These guidelines are meant to assist the University community in the interpretation and administration of the Acceptable Use Policy for Computing and Information Technology Resources. They outline the responsibilities each member of the community (client) accepts when using computing and information technology resources. This is put forth as a minimum set of standards for all areas of the University and may be supplemented with unit-specific guidelines. However, such additional guidelines must be consistent with this policy and cannot supersede this document.
1. Client (User) Responsibilities
Use of the University of Massachusetts Amherst Office of Information Technologies (OIT) resources is granted based on acceptance of the following specific responsibilities:
Use only those computing and information technology resources for which you have authorization.
For example, it is a violation:
- To use resources you have not been specifically authorized to use
- To use someone else's account and password or share your account and password with someone else
- To access files, data, or processes without authorization
- To purposely look for or exploit security flaws to gain system or data access
Protect the access and integrity of computing and information technology resources.
For example, it is a violation:
- To use excessive bandwidth
- To release a virus or worm that damages or harms a system or network
- To prevent others from accessing an authorized service
- To send email that may cause problems and disrupt service for other users
- To attempt to deliberately degrade performance or deny service
- To corrupt or misuse information
- To alter or destroy information without authorization
Abide by applicable laws and university policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted software.
For example, it is a violation:
- To download, use or distribute copyrighted materials, including pirated software
- To make more copies of licensed software than the license allows
- To operate and participate in pyramid schemes
- To distribute pornography to minors
- To upload, download, distribute or possess child pornography
Use computing and information technology resources only for their intended purposes.
For example, it is a violation:
- To use computing or network resources for advertising or other commercial purposes
- To distribute copyrighted materials without express permission of the copyright holder
- To send forged email
- To misuse Internet Relay Chat (IRC) software to allow users to hide their identity, or to interfere with other systems or users
- To send terrorist threats or "hoax messages"
- To send chain letters
- To intercept or monitor any network communications not intended for you
- To attempt to circumvent security mechanisms
- To use privileged access for other than official duties
- To use former privileges after graduation, transfer or termination, except as stipulated by the university
Respect the privacy and personal rights of others.
For example, it is a violation:
- To use electronic resources for harassment or stalking other individuals
- To tap a phone line or run a network sniffer without authorization
- To access or attempt to access another individual's password or data without explicit authorization
- To access or copy another user's electronic mail, data, programs, or other files without permission
- To disclose information about students in violation of University Guidelines
2. System Administrator Responsibilities
System Administrators and providers of University computing and information technology resources have the additional responsibility of ensuring the integrity, confidentiality, and availability of the resources they are managing. Persons in these positions are granted significant trust to use their privileges appropriately for their intended purpose and only when required to maintain the system. Any private information seen in carrying out these duties must be treated in the strictest confidence, unless it relates to a violation or the security of the system.
3. Security Caveat
Be aware that although computing and information technology providers throughout the University are charged with preserving the integrity and security of resources, security sometimes can be breached through actions beyond their control. Users are therefore urged to take appropriate precautions such as:
- Safeguarding their account and password
- Taking full advantage of file security mechanisms
- Backing up critical data on a regular basis
- Promptly reporting any misuse or violations of the policy
- Using virus scanning software with current updates
- Using personal firewall protection
- Installing security patches in a timely manner
Every member of the University community has an obligation to report suspected violations of the above guidelines or of the Acceptable Use Policy for Computing and Information Technology Resources. Reports should be directed to the unit, department, school, or administrative area responsible for the particular system involved.
If a suspected violation involves a student, a judicial referral may be made to the Dean of Students Office of the college of the student's enrollment. Incidents reported to the Dean will be handled through the University Code of Student Conduct.
If a suspected violation involves a staff or faculty member, a referral will be made to the individual's supervisor.
5. Specific Interpretations
This section gives interpretations and procedures that are specific to OIT systems. It is meant to be used with the Acceptable Use Policy for Computing and Information Technology Resources and the preceding sections of these Acceptable Use Interpretation Guidelines.
In addition to this document, specific computers and labs may have their own rules. These should be posted clearly at the facility, or pointers included in the login message. Violations of those rules are considered violations of Acceptable Use, and may be reported using the procedure in this document.
Interfering with Systems and Networks
Both the policy and guidelines documents indicate that computer resources may not be used to interfere with or inhibit other users. However, enough cases have come up recently that it seems worthwhile to elaborate on this point.
Problems often occur when someone creates a program that does something lots of times. For example, if you write a program that looks at the same web page thousands of times, this will normally cause a problem. Both the servers that handle web pages, and the network that gets the pages for you, are designed for normal human use. They are not designed to cope with programs that ask for the same thing many times. Similarly, sending the same request via email a large number of times (even in the same email message) will often cause problems. So will repeatedly opening and closing network connections, continuously sending "ping" packets, etc.
Networks can only handle a limited amount of traffic. UMass Amherst is fortunate to have a fairly robust connection to the Internet. However, smaller educational institutions and commercial sites may not have connections that are as robust. It is possible for a single person at UMass to do things that will effectively shut down network access for a smaller site. If you do this, you are liable not only for University discipline, but also for prosecution. Generally you should be safe if you only use standard system tools in the ways they are intended to be used: viewing web pages yourself, logging in to a computer and using it for legitimate purposes, etc. If you start writing programs or scripts that use these tools repeatedly or in unusual ways, it is your responsibility to make sure that what you are doing will not cause problems for the rest of the network.
Although the parameters are subject to change, the maximum outbound traffic from on-campus residents to off-campus destinations should not exceed 1 Gigabyte of data during a twenty-four (24) hour period. If you exceed that threshold, your bandwidth may be limited, or your connection may be temporarily disconnected. Users who have a legitimate need to transfer this amount of data may be contacted to verify that their usage is appropriate, and not the result of a compromised (hacked) computer or network.
Individuals, departments or students operating computers or networks that consume an excessive amount of bandwidth are subject to having their consumption limited to ensure adequate capacity for the majority of users. For administrative systems, a good-faith attempt will be made to contact a responsible party prior to curtailment or disconnection of a computer or service. In all cases, the legitimate business needs of the University will be considered the highest priority traffic, and the use of resources for entertainment or other personal uses will not be considered essential and may be severely limited.
Disruption of Core Network Services
While it is normally safe to use standard system tools, the same does not necessarily apply to all customized system tools. For example, certain members of the IRC community distribute programs for disrupting IRC connections. Such a tool is in itself suspicious, since disrupting someone else's activity is generally a violation of Acceptable Use. What's worse, some of these tools work by creating a network overload. Thus they may not only disrupt the person you are trying to disrupt -- they may interfere with the entire system or the network itself. The use of such tools is not appropriate.
The University Office of Information Technologies (OIT) will be the sole provider of network “services” such as DNS and DHCP on OIT networks. Any computer or equipment that replicates or disrupts these services will be immediately disconnected. Computers or devices that require a static IP address must have one properly assigned by OIT. All residential computers must use an IP address assigned by DHCP (there are no exceptions). Static addresses may be requested for administrative computers from firstname.lastname@example.org. Such requests must be made by an employee of the University who is responsible for managing the computer or device.
The university's telecommunications network accommodates many thousands of users on and off campus. The network is constantly monitored to track volume and performance. In the event that the campus network experiences significant degradation due to excessive utilization of resources or a network-based attack from internal or external computers or networks, the University reserves the right to take any measure necessary to ensure stability and performance. These measures may include rate-limiting, filtering, or disconnection of any computer, network, or building that is involved. Whenever possible, prior notice will be given; however, in emergency, after-hours, or widespread network disruptions this may not always be possible.
When the University receives a notice of infringement from a copyright holder or designated agent in compliance with the DMCA (Digital Millennium Copyright Act), the University will take any measures necessary to remove the ability to access the infringing material via the network without prior notice. This activity is illegal and a violation of the OIT AUP, and will not be tolerated from either the Residential or the Academic computer networks.
File Sharing provides a convenient way to transfer information, and facilitate collaboration on projects. It can also make it convenient for a hacker or virus to invade a computer! Many of the latest viruses take advantage of shared directories that aren’t adequately protected. Today’s hackers can take advantage of these same vulnerabilities to place files called trojans in a computer to use in gathering information and attacking other machines.
File sharing is not prohibited by OIT, but it is recommended that this tool be used only when other, safer solutions, such as Secure FTP, are inadequate, and that the shared folders are protected by secure passwords which are only shared with trusted friends and associates.
Issues with IRC
Many of our complaints from other sites involve users of IRC (Internet Relay Chat). Here are some of the most common:
- Using IRC software (commonly called "proxies") that let users hide their identity or appear to be coming from a different computer than they actually are
- Using IRC software (commonly called "bots") to harass or interfere with other users or the IRC system in general
- Using IRC software to overload a system or otherwise interfere ("nuking", "DOSing")
People often think that nuking is a harmless prank. Unfortunately the software used to do this often operates by overloading the network on the other end. OIT provides a very fast network. We can easily generate enough network traffic to take another institution or company off the Internet.
Commercial or Political Use of OIT Resources
Commercial or political use is covered in both the policy and guidelines documents. This is being mentioned here simply because commercial use is one of the most common violations of acceptable use. Here are some of the most common examples of things we consider commercial use:
- Using a UMass system to host a web page for any business, including your private consulting practice, your political campaign, or to campaign for another person
- Referring people to a UMass email address for commercial or political use (e.g. in print ads or commercial web pages)
There are often ambiguities about what is permitted. Do not plan to "ask forgiveness" after the fact! You are best advised to "ask permission" before starting to develop any information that may be interpreted as "commercial" in nature. In such cases, please feel free to call the OIT Help Center at 414-545-9400 or fill out our Help Request form.
- It is a violation to send email that a reasonable person would consider harassment, including email to any person that has requested you not to send them email, or repeated email to someone you don't have a pre-existing relationship with
- All email must contain a valid From: field, identifying an email address to which questions and complaints may be directed
Bulk Email or SPAM
Special issues apply to email to large numbers of people. This is a potential problem, for both policy and technical reasons. Therefore, it is considered a violation of acceptable use to send substantially the same email message to more than 50 users. Exceptions are:
- When the use has been approved by the system administrator, after verifying that it does not violate policies
- When the mail uses majordomo, listserv, or another facility that has been specifically engineered to handle mailing lists. These systems will also allow users to join and leave lists themselves, except in the case of a few UMass internal lists, where appropriate University officials have established lists that do not permit users to leave
While this document covers only OIT Resources, there is another document on bulk email, discussing this issue in more depth and covering computing resources as well. Those rules are consistent with this document.
This includes the restriction against commercial or political use and the general requirement that all activities must abide by the law. There are now laws against unsolicited commercial email in some areas.
Chain letters are letters that come to you asking that you participate in a pyramid scheme to make money, receive goods, or in some cases simply send well wishes on to "5 of your friends" for good luck. If you know math you will recognize that chain letters attempt to create exponential growth. If not stopped, they will quickly overwhelm any network or mail system. Thus it doesn't matter whether items of value are involved or not. Chain letters have been illegal if sent through the United States Postal Service (USPS) for many years.
Many Internet chain letters start out by saying "this is absolutely legal", or "I used to think this was illegal, but I checked with a lawyer and it's not". The USPS and FBI say that this is false. These schemes (and various related ones, including some multilevel marketing scams) are considered to violate Federal laws against both gambling and wire fraud. We (and most ISPs) will take action against any chain letter, or any other form of communication that asks each individual to send something to lots of others.
The best action for you to take is to simply delete any message that appears to be a "chain letter." In this way you protect both yourself and the sender.
Issues with Netnews
We expect our users to follow community standards in use of netnews. This includes (but is not limited to):
- Abiding by any rules specified in the charters of the newsgroup
- Abiding by rulings of the moderator in moderated groups (and not attempting to bypass moderation for moderated groups)
- Posting only to relevant groups
- Not sending substantially the same posting to more than 10 groups
In some other areas it is hard to codify acceptable behavior in a policy such as this, because certain standards differ from group to group. These standards often include the level of personal attack and strong language that are allowed. In certain groups there are other standards. We expect our users to follow prevailing standards. If you consistently violate those standards, readers may complain to the system administrator. If a system administrator or other OIT staff person instructs you that your postings are inappropriate, we will expect cooperation. (See the next section.) This policy is intended to deal with violations of group charters or similar standards for a group. University policy does not permit content-based censorship. Thus this rule may not be used by staff to control what views may be expressed by users.
Cooperation with System Administrators
From time to time activities may interfere with operation of the system, even though they may not clearly be prohibited by the Acceptable Use Policy. In such cases, the system administrator or other OIT staff person may contact you and ask you to stop doing something. You are expected to comply with such instructions. Once you have received such a warning, any further activity of the same kind will be treated as a violation of Acceptable Use.
This is intended to allow staff to intervene when immediate action is required to stop a concrete problem, such as overloading a system or network, interfering with other users' normal use of the system, or a security breach. It is not intended to give system administrators arbitrary authority. If you think a staff member has acted inappropriately in asking you to stop something, you may ask for the decision to be reviewed, in accordance with University policies and procedures. However, you will be expected to comply with the ruling of the staff while this review is happening.