Policy And Guidelines:
Some Comments as the University of Delaware’s Draft Responsible Computing Policy Nears Approval

Richard Gordon

About four years ago, our department director called two of us into her office. One of our student consultants had broken into a computer at another university, securing root privileges for himself, using his work account and an account in the Computer Science Lab to do the deed. At the time, the University did not have any formal policy about computer crime, unauthorized access to computing resources, or responsible use of computing resources. As I write these prefatory notes [in 1991], it still does not. However, the “Policy for Responsible Computing Use at the University of Delaware” is nearing final approval: The policy has been on the agenda of the full Faculty Senate twice in the past seven months but has been referred back to committee both times. We anticipate its passage some time in 1992.

The attached “Recommended Guidelines for Responsible Computing at the University of Delaware” began as a 2-page draft computing ethics statement.2 Since 1987, the document has benefited from review by and input from faculty senators, senior vice presidents, interested faculty and students, deans, Computing Center staff, and colleagues at other universities and colleges. As the issues under discussion multiplied, we had to clarify the distinction between policy and procedures and implementation. Thus, we now have two documents before the University community:

• a one-page policy requiring formal Faculty Senate approval
• longer guidelines containing non-binding recommendations for implementing the policy.

The policy statement sets forth an ethical framework for computing use on our campus. It stresses that all users are responsible for the integrity of the computing and information resources and outlines who can authorize access to those resources. It defines “abuse” as unauthorized access or use of the University’s computing resources and outlines, in general terms, possible disciplinary actions. The policy tries to state things in positive terms, although the language is, at times, sterner than that suggested by some faculty members

The longer, non-binding guidelines document will be issued by our department, Computing and Network Services (CNS), to help individual users, system administrators, and the general university community understand the implications of the policy and understand how the policy translates into action. CNS is soliciting input from users around the campus, but the University administration is not requiring that this document be put through a formal, campus-wide approval process. The current draft has ten sections.

• The guidelines begin with a “Preface,” informally stating that all users are responsible for the well-being of the computing resources and stressing that an open network and a free exchange of ideas depend on everybody’s cooperation.
• A second prefatory section defines some of the terms used in the document.
• The body begins with a reprint of the actual one-page policy.
• User responsibilities are outlined, stressing what one ought to do as opposed to stressing forbidden practices. This section also stresses user self-reliance and the supervisor’s role in teaching his or her staff or students good computing practices.
• The section on system administrator responsibilities sets forth the proposition that in the ordinary course of events, “[a] system administrator’s use of the University’s computing resources is governed by the same guidelines as any other user’s computing activity.” It then offers general guidelines, particularly useful to new system administrators, for a system administrator’s additional responsibilities.
• The section on misuse of computing resources lists examples of prohibited activity.
• The section titled “User Confidentiality and System Integrity” attempts to answer a controversial pair of questions: When should a system administrator examine user information and what should he or she do about those situations in which he or she sees user information? This section is a direct result of the sometimes heated exchanges that have occurred between faculty members and system administrators.
• The section on penalties for misuse of computing states that these matters need to be referred to the appropriate due process. It also reminds all parties that federal and state laws may apply.
• The section on academic honesty, begins by paraphrasing a sentence from Brown University’s statement on Ethical and Responsible Computing: computer-assisted plagiarism is still plagiarism. Our Dean of Students endorsed this section very early in the review process.
• The final section lists the works we have consulted as we prepared this draft. This section may be cut from the final version; however, it has helped us educate the campus and stimulate discussion of the points we make in the other sections.

It is easy to get people to agree to statements like “Don’t abuse computing resources.” But translating that sentiment into policy and then delineating the procedural implications of the policy can be difficult. Our task was complicated because we have been trying to develop one responsible computing policy that applies to the entire University. However, because the University is a relatively large organization,3 and because the computing resources on campus are “owned” in a number of different ways,4 we decided that no one set of implementation rules and procedures could meet all campus needs. Therefore, we recast our procedures document and called it “Recommended Guidelines for Responsible Computing.”

During our National Conference on Computing & Values working group’s first meeting, one participant wondered aloud why one needs to have a “computing ethics policy.” There are many arguments for such a policy; at the University of Delaware, we stressed four of them when we presented our draft responsible computing documents for review:

First, a policy for responsible computing defines who is authorized to grant access to resources and, therefore, defines what constitutes authorized and unauthorized access to a computing resource. Doing so also helps draw distinctions between access to the computer and access to information stored on the computer.

Second, a policy for responsible computing protects an organization, its computing resources, its clients or students, and its employees. By adopting such a policy, an organization outlines the rights and responsibilities of all parties involved – providing important legal protection for everybody.

Third, a responsible computing policy should emphasize that we are not inventing new rules for acceptable behavior as much as we are applying existing definitions of acceptable and unacceptable behavior to a new area. Most of our students, for example, do not need a reminder that it is wrong to tear pages from a book housed in our library or to take money from a neighboring dormitory room; however, many of our students do need to be reminded that copying software from a University lab or browsing mainframe directories for unprotected files is ordinarily not acceptable behavior.

Fourth and – in my opinion – most important for a university, a policy for responsible computing educates. If promulgated widely with additional training or supporting material, such a policy helps a university train its employees, faculty, and students about authorized access, permissible computing practices, and good computing and data management. This function helps the university itself and helps students prepare for the computing environments they will encounter after graduation. Furthermore, the review process itself can be educational because the application of “ethics” or “rules of conduct” to computing is a relatively new area of discussion on most campuses.

As a matter of fact, the review process to date has helped faculty and students learn more about system administrators’ points of view and has helped remind system administrators about faculty and student concerns. For example, from a system administrators point of view, many faculty and students have unrealistic expectations for the confidentiality of the information stored on a computer; from many faculty members’ point of view, too many system administrators are prying into areas that they ought not be looking into. That is, we have had to educate some users about the realities of working on a shared system. (For example, if one of your jobs threatens to kill other user jobs or crash a timesharing system, a system administrator must investigate.) We have also had to remind some system administrators that they must initiate notification procedures in those rare instances when a user’s information has been reviewed.

The review process has also taught us more about certain work relationships at our University. For instance, faculty members and academic staff learned some valuable lessons about the administrative point of view during our discussions about the policy statement’s opening sentences. As at many universities and colleges, anything that might possibly imply a curtailment of students’ and faculty’s “academic freedom” sets off alarms for many faculty members and students. Knowing that the effort to put a policy into effect could be construed as limiting academic freedom, one Faculty Senate committee recommended that the policy include language like the following: “The University of Delaware aims to provide the best possible computing and information resources to students, faculty, and staff and manages these resources in such a way that members of the University community can participate in an open exchange of ideas with each other, with colleagues at other universities, and with appropriate off-campus information resources.” This open approach requires that all members of the University community who use the University’s computing and information resources act cooperatively and responsibly. However, this language caused the University Treasurer to object on the grounds that his staff were bound more by rules of confidentiality than by rules of openness. Other University administrators agreed; since our goal is to have one all-encompassing policy, we changed the language to that in the accompanying draft guidelines. However, the preface to the guidelines still conveys the message that we are, for the most part, trying to maintain an “open” computing environment.

Finally, as we lead discussions about the draft policy and guidelines, we find that we are helping the University community learn more about computing and information technology in general. At first, a lot of faculty, students, and staff misunderstood the aims of the policy because they relied too heavily on analogies and inexact comparisons to “understand” computing technology. But as we discussed issues raised by the policy, our users learned more about, for example, how electronic mail really works, how one person’s work can affect other user’s work on a time-sharing system, and even why software piracy is wrong, even in the face of the argument, “But I didn’t steal it. You still have your copy. I just copied it.”

And so, the most important consequence of our efforts is that the campus is more aware of security issues, responsible computing practices, the relationships between the users of the resources, the relationships between the users and the providers, the relationships between the users and the resources themselves. And by having both a policy statement and a set of recommended guidelines, we have provided information about how the policy statement translates into user and system administrator actions.

If you are in the process of developing a responsible computing policy for your organization, we recommend that you consult the Site Security Handbook: RFC 1244, available in the computer file /pub/ssphwg/rfc1244.txt on cert.sei.cmu.edu. Released by the Internet Engineering Task Force in July 1991, this document provides a wealth of information with which you can educate senior decision-makers, faculty, staff, and students about responsible computing issues, data management, and computing security.

We hope that the accompanying draft document, “Recommended Guidelines for Responsible Computing at the University of Delaware,” will help other organizations discuss, develop, and implement policies and procedures for responsible computing at their own institutions.

University of Delaware

End Notes

1. Some portions of these comments were presented at the National Conference on Computing & Values [NCCV] (Southern Connecticut State University) in an enrichment presentation entitled “‘Look What They’ve Done to My Policy, Ma: A Report on the Development of a Responsible Computing Policy at the University of Delaware” (August 13, 1991). In addition, the draft guidelines and an article about the approval process for our responsible computing policy will be appearing in a forthcoming issue of Computer Security Journal, published by the Computer Security Institute, 600 Harrison Street, San Francisco, California, 94107. A short adaptation of one section of the NCCV talk, on what we might have done differently if we were starting the process now, will be appearing in a forthcoming issue of Computer Security Alert, also published by the Computer Security Institute.
2. Working with me at the time were Andrew Frake, now at Johns Hopkins University; Anne W. Grant, now at the University of Wisconsin, Madison; and Michael Eck, now a graduate student at the University of Delaware. The structure of the current draft documentation owes much to Lynda Ruggerio, one of my colleagues in Computing and Network Services.
3. The University of Delaware has approximately 18,000 students and approximately 5,000 faculty, professional staff, and salaried staff.
4. At least one computing resource falls into each of the following categories at our University: 1) “centrally” owned; 2) owned by an individual department; 3) shared between several departments within one college or division; 4) owned by individual students, faculty, or staff; 5) purchased by grant money obtained from non-University sources; 6) donated by corporations or foundations for use in specific projects.

Go to: Recommended Guidelines for Responsible Computing at the University of Delaware

Home > Teaching Resources > Computer Ethics Issues in Academic Computing > Policies and Guidelines: Some Comments as the University of Delaware’s Draft Responsible Computing Policy Nears Approval

Back to the Main Site

HOME | IN THE NEWS | RESEARCH RESOURCES
TEACHING RESOURCES | STUDENT RESOURCES | LINKS

The Research Center on Computing & Society
at Southern Connecticut State University
501 Crescent Street | New Haven, CT 06515
Director: (203) 392-6790 | e-mail: webmaster@computerethics.org

© 2000 – 2004 – Research Center on Computing & Society