Examples reflecting the application of guidelines on use of University of Waterloo computing and network resources

This document provides selected examples to assist in the application and interpretation of the Guidelines. While such examples may appear straightforward, there is often a fine balance in interpreting the principles that apply to the situation. One should be cautious about making decisions not supported by policy. In situations where ambiguity exists, the issues should be escalated to the next appropriate supervisory level.

Free inquiry and expression

The following examples describe inappropriate responses to situations based on the guiding principle concerning freedom of expression and academic freedom (especially as it pertains to electronic formats being limited to no greater extent than a printed or oral communication). In all cases, even those in which the material may be deemed offensive, the appropriate University policy should be consulted.

A department Chair orders a faculty member to remove an article that is critical of the University from his personal web page, which is housed on a UWaterloo server.

The student newspaper publishes both electronic and printed versions. An article is published in both that many individuals find offensive. The electronic version is ordered removed from the campus network, but no restriction is placed on the printed version.

Privacy

A system user’s account is normally accessed only with the user’s informed consent. However, circumstances may arise that justify access absent the user’s consent.

An individual no longer at the University has left data on a UWaterloo computer, and another UWaterloo researcher would like to use them. The researcher asks the administrator of the system to transfer the data to his account. The system administrator cannot do so unless consent has been received from the individual who left the data.

A professor suspects plagiarism on the part of a student. The student insists he spent many hours preparing the paper and agrees that the issue can be resolved by asking the system administrator to produce copies of log records kept in the normal course of operation.  The professor and student jointly ask the administrator to provide the information in question.  In the absence of this joint request, formal disciplinary action would be required before it would be appropriate for the system administrator to reveal the information.

The following examples represent not only a violation of an individual’s privacy, but also could result in criminal charges.

A system administrator uses his privileges to read electronic mail stored on someone else’s account without permission.

A user obtains, or tries to obtain, covert or illicit access to another person’s account (e.g., stealing or attempting to crack another person’s password).

The following examples describe circumstances where the actions are quite appropriate and do not constitute a violation of a user’s presumption of privacy.

A group of UWaterloo users share data and working files stored on a department server. Permission to access a particular directory within the shared space does not include one of the members of the group. She asks the system administrator to provide her with access to the directory.

The manager of a system notices that a program run by a user has “run away”, causing the disk to become full, thereby impeding the computing access of others. He terminates the program and deletes some of the newly generated files in order to regain adequate space. He informs the user of his actions and the reasons for them.

Local police are seeking evidence against a user and they serve the University with a valid search warrant. Only that information specified in the warrant is provided to the police and the owner of that information is advised of its disclosure, when appropriate.

Aware that breaches of security represent a significant problem, a system administrator runs a program that looks for filenames in users’ filespaces that are suggestive of an exploit (e.g., viruses, bugs, worms). Files with suspicious names are investigated further to the extent necessary to protect the network.

A student in a public lab makes a formal complaint to the lab administrator that she is receiving harassing e-mails and has a reasonable idea as to their origin. She requests that the administrator investigate immediately, before evidence can be destroyed. The system administrator makes copies of all the potentially relevant files, without looking at them, and then consults with the Associate Dean on how to proceed.

A systems administrator sets storage quotas on e-mail accounts of users in order to manage finite resources. An automatic quota management program is implemented that warns users when they have exceeded their quotas and gives them a reasonable period of grace to reduce their usage below their quota. Following the grace period, the automated process reduces the size of the users’ inboxes by removing all but the headers (i.e., subject and sender) of the largest messages until quota limits are met.

Appropriate use of resources

The following examples represent situations that are commensurate with the guiding principle concerning UWaterloo’s encouragement of “the use of computing and network resources to enhance the working and learning environment of its members”. In each of the examples, the assumption has been made that these activities are not specifically excluded in the definition of access privileges accorded the UWaterloo user.

A user sends electronic mail to friends and/or relatives.

A user designs a small personal web page that is housed on a UWaterloo server.

Circumstances differ in different units on campus. Resource allocators may differ in what is deemed allowable based on guidelines and/or practice within the unit.

Students in one faculty may be encouraged to develop personal web pages (housed on a UWaterloo server) while students in another faculty are restricted from doing so.

A principal investigator may determine that a computer purchased with grant monies may be used only for research purposes, or may choose to allow student research assistants to also use the computer to complete their course assignments in UW-ACE.

Normally, one should not share access to a computer account. This is particularly important for those with special access privileges and/or access to confidential information. However, if such access is provided, the owner of the account must assume supervisory responsibility and may be held accountable for the actions of others. With this understanding, the following example would also be seen to be an appropriate use of resources.

An individual allows a colleague visiting UWaterloo for the day to use his account to log in remotely to his computer.

Inappropriate use of resources

Each of the following examples represents a violation of the guiding principle concerning the responsibility of users to be accountable for their actions and statements. In particular, Policy 33, Ethical Behaviour, states that, “no member of the University community (faculty, staff, student) unduly interfere with the study, work or working environment of other members of the University”.

During a time when many students require workstation access to complete their projects, a student locks a public workstation, then leaves for an extended period of time, thereby making the workstation unavailable to others.

A student monopolizes a public workstation by playing recreational games during a time when other students are waiting to use the workstation for academic purposes.

A user publishes a forged message, making it appear as though the message came from someone else.

A user plays very loud music on a workstation in a public terminal room, disturbing other users.

A user distributes a chain letter or pyramid scheme through the campus network.

A user installs a peer-to-peer file-sharing service to copy and distribute large recreational files. The load on shared-resource links and routers has a severe impact and degrades network usability for the rest of the UWaterloo community.

A system administrator employs tools to probe machines for vulnerabilities. The probes extend beyond that part of the campus network for which the administrator is responsible.

Violations of University policy and/or the law

The following examples are violations of University policy and most are contrary to federal law. When such violations become apparent, they will normally in the first instance be dealt with according to University policies. Further action, as provided by statute, may also be taken. It is incumbent on users to be aware of University policies and relevant legislation.

A UWaterloo user sends death threats to another person via electronic mail.

A student gains access to the University computer where course marks are stored, and surreptitiously makes changes to them.

A user exploits a vulnerability in a computer and thereby renders it unusable by others.

A user distributes copyrighted material to others without the consent of the copyright holder.

A UWaterloo user sells access to his computer account to a local business which wants to use it to gain cheap access to the Internet.

A member of the UWaterloo community uses a personal web page, housed on a UWaterloo server, to advertise and sell personal items or to advertise a personal business.

A website is provided on a UWaterloo server to a group or organization that has not been approved or sponsored by the owner of the server.

Harassment

The following examples may constitute a violation of Policy 33, Ethical Behaviour, especially as it pertains to impeding the ability of others to study or work. Users should exercise discretion when printing, transmitting or displaying material (e.g., pornography, hate propaganda) when such actions might be in violation of Policy 33.

An individual uses e-mail to send repeatedly a very large file to another person. The effect on this person is that it restricts his ability to work on his system.

Mary tells John she does not want to receive any further e-mail communication from him, but John persists in sending messages.

A student in a public lab repeatedly displays images in full view of others in the lab. The student has been informed that some individuals in the lab find the images offensive and he is asked to stop displaying them.  In spite of requests, the student continues to display the images.