From: kadie@sal.cs.uiuc.edu (Carl M Kadie)
Newsgroups: comp.admin.policy,alt.comp.acad-freedom.talk
Subject: Re: GMU Draft Computer Policy
Date: 26 Mar 1995 03:26:09 GMT
Message-ID: <3l2msh$osk@vixen.cso.uiuc.edu>
Summary: I think the policy is pretty good and very interesting. That
comments are solicited, suggests good participation in policy
making. Due process is respected (although perhaps overly
ambitiously). Privacy protection is exceptional. Free expression is
not explicitly mentioned, but seems to be covered implicitly by
general university policies that are mentioned.
Detailed comments:
> Responsible Use of Computing
> George Mason University
> *** Draft For Comment ***
[...]
>This policy is purposely silent on matters covered by other policies
>such as sexual harassment and honor code violations, [...]
I like this. I think it is very unwise to apply a double standard
to computer media.
It would be nice to explictly mention that other parts of the
university code protects free expression and due process, etc..
[...]
>The priorities for use of Masonet resources are:
>
> HIGHEST: All education, research, and administrative purposes of
> GMU.
>
> MEDIUM: Other uses indirectly related to GMU purposes with
> education or research benefit, including personal
> communications.
>
> LOWEST: Recreation, including game-playing.
I like this. Priorities seems much better than blanket bans
on games or person communications.
[...]
>GMU treats access to Masonet resources as a privilege that is granted
>on a presumption that every member of the university community will
>exercise it responsibly.
The comment that computer use is just a "privilege" seems meaningless.
>You are responsible for that person's actions in your account.
Even if that person break university security and use your account?
That seems unlikely.
[...]
>If you send anonymous mail or postings, you should realize that it is
>customarily considered polite to identify that your message is
>anonymous or is signed by pseudonym. You should be aware that most
>people will give less credence to anonymous communication than to
>signed communication.
I like this. It talks about anonymous communications without banning it.
[...]
> o Don't copy copyrighted documents.
Some copyrighted material can be copyrighted (shareware, GNU material, etc.)
It would be better to say "Don't violate materials' copyright."
(Also, although some copyright violation can be a "crime", most is a "tort".
The word "illegal" would cover both crimes and torts.
>PRIVACY
>
>All users of Masonet enjoy a right of privacy. No other user, system
>administrator, or official may read email, files, or communications
>without the consent of their owners. Only in rare and exceptional
>cases where a severe threat is present and there is no alternative to
>ameliorating the threat may the Security Review Panel authorize the
>reading of email, files, or communications. No system administrator
>or official may do this without the authorization of the Panel.
This seems good.
[...]
>[University Sys Admins] who violate this policy or any local policy,
>or who misuse their powers, will face disciplinary action.
Wow. Excellent evenhandedness.
>If an SA observes someone engaging in activities that would seriously
>compromise the health or integrity of a system or network -- e.g.,
>someone launching a virus attack or attempting to gain root access --
>the SA may take immediate action to stop the threat or minimize
>damage.
Excellent. Recognizes that emergencies happen, but that not
everything is an emergency.
[...]
>On receipt of a complaint from a user or an
>SA, the panel chair will assign one of the members as the panel's
>"case worker" for that complaint. The five-step "stopit process"
>within which the panel operates is described in a companion
>document.
GMU is very ambitious to set up a whole disciplinary system just for
preliminary computer problems. But ... running a disciplinary system
correctly (and legally, if you are a state university) is very hard.
[...]
>If a user's account is disabled as a result of a suspected violation,
>the user has a right to a resolution and reactivation of the account
>in the case of a mistake within 2 working days.
Cool.
>The panel is also responsible for reviewing these policies
>periodically and recommending improvements and clarifications as
>needed.
Where does this panel get it's authority? From the University
Senate? From the Chancellor? A panel with university-wide
jurisdiction generally needs to tie into the university's
general governing authorities.
[...]
=====
>Subject: RUC stopit! document
[...]
>The third mechanism, which almost always follows STOPIT 2, is a
>letter to the alleged perpetrators of improper Masonet use,
>harassment, or other uncivil behavior. The letter will have this
>form:
>
>"Someone using your account did [whatever the offense is]." This is
>followed by an explanation of why this behavior violates which
>policy.
[...]
It should say "Someone *apparently* using your account *allegedly*
did [...] . An anonymous accuser alleges that this may violate [...]"
My fear of the original wording is that it could wrongly intimidate
someone's whose speech is protected by university free-expression
policies.
- Carl
--
Carl Kadie -- I do not represent any organization; this is just me.
= Email: kadie@cs.uiuc.edu =
= URL:
***********************************************************************
From: sethf@athena.mit.edu (Seth Finkelstein)
Newsgroups: comp.admin.policy,alt.censorship,alt.comp.acad-freedom.talk
Subject: Re: GMU Draft Computer Policy
Date: 26 Mar 1995 12:03:12 GMT
Message-ID: <3l3l60$41r@senator-bedfellow.MIT.EDU>
In article <3l2j9i$emk@vixen.cso.uiuc.edu> kadie@sal.cs.uiuc.edu (Carl M Kadie) writes:
>[From an email correspondent - Carl]
I agree with most of Carl Kadie's comments, and the policy is
overall quite good. It was clearly based on MIT's policies, which are
among the best around. So I commend George Mason University for adopting them.
But one particular aspect caught my eye - the adoption of
"stopit". Now, "stopit" has the laudable aspect of keeping minor
rule-breaking from turning into major cases. But it suffers from a deep
problem when it tries to apply the same procedure and standards to both
physical and content-based incidents. It's often relatively easy to tell
when someone is trying to steal passwords or get illegal access. And
there's almost no reason for people to bring "political" cases over
those issues. However, when one get away from relatively clearcut
physical violations of system integrity, into the area of content-based
"violations", the determinations of the complaint-handlers become much
more subjective. They need to either process every complaint as if it
were valid, which leads to absurd results, or apply their own biases,
in which case we get back to the old problem of delicate political
judgments being made (at least on one level) by very unqualified people.
I describe the theory of "stopit" as replacing every case as a
full-blown jury trial with "plea-bargaining". It's no less a judicial
system, but it's a *modern* judicial system. For accusations involving
physical infractions that are not serious, it's fine to drop the formal
charges after warning the accused, or to dispose of the case with
informal probation (too many institutions way overreact to trivia). But
when this system of "if you don't want to go to court, don't do it
again" starts being employed against *SOCIAL* accusations, the results
can be quite harmful.
In the following, I'll address how "stopit" gets abused when the
charges are political or ideological. I've been working on some of this
analysis for the MIT Student Association for Freedom of Expression (Web
page URL http://www.mit.edu:8001/activities/safe/home.html) as it's of
particular importance to establishing electronic rights at MIT. Below I'm
addressing only expression-based accusations. I think "stopit" works
well if the determinations to be made are fairly objective and clear,
but miserably when applied to very subjective matters.
>Subject: RUC stopit! document
>
>The process described here, called "stopit" after a similar process
>at MIT, uses a graduated approach to deal with violations of the
>policy. The approach is based on the premises that the vast majority
>of the users are responsible and that most offenders, given the
>opportunity to stop uncivil or disruptive behavior without having to
>admit guilt, will do so and will not repeat the offense. Many
Yes. But this is unfortunately structurally similar to the
premise that most people, when threatened with costly punishment but
given a less-costly "out", will not fight the authorities, but take the
"out", even if the charge is not justified. This can lead to abuse.
>offenses are not direct threats to the integrity of Masonet itself,
>but are violations of other campus rules, state laws, or federal laws
>for which there are enforcement processes already in place. The
In other words, they don't have anything to do with computers
_per se_, they have to do with communications uses that happen to
involve computers.
>stopit process is designed to direct complaints to the appropriate
>authorities quickly. The stopit process has five stages.
Note this means "in practice, make it very easy to make a
political complaint if a computer happens to be involved". You can't
use "stopit" if someone writes a newspaper column you object to,
but you can if someone posts a netnews article you don't like.
>STOPIT 1: Wide Distribution of Policy Information
>
>A poster describing the essence of the responsible use policy will be
>displayed in each computer lab on the campus; the same information
>will be given to new users and to each user annually. The essence of
>the policy is that certain behaviors may interrupt or hurt other
^^^^^^^^^^^^^^^^^
These often turn out to be rather elastic terms, where
expressing certain viewpoints is declared to be "hurtful".
>members of GMU community; all users should refrain from such
>behaviors. Anyone observing a harmful or disruptive behavior can
>report it to or to the campus police.
As the saying goes, God and the Devil are in the details. What
is a bad behavior seems rather vague. It could be narrowly defined, but
too frequently this is a loophole used to cover anything the interpreter
thinks simply shouldn't be done.
>STOPIT 2: Standard For Registering Complaints
>...
What standard? I didn't see any standard (like evidence or
threshold). I saw "Process When A Complaint is Registered" (a VERY
different thing).
>STOPIT 3: Warning Letter
>
>The third mechanism, which almost always follows STOPIT 2, is a
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>letter to the alleged perpetrators of improper Masonet use,
Now, let's remember STOPIT 2 is just the registering of a complaint.
>"Someone using your account did [whatever the offense is]." This is
>followed by an explanation of why this behavior violates which policy.
Note at this point nothing but an accusation is made, yet the
authorities will relay the *accuser's* description and phrasing in this
official letter, because of course that is all they've seen.
> "Account holders are responsible for the use of their accounts. ...
>and re-secure your account. If you were aware that your account was
>being used to [do whatever it was], then please make sure that this
>does not happen again." Finally, the letter will identify an SRP
^^^^^^^^^^^^^^^^^^^^^^
>member who has been assigned to the case.
This sure sounds judgmental and threatening to me. Someone would
have to be very secure and dedicated to combat it, even if they felt they
were in the right.
>This stage makes sure the persons are informed of the policy
>violation and complaint and offers them the chance to desist without
>having to admit guilt.
i.e., it lets them plea-bargain the charge, because it's too
difficult to fight it. They can give in, and avoid further attention, or
else they have to go through the wringer.
>STOPIT 4: Mandatory Interview with SRP Member
>
>If the recipient of a STOPIT 3 letter wishes to contest what is said
>in the letter, he or she may talk to the SRP member assigned to the case
So the mere making of an accusation puts the defendant in the
position of 1) plea-bargain to a guilty (really a no-contest), as we'll
see in the next sentence, OR 2) start going to "court".
This is GREAT for the makers of frivolous charges. It encourages
a "fishing" mentality. The accuser cannot lose - with one simple
message, they place the defendant in a situation where he or she must
either accede to the demand, or go through a long hassle. At worse, the
complainant will simply not have their complaint upheld, after the
defendant has been through these stages. There is no structural
disincentive described to prevent the abuse of this process.
>If that recipient repeats the offense, or commits a new
>offense, he or she will be invited to a mandatory interview with the
>SRP member assigned to the case. The SRP chair can authorize the
In other words, given a first complaint, if there's another one
(say by a friend of the first accuser ...), the defendant is in deeper
trouble - they get a mandatory "interview". This is why the response to
the *first* accusation matters, and has an important effect. In
practice, the burden of proof is reversed, so the defendant either must
take initiative immediately, or later be called to a hearing, where they
must establish they did nothing wrong, not the accuser prove any sort of
justification or probable cause (the mere complaint is enough).
Let's take a not-so-hypothetical example to see how this works
(this is disguised and altered a little, but is based on real threats
made that I know about). Suppose, during a campus election, X sends some
very critical comments about a candidates to a mailing list (where they
are acceptable as a topic). Y, a friend of the candidate, is incensed by
X's comments, calling them "false and defamatory". Can Y bring a legal
action against X? No, Y knows the courts would laugh, and it would cost
*Y* to do so. Even the university disciplinary committee wouldn't look
at the case. But instead, Y can send to "stopit", accusing X of "posting
an offensive public message which was false and defamatory". X will then
receive a letter from an official source, stating, per above
"Someone using your account posted an offensive public message which was
false and defamatory ... If you were aware that your account was being
used to post such a message, then please make sure that this does not
happen again."
[They can throw in some qualifiers ("alleged" ), but it's still intimidating]
It sound very bad for X. X can now either 1) Stop criticizing
the candidate 2) Start hassling over the process 3) Ignore the letter.
But if X does the last, and Y complains again, or gets a friend to do
it, X is *required* to justify the messages to a review panel. It sure
seems like the easiest thing to do is shut up. And that's the classical
"chilling effect".
I didn't use the example of accusation of "sexual harassment
through creation of a hostile environment", because that's way overdone,
but the similar application should be obvious. It's the same principle -
just making an accusation gets a threatening letter sent.
>temporary suspension of access to an account if the individual fails
>to arrange for the mandatory interview. Individuals may request a
I call this the "offer you can't refuse".
>STOPIT 5: Disciplinary Procedures
>
>If none of the previous stopit stages convinces the offender to
>desist, the matter will be referred to the normal university
>disciplinary procedure for the type of offense. The SRP will make
So if you don't take the plea-bargain, it's trial time. It's
better than having the system administrators do the trial, but it also
has the effect of adding another quasi-judicial layer. And the way this
stage can be abused, by using it in turn to threaten people, creates a problem.
Thus, while "stopit" is an improvement over making everything a
Federal case, there are many "behaviors" which should not be cases at
all, at any level. Institutions dedicated to freedom of expression and
academic freedom should make this very clear, rather than substituting
repression by intimidation for repression by formal rulings.
--
Seth Finkelstein sethf@mit.edu
Disclaimer : I am not the Lorax. I speak only for myself.
(and certainly not for Project Athena, MIT, or anyone else).