Policies and Recommendations

1  Introduction

This policy is intended to promote the responsible and ethical use of the computing resources of Wake Forest University. Copies of the policy shall be provided to all users of the Academic Computing System, and every effort shall be made to ensure that all users read the policy at least once.

The policy applies to all computer and computer communication facilities owned, leased, operated, or contracted by the University. This includes, but is not limited to, word-processing equipment, microcomputers, minicomputers, mainframes, computer networks, computer peripherals, and software, whether used for administration, research, teaching, or other purposes. The policy extends to any use of University facilities to access computers elsewhere.

The administrators of various on-campus and off-campus computing facilities, and those responsible for access to those facilities, may promulgate additional regulations to control their use, if not inconsistent with this policy. System administrators are responsible for publicizing any such additional regulations.

2  Basic Principles

The University's computing resources are for instructional and research use by the students, faculty, and staff of Wake Forest University. Ethical standards which apply to other University activities (Honor Code, the Social Rules and Responsibilities, and all local, state, and federal laws) apply equally to use of campus computing facilities.

As in all aspects of University life, users of computing facilities should act honorably and in a manner consistent with ordinary ethical obligations. Cheating, stealing, making false or deceiving statements, plagiarism, vandalism, and harassment are just as wrong in the context of computing systems as they are in all other domains.

Use of campus facilities is restricted to authorized users. For the purposes of this document, an ``authorized user'' shall be defined as an individual who has been assigned a login ID and password by Information Systems staff (on any relevant system), or by an authorized agent. Individual users are responsible for the proper use of their accounts, including the protection of their login IDs and passwords. Users are also responsible for reporting any activities which they believe to be in violation of this policy, just as students are responsible for reporting Honor Code violations.

Individuals should use only those computing facilities they have been authorized to use. They should use these facilities:

• in a manner consistent with the terms under which they were granted access to them;

• in a way that respects the rights and privacy of other users;

• so as not to interfere with or violate the normal, appropriate use of these facilities; and

• in a responsible manner.

Inappropriate activities which are already covered under other University policies are to be handled in the same way, and by the same authorities, as if a computer had not been involved, following established guidelines. In such cases the Information Systems Department will follow the advice of the appropriate authorities, although it reserves the right to add additional, computer-oriented punishments when the abuse involves the use of campus computing resources. Violations that relate exclusively to this policy and other computer usage policies (such as forging mail and interfering with the use of campus computer resources) shall be handled by Information Systems directly.

3  System Monitoring

This statement serves as notice to all users of campus computing systems that regular monitoring of system activities may occur. (But see also section 4 below.)

Only the following persons are authorized to engage in system monitoring; the Chief Information Officer or Assistant Chief Information Officer, Director of Networking, Director of Systems, Assistant Manager of Systems, and any Systems Administrator or Network Administrator (on the systems or networks they administer).

Detailed records of all system monitoring that takes place (routine or not) shall be kept, and may be inspected by the Provost or an appointed representative of the Provost at any time.

The following may be monitored by the above-mentioned staff:

1. Any system log files which contain information pertaining to processes executed on a given system.

2. System directories, temporary storage areas, work areas, and all areas outside of users' personal files. (Personal files are defined as any files created by and/or owned by the user.)

3. Unsuccessful attempts to log into an account or a network.

4. Attempts to gain unauthorized access to departmental or personal machines within the campus community.

5. Attempts to disguise the source of electronic mail.

6. Personal computers associated with reported incidents of harassment or other violations of acceptable use policies, or user complaints.

7. Any activity which in the opinion of the above-mentioned staff appears to compromise the security or integrity of the operating system.

In addition mail messages with invalid recipient or sender fields are commonly sent to the ``Postmaster'', who will examine them to determine the cause of the problem. Complaints brought by users may also result in examination of relevant files and emails, pursuant to approval by the appropriate authority. (See section 4.) In the latter case, the email recipient must give permission in writing before such an investigation can proceed.

4  Privacy

All users, including the members of the Information Systems staff, should respect the privacy of other authorized users. Thus they should respect the rights of other users to security of files, confidentiality of data, and the ownership of their own work.

Nonetheless, in order to enforce the policies set out here, the Information Systems staff listed in section 3 are permitted to monitor activity on local computing systems. In general, the staff may routinely search a University-owned file system for potential violations of these ploicies. When there is clear evidence of a violation deemed serious by the appropriate authorities,  they may view users' files, monitor keystrokes, and otherwise observe users' activities. In cases deemed especially serious by the appropriate authorities, Information Systems staff may read users' email, but only after obtaining permission from the appropriate authority. 

If a member of the University community outside of Information Systems reports activities in apparent violation of the policies described here, IS will inform the appropriate authorities of the complaint. Upon approval, an investigation of a user's computing activites, emails, and files may be initiated by Information Systems. In such a situation, a record of the investigation shall be placed in a permanent file to be kept in Information Systems, beyond the standard log of all systems monitoring. This record shall state why the user was investigated, what files were examined, and the results of the investigation. Information Systems staff shall not reveal the contents of users' files, users' activities, or the record of investigations except under in the following cases (and then only with the approval of the Assistant Vice President for Information Systems or the Provost):

1. Evidence of Honor Code or Social Rules and Regulations violations will be referred to the Dean of the appropriate college, or to the Dean of Students.

2. Evidence of improper activities by University employees will be referred to the Director of Human Resources or the appropriate University officers.

3. Evidence of violations of law will be referred to the appropriate law enforcement officials.

Should Information Systems receive an inquiry concerning whether a user has had computer-related disciplinary action taken against him or her, IS staff will provide only a confirmation of the disciplinary action taken and the dates of the action. No information regarding the reasons for the action will be provided to anyone except the user and the authorities involved, and no names may be given. (For example, if someone asks about the person that broke into their account, they are only told the punishment and dates of the punishment - not who broke into the account. IS staff are committed to abide by existing privacy laws.)

5  Prohibited Activities

The following list is intended to aid in interpreting the principles set out above; the list should not be construed as comprehensive. Examples of actions in violation of the approved principles are:

1. Providing copyrighted or licensed material to others while maintaining copies for one's own use, unless there is a specific provision in the license which allows this. This activity is forbidden even if the material is provided without cost for an educational purpose.

2. Using software or documentation known to have been obtained in violation of the Copyright Law or a valid license provision. Use of a copyrighted program obtained from another party, for which no license exists that allows such a transfer, will be presumed to be knowing and the burden of demonstrating that the use was innocent will rest with the user.

3. Using a copyrighted program on more than one machine at the same time, unless this is permitted by a specific license provision.

4. Copying any copyrighted material or licensed program contents, unless allowed under the fair-use doctrine or explicitly permitted by the copyright owner. (For further information, see http://zsr.wfu.edu/research/guides/copyright/ )

5. Interfering with others' legitimate use of computing facilities.

6. Using the computer access privileges of others.

7. Providing any unauthorized user with access to a personal login ID, or in any way allowing others access to a machine under one's own name. This includes providing access to campus computing resources without the express written permission of Information Systems.

8. Intentionally creating, modifying, reading or copying files (including mail) to or from any areas to which the user has not been granted access. This includes accessing, copying, or modifying the files of others without their explicit permission.

9. Disguising one's identity in any way, including the sending of falsified messages, removal of data from system files, and the masking of process names. This prohibition includes sending electronic mail fraudulently.

10. The establishment of any function which provides unauthorized access, via the Internet connection or otherwise, without the written permission of Information Systems. For example, users may not install games which allow users to access academic computers without a valid login ID.

11. Sending harassing or libelous messages via any digital means.

12. Sending chain letters via electronic mail.

13. Using University facilities to gain unauthorized access to computer systems off-campus.

14. Use of campus computer facilities for commercial purposes without prior written permission.

15. Attempting to interfere with the normal operation of computing systems in any way, or attempting to subvert the restrictions associated with such facilities.

6  Disciplinary Actions

Substantial evidence of a violation of the principles described in this policy statement may result in disciplinary action. As stated above, in cases where a policy already exists, and the only difference is that a computer was used to perform the activity, such action will be taken through appropriate University channels such as administrative procedures, the Honor and Ethics Council, the Graduate Council, or other supervisory authority to which the individual is subject. Violation of State or Federal statutes may result in civil or criminal proceedings. Otherwise, however, those who engage in computer violations are subject to Information Systems.

System administrators, with due regard for the right of privacy of users and the confidentiality of their data, have the right to suspend or modify computer access privileges, examine files, passwords, accounting information, printouts, tapes, and any other material that may aid in maintaining the integrity and efficient operation of the system. Users whose activity is viewed as a threat to the operation of a computing system, who abuse the rights of other users, or who refuse to cease improper behavior may have disciplinary action taken against them.

Violation of the the policies articulated here may result one or more of the following, plus any additional actions deemed appropriate by Information Systems:

1. Suspension of one's ability to perform interactive logins on relevant machines on-campus.

2. Suspension of one's ability to login to a campus network.

3. Suspension of one's ability to send email.

4. Suspension of one's ability to receive email.

5. Increased monitoring of further computer activity (beyond normal systems monitoring).

Upon taking action, Information Systems will notify the user in writing within 24 hours. The notice will clearly state which policies allegedly were violated. The suspended user must contact the Assistant Vice-President of Information Systems or his designated representative (the ``policy enactor'') regarding the suspension. After discussing the alleged violation, the policy enactor may undo any or all of the disciplinary action, or continue action for up to one year. If the user has not contacted the Representative within seven days of the disciplinary action, the Representative will render a decision and notify the user as specified below.

In the event that the user and the policy enactor are unable to resolve the matter to the user's satisfaction, he or she may appeal to the Director of Information Systems within seven days. The Director of Information Systems may modify or sustain the decision. When disciplinary action is taken, a written notice will be sent to the user and the Office of the Provost explaining the length of the punishment and the violations which occurred. Copies of this notice will be sent to administrators of other campus computing systems on a need-to-know basis. Information Systems also will forward this notice to the authorities specified above if there is reason to believe a violation of other University policies or law has occurred.

If a revoked privilege is needed by a student to complete classwork, the student must obtain a note signed by the professor in question explaining why the privilege is required, to be sent to the policy enactor. Only the minimum privileges needed for the student's class activities will be restored. Any further abuse by the student in question will lead to the privilege being revoked anyway. Information Systems reserves the right to monitor previous offenders for further abuse.

Any disciplinary action taken by Information Systems may be revoked and/or modified by the Provost of the University or anyone the Provost designates to deal with such matters.

7  Changes to This Policy

Information Systems may, in consultation with the Committee on Information Technology, change or amend this policy from time to time. When changes are made, they will be announced through whatever messaging system is currently in use. As with all matters of law and ethics, ignorance of the rules does not excuse violations.