Rules of Abuse

Aidan Low

Paper for MIT 6.805/STS085: Ethics and Law on the Electronic Frontier, Fall 1995
The Internet is one of the fastest growing societies that has arisen in modern times, and like any society it has its own code of rules. However, this new state of "cyberspace" has not one such system of rules, but hundreds or even thousands of such systems. These rules vary immensely, from near-anarchistic code of complete freedom to authoritarian denying all rights. Studying these systems of rules reveals a great deal about the culture of each of these microcosms that collectively make up the Internet, and by examining and comparing these policies, we can better understand this culture.

History

The Internet was originally a smattering of university and military computers linked together in a nationwide "network of networks". Policies at most of these nodes in this continental web were generally fairly open, as the only people who had access to these systems were a small group of people who knew each other well. Passwords were rare, and privacy was not an issue at many of these places, like the early computer systems of MIT in the 1960s. Users trusted each other to act responsibly when using the system, and altercations between users were rare. However, there were extreme sanctions on use of the system, particularly on what could or could not be performed on the computer systems. The machine were extremely expensive, and even a small program could take days to run, so it was difficult to convince those in charge of the machine of the need to run a program, as users like the MIT Tech Railroad Club found in their efforts to use MIT's computers.

Since then, things have changed significantly. The universities that made up the original Internet have grown, and now almost every college and some high schools are connected to the Internet. Computer technology has advanced to the point of making computation time almost free. Instead of filling out proposals for a computer project four weeks in advance, an undergraduate at MIT can now simply go to a public cluster, sit down, and begin working. However, along with the expansion of the Internet and of computers in general has come a dramatic growth in the number of people who use this global network, and the rules governing the use of computer systems must change in response to this change.

A number of changes in policy have occurred in response to these shifts in technology and the growth of the Internet. The first change is a general reduction in computing facilities restrictions. While not all computer systems permit their users to do anything they like, most allow general use of the computer systems for "academic and personal uses" ranging from email to programming assignments to reading Internet newsgroups. This relaxation of rules gives users the freedom to use the computer network in new ways. Beyond being a specialized tool for various applications, the computer has become a social instrument as well, allowing users from different sides of the globe to talk to each other as never before. Another change that has taken place is a tightening of security on computer networks. While before one was likely to know anyone with whom one might share a fileserver, now that thousands of people on campus and millions all over the world are using a computer system together, adjustments have to be made. Passwords were instituted at every university computer system, and rules were made about keeping those passwords safe and not using others' passwords. Rules were passed about harassment, and about modifying the servers, about wasting computing power with chain letters and about not conning gullible freshmen into giving up their passwords. The culture of the Internet has shifted from the trust of a small-town five-and-dime to the impersonal aura of a large supermarket, but has gained the variety and inexpensiveness that are the advantages of supermarkets.

Universal Law

There are a number of policies that show up repeatedly in most policies, commonly accepted ideas about the way computer systems should be governed. The policies that are really ubiquitous are generally the obvious ones that simply make sense from the standpoint of the university providing the service. For example, the policy at Iowa State University reads, "University computer facilities are not to be used for private monetary gain unless specifically authorized for such use". Commercial activity not related to the school was banned on almost every system surveyed. This is logical, as a university has devoted large amounts of resources to its computer system, and allowing someone else to profit commercially from their investment seems unfair. Also, at a number of schools, such as the University of Delaware and Marquette University, commercial interests have access to such accounts for a price, and so using those accounts for commercial purposes would simply rob those schools of any chance to get back some of their investment. Schools must protect their investments, and spending money to establish and maintain networks for the monetary gain of another makes no sense.

Many schools also have rules against needless wastes of their system resources. These wastes can take the form of computation-intensive programs that are "wasteful", such as long-running programs that run in, the background of a machine for days, or many network games. They can also include printing multiple copies of documents, or monopolizing network bandwidth by transferring large files during peak hours, or exploiting holes in network security to damage the network or its computers. Again, this is a fairly logical rule for university systems to have. Regardless of the number of computers or of their power, if a network is being brought to its knees by wasteful use, the system is useless.

Another common theme among university policies, though not quite as logical as the first two, is confusion. Many universities have policies regarding specific acts of using the computer, though when they are fashioned in ignorance, real problems occur. For example, an old policy at Rice forbade "running file commands on large filesystems". Under this ruling, a student looking at her partition of of a large fileserver would be in violation of this rule. At the University of South Florida, the rules forbid running a computer program on the network which "interferes" or "affects the performance of" any other computer on the network. Rules phrased in this way are meaningless, as every computer program running on a network takes a little bit of bandwidth away from every other computer program, and so this rule outlaws all computer use on the network. Here, technical mistakes about the nature of the network are being made, because the authors of the policy do not understand the nature of the system that they are regulating.

However, at the University of Missouri at Rolla, a mistake is made that centers on legal matters. Their policy offers support for several policies based on the statement that "all computer software is protected by the federal copyright law", which is simply false. For example, public domain software, which makes up much of the software available on the Internet and the GNU software, is not protected by federal copyright. Basing policies on such a fundamentally flawed assumption as this can only lead to problems. Another problem occurs when the computer policy of a school conflicts with its general realspace policies. For example, Northwestern's computer policies advise the victims of harassment to speak to their Information Systems' representatives. However, the school policy on sexual harassment makes it quite clear that these people are not qualified to handle such cases, and complaints should instead be directed to the dean. Finally, even at MIT, the policy states that "under no circumstance should you use the email system to get a general announcement out to some large subset of the MIT community", though the email system is routinely used by the school to address large quantities of the school population, such as the entire entering freshman class (~1,400 people) to issue room assignments. Like many cases, the policies drafted for the computer systems here cannot be reconciled with the policies of the school. These problems arise largely because it is unclear who should be crafting these rules of use policies. If they are written by the technical people of the institution, basic problems such as the legality of various speech restrictions, privacy concerns, or conflicts with school policy often creep into the documents. If they are written by administrators and academic policy officers, then they will often make basic mistakes about the nature of the medium they are dealing with, and the more technical mistakes will be made. To create the best rules of use policies, policy officers must work together with computer system administrators to forge a policy that is rational on both the technological and legal fronts.

Ownership

A common misconception among universities is that since the physical network and the actual computers and fileservers belong to them, so then all the data stored on them belongs to them as well. This is an extremely dangerous policy, largely because of its implications on intellectual property. If a student writes a paper on a school computer, does the school then own the paper? If that student then compiles a computer program on that computer, does it then belong to the university? There are a few schools that have policies based on this "We own everything physical, so we own everything stored on it" mentality. For example, Boston University "reserves the rights to: limit or restrict any account holder's usage, inspect, copy, remove or otherwise alter any data, file, or system resources". This policy allows the school to do anything they want with a user's account and the information in their account. At Central Michigan University, the school "owns everything stored in its facilities unless it has agreed otherwise". This policy has very dangerous implications for intellectual property, as previously discussed. Similar policies exist at Rice University and other schools. This policy is clearly the most dangerous that a school can have, because with the freedom to do everything, a school has the power to violate any of the three critical rights of the online community.

A far more logical policy is to regard the computer accounts of a university as the dorm rooms of students or office space of faculty, belonging to the university but yet the private space of the individuals who live there. Though the room itself may belong to MIT, the administrators must still obtain a search warrant to gain access to it. Likewise, the accounts of students, even on school networks, should be the private spaces of those students, and entitled to all the privacy rights that go along with that. Such a policy is far more appropriate for the world of cyberspace than a policy under which authority owns everything from the account you "live" in, to the communications you send to friends, to the work you do in that house. Schools must realize that ownership of the physical medium is not ownership of the electronic data that passes through it. Just as the phone network does not own the conversations that course through its veins, university networks do not own the information stored on them.

The First Principle: Privacy

One of the most important issues in a rules of use policy is the privacy of its users. The data stored in the systems of the Internet is the property of cyberspace, and it must be protected for the citizens of this new world. At most universities, computer files are protected with the same rights as normal property on that campus, and computer accounts are treated as other "private" space on campuses, such as offices or dorm rooms. The issue of privacy for computer information is more important than for purely physical goods, as the ease of copying data makes invasions of privacy synonymous with theft. In the real world, someone looking at an invention you're building in your backyard still needs to break into your house and steal it, while in the electronic world the art of looking at your invention is synonymous with possessing it. In addition, the very nature of a computerized world makes interception of messages or data virtually untraceable. While in the real world, a wiretap might be accompanied by strange clicks on the phone lines or perhaps some device attached to the side of a house, intercepting email doesn't require any such traces. Since all email flows from one machine to another in a giant chain of connections and hand-offs, it only takes a lapse in security at one point to allow access to mass quantities of information easily and untraceably. Because of both the importance of computerized data in the world of the Internet and because of the dangers of unwanted access to that information, the protection of privacy in computer systems is critical.

Many universities regard this privacy as incredibly important, and make it a priority to provide protection for all their users, though they balance this with the needs of administering the system. At Ohio State University, the policy links the rights of privacy of online files to property rights in the real world. It is recognized that computer files are a new form of property separable from the media with which they are recorded, and that close analogies can be found between the uses of computer files and of various other forms of physical property. The Department shall use these analogies in making decisions about the appropriate use of computer files and the protection of their privacy, extending as nearly as possible exactly the same protection to computer files as is traditionally extended to the analogous physical property.... Similarly, the computers and computer files of students, staff, and faculty members, being electronic extensions of their personal work areas, may not be inspected, copied, changed, or otherwise tampered with without the permission of the owner, except for purposes relevant to the administration of the computer system. Most systems have a similar clause to this policy's final check on privacy. The issue is a complicated one, as clearly to maintain the system, users' files must sometimes be accessed, but it is unclear when this should happen. At UCLA and other schools, the policy makes it clear that user accounts will only be accessed when truly critical to save the system. At other schools, like Rensselaer or UCLA, the policy makes it clear that the users' data is private unless you're under investigation for an alleged violation of the system policy. Policies of this sort are very dangerous, as it is often not clear what constitutes an "investigation", and who can authorize such searches. In case like this it is important to declare clearly who can issue these "warrants", as Northwestern does. In their policy, it is clearly stated that "user files may be examined under the direction of the Director or Associate Director of ACNS, the Director of UMS, the Director of UCC, or the Vice President of Information Systems and Technology". By specifying clearly the persons able to deliver this analog to a search warrant, the privacy of the system is better defined, and so stronger against violations. Privacy is cyberspace is analogous to the right to own property in realspace, and the assurance of privacy is an electronic version of the Magna Carta that assured the right of the English common man to own property.

The Second Principle: Freedom of Expression

Another right that is critical in the online world is the freedom of expression. Granted by the First Amendment, this right is critical to both true freedom and to academic pursuits. Yet many schools do not recognize the extension of the First Amendment into the electronic world. Indeed, many rules of use policies restrict speech in a variety of ways.

For example, at Boston University, users are prohibited from "transmitting or making accessible offensive, annoying or harassing material" over the network. North Dakota State University has a similar policy forbidding "offensive material." Vague policies like this have traditionally been used by authorities to control speech almost at whim. Anything could be interpreted as "offensive" by someone, and so almost all speech is outlawed by this policy. However, since not all speech will be prosecuted, users never know if a communication will be allowed or not. This policy basically gives carte blanche to any authority figure who disagrees with something a student has written, which is completely unacceptable. No campus speech policy as vague as this would ever be tolerated. Again, this is an example of a computer use policy being drafted that contradicts school policy, most likely because it wasn't drafted by policy officers.

Another restriction on speech is the concept of required accountability. The digital nature of the computer world makes it very difficult to track the author of a file if that person is reasonably careful to cover their tracks. To counter this and be able to hold users responsible for what they post, many schools have decided on policies of accountability, under which users must clearly mark their documents and correspondence to make it easy to track them back to their authors. Princeton's policy allows students to "publish [their] opinions, but they must be clearly and accurately identified as coming from [them]". Rice University outlaws the modification of messages to mask the identity of their users. While requiring students to attach their names to messages may seem like a perfectly reasonable request, there are situations in which anonymity is clearly called for. The Internet, more than any other technological development, has brought together a vast world of people and allowed them to talk to each other. Many of the topics of discussion that then arise are clearly sensitive topics, for which a lack of anonymity would have a "chilling effect". While lists like alt.abuse.recovery are clearly of benefit to the citizens of the online community, a poster might not want to post if their name was attached to it. For example, a student might not want to work towards recovery from being raped as a child if he knew that everyone in his dorm might find out about this trauma. Similar arguments hold for many other lists of a sensitive nature, whether they be discussions of sex, religion, or other Alcoholics Anonymous-type groups. It is clear that accountability, while perhaps useful in the prosecution of cases of harassment or other criminal activities, can be detrimental to discourse in general. Likewise, censorship is a barrier to meaningful dialog, as it not only banish statements outright, but it also creates a "chilling effect", discouraging writers from raising unpopular views. Clearly, as centers of higher learning, universities must not adopt a policy that restricts free speech.

The Third Principle: Due Process

The third of the most important topics in a rules of use policy is due process. Like free speech, this is a right protected by the Constitution that often does not survive the transition into the world of cyberspace. Like all societies, the Internet has its own law enforcement, in the form of the system administrators of each university. Their first duty is keeping the system up and running, but they are also responsible for disciplining users who violate the system rules. However, it is important that in the line of administering this discipline they follow the proper procedure.

The most common penalty for violating rules is the suspension of the account, followed by whatever penalty is judged appropriate. However, the suspension is most often conducted before the investigation of the allegation has even begun. This is clearly a violation of due process, as this gives system administrators the ability to exile people from the system without any sort of review whatsoever. The Joint Statement on Rights and Freedoms of Students documents the proper way for universities to construct their policies, and has this to say about such academic suspensions: Pending action on the charges, the status of a student should not be altered, or his right to be present on the campus and to attend classes suspended, except for reasons relating to his physical or emotional safety and well being, or for reasons relating to the safety and well-being of students, faculty, or university property. Suspending a student from the university computer system before their guilt has been ascertained is clearly in violation of this advisory document. By allowing system administrators this power, they gain "more authority than professors have", according to Carl Kadie, the managing editor of the Computers and Academic Freedom Archive for the Electronic Frontier Foundation. Kadie, in his review of the University of Hawaii, comments that while computers may be a privilege that the school can grant or withdraw, due process is not, and the school must still grant its students the right to "a fair trial" or its academic equivalent.

Some schools have very clearly defined the correct procedure for such an investigation, and make it clear that the students have the right to the proper treatment. UCLA, for example, makes it quite plain that an investigation cannot begin without clear evidence that a user is guilty of an offense, and even after their account is subsequently suspended, they may petition to have it reinstated. A number of steps for the gathering of evidence and the process of referral of the case through the layers of the disciplinary system of UCLA is also well defined here. At Northwestern, the policy makes it clear that user files can be examined and investigations into user accounts begun, but such investigations require the authorization of the Director of the computer system or another clearly defined person. This specification of exactly who can and cannot make these decisions creates an established procedure for the prosecution of offenses against the school. Due process is an essential right in cyberspace that allows users to know what they can and cannot expect from the systems in which they exist, and is essential for an online society that fosters freedom and openness.

State, Dollar, and God

There are three main kinds of universities in this country: public, private, and religious, and they all have Internet connections and different styles of handling their computing systems. The primary difference between the first two types is that public colleges must adhere to the First Amendment, while private colleges can decide what sort of speech they choose to allow on their systems. However, this difference is often theoretical, for though public schools must follow the Constitution if the case ever comes to court, the authors of the policies are often ignorant of the actual law, so the rules of use policies often appear quite similar . Kadie comments on this, saying: Even though public universities must eventually defer to the 1st Amendment, they often don't realize that when creating policy because policies are often created by computer people not academic-policy experts. For example, at North Dakota State University, "no obscene or offensive material shall be entered into the computer or sent through any electronic system". The Constitution protects simply offensive material, so this policy would be struck down if it were ever truly tested in court. However, at private institutions, the school has the right (if it so chooses) to say, "We choose not to have X, Y, and Z on our system because we don't like them." The policy at Lehigh, for example, forbids "pornography... [and] that which is abusive, profane, or sexually offensive to the average person". This, while against the First Amendment, is completely legal, because the amendment applies only to public bodies. The clear distinction between public and private universities in their policies is that private schools have the right to censor as they choose, while public universities must grant their users the full freedom of speech as granted by the Constitution.

At the other extreme, religious schools often censor materials on their systems extensively. Many of these schools have very strict notions of what is and is not appropriate, and they treat their systems appropriately. Since the schools each adhere to the moral standard of their particular church, their policies often reflect that. For example, at Brigham Young University, the policy forbids users to "engage in any other activity that does not comply with the 'Honor Code' or with the principles of the Church of Jesus Christ of Latter-Day Saints... e.g., view, store, or transfer pornography, etc." A policy such as this might seem extremely restrictive in the context of a normal school, but in a structure such as this, these rules are typical of normal campus life as well. Similarly, users of the network at Marquette U. are expected to conform to university codes of conduct. As private institutions, they are completely within their rights to decide what should and should not be done on their servers. And though it may be detrimental to learning in general, they are also within their rights in censoring speech on their system. In general, religious schools restrict their users from speech and information that is considered not in keeping with the religious principles of the school, but this is normal as it is true of that school's realspace policies as well.

The U.S. and Abroad

All of the universities discussed so far in this paper have been in the United States, but schools all around the world have Internet access and their own rules of use policies. These policies vary from being more liberal than U.S. policies to being far more restrictive, generally varying as the culture of the particular location. For example, in the traditionally conservative United Kingdom, the network that carries the Internet newsgroups bans many of the more controversial topics of discussion. At Turkey's Middle East Technical University, the policy forbids the use of the network for political or religious activism, and also states that violators will be removed from the system without notice. This total disregard for due process and severe restrictions on free speech are sadly not unique to foreign networks, for Iowa State also bans political messages. However, neither England nor Turkey can compare to the policy of the University of Toronto at Scarborough, which holds a policy that Kadie hails as "perhaps the worst computer policy that I have ever read." The school states that there is no privacy on the system, and if any "unacademic" files are found in search sweeps (apparently conducted at will by administrators) they will be deleted immediately. Violators of the policy are immediately expelled from the network, and "if your account is revoked, you will have to find alternative ways to complete your courses." This policy is completely at odds with the three main points of a good computer use policy. It yields (literally) no privacy whatsoever to its users, controls speech by forbidding files "which may be deemed offensive by any one person, or one group", and completely avoids any sort of due process. Policies such as this must be overturned in order to allow the citizens of cyberspace the rights and freedoms that they are entitled to.

There are, however, foreign networks without such draconian policies such as this, some with policies better than most U.S. schools. The Swinburne University of Technology in Australia, a generally more liberal country, protects user e-mail by treating it exactly as private communications by telephone. It clearly states that administrators are not permitted to access user files, and that any violators of the policy will be refers to a specific disciplinary review board. Similarly, the University of Helsinki in Finland staets that "privacy shall be honored". It also details the process of notification and review that will occur in the case of violations by users. Like Swinburne, this policy is good because it clearly defines the restrictions on and rights of users of their system. By stating clearly the methods of discipline and protections of speech and privacy, both of these policies uphold the three critical tenets of a good computer policy.

Big Business and Wisdom

The Internet does have other non-military member systems beyond universities, and those are the networks of the commercial providers such as Prodigy and America On-Line. Like universities, they also have rules of use policies, which are quite similar in many respects. These services, like most universities, allow you to store files online and to communicate via "chat rooms" or private email. However, there is a significant difference between university policies and those of commercial providers which centers on the cultural differences between universities and general society. College systems are generally used by college-age students communicating with each other, and most college students will not threaten to sue universities if they find that their roommate has been looking at sexually explicit pictures online, nor will most students refuse to attend a school because there are discussion groups that use foul language there. However, this is completely the opposite in the commercial provider's world. These businesses must be extremely careful to provide an environment in which their customers will not feel too constrained but in which they will still feel secure and protected from content they don't wish to receive.

In light of this, it seems like most commercial providers have leaned towards emphasizing the latter priority over the former, and have enacted policies of extreme censorship in what is "appropriate" on their network. The Prodigy chat rooms are supervised by administrators who will expel users who use "bad language", and the system policy states that any offensive content online may be changed or eliminated at the discretion of Prodigy, though it does not appear that this applies to private email. America On-Line's policy is just as restrictive, forbidding the "[transmission] of any unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, hateful, racially, ethnically or otherwise objectionable Content". This ridiculously broad policy could be applied to any material whatsoever that is sent over America On-Line, and is a tremendous bar to free speech. This policy is legal, but clearly not reasonable for a company analogous to the phone company, which has never purported to control the content of private communications. Commercial providers maintain this extreme form of censorship in order to maintain a clean nose in the public eye, since a media "scandal" about Prodigy allowing "perverts" to discuss sex in chat rooms might be enough to swing thousands of anxious parents into moving to Compuserve.

Commercial providers also are services which reserve the right to terminate service at any time for any reasons, and so again due process is circumvented. Any of the system administrators of America On-Line have the ability to expel any user they feel to be violating the policies of America On-Line without any kind of review or even prior notice. Since these providers have contracted with users the right to enforce policy in this fashion, this is completely legal, but ethically a poor policy. Commercial providers want to be able to control their services completely, and being able to expel "troublemakers" at will gives them an incredible advantage in doing that. These businesses generally have policies similar to the more restrictive universities, though their censorship policies are more strict and they have less regard for due process.

The Future

Where will rules of use policies be in effect in the future? At present, not all universities provide free speech, privacy protection, and adequate due process for all users, but this will change. As the Internet becomes more and more of a part of everyday life, the overly constrictive policies will be tested again and again, and those without firm support will fall. In time, policies of universities will ensure these three principles of computer rights for citizens of their particular domain of cyberspace. Even commercial providers will in time come to withdraw their current censorship policies, as it is inappropriate for a content carrier to be a content mediator. Likewise, foreign networks will follow a similar transition as they, too, are used more and more. As cyberspace becomes integrated into normal life, policies which would not be tolerated in realspace will be expunged from computer systems, and eventually there may be an electronic bill of rights as well. However, until that day comes, users must continue to press their universities to provide clearly defined rights for their users, and must fight against unjust policies that do exist. The rights of online citizens are just as important as the rights of persons in the real world, and they too must be fought for.

Bibliography: