption that entry made through such an account is an open invitaion to attempt to break security. > >> o Respect the finite capacity of systems, and limit your own >> use so as not to interfere unreasonably with the activity of >> other users. > >This looks like license to punish for _ANYTHING_! (WHAT! You were running >TWO copies of gnuemace while compiling your program? CPU HOG!) The operating word here is "unreasonably". This clause seems to be meant for a fair distribution of resources. I guess some people do not believe in fairness if you object to this clause. > >> o Respect the procedures established to manage the use of the >> system. > >This is a blank check-- means the users have to abide by any policies >unilaterally established in the future. > If you do not like this, what would you propose every time a new operating system version or hardware release came along? >>Those who cannot accept these standards of bahavior may be denied access to >>the relevant computer systems and networks. Violators may also be subject to >>penalties under the regulations of the University and under laws of the State >>of Ohio or the United States of America to the extent applicable. > >With no procedure established for determining who is a violator, this document >gives the admins everything and the users nothing. There is no value to the >users for signing this document (except that ACS will deny access to those >who refuse to sign-- which in itself is a violation of the OSU rules (as >reported) which state that every student gets an email account). The promised account seems to be for pure email and from what I understand only email internal to OSU. Technically it is not a violation of OSU rules if the account owner is denied access to Usenet, off-OSU mail, programming etc. >-- >Matthew T. Russotto russotto@eng.umd.edu russotto@wam.umd.edu >Your superior intellect is no match for our puny weapons! -- The Simpsons >Just say NO to police searches and seizures. Make them use force. >(not responsible for bodily harm resulting from following above advice) Sanjay Kapur |Internet: Sanjay.Kapur@sunysb.edu Systems Staff, Computing Services, |Bitnet: SKAPUR@USB State University of New York, |SPAN/HEPnet: 44132::SKAPUR Stony Brook, NY 11794-2400 |Phone:(516)632-8029, FAX:(516)632-8046 Xref: eff alt.comp.acad-freedom.talk:2136 comp.admin.policy:1193 misc.legal:10836 alt.society.civil-liberty:616 Path: eff!world!uunet!cs.utexas.edu!asuvax!ukma!morgan From: morgan@ms.uky.edu (Wes Morgan) Newsgroups: alt.comp.acad-freedom.talk,comp.admin.policy,misc.legal,alt.society.civil-liberty Subject: Re: Critique of Ohio State ACS policy Message-ID: <1991Nov11.161317.12947@ms.uky.edu> Date: 11 Nov 91 16:13:17 GMT References: <1991Nov9.140334.9055@eff.org> <1991Nov9.152336.10203@eff.org> Organization: The Puzzle Palace, UKentucky Lines: 101 In general, I agree with Carl's critique. However, some of his suggestions might be rather difficult to implement. kadie@eff.org (Carl M. Kadie) writes: > >> o Respect the finite capacity of systems, and limit your own >> use so as not to interfere unreasonably with the activity of >> other users. > >What is unreasonable? Who decides? Is any warning given? "Unreasonable" is an adjective whose application will change "on the fly". For instance, a user running 15 background jobs at 3 in the morning is causing fewer problems than one who runs 15 background jobs at 1 in the afternoon. A user writing experimental TCP/IP programs on a one-user workstation is causing fewer problems that one running identical programs on a 200-user system. I think that, once again, user education is the answer to this particular problem. I have found that users, once they are made aware of the "system impact" of background jobs and memory-intensive programs, are more than willing to limit their own use, in order to help their fellow users. The same rationale applies to disk quotas. Many of our users have dis- covered /tmp and /usr/tmp, using them as "freebie" disk space. After I explain the importance of those directories, they have invariably adjusted their use. All it takes is information. >> o Respect the procedures established to manage the use of the >> system. > >What procedures? How are they decided? Are they posted? Administrative procedures are extremely liquid. If the network is sick, we may arbitrarily (and temporarily) limit the number of inbound/outbound TCP/IP connections. If we have disk drive problems, we may arbitrarily (and temporarily) move users around on the file systems or change their quotas. If we find a collision in the user namespace, we may even have to change their userid. None of these ad hoc procedures are subject to debate or modification; we make every effort to inform our users, but we are often forced to make these decisions on the fly. I certainly agree that certain administrative procedures should be clearly explained to the users from the beginning. Electronic mail management, Usenet management, and such things as CPU/connect time/disk quotas should be clearly understood by all users. Almost all administrative procedures should be made available to users on a "by request" basis. Our "users' policy" should be relatively con- cise; it should, of course, direct the user to sources of more informa- tion. With the discussion in this newsgroup, it seems that the policy document handed to a user should cover almost every contingency and every possible situation. I don't really see any good in passing out some 20-page policy statement to users. We should certainly tell them how to get more information, but we certainly don't want to flood them; most students are flooded with enough bureaucratic crud as it stands today. Perhaps we should be creating a "Policy Roadmap", which would direct stu- dents to the individual policy statements. Since much of computing policy is derived from general University policy, this would be a much more effec- tive approach. It might look something like this (All rules are fictitious): - Abuse of Computer Systems Paragraph X.Y(a) of the University Rules and Regulations states that "Students shall not misuse or abuse University property, facilites, or computer systems". This Computing Center determines those actions which constitute "misuse or abuse". Those actions include, but are not limited to: - Game playing - Violation of CPU/connect time/disk quotas - Sharing your userid/password with other people - Sending (or attempting to send) anonymous elec- tronic mail. - Harassing users through either electronic mail or interactive messages. Naturally, there are many possible means of misuse or abuse. What is appropriate on one system may not be on another. For a complete list of inappropriate actions, please contact a computing center staff member. If you believe that your action may be in violation of these rules, you are expected to contact the computing center staff *before* initiating the action. We will do our best to accomodate your needs. Some actions normally considered to be abusive may be necessary in an academic environment. For instance, a class in probability theory might use a game as an instructional tool. If you believe that you have an academic need for a normally prohibited activity, you are expected to contact the computing center for per- mission BEFORE the activity is initiated. We are pre- pared to make exceptions to our policies for legitimate academic needs, but we must be informed of those needs. -- morgan@ms.uky.edu |Wes Morgan, not speaking for| ....!ukma!ukecc!morgan morgan@engr.uky.edu |the University of Kentucky's| morgan%engr.uky.edu@UKCC morgan@ie.pa.uky.edu |Engineering Computing Center| morgan@wuarchive.wustl.edu