Frequently Asked Questions About the
Policy on Responsible Use of College Computing Resources
Why doesn't the policy prohibit
all personal use of College computing resources? Why doesn't the policy permit
unrestricted personal use of College computing resources?The general guiding principle behind the policy is that "cyberspace is not a separate legal jurisdiction"; that existing, generally applicable laws, rules, and policies therefore already apply equally to the use of College computing resources; and that new rules and policies are therefore necessary only in those rare instances when the use of College computing resources implicates unique new issues. In accordance with that principle, the provisions concerning personal use of College computing resources are intended to mirror existing policies and practices concerning personal use of other College resources. Thus, the policy provides that College-provided computing resources, like College-provided telephones, photocopiers, stationery, office supplies, tools, and so forth, are provided for "College-related purposes".
Use of such resources for personal commercial purposes or for personal financial or other gain is clearly improper and, under some circumstances, may be illegal. Recognizing, however, the difficulty of drawing a bright line between other types of personal uses and "College-related" uses, the minimal costs typically associated with occasional personal use, the typically inordinate costs associated with attempting to enforce a flat prohibition, and the benefits that may accrue to the College from increased experience and familiarity of its users with available computing resources, the policy also provides that "incidental" personal use of College computing resources is, in general, permitted- just as it typically is with other types of College resources. "Incidental" uses of College computing resources are defined as uses that do not consume a significant amount of those resources, do not interfere with the performance of the user's job or other College responsibilities, are not made for personal commercial purposes or for personal financial or other gain, and are otherwise in compliance with applicable laws, rules, policies, contracts, and licenses.
Also recognizing, however, that circumstances vary among the different administrative units of the College, the personal use provisions of the policy are set forth simply as a "default" rule. The policy expressly provides that further limits may be imposed upon personal use in accordance with normal supervisory procedures. Thus, individual administrative units of the College may, if they deem it appropriate, impose additional use restrictions on, or prohibit all personal use of, the College-provided computing resources under their control.
Does the restriction on use of College computing resources for personal commercial purposes or personal financial or other gain prohibit faculty from using such resources in connection with their consulting work?Use of College computing resources in connection with such consulting is not considered "personal" in the sense intended by the Policy on Responsible Use of College Computing Resources and is therefore not within the scope of the prohibition.
The use of College resources in connection with consulting work, and the consulting work itself, must be approved, in advance, by the relevant department chair and dean, and arrangements must be made to compensate the College if the use of its resources will be significant. Use of College computing resources in connection with consulting that has
not been approved in accordance with this procedure is prohibited.
In short, the use of College computing resources in connection with consulting work is subject to the same requirements and limitations as is the use of any other College resources in connection with consulting work.
Why must monitoring be authorized? The purpose of the advance authorization provision of the policy is to make clear that authority to engage in investigatory monitoring of College computing resources is not implied or inherent in any job position, to ensure consistency in the development and application of the standards for monitoring, and to enable the College to monitor the effectiveness of the policy itself.
Does the restriction on individualized monitoring prohibit a supervisor or co-worker from accessing an employee's computer files for work-related purposes?The policy's provisions on monitoring govern only the monitoring and investigation of actual or suspected misconduct or misuse of College computing resources, not the ordinary, everyday functioning of an office. Thus, for example, to the extent that a PC or network server serves as the functional equivalent of a desk drawer or file cabinet, supervisors and co-workers continue to have the same access to it for normal, noninvestigatory, work-related purposes; for example, to retrieve a file or document needed while the employee who maintains the file or document is away from the office- as they always have. Obtaining such access is not considered "monitoring" for purposes of the policy and does not require advance authorization.
If, however, a supervisor or co-worker discovers evidence of possible misconduct or misuse while accessing College computing resources under the control of another for normal, noninvestigatory, work-related purposes, further monitoring or investigation of those computing resources for purposes of dealing with the suspected misconduct or misuse
does require the advance authorization, unless the monitoring is required by law or is necessary to respond to perceived emergency situations. Evidence discovered in the course of normal, noninvestigatory, work-related activity may be used as a basis for seeking such authorization.
Does the policy prohibit "spam"? The problem of "spam" is an extraordinarily complicated one. Few people would agree on a definition of exactly what constitutes "spam"; technical restrictions against it are therefore necessarily imprecise, as well as easily evaded; and the College's legal ability to deal with that indefinable and technically insoluble problem is further complicated by the College's status as a public institution subject to the restrictions of the First Amendment. For all of these reasons, the policy does not prohibit "spam"
per se.
The policy does, however, prohibit the use of College computing resources for personal commercial purposes or for personal financial or other gain, and it also prohibits uses that consume an unreasonable quantity of those resources or that unreasonably interfere with the activity of other users. Most of what most people consider to be "spam" falls within either or both of these categories and thus
is prohibited by the policy. In addition, "spammers" who refuse to honor a recipient's request to be removed from the "spammers'" mailing lists are engaged in what the College considers to be harassment. Under any of these circumstances, the College may attempt to block further incoming messages from persons outside the College who engage in such activities and may restrict or terminate the computing privileges of persons inside the College who engage in such activities. In addition, the Office of Information Technology can assist individual members of the College community in establishing individual mechanisms to filter out "spam".
Is my E-mail Private? RISD will endeavor to protect the privacy of senders and recipients of e-mail messages, but users should be aware that e-mail may not be secure. Although the College has taken additional steps to help ensure the security of all e-mail stored in College post offices, and the mechanisms for reading and sending e-mail messages (by providing various encrypted e-mail programs), some users may elect not to use these more secure methods. Furthermore, copies of e-mail messages may be archived as part of normal backup procedures and be retrievable for several months longer even after users have deleted them. RISD may also be subject to new federal guidelines requiring the College to archive e-mail for longer periods of time.
Access to e-mail messages by other than their intended user, are subject to the same authorizations as other account access restrictions.