From: kadie@sal.cs.uiuc.edu (Carl M Kadie)
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
Subject: GMU Draft Computer Policy
Date: 26 Mar 1995 02:24:50 GMT
Message-ID: <3l2j9i$emk@vixen.cso.uiuc.edu>

[From an email correspondent - Carl]

================================

3/22/95

Responsible Use of Computing
George Mason University

*** Draft For Comment ***

George Mason University provides and maintains computing and telecommunications technologies to support the education, research and work of its faculty, staff, and students. GMU's computing and telecommunications technologies are collectively referred to as Masonet. By connecting thousands of computers at GMU with each other and with national and international computer networks, Masonet provides many educational benefits.

The purpose of this policy is to define responsible and ethical behavior of Masonet users in order to preserve the health, availability, and integrity of Masonet resources. This policy is purposely silent on matters covered by other policies such as sexual harassment and honor code violations, and by federal and state laws on privacy and computer abuse. This policy applies to all users of Masonet resources.

The priorities for use of Masonet resources are:

HIGHEST: All education, research, and administrative purposes of GMU.

MEDIUM: Other uses indirectly related to GMU purposes with education or research benefit, including personal communications.

LOWEST: Recreation, including game-playing.

FORBIDDEN: Selling GMU resources, commercial activities not sanctioned by the Provost's office, intentionally denying or interfering with service, unauthorized use or access, reading or modifying files without proper authorization, using the technology to impersonate another, violations of laws or other GMU policies.

Because it is impossible to anticipate all the ways in which individuals can harm or misuse Masonet facilities, this policy focuses on a few simple rules.
These rules generally indicate actions that should be avoided. If you observe someone violating this policy, or another GMU policy using Masonet resources, you can report it by email to . Many local computing systems also have a "stopit" account that you can send mail to.

RULES OF USE

GMU treats access to Masonet resources as a privilege that is granted on a presumption that every member of the university community will exercise it responsibly. The following rules are not complete -- just because an action is not explicitly proscribed does not necessarily mean that it is acceptable. You should read these rules for the principles behind them and stick to the principles.

1. Use Masonet Consistently With the Stated Priorities.

The low priority uses of Masonet should be avoided during the times of peak demand, typically the mid afternoon to late evening hours. During peak periods, other users may be prevented from doing their high priority work if you are doing something of low priority. Those users are likely to complain to you or to if they observe you interfering with their work. Certain activities such as chain letters or broadcast email to very large distributions will consume large amounts of resources; avoid them.

2. Don't Allow Anyone to Use Your Account for Illegitimate Purposes.

Your Masonet username identifies you to the entire international Internet user community. Another person using your account, whether or not you have given permission, will be acting in your name. Anyone who knows your password can use your account. You are responsible for that person's actions in your account. If that person violates any policies, his or her actions will be traced back to your username and you may be held responsible. The easiest way to protect yourself is to not give away your password. If you need to give someone access, give it on a temporary basis, and change your password after that person finishes using your account.
You should also not give your password to anyone you do not trust. If someone else offers you use of an account for which you are not authorized, decline. If you discover someone's password, don't use it; report the access to the password to the owner or to .

3. Honor the Privacy of Other Users.

GMU treats the contents of all files, email, and communications as private, and will strive to protect the privacy of all users. Many aspects of privacy of files and communications are also protected by Federal and State laws. Examples:

o Don't access the files or directories of another user without explicit authorization from that user. Typically, authorization is signalled by the other user's setting file access permissions to allow public or group reading of files. Since some systems by default make all files readable to all users and some users don't know this, the file permissions are not reliable. It is always best to ask.

o Don't intercept or monitor any network communications not explicitly meant for you.

o Don't use the systems or transmit personal or private information about individuals unless you have explicit authorization from the individuals affected. Don't distribute such information unless you have permission from those individuals.

o Don't create programs that secretly collect information about users. Software on Masonet is subject to the same guidelines for protecting privacy as any other information-gathering project at GMU. You may not use GMU computer and telecommunication systems to collect information about individual users without their consent. Note that some system utilities log user information (ftp, mosaic, login, etc.). These are considered normal system administration functions.

4. Don't Impersonate Any Other Person.

Using Masonet resources to impersonate someone else is improper. If you use someone else's account, you may be committing acts of fraud because the account owner's name will be attached to the transactions you have performed.
If you send anonymous mail or postings, you should realize that it is customarily considered polite to identify that your message is anonymous or is signed by pseudonym. You should be aware that most people will give less credence to anonymous communication than to signed communication.

5. Don't Use Masonet To Violate Other Policies or Laws.

Computer networks offer new ways to commit actions that violate laws or policies that are covered elsewhere. Here are reminders of typical other policies:

o Don't copy copyrighted documents. Many programs and their documentation are owned by individual users or third parties and are protected by copyright and other laws, licenses, and contractual agreements. You must abide by these restrictions; to do otherwise may be a crime.

o Don't use Masonet to threaten or harass anyone. Various types of harassment, including sexual or racial, are proscribed by GMU policies.

o Don't use Masonet to violate the Honor Code.

o Don't use Masonet to launch viruses, worms, trojan horses, or other attacks on computers here or elsewhere.

SCHOOLS, INSTITUTES, CENTERS, AND DEPARTMENTS

Organizational units on the campus operate computers and networks to support their missions. The principles of this policy apply to all GMU organizational units, and any computers connected to Masonet. Units may set additional local policies and expectations that are consistent with this policy.

PRIVACY

All users of Masonet enjoy a right of privacy. No other user, system administrator, or official may read email, files, or communications without the consent of their owners. Only in rare and exceptional cases where a severe threat is present and there is no alternative to ameliorating the threat may the Security Review Panel authorize the reading of email, files, or communications. No system administrator or official may do this without the authorization of the Panel.
SYSTEM ADMINISTRATORS (SAs)

The system administrators of various computers around campus have special responsibilities. They should exercise their extraordinary powers to override or alter access controls, accounts, configurations, and passwords with great care and integrity.

SAs manage computers and administrate policies, but they do not create policies. Their actions are constrained by this policy and by the policies of local administrative units. In particular, local units should set policies concerning accounts on their machines, and SAs must follow these policies. UCIS maintains a set of guidelines and standards for all SAs and will offer help for new SAs.

Managers of GMU units who employ SAs are responsible for ensuring that the SAs comply with and enforce the requirements of this policy in the systems for which they are responsible. SAs who violate this policy or any local policy, or who misuse their powers, will face disciplinary action.

If an SA observes someone engaging in activities that would seriously compromise the health or integrity of a system or network -- e.g., someone launching a virus attack or attempting to gain root access -- the SA may take immediate action to stop the threat or minimize damage. This may include termination of processes, disconnection from a network, or temporary suspension of an account. Account suspensions must be reported immediately to the Security Review Panel.

??? Only in exceptional cases, authorized by the Security Review Panel (described below) as part of an investigation, may personal files or communications be inspected without the knowledge of the owner. ??? Thus, SAs may not read email, files, or communications as part of an investigation without explicit authorization from the Security Review Panel.

NOTE: The above sentence enclosed in ??? is a preliminary statement that we are putting forth for discussion. We actively solicit discussion and comments on this statement.
As we see it, this is a privacy versus security problem. Obviously, any reading of user files can be construed as a violation of privacy. On the other hand, it is sometimes necessary to look at the contents of files to gather evidence about sophisticated attacks on the health, security, and privacy of the network. Is it reasonable for the SRP to authorize reading of users' files?

SECURITY REVIEW PANEL (SRP)

This policy establishes a Security Review Panel consisting of three faculty members, two student members, one non-UCIS system administrator, and one UCIS staff member. Its chair will be one of the faculty members and will be appointed by the Provost.

SAs will report all violations and their responses to this panel immediately. Any member of the community can report a violation to the panel via the mechanism. On receipt of a complaint from a user or an SA, the panel chair will assign one of the members as the panel's "case worker" for that complaint. The five-step "stopit process" within which the panel operates is described in a companion document.

If a user's account is disabled as a result of a suspected violation, the user has a right to a resolution and reactivation of the account in the case of a mistake within 2 working days.

The panel is also responsible for reviewing these policies periodically and recommending improvements and clarifications as needed.

=================================

Subject: RUC stopit! document

3/22/95

Responsible Use of Computing
The Stopit Process
George Mason University

*** Draft For Comment ***

George Mason University's Responsible Use of Computing (RUC) document provides rules of use for the campus computing and telecommunications technologies (collectively referred to as Masonet). This document, which complements the RUC, defines the process for handling policy violations. The process described here, called "stopit" after a similar process at MIT, uses a graduated approach to deal with violations of the policy.
The approach is based on the premises that the vast majority of the users are responsible and that most offenders, given the opportunity to stop uncivil or disruptive behavior without having to admit guilt, will do so and will not repeat the offense. Many offenses are not direct threats to the integrity of Masonet itself, but are violations of other campus rules, state laws, or federal laws for which there are enforcement processes already in place. The stopit process is designed to direct complaints to the appropriate authorities quickly.

The stopit process has five stages.

STOPIT 1: Wide Distribution of Policy Information

A poster describing the essence of the responsible use policy will be displayed in each computer lab on the campus; the same information will be given to new users and to each user annually. The essence of the policy is that certain behaviors may interrupt or hurt other members of the GMU community; all users should refrain from such behaviors. Anyone observing a harmful or disruptive behavior can report it to or to the campus police.

STOPIT 2: Standard For Registering Complaints

The address is monitored regularly by members of the Security Review Panel (SRP), who will make sure that complaints are responded to rapidly. In many cases, the SRP member who responds to a complaint will alert the existing authority who handles the type of complaint -- e.g., accusations of sexual harassment go to the campus sexual harassment board, honor code violations to the honor committee, thefts of equipment to the campus police, repetitive misconduct to the Dean of Students, chain-letters to the network Postmaster. Users do not need to know who the proper authority is for a particular complaint; they simply write to .

STOPIT 3: Warning Letter

The third mechanism, which almost always follows STOPIT 2, is a letter to the alleged perpetrators of improper Masonet use, harassment, or other uncivil behavior.
The letter will have this form:

"Someone using your account did [whatever the offense is]."

This is followed by an explanation of why this behavior violates which policy.

"Account holders are responsible for the use of their accounts. If you were unaware that your account was being used in this way, it may have been compromised. The system administrator of the machine hosting your account can help you change your password and re-secure your account. If you were aware that your account was being used to [do whatever it was], then please make sure that this does not happen again."

Finally, the letter will identify an SRP member who has been assigned to the case.

This stage makes sure the persons are informed of the policy violation and complaint and offers them the chance to desist without having to admit guilt.

STOPIT 4: Mandatory Interview with SRP Member

If the recipient of a STOPIT 3 letter wishes to contest what is said in the letter, he or she may talk to the SRP member assigned to the case. If that recipient repeats the offense, or commits a new offense, he or she will be invited to a mandatory interview with the SRP member assigned to the case. The SRP chair can authorize the temporary suspension of access to an account if the individual fails to arrange for the mandatory interview. Individuals may request a hearing before the full SRP.

STOPIT 5: Disciplinary Procedures

If none of the previous stopit stages convinces the offender to desist, the matter will be referred to the normal university disciplinary procedure for the type of offense. The SRP will make available all information and evidence it has on the case to the disciplining authority.

--
Carl Kadie -- I do not represent any organization; this is just me.
= Email: kadie@cs.uiuc.edu =
= URL: