- Scope
The Responsible Use of Computing Policy applies to all academic and operational departments and offices at all university locations, owned and leased. The policies and procedures provided herein apply to all university faculty, staff, students, visitors and contractors.
- Purpose
The university provides and maintains computing and telecommunications technologies to support the education, research, and work of its faculty, staff, and students. To preserve the security, availability, and integrity of George Mason computing resources, and to protect all users' rights to an open exchange of ideas and information, this policy sets forth the responsibilities of each member of the George Mason community in the use of these resources. To accomplish these ends, this policy supports investigations of complaints involving George Mason computing abuse, including sexual harassment, honor code, and federal or state law violations.
A user of George Mason's computing resources should be aware that violations of this policy may result in revocation of access, suspension of accounts, disciplinary action, or prosecution, and that evidence of illegal activity will be turned over to the appropriate authorities. It is your responsibility to read and follow this policy and all applicable laws and procedures. If you observe someone using George Mason computing resources to violate this policy or another university policy, you can report it by e-mail to the Security Review Panel (SRP) at stopit@gmu.edu. Many local computing systems have similar e-mail reporting addresses.
- Rules of Use
Access to George Mason computing resources is a privilege granted
on a presumption that every member of the university community will
exercise it responsibly. Because it is impossible to anticipate
all the ways in which individuals can damage, interrupt, or misuse
computing facilities, this policy focuses on a few simple rules.
These rules describe actions that you should avoid and the principles
behind them. Each rule is followed by a (not exhaustive) list of
examples of actions that would violate the rule.
Rule 1: Use George Mason computing resources consistently with
the stated priorities.
These priorities are set on the use of George Mason computing
resources:
High: All educational, research, and administrative purposes of
the university.
Low: Other uses indirectly related to university purposes that
have an educational or research benefit, including newsreading,
web browsing, chat sessions, and personal communications.
Forbidden: Selling access to George Mason computing resources;
engaging in commercial activity not sanctioned by the Provost's
Office; intentionally denying or interfering with any network resources,
including spamming, jamming, and crashing any computer; using or
accessing any George Mason computing resource, or reading or modifying
files, without proper authorization; using the technology to in
any way misrepresent or impersonate someone else; sending chain
letters; violating federal or state law, or university policy.
Note: Employees and contractors of the Commonwealth of Virginia
may not use George Mason computing resources for recreation or entertainment.
The low-priority uses of George Mason computing should be avoided
during the times of peak demand, typically the mid-afternoon to
late evening hours. During peak periods, other users may be prevented
from doing their high-priority work if you are doing something of
low priority. Those users are likely to complain to you or to the
SRP if they observe you interfering with their work. Certain activities,
such as broadcasting e-mail to very large distributions, will consume
large amounts of resources; avoid them.
Rule 2: Don't allow anyone to use your account for illegitimate
purposes.
Your account username identifies you to the entire international
Internet user community. Another person using your account, whether
or not you have given permission, will be acting in your name. You
may be held responsible for that person's actions in your account.
If that person violates any policies, his or her actions will be
traced back to your username and you may be held responsible. The
easiest way to protect yourself is to protect your password. If
you have a legitimate reason to give someone access, keep it strictly
temporary, and change your password after that person finishes using
your account. Definitely do not give your password to anyone you
do not trust. If someone else offers you use of an account you are
not authorized to use, decline. If you discover someone's password,
don't use it; report the access of the password to the owner or
to stopit@gmu.edu.
Rule 3: Honor the privacy of other users.
The university respects the desire for privacy, and voluntarily
chooses to refrain from inspecting users' files, except in certain
well-defined cases (described below in Section V). System administrators
who carry out standard administrative practices (e.g., backing up
files, cleaning up trash or temporary files, or searching for rogue
programs) do not violate privacy. Examples of privacy violations
are given below to assist you to avoid violating the privacy of
other users:
- Don't access the contents of files of another user without
explicit authorization from that user. Typically, authorization
is signaled by the other user setting file access permissions
to allow public or group reading of files. Since some systems
by default make all files readable to all users and some users
don't know this, the file permissions are not reliable. It is
always best to ask.
- Don't intercept or monitor any network communications not explicitly
meant for you.
- Don't use the systems to transmit personal or private information
about individuals unless you have explicit authorization from
the individuals affected. Don't distribute such information unless
you have permission from those individuals.
- Don't create programs that secretly collect information about
users. Software on George Mason computing resources is subject
to the same guidelines for protecting privacy as any other information-gathering
project at the university. You may not use George Mason computing
resources to collect information about individual users without
their consent. Note that most systems keep audit trails and usage
logs (e.g., for ftp, netscape, and login); these are not secret
and are considered normal parts of system administration.
Rule 4: Don't impersonate any other person.
Using George Mason computing resources to impersonate someone else
is wrong. If you use someone else's account without their permission,
you may be committing acts of fraud because the account owner's
name will be attached to the transactions you have performed. If,
while using someone else's account, you communicate with others,
you should clearly identify yourself as doing so.
If you send anonymous mail or postings, you should realize that
it is normal etiquette to identify that your message is anonymous
or is signed by pseudonym. Because policy violators often use anonymous
communication to hide their identities, many people give less credence
to anonymous communication than to signed communication.
System administrators who receive anonymous complaints and cannot
locate the sender for additional information or clarification may
be unable to assist the sender or provide witnesses to support claims
of illegal activity.
Rule 5: Don't use George Mason computing resources to violate
other policies or laws.
Don't use George Mason computing resources to commit violations
of federal or state laws, or other university policies. Examples
are given below to assist you to avoid inadvertent violations. This
list is not comprehensive. In case of doubt, contact the Security
Review Panel or send e-mail to stopit@gmu.edu.
- Don't violate copyright laws and licenses. Many programs and
their documentation are owned by individual users or third parties
and are protected by copyright and other laws, licenses, and contractual
agreements. You must abide by these restrictions; to do otherwise
may be illegal.
- Don't use George Mason computing resources to violate harassment
laws or policies. Various types of harassment, including sexual
or racial, are proscribed by university policies.
- Don't use George Mason computing resources to violate the Honor
Code.
- Don't use George Mason computing resources to attack computers,
accounts, or other users by launching viruses, worms, trojan horses,
or other attacks on computers here or elsewhere.
- Don't use George Mason computing resources to harass or threaten
others.
- Don't use George Mason computing resources to transmit fraudulent
messages.
- Don't use George Mason computing resources to transmit, store,
display, download, print or intentionally receive obscene material,
or to distribute pornographic material to minors.
All users of George Mason computing resources are subject to all
federal and state obscenity laws.
- Schools, Institutes, Centers, and Departments
George Mason organizational units operate computers and networks
to support their missions. The principles of this policy apply to
all university organizational units, and any computers owned or
operated by the university. Units may set additional local policies
and expectations that are consistent with this policy. For example,
local units may stipulate that material displayed or publicly accessible
from their sites should be consistent with their public image and
mission. They may set guidelines for format and content of material
in home pages, ftp directories, listservs, netlibs, info servers,
and the like, and may appoint an editor or moderator for such material.
They may prioritize and prohibit types of use in order to efficiently
manage their computing resources.
- Electronic Information Environment
Your personal e-mail, electronic files maintained on university
equipment, and personal web pages are part of a unique electronic
information environment. This environment creates unique privacy
issues that involve federal and state laws as well as university
policies. This section provides a starting point in your considerations
on how to use this electronic information environment.
E-mail is not secure. It is easily forwarded to a multitude of
recipients and may be altered. Intruders to the network may be able
to bypass your password protection. Your e-mail may also be accessible
under freedom of information laws and backup computer tapes may
contain deleted e-mail for over a year. Mail undelivered for any
reason may be copied to the mailbox of a "postmaster" on the sender
or recipient computers. For all of these reasons and others, your
expectations of privacy concerning your e-mail and electronic files
should take these realities into account.
Most systems have public directories for temporary files. Examples
are print spoolers, system-wide web caches, and scratch areas used
by document editors. The temporary files stored in these directories
are usually restricted to being readable only by the owner. To protect
privacy and prevent these directories from overflowing, system administrators
empty them regularly. You should never count on these files surviving
after you log out.
No user may intentionally read personal files, including those
storing e-mail, without the owner's consent. In the event of a lawful
investigation of misconduct, law enforcement officials and university
officials involved in the investigation may inspect user files and
communications. In such a case, the chair of the SRP should be notified
immediately, preferably before the inspection occurs. Users whose
files have been inspected will normally be notified within 14 days
by e-mail or other appropriate means.
The university reserves the right, to the fullest extent permitted
by law, to inspect user files and communications for the purposes
of investigating allegations of illegal activity or violations of
university policies, or to protect the integrity and safety of network
systems.
- Web Pages
The university's official web pages (www.gmu.edu)
contain public information about the university's offerings, programs,
and promises to students and the public. These pages project the
public identity of the university and are its first electronic point
of contact with the general public, students, parents, and employers.
The university exercises editorial control over the content of its
official web pages.
The university is not responsible for information, including photographic
images, published on or accessible through personal web pages, including
personal home pages. Personal web pages, created and maintained
by employees, students or university-recognized student groups,
are the sole responsibility of the person or student group identified
by the account. The university does not monitor the contents of
these personal web pages. The individual creating or maintaining
personal web pages may be held criminally or civilly liable for
the materials posted on the website. For example, an individual
who posts obscene material may be subject to criminal prosecution
and an individual who posts copyrighted material might be liable
to the owner of the copyrighted material under copyright law.
Personal web pages contain the personal expression of their creators.
The contents, including link identifiers, of these pages include
academic subjects, hobbies, religion, art, and politics, as well
as materials that some viewers may find offensive. Neither the contents
nor the link identifiers are reviewed or endorsed by the university.
If you feel you might be offended by material following a link identifier
or material on the page itself, you should not continue.
The university will investigate all complaints involving personal
web pages and will remove or block material or links to material
that violate federal or state law or university policy.
- System Administrators (SAs)
The SAs of various computers on George Mason campuses have special
responsibilities. They have been granted extraordinary powers to
override or alter access controls, configurations, and passwords,
which they should exercise with great care and integrity. SAs manage
computers and administer policies, but they do not create policies.
Their actions are constrained by this policy and by the policies
of local administrative units.
A set of guidelines and standards for all SAs is created and maintained
by the SRP. These guidelines will address job descriptions, integrity
issues, and standard system administration actions that do not violate
privacy. Managers of university units who employ SAs are responsible
for ensuring that the SAs comply with and enforce the requirements
of this policy and local policy in the systems for which they are
responsible. SAs who violate this policy or any local policy, or
who misuse their powers, are subject to disciplinary action.
If an SA observes someone engaging in activities that would seriously
compromise the security or integrity of a system or network, e.g.,
intrusions, break-ins, unauthorized service or access denials, or
trojan horses, the SA may take immediate action to stop the threat
or minimize the damage. This may include termination of processes,
scanning for rogue programs, disconnection from a network, protection
and holding of evidence for an investigation, or temporary suspension
of an account. Account suspensions must be reported immediately
to the SRP. SAs who observe suspected violations of law should immediately
alert the University Police.
Should a valid complaint be filed against an SA, the SRP will determine
if the SA's action could have been accomplished only by someone
with the extraordinary powers of an SA. If not, the SRP will follow
the "stopit" procedure to request that the SA refrain from the action
in the future; if so, the SRP will forward the matter to the SA's
supervisor for appropriate action.
- Security Review Panel (SRP)
This policy establishes an SRP that is responsible for reviewing
SAs' decisions, responding to complaints, and periodically reviewing
this policy. The SRP consists of three faculty members, one graduate
student, one undergraduate student, one University Computing and
Information Systems (UCIS) staff member, and one non-UCIS system
administrator (SA). The SRP members are appointed by the vice president
for information technology and services for a term not to exceed
two academic years. The SRP chair will be one of the faculty members
and will be appointed by the vice president for information technology
and services.
SAs will report all violations and their responses to the SRP immediately.
Any member of the community can report a violation to the SRP via
the "stopit" mechanism. Upon receipt of a complaint from a user
or an SA, the SRP chair will assign one of the members as the "case
worker" for that complaint. The three-step "stopit" process within
which the SRP operates is described below in Part IX.
The SRP is authorized to create subgroups to assist in its mission.
An example is a George Mason Emergency Response Team (CERT), which
coordinates responses to abuses, provides technical assistance on
security matters to SAs, and issues security advisories.
The SRP is also responsible for periodically reviewing these policies
and recommending improvements and clarifications as needed. All
modifications to the policies will be made after full public disclosure
and a reasonable period for public comment.
- The Stopit Process
The process described here, called "stopit" after a similar process
at MIT, uses a graduated approach to handle violations of this policy.
The approach is based on two premises: The vast majority of users
are responsible; and most offenders, given the opportunity to stop
uncivil or disruptive behavior without having to admit guilt, will
do so and will not repeat the offense.
This policy distinguishes between incidents that pose no immediate
dangers to persons or to system integrity, and incidents that do.
The three-step "stopit" process described below is designed for
cases in which there are no immediate dangers.
Incidents posing immediate dangers to persons or systems require
immediate action. These include active system break-ins or intrusions,
denials of service, and fraud or criminal activity conducted using
Masonet resources. In these cases, the responsible SA may take reasonable
actions to deal with the threat, such as temporarily disconnecting
the system from the network, temporarily suspending accounts, and
calling law enforcement officers. The SA taking such actions will
notify his or her supervisor and the SRP chair as soon as practicable.
The "stopit" process rests on two foundations:
Wide Distribution of Policy Information
Notices describing the essence of this policy will be displayed
in computer labs on George Mason premises; the same information
will be given to new users and to each user annually. New users
will be asked to sign their agreement to this policy as a condition
of activating their accounts.
Standard Reporting Mechanism
The "stopit" e-mail address (stopit@gmu.edu)
is monitored regularly by SRP members, who will respond promptly
to complaints. Anyone observing harmful or disruptive behavior should
report it to the stopit e-mail address or to University Police.
The SRP member who responds to a complaint will normally forward
it to the SA of the system on which the infraction apparently occurred.
That SA will investigate the complaint, determine its validity,
and take appropriate actions such as sending the first warning (see
below).
The steps of the process are as follows:
STOPIT 1: First Warning
The SRP member handling a case (or SA, if the case is delegated)
will send a warning letter to the alleged perpetrators of improper
use of George Mason computing resources, harassment, or other uncivil
behavior. The letter will have this form:
"Someone using your account did [whatever the offense is]." This
is followed by an explanation of which policy this behavior violates
and why. "Account holders are responsible for the use of their accounts.
If you were unaware that your account was being used in this way,
it may have been compromised. Your system administrator can help
you change your password and re-secure your account. If you are
aware, then please make sure that this does not happen again."
This warning ensures that the alleged perpetrators are aware that
a policy violation may have occurred and that there was a complaint.
It offers them a chance to desist without having to admit guilt
and a chance to secure their account against unauthorized use.
STOPIT 2: Second Warning
If there is a second offense from an account that received a first-warning
letter, the cognizant SRP member will issue a second warning and
may require that the account holder come to a mandatory interview.
The SRP chair can authorize the temporary suspension of access to
the user's account if the individual fails to arrange for a mandatory
interview. The user can request a hearing before the full SRP.
STOPIT 3: Disciplinary Procedures
If the previous "stopit" stages do not convince the perpetrators
to desist, the matter will be turned over to the appropriate university
authority designated for that type of offense. The SRP will make
available all information and evidence it has on the case to that
authority.
If it appears from the evidence that any federal or state laws
may have been violated, the SRP may suspend the account pending
the outcome of the university's or law enforcement authorities'
investigation.
- Amendments and Additions
All amendments and additions to this policy are to be reviewed
and approved by the Office of the Provost and the Office of the
Senior Vice President.
- Effective Date
The policies herein are effective October 20, 1997. This administrative
policy shall be reviewed annually and revised, if necessary, and
becomes effective at the beginning of the university's fiscal year,
unless otherwise noted.