INFORMATION SECURITY

 Acceptable Use Policy FAQ                      Printer-friendly version

Case Western Reserve University
Acceptable Use of Computing and Information Technology Resources

Frequently Asked Questions (FAQ)

Version 2.2
Last Revision Date:  February 6, 2009
Approval Date: February 19, 2009
Approval Authority:  ITSPAC

What is meant by the phrase "...no inherent expectation of privacy"?

The University provides information technology(IT) and networks with the intent of making information available in an academic setting. Users should understand that this openness brings with it some inherent risks based on the nature of Internet threat sources. Where sensitive information is processed in an official capacity, the IT policies of the university are intended to provide reasonable and appropriate protections to ensure the confidentiality and integrity of such data, while still making that information available to authorized persons.  

What if I'm using my personally purchased computer? Does this policy still apply?

Yes, the policy applies when you are connected to any Case network (wired or CaseGuest wireless) and using the connectivity and bandwidth that Case provides to the community. This policy applies to all information technology resources used to conduct University business, and/or to manage sensitive University information.

What are considered legitimate methods of Case account sharing?

The practice of individual user account sharing is prohibited.

Case systems have been designed to be self-help by nature. With systems administrators and mailing lists, there are rare instances where a user will legitimately need to share their account credentials (CaseID and password). If you share your CaseID and password, you are reminded that your credentials provide access to your payroll, human resources, and benefits functions, as well as email. That means the person you have shared your credentials with can gather your sensitive information and perpetrate Identity Theft crimes against you.

Well, I made a mistake and I did share my account. What do I need to do now?

To avoid the untoward circumstances of account sharing, you should change your password immediately and be watchful for signs that someone else is using your account.

I have observed a violation of this Acceptable Use Policy. What do I do?

AUP violations should be reported to your manager, department chair, or dean (as applicable) who will then have the option to notify Case Information Technlogy Policy (policy[at]case[dot]edu). Depending upon the severity of the violation (e.g. illegal activity, threats of violence, etc.), actions are taken that may include network triage. If an initial investigation produces evidence which indicates an AUP violation has taken place, Case ITS will work through the appropriate supervisory channels. Sanctions for violations are clearly delineated in the AUP document.

If you feel threatened or in personal danger by any online behavior from a Case user via Case IT systems, please call Case Protective Services at 368-3333.

What is an example of a sanction for a person for violation of the Acceptable Use Policy?

I need to give email sharing permission to my department assistant because I am awaiting a tenure or promotion recommendation and will be out of town. Is this consistent with Case policies?

The sharing of email and similar information is permitted, it is just the sharing of your user credentials that is prohibited. A viable alternative is to set email forwarding rules to to the department assistant, or using a mailing list or personal alias to share specific incoming mail messages.

When the user agreement says that there is routine monitoring, does this mean that my department chair can access my email or hard drive whenever he/she wishes to do so? Don't I have the right to privacy?

Your department chair cannot access your Case email, network backups, or local hard drive (without your cooperation) under the existing policies without first working through the recognized administrative processes for approval. For faculty, this would mean working through the dean of the pertinent school, then Chief Information Officer (CIO). For staff, Human Resources needs to be involved first and then the CIO is contacted. For graduate and professional school students, either the appropriate dean or Student Affairs would be required to request CIO approval. For undergraduate students, the Dean for Student Affairs would have to approve it before requesting assistance from the CIO. 

Any direct active monitoring of individuals by departmental staff without approval is considered to be a violation of the AUP as well.  

Routine monitoring means that network usage is noted, unusual connections (indicative of malicious outside users hijacking the current systems) may be investigated, and under those circumstances, email, voice mail, voice connections may be seen by authorized Case employees. The auditing of network and system logs, such as in HIPAA security rule requirements, is another example of routine monitoring. In the event law enforcement needs a right to access, the university cooperates with law enforcement authorities in consultation with the university counsel. There should be no expectation of an inherent right to privacy--such rights cannot be guaranteed within the myriad IT uses at Case. For example, it is possible that emails can be mis-directed or corrupted from a virus.

The only staff authorized to conduct direct active monitoring activities are in ITS, and then only with the focus of investigating a security issue or network use/misuse.

What is the process for gaining approval for monitoring of individuals?

The University may also specifically monitor the activity and accounts of individual users of university computing resources, including individual login sessions and communications, without notice, when (a) the user has given permission or has voluntarily made them accessible to the public, for example by posting to a publicly-accessible web page or providing publicly-accessible network services; (b) it reasonably appears necessary to do so to protect the integrity, security, or functionality of the university or other computing resources or to protect the university from liability; (c) there is reasonable cause to believe that the user has violated, or is violating, this policy; (d) an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns; or (e) it is otherwise required or permitted by law. Any such individual monitoring, other than that specified in "(a)", required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by the Chief Information Officer or the Chief Information Officer's designees.

What about Peer to Peer (P2P) filesharing?

P2P systems can use less bandwidth, enable faster file transfers, reduce redundancy, and enable peers to connect directly with one another without going through a central authority.   The software for P2P systems do not have central file repositories neither do they have central authorities to verify the quality and legality of files within their systems. This shifts the burden of responsibility to users who must personally ensure that they only share and download safe and legal materials.

Sharing and downloading copyrighted material, without permission of the owner is illegal and thus a violation of the AUP.  Most people know that; but when movies, songs, games and other files are discovered via P2P networks it can sometimes be difficult to tell whether they were shared legally or not. When in doubt users should do further research to find out if the copyright holder authorized the distribution. 

New provisions of the Higher Educational Opportunity Act (HEOA) of 2008 require universities to "effectively combat" illegal P2P file sharing.   In light of the HEOA provisions, the  Recording Industry Association of America (RIAA)  has recently halted the process of litigation of students for illegally sharing copyrighted materials, but they will continue to monitor file sharing networks for copyright violations.  They will notify network service providers, such as Case, who are still obligated to take appropriate actions on copyright violation notifications.