From: kadie@eff.org (Carl M. Kadie) Date: Mon, 2 Sep 1991 19:22:41 GMT Message-ID: <1991Sep2.192241.1731@eff.org> References: <1991Sep2.161515.24831@eff.org> Subject: Computing Services Policy at Central Michigan University Summary: Central Michigan University Steals User Files This is a critique of the Computing Services Policy at Central Michigan University. The policy as written gives Central Michigan authority to steal user file. [And likely puts the University in violation of the federal FEPRA. - Carl 3/27/92] It also denies users their due process rights. The policy should be replaced by a policy created with participation of users. >Excerpts from "Everything You Ever Wanted To Know About Computing >Services At Central Michigan University (And Were Afraid To Ask)", >Computer Services Document No. CSVD0092. It is given to new users. >---- begin quote --- >_The contents of all storage media owned or stored on Computer >Services computing facilities are the property of Central Michigan >University unless a written contract signed by suitable contracting >authority exists to the contrary._ [The _..._ marks underlining in the >original document. - Carl] According to this paragraph, if a faculty member writes a journal article on a Computer Services computer, it becomes the property of Central Michigan. This is theft by Computer Services of property that rightfully belongs to the faculty member. As a practical matter, this paragraph is ridiculous. [If the University owns the data on user files then it must manage it according to the Family Education Rights and Privacy Act. The application of the Act would make it illegal for users to read some of their own files. It would also require the University to distribute annual notices. Failure to enforce these regulations is a violation of Federal law. - Carl 3/27/92] [[The rest of this paragraphy is retracted by a later article - Carl 3/27/92]] Is Computer Services claiming to own the copyright on user-created documents? If so, a faculty member who read this paragraph could not legally give a journal permission to publish the paper he or she wrote. If the faculty member did try to give a permission-to-copy, he or she would be guilty of fraud. The paragraph contradicts policy and law with regard to privacy. The contents of personal file cabinets, even if owned by the State, remain the property of their assigned user. Unreasonable searches are prohibited by the Constitution. The University of Illinois, for example, requires a warrant before a search of university-owned personal file cabinet. Principle: Personal files on university's computers (for example, files in a user's home directory) should have the same privacy protection as personal files in university-assigned space in an office or dormitory space (for example, files in a graduate student's desk). [Aside: I suggest than writers to CAF-talk mark proposed principles as I have done above. Start with the word "Principle:" as the first item on a line. Mark the end of the proposal with a blank line. This will make it easy to extract proposed principles later. - Carl] The Joint Statement on Rights and Freedoms of Students (ftp.eff.org:pub/academic/student.rights) suggests these guidelines (which Central Michigan's policy violates.) "1. Except under extreme emergency circumstances, premises occupied by students and the personal possessions of students should not be searched unless appropriate authorization has been obtained. For premises such as residence halls controlled by the institution, an appropriate and responsible authority should be designated to whom application should be made before a search is conducted. The application should specify the reasons for he search and the objects or information sought. The student should be present, if possible, during the search. For premises not controlled by the institution, the ordinary requirements for lawful search should be followed." >An individual using Computer Services facilities must do so in the >knowledge that he/she is using University resources in support of >his/her work. The University owns everything stored in its facilities >unless it has agreed otherwise. Further, the University has the right >of access to the contents at any time for any purpose for which it has >a legitimate "need to know". The University will make all reasonable >efforts to maintain the confidentiality of the storage contents and to >safeguard the contents from loss, but cannot be held liable for the >inadvertent or unavoidable loss or disclosure of the contents. >Normally, the only "need to know" access to storage media contents >will be conducted by the Director of Computer Services, the Associate >Director of Computer Services (operations), or the Systems >Programmers. If University really owns the contents of the everything on the computer, then there is no confidentiality to maintain. The computer files may, however, now be covered by the Family Educational Rights and Privacy Act. (I doubt if Computer Services really indented that.) This search policy could be improved by replacing the "need to know" language with the more mature language of the University's general search policy. >... >_The facilities are provided without charge for purposes of academic >advancement and administrative data processing for faculty, staff, and >students of Central Michigan University. Use by others or for other >purposes is strictly prohibited unless specifically authorized in >writing by the Director of Computer Services._ It sounds like Sys Programmer can decide for his or herself to search a faculty-created file, but that a faculty member must get written permission from the Directory of Computer Services before sending email to a friend. >Computer Services computing facilities are provided in support of >teaching and academic advancement and administrative data processing >at Central Michigan University. Any faculty member, staff member, >emeritus faculty/staff, or student having a current bona fide >connection with Central Michigan University is permitted, upon proper >validation by Computer Services, to use the instructional/research >portion of these facilities without charge regardless of whether or >not they are in a "computer-intensive" class or are teaching such a >class. The facilities available to the individual will be determined >by Computer Services based on intended use of the facilities by the >individual and the resources available at the time of validation. >Facilities are not provided for the use of spouses, parents, children, >or friends of validated users. >... Good. >...Detection of illegal usage or practices designed to operate to the >detriment of the user community will result in the withdrawal of >services to the individual determined to be at fault. Computer >Services will be the sole arbiter of this decision and services to the >individual will only be restored to the individual upon successful >appeal to the Director of Computer Services or his designees. >... I would suggest Computer Services policymakers look at Central Michigan's general disciplinary policy. Also, they should read the Joint Statement on Rights and Freedoms of Students section on "Procedural Standards in Disciplinary". The phrase "practices designed to operate to the detriment of the user community" is too vague. Principle: A reasonable user should be able to determine if his or her behavior will violate policy. This paragraph suggests that the only penalty for "practices designed to operate to the detriment of the user community" is permanent expulsion from the computer. This is too harsh. "[P]rocedural fair play requires that the student be informed of the nature of the charges against him, that he be given a fair opportunity to refute them" [Joint Statement]. The policy does not respect these rights. Also, due process requires that "[w]hen the misconduct may result in serious penalties and if the student questions the fairness of disciplinary action taken against him, he should be granted, on request, the privilege of a hearing before a regularly constituted hearing committee. ... No member of the hearing committee who is otherwise interested in the particular case should sit in judgment during the proceeding." [Joint Statement] In other words, Computer Services asserts that it is the prosecutor and final judge. But, no department on campus has this authority; it is a violation of user due-process rights. Principle: Suspension or expulsion from a computer is a serious penalty. Users facing these penalties should be given due process protection similar to that given to those facing other serious penalties such as a formal disciplinary warning, a failing grade for cheating, or suspension from class. >_Special information regarding audit records on the IBM 3090 computer._ >Any individual using Computer Services facilities must realize that >all mainframe computer systems maintain audit trail logs or log files >within the mainframe computer. Such information as the user >identification, date and time of the session, the software used, the >files used, the computer time, and storage used, the user account, and >other run-related information is normally available for diagnostic, >accounting, and load analysis purposes. >In the case of the IBM 3090, Computer Services normally retains the >information contained in these files for up to one year. Under certain >circumstances, this information is reviewed by the Computer Services >personnel outlined above, either at the request of an academic >department, or in situations where it is necessary to determine what >has occurred to cause a particular system problem at a particular >time. For example, analysis of audit files may indicate why a >particular data file is being erased, when it was erased, and what >user identification has erased it. Inspection of audit records may be >used to dispel or confirm a professor's suspicions of academic >dishonesty. >... >Access to audit records on the IBM 3090 will only be performed by the >Computer Services personnel designated above. The review of audit >information will only be performed when there is a legitimate "need to >know" based on a request from an academic department, an Executive >Officer of Central Michigan University, or the Director of Computer >Services, or when such a review is deemed necessary in order to >maintain a satisfactory computing environment for the University >Community. In such cases, a written record will be maintained of the >occasion, containing the name of the person accessing the audit >records, the date and time of access, whose records were accessed, the >extent (date and time range) of the information retrieved, and the >circumstances occasioning the access. This record will be kept in the >Computer Services administrative manual files under the the >designation "IBM 3090 audit record accesses". >--- end quote --- The Family Educational Rights and Privacy Act regulates university records. It does not sound as if the log and the "audit record accesses" comply with the law. Also, the phrase "or when a review is deemed necessary in order to maintain a satisfactory computer environment" is a vague catch-all that would seem to permit review at any time. It does not even say who authorized to do the "deeming". Finally, Principle: "[P]olicies and procedures should be developed at each institution within the framework of general standards and with the broadest possible participation of the members of the academic community." [Joint Statement] Following this principle, the Central Michigan policy should be replaced by a policy created with the participation of users. - Carl -- Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu I do not represent EFF; this is just me. From: kadie@eff.org (Carl M. Kadie) Date: Wed, 4 Sep 1991 00:30:30 GMT Message-ID: <1991Sep4.003030.2331@eff.org> References: <1991Sep2.161515.24831@eff.org> <1991Sep2.192241.1731@eff.org> <1563@ra.MsState.Edu> Subject: Computing Services Policy at Central Michigan University In article <1991Sep2.192241.1731@eff.org> kadie@eff.org (Carl M. Kadie) writes: >>According to this paragraph, if a faculty member writes a journal >>article on a Computer Services computer, it becomes the property of >>Central Michigan. This is theft by Computer Services of property >>that rightfully belongs to the faculty member. >>As a practical matter, this paragraph is ridiculous. Is Computer >>Services claiming to own the copyright on user-created documents? If >>so, a faculty member who read this paragraph could not legally give a >>journal permission to publish the paper he or she wrote. If the >>faculty member did try to give a permission-to-copy, he or she would >>be guilty of fraud. fwp1@Jester.CC.MsState.Edu (Frank Peters) writes: [...] > Copyright is not ownership. Ownership is not copyright. [...] >Central Michigan University claims ownership of a particular copy of a >work stored on their media. They claim that they can read it or move >it or remove it or modify it as necessary. That is, they can do as >they wish with that particular copy of the work. I'm sorry for the mistake. I usually do know the difference between owning a copy and owning a copyright. Basic property rights include: The right to sell (lease, etc) The right to use (and to forbid the use of others) Are they really claiming the right to sell "their" copy of files created by users? Are they really claiming an unlimited right to edit user files and to forbid users from accessing "their own" files. Must a user ask permission before deleting a "university" file? I think that instead of claiming ownership, they would be wiser to get a license to do necessary system administration tasks. On most systems this license is implicit. - Carl -- Carl Kadie -- kadie@eff.org or kadie@cs.uiuc.edu I do not represent EFF; this is just me.