Computer and Network Usage Policy

COMPUTER AND NETWORK USAGE POLICY                          Guide Memo 62
=================================                          June 11, 1997


This Policy was approved by the President.


Users of Stanford network and computer resources have a responsibility
not to abuse the network and resources and to respect the rights of
others.  This policy provides guidelines for the appropriate and
inappropriate use of information technologies.


The purpose of the Computer and Network Usage Policy is to ensure an
information infrastructure that promotes the basic missions of the
University in teaching, learning and research.  Computers and networks
are powerful enabling technologies for accessing and distributing the
information and knowledge developed at the University and elsewhere.  As
such, they are strategic technologies for the current and future needs
of the University.  Because these technologies give individuals the
ability to access and copy information from remote sources, users must
be mindful of the rights of others to their privacy, intellectual
property and other rights.  This Usage Policy codifies what is
considered appropriate usage of computers and networks with respect to
the rights of others.  With the privileges to use the information
resources of the University come specific responsibilities outlined in
this Policy.


Users of University information resources must respect software
copyrights and licenses, respect the integrity of computer-based
information resources, refrain from seeking to gain unauthorized access,
and respect the rights of other computer users.  This policy covers
appropriate use of computers, networks, and information contained

Section headings are:

     2.  POLICIES


    a. Applicability - This policy is applicable to all University
       students, faculty and staff and to others granted use of
       Stanford University information resources.  This policy refers to
       all University information resources whether individually
       controlled or shared, stand-alone or networked. It applies to all
       computer and computer communication facilities owned, leased,
       operated, or contracted by the University. This includes word
       processing equipment, personal computers, workstations,
       mainframes, minicomputers, and associated peripherals and
       software, regardless of whether used for administration,
       research, teaching or other purposes.

    b. Locally Defined and External Conditions of Use - Individual units
       within the University may define "conditions of use" for
       information resources under their control. These statements must
       be consistent with this overall policy but may provide additional
       detail, guidelines and/or restrictions. Where such "conditions of
       use" exist, enforcement mechanisms defined therein shall apply.
       These individual units are responsible for publicizing both the
       regulations they establish and their policies concerning the
       authorized and appropriate use of the equipment for which they
       are responsible. Where use of external networks is involved,
       policies governing such use also are applicable and must be
       adhered to.

    c. Legal Process - The University does not exist in isolation from
       other communities and jurisdictions and their laws. Under some
       circumstances, as a result of investigations, subpoena or
       lawsuits, the University may be required by law to provide
       electronic or other records or other information related to those
       records or relating to use of information resources.


A user of University information resources who is found to have
purposely or recklessly violated any of the following policies will be
subject to disciplinary action up to and including discharge, dismissal,
expulsion, and/or legal action.

    a. Copyrights and Licenses - Computer users must respect copyrights
       and licenses to software and other on-line information.

       (1) Copying - All software protected by copyright must not be
           copied except as specifically stipulated by the owner of the
           copyright or otherwise permitted by copyright law. Protected
           software may not be copied into, from, or by any University
           facility or system, except pursuant to a valid license or as
           otherwise permitted by copyright law.

       (2) Number of Simultaneous Users - The number and distribution of
           copies must be handled in such a way that the number of
           simultaneous users in a department does not exceed the number
           of original copies purchased by that department, unless
           otherwise stipulated in the purchase contract.

       (3) Copyrights - In addition to software, all other copyrighted
           information (text, images, icons, programs, etc.) retrieved
           from computer or network resources must be used in
           conformance with applicable copyright and other law. Copied
           material must be properly attributed.  Plagiarism of computer
           information is subject to the same sanctions as apply to
           plagiarism in any other media.

    b. Integrity of Information Resources - Computer users must respect
       the integrity of computer-based information resources.

       (1) Modification or Removal of Equipment - Computer users must
           not attempt to modify or remove computer equipment, software,
           or peripherals that are owned by others without proper

       (2) Encroaching on Others' Access and Use - Computer users must
           not encroach on others' access and use of the University's
           computers. This includes but is not limited to: the sending
           of chain-letters or excessive messages, either locally or
           off-campus; printing excess copies of documents, files, data,
           or programs; running grossly inefficient programs when
           efficient alternatives are known by the user to be available;
           unauthorized modification of system facilities, operating
           systems, or disk partitions; attempting to crash or tie up a
           University computer or network; and damaging or vandalizing
           University computing facilities, equipment, software or
           computer files.

       (3) Unauthorized or Destructive Programs - Computer users must
           not intentionally develop or use programs which disrupt other
           computer users or which access private or restricted portions
           of the system and/or damage the software or hardware
           components of the system. Computer users must ensure that
           they do not use programs or utilities which interfere with
           other computer users or which modify normally protected or
           restricted portions of the system or user accounts. Computer
           users must not use network links for any use other than
           permitted in network guidelines. The use of any unauthorized
           or destructive program may result in legal civil action for
           damages or other punitive action by any injured party,
           including the University, as well as criminal action.

       (4) Academic Pursuits - The University recognizes the value of
           research on game development, computer security, and the
           investigation of self-replicating code (e.g., computer
           viruses and worms).  The University may restrict such
           activities in order to protect University and individual
           computing environments, but in doing so will take account of
           legitimate academic pursuits.

    c. Unauthorized Access - Computer users must refrain from seeking to
       gain unauthorized access to information resources or enabling
       unauthorized access.

       (1) Abuse of Computing Privileges - Users of University
           information resources must not access computers, computer
           software, computer data or information, or networks without
           proper authorization, or intentionally enable others to do
           so, regardless of whether the computer, software, data,
           information, or network in question is owned by the
           University. For example, abuse of the networks to which the
           University belongs or the computers at other sites connected
           to those networks will be treated as an abuse of University
           computing privileges.

       (2) Reporting Problems - Any defects discovered in system
           accounting or system security must be reported to the
           appropriate system administrator so that steps can be taken
           to investigate and solve the problem.

       (3) Password Protection - A computer user who has been authorized
           to use a password-protected account may be subject to both
           civil and criminal liability if the user discloses the
           password or otherwise makes the account available to others
           without permission of the system administrator.

    d. Usage - Computer users must respect the rights of other computer
       users. Most University systems provide mechanisms for the
       protection of private information from examination by others.
       Attempts to circumvent these mechanisms in order to gain
       unauthorized access to the system or to another person's
       information are a violation of University policy and may violate
       applicable law. Authorized system administrators may access
       computer users' files at any time for maintenance purposes.
       System administrators will report suspected unlawful or improper
       activities to the proper authorities.

       (1) Unlawful Messages - Use of electronic communication
           facilities (such as mail or talk, or systems with similar
           functions) to send fraudulent, harassing, obscene,
           threatening, or other messages that are a violation of
           applicable federal, state or other law or University policy
           is prohibited.

       (2) Mailing Lists - Users must respect the purpose and charters
           of computer mailing lists (including local or network news
           groups and bulletin-boards). The user of an electronic
           mailing list is responsible for determining the purpose of
           the list before sending messages to or receiving messages
           from the list. Subscribers to an electronic mailing list will
           be viewed as having solicited any material delivered by the
           list as long as that material is consistent with the list's
           purpose. Persons sending to a mailing list any materials
           which are not consistent with the list's purpose will be
           viewed as having sent unsolicited material.

       (3) Advertisements - In general, the University's electronic
           communication facilities should not be used to transmit
           commercial or personal advertisements, solicitations or
           promotions (see Commercial Use, below). Some public bulletin
           boards have been designated for selling items by members of
           the Stanford community, and may be used appropriately,
           according to the stated purpose of the list(s).

       (4) Information Belonging to Others - Users must not
           intentionally seek or provide information on, obtain copies
           of, or modify data files, programs, or passwords belonging to
           other users, without the permission of those other users.

    e. Political, Personal and Commercial Use - The University is a
       non-profit, tax-exempt organization and, as such, is subject to
       specific federal, state and local laws regarding sources of
       income, political activities, use of property and similar
       matters. It also is a contractor with government and other
       entities and thus must assure proper use of property under its
       control and allocation of overhead and similar costs.

       (1) Political Use - University information resources must not be
           used for partisan political activities where prohibited by
           federal, state or other applicable laws, and may be used for
           other political activities only when in compliance with
           federal, state and other laws and in compliance with
           applicable University policies.

       (2) Personal Use - University information resources should not be
           used for personal activities not related to appropriate
           University functions, except in a purely incidental manner.

       (3) Commercial Use - University information resources should not
           be used for commercial purposes, except in a purely
           incidental manner or except as permitted under other written
           policies of the University or with the written approval of a
           University officer having the authority to give such
           approval. Any such commercial use should be properly related
           to University activities, take into account proper cost
           allocations for government and other overhead determinations
           and provide for appropriate reimbursement to the University
           for taxes and other costs the University may incur by reason
           of the commercial use. Users also are reminded that the "EDU"
           domain on the Internet has rules restricting or prohibiting
           commercial use, and thus activities not appropriately within
           the EDU domain and which otherwise are permissible within the
           University computing resources should use one or more other
           domains, as appropriate.


While the University Trustees are the legal "owners" or "operators" of
all computers and networks purchased or leased with University funds,
oversight of any particular system is delegated to the head of a
specific subdivision of the University governance structure, such as a
Dean, Department Chair, Administrative Department head, or Principal
Investigator. For University-owned or leased equipment, that person is
the responsible administrator in the sense of the policies in this Guide

The responsible administrator may designate another person to manage
the system. This designate is the "system administrator". The system
administrator has additional responsibilities to the University as a
whole for the system(s) under his/her oversight, regardless of the
policies of his/her department or group, and the responsible
administrator has the ultimate responsibility for the actions of the
system administrator.

    a. University Responsibilities - The system administrator should use
       reasonable efforts:

       * To take precautions against theft of or damage to the system

       * To faithfully execute all hardware and software licensing
         agreements applicable to the system.

       * To treat information about, and information stored by, the
         system's users in an appropriate manner and to take precautions
         to protect the security of a system or network and the
         information contained therein.

       * To promulgate information about specific policies and
         procedures that govern access to and use of the system, and
         services provided to the users or explicitly not provided. This
         information should describe the data backup services, if any,
         offered to the users. A written document given to users or
         messages posted on the computer system itself shall be
         considered adequate notice.

       * To cooperate with the system administrators of other computer
         systems or networks, whether within or without the University,
         to find and correct problems caused on another system by the
         use of the system under his/her control.

    b. Policy Enforcement - Where violations of this policy come to his
       or her attention, the system administrator is authorized to take
       reasonable actions to implement and enforce the usage and service
       policies of the system and to provide for security of the system.

    c. Suspension of Privileges - A system administrator may temporarily
       suspend access privileges if he or she believes it necessary or
       appropriate to maintain the integrity of the computer system or


The University's Computer Security Officer or the person designated by
the University's Chief Information Officer shall be the primary contact
for the interpretation, enforcement and monitoring of this policy and
the resolution of problems concerning it. Any issues concerning law
shall be referred to the Legal Office for advice.

    a. Policy Interpretation - The Computer Security Officer shall be
       responsible for interpretation of this policy, resolution of
       problems and conflicts with local policies, and special

    b. Policy Enforcement - Where violations of this policy come to his
       or her attention, the Computer Security Officer is authorized to
       work with the appropriate administrative units to obtain
       compliance with this policy.

    c. Inspection and Monitoring - Only the University's Computer
       Security Officer or designate can authorize the inspection of
       private data or monitoring of messages (including electronic
       mail) when there is reasonable cause to suspect improper use of
       computer or network resources.


    a. Cooperation Expected - Users, when requested, are expected to
       cooperate with system administrators in any investigation of
       system abuse. Users are encouraged to report suspected abuse,
       especially any damage to or problems with their files. Failure to
       cooperate may be grounds for cancellation of access privileges,
       or other disciplinary actions.

    b. Corrective Action - If system administrators have persuasive
       evidence of misuse of computing resources, and if that evidence
       points to the computing activities or the computer files of an
       individual, they should pursue one or more of the following
       steps, as appropriate to protect other users, networks and the
       computer system.

       * Provide notification of the investigation to the University's
         Computer Security Officer or designate, as well as the user's
         instructor, department or division chair, or supervisor.

       * Temporarily suspend or restrict the user's computing privileges
         during the investigation. A student may appeal such a
         suspension or restriction and petition for reinstatement of
         computing privileges through the Dean of Students. A staff
         member may appeal through applicable dispute resolution
         procedures. Faculty members may appeal through the Dean of
         their School.

       * With authorization from the University's Computer Security
         Officer or designate, inspect the user's files, diskettes,
         tapes, and/or other computer-accessible storage media.

       * Refer the matter for possible disciplinary action to the
         appropriate University unit, i.e., the Dean of Students Office
         for students, the supervisor for staff, and the Dean of the
         relevant School for faculty or other teaching or research

    c. Student Honor Code and Fundamental Standard - Unless
       specifically authorized by a class instructor, all of the
       following uses of a computer are examples of possible violations
       of the Honor Code:

       * Copying a computer file that contains another student's
         assignment and submitting it for credit;

       * Copying a computer file that contains another student's
         assignment and using it as a model for one's own work;

       * Collaborating on an assignment, sharing the computer files and
         submitting the shared file, or a modification thereof, as one's
         individual work.

       In addition, student misuse of a computer, network or system may
       violate the Fundamental Standard. Examples would be, but are not
       limited to: theft or other abuse of computer time, including
       unauthorized entry into a file, to use, read, or change the
       contents; unauthorized use of another person's identification or
       password; use of computing facilities to send abusive messages;
       or use of computing facilities to interfere with the work of
       another student or the work of a faculty or staff member.

       For cases involving a student, referring the case to the Judicial
       Affairs Office is the recommended course of action. This ensures
       that similar offenses may be considered for similar punishments,
       from quarter to quarter, year to year, and instructor to
       instructor. It also allows the detection of repeat offenders.


Chief Information Officer


    a. Student Discipline - See Student Life/Codes of
       Conduct/Fundamental Standard/Honor Code

    b. Staff Discipline - See Guide Memo 22.15, Corrective Action

    c. Faculty Discipline - See the Statement on Faculty Discipline

    d. Patents and Copyrights - See Research Policy Handbook 5.1 and

    e. Partisan Political Activities - See Guide Memo 15.1

    f. Ownership of Documents - See Research Policy Handbook 5.2 and
       Guide Memo 15.6

    g. Incidental Personal Use - See Research Policy Handbook 4.1 and
       Guide Memo 15.2

   Provider: Libraries & Information Resources, Stanford University
   Last updated: June 11, 1997