From: University Policy Office Subject: PROVOST: Shared Computing Date: Fri, 29 Apr 1994 16:47:23 -0400 (EDT) Message-ID: <+cmu.andrew.official.cmu-policy+AhkL:0200UfA010mdJ@andrew.cmu.edu> ************************************************************** Editor's notes... POLICY TITLE: Statement on Individual Responsibilities in Shared Computing Environments DATE OF ISSUANCE: This policy was adopted on September 15, 1987. It appears in the faculty handbook, sixth edition (September 1993). ACCOUNTABLE DEPARTMENT/UNIT: Office of the Provost. Questions about policy content should be directed to Susan Dunkle, associate provost for research and academic administration, x8-8746. MISC: Text of the policy is an excerpt from the faculty handbook and appears in its original form. ************************************************************** ---------------- Published Policy ---------------- STATEMENT ON INDIVIDUAL RESPONSIBILITIES IN SHARED COMPUTING ENVIRONMENTS Adopted September 15, 1987 As computing has come to occupy a central role in this university and in society at large, a number of seemingly new ethical issues have arisen. Some types of misconduct by computer users, such as theft of equipment and improper use of proprietary software, are already addressed by criminal and civil law. Beyond reiterating Carnegie Mellon's policy that its members should act in compliance with the law, this statement does not attempt to deal systematically with legal issues. Rather, its purpose is to clarify some standards of behavior that are expected of computer users within the university, and, indeed, it does not pretend to cover all moral issues involving the use of computers. The need for such standards arises from the sharing of resources, which is essential to mainframe systems and to the loosely-coupled network of stand-alone computers now being developed. When a community shares a resource some members may take unfair advantage of others. This danger is increased when one function of the shared resource is to store certain private resources, such as the programs, data and correspondence of users. It might be possible to solve these problems mainly through technological means, i.e., by building more and more security features into computer systems to prevent each possible type of misbehavior. Such measures, however, could have an adverse educational impact by preventing students from legitimate exploration of the computer's full range of capabilities. Furthermore, one of the duties of the university is to foster maturity and professionalism, and this requires an environment in which members of the university community can make mature ethical choices, instead of simply receiving an error message when they have done something wrong. On the other hand, some technical safeguards against malicious or accidental misuse of the system are obviously necessary. Accordingly, this document attempts to clarify the university's expectations of ethical behavior on the part of computer users. RIGHTS AND RESPONSIBILITIES The fundamental premise of this statement is that anyone sharing computing resources with other individuals should behave as a reasonable, mature and ethical person would in any other type of human interaction. The user must recognize that the computer does not exist in some special rule-free environment; on the contrary, every component of a computing system and every piece of information it contains belong either to the university community as a whole or to some individual or group within that community. Though there may be cases in which property rights to particular programs, data, etc., are ambiguous or in dispute, the user may not assume that any information he or she finds on the computer belongs to no one. Rather, the user must assume that any information not created by himself or herself belongs to someone else and respect that person's rights to that information just as if it were any other type of property. Those rights include privacy and freedom from malicious damage. Where a resource such as memory or CPU time belongs to the whole community collectively, the user must recognize the community's right to have that resource used only for purposes consistent with the university's overall objectives. RESPONSIBLE SHARING OF RESOURCES While the university makes computer resources available primarily to achieve its goals of education and research, it realizes the need to encourage the personal use of computing for the convenience of the campus community. The extent to which these resources are used for personal reasons is limited to strictly nonprofit-oriented tasks. Thus, it is reasonable to allow the use of computing resources for computer mail, document preparation or other activity that can facilitate convenience or enhance productivity. Any personal use of computing resources that produces individual financial gain is prohibited unless an account has been issued which releases this restriction. The extent to which these resources are used to produce intellectual property and profit from the development of such property is covered in the Intellectual Property Policy and need not be discussed here.[1] It is unethical to make so excessive a use of system resources that other users cannot obtain access to these resources. Examples include excessive use of CPU time during a period of heavy use on a timesharing system, excessive use of disk space on a system that does not limit such utilization, and use of an excessive amount of network bandwidth in an environment of networked personal computers. A novice user might well be unaware that a particular type of action constitutes "excessive use," but once a system administrator makes him or her aware of the fact that such an action is unreasonable, that user is to be held responsible for any further such infractions. Any communications that would be improper or illegal on any other medium are equally so on the computer: libelous material, obscene or offensive messages, threats, etc. RESPONSIBLE USE OF EQUIPMENT Computer equipment is provided by the university for the benefit of the university community. Tampering, willful destruction or theft of any computer equipment, like any other piece of property, whether it belongs to the university or to an individual, is expressly prohibited. Tampering includes any deliberate effort to degrade or halt the system, to tie up the system or to compromise the system/network performance. Willful destruction includes any deliberate disabling or damaging of personal computers, system terminals or other facilities/equipment, including the network, and any deliberate destruction or impairment of software. The unauthorized removal of university or personal equipment constitutes theft. PRIVACY The user must presume that the contents of any other user's directory are his or her private property just as one would presume that the contents of someone's apartment or office are personal. The only exception to this rule is that in some environments such files as "plan files" and "configuration files" may be considered to be public even if a user has not expressly designated them as such. Of course a user can explicitly grant access to his or her files. This is analogous to someone inviting others to come into his or her office at any time to consult certain books. If, however, no such invitation were issued, then it would not be proper to wander in and consult the books EVEN IF THE DOOR WERE UNLOCKED. Furthermore, even if such an invitation were given, it would not authorize one to tear pages out of the books or to look into a file cabinet and begin reading private correspondence. But what if a confidential letter were lying open on a desk? A prudent person who had invited others to wander in and out of his or her office would be well advised not to leave such material lying about, even though, to be sure, a scupulous visitor would avert his or her eyes. The same general principles apply in the case of computer privacy. Under no circumstances is it permissible for a user to circumvent protection codes or to obtain or use another user's password without the latter's explicit permission.[2] Under no circumstances is it permissible to delete or tamper with another user's files or with information stored by another user on any information bearing medium (disk, tape, memory, etc.). Even if a user's files are unprotected, it is improper for another user to read them unless the owner has given permission (e.g., in an announcement in class or on a computer bulletin board). However, users who issue general or vague invitations to browse through their files incur a special obligation to protect any material that they do not wish others to see. Indeed, all users are urged to maintain protection levels on their files consistent with the access they are actually willing to give to other users. DEGREES OF IMPROPER BEHAVIOR Improper behavior in the use of computers is punishable under the general university policies and regulations regarding faculty, students and staff. The offenses mentioned in this statement range from relatively minor to extremely serious, though even a minor offense may be treated severely if it is repeated or malicious. The least serious offenses are those that merely cause temporary inconvenience, such as excessive CPU use during peak load periods. Somewhat more serious are those violations of privacy in which no breach of system security occurs and no actual tampering with another's files takes place. Actions in which protection codes are circumvented or passwords obtained or used without authorization are more serious still. Even more serious are offenses in which either information or physical property is tampered with, stolen or destroyed, or in which information obtained by invasion of another user's privacy is then disseminated or otherwise used to cause embarrassment, distress or other harm. Most serious of all are offenses that compromise the integrity of the academic process, such as altering grade records or plagiarism. Appropriate disciplinary action depends not only on the nature of the offense, but also on the intent and previous history of the offender. For students in particular, the range of penalties available includes reprimands, loss of computing privileges, course failures, disciplinary probation, suspension or dismissal from the university and/or criminal prosecution. --------- Footnotes --------- [1]For faculty and staff this paragraph has been superseded by the Conflict of Interest/Commitment Policy, Organization Announcement No. 316, September 14, 1988. See posting PROVOST: Conflict of Interest. [2]There may be technical reasons why a small number of system personnel must have access to all information on the system, much as custodial personnel must have keys to all offices in university buildings. Such persons bear a special responsibility not to abuse such privileges. It is improper for them to peruse a user's files for any purpose unrelated to their official functions or to appropriate or divulge any information which the user has protected from general public access.