Policies on electronic mail - a summary
---------------------------------------

Attached is an edited summary of the responses I received on my recent query. The majority of respondents didn't have a formal mail policy, although there was some unspoken agreement on it. At least one formal mail policy is attached.

Some organisations seem to have come to grips with the problem extremely well - as the following (rough) quote from the Sun Microsystems internal handbook 'Email Survival' illustrates.

'Accessing another person's personal electronic mail or files without their specific permission is considered gross misconduct. The ease with which this might be done in no way justifies this intrusion. Printed copy awaiting pickup from a printer is equally confidential material. Any misconduct of this type may result in the termination of your employment with Sun'.

Thanks to all who helped out. Also, some people requested anonymity so I decided it would be best to strip out all identifying information from the summary. If you would like to discuss something with any particular correspondent, no doubt I can arrange it!

--
Todd Hooper (Postmaster)          Computing Centre
Curtin University of Technology   Internet: hooper_ta@cc.curtin.edu.au
Western Australia                 ACSnet : hooper_ta@cc.cut.oz.au
Phone : +61 9 351 7467 (24 hour messaging system)   Fax +61 9 351 2673

--- Comments from commercial site administrators and users ---

We take e-mail very seriously -- both on our own systems and on those that we administer on behalf of our clients. I view e-mail in the same light as paper mail. Accordingly, we make every effort to ensure timely delivery and privacy.

Our staff are encouraged to use the facility and we make no distinction between business and personal correspondence. We are sufficiently small that abuses of this privilege can be dealt with at a personal level. In the three years that we've had network access, only one user has been troublesome.
In this case, the user was sending inappropriate quantities of data via the e-mail system and that person has been encouraged to seek alternative methods (magnetic media) of data interchange.

So far, I have not found it necessary to formulate written policy on this subject although recent activities that have been reported in the U.S. have prompted me to consider doing so.

---

[1] We're a commercial site, an employee-owned firm.

[2] All email is private to the extent we can make it so under fairly standard System V setups. Directories for spooling are locked, although a dedicated person could probably find a hole somewhere. Privacy is only knowingly compromised when a user needs file repair, and even then the user is warned that someone will probably see the mailfile or spooled message as surgery is performed.

[3] We don't consider net-correspondence or personal routing to be a problem. In fact, we helped an employee figure out a path to his daughter during the summer.

[4] Nobody at our site has precipitated a net flame-war, so the issue of abuse has not come up. Were it to occur I suppose we would give the party in question a reprimand on the first offense, and we would have to handle additional problems on an ad-hoc basis. We try to be flexible; so far we haven't [KNOCK WOOD] had a major test.

--

This is certainly [not] an official educational mail policy, it is merely a note regarding my experience.

Although I realise that you, as a systems administrator, have a duty to maintain security on your site, particularly now with AARNet connectivity, I feel that the reading of someone else's personal mail is a gross injustice. Despite the fact that you probably have every right to read the mail (they have chosen to place them on your machine), it is degrading and leads to animosity between staff and students. As a sysadm myself now, I will never read someone's mail even if I suspect them of breaching security.

---

On mail abuse.
Of all organisational e-mail setups I've come across (not that many, but I think sufficient to make correlation), at least 30% of all intra-organisational email traffic is of a social nature. In one instance, numerous mis/comms managers of a major international bank that I've dealt with confessed, under social/relaxed settings, that they reckon more than 1/2 of all mail in their system were invitations, replies, greetings and felicitations and such like. They were using IBM/Profs and a population of ~7000 users worldwide.

My thought: I don't think there is any feasible active policy; you just have to rely on your employees to be professional about it.

--- Responses from academic site administrators and users ---

As far as we are concerned e-mail and e-news is there to be used, the more students use it the better since they begin to use the computer systems voluntarily.. not just to do their projects. (some of them are even buying e-mail accounts on commercial systems) There aren't any charges or accounting..

---

I've had no problems here in ******. Hopefully, the mail is private. There have been no rules set down for the use of personal mail, and in fact one of the groups I use could only be called personal. The news also is personal I guess, as alt.sex or such could hardly be called work! (something for tea breaks). There is of course lots of official things passing through, and who determines what is personal and what is strictly university work?

---

No official policies at ******. In general, anyone (staff or student) is permitted to use mail to anywhere.

Privacy - people are warned that mail is not secure and confidential information should be sent by other means.

Abuse - the universal threat: misuse of computer systems may result in disabling of accounts (and consequent failure for students because of inability to complete assigned work. We always warn people, and one warning has proven sufficient so far.)
Personal messages - no rules, just the general statement that applies to computing generally "People doing University work have priority for use of terminals, etc". This is sort of enforceable, in the sense that anyone wanting to use a terminal can complain to the person doing private work, and then to the system manager if necessary. We rarely have complaints.

As far as checking for private mail, there are hundreds of messages a day go from here, and I don't have the time or inclination to read it. I don't really see any problems with people sending private messages, after all, universities are supposed to be places of open thinking, etc, etc, etc. (It would be different if it was costing us anything, such as people printing out dozens of invitations on our laser printer!)

---

.......................................There is no point in adopting rules you cannot enforce. In particular there is no way of enforcing rules against the use of email for personal messages unless you want to adopt the distasteful and tediously boring practice of reading all messages.

New computer users are given a statement describing their computer access as a privilege, not a right, and with some guidelines as to proper use. There is always the implication that if they abuse their privileges they can lose them.

If a user starts sending abusive email, you would probably hear a complaint from the recipient and could take action. If users send multi-megabyte email messages you (or your postmaster) will probably see the error messages when they bounce, and again can take appropriate action. In our case appropriate action is usually a warning, followed up by account suspension in the rare cases of repeat offenders.

As for privacy of email, I follow the practice that in principle email should be private, but that in practice they should not assume this.
I post occasional warnings that I as postmaster, and presumably postmasters at other sites, will sometimes see a copy of their mail when an error occurs, sometimes due to no fault of the sender. I also inform users that system administrators technically have access to all files on the system, and may occasionally need to read user files to resolve system problems.

My personal policy is to never divulge the contents of email I happen to see, even when that email contents suggests gross abuse. However I have no such hesitation in divulging information obtained from system log files, which list such information as sender and recipient addresses, message length, etc. Since these log files are publicly readable (even though most users do not even know they exist), I consider them public information.

---

There has been a discussion on TECHREP@BITNIC.BITNET on electronic mail privacy/policy lately. If you are not a TECHREP, I would suggest you subscribe to TECHNEWS@BITNIC.BITNET as it is an open re-distribution of the TECHREP list. Send your subscription request to LISTSERC@BITNIC.BITNET in a mail message with the first line being "SUB TECHREP (or TECHNEWS) "

I enclosed a copy of a message that may be of interest to you that appeared earlier this week.....

=-=-=-=-=-=-=-=-=-=-=-= From SYSTEM NOTEBOOK C0 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>----------------------------Original message----------------------------
>On Tue, 30 Oct 90 15:03:22 GMT said:
>>Could anyone tell me if there is a published statement concerning
>>the privacy or non-privacy rights of electronic mail on Bitnet?
>>
>>We are going to be granting access to all our students, and our
>>attorneys have suggested that we should have a published statement
>>concerning this matter.
>
>We are currently preparing a system/network usage policy document
>to inform our students (and other users) regarding what will be
>considered 'abuse', etc.
>We plan on including these statements:
>
>
>   *** IMPORTANT INFORMATION ***
>
>   Pursuant to the ELECTRONIC AND COMMUNICATIONS PRIVACY ACT of
>   1989, TITLE 18, UNITED STATES CODE, Sections 2510 and following,
>   notice is hereby given that there are no facilities provided by
>   this system for sending or receiving confidential messages. The
>   System Administrator and assigns may read all messages and files
>   of any user.
>
>
>   Computer accounts are paid for by the State of Texas and are for
>   educational purposes ONLY. In general educational use is
>   interpreted loosely. But, use for economic gain or computer or
>   network abuse will not be tolerated. If there is a complaint
>   regarding your usage of networks or UTA computers, UTA Academic
>   Computing Services has the right and will review trace
>   information, backups, and your account contents to determine your
>   complicity. Possession of command files that are solely for the
>   purpose of pestering other persons or having blatantly obscene
>   material in your accounts, are generally considered just cause for
>   administrative action against you. You do NOT have a right to keep
>   these types of materials on UTA computers.
>
>
>We would appreciate any feedback on possible problems with these
>statements.
>
>Thanks,
>Bob Carr
>Manager of Systems Support
>UT Arlington
>

---

I'd be most interested in a summary. The official policy at ***** is that we have to use our computer accounts for "educational pursuits" (or equally legal sounding stuff). A fairly high level of privacy exists, although the university reserves the right to read our email.

---

There are paragraphs alluding to many aspects of the e-mail issue in various Internet RFC documents (I can't cite them by chapter and verse off-hand, but one that comes to mind is the Security Policy Handbook that is in fairly advanced draft right now ...
it is prepared by the Security Policy Handbook Working Group (SPWG) and you can get it by anonymous FTP from cert.sei.cmu.edu (look for an "obvious" subdirectory).

Let me advance the following by way of a rough guess as to what you will find:

(1) Many sites will have no official policies.

(2) Some sites will have official policies prepared to satisfy the legal staff and bean-counters: these policies will sound very nice and complete but in fact be largely impractical to implement.

(3) Some sites will have policies based on experience and knowledge of the technical staff: these policies will point out that e-mail ain't secure unless encrypted and that security is inversely proportional to ease and convenience of use of a system.

I suspect, too, that the top levels of administrations that tend to think in terms of official policies, are also the ones who least understand the technology and what really can and can't be done.

---

I am sysadmin of ********. We have 70+ users. We have no policy in place. Users are free to use email for whatever purpose they like, and they do use it. We use standard Unix mail which means each user's mailbox is private with the exception of root, who can look at anyone's mail.

---

It was interesting that you should raise this on info-nets. So I would like to share with you my thoughts on the subject, having worked and researched in the human factor in global email since 1982.

I think that the coming of AARNet and the tremendous promotion work that Geoff Huston and his group is doing will advance the use of email in Australia. It might not be a good idea at this early stage to insist that email should be used for "official" business, as it will be extremely difficult to define what is official, work, and what is personal and private use. To do so will dampen the learning and usage enthusiasm of the lay people.
I have been a member of a number of overseas conferencing systems, and quite frankly, a lot of the messages have only social values, but they are important all the same, as they are crucial to group dynamics and group affinity.

---

OK, here's the Dartmouth policy plus a disclaimer from the manual for the Dartmouth-developed e-mail application:

DARTMOUTH COLLEGE COMPUTING CODE OF ETHICS

The Computing Code of Ethics was formulated and is endorsed by Dartmouth's Council on Computing, a faculty committee that advises Dartmouth on questions of policy concerning the allocation and use of all computing resources. The council takes an active role in determining the standard computing environment on campus and participates in planning and reviewing projects that will significantly affect computing at Dartmouth. The Council on Computing wholly endorses the Dartmouth Computing Code of Ethics as follows:

Computer use. The Computing Code of Ethics states that every user of Dartmouth College Computing has two fundamental rights: privacy and a fair share of resources. It is unethical for any other user to violate these rights. Violation of the Computing Code of Ethics is considered a violation of the Academic Honor Principle and may subject a student to disciplinary action.

Kiewit Network privacy. Each user number and associated password belongs to an individual, department, or school. No one else should use a user number without explicit permission from the owner. All use should be in accordance with Dartmouth policy on computer use set forth in this document. Owners accept the burden for the responsible use and dissemination of their user number. Programs and files belong to the owner of the user number or catalog containing the programs and files. They are presumed to be private and confidential unless the owner has explicitly made them available to the public.
When necessary for the maintenance of a system or network, Kiewit Computation Center personnel may access others' files. Some programs gather information about the users who run them. If such information could be used to identify the user and the user's use of the program, the user should be warned and given a chance to leave the program before data collection begins. Use of the network and/or electronic mail facilities for transmitting rude, abusive, harassing, or malicious messages is unethical.

Personally owned computer resources. The unauthorized copying of any software that is licensed or protected by copyright is theft and thus unethical. Programs and files that belong to the owner of a personal computer enjoy the same rights of privacy afforded to programs and files resident on the Kiewit Network computers. They are presumed to be private and confidential.

Resources. No one should deliberately attempt to degrade Kiewit system, network, or personal computer performance, nor to deprive other users of the resources of or the authorized access to any Dartmouth- or individually-owned computer. Loopholes in the Kiewit computer system or network or knowledge of a special password should not be used to damage computer systems or networks, to obtain unauthorized resources, or take resources from other users. No Dartmouth-owned computing resource should be used for unauthorized commercial purposes. When necessary for the maintenance of a system or network, Kiewit Computation Center personnel may restrict availability of shared resources.

ELECTRONIC MAIL INFORMATION
(Not Part of the Computing Code of Ethics)

Privacy information. The privacy of electronic mail is somewhere between that of a letter and a postcard. Electronic mail is not entirely confidential. There may be instances where the postmaster may have to gain access to a message to determine if something is wrong with the address, or the message may be delivered inadvertently to the wrong address.

--

I'm the postmaster here for the Department of Computer Science, and thus for a bunch of student systems as well as the staff network. We don't really have an official policy that I know of for electronic mail, but I think some of the unofficial ideas we've been working with may be of interest to you. I'm interested in any other replies you receive, so if you don't get enough to post to the net, could you email me a copy please?

During the period ******* through to *******, network access for students was completely open. They were allowed to send mail anywhere they liked, and FTP from the States, telnet into machines over there and try to break into people's computers :-(. At some point this "feature" was mentioned to the bigwigs here, who immediately determined that undergraduate students should not have AARnet access. The very idea of undergrads being able to send mail overseas was quite unthinkable.

Naturally, the implementation of such a restriction required a bit of thought, because students do need access to utilities like telnet and so on to communicate between machines on campus. Eventually we decided to try not running routed on the machines, thereby making attempts to reach systems outside the physically connected network return the message: Network unreachable. This has been fairly successful, although because our campus network is subnetted, we have needed on occasion to add a special static route into Multigate boxes to talk to Macintosh labs and so on. The one big disadvantage of it is that no-one on the machine can reach off campus, so staff users can't mail overseas from such a crippled machine, for instance.

Apart from trying to follow the commandments of the powers-that-be, we were also pleased to be able to stop students from FTPing vast numbers of raster images from US sites. (Since disk quotas were mistakenly not turned on at the beginning of the semester, I mean VAST numbers).
In any case, although I've never sighted an "official" policy or even an official memo telling us what we should and should not let the students do, I thought you might find what we've been doing interesting, since it is my vague understanding that not many other AARnet member sites are restricting student access (?).

[deleted]

Your message also mentions other issues such as mail abuse, privacy of mail etc. Again we don't seem to have a clearcut official policy although we do have a "Principles of Responsible Use" document which students are expected to pay some attention to. It explicitly says "users should not...attempt to intercept any network communications, such as electronic mail...". It goes on to say "Actions taken by users intentionally to interfere with or alter the integrity of the system are out of bounds. Such actions include ...impersonation of other individuals in communications...". I think that this document is a locally written thing, and isn't circulated to the other larger student site on campus.

As far as privacy of mail goes, I was quite surprised to hear most of our lecturers agreeing that as far as they were concerned, students' mail was an "open book". Some of the first year lecturers in particular are very concerned with plagiarism, and seem to often browse through student mailboxes to try and detect it. I'm pretty sure that they want to treat it as an open book, but have no intention of telling the students that that is the case. As a postmaster, my immediate reaction is that such an attitude is rather unethical.