ix200@sdcc6.UUCP (02/13/87)
For the past three years I have been the liaison between UCSD's Academic Computer Center and the Department of Communication, dealing with undergraduate class accounts. I am also a graduate student in Communication. As part of my graduate independent study work for this quarter I am attempting to write a code of ethics for our use of the ACC's computer systems and our obligation(s) to the students. Or, put another way, a manual of ethics for distributed computer systems management. Not necessarily for public consumption but just as a set of guidelines for our own use. The circumstances that prompted this are detailed below.

The department's use of computers is limited to electronic mail and word processing. My job is to oversee the undergraduate course accounts and faculty course development accounts: setting up login/profile files, maintaining a few programs, answering questions, teaching people how to use mail and edit text. In the past this meant about 25 to 50 accounts per quarter. This quarter, due to the influx of more computer-oriented faculty, the numbers are in the 450 to 500 account range. With the increased numbers comes an increased level of complaints.

In particular two students complained when I placed a "broadcast" (i.e. /etc/motd) message that showed up at login. The message listed my office hours and took up three lines. The students were upset about the invasion of privacy. They previously thought that their files were somehow inviolate. If someone could put broadcast messages in their account it was obvious that the same person or persons could do more, and might. Let's set aside for the moment the fact that their knowledge of the file system and file -rwx- permissions was nil. All they saw was an invasion of privacy.

What I am interested in is how the issue of "access" is handled at other sites, not necessarily just academic computer centers but in the corporate world as well. Is there a codified policy for handling accounts?
Are there implicit norms for the use of (for lack of a better term) higher level accounts (i.e. root)? I'm not talking about going into accounts to snoop through files. Besides the existing social norms and expectations of privacy I can't imagine anything more tedious than trying to find the few gems of insight in the mega-bytes of boring text such a search would entail :-). I am talking about the extent to which the user of a given account is informed about the relative privacy of his/her files.

Any ideas/reflections/anecdotes on this subject will be appreciated. I will maintain confidentiality if requested and document sources where used. If there is a large response or sufficient inquiry I will post the paper I'm supposed to write (or mail it out) at the end of the quarter.

Thank you,
Bruce Jones
bjones@sdcsvax.UCSD.EDU

jeff@spp2.UUCP (02/16/87)
In article <3075@sdcc6.ucsd.EDU> ix200@sdcc6.ucsd.EDU (Bruce Jones) writes:
>
> I am attempting to write a code of ethics
>for our use of the ACC's computer systems and our obligation(s) to
>the students.
>In particular two students complained when I placed a "broadcast"
>(i.e. /etc/motd) message that showed up at login. ...
>The students were upset about the invasion of privacy. They previously
>thought that their files were somehow inviolate. If someone could put
>broadcast messages in their account it was obvious that the same person
>or persons could do more, and might. ... All they saw was an invasion
>of privacy.
>
>What I am interested in is how the issue of "access" is handled at
>other sites, ... I am
>talking about the extent to which the user of a given account is
>informed about the relative privacy of his/her files.

Every time I have been given access to a computer system, there has been a stated purpose for the access, e.g., to perform some task of my employment or to perform some task related to my academic coursework. Any use of the system other than that purpose is improper, whether or not the system owner chooses to police the use or prosecute violations. This has been upheld in several court cases.

For systems operated as a service for sale, e.g., Telenet, the contract specifies ownership of information and privacy conditions and remedies and penalties, e.g., how liable Telenet is should your information be disclosed, i.e., they're not. These contracts have been, generally, upheld, but some limitations have been placed on their liability provisions relating to "reasonable and prudent" practice.

For systems owned by profit-making entities and operated by same for internal use, the system owner is also the owner of the information.
Employees have very restricted rights, either to the information or to privacy, and dismissals for storing personal or illegally obtained information on a company system in violation of stated company policy to the contrary have been upheld. This is analogous to dismissal for having Schedule 1 drugs found in your desk drawer; the company has a right to check your drawers (in your desk, anyway) and to dismiss you for violation of company policy or the law.

Academically owned and operated systems partake of something of both service bureaus and internal systems. There should be a written policy, approved by an appropriate authority and distributed to all users of the system. It should be carefully enforced, with flexibility and understanding and great firmness.

(Gee, I said "should." I guess that means I SHOULD label this paragraph as opinion 8->)

--
Jeff Hull             decvax,hplabs \
13817 Yukon Avenue    ihnp4,sdcrdcf  -> !trwrb!trwspp!spp2!jeff
Hawthorne, CA 90250   ucbvax,vortex /

It was great when it all begaaaaaaan, I was a regular <USENET> faaaaaaan, ...