Newsgroups: comp.admin.policy
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!n8emr!bluemoon!sbrack
From: sbrack@bluemoon.uucp (Steven S. Brack)
Subject: Re: Ohio State University CIS Policies
Message-ID: <soc2314w164w@bluemoon.uucp>
Sender: bbs@bluemoon.uucp (BBS Login)
Organization: Blue Moon BBS ((614) 868-998[0][2][4])
References: <ROMIG.91Jun4110418@brachiosaur.cis.ohio-state.edu>
Date: Tue, 04 Jun 91 17:10:51 EDT

romig@brachiosaur.cis.ohio-state.edu (Steve Romig) writes:

> Carl says:
> >    (I understand that these polices will revised soon.)
> 
> Yes.  The email/news policy in particular, since there are freely
> available email accounts on campus that don't have such policies
> "restricting" email use.

        The fact that MAGNUS (OSU's news & mail machine) seems to have
        little policy "in place."  This allows for ad hoc decisions to
        be made, as users don't know what policy is until they violate
        it.

> >    The policies are better than most. The privacy policy is especially
> >    good. In my opinion, the weakest policy covers email and netnews.
> 
> Thanks.  I don't especially like the email/news policy myself, but as
> one of the sysadmins, I appreciate the reason for its being there if
> nothing else.

        OSU's CIS department has a very well-rounded administrative
        policy on academic computing.  But, the quality of system policy
        varies greatly from department to department at Ohio State.  CIS
        is one of the best.

> >    It says that undergrads are prohibited from posting or emailing off
> >    campus.  This rule is enforced very selectively. To quote an OSU sys
> >    admin: "it's just something that's usable as a weapon against the
> >    occasional real jerk." (I think such selective enforcement is
> >    despicable.)
> 
> Sigh.  The main point of the policies is that we have some written
> down "rules of conduct" to which we can refer when someone starts
> "acting like a jerk".  The main cases I've been involved with have
> revolved around "appropriate use" sorts of things.  People trying to
> crack passwords.  People wasting disk space with a.s.p bitmaps.
> Sexual harrassment with aforementioned bitmaps.  And so on.

        All these cases represent inappropriate use of class-related
        accounts.  What standards should be applied to accounts on
        machines not related to classes?

> Far as I know, the email policy has never come into play.  But yes, in
> general the policies are enforced selectively, in the sense that we
> aren't scanning through the mail logs to see that undergrads aren't
> using email, we don't watch through news postings to see that they
> aren't posting news, heck, we don't even enforce the quotas in a
> consistent basis, unless there's a problem that needs to be dealt
> with.  If a file system fills up or gets nearly full, we get more
> serious about quotas with the people that are over quota.  If someone
> starts displaying xrated bitmaps in a harrassing fashion, we get more
> serious about appropriate use with them.  If someone were to get
> involved in mailing chain letters across the Internet, for instance,
> we'd get more serious about email use with the offender.

        I am acquainted with a Math TA who recieved harrassing e-mail
        from (I believe) the user in question.  She later received
        similar e-mail that was sent anonymously.  She was told nothing 
        could be done about the second incident.

> Selective enforcement isn't ideal, but its a fact of life.  Speeding
> tickets are selective - not all speeders are caught and fined.  Is
> that fair?  No.

        But the police try to catch everybody, where the admins in 
        question selectively enforce the policy.

> >    It is vague, prohibiting "other unsociable [email] acts".
> 
> Intentionally.  It isn't a law, its a policy.  There's a difference.

        There are so many different ways of using/abusing e-mail that
        a specific set of activities can't be prohibited without allowing
        some abuses to slip through.

> >    The fatal flaw in the policies is the lack of any notion of due
> >    process. It looks like a student or a faculty member could be
> >    suspending or expelled from the computer system at the whim of sys
> >    admin without recourse to a formal hearing.
> 
> Well, its a policy, not a law - it describes, even vaguely, the proper
> and appropriate use of our facilities.  It doesn't describe at all how
> violations of that policy are to be handled, which is why it doesn't
> go into due process.
> 
> As far as enforcement goes, the sysadmins here will deal (hopefully
> politely and tactfully) with any policy violations that they come
> across, which typically involves pointing out (in person or by email)
> to the offender that they're "being a jerk" and would they please cut
> it out.  We don't have the authority to suspend or expel users from
> the system.  Anything serious enough to warrant anything like that is
> handled as an academic misconduct sort of thing, through whatever the
> usual channels are (involves faculty, the student, usually the
> chairman, and sometimes the Ombudsperson.  The sysadmins usually
> aren't involved in cases like that, except to provide technical info
> or evidence.  I should point out that far as I know, things have gone
> up to the chairman maybe 3 times (2 breakin incidents and the sexual
> harrassment case) in the last several years.

        That's really the simplest way to approach system administration.
        Let the users know what you expect of them, inform them when they
        do not live up to those expectations, & save more severe
        punishments for those users who willfully continue after being
        warned.



===========================================================================
Steven S. Brack     sbrack@bluemoon.uucp        The Ohio State University
sbrack%bluemoon@nstar.rn.com                        sbrack@isis.cs.du.edu
===========================================================================
