Carnegie Mellon University

Computing and Information Resources

The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources on campus. The policy is supported by a number of guidelines. Members of the campus community should be aware of information contained in the policy and supporting guidelines.

Computing Policies

This policy should be reviewed in its entirety on-line:http://www.cmu.edu/policies/information-technology/computing.html

The following is a summary of the policy.

Policy Statement

The purpose of this policy is to set forth guidelines so that members of our community may use the campus network and computing facilities in ways that are responsible and respectful of privacy.  This policy sets forth the university's expectations of acceptable behavior on the part of computer systems users at Carnegie Mellon by providing guidelines for appropriate use of computing and related communication systems and examples of inappropriate use. These standards of acceptable behavior also extend beyond the campus community into the Internet.  Just as it is unacceptable to violate others' rights to privacy, property and resources within Carnegie Mellon, it is also unacceptable to violate those rights on systems that are not at Carnegie Mellon but are accessible through Carnegie Mellon's connection to the Internet.

This policy applies to all users of Carnegie Mellon computing systems, including students, faculty and staff, and any others granted the use of university computing resources. It applies to the use of all computing facilities owned, leased, operated or contracted by Carnegie Mellon University.  As used in this policy, terms such as "computing," "computing/communications systems," "computing resources," etc., refer to all computers, communication systems, and peripherals, software, telephones and systems with similar functions, which are owned by Carnegie Mellon, or which utilize Carnegie Mellon infrastructure such as telephone lines or computer networks.

Although this policy does not attempt to deal specifically with legal issues, university members are responsible to act in compliance with the law, including any federal, state and local laws governing computer and telecommunications use, as well as all other applicable university policies.

Privileges and Responsibilities

Every member of the Carnegie Mellon community who uses computing and related communications systems at Carnegie Mellon or systems that belong to Carnegie Mellon or which rely on Carnegie Mellon's infrastructure has the responsibilities described in this policy. This includes members of the Carnegie Mellon community who have restricted privileges, such as alumni who may have electronic mail forwarding access, but no access to "login" resources. Individuals with personally-owned computers, but who rely upon the university network to connect those computers (either through an on-campus or remote network connection, such as Ethernet, wireless, dialup, DSL) are expected to abide by the policies set forth in this document. Personally-owned computers operating in stand-alone mode or networked through a non-university connection are not covered under this policy, but those users are encouraged to consult the usage policies set forth by their Internet Service Provider.

A fundamental premise of this policy is that anyone sharing computing resources with other individuals should behave as a reasonable, mature and ethical person. The user must recognize that computer systems and networks do not exist in some special rule-free environment; on the contrary, use of computers is a form of communication, and every component of a computing environment and every piece of information it contains belong to the university, the university community as a whole, or some individual or group within that community.

Access to Carnegie Mellon's computing resources is contingent upon being a member of the university community and adhering to university and Computing Services policies, guidelines and procedures, including this policy.  Misuse may result in the loss of access and/or university disciplinary action. For some users and certain systems, access may be authorized by specific departments, research centers or other organizations affiliated with Carnegie Mellon. In such cases, any department- or group-specific policies and guidelines must be adhered to when using resources provided by the department or group. This is in addition to university policies and Computing Services guidelines and procedures.

Any user who suspects a violation of the university's computer use policies, or who has knowledge of potential vulnerabilities or security loopholes in a system or network at Carnegie Mellon, should immediately notify the Computing Services Help Center at 412-268-help or advisor@andrew.cmu.edu.

Maintain the Security and Confidentiality of Your Account

Users assume personal responsibility for the use made of their computer accounts.  This responsibility begins with selecting a secure password, and involves maintaining the confidentiality of that password and changing the password regularly in order to assure the continued security of your account.  For guidance in selecting a secure password, see Managing Your Andrew Password at http://www.cmu.edu/computing/accounts/passwords/.  If you believe that someone has made unauthorized use of your account, you should change your password immediately and report the incident to the Computing Services Help Center at 412-268-help or advisor@andrew.cmu.edu.

Respect for Others' Property and Privacy Rights

Users are responsible to respect copyright agreements and intellectual property ownership. Any material that is the work of another, whether explicitly copyrighted or not, should not be distributed by a user without appropriate acknowledgement and/or permission of the creator; unless permission has been granted by the owner of copyright protected materials, distribution of copyright protected material via the university network or computer systems is prohibited.  So while the university has been granted permission by software vendors to distribute certain software packages via the network, it is not generally permissible for individual users to distribute that same software to others via the university network or computer systems. See the sections in this policy on Misuse and Inappropriate Behavior. While there may be cases in which property rights to particular programs, data, etc., are ambiguous or in dispute, the user must assume that any information not created by himself or herself belongs to someone else and must respect that person's privacy and property rights to that information. (In certain situations, even information created by the user may not belong to that user but rather to the university or others.) This policy is not intended to limit "fair use" as permitted under the Copyright Act and users having questions about whether a particular use constitutes a "fair use" may consult the General Counsel for advice.

Improper/Illegal Communications

Any communications that would be improper or illegal on any other medium are equally so on the computer: libelous material, obscene messages, harassment, forgery, threats, etc. However, this is not intended to restrict the free expression of ideas. Communication conducted in accordance with the university policy on Freedom of Expression and with the statement on Academic Freedom and Responsibility enunciated in the Appointment and Tenure Policy of Carnegie Mellon University will not be considered a violation of this policy.  For further guidelines, see also the university policy on Separation of Individual's and Institution's Interests.

Responsible Sharing of Resources

Where a resource such as memory, CPU time or access to network resources belongs to the whole community collectively, it must be shared.

It is unacceptable to make such excessive use of system or network resources that other users cannot obtain access. Examples include excessive use of CPU time during a period of heavy use on a timesharing system, excessive use of disk space on a system that does not limit such utilization, the use of an excessive amount of network bandwidth in an environment of networked computers, and any activity that makes a system unusable or significantly degrades performance for others.  A novice user might be unaware that a particular action constitutes "excessive use" but, without doubt, once a system administrator makes him or her aware of the fact that such an action is unreasonable, that user will be held responsible for any further such infractions. If you are unsure whether your needs constitute excessive use, contact the system administrator. Similarly, if you need an unusual amount of disk space, CPU time or other resources, check with the system administrator to find out whether this use can be accommodated, rather than risk interfering with the work of others on the system.

Personal Use

While the university makes computer resources available primarily to achieve its goals of education and research, and for administrative activities, it realizes the need to encourage the personal use of computing for the convenience of the campus community.

We reserve the right to restrict personal use of university systems and networks by an individual or by the community at large, if the use of resources for such activities becomes excessive.  If you need unlimited access to computer networks for private or business purposes, you can subscribe to a commercial service.

Misuse and Inappropriate Behavior

The following activities are expressly prohibited at Carnegie Mellon:

  • Using a computer system without proper authorization granted through the university, college, or department management structure. Some activities such as "port scanning" are not expressly prohibited. However, if the target of such scanning requests that an individual or system stop performing such actions, the person or system performing the scans must stop scanning the target machine unless the scans are being carried out by a system administrator who has the authority and responsibility over the machine(s) being scanned or for the network being used.
  • Concealing your identity, or assuming the identity of another (e.g., by sending forged electronic mail). Note that some forms of electronic communication, such as browsing Web pages, passively "identify" users. Keeping your identity private either by not setting an identity in your browser or by using a Web-anonymizer in order to protect yourself from being put onto mailing lists is not a violation of this policy.
  • Sharing your password or account with the specific exception of staff or faculty members allowing their support personnel to access their accounts in order to provide services appropriate to their job functions. Note that some policies for the accessing of specific systems or data (see Data and Computer Security, Confidentiality of Administrative Data) explicitly forbid the sharing of passwords used to access them, and that such restrictions for those specific systems override this policy.
  • Using another person's computer account, userID, files, or data without appropriate permission, as described in the previous bullet (e.g. using an account found "logged in" on a cluster machine).
  • Deleting or tampering with another user's files or with information stored by another user on any information-bearing medium (disk, tape, memory, etc.). Even if the user's files are unprotected, with the exception of files obviously intended for public reading, such as Web pages, it is improper for another user to read them unless the owner has given permission (e.g. in an announcement in class or on a computer bulletin board).
  • Attempting to "crack" or guess other users' passwords. System administrators or those specifically designated by the administrator or owner of a system may attempt to crack passwords in order to test and enhance the security of the system. In cases where an individual or department "owns" machines which use password files controlled by another organization (e.g. Andrew machines or their like), the owner may not attempt to crack passwords without explicit permission by the owners of the password database.
  • Obtaining passwords by other means, such as password capturing programs.
  • Attempting to circumvent system security (e.g. breaking into a system or using programs to obtain "root" access), without the explicit permission of the owner of that system.
  • Denying appropriate access to resources to other users (e.g. "ping flooding" another system, sending "mail bombs," or modifying a login file in order to cause a user to not be able to log in).
  • Releasing programs such as viruses, Trojan horses, worms, etc., that disrupt other users, damage software or hardware, disrupt network performance, or replicate themselves for malicious purpose.
  • Sending commercial solicitations via electronic mail (i.e. spamming) to individuals or to newsgroups or mailing lists where such advertising is not part of the purpose of the group or list. (It is permissible to send a commercial solicitation to a "for sale" newsgroup, provided that the advertisement conforms to other policies and guidelines at Carnegie Mellon.)
  • Any "mass mailing" which is solicitous in nature, unless the mailing is in the conduct of university business.
  • Reselling of services based on the university network, such as web hosting, mailing services or the selling of shell accounts.
  • Running a proxy server which results in inappropriate or unauthorized access to university materials to non-university members.
  • Advertising commercial businesses or ventures on Web pages hosted by Carnegie Mellon, unless prior authorization has been granted.
  • Using mail messages to harass or intimidate another person (such as by repeatedly sending unwanted mail or broadcasting unsolicited mail).
  • Violations of any local, state or federal laws, such as the distribution of copyright-protected materials (e.g. the distribution of commercial software, music or films in electronic format without appropriate permissions by the owner, even if the user distributing the materials notifies others of their copyright status).
  • Tampering with, willful destruction of or theft of any computer equipment, whether it belongs to the university or to an individual. Tampering includes any deliberate effort to degrade or halt a system, to tie up a system or to compromise the system/network performance. Willful destruction includes any deliberate disabling or damaging of computer systems, peripheral equipment such as scanners or printers, or other facilities or equipment including the network, and any deliberate destruction or impairment of software or other users' files or data.
  • The unauthorized removal of university or another's computing equipment, which constitutes theft.

This list should not be considered to be complete or exhaustive. It should, however, serve as a set of examples of obviously inappropriate behaviors. If you are in doubt about the appropriateness of something that you want to do, contact the Computing Services Help Center at 412-268-HELP, or send mail to advisor+@andrew.cmu.edu and ask first.

Enforcement

Inappropriate behavior in the use of computers is punishable under the general university policies and regulations regarding faculty, students and staff. The offenses mentioned in this policy range from relatively minor to extremely serious, though even a minor offense may be treated severely if it is repeated or malicious. Certain offenses may also be subject to prosecution under federal, state or local laws.

Offenses that are minor or appear to be accidental in nature are often handled in a very informal manner such as through electronic mail. More serious offenses will involve formal procedures pursued through the Division of Student Affairs for students, Human Resources and/or the hiring university department or administrative unit for staff, or the Faculty Review Committee for faculty.

Contact

Questions concerning this policy or its intent should be directed to the Information Security Office via email (iso@andrew.cmu.edu). You should also be familiar with the various service guidelines which can be found at http://www.cmu.edu/computing/guideline/index.html.