💾 Archived View for spam.works › mirrors › textfiles › computers › email captured on 2023-06-14 at 16:02:01.

View Raw

More Information

-=-=-=-=-=-=-

Policies on electronic mail - a summary
---------------------------------------

Attached is an edited summary of the responses I received on my recent
query. 

The majority of respondents didn't have a formal mail policy, although
there was some unspoken agreement on it. 

At least one formal mail policy is attached. Some organisations seem
to have come to grips with the problem extremely well - as the following
(rough) quote from the Sun Microsystems internal handbook 'Email Survival'
illustrates.

'Accessing another persons personal electronic mail or files without 
their specific permission is considered gross misconduct. The ease with 
which this might be done in no way justifies this intrusion. Printed copy 
awaiting pickup from a printer is equally confidential  material. Any 
misconduct of this type may result in the termination of your employment
with Sun'.

Thanks to all who helped out. Also, some people requested anonymity
so I decided it would be best to strip out all identifying information
from the summary. If you would like to discuss something with any
particular correspondent, no doubt I can arrange it!

--
Todd Hooper (Postmaster)                                   Computing Centre
                                            Curtin University of Technology
Internet: hooper_ta@cc.curtin.edu.au                      Western Australia
ACSnet  : hooper_ta@cc.cut.oz.au
Phone   : +61 9 351 7467 (24 hour messaging system) Fax +61 9 351 2673

--- Comments from commercial site administrators and users ---

We take e-mail very seriously -- both on our own systems and on those that
we administer on behalf of our clients. I view e-mail in the same light as
paper mail. Accordingly, we make every effort to ensure timely delivery
and privacy. Our staff are encouraged to use the facility and we make no
distinction between business and personal correspondence.

We are sufficiently small that abuses of this privilege can be dealt with
at a personal level. In the three years that we've had network access,
only one user has been troublesome. In this case, the user was sending
inappropriate quantities of data via the e-mail system and that person has
been encouraged to seek alternative methods (magnetic media) of data
interchange.

So far, I have not found it necessary to formulate written policy on this
subject although recent activities that have been reported in the U.S.
have prompted me to consider doing so.

---

[1]  We're a commercial site, an employee-owned firm.

[2]  All email is private to the extent we can make it so under fairly
standard System V setups.  Directories for spooling are locked, although
a dedicated person could probably find a hole somewhere.  Privacy is
only knowingly compromised when a user needs file repair, and even
then the user is warned that someone will probably see the mailfile
or spooled message as surgery if performed.

[3]  We don't consider net-correspondence or personal routing to be a
problem.  In fact, we helped an employee figure out a path to his
daughter during the summer.

[4]  Nobody at our site has precipitated a net flame-war, so the issue
of abuse has not come up.  Were it to occur I suppose we would give
the party in question a reprimand on the first offense, and we would
have to handle additional problems on an ad-hoc basis.  We try to
be flexible; so far we haven't [KNOCK WOOD] had a major test.

--

This is certainly [not] an official educational mail policy, it is merely a
note reguarding my experience.

Although I realise that you, as a systems administrator, have a duty to
maintain security on your site, particularly now with AARNet connectivity,
I feel that the reading of someone elses personal mail is a gross injustice.
Despite the fact that you probably have every right to read the mail (they
have chosen to place them on your machine), it is degrading and leads to
animosity between staff and students.  As a sysadm myself now, I will
never read someones mail even if i suspect them of breaching security.

---

On mail abuse.  Of all organisational e-mail setups I've come
across (not that many, but I think sufficient to make correlation),
at least 30% of all intra-orgainisational email traffic is 
of a social nature.

In one instance, numerous mis/comms managers of a major international bank
that I've dealt with confessed, under social/relaxed settings that they
reckon more than 1/2 of all mail in their system were invitations, replies,
greetings and felicitations and such like.  They were using IBM/Profs and
a population of ~7000 users worldwide.

My thought: I don't think there is any feasible active policy 
you just have to rely on your employees to be professional about it.

--- Responses from academic site administrators and users ---

As far as we are concerned e-mail and e-news is there to be used, the more
students use it the better since they begin to use the computer systems
voluntarily.. not just to do their projects.
(some of them are even buyng e-mail accounts on commerical systems)

There aren't any charges or accounting..

---

I've had no problems here in ******.  Hopefull, the mail is
private.  there have been no rules set down for the use of
personal mail, and in fact one of the groups I use could
only be called personal.  The news also is personal I guess,
as alt.sex or such could hardly be called work!  (something
for tea breaks).

There is of course lots of official things passing through,
and who determines what is personal and what is strictly
university work?

---

No official policies at ******.  In general, anyone (staff or student) is 
permitted to use mail to anywhere.

Privacy - people are warned that mail is not secure and confidential
information should be sent by other means. 

Abuse - the universal threat: misuse of computer systems may result in
disabling of accounts (and consequent failure for students because of 
inability to complete assigned work.  We always warn people, and one warning 
has proven sufficient so far.) 

Personal messages - no rules, just the general statement that applies to 
computing generally "People doing University work have priority for use of 
terminals, etc".  This is sort of enforceable, in the sense that anyone 
wanting to use a terminal can complain to the person doing private work, and 
then to the system manager if necessary.  We rarely have complaints.  As far 
as checking for private mail, there are hundreds of messages a day go from 
here, and I don't have the time or inclination to read it.  I don't really see 
any problems with people sending private messages, after all, universities are 
supposed to be places of open thinking, etc, etc, etc.  (It would be different 
if it was costing us anything, such as people printing out dozens of 
invitations on our laser printer!)

---

.......................................There is no point in adopting
rules you cannot enforce.  In particular there is no way of enforcing rules
agains the use of email for personal messages unless you want to adopt the
distastful and tediously boring practice of reading all messages.

New computer users are given a statement describing their
computer access as a privilege, not a right, and with some guidelines as to
proper use.  There is always the implication that if they abuse their privileges
they can lose them.  If a user starts sending abusive email, you would probably
hear a complaint from the recipient and could take action.  If users send
multi-megabyte email messages you (or your postmaster) will probably see the
error messages when they bounce, and again can take appropriate action.  In
our case appropriate action is usually a warning, followed up by account
suspension in the rare cases of repeat offenders.

 As for privacy of email, I follow the practice that in principle email should
be private, but that in practice they should not assume this.  I post occasional
warnings that I as postmaster, and presumably postmasters at other sites, will
sometimes see a copy of their mail when an error occurs, sometimes due to no
fault of the sender.  I also inform users that system administrators technically
have access to all files on the system, and may occasionally need to read user
files to resolve system problems.

 My personal policy is to never divulge the contents of email I happen to see,
even when that email contents suggests gross abuse.  However I have no
such hesitation in divulging information obtained from system log files, which
list such information as sender and recipient addresses, message length, etc.
Since these log files are publicly readable (even though most users do not even
know they exist), I consider them public information.

---

There has been a discussion on TECHREP@BITNIC.BITNET on electronic mail
privacy/policy lately.  If you are not a TECHREP, I would suggest you
subscribe to TECHNEWS@BITNIC.BITNET as it is an open re-distribution of the
TECHREP list.

Send your subscription request to LISTSERC@BITNIC.BITNET in a mail message
with the first line  being "SUB TECHREP (or TECHNEWS) <Your Name>"

I enclosed a copy of a message that may be of intrest to you that appeared
earlier this week.....

=-=-=-=-=-=-=-=-=-=-=-= From SYSTEM NOTEBOOK C0 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

>----------------------------Original message----------------------------
>On Tue, 30 Oct 90 15:03:22 GMT <GLWARNER@SAMFORD> said:
>>Could anyone tell me if there is a published statement concerning
>>the privacy or non-privacy rights of electronic mail on Bitnet?
>>
>>We are going to be granting access to all our students, and our
>>attorneys have suggested that we should have a published statement
>>concerning this matter.
>
>We are currently preparing a system/network usage policy document
>to inform our students (and other users) regarding what will be
>considered 'abuse', etc.  We plan on including these statements:
>
>
>                     *** IMPORTANT INFORMATION ***
>
>    Pursuant to the ELECTRONIC  AND  COMMUNICATIONS  PRIVACY  ACT of
>  1989, TITLE 18, UNITED STATES CODE, Sections 2510  and  following,
>  notice is hereby given that there  are  no  facilities provided by
>  this  system for sending or receiving confidential messages.   The
>  System Administrator and assigns  may  read all messages and files
>  of any user.
>
>
>    Computer accounts are paid for by the State of Texas and are for
>  educational  purposes   ONLY.  In   general  educational   use  is
>  interpreted loosely.  But, use  for economic  gain or  computer or
>  network  abuse will  not be  tolerated.  If there  is a  complaint
>  regarding your  usage of networks  or UTA computers,  UTA Academic
>  Computing   Services  has   the  right   and  will   review  trace
>  information, backups, and your  account contents to determine your
>  complicity. Possession  of command files  that are solely  for the
>  purpose  of pestering  other persons  or having  blatently obscene
>  material in your accounts, are generally considered just cause for
>  administrative action against you. You do NOT have a right to keep
>  these types of materials on UTA computers.
>
>
>We would appreciate any feedback on possible problems with these
>statements.
>
>Thanks,
>Bob Carr
>Manager of Systems Support
>UT Arlington
>

---

I'd be most interested in a summary.  The official policy at ***** is
that we have to use our computer accounts for "educational pursuits"
(or equally legal sounding stuff).  A fairly high level of privacy
exists, although the university reserves the right to read our email.

---

There are paragraphs alluding to many aspects of the e-mail issue
in various Internet RFC documents (I can't cite them by chapter and
verse off-hand, but one that comes to mind is the Security Policy
Handbook that is in fairly advanced draft right now ... it is
prepared by the Secuirty Policy Handbook Working Group (SPWG) and
you can get it by anonymous FTP from cert.sei.cmu.edu (look for
an "obvious" subdirectory).

Let me advance the following by way as a rough guess at to what you
will find:
(1) Many sites will have no official policies.
(2) Some sites will have official policies prepared to satisfy the
    legal staff and bean-counters: these policies will sound very
    nice and complete but in fact be largely impractical to
    implement.
(3) Some sites will have policies based on experience and knowledge
    of the technical staff: these policies will point out that e-mail
    ain't secure unless encrypted and that security is inversely
    proportional to ease and convenience of use of a system.

I suspect, too, that the top levels of administrations that tend to
think in terms of official policies, are also the ones who least
understand the technology and what really can and can't be done.

---

I am sysadmin of ********

We have 70+ users.

We have no policy in place.

Users are free to use email for whatever purpose they like.

and they do use it.

We use standard Unix mail which means each user's mailbox is private
with the exception of root, who can look at anyone's mail.

---

It was interesting that you should raise this on info-nets. So I
would like to share with you my thoughts on the subject, having worked
and researched in the human factor in global email since 1982.

I think that the coming of AARNet and the tremedous promotion work
that Geoff Huston and his group is doing will advance the use of
email in Australia. It mighe not be a good idea at this early stage
to insist that email should be used for "official" business, as it
will be extremely difficult to define what is official, work, and what
is personal and private use. To do so will dampen the learning and usage
enthusiasm of the lay people. I have been a member of a number of overseas
conferencing systems, and quite frankly, a lot of the messages have only
social values, but they are important all the same, as they are crucial
to group dynamcis and group affinity.

---

OK, here's the Dartmouth policy plus a disclaimer from the manual
for the Dartmouth-developed e-mail application:

         DARTMOUTH COLLEGE COMPUTING CODE OF ETHICS

The Computing Code of Ethics was formulated and is endorsed by
Dartmouth's Council on Computing, a faculty committee that
advises Dartmouth on questions of policy concerning the
allocation and use of all computing resources.  The council takes
an active role in determining the standard computing environment
on campus and participates in planning and reviewing projects
that will significantly affect computing at Dartmouth.  The
Council on Computing wholly endorses the Dartmouth Computing Code
of Ethics as follows:

Computer use.  The Computing Code of Ethics states that every
user of Dartmouth College Computing has two fundamental rights: 
privacy and a fair share of resources.  It is unethical for any
other user to violate these rights.  Violation of the Computing
Code of Ethics is considered a violation of the Academic Honor
Principle and may subject a student to disciplinary action.

Kiewit Network privacy.  Each user number and associated password
belongs to an individual, department, or school.  No one else
should use a user number without explicit permission from the
owner.  All use should be in accordance with Dartmouth policy on
computer use set forth in this document.  Owners accept the
burden for the responsible use and dissemination of their user
number.

Programs and files belong to the owner of the user number or
catalog containing the programs and files.  They are presumed to
be private and confidential unless the owner has explicitly made
them available to the public.  When necessary for the maintenance
of a system or network, Kiewit Computation Center personnel may
access others' files.

Some programs gather information about the users who run them. 
If such information could be used to identify the user and the
user's use of the program, the user should be warned and given a
chance to leave the program before data collection begins.

Use of a the network and/or electronic mail facilities for
transmitting rude, abusive, harassing, or malicious messages is
unethical.

Personally owned computer resources.  The unauthorized copying of
any software that is licensed or protected by copyright is theft
and thus unethical.

Programs and files that belong to the owner of a personal
computer enjoy the same rights of privacy afforded to programs
and files resident on the Kiewit Network computers.  They are
presumed to be private and confidential.

Resources.  No one should deliberately attempt to degrade Kiewit
system, network, or personal computer performance, nor to deprive
other users of the resources of or the authorized access to any
Dartmouth- or individually-owned computer.

Loopholes in the Kiewit computer system or network or knowledge
of a special password should not be used to damage computer
systems or networks, to obtain unauthorized resources, or take
resources from other users.

No Dartmouth-owned computing resource should be used for
unauthorized commercial purposes.

When necessary for the maintenance of a system or network, Kiewit
Computation Center personnel may restrict availability of shared
resources.

                   ELECTRONIC MAIL INFORMATION
           (Not Part of the Computing Code of Ethics)

Privacy information.  The privacy of electronic mail is somewhere
between that of a letter and a postcard.  Electronic mail is not
entirely confidential.  There may be instances where the
postmaster may have to gain access to a message to determine if
something is wrong with the address, or the message may be
delivered inadvertently to the wrong address.

--

I'm the postmaster here for the Department of Computer Science,
and thus for a bunch of student systems as well as the staff network.
We don't really have an official policy that I know of for electronic
mail, but I think some of the unofficial ideas we've been working with
may be of interest to you. I'm interested in any other replies you
receive, so if you don't get enough to post to the net, could you email
me a copy please ?

During the period ******* through to *******, network access for students was 
completely open. They were allowed to send mail anywhere they liked, and 
FTP from the States, telnet into machines over there and try to break into
people's computers :-(.

At some point this "feature" was mentioned to the bigwigs here, who
immediately determined that undergraduate students should not have
AARnet access. The very idea of undergrads being able to send mail
overseas was quite unthinkable. Naturally, the implementation of such a
restriction required a bit of thought, because students do need access
to utilities like telnet and so on to communicate between machines on
campus. Eventually we decided to try not running routed on the
machines, thereby making attempts to reach systems outside the
physically connected network return the message : Network unreachable.

This has been fairly successful, although because our campus network is
subnetted, we have needed on occasion to add a special static route
into Multigate boxes to talk to Macintosh labs and so on. The one big
disadvantage of it is that no-one on the machine can reach off camous,
so staff users can't mail overseas from such a crippled machine, for
instance. Apart from trying to follow the commandments of the
powers-that-be, we were also pleased to be able to stop students from
FTPing vast numbers of raster images from US sites. (Since disk quotas
were mistakenly not turned on at the beginning of the semester, I mean
VAST numbers).

In any case, although I've never sighted an "official" policy or even
an official memo telling us what we should and should not let the
students do, I thought you might find what we've been doing
interesting, since it is my vague understanding that not many other
AARnet member sites are restricting student access (?). 

[deleted]

Your message also mentions other issues such as mail abuse, privacy of
mail etc. Again we don't seem to have a clearcut official policy
although we do have a "Principles of Responsible Use" document which
students are expected to pay some attention to. It explicitly says
"users should not...attempt to intercept any network communications,
such as electronic mail...".  It goes on to say "Actions taken by users
intentionally to interfere with or alter the integrity of the system
are out of bounds. Such actions include ...impersonation of other
individuals in communications...". I think that this document is a
locally written thing, and isn't circulated to the other larger student
site on campus.

As far as privacy of mail goes, I was quite surprised to hear most of
our lecturers agreeing that as far as they were concerned, students'
mail was an "open book". Some of the first year lecturers in particular
are very concerned with plagiarism, and seem to often browse through
student mailboxes to try and detect it. I'm pretty sure that they want
to treat it as an open book, but have no intention of telling the
students that that is the case. As a postmaster, my immediate reaction
is that such an attitude is rather unethical.