CAUSE/EFFECT

Copyright 1998 CAUSE. From CAUSE/EFFECT Volume 20, Number 4, Winter 1997-98, pp. 58-62. Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the CAUSE copyright and its date appear, and notice is given that copying is by permission of CAUSE, the association for managing and using information resources in higher education. To disseminate otherwise, or to republish, requires written permission. For further information, contact Jim Roche at CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301 USA; 303-939-0308; e-mail: [email protected]


Revising Acceptable Use Policy to Account for Cultural Developments on the Net

by Rob Reilly

Given the changes in user demographics, there is a rapidly growing need to better understand the culture that is developing on computer networks. Today's acceptable use policies (AUPs) should be based upon a balancing of logistical and operational issues with the cultural needs of the user. Those who craft computer-use policy should move away from the model of a "network as a superhighway" and toward a model of a "network as a commonly shared resource."

Background and foreground

Originally, the Internet was a smattering of military and university computer systems connected to create a nationwide network. Policies were well understood, but often vague and even unwritten. Users trusted each other. Passwords and privacy were rare. The network that existed then was largely populated by a like-minded group of computer specialists and scientists with strong computer backgrounds.

In the intervening years there have been significant changes in the Internet. Now practically every college is connected to the Internet. With this has come a dramatic growth in the number of people who use this global network. No longer is the Internet a community of like-minded computer specialists and other scientists. However, the rules, customs, and metaphors governing the use of university computer systems have not changed. But they should change in response to the evolving nature of the network user and the network1 itself, as the Internet is becoming a community of users rather than primarily an information resource.

Those who craft an acceptable use policy (AUP) for online computer systems should adjust their paradigm for formulating policy. The current paradigm seems to view the network as a mechanical entity -- as an Information Superhighway. Metaphorically referring to computer networks as a superhighway may not be the best model for behavior. Actually, behavior seen on a superhighway is not ideal behavior, even for a superhighway. The new paradigm should reflect the social and communal needs of the computer network as a shared resource.2

The society that inhabits the Internet and local area networks, like any emerging society, needs to establish and understand its own set of rules. Presently, however, cyberspace has, not one set of rules and customs, but thousands. These rules and customs vary from "near-anarchistic code[s] of complete freedom to authoritarian [codes which deny virtually] ... all rights."3 AUPs generally lack content that would cause them to be social contracts -- to deal with cultural issues. Beyond its mechanical orientation, the AUP should set philosophical guideposts for the community of users in the way the U.S. Constitution establishes a social contract with all citizens -- in the way the student and faculty handbooks establish a social contract for the campus community. A culture is developing on the Net, and the AUP must become the campus social contract relating to computing.

One social contract by which we live in our real world community is the U.S. Constitution. While many members of the U.S. community may not be able to elucidate Constitutional principles, they are aware of them. U.S. citizens understand concepts of the Constitution, and tend to live by them. These Constitutional concepts are not meant primarily as rules for law enforcement officials, but as foundational principles upon which our entire U.S. community is based. So, too, should an AUP provide philosophical and ethical guideposts for the developing community of users on the Internet and on university computers.

To accomplish this, AUPs should not only address the mechanical/operational concerns of computer networks (e.g., change your password frequently; do not share your password with anyone; do not run wasteful, computation-intensive programs), but should also address communal and individual interests (e.g., respect the privacy of all users, promote ethical responsibility, protect freedom of speech and the right of access, specify principles for use of shared resources, establish procedures for implementing and protecting due process).

Tragedy of the unmanaged common

Since the barrier between the natural and computer sciences is often high and opaque, it is best to first discuss the "tragedy of the commons" as Hardin4 outlined the concept. This will be followed by a discussion of the possible implications of the tragedy for online computer systems, and the crafting of an AUP as a social contract.

In 1968, biologist Garrett Hardin brought to science's attention a little-known work by the nineteenth century amateur mathematician William Forster Lloyd on population growth and control. Lloyd examined the fate of a common pasture shared among rational, utility-maximizing herdsmen.5

Shepherds grazed their sheep on the individual parcels of land they owned. But there was another pasture, a large public stretch of land held in reserve, owned in common by the villagers and known, logically enough, as the common. Then, some shepherds became greedy. They began guiding their sheep to the common each day, preferring to wear out the public pasture because they thought it cost them nothing and saved their own small patches. Soon, others did the same. It wasn't long before the common was turned into a muddy wasteland -- useless to anyone. And as the shepherds watched their individual pastures fall to overgrazing, they realized that their village had been sacked by its own people. They'd stolen their shared livelihood, economic security, cultural center, and much of their village's beauty from themselves and their children.6

Once a resource is being utilized at a rate near its carrying capacity, additional use will degrade its value. Users will then enter into a cycle of escalating demands on the resource to gain advantage or try to break even.

The inexorable working out of the resource's ruin is Hardin's tragedy of the village common. In human affairs, this problem has never been more evident than it is today. Its effects are pollution, global warming, ozone depletion, overfishing, extinction of species, abuse of aquifers, and destruction of the rain forests -- and in the not too distant future, perhaps computer resources will be added to this list.7

But what relevance does this have for acceptable use policy?

Relating this to the creation of an AUP is relatively easy because at the heart of these models/research projects is the problem of the free-rider or the overgrazer, and the issue of regulating use of a shared resource -- in our case, that resource is the computing resources. Currently there is, among other things, a lack of wisdom (applied knowledge/intelligence) about the Internet, about cyberspace, about handling legal issues, about handling cultural issues.

As Ostrom notes, the challenge becomes how a group can "organize and govern themselves to obtain collective benefits in situations where the temptation to free-ride and/or to break commitments is substantial."8 Ostrom studied a "wide range of communities that had a long history of successfully producing and maintaining collective goods. She also studied a number of communities that had failed partially or completely in meeting this challenge."9 In comparing the communities, Ostrom found that groups that are able to organize and govern themselves are marked by the following design principles:

Applying Ostrom's observations along with a foundational understanding of the legal principles of privacy, search and seizure, and due process seems to provide a powerful model upon which the crafting of a public higher education institution's AUP can be based. The new paradigm for AUPs should include issues that are found in a social contract, in addition, of course, to those issues that are traditional policy components.

The AUP as a social contract -- A transformational approach

The social contract reflects the agreement between the people and the government on how much power the people consent for the government to have and exert. The social contract between the people and the government exists so long as the government uses its powers within the due process of law and the people agree to the outcome of the due process. With the due process of law as a vehicle for maintaining the social contract, the government uses its power without compromising certain natural and inalienable rights of the individuals in a way unspecified by the Constitution, our social contract.

The AUP should be crafted to emulate other social contracts that regulate aspects of environmental sharing (e.g., the U.S. Constitution, a faculty handbook, and a student handbook). Those who craft the AUP should certainly consider the logistical needs inherent in maintaining a secure and continually functional computer network. In addition, they should also realize that a computer network is much more than a thing or a place where hackers and pornographers roam freely,11 or where the primary focus is the survivability and functionality of the system. They should view the network as a community of people who congregate to seek or exchange information, knowledge, and wisdom.

For many people, the Internet has been like a worldwide, multimillion-member think-tank, available twenty-four hours a day to answer any question, from the trivial to the scholarly. This magical knowledge-multiplying quality comes from the ongoing cooperative effort of many thousands of people, who freely contribute their expertise in response to questions. That precious power of a large group of people to act as a collective think-tank for each other is vulnerable to human folly. A relatively small number of malefactors hold the power to mess up a good thing for a far larger number of cooperative citizens.12

The acceptable use policy should be a vehicle by which to develop and manage an "electronic common" that will preserve the power of cooperation and foster the growth of knowledge and wisdom without infringing on individual freedom.

Considerations in the "charge" to an AUP committee

The following points should serve as the basis for the charge to an AUP committee.

(1) Lacking legal clarity on a number of network-related issues, a university needs to establish policy to clarify the "ground rules" for the entire community of users.

Sergent notes that because computer networks are so new, there has not been time for any conventions to evolve.13 Thus, it is important to define the ground rules for the users of computers and the computer network. Here is a suggested foundational philosophy statement by which to craft an AUP:

Our network of computers and Internet access are finite resources that are intended to facilitate and support our mission as an institution of higher education. Overuse of these resources, or use not conforming to our mission or the missions of the various campus departments, is inappropriate.

As far as actual enforcement is concerned, this statement is vague and overly broad, and thus, would not be a campus policy that could be violated. However,it is a foundational statement for use of computing resources in the same way that "life, liberty, and the pursuit of happiness" is a foundational statement in our society.

(2) The university should first define what a computer user's expectations of privacy should be. In determining the scope and limits of a person's privacy, it is important to consider the rights and responsibilities of a person as a citizen of a free country.14 It is equally important to view an individual's right to privacy as it relates to the community (computer network's culture) of which that person is a member.15

The privacy statement should be very clear and unambiguous. It should inform the users what they can expect in the way of privacy as members of the network community. Establishing the basic notions of what/where public spaces and private spaces are in regard to online computer systems is critical in order to build a foundation upon which resolution of other issues will be based (e.g., invasion of privacy, disputes concerning search-and-seizure issues, monitoring of accounts).

It is important for a university to establish its position that a computer account is not necessarily a private and secluded place. Establishing private places will create a situation where users have a reasonable expectation that those private places will not be invaded (or monitored, searched, etc.). If the situation is such that the computer users have an expectation of privacy in their accounts, then any rummaging about or intermeddling with that privacy is likely to be considered a search within the meaning of the Fourth Amendment.16

A university should establish the belief (policy) that computer accounts and disk space are not immune from observation by appropriate university employees conducting tasks related to the rendition of service to the computer system and its users. In a hotel room, for example, the level of privacy is far lower than in a private home because of the need for daily maid service.

(3) The university administration has been established to ensure that everyone's rights and responsibilities are properly addressed and protected. The stakeholders in the creation of policy should be constantly reasserting, in their minds, that crafting policy is a positive activity and should benefit and protect all the users, the administration, and the computer system itself.

(4) The notion should be established throughout the AUP that "personal property rights" as we know them in the outside world do not necessarily apply to a university computer system.

(5) If rules and regulations are set for computer lab/cluster usage, and even computer network use in general, they should ensure that :

Currently, AUPs tend to direct their attention exclusively to the mechanical and logistical happenings on the computer network -- they are analogous to a car owner's manual. The AUP should now move beyond the car owner's manual model and become more a social contract. AUP developers should view the computer network as a place where communities of users will develop a culture and where cultural issues will arise.

The AUP committee should, as much as possible, attempt to create statements that:

The Internet is a growing and evolving community. A culture is developing. The paradigm for AUP creation or revision should change to reflect the view that the Net is a shared community resource. The AUP committee should become familiar with the concept of managing a shared resource.


Sidebar:

An AUP Resource

Many institutions have acceptable use policies and have shared them with CAUSE. If you're trying to craft or revise yours, check the CAUSE Web site at http://www.educause.edu/asp/doclib/subject_docs.asp?Term_ID=110 to see how others have established their policies. We also welcome additional contributions.


Endnotes:

1 Bruce Sterling, The Hacker Crackdown (New York: Bantam Books, 1995), 247.

Back to the text

 2 Robert A. Reilly, "Redefining the Model of the Network: A Superhighway to a Town Common Model" (paper presented to the Massachusetts Educational Computer Conference, Northern Essex Community College, Lowell, Mass. 11 June, 1997).

Back to the text

3 Aidan Low, "Right to Privacy in the Age of Telecommunication," (http://www.swiss.ai.mit.edu/6805/student-papers/fall95-papers/low-rules.html)

Back to the text

4 Garret Hardin, "The Tragedy of the Commons," Science 162 (1968): 1243-1248.

Back to the text

5 Roy M. Turner, "The Tragedy of the Commons and Distributed AI Systems," (paper presented at the 12th International Workshop on Distributed Artificial Intelligence, University of New Hampshire, Durham, N.H., January, 1991). Available at http://cdps.umcs.maine.edu/Papers/1993/TofCommons/TR.html

Back to the text

6 Garret Hardin.

Back to the text

7 Readers should not seize upon the fact that resources cited (e.g., Ogallala Aquifer) are far less replenishable compared to computing tools and networks, which apparently can be renewed. Readers should focus on the inherent application of this model in managing a community of users involved with the use of a shared resource.

Back to the text

8 Elinor Ostrom., Governing the Commons: The Evolution of Institutions for Collective Action, (London: Cambridge University Press, 1990): 27.

Back to the text

9 Peter Kollock and Marc Smith, "ManagingVirtual Communities: Cooperation and Conflict in Computer Communities, Computer-Mediated Communication: Linguistic, Social, and Cross-Cultural Perspectives, Susan Herring, ed. (Amsterdam: John Benjamins, 1991): 109-128. Available at http://www.sscnet.ucla.edu/soc/faculty/kollock/papers/vcommons.htm

Back to the text

10 Peter Kollock and Marc Smith.

Back to the text

11 Howard Reingold, "Federal Judges Defend Free Speech on the Internet" (posted to the Virtual Communities Conference on the WELL [Whole Earth 'Lectronic Link], San Francisco, Calif., 15 June 1996).

Back to the text

12Howard Reingold, "The Tragedy of the Electronic Commons" (posted to the Virtual Communities Conference on the WELL [Whole Earth 'Lectronic Link], San Francisco, Calif., 1996)

Back to the text

13 Randolph Sergent, "Note: A Fourth Amendment Model for Computer Networks and Data Privacy", 81 Va. Law Review 1181, 1199 n.98 (May 1995).

Back to the text

14 Barber v. Time, Inc., 159 S.W.2d 291 (1942), 348 Mo. 1199.

Back to the text

15 McGovern v. Van Riper, 54 A.2d 469 (1947), 140 N.J. Eq. 341.

Back to the text

16 State of Maine v. Barclay, 398 A.2d 794, 796 (1979); State v. Richards, 269 A.2d 129, 134 (1970).

Back to the text

17 Dr. Carl Kadie (personal e-mail 28 January 1997).

Back to the text


Robert A. Reilly ([email protected]) is a Post Doctoral Research Associate in the Office of Information Technologies at the University of Massachusetts, Amherst, and a member of the UMass system-wide information technology policy committee.

 ...to the table of contents




[Comments] [Search] [Home]