Policy on Responsible Use of Computing Resources

Policy on Responsible Use of University Computing and Network Resources

The Ohio State University

May 10, 2000

General Statement

As a part of the physical and social learning infrastructure, The Ohio State University acquires, develops, and maintains computers, computer systems, and networks. These computing resources are intended for university-related purposes, including direct and indirect support of the university's instruction, research, and service missions; of university administrative functions; of student and campus life activities; and of the free exchange of ideas among members of the university community and between the university community and the wider local, national, and world communities.

The rights of academic freedom and freedom of expression apply to the use of university computing resources. So, too, however, do the responsibilities and limitations associated with those rights. The use of university computing resources, like the use of any other university-provided resource and like any other university-related activity, is subject to the normal requirements of legal and ethical behavior within the university community. Thus, legitimate use of a computer, computer system, or network does not extend to whatever is technically possible. Although some limitations are built into computer operating systems and networks, those limitations are not the sole restrictions on what is permissible. Users must abide by all applicable restrictions, whether or not they are built into the operating system or network and whether or not they can be circumvented by technical means.

Applicability

This policy applies to all users of university computing resources, whether affiliated with the university or not, and to all uses of those resources, whether on campus or from remote locations. Additional policies may apply to specific computers, computer systems, or networks provided or operated by specific units of the university or to uses within specific units. Consult the operators or managers of the specific computer, computer system, or network in which you are interested or the management of the unit for further information.

Policy

All users of university computing resources must:

Comply with all federal, Ohio, and other applicable law; all generally applicable university rules and policies; and all applicable contracts and licenses. Examples of such laws, rules, policies, contracts, and licenses include the laws of libel, privacy, copyright, trademark, obscenity, and child pornography; the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which prohibit "hacking", "cracking", and similar activities; the university's code of student conduct; the university's sexual harassment policy; and all applicable software licenses. Users who engage in electronic communications with persons in other states or countries or on other systems or networks should be aware that they may also be subject to the laws of those other states and countries and the rules and policies of those other systems and networks. Users are responsible for ascertaining, understanding, and complying with the laws, rules, policies, contracts, and licenses applicable to their particular uses.
Use only those computing resources that they are authorized to use and use them only in the manner and to the extent authorized. Ability to access computing resources does not, by itself, imply authorization to do so. Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding. Accounts and passwords may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the university.
Respect the privacy of other users and their accounts, regardless of whether those accounts are securely protected. Again, ability to access other persons' accounts does not, by itself, imply authorization to do so. Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding.
Respect the finite capacity of those resources and limit use so as not to consume an unreasonable amount of those resources or to interfere unreasonably with the activity of other users. Although there is no set bandwidth, disk space, CPU time, or other limit applicable to all uses of university computing resources, the university may require users of those resources to limit or refrain from specific uses in accordance with this principle. The reasonableness of any particular use will be judged in the context of all of the relevant circumstances.
Refrain from using those resources for personal commercial purposes or for personal financial or other gain. Personal use of university computing resources for other purposes is permitted when it does not consume a significant amount of those resources, does not interfere with the performance of the user's job or other university responsibilities, and is otherwise in compliance with this policy. Further limits may be imposed upon personal use in accordance with normal supervisory procedures.
Refrain from stating or implying that they speak on behalf of the university and from using university trademarks and logos without authorization to do so. Affiliation with the university does not, by itself, imply authorization to speak on behalf of the university. Authorization to use university trademarks and logos on university computing resources may be granted only by the Office of University Relations or the Office of Trademarks and Licensing Services, as appropriate. The use of suitable disclaimers is encouraged.

Enforcement

Users who violate this policy may be denied access to university computing resources and may be subject to other penalties and disciplinary action, both within and outside of the university. Violations will normally be handled through the university disciplinary procedures applicable to the relevant user. For example, alleged violations by students will normally be investigated, and any penalties or other discipline will normally be imposed, by the Office of Student Judicial Affairs. However, the university may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of university or other computing resources or to protect the university from liability. The university may also refer suspected violations of applicable law to appropriate law enforcement agencies.

Security and Privacy

The university employs various measures to protect the security of its computing resources and of their users' accounts. Users should be aware, however, that the university cannot guarantee such security. Users should therefore engage in "safe computing" practices by establishing appropriate access restrictions for their accounts, guarding their passwords, and changing them regularly.

Users should also be aware that their uses of university computing resources are not completely private. While the university does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the university's computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, the scanning of systems and network ports for anomalies and vulnerabilities, and other such activities that are necessary for the rendition of service. The university may also specifically monitor the activity and accounts of individual users of university computing resources, including individual login sessions and communications, without notice, when (a) the user has given permission or has voluntarily made them accessible to the public, for example by posting to a publicly-accessable web page or providing publicly-accessable network services; (b) it reasonably appears necessary to do so to protect the integrity, security, or functionality of the university or other computing resources or to protect the university from liability; (c) there is reasonable cause to believe that the user has violated, or is violating, this policy; (d) an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns; or (e) it is otherwise required or permitted by law. Any such individual monitoring, other than that specified in "(a)", required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by the Chief Information Officer or the Chief Information Officer's designees.

The university, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications, to appropriate university personnel or law enforcement agencies and may use those results in appropriate university disciplinary proceedings. Communications made by means of university computing resources are also generally subject to Ohio's Public Records Statute to the same extent as they would be if made on paper.

Policy Version 1.0

Approved by the University Coordinating Council on May 10, 2000

Policy Review and Update Task Group

John Biancamano, Office of Legal Affairs

Steve Gordon, Deparment of City and Regional Planning, Ohio Supercomputer Center, and Greater Columbus Free-Net

Bob Kalal, Office of the Chief Information Officer

Mail Comments or Questions to the Task Group.