OIT Acceptable Use Supplement

This supplement gives interpretations and procedures that are specific to OIT systems. It is meant to be used with the Acceptable Use Policy for Computing and Information Technology Resources. and the Guidelines for Interpretation and Administration of the Acceptable Use Policy for Computing and Information Technology Resources.

In addition to this document, specific computers and labs may have their own rules. These should be posted clearly at the facility, or pointers included in the login message. Violations of those rules are considered violations of Acceptable Use, and may be reported using the procedure in this document.

Specific Interpretations

Copyright, file sharing, etc.

The Acceptable Use Policy requires all computer use to comply with the law. This specifically includes copyright law. Some of the most common violations of the AUP involve copyright. These include but are not limited to

• Using commercial software that you have not paid for, or using it in ways not covered in the license (e.g. using a single-user copy for a whole department).
• Making copyrighted material available to others without permission, whether through "Peer to peer" software, web sites, or other technology.

Your rights to commercial software and content such as music or movies are defined by the license agreement included with it, and by copyright law.

• For software, make sure you understand what you have purchased. Is it a single-user license, a site license, or a license for a specific number of people. This should be defined in the license you get with it. You are responsible for keeping copies of licenses and other documents, and tracking how the software is used.
• Music and movies may not be covered by formal contracts. In that case you are normally required to use it only for yourself. Before making content available to others, you are responsible for making sure you have permission to do so.

The Rutgers Library is the authority for copyright issues at Rutgers. They have a copyright web page. It focuses on issues for faculty and staff that are preparing or using content in courses and research. For a quick introduction in this area, you may find the University of Texas Crash Course in Copyright helpful. Stanford's Copyright and Fair Use site has a broader range of material about copyright.

For a discussion of how you are allowed to use copyrighted works ("fair use") that apply more to normal users, see the Electronic Frontier Foundations' Fair Use FAQ

Email-related problems

• It is a violation to send email that a reasonable person would consider harassment, including email to any person that has requested you not to send them email, or repeated email to someone you don't have a pre-existing relationship with.
• All email must contain a valid From: field, identifying an email address to which questions and complaints may be directed.

Special issues apply to email to large numbers of people. This is a potential problem, for both policy and technical reasons. Therefore, it is considered a violation of acceptable use to send substantially the same email message to more than 50 users. Exceptions are:

• For official University mail, as long as you comply with the Guidelines for Use of Email for Official Purposes.
• When the mail uses majordomo, listserv, or another facility that has been specifically engineered to handle mailing lists. These systems will also allow users to join and leave lists themselves, except in the case of a few Rutgers internal lists, where appropriate University officials have established lists that do not permit users to leave.

While this document covers only OIT facilities, there is a specific document on bulk email discussing this issue specifically. It covers all Rutgers facilities. It has rules consistent with those in this section.

Even for email to fewer than 50 users, you must abide by other restrictions. This includes the restriction against commercial use, use in support of non-Rutgers organizations, and the general requirement that all activities must abide by the law. There are now a number of laws covering unsolicted email. See the Guidelines for Use of Email for Official Purposes for more information.

Commercial Use

Commercial use is covered in both the policy and guidelines document. It is being mentioned here simply because commercial use is one of the most common violations of acceptable use. Here are some of the most common examples of things we consider commercial use:

• Using a Rutgers system to host a web page for any business, including your private consulting practice.
• Referring people to a Rutgers email address for commercial use (e.g. in print ads or commercial web pages).

There are often ambiguities about what is permitted. In such cases please feel free to send a query to help, or to consult with the Information Center on your campus.

Interfering with Other Systems

Both the policy and guidelines documents indicate that computer resources may not be used to interfere with other users.

Currently the most common problem is with actions that produce enough network traffic that they bog down the network. Here are some common causes:

• Computers that have been taken over by hackers. Note that
• Web sites or other services whose usage is higher than the network can support.
• Programs that large numbers of transactions quickly, e.g. downloading large numbers of web pages or sending many emails.

Use in support of other organizations

OIT resources should not be used to provide services for organizations that are not part of Rutgers University without permission of a responsible Rutgers official.

This is worth a bit of explanation, because it's often hard to separate your personal use from organizational use. One of the earliest cases involved a Boy Scout troop. One of our staff wanted to host a web page for the troop. Our conclusion was that this is inappropriate. This does not prohibit staff from talking about their activities with the Boy Scouts, expressing opinions about it, etc. But organizations need to purchase their own Internet service for their official web site.

One way to frame the question is whether the primary purpose is describing your personal activities or opinions, or whether it is support for the organization.

Chain letters

Rutgers (and most ISP's) will take action against any chain letter, or any other form a communication that asks each individual to send something to lots of others. Those of you who know math will recognize these as attempts to create exponential growth. If not stopped, that will quickly overwhelm any network or mail system. Thus it doesn't matter to us whether items of value are involved.

Recent Internet chain letters often start out by saying "this is absolutely legal", or "I used to think this was illegal, but I checked with a lawyer and it's not". The USPS and FBI say that this is false. These schemes (and various related ones, including some multilevel marketing scams) are considered to violate Federal laws against both gambling and wire fraud.

Issues with IRC

Many of our complaints from other sites involve users of IRC (Internet Relay Chat). Here are some of the most common:

• Using IRC software (commonly called "proxies") that let users hide their identity or appear to be coming from a different computer than they actually are.
• Using IRC software (commonly called "bots") to harrass or interfere with other users or the IRC system in general.
• Using IRC software to overload a system or otherwise interfere ("nuking", "DOSing").

People often think that nuking is a harmless prank. Unfortunately the software used to do this often operates by overloading the network on the other end. Rutgers has a very fast network. We can easily generate enough network traffic to take another institution or company off the Internet. This has happened several times.

Cooperation with System Administrators

From time to time activities may interfere with operation of the system, even though they may not clearly be prohibited by the Acceptable Use Policy. In such cases, the system administrator or other OIT staff person may contact you and ask you to stop doing something. You are expected to comply with such instructions. Once you have received such a warning, any further activity of the same kind will be treated as a violation of Acceptable Use.

This is intended to allow staff to intervene when immediate action is required to stop a concrete problem, such as overloading a system or network, interfering with other users' normal use of the system, or a security breach. It is not intended to give system administrators arbitrary authority. If you think a staff member has acted inappropriately in asking you to stop something, you may ask for the decision to be reviewed, in accordance with University policies and procedures. However you will be expected to comply with the ruling of the staff while this review is happening.

How to Report Infractions Involving OIT Systems

The majority of reports should be made through normal OIT support channels. This is the Information Center or Help Desk supporting the campus where the violation occurred. In the case of the New Brunswick student hub sites, it would be the supervisor on duty. Where one of the central OIT systems is involved, the report may also be sent via email to "help" at the system involved.

For more serious incidents, you may prefer to contact the OIT abuse handling group, abuse@rutgers.edu, the OIT Director on your campus, or the Director of Information Protection and Security, Lance Jordan, lancejor@rci.rutgers.edu, 732-445-8011.

Note that OIT has no disciplinary authority except over its own staff. OIT staff may issue warnings, and may ask users to stop behavior that is disruptive. OIT may close accounts temporarily, when that is the only reasonable way to stop a serious ongoing problem, or to get a user to contact OIT staff or a dean. But in order to take any actual disciplinary action, OIT operates through normal University procedures. For students OIT works with the appropriate dean; for staff OIT will contact the individual's department or supervisor. (For certain guest users, there may be no unit with disciplinary authority. In such cases, OIT may have no alternative but to close an account permanently when substantial problems occur.)

For certain kinds of incidents, special reporting channels are appropriate. However if you have trouble determining what approach to use, it is always appropriate to consult normal OIT support channels, abuse@rutgers.edu, or the Director of Information Protection and Security. In particular, abuse@rutgers.edu maintains contact with other groups throughout the University, and can forward reports to the appropriate person or group.

• For incidents involving the central administrative systems, reports may be made to the Security Officer, 732-445-4638, or to the Director of Administrative Computing Services, at 732-445-4646.
• For incidents primarily involving the campus network, reports may be made to network-problems@tdmx.rutgers.edu or to the Network Help Desk at 732-445-0327.
• For incidents involving systems not controlled by Computing Services, violations may be reported to the Director or Chairman of the unit managing the system, with a copy of the report to abuse@rutgers.edu or in more serious cases, the Director of Information Protection and Security, Lance Jordan, lancejor@rci.rutgers.edu 732-445-8011.