Developing a Campus Computing and Information Policy: Issues and Concerns


Copyright 1991 CAUSE From _CAUSE/EFFECT_ Volume 14, Number 4, Winter 
1991. Permission to copy or disseminate all or part of this material is 
granted provided that the copies are not made or distributed for 
commercial advantage, the CAUSE copyright and its dateappear, and notice 
is given that copying is by permission of CAUSE, the association for 
managing and using information resources in higher education. To 
disseminate otherwise, or to republish, requires written permission. For 
further information, contact CAUSE, 4840 Pearl East Circle, Suite 302E, 
Boulder, CO 80301, 303-449-4430, e-mail info@CAUSE.colorado.edu


            DEVELOPING A CAMPUS COMPUTING AND INFORMATION POLICY: 
                           ISSUES AND CONCERNS
                           by Timothy J. Foley

************************************************************************

Timothy J. Foley is Associate Director for Computing and Consulting
Services at Lehigh University. He has been at Lehigh for twelve years,
starting as the Educational Coordinator in the Computing Center. He
holds bachelor's and master's degrees in mathematics, and a doctorate in
educational technology from Lehigh. He has presented numerous papers at
national and international conferences on the problems and issues of
managing campus-wide information systems.

************************************************************************

ABSTRACT: The creation or revision of computing and information policies 
has taken on a renewed emphasis with increased computer literacy on 
college and university campuses, and with connectivity to national and 
international networks now the norm rather than the exception. 
Electronic mail, computer conferencing, and bulletin boards have become 
common. Many campuses allow the posting of information without any 
filtering to both on-campus and off-campus messaging systems. While 
these facilities are useful, they have raised serious concerns relating 
to system information and resource management. This article discusses 
the development of Lehigh University's information policy, addressing 
possible legal liabilities, censorship, resource management, information 
ownership, user responsibilities, and scope and approval of policy.


Many campuses across the country have begun to implement a campus-wide
information system (CWIS) that is used by the majority of the campus
community for such facilities as electronic mail, bulletin boards,
conferencing; to obtain information about various aspects of campus
life; and to access both campus and external services. A discussion
group on BITNET called CWIS-L has been formed for institutions that are
using or thinking about implementing a CWIS.

Most such systems have been designed with the basic premise of
making available to users many types of information traditionally
provided in non-electronic (usually print) form. The responsibility for
the content and accuracy of information has in many cases been
distributed to the end user rather than being handled at a centralized
location. With the proliferation of campus-wide information systems,
questions have arisen concerning moral, ethical, and legal obligations
which in the past have been overlooked or not even considered.

Lehigh University, an independent, coeducational university with an
FTE of 6,647, implemented a CWIS four years ago that is now used by over
95 percent of the campus. As a result of the development of this system,
Lehigh had to develop an information policy to address the growing
campus concerns relating to publicly available electronic information.
This article describes Lehigh's CWIS and relates the computing center's
experiences in developing a computing and information policy.

Lehigh's CWIS

Between 1985 and 1986, Lehigh distributed microcomputers to its
entire faculty and placed hundreds of microcomputers at public campus
sites. Connectivity to campus computer systems was provided through a
digital PBX with over 8,000 data connections. During this time, the
University also decided that one real value of all this connectivity
would be the ability to provide information resources to the entire
community.

Development work on an online information system that was to serve
as a centralized campus communication facility was begun in May of 1986.
The system, which was available by January of 1987, was called LUNA
(Lehigh University Network Applications), and provided the following
services: centralized electronic mail, bulletin board and conferencing
facilities, access to external networks (such as BITNET and the
Internet), online forms processing, access to high-quality print
services, and online survey facilities.

The system has been highly successful, with the number of users
growing from an initial 200 to over 7,000 individuals by July of 
1991.[1] It should be noted that users open their own accounts on the 
information system by running a program, and that this program provides 
the user an electronic agreement to our information policy.

Managing information on the CWIS

The function of information management for LUNA is distributed
throughout the campus to the individuals, groups, or departments
responsible for the information. Information posted on the system for
general access is monitored by the person responsible for the specific
information. This person must have the approval of a faculty member,
department head, or group advisor before posting information. This
method of information management has resulted in the establishment of
over 350 information topics on the system over the last four years. For
example:

  *  The research program development office maintains a bulletin board
of research funding opportunities.

  *  The student affairs office utilizes the online survey facility to
get feedback on the quality of education at Lehigh.

  *  The faculty software committee participates in a conference on
software funding requests.

  *  The computing center maintains electronic libraries of public
domain and site-licensed microcomputer software.

  *  The human resources office maintains a listing of all available
jobs on campus.

  *  The library maintains online forms for interlibrary loans, media
center requests, and bibliographic search and reference questions.

Figure 1 shows some of the more popular topics and the number of
times they were accessed over a one-month period last year. As can be
seen, the most popular topic on campus was items for sale; this topic
continues to have the most general appeal. The second most accessed
topic is file transfer. Its popularity is due, in part, to the large
amount of public domain and site license software available for
downloading. Other items such as interlibrary loans are also heavily
used; more than 100 such loans are processed electronically per week.

[FIGURE NOT AVAILABLE IN ASCII TEXT VERSION]

Initially, very restrictive controls were placed on an individual's
ability to post publicly available information on the system. All
information was at first screened by one of our staff members for
appropriateness for our system. We immediately found ourselves dealing
with challenging messages--for example, one female student's posting of
"I want sex," which actually turned out to have been posted by her ex-
boyfriend. After about six months of use, we relaxed our restrictions to
allow the instant posting of messages to conference and bulletin board
areas.

After a series of instances involving obscene, abusive, and
offensive postings, the computing center realized that our current
computer policies did not fully address many areas of abuse that were
occurring on the information system. One student, for example, posted a
message describing techniques for killing cats under our LITFORUM
conference which was sponsored by an English professor. Lehigh's
president then received a call from a local animal rights group asking
that the message be removed. Another example was the Human Diversity
conference which discussed issues of homosexuality. After some very
abusive comments were posted to the conference, the computing center
received a call from the dean of students inquiring about the faculty
member responsible for the conference.

It wasn't long before another issue surfaced. Once Lehigh decided
to make the information from Usenet (a collection of bulletin boards
available over the Internet) publicly available, the off-campus
materials being posted on its system became an issue. The topics on
Usenet range from discussions on hot sex to cold fusion (two of the most
popular topics in April of 1990). Control of the postings in individual
topic areas was virtually impossible due to the magnitude of the
information received--about 500 megabytes per month. Quotes such as the
following made the computing center more aware of the possible legal
liabilities that the University might face related to information posted
on our computing systems:

"The age of innocence is gone. Running a bulletin board means taking on
certain legal and moral obligations." Jonathan Wallace, a New York based
attorney specializing in technology law[2]

"Running a BBS is becoming a business. And with that maturity is going
to come a lot of potential legal liability." Paul Bernstein, a Chicago
attorney[3]

"One could see the headlines now: University found guilty of providing
X-rated materials to minors." Usenet message posted by a 16-year old
attending Rutgers.

Because of the magnitude of the issues and the large base of system
users, the computing center realized that any policy decision regarding
what was and was not appropriate on the information system should be
based on a faculty, student, and staff recommendation rather than a
parochial decision of the center. Work was then begun on a draft of an
information policy to be presented to our Computing Center Advisory
Committee. In drafting the policy, we considered the areas of legal
liabilities, censorship, information ownership, user responsibilities,
resource management, and scope of policy. The rest of this article
offers a discussion of the many issues in these areas that must be
considered in creating an information policy.

Legal liabilities

Is an institution responsible for publicly available information
placed on its computer systems? Wallace and Morrison state that
information system operators should take "reasonable" steps to discover
and remove any types of illegal material or libelous information that
have been placed on an information system.[4] The following are examples
of illegal materials which may lead to a lawsuit or criminal charges:
(1) pirated software, (2) credit card numbers, (3) "Trojan Horse"
programs, (4) pornographic materials, (5) trade secrets. Knowing that
the actual monitoring of the information on the system would be
unmanageable by one group, the computing center has required each
bulletin or conference coordinator to sign an authorization form in
which they agree to follow the guidelines of our information policy.

The consequences of having illegal or "alleged illegal" material on
your information system can be seen in the March 1, 1990, seizure by the
Secret Service of forty computers and 23,000 diskettes from Steve
Jackson Games, an Austin Texas manufacturer who had a game that was
described as a handbook for computer crime.[5] The Electronic Frontier
Foundation (EFF), which was established by Lotus Development Corporation
founder Mitch Kapor and an associate, John Barlow, is trying to get the
government to fully disclose all the facts of the seizure. The
foundation was established to address the social and legal issues
associated with computer communication and information dissemination.[6]
Kapor pointed out at a recent conference on computing and values that
the major concerns of the foundations were the possibilities of illegal
searches and seizures and not necessarily the protection of hackers
attempting to break into other people's computing systems.[7] The 
emerging electronic frontier as described by Barlow presents many 
questions which people are trying to address using analogies to our 
current paper- and telephone-based communication systems which may not 
be appropriate[8] 

Information policies also need to inform users of their legal 
liabilities. Denning states that our current laws allow a person to be 
convicted of a felony for simply entering a system through an account 
without an authorized password.[9] Many users are unaware of the serious 
nature and possible consequences of their actions and should be made 
aware of both federal and state laws involving computer abuse. An 
information policy should give examples of laws and penalties that can 
be incurred. (Lehigh's policy, which is included at the end of this 
article, provides such a statement.)

Censorship

Does the institution have a right to "censor" information which is
posted on its computing systems? Should standards be set for topics to
be discussed or language to be used in computer communications? The
answers to these questions vary from institution to institution. For
example, Brown University feels that anything sent from the University's
computing system must concur with campus standards on foul and
inappropriate language, while Carnegie Mellon leaves these messages on
their systems along with any discussions they provoke.[10]

Lehigh decided that the answer to both of these questions is yes,
when they apply to any publicly available information. An analogy can be
made to the publisher of a magazine that shapes the content of its
articles based on certain standards. The University has the right to
delete messages and limit the subject matter and type of speech
permissible on its information system.[11] Information posted on our
systems that is publicly available to the entire Lehigh community must
follow the guidelines posted in our information policy.

To attempt to balance the perception of oppression of thought and
expression, the computing center created a private conferencing facility
which was not subject to our information policy. An underground
electronic press has sprung up as a result. Private messages and
conferences are not subject to our information policy unless the
messages infringe on another person's rights or are clearly illegal.
Some examples are: the sending of abusive or obscene mail or the private
conference that gave step-by-step instructions on building an HBO
decoder. In general, the computing center feels that private messages
and conferences are the responsibility of the individuals involved. We
do not monitor private mail or private conferences, but do take action
when informed of abusive mail or illegal activities.

Information ownership

Who owns the information placed on a campus information system? The
perspective on this issue also varies from institution to institution.
Some schools have received legal advice that the files on their
computing systems are the property of the institution and the
institution has legal access to anything on the system.[12] Most
institutions, however, do not treat the privacy of individual files
lightly, and require system administrators to have approval of campus
officials before reading the files on a user's account. My personal
opinion on this is that computing staff should be subject to a certain
code of ethics concerning privacy and confidentiality and should be
required to sign a code of conduct agreement as a condition of their
employment.

At Lehigh, text files, messages, and programs placed on our
information system for public consumption are regarded as the property
of the sender. Users are advised that they must abide by all copyright
laws with regard to programs and text files. For example, the practice
of excerpting magazine or newspaper articles and placing them on an
information system is technically a violation of copyright laws and is
not allowed.

The computing center regards all private messages and files as
belonging to each individual user. The Electronic Communications Privacy
Act of 1986 (ECPA) makes the disclosure of any private messages to a
third party a federal misdemeanor. The Electronic Mail Association last
year issued a white paper recommending that companies adopt a formal
policy regarding the privacy policies of all media communications.[13]
Lehigh's information policy does allow for the monitoring of individual
files when there is a clear threat to system security by an individual,
but not without prior approval by the director of the computing center.
It is important for users to understand that private communications will
not be monitored without extenuating circumstances.

User responsibilities

Not living in Clifford Stoll's golden age, where ethical behavior
is assumed, where technically competent programmers respect the privacy
of others, and where we don't need to put locks on our computers, users
need to be informed of their ethical and legal responsibilities.[14] 
Many new computer users are totally unaware of the consequences and
implications of their actions related to using computers. For example, a
freshman sends an obscene message out over the Internet to users around
the world with a few keystrokes and then claims that he never really
thought about how many people would be reading the message.

Part of the development of any information policy is the mechanism
that needs to be in place to inform users of their responsibilities to
abide by these policies. As stated previously, it is important for users
to be aware of the seriousness of computer abuse and information
regarding the laws associated with computer abuse, and these laws should
be clearly stated in an information policy.

At Lehigh, our computing and information policy statement is agreed
to by the user when he or she first opens an account which accesses our
information system. The policy is also contained in the "Introduction to
the Computing Center" section of the Student Handbook, and on
authorization forms for other campus computers. It is also maintained as
a topic on the information system. Conference and bulletin board
moderators also sign a form agreeing to regularly monitor their topic
areas to make sure that they are in compliance with the computing and
information policy. The computing center also provides the policy
statement and EDUCOM's guidelines for the ethical use of software to
instructors to incorporate into their classes.

Resource management

Policy statements must also cover the issues related to resource
management. Users need to be made aware of inappropriate or unwarranted
uses of systems resources--such as sending unsolicited junk mail or 
chain letters, computer hacking, and excessive printing or creating
unnecessary network traffic--and the consequences of such behavior.

As an information system gains in popularity as a tool for campus-
wide communications, users begin to make special requests for mass
mailings, log-in messages, or even special placement within the
information system. A policy must be developed and the information
system manager must cope with the political aspects of information flow
management--for example, minimizing "junk mail" while maintaining a good
working relationship with campus constituents who feel that the
information they want posted is very important to everyone.

With over 5,000 log-ins per day, the computing center at Lehigh has
tried to follow the policy of only posting log-in messages or sending
mass mailings that are relevant to the user community at large. This
policy does get modified at times, however, depending on who is asking
for the log-in request or mass mailing. For example, requests from the
Provost's or President's office announcing memorial services for
emeritus faculty members are generally posted. In such cases, the
computing center informs the user community of the sender of the message
so that any complaints about "junk mail" can be directed to the
requestor and not to the computing center. Another request that is
frequently made is for placement on the main menu. Our policy on this is
not to include departmental information choices on the the main menu
except for the research department and the library, which were the first
users of the facility and provided the center with useful application
ideas, such as online forms and the overall bulletin board structure.
Requests for special placement have also been reduced by the
implementation of an update facility which tells a user what topics have
changed within any specified time frame.

Another concern we encountered related to resource management was
the traffic created by larger external information systems such as
Usenet. The computing center initially withheld Usenet availability due
to the large amount of traffic and the nature of some of the postings.
The Computing Center Advisory Committee has since recommended that the
center make topic areas available from Usenet that are directly related
to the educational process; other topics can be added, but they must
requested by a faculty or staff member.

Scope and approval of policy

Our experience at Lehigh has brought home the importance of making
sure that campus administration is aware of the possible consequences
and problems associated with running and maintaining an information
system. A decision must also be made as to which computing systems and
networks are to be covered by the information policy, i.e., all systems
on campus or just central facilities. A comprehensive policy which
applies to all computing systems on campus would be ideal, but getting
approval throughout the institution for such a policy can be a major
undertaking. A staff member at the University of Delaware, for example,
has been working on getting approval for Delaware's "Policy for
Responsible Computing Use," which does address all on-campus computing.
This process at Delaware has taken four years and is still waiting final
approval![15]

At Lehigh, the computing center decided to have our policy apply
only to the facilities the center has direct control over; we have not
yet attempted to have it accepted by departmental computing facilities.
As mentioned, the first step in the approval chain was approval by the
Computing Center Advisory Committee (CCAC), a signal to users that the
policy was derived from their representatives rather than just being
arbitrarily implemented by the computing center. Our policy statement
was approved by the CCAC with a recommendation that it be reviewed by
the University's legal representative. The provost, however, felt that
the policy statement only needed the CCAC's approval and that legal
opinions were unnecessary.

It's important to note that not all policies can or should be
included in the written information policy statement. Many other
computing policies are set forth in specific internal procedures and
documents. At Lehigh, topics such as account limits, types of system
bulletins, mass mailing limits, and so forth, are all contained in
documents which have been approved by our advisory committee. These
documents are shown to users when they question how policies have been
determined. Other policy documents also exist for administrative
computing, especially concerning confidentiality of data.

In general, it is probably best to have the broad information
policy approved at the highest level possible, and also to have the
document reviewed by the institution's attorneys to try to minimize any
possible legal liabilities. Contacting the campus risk management
department and internal auditor concerning the content of the
information policy might also be useful.

Computing and information policies are an important element in managing
computing resources on college and university campuses. Having a written
policy to refer to when handling both legal and ethical issues is
essential. A significant side benefit of creating such a policy is that
the thought processes and issues discussed in the process help to
sensitize administrators, faculty, staff, and students to the possible
problems and concerns associated with the computerization of our
campuses.

************************************************************************

Anyone interested in subscribing to the CWIS-L list server should send
an electronic mail message to
listserv@wuvmd.bitnet with the following text: subscribe CWIS-L
firstname lastname.

========================================================================

Footnotes

1  T. Foley, "Managing Campus-wide Information Systems: Issues and
Problems," in Proceedings of ACM SIGUCCS User Services Conference XVI,
1989, pp. 169-174.
2  B. Meeks, "As BBSes Mature, Liability Becomes an Issue," Infoworld,
22 January 1990, pp. 14-15.

3  Ibid.

4  J. Wallace and R. Morrison, Syslaw (New York: LLM Press, 1988), pp.
24-25.

5  S. Mace, "Kapor and Wozniak Establish Electronic Policy Foundation,"
Infoworld, 16 July 1990, p. 6.

6  For more information about the Electronic Frontier Foundation, write
to EFF, One Cambridge Center, Suite 300, Cambridge, MA 02142.

7  M. Kapor and J. Barlow, "Electronic Frontier Foundation Address,"
National Conference on Computing and Values, August 1991. See also
Kapor's article, "Civil Liberties in Cyberspace," Scientific American,
September 1991, pp. 158-164.

8  J. Barlow, "Coming into the Country," Communications of the ACM,
March 1991, p. 19.


9  D. Denning, "The United States vs. Craig Neidorf: a debate on
electronic publishing, constitutional rights and hacking,"
Communications of the ACM, March 1991, p. 24.

10  J. Turner, "Messages on Computer Networks Pose Problems," The
Chronicle of Higher Education, 24 January 1990, p. 16.

11  Wallace and Morrison, pp. i-iii.

12  Turner, p. 16.

13  B. Brown, "EMA urges users to adopt policy on E-mail privacy,"
Network World, 29 October 1990, p. 2.


14  Clifford Stoll, The Cuckoo's Egg: Tracking a Spy Through the Maze of
Computer Espionage (New York: Doubleday, 1989), p. 320.

15  R. Gordon, "Look What They've Done to My Policy, Ma! A Report on the
Development of a Responsible Computing Policy at the University of
Delaware," National Conference on Computing and Values, August 1991.

========================================================================