PURDUE UNIVERSITY ENGINEERING COMPUTER NETWORK POLICY ON ACCESS AND USAGE

Last revision: August, 1992

1. Introduction

The Purdue University Schools of Engineering operate and develop the Engineering Computer Network (ECN) to support their instructional and research missions. The ECN computing systems include Digital Equipment and Gould UNIX timesharing systems, over 500 Sun Microsystems UNIX workstations, over 400 Apple Macintosh personal computers, and several systems from other vendors. Peripheral equipment includes over 1,200 terminals, over 100 laser printers, over 30 high-speed line printers, several plotters and other special output devices, numerous telecommunications modems, and other special-purpose peripherals. These systems are interconnected via over 40 local-area networks within the Schools of Engineering, which are in turn connected to form the Engineering Computer Network. Network connections are also maintained to the rest of the Purdue University campus including the Purdue University Computer Center, as well as to off-campus networks such as USENET, the National Science Foundation network (NSFNET), and the Internet.

The policy presented here applies to all computer systems of the ECN, regardless of their operating system or manufacturer.

As used in this policy statement, the term ``user'' refers to any person consuming resources on ECN facilities. The term ``ECN'' refers to computing and associated facilities specifically assigned by the Schools of Engineering to ``ECN staff'' for operations and maintenance. The term ``ECN staff'' includes a group of full-time professional staff and part-time student employees who work in the areas of basic software system support, hardware maintenance, operations, and user support.

2. Advisories

The ECN makes available to faculty, staff, students and others, computing facilities consisting of hardware, software and documentation. The use and operation of these facilities is subject to the following advisories.

2.1 Every effort is made by the ECN staff to prevent loss of data in the event of hardware or software failure or through human error. This is done by making daily backup copies of data stored on the ECN to magnetic tape or other media. It must be recognized, however, that in rare cases it may not be possible to restore the latest version of every data file from these backups, and some data loss may occur. Because these cases are outside of the ECN staff's control, the staff cannot be held liable for any loss of data arising directly or indirectly from the failure of hardware, software, or from human error.

2.2 Because the goals of the ECN are primarily educational in nature, computer systems are generally open to perusal and investigation by users, and security controls may be less restrictive than they would be in other environments. Although an appropriate effort is made to maintain system security, unauthorized access to information is possible through malicious mischief. The ECN staff cannot guarantee against loss of privacy, theft of information, damage, or loss of data arising directly or indirectly from the absence or failure of system security protection mechanisms.

2.3 Most of the software used on the ECN is purchased from third-party vendors, usually without source code. This limits the ECN staff's ability to repair bugs in this software, or to modify the software. In many cases, several software packages of similar purpose are provided to attempt to serve a broader range of needs. However, the ECN can make no warranty, express or implied, regarding the computing services offered or their fitness for any particular purpose.

3. Access to ECN Facilities

When applying for access to ECN facilities, a valid University identification card must be presented. Students may also be required to present a current class schedule.

3.1 The facilities of the ECN are made available to the faculty, staff, and students of the Schools of Engineering, generally without charge. Facilities may also be made available to student organizations and faculty and staff of other Schools by special arrangement.

3.2 Only properly authorized persons may access ECN facilities; proper authorization is provided by ECN staff members or their designates in the form of an account issued in the name of the authorized person.

3.3 A user may not permit any other person, including other authorized users, to access ECN facilities through his or her account.

3.4 Those persons who have been issued keys, access cards, or combinations to obtain access to ECN facilities may not use these items to allow other persons to access the facilities. Keys, access cards, and combinations may not be lent or given to others.

4. User Rights and Responsibilities

A user of the Engineering Computer Network has the following rights and responsibilities.

4.1 To enable the ECN staff to accurately maintain information about the user of each account, each user is responsible for supplying current information to the appropriate ECN staff member (usually the departmental Site Specialist) including school or department affiliation, degree program (undergraduate or graduate), expected graduation or termination date, and University position (faculty, staff, graduate staff, or student).

4.2 Providing false or misleading information for the purpose of obtaining access to ECN facilities is a violation of University policy.

4.3 Each user is responsible for any and all activity initiated in or on ECN facilities by his or her account.

4.4 Users are responsible for selecting a secure password for their account and for keeping that password secret at all times. Passwords should not be written down, stored on-line, or given to others. Passwords should never be given out to someone claiming to be an ECN staff member; authorized ECN staff members have full-access privileges and do not need to know individual users' passwords.

4.5 Users are responsible for protecting their own files and data from reading and/or writing by other users, using whatever protection mechanisms are provided by the operating system in use. Users are responsible for picking up their printer output in a timely fashion to avoid theft or disposal.

4.6 Users are responsible for reporting any system security violation, or suspected system security violation, to the ECN staff immediately.

4.7 Most ECN facilities are made available on an unmonitored basis. It is the responsibility of every user to act in such a manner as to not cause damage to the physical equipment. Accidental damage, or damage caused by other parties, should be reported to the ECN staff as soon as possible so that corrective action can be taken.

4.8 Users who borrow hardware, software, or documentation from ECN lending collections are responsible for its proper care and for returning it in a timely fashion.

4.9 Users are responsible for obeying all official notices posted in terminal rooms, attached to ECN equipment, and displayed in the log-on message of the day.

4.10 Users who are affiliated with the Schools of Engineering may not be denied access to ECN facilities by someone who is not using the facilities for instructional, research, or administrative purposes or who is not a faculty, staff, or student member of the Schools of Engineering. A user affiliated with the Schools of Engineering may ask the offending person to relinquish the resource, or may ask an ECN staff member to intervene on his or her behalf.

4.11 Users have the right not to be harassed while using ECN facilities, whether it be physical, verbal, electronic, or any other form of abuse. Harassment should be reported to the ECN staff.

4.12 Above all, users of the ECN facilities are responsible at all times for using them in a manner that is ethical, legal, and not to the detriment of others.

5. ECN Staff Rights and Responsibilities

The ECN staff generally may do whatever is necessary to carry out its responsibility to maintain effective operation of the ECN facilities.

5.1 The ECN staff has the responsibility to make every reasonable effort to maintain the privacy of a user's files, electronic mail, and printer listings.

5.1.1 Student files as kept on ECN facilities are considered ``educational records'' as covered by the Family Educational Rights and Privacy Act of 1974 (Title 20, Section 1232(g) of the United States Code, also referred to as the Buckley Amendment). However, this does not preclude disclosure of these files to University officials with a legitimate educational interest. Whenever appropriate and possible, the ECN staff will seek prior approval from the student before any such disclosures are made.

5.2 In the normal course of examining and repairing system problems, and when investigating instances of improper use of ECN facilities, the ECN staff may need to examine users' files, electronic mail, and printer listings. The ECN staff has the right to do this, subject to item 5.1 above.

5.3 Investigations that discover improper use may cause the ECN staff to: limit the access of those found using facilities or services improperly; disclose information found during the investigation to University or law enforcement authorities; initiate disciplinary actions as prescribed by University policies and procedures. The ECN staff has the right to do this, subject to item 5.1 above.

5.4 In order to protect against hardware and software failures, backups of all data stored on ECN systems are made on a regular basis. The ECN staff has the right to examine the contents of these backups to gather sufficient information to diagnose and correct problems with system software, or to investigate instances of improper use of ECN facilities, subject to item 5.1 above.

5.5 With reasonable cause for suspicion, the ECN staff has the right to monitor any and all aspects of a system, to determine if a user is acting in violation of the policies set forth in this document, subject to item 5.1 above.

5.6 The ECN staff may alter the priority or terminate the execution of any process that is consuming excessive system resources or objectionably degrading system response, with or without prior notification.

5.7 The ECN staff may remove or compress disk files that are not related to Schools of Engineering missions or which are consuming large amounts of disk space, with or without prior notification.

5.8 The ECN staff may terminate login sessions that have been idle (unused) for long periods of time, in order to free resources. This applies particularly to limited resources such as dial-in connections. The definition of a ``long period'' of time may vary from system to system, depending on resource availability.

5.9 The ECN staff has the responsibility to provide advance notice of system shutdowns for maintenance, upgrades, or changes so that users may plan around periods of system unavailability. However, in the event of an emergency, the ECN staff may shut down a system with little or no advance notification. Every effort will be made to give users a chance to save their work before the system is taken out of service.

5.10 ECN staff members have the responsibility to report any violations of University policy, state law, or federal law pertaining to the use of University computer facilities to the appropriate authorities whenever such violations come to their attention.

5.11 The ECN staff may refuse or restrict access to any person who has violated the policies set forth in this document, or who has violated the policies of other computer facilities belonging to the University.

6. Proper Use

The ECN facilities are provided for use by faculty, staff, and students to support the missions of the Schools of Engineering. All faculty, staff, and students using ECN facilities are responsible for using these facilities in an effective, ethical, and lawful manner.

6.1 Many resources, such as disk space, CPU cycles, printer queues, batch queues, login sessions, and software licenses, are shared by all users. No user may monopolize these resources.

6.1.1 Users should consume as little disk space as practical, making use of available means for compressing files and archiving unused files off-line.

6.1.2 Users should not load the system in such a way that others cannot perform useful work. Only a single instance of large, resource-intensive programs should be executed at one time.

6.1.3 Long printer jobs (such as theses) should not be printed during periods of peak printer demand.

6.1.4 Many software packages have a limited number of licenses, requiring users to share the licenses. The number of licenses available for each software package is documented in the ECN Software List, ECN Document No. 61, available from ECN Site Specialists. Users should relinquish licensed software when no longer using the license.

6.1.5 The resources of workstations located in public labs should be respected; jobs may not be run that would interfere with the use of that workstation by the person sitting at the keyboard.

6.2 ECN facilities are provided for academic use (instruction and research) and some administrative uses.

6.2.1 The license agreements for some pieces of software may specifically restrict the software to instructional use. This restriction, when applicable, is documented in the ECN Software List, ECN Document No. 61, available from ECN Site Specialists. This document, or if necessary the ECN staff, should be consulted beforehand when planning the use of ECN-supplied third-party software for research or administrative tasks in lieu of purchasing research or administrative licenses for this software.

6.2.2 ECN facilities may not be used for any activity that is commercial in nature without first obtaining written approval to do so from the Manager of the Engineering Computer Network. Commercial activities include consulting, typing services, developing software for sale, and in general any activity which is paid for by non-University funds.

6.3 The ECN staff recognizes the academic value of research on computer security and the investigation of self-replicating code. However, the use and development of this type of software, if not properly supervised, can inadvertently affect the operation and integrity of ECN systems.

6.3.1 Users may not intentionally develop or use programs which harass other users of the system.

6.3.2 Users may not intentionally develop or use programs which attempt to bypass system security mechanisms, steal passwords or data, or ``crack'' passwords.

6.3.3 Users may not intentionally develop or use programs that, by design, attempt to consume all of an available system resource (memory, swap space, disk space, network bandwidth, etc.).

6.3.4 Users may not intentionally develop or use programs designed to replicate themselves or attach themselves to other programs, commonly called worms or viruses.

6.3.5 Users may not intentionally develop or use programs designed to evade software licensing or copying restrictions.

Users who believe that they have a legitimate reason to use or develop programs in the above categories must give prior notice to the ECN staff. Special arrangements can be made to provide an adequate environment for conducting the research without risking damage to or impairment of other systems.

6.4 Files owned by individual users are to be considered private property, whether or not they are accessible by other users.

6.4.1 Just as an unlocked door or window does not implicitly grant permission to strangers to enter your house, the ability to read another user's files does not implicitly grant permission to read those files.

6.4.2 Under no circumstances may a user alter a file that does not belong to him or her without prior permission of the file's owner. The ability to alter another user's files does not implicitly grant permission to alter those files.

6.5 Because this is an educational environment, computer systems are generally open to perusal and investigation by users. This access must not be abused either by attempting to harm the systems, or by stealing copyrighted or licensed software.

6.5.1 System-level files (not owned by individuals) may be used and viewed for educational purposes if their access permissions so allow.

6.5.2 Most system-level files are part of copyrighted or licensed software, and may not be copied, in whole or in part, except as needed as part of an educational exercise.

6.5.3 The same standards of intellectual and academic honesty and plagiarism apply to software as to other forms of published work.

6.5.4 Making copies of software having a restricted-use license is theft. So is figuring out how to ``beat'' the license.

6.5.5 Deliberate alteration of system files is vandalism or malicious destruction of University property.

6.6 Game playing, and the development of computer games, is permitted on ECN systems (subject to departmental policies). However, these activities must be limited to times when demand for system resources is low. Work in pursuit of the goals of the Schools of Engineering has priority over game playing and development.

6.7 Harassing or defamatory material may not be sent via electronic mail or posted to electronic bulletin boards and news groups.

6.8 ECN facilities and network connections may not be used for the purposes of making unauthorized connections to, breaking into, or adversely affecting the performance of other systems on the network, whether these systems are University-owned or not. The ability to connect to other systems via the network does not imply the right to make use of or even connect to these systems unless properly authorized by the owners of those systems.

6.9 Other organizations operating computing and network facilities that are reachable via the ECN may have their own policies governing the use of those resources. When accessing remote resources from ECN facilities, users are responsible for obeying both the policies set forth in this document and the policies of the other organizations. In particular, use of the NSFNET backbone to access remote resources is governed by the NSFNET Backbone Services Acceptable Use Policy, reprinted in this pamphlet. Most NSFNET regional networks have acceptable use policies similar to those of the NSFNET backbone.

7. Software Copyrights and Licenses

The software used on ECN facilities is operated under license agreements with AT&T, Sun Microsystems, Apple Computer, and others.

7.1 United States copyright and patent laws protect the interests of authors, inventors, and software developers in their products. Software license agreements serve to increase compliance with copyright and patent laws. It is against federal law and ECN policy to violate the copyrights or patents on computer software. It is against ECN policy and may be a violation of state or federal law to violate software license agreements.

7.2 The ECN's UNIX source code license binds each and every user to respect the proprietary nature of the UNIX operating system and its source code. The specifics of the operating system may not be taught, nor may the system or any part thereof (including source code) be moved to, or copies released to any non-licensed site.

7.3 Software in use on ECN facilities, unless it is stored in areas specifically marked as containing copyable software, may not be copied to magnetic tape, hard or floppy disks, or otherwise removed from ECN facilities. These specifically marked areas will be identified through means such as the ECN Newsletter, and will contain a special file called README describing the software and the terms for making copies. Backup copies of licensed software are maintained by the ECN staff; users may not make copies of licensed software.

7.4 Source code for licensed software may not be included in software that is released for use outside the ECN.

8. Enforcement

The disposition of situations involving a violation of the policies set forth in this document and the penalties that may be imposed for these violations are as described below.

8.1 Minor infractions of this policy, when likely accidental in nature, such as poorly chosen passwords, overloading systems, excessive disk space consumption, and so on are typically handled internally to ECN in an informal manner by electronic mail or in-person discussions. More serious infractions are handled via formal procedures:

8.1.1 Infractions such as sharing accounts or passwords, harassment, or repeated minor infractions as described above may result in the temporary or permanent loss or modification of ECN access privileges, and notification of a student's academic advisor.

8.1.2 More serious infractions, such as unauthorized use, attempts to steal passwords or data, attempts to steal licensed software, violations of University policies, or repeated violations as described in section 8.1.1 may result in the temporary or permanent loss of ECN access privileges. In all cases, the offender's associated School or department will be notified of the infraction. If the offender is a student at the University, the case will also be referred to the Dean of Students office for appropriate action.

8.1.3 Offenses which are in violation of local, state or federal laws usually result in immediate loss of all ECN computing privileges, and will be reported to the appropriate University and law enforcement authorities.

8.2 Penalties may be imposed under University regulations, Indiana law, or the laws of the United States.

8.2.1 Section B-2 of the Purdue University Regulations Governing Student Conduct, Disciplinary Proceedings, and Appeals, as passed by the Board of Trustees of Purdue University, states, in part:

2. Misconduct Subject to Disciplinary Penalties. The following actions constitute misconduct for which students may be subject to administrative action or disciplinary penalties.

a. Dishonesty in connection with any University activity. Cheating, plagiarism, or knowingly furnishing false information to the University are examples of dishonesty.

.....

d. Physical abuse of any person or conduct which threatens or endangers the health or safety of any other person, whether or not such conduct occurs on University property.

e. Theft or attempted theft of, or the unauthorized use or possession of, or the unauthorized exertion of control over, or causing damage to property of any kind belonging to the University, a member of the University community, a campus visitor, or a person or agency participating in a University activity.

f. Unauthorized entry or access to, or unauthorized use or occupancy of, any University property including without limitation lands, buildings, structures, telecommunications, computer or data processing equipment, programs, systems, or software, or other facilities or services.

.....

i. Lewd, indecent, or obscene conduct or expression on University property or in connection with a University activity.

.....

l. Any conduct which substantially threatens or interferes with the maintenance of appropriate order and discipline in the operation of the University, or any conduct on University property or in connection with a University activity which invades the rights of others.

``Administrative action'' means the issuance of an oral or written warning, admonition, reprimand, and/or use of counseling procedures. ``Disciplinary penalty'' means expulsion, suspension, probated suspension, disciplinary probation, and other educationally sound sanctions.

8.2.2 Title 35, Article 43 of the Indiana Code contains the following:

35-43-1-4(b) Computer tampering ..... A person who knowingly or intentionally alters or damages a computer program or data, which comprises part of a computer system or computer network without the consent of the owner of the computer system or computer network commits computer tampering, a Class D felony.

35-43-2-3(b) Computer trespass ..... A person who knowingly or intentionally accesses:
(1) a computer system;
(2) a computer network; or
(3) any part of a computer system or computer network;
without the consent of the owner of the computer system or computer network, or the consent of the owner's licensee, commits computer trespass, a Class A misdemeanor.

In the State of Indiana, a Class D felony is punishable by a term of one-half to three years in prison and a fine of not more than $10,000. A Class A misdemeanor is punishable by a maximum of one year in prison and a fine of not more than $5,000.

8.2.3 Title 18, Section 1029 of the United States Code imposes penalties of fines and up to ten years in prison for:

(a) Whoever-

(1) knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;

(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or more during that period;

(3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;

.....

(e) As used in this section-

(1) the term ``access device'' means any card, plate, code, account number, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, .....

(2) the term ``counterfeit access device'' means any access device that is counterfeit, fictitious, altered, or forged, .....

(3) the term ``unauthorized access device'' means any access device that is lost, stolen, expired, revoked, canceled, or obtained with intent to defraud;

8.2.4 Title 18, Section 1030 of the United States Code imposes penalties of fines and up to ten years in prison for:

(a) Whoever-

.....

(3) intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government's operation of such computer;

(4) knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer;

(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby-
(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; or
(B) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if-
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;

.....

the term ``Federal interest computer'' means a computer-
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or
(B) which is one of two or more computers used in committing the offense, not all of which are located in the same state;

8.2.5 Title 18, Section 2701 of the United States Code imposes penalties of a fine of not more than $250,000 or imprisonment for not more than one year, or both, for anyone who:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system .....

As defined in Title 18, Section 2510 of the United States Code, ``electronic communication'' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, .....

8.2.6 Title 18, Section 2511 of the United States Code imposes penalties of a fine or imprisonment for not more than five years, or both, for any person who:

(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; .....

Other regulations and laws may be applied as well, depending on the nature of the offense.

Approved: ______________________
William R. Simmons, Manager
Engineering Computer Network

I agree to abide by all elements of the Purdue University Engineering Computer Network Policy on Access and Usage. I understand that upon violation of this policy, the Engineering Computer Network retains the right to deny access privileges, and that if warranted, further disciplinary action may be taken by the University, including prosecution under applicable state and federal laws.

Signature: _________ Date: ____________
Printed Name: _________ ID Number:____________

The NSFNET Backbone Services Acceptable Use Policy is reprinted here for the convenience of ECN users. This policy is not a part of the ECN Policy on Access and Usage, but must be abided by when using ECN resources to access the NSFNET.

THE NSFNET BACKBONE SERVICES ACCEPTABLE USE POLICY

GENERAL PRINCIPLE:

(1) NSFNET Backbone services are provided to support open research and education in and among US research and instructional institutions, plus research arms of for-profit firms when engaged in open scholarly communication and research. Use for other purposes is not acceptable.

SPECIFICALLY ACCEPTABLE USES:

(2) Communication with foreign researchers and educators in connection with research or instruction, as long as any network that the foreign user employs for such communication provides reciprocal access to US researchers and educators.

(3) Communication and exchange for professional development, to maintain currency, or to debate issues in a field or subfield of knowledge.

(4) Use for disciplinary-society, university-association, government-advisory, or standards activities related to the user's research and instructional activities.

(5) Use in applying for or administering grants or contracts for research or instruction, but not for other fundraising or public relations activities.

(6) Any other administrative communications or activities in direct support of research and instruction.

(7) Announcements of new products or services for use in research or instruction, but not advertising of any kind.

(8) Any traffic originating from a network of another member agency of the Federal Networking Council if the traffic meets the acceptable use policy of that agency.

(9) Communication incidental to otherwise acceptable use, except for illegal or specifically unacceptable use.

UNACCEPTABLE USES:

(10) Use for for-profit activities (consulting for pay, sales or administration of campus stores, sale of tickets to sports events, and so on), or use by for-profit institutions unless covered by the General Principle or as a specifically acceptable use.

(11) Extensive use for private or personal business.

This statement applies to use of the NSFNET Backbone only. NSF expects that connecting networks will formulate their own use policies. The NSF Division of Networking and Communications Research and Infrastructure will resolve any questions about this Policy or its interpretation.