Special Article
Computer Policies in a Campus Environment

----------------------------------------------------------------------

Far too often we find ourselves discussing, and eventually arguing, over topics and concepts with which we have no direct knowledge. After the initial reservations we typically have regarding public speaking have been quieted by the feeling of community and shared openness of a class or committee, we sometimes enter a state of euphoria where we'll say anything that comes to mind regarding a given topic, because in our minds it "sounds good." Simply, people left to theorize about things over which they have no practical knowledge often make necessarily impractical observations, predictions, and explanations regarding real-world situations. This applies to the creation of policy equally to a discussion on policy. Because of this, I won't bore you with my thoughts on a subject I feel I have a decent grasp, but over which I have no direct exposure. Instead, I am going to present a general discussion on computer-oriented policies and their impact on computer usage, followed by the story of a specific, ill-conceived public policy and how its implementation went horribly wrong.

----------------------------------------------------------------------
General rhetoric on computers and policy

        Computers are an interesting development in technology. Never before has man had a tool quite as versatile as your common computer, and never before have men been forced to regulate anything like it. The same device I'm using to write this article can be used, simultaneously, to serve interactive media to hundreds of visitors, correspond one-on-one or one-to-many with friends and family, and join forces with thousands of other similar devices to help prove mathematical theorems.

Try doing all of that with your everyday toaster, common hammer, or sporty automobile.

        Toaster ovens have one main purpose. The same is true of hammers and ultimately even automobiles. Computers, on the other hand, are labeled as "multi-purpose devices," and they have certainly lived up to that classification. This leads to an interesting problem with regulating the use of computers. Hammers and toasters are generally regarded as harmless enough that their use goes unregulated. Automobiles, on the other hand, have very strict rules regarding their operation. Because of the narrow scope of activities these rules address (i.e., driving on a street), they can afford to be both general enough to limit loopholes and specific enough to avoid misinterpretation. This is typically true of most forms of law attempting to regulate activities of a specific nature. It is only possible because automobiles can only be used to engage in activities of a specific nature.

Computers can be used to engage in activities of wildly varying natures.

        For example, one potential use of computer technology is to serve informative content to a target audience through the world wide web. This activity is similar to both traditional print media and traditional radio/television programming. Everything that makes up the fabric of the world wide web (including much of the content itself!) is uniquely computer-oriented, and couldn't exist without the aid of software specifically designed to render images, display text, generate statistics, etc. Meanwhile, on an entirely opposite side of the arena, computers can be used to damage the flow of information, disrupt commerce, and generally cause harm to specific individuals and groups of people.

        How, one might ask, can we possibly hope to write laws focused enough to prevent the latter action, not hinder the former, and yet be broad enough to allow for expansion and limit loopholes? To answer this question, we must break it down into several smaller questions.

  • Why do we want to allow for and encourage the activities of trade, information dissemination, and recreation?
    • In what way does computer-aided commerce benefit society as a whole?
    • How does the free flow of information outweigh in significance the right to learn through experimentation?
    • When does recreation become an "attack", and why does your hurt invalidate my fun?
    • How much "damage" is actually damaging?
    • Is there a simple test to determine when your use of computer resources undermines my ability to produce work?
  • Why do we want to restrict the ability to cause damage and disruption?
    • If what we are engaged in (commerce, learning, or fun) is as critical as we claim it is, is it everyone else's responsibility to allow us to conduct it?
      • Is it even feasible to ensure our activities are not vulnerable to outside intrusion and disruption?

        These questions are, for now, just slightly beyond our ability to fully answer. For example, if nobody is allowed to experiment with techniques used to break into systems, nobody will fully understand the vulnerabilities that may exist in present systems. However, if the systems put into place were vulnerability-free to begin with, nobody would need to experiment to find these nonexistent problems. The proliferation of services such as BUGTRAQ and VULN-DEV (and the constant stream of bugs and vulnerabilities published through those services) shows the need for this type of "peer review." Does the existence of vulnerabilities, then, necessitate that public policy allow potentially threatening live testing of systems? Or, does it imply that the actual creation and publication of software systems needs to be regulated to guarantee that vulnerabilities do not exist? These questions have no easy answers, and are beyond the scope of this article to discuss further.

        Campus Environments. Policy. Ethics. Yes, I'm getting to that. The problem I'm encountering is a problem shared with policy makers: The question is too broad, the implications of every action are innumerable, and the simple task of defining the arena of discourse proves so difficult that most give up and treat all areas of "computing" as being components of a few specific activities.

----------------------------------------------------------------------
An examination of existing policy

        Given the problems described above, rather than discussing computer policy as a whole, let us instead look at existing policy and determine its implications. For example, the following is an excerpt taken from the Rensselaer Policy on Electronic Citizenship, published by Rensselaer Polytechnic Institute's Office of Computer and Information Services.

4.1.1. Privacy of information

No one should monitor, access, copy, print, alter, transmit or destroy anyone else's electronic files without explicit permission (unless authorized or required to do so by law, policy, or regulation). Simply being able to access a file or other information does not necessarily imply permission to do so.

Similarly, no one should connect to a host on the network without advance authorization in some form. An uninvited connection is generally considered to be an invasion of privacy and potential security threat. (Such applications as web pages and anonymous ftp sites are by their nature intended for public use and do not require explicit permission.)

        "No one should monitor, access, copy, print, alter, transmit or destroy anyone else's electronic files without explicit permission." This statement covers a lot of ground. The concept of monitoring is usually associated in everyday life with the act of checking on something, as in to make sure it's functioning properly (like with a baby monitoring device, or a school's hall monitor). This idea seems to differ from the use of the word "monitor" here, though, as arguably the above examples of monitors are positive, whereas this clause intends to restrict one's ability to "monitor" other people.

        If we can assume this statute is in place to prevent an activity we would consider to be detrimental to the general populace, what activities does it hope to disallow? As I'm sure the more technical readers can answer, the use of utilities like tcpdump, Sniffit, etc. on a public network can be considered detrimental, and is arguably the set of activities this regulation hopes to restrict. These utilities, however, exist as diagnostic tools, and can be used to aid in such generally useful tasks as locating networking faults, and deciphering unknown modes of communication between two arbitrary network nodes. However, due to the nature of their implementation, it may be true that at any given time during the normal course of these utilities' operation, arbitrary unsolicited pieces of network traffic may be displayed to the user (that is, no matter how restrictive one's use of these utilities may be, there may come a time where someone else's private network transmissions are "caught" and displayed). This raises several important issues: Does the use of network monitoring and diagnostic tools for non-pervasive tasks constitute unauthorized monitoring if those tools fail (or are unable) to restrict what network content is reported? Is it ethical to continue using such a tool that you know may place you in violation of local policy, and hence your fellow network users' expectations of privacy?

        "No one should monitor, access, copy, print, alter, transmit or destroy anyone else's electronic files without explicit permission." Disregarding the statement at the end of the second paragraph (which will be addressed later), this is another very vague and sweeping restriction. Public FTP archives, for example, are simply repositories of electronic files "owned" by private individuals that have been made available to anyone who is able to access them. Such sites don't explicitly give permission to people to download the files stored on them, or even to connect to the service at all. It is just common practice to believe that FTP archives whose maintainers have allowed so-called "anonymous" access to their contents are free for general consumption.

        The same situation applies to other resources available to a networked population. Web sites, for example, behave in much the same way. Most web sites you can find on the Internet are free for general consumption, and you can tell that because you can view them. Other such services include Usenet Newsgroups, Internet Relay Chat, etc. So then, what services are being addressed by this regulation? Again, my technologically accelerated readers will readily list such items as private files in one's UNIX account directories, protected files on one's own private computer, and so on. Generally, anything someone has not made available to you is not covered by this rule.

        This logic leads to several puzzling questions, however. For starters, if the only items it disallows you from accessing are those that you cannot access to begin with, what effect is it trying to achieve? The obvious case is where a vulnerability is discovered allowing one to bypass the access controls which have been put in place to stop or control your ability to view a file. Beyond this case, however, things get confusing. For example, what if a given service implementation, by default, allows full access to data for any external party (such as a Windows FTP server package that by default allows full read access to your C:\ drive in order to provide an example configuration)? The owner of the data stored on this service may not have explicitly allowed you to access the data, but instead may have merely neglected to explicitly restrict your access to it. In this situation, it may become difficult to determine what is, and what is not, actually intended to be public data. Perhaps foreseeing this potential problem, the authors of this policy included the chilling verbiage: "Simply being able to access a file or other information does not necessarily imply permission to do so." Unfortunately, we may be trading the protection of a few for a loss in utility for the many, since we have already determined that the easiest and most widely accepted method of determining access intention is by determining access privileges.

        So, in review, there exist services that are assumed to be intended for general consumption based on one's ability to gain access to their content. This fact probably led to the adoption of the statement that such applications as web pages and FTP sites (and by extension IRC servers, Usenet servers, etc.) "are by their nature intended for public use and do not require explicit permission." A somewhat self-conflicting policy such as this one is unfortunately very common, as it is very difficult to write computer policies that are both broad enough to cover all possible abuses, yet specific enough to minimize confusion due to varying interpretations. The very fact that this policy exists implies that there is a perceived problem, yet its ambiguity leaves much to be desired.

----------------------------------------------------------------------
Other policies in brief

3. Don't violate the privacy of other users.

The Electronic Communications Privacy Act (18 USC 2510 et seq., as amended) and other federal laws protect the privacy of users of wire and electronic communications.

The facilities of MITnet, and the operating systems used by Athena and other MITnet systems, encourage sharing of information. Security mechanisms for protecting information from unintended access, from within the system or from the outside, are minimal. These mechanisms, by themselves, are not sufficient for a large community in which protection of individual privacy is as important as sharing (see, for example, sections 11.2, 11.3, and 13.2 of MIT's Policies and Procedures). Users must therefore supplement the system's security mechanisms by using the system in a manner that preserves the privacy of themselves and others.

As Section 11.1 of MIT's Policies and Procedures notes, "Invasions of privacy can take many forms, often inadvertent or well-intended." All users of MITnet should make sure that their actions don't violate the privacy of other users, if even unintentionally.

Some specific areas to watch for include the following:

  • Don't try to access the files or directories of another user without clear authorization from that user. Typically, this authorization is signaled by the other user's setting file-access permissions to allow public or group reading of the files. If you are in doubt, ask the user. [...]
  • Don't remotely log into (or otherwise use) any workstation or computer not designated explicitly for public logins over the network -- even if the configuration of the computer permits remote access -- unless you have explicit permission from the owner and the current user of that computer to log into that machine.

        This policy seems very similar to RPI's policy (presented above). While it is quick to point out that security cannot be guaranteed by technological means, and insists that users take their share in protecting their own data, its wording could be used to create a degree of limitation on computer use that was probably not intended. The phrase "remotely log into (or otherwise use)" most likely was intended to refer to attempts at gaining access to privileged files that have been improperly secured (and would thus apply in this situation only if the files targeted were exclusively improperly shared, such as writable C drive shares, etc.). The statement, "Typically, this authorization is signaled by the other user's setting file-access permissions to allow public or group reading of the files," establishes a standard for what one may assume was intended to be public.


The rules of conduct for computer use are

...

6. You must not change, copy, delete, read, or otherwise access files or software without permission of the owner for user files or systems administrator for systems files unless you are the author or sole user. In general, if it is not yours, do not touch it.

        It's short. It's to the point. It's terribly inapplicable. Arguably the wording "without permission of the owner" can be extended to imply the sentiments expressed in other policies, though the standard for what is to be considered permitted "by default" (that is, what you may assume you have permission to access automatically) is left out of the policy entirely.


        Many colleges, such as Georgia Tech, Caltech, Columbia University, Stanford University, and various other technical institutions, either fail to address the issue entirely, or address it in an ambiguous manner similar to the institutions discussed above.

----------------------------------------------------------------------
A case study

What happens when you combine some celery, several network administrators, and one popular, if questionable, service? A few disgruntled students, and a whole lot of controversy.

To read the full story, please see http://celery.n.ml.org/~n/resnet/.

Briefly, during the 1999-2000 school year at RPI, I ran a campus search engine on my personal computer (from my dorm room). Several hundred different people used the service daily, and I never received any complaints about it hurting anyone. Then one day, out of the blue, I was contacted by a representative of Network Support Services and given the ultimatum to either shut down, or suffer drastic consequences. After meeting with him and various other administrators, I complied and ceased operation of my popular service. Since then I have spoken with various members of the administration, faculty at RPI, and other students. The Computer Science department at RPI has unofficially offered its support, and in order to "get around" the problem a faculty member of the CS department has offered to host continual Independent Studies with me concerning the search engine project.

The specific policy I was said to be in violation of was section 4.1.1 of the COMEC Guidelines (which I discussed in the previous sections). I was initially charged with connecting to people's computers without their explicit permission, which was later changed to whatever any given administrator felt appropriate at the time (to combat my arguments against whatever it had been).

Several important issues were brought up by the "celery situation." Since I was personally involved with this fiasco, I acknowledge that my readers may assume I am biased towards what happened. I hope to present a clear and descriptive (rather than distorted and emotional) examination of the event, but I do assume that my readers understand a) that what happened was bad, and b) why it was bad (based on my previous rhetoric). The rest of this essay will be about ways to construct policy to avoid situations like this in the future.

----------------------------------------------------------------------
Conclusion

        So, what exactly went wrong from a policy standpoint? A violation of someone's code of ethics occurred, and the violator was punished. The actual problem to be addressed, however, is this: in what way did policy come into play in this situation? Assuming the violator meant no ill intent (and he didn't), and assuming the administration had no hidden agenda, the fact that this situation could come up at all is a problem.

        To prevent problems like this from happening in the future, the policy involved (section 4.1.1 of the COMEC guidelines quoted above) needs to be rewritten. A balance needs to be found and formalized between protecting the rights of the minority, those individuals who lack the knowledge or proper equipment to adequately state and secure the private nature of their data, and the utility of the majority. It is obvious that data one might stumble upon which was not meant to be seen should be avoided, and disregarded if discovered. Similar to a self-defense law, the best way to express this concept is by adopting a "reasonable person" standard. If a "reasonable person" would be able to determine that certain files or pieces of data presented in a given situation were intended to be private (i.e., information about credit card transactions carelessly left in shared text files, private email boxes stored insecurely, etc.), then they should immediately cease accessing and reviewing those files' contents. Hence, we can now safely eliminate the clause stating "Simply being able to access a file or other information does not necessarily imply permission to do so." If we can access a file, and a reasonable person in that situation would interpret the file as not being of an inherently private nature, then it becomes fair game for our perusal and consumption.

        Is it enough to simply work at "fixing" public policies by rewriting them as time progresses and their inadequacies are made apparent? Or is an entirely different approach necessary in order to ensure everyone is able to productively use shared computer resources? While computer technologies have progressed at incredible rates, public policies regarding them have been forced together by the twin evils of inadequate experience and inadequate forethought. For now, we must stumble forward, enjoying the limited policy successes we have, and fretting over the many problems yet to come.

----------------------------------------------------------------------