Acceptable Use Policy Silliness


Like many schools, my college has an Acceptable Use Policy [PDF] (AUP). This seven-page document, which I, as a user, claim to have read and agreed to when I log in to the Wi-Fi every day, is as impenetrable as Telecom documentation. But since I have been agreeing to this text for the past two years and I have two more years where I have little choice but to agree to follow it, I attempted to actually read the document to see what it says.

The first thing that I noticed about this document is that it is nearly impossible to not break. Even if a student isn't looking to get into trouble[1], an angry SysAdmin could bring the hammer down. For example:

College community members must respect the privacy of, or other restrictions placed upon, data or information stored or transmitted across computers and network systems, even when data or information resources are not securely protected.

and this is an example of a violation of this clause:

disseminating in any form, to an entity, data or information obtained from any system regardless of whether or not one is authorized to access said data or information;

While it makes sense to prohibit Steve the Cracker from setting up a laptop in the library with BackTrack on it listening to the packets moving across and pulling out the Facebook passwords of students,[2] the example bugs me. I have access to private data.[3] If I discuss the outcome of running a check with, say, the Arbitration Committee or a fellow CheckUser, I will have violated my school's AUP.

Depending on how broadly one wants to read the term "system", this example could have a chilling effect. Websites are often considered systems or networks in laws. It would break the AUP to download a book in the public domain from Project Gutenberg, print the book out, and mail it to a friend. I would gain information from a system (the servers of Project Gutenberg) and disseminate it to an entity (mail a paper copy to a friend).

Another example that I find troubling is a section on passwords from the same list of examples. It states:

providing your own password, obtaining, sharing, using, or attempting to use passwords or other information that pertain to someone else’s account;

I get prohibiting Steve the Cracker from running L0phtCrack on a laptop and pointing it at the school's or another network.[4] That is common sense. But "providing your own password" is an example of a prohibited action. Every few months I get a reminder that I will be locked out of my account if I do not change my password. It seems that by following the IT Department's prompts to keep my account unlocked, I violate the AUP.

Like almost every agreement having to do with internet access, the AUP bans having a server on the network in this clause:

establishing of any type of network service, e.g. Web servers or music servers, not authorized by the College’s Chief Information Officer [is prohibited]

As Wired points out, the definition of a server or network service is a gray area since many programs and apps act as both a client and a server. Popular and widely used services such as Spotify cannot be used without breaking the AUP.[5]

I hope that the document gets a full review in the near future since it does not seem to stand up to the way that the modern internet works and how modern users use the internet.

Notes

[1] I mean who goes looking for trouble...
[2] This is entirely a hypothetical and should not be attempted under any circumstance.
[3] Via the CheckUser and Oversight flags on the English-language Wikipedia. [Verify] Because my permissions may change in the future, here is the text of the verify link: Guerillero (talk | contribs | block) (checkuser, course online volunteer, oversight, administrator) (Created on 5 November 2009 at 16:07)
[4] Again, please do not do this.
[5] "Spotify uses a peer-to-peer network along with streaming servers to stream music." Spotify FAQ: Why does Spotify use so many internet connections?