Issues in a
Computer Acceptable Use Policy
Copyright 1999, 2002 by Ronald B. Standler
There are a number of issues that a university should
consider when establishing a university-wide policy on proper use of computers.
(The remarks below are phrased for computer systems operated
by universities, but similar issues arise in employee's use of computer systems
operated by for-profit businesses and also in subscriber contracts with
Internet Service Providers (ISPs).)
Aside from considering computer technology issues and
precisely drafting such regulations,
there are also legal issues in freedom of speech, privacy,
computer crime, copyright and trademark, etc.
that must be considered.
There are three general goals in writing an Acceptable Use Policy
for computers on a university campus:
The policies at most universities seem to focus on the second and third goals.
I explain below why the first goal
is also important.
- educate students, staff, and faculty about why certain
activities are harmful and, therefore, prohibited.
- provide legal notice of proscribed activities, so that
violators of the Policy can be punished.
- protect the university if a grieved student or employee sues the
university (e.g., for alleged violation of his/her privacy).
This document is concerned mostly with e-mail and websites on
computers owned by a university.
Use of mainframe computers for computations raises issues
that are not mentioned in this document.
Furthermore, professors may establish additional rules for use
of computers (a) in their research laboratory
or (b) in a teaching laboratory that they supervise.
This document is not a draft policy and is not the
policy that I personally prefer. It is only a list of
issues and reasons to consider when preparing a policy
on the proper use of computers.
This document is not legal advice for your problem:
see my disclaimer.
Table of Contents
Issues to Consider
Enforcement of Rules
Issues to Consider
The following list might serve
as an agenda of items to discuss at a meeting to draft
an Acceptable Use Policy:
- It is generally prohibited to search, read, copy, alter,
or delete another person's computer files.
- Any files that are publicly available (e.g., posted on the Internet)
may be searched or read.
- A person can always consent to having his/her file(s) read or modified.
The person who consents will transfer a copy of the file,
not the username and password of the person's computer account.
- System administrators will routinely make backup copies of all
files residing on networked and mainframe computers,
for use in restoring files when the computer or hard drive crashes.
- A system administrator may search, read, or copy files when:
The system administrator shall keep confidential the
contents of files read, unless misconduct is suspected,
in which case a copy of the file(s) will be given to the
- running anti-virus software (infected files will be deleted or modified),
- necessary to investigate malfunction of software or hardware,
- necessary to investigate possible security breach,
- necessary to investigate possible violations of this Acceptable Use Policy,
- protect public health or safety,
- or when necessary to respond to a search warrant or subpoena.
- A professor may search, read, or copy files created or modified
by students or staff on computers located in the professor's
research laboratory, when those students or staff are supervised
by the professor.
- On notice by the copyright owner that an infringing copy
has been posted at the university website, university staff will
promptly make a paper copy of the infringing work to preserve evidence,
delete the infringing copy from the website,
and report the poster for disciplinary action.
See Copyright below.
- The system administrator has the right to delete any file(s)
belonging to faculty or staff who are no longer employed by
the university, or belonging to a student who has been
continuously not enrolled at the university for more than six months.
- In unusual situations in which the content of file(s)
pose the risk of harm either to one or more person(s)
or to the university,
the relevant department chairman or dean
may direct the system administrator to copy any file(s)
to a secure location not accessible by either the public or
the file owner, and then delete the original file(s).
If an on-campus judicial inquiry later determines that the
file(s) were harmless, then the file(s) will be returned to
their owner and the university will issue a formal letter of
apology to the owner.
- The university reserves the right to read and copy any file,
that either passes through, or is stored on, any computer
owned by the university.
- Explicitly prohibit use of another person's computer account.
A person should never give his/her password to anyone
and should never allow anyone to use his/her e-mail or computer account.
This rule establishes a presumption that any use of a particular
computer account is the responsibility of the one owner of that account.
If a user suspects his/her account is being accessed by another person,
the user should immediately inform the system administrator.
- Prohibit interception or collection of password(s) by any means.
It is misconduct to ask someone for their password: not even a
professor or system administrator needs to know someone's password.
When a person's password is accidentally or inadvertently discovered,
please immediately inform the password owner, so they can change
their password and adopt better security in the future.
- Prohibit sending e-mail or posting a webpage with an intent to harm
a particular individual.
Includes harassment, intimidation, threats,
intentional infliction of emotional distress,
defamation, obscene content, violations of privacy
(e.g., disclosure of private information from confidential relationships),
disclosure of personal information (e.g., credit card numbers,
social security number, grades, medical history, etc.),
or insults directed at a specific person.
It is prohibited to continue sending e-mail to anyone after the
recipient asks the sender to stop sending e-mail.
- Prohibit forging someone else's name to an e-mail or a webpage.
It is inherently wrongful to use someone else's name as
the purported author of text
(i.e., deception about origin or authorship of text).
There are additional legal issues when the text harms the reputation
of the purported author, which is common with false attributions.
Aside from prohibiting false attribution of text to people,
should all e-mail include the name of the sender
and all webpages include the name of the true author?
In other words, should anonymous e-mail or webpages be banned?
Anonymity is often used as a cloak for impermissible activities,
however there are legal arguments for why anonymity should be permitted.
- Prohibit forging an e-mail address, or
including false information in an e-mail header.
- No use of university's website or e-mail for personal financial gain,
such as offering or selling either services or products.
Prohibit use of university-owned computers for computations
in personal consulting to any for-profit business.
- No use of university's website or e-mail for partisan political purposes,
such as advocating election of a political candidate or advocating
a proposition or initiative on the ballot.
Such use of university resources to participate in political events
is a misuse of [choose one] the university's nonprofit status /
the university's position as a state institution.
However, students, faculty, or staff may send a few
(i.e., not bulk e-mail) e-mails to friends, family,
or politicians that express their personal opinions.
If the sender includes either text or a signature file that
identifies them as a member of the university community,
then the text should also state that the message is their personal
opinion and is not a statement on behalf of the university.
- Prohibit public release of confidential or proprietary information,
including violation of contractual agreements involving the
university, disobeying reasonable restrictions placed by
a professor who supervises staff or student(s) engaged in research,
or public dissemination of proprietary software in violation
of licensing agreements between the university and the software manufacturer.
- Prohibit sending bulk e-mail to people.
Bulk e-mail might be defined as more than 12 e-mails sent
in any continuous 24-hour period, when all of those e-mails have
essentially identical content.
Such bulk e-mail commonly occurs when the sender is operating a
for-profit business (i.e., nonsolicited commercial e-mail,
junk e-mail, commonly called "spam").
However, bulk e-mail might also solicit donations to a charity,
advocate a political candidate, forward chain letters,
participate in a pyramid or Ponzi scheme, etc.
There are two reasons to forbid the sending of all bulk e-mail:
- Sending large amounts of essentially identical e-mails
(e.g., thousands of messages in one day)
is a burden on university computing resources,
delays legitimate e-mail by clogging the e-mail server,
and wastes the time of each recipient to read and delete the junk.
- People do not like to receive junk e-mail, so having
a university e-mail address on the junk e-mail can damage the
good-will of the university.
However, sending bulk e-mail is permissible when it is addressed
to all members of an academic department, or all members of a university
committee or club, etc., when the content of the bulk e-mail is
related to university business and relevant to the addressees.
Non-university e-mail addresses on such mailing lists should be
included only when each recipient has specifically requested
mail to that address (i.e., an opt-in list).
- Prohibit posting a webpage that is a copy of a work by another person,
without first obtaining written permission of the copyright owner.
A person who posts infringing material on the university website
agrees to reimburse the university for both any damages and
reasonable legal fees that the university incurs as a result
of copyright infringement litigation.
- Prohibit copying pirated software to computers owned by the university.
Pirated software is software that is used in violation of the
manufacturer's license agreement, most commonly because it is
a copy of software purchased for, and used by, someone else.
- do not install pirated software on any computer owned by the university.
- do not use university-owned computers to store or distribute pirated software.
- do not bring media containing pirated software onto the university campus.
- Prohibit misuse of trademark(s) in webpages and e-mail.
Two issues: (A) use of university-owned trademarks, including the
university logo or seal, and (B) misuse of trademarks owned by
- Prohibit probing or scanning of ports on anyone's
computer, including off-campus computers, without authorization
from the owner of that computer.
- Prohibit malicious computer programs.
(e.g., computer viruses, worms, etc.)
I have posted a history of some famous
malicious programs, so one can see
the immense damage caused by such programs, some of which were
written by college students.
There are several specific issues:
- prohibit knowingly designing or creating a malicious computer program.
- prohibit knowingly installing or storing a malicious program
(e.g., virus, worm, Trojan Horse) on any university-owned computer.
- prohibit intentional release
(e.g., in e-mail, posting to a website for downloading,
including in software to be distributed, etc.)
of a malicious computer program to infect others,
either on-campus or off-campus.
- Prohibit sending e-mail(s) or posting webpage(s) that:
- propose or conduct an unlawful activity (e.g., fraud, gambling, prostitution, ...)
under either federal or state law.
- contain instructions or information for any unlawful activity
(e.g., how to steal credit card numbers, intercept
passwords to computer accounts, decode premium cable television
programs without paying the proper license fee, etc.).
- contain instructions for activities that are outrageously harmful
(e.g., how to make nuclear weapons, nerve gas, or bombs).
- Catch-all criminal law provision.
The university is not an enclave that is immune or exempt
from federal, state, or local laws.
Any use of university computer resources for unlawful activity
is also misconduct at the university.
- Forbid waste of computer resources.
- deliberately designing a computer program that contains
an infinite loop, so that the computer will run until the user's
maximum time limit expires.
- denial of service attacks on any website, anywhere.
- excessive printing.
- frivolous or grossly inefficient computing.
- attempting to crash operating systems.
Personal or recreational activities
Every employer would prefer that their employees concentrate
on their assigned job and not play games, not look at
erotic photographs on the Internet, not send jokes to friends,
not engage in stock market transactions, not surf the Internet for
purely personal interests, ....
On the other hand, monitoring e-mail and Internet use by employees
creates an unfriendly working environment, with loss of morale.
It may be better to tolerate some waste and frivolous activities,
to create a good working environment with a higher productivity.
I suggest a compromise of prohibiting personal or
recreational activities only when:
No matter how hard managers huff and puff, they will never
eliminate personal, recreational, or frivolous activities
by students and employees. However, what can be done is to give
coursework, scholarly research, and official university business
a higher priority than personal, recreational, or frivolous activities.
- the employee is neglecting to complete assigned work in a
timely way, or
- someone else needs to use the computer equipment
for coursework, scholarly research, or university administration.
- Erotic content of a webpage
Examples might include pictures of nude people,
pictures of people engaging in sexual intercourse, or erotic text.
In general, such content is protected expression by the First Amendment.
However, one might wish to prohibit such material on university computers
for several reasons:
Students or faculty who wish to post erotic material should
obtain an account at a commercial website, post the material there
as a private person, and not mention their affiliation with the
- Such salacious material tends to draw a large number of
visitors to the webpage(s), thus overloading the server
and denying computer resources to students and faculty
who are trying to do homework, scholarly research, and other projects
of educational merit.
- Posting such material on a university computer may create
a hostile environment for women.
- The nature of this material is not compatible with
the educational mission of a university, and detracts
from the dignified, professional image that the university
wishes to project to the public.
- Hate speech on a webpage
Hate speech is condemnation of a group of people,
most commonly ethnic or religious minorities.
(The distinction between harassment and hate speech is
that harassment is targeted at an individual person, while
hate speech is targeted at a group of people.)
In my opinion, hate speech is the most troubling category
of potentially prohibited activities.
On one hand, hate speech is political speech,
which receives the highest level of First Amendment protection.
On the other hand, by making the targeted minority less welcome,
hate speech runs against enlightened policies of
including minorities in the campus community and of encouraging tolerance.
- No usurp authority of professors.
A professor has the right to establish specific policies for
computers (a) in his/her research laboratory
or (b) in a teaching laboratory that he/she supervises.
Such specific, local policies should explicitly refer
to the university-wide Acceptable Use Policy,
then add additional regulations.
Only in exceptional cases (perhaps requiring written approval of a dean),
should a specific, local policy allow conduct that is prohibited
in the university-wide Acceptable Use Policy.
There are also a number of issues that are important for the
maintenance of a reliable computing environment, but which
do not include issues of freedom of speech, privacy, criminal law,
intellectual property (e.g., copyright and trademark), etc.
- Neither food nor beverages are permitted near computer terminals.
- Users should not switch off hardware
(e.g., printer, computer, monitor) that is connected to a network,
because it may cause failure of the network or inconvenience to
other users of the network. The one exception is when it appears
that there is a fire inside the equipment.
- Use a surge suppressor to connect electric power and
telephone lines to computers and peripheral equipment
(e.g., printers, monitor, etc.).
General-use computers are defined as computers that are used
by many different students and staff each week.
(General-use computers are distinguished from a computer located
at the desk of a faculty, staff, or graduate student for use only,
or mainly, by that one person.)
- Users may neither disconnect nor connect hardware
(e.g., keyboards, monitors,
surge suppressors, printers, etc.) on general-use computers.
It is prohibited for users to move hardware from one machine
to another. When it is desirable to move hardware, contact
a staff member.
- Users should not install software on general-use computers.
Users may install properly licensed software on university-owned computers
in their office that will be used exclusively by that one user.
- Users should not change preference settings in programs
on general-use computers.
The following links are not a bibliography for this document,
but are listed for the convenience of the reader.
Reading policies from other universities can be useful:
not only reminding the reader of issues to consider,
but also showing the reader good and bad styles.
By reading policies from many other universities, an author of a policy
quickly becomes sympathetic to readers who are repelled by an
authoritarian tone that is typical of most policies.
Note that copying or paraphrasing parts of another university's policy
without a citation to the original source is plagiarism.
Copying or paraphrasing substantial parts of another university's policy
without written permission is copyright infringement.
Using a search engine to find
computer "Acceptable Use Policy"
will return hundreds of documents from the Internet.
The following links are to webpages that have a large collection of links to
Computer Acceptable Use Policies from many universities.
Instead of just saying "no, no, no, prohibited, forbidden, ...,"
include reasons why the conduct is prohibited.
Understanding the reason(s) for the rule helps people remember the regulations,
educates people about ethics, and
softens the strident tone of many regulations.
Mention ethics, professionalism, honor, trust,
and sharing in a collegial way,
to communicate positive values, and to offset the
negative tone of a long list of prohibited activities.
It is critical that the Acceptable Use Policy be terse.
Any set of rules with a length of more than one page is likely
to be ignored by most people.
(Only attorneys and bureaucrats love long regulations! <grin>)
On the other hand, adding reasons and explanations
(which are desirable, as explained in the previous paragraph),
will make the Acceptable Use Policy longer than three pages.
Furthermore, there are many ways that computers can be
used to harm people, and a precise (i.e., legally enforceable)
statement of proscribed conduct may be lengthy.
The way out of this dilemma is to have
the first page contain terse, one-sentence rules, followed
by many pages of explanations and examples.
In the copy of the Acceptable Use Policy that is posted
at the university website,
the rules on the first page should be linked to explanations
later in the document.
In some cases, it may be reasonable to suggest alternatives
(e.g., see above) that are acceptable
to the university.
At the end of the regulations, a sentence should
explain that department chairmen, deans, and the director of the university
computing center are all authorized to make exceptions to these regulations
when the petitioner has a good reason.
A number of prohibitions listed above
(e.g., prohibiting sending e-mail that harms an individual,
use of university resources for personal financial gain or for
partisan political purposes, infringement of copyright or trademark,
public release of confidential or proprietary information,
personal or recreational activities during working hours, etc.)
are not specific to computers, but are mentioned in the
Acceptable Use Policy only for completeness and
to remind people of how generally prohibited activities can
appear in the specific context of e-mail, webpages, or other use of computers.
Such explanations are necessary because there is a widespread belief
that cyberspace is a place where laws and regulations do not apply.
While the Acceptable Use Policy should be included in the
faculty/staff personnel manual and in the student handbook,
a copy should also be given to each person
at the time their computer username and initial password is issued.
Each user should sign a written statement that he/she
has received a written copy of the Acceptable Use Policy,
has read the Policy,
and he/she agrees to comply with the regulations in that Policy.
(Such a written agreement would be useful in quickly defeating
an attempted "I didn't know." defense if litigation should occur.
An expelled student or terminated employee does sometimes sue a university.)
Enforcement of Rules
In addition to precisely specifying what activities are forbidden,
there is the issue of how these rules will be enforced:
- Will the university monitor e-mail and Internet use?
There are issues of privacy, as well as keeping a high level of
morale among employees, in formulating such a policy.
It may be better to tolerate some waste and frivolous activities,
in order to avoid having an unfriendly working environment.
- To whom should suspected violations of the Acceptable Use Policy
- What penalties can be imposed on violators of the Acceptable Use Policy?
To keep the Acceptable Use Policy as short as possible,
and also to avoid possible contradictions or inconsistencies
(e.g., when the penalties are modified in one document, but not the other),
the penalties can be one or two sentences that refer to the
section on misconduct
in both the faculty/staff personnel manual and the student handbook,
where the main discussion of penalties is located.
I believe it is a mistake to specify that violation of certain rule(s)
will always result in termination of employment or
expulsion of a student. The university administration needs to
have flexibility in deciding a reasonable punishment for each
violation, after considering all of the facts of each case,
and after considering the accused person's attempts at mitigation.
Furthermore, if maximum penalties are a certainty, then
a suspect has no motive to cooperate with authorities.
In July 2002, I reviewed about a dozen policies from major
universities in the USA. I was astounded to find glaring defects in
these policies, for example:
It would be embarrassing to write an Acceptable Use Policy,
then later have a judge or an attorney say that the policy is
not enforceable, because of a legal defect.
And it would be awful if such a legal defect allowed a person
to escape punishment by the university for their wrongful or
criminal act. A draft Acceptable Use Policy should be
carefully reviewed by an attorney who is familiar with
computer law and who is experienced in writing documents
that are easy to understand.
- One state university says it will punish someone for refusing
to cooperate in an investigation of their misconduct
(i.e., punish them for asserting their legal right to refuse
self-incrimination, a right explicitly mentioned in the Fifth
Amendment to the U.S. Constitution)!
- Several universities list The Computer Virus Eradication Act of 1988
[or 1989] as one of the laws that students must obey.
This "Act" was a bill introduced into the U.S. House of Representatives
in 1988 and 1989, but it was never enacted into law.
(Apparently, the appropriate committee never even held hearings on this
It would be desirable if people who wrote Acceptable Use Policies
actually understood computer crime statutes.
- One famous university says: "... do not remove ... furniture ...
from [the computer laboratory]. Doing so constitutes theft and
will be dealt with accordingly." Whoa!
Using bogus legal statements to threaten students is a bad policy.
- Theft is a crime, which can only be prosecuted by the
district attorney, not the university.
No district attorney will bother prosecuting the theft
of a used chair that is worth perhaps US$ 10.
- Moving a chair from the computer laboratory to, for example,
a graduate student's office does not deprive the rightful owner
(i.e., the university) of the use of the chair, and so the moving
of the chair is not theft.
- Another famous university has a list of prohibited activities
that is an "including, but not limited to" list.
Such an open-ended list fails to give adequate legal notice
of all proscribed activities, and so is legally enforceable
only for the specifically listed activities.
The regulation itself must be specific and complete, but
it is acceptable to have an open-ended list of examples.
- Most policies are not complete. For example,
despite the fact that malicious computer programs (e.g., computer
viruses and worms) have been well known since 1998,
Acceptable Use Policies at some universities still do not
explicitly prohibit the design or release of malicious computer
- Nearly all of the Acceptable Use Policies are unpleasant
reading and many of them are tediously long.
While university administrators may be satisfied with such
Policies, I am sure that few students, faculty, and staff
will read (or understand) the entire Policy, which makes those
Policies a failure at teaching professional and ethical values.
I suggest making an effort to write an
Acceptable Use Policy that people will read,
understand, and respect.
- Many of the Acceptable Use Policies contain vague or overbroad
regulations. Vague regulations are not legally enforceable,
because they fail to give adequate notice of proscribed conduct.
Overbroad regulations include innocent or harmless conduct
(which ought to be permitted) along with malicious or harmful conduct.
Vague or overbroad regulations are easy to write when the author
does not personally understand computer technology and
the author is either in a hurry or
inexperienced at technical writing.
Writing an Acceptable Use Policy requires a broad range of
knowledge and skills, including:
Such a wide range of knowledge is needed for working in
many aspects of computer law.
Generally, writing an Acceptable Use Policy should be
a team effort with contributions from scientists/engineers,
professors, deans, and attorneys.
- understanding computer technology,
- understanding basic procedural criminal law, and
- understanding substantive law in computer crimes,
intellectual property (e.g., copyright and trademark),
privacy, freedom of speech, etc.
Again, this document is only a sketch of some issues to be considered,
not a draft document.
This document is not the policy that I personally prefer or
recommend, but only a list of topics to discuss.
My credentials include:
- programmed computers since 1968,
- earned a Ph.D. in physics in 1977,
- personally owned eleven different desktop computers since 1981, which
I used or use in my scientific, engineering, or legal work,
- was a professor of electrical engineering for ten years,
- author of more than 30 published technical papers and one book,
- used e-mail since 1986,
- created and operated at least one website continuously since
December 1996 (I personally wrote all of the HTML code
at my websites.), and
- am an attorney in Massachusetts who concentrates in higher-education law,
computer law, and copyright law.
I write in plain English, not turgid legalese.
this document is at http://www.rbs2.com/policy.htm
revised 11 Oct 2002, minor modifications 27 May 2004
return to my homepage
HTML code validated: