Acceptable use policy
Encyclopedia
An acceptable use policy (AUP; also known as acceptable usage policy or Fair Use Policy) is a set of rules
applied by the owner/manager of a network
, website
or large computer system that restrict the ways in which the network site
or system may be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers, and website owners often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.
Acceptable Use Policies are an integral part of the framework of information security
policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise
and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions
will be applied if a user breaks the AUP. Compliance
with this policy should, as usual, be measured by regular audits.
for example, as used by Google Gmail and Yahoo!, although not in every instance, as in the case of IBM.com where the Terms of Use is about the way in which IBM presents the site for you, and how they will interact with you using the site with little to no instruction as to how you, the user, will use the site.
In some cases, AUP documents are named Internet and E-mail policy, Internet AUP, or Network AUP and also Acceptable IT Use Policy. These documents, even though named differently, largely provide policy statements as to what behaviour is acceptable from users of the local network/Internet connected via the local network.
of self-regulation and offers the user connection to the local network and also connection to the Internet providing that the user accepts the fact she/he is going to be personally responsible for actions taken when connected to the network or Internet. This may mean that the organisation is not going to provide any warning system should the user contravene policy, maintaining that it is up to the user to know when his/her actions are in violation of policy.
Often Acceptable Use Policy documents provide a statement about the use of the network and/or Internet and its uses and advantages to the business, school or other organisation sponsoring connection to the Internet. Such a statement may outline the benefit of email systems, ability to gain information from website
s, connection with other people through the use of instant messaging
, and other similar benefits of various protocols including the relatively new VoIP services.
The most important part of an AUP document is the code of conduct governing the behaviour of a user whilst connected to the network/Internet. The code of conduct
may include some description of what may be called netiquette which includes such items of conduct as using appropriate/polite language while online, avoiding illegal
activities, ensuring that activities the user may embark on should not disturb or disrupt any other user on the system, and caution not to reveal personal information
that could be the cause of identity theft
.
Most AUP statements outline consequences of violating the policy. Such violations are met with consequences depending on the relationship of the user with the organisation. Common actions that schools and universities take is to withdraw the service to the violator and sometimes if the activities are illegal the organization may involve appropriate authorities, such as the local police. Employers will at times withdraw the service from employees, although a more common action is to terminate employment when violations may be hurting the employer in some way, or may compromise security
. Earthlink, an American Internet service provider
has a very clear policy relating to violations of its policy. The company identifies six levels of response to violations:
Central to most AUP documents is the section detailing unacceptable uses of the network, as displayed in the University of Chicago AUP. Unacceptable behaviours may include creation and transmission of offensive
, obscene, or indecent
document
or image
s, creation and transmission
of material which is designed to cause annoyance
, inconvenience or anxiety
, creation of defamatory material, creation and transmission that infringes copyright
of another person, transmission of unsolicited commercial
or advertising
material and deliberate unauthorised access to other services accessible using the connection to the network/Internet. Then there is the type of activity that uses the network to waste time, as indicated in SurfControl's advice on writing AUPs, of technical staff to troubleshoot a problem for which the user is the cause, corrupting or destroying other user's data, violating the privacy of others online, using the network in such a way that it denies the service to others, continuing to use software or other system for which the user has already been warned about using, and any other misuse of the network such as introduction of viruses.
Disclaimer
s are often added in order to absolve an organisation from responsibility under specific circumstances. For example, in the case of Anglia Ruskin University a disclaimer is added absolving the University for errors or omissions or for any consequences arising from the use of information contained on the University website. While disclaimer
s may be added to any AUP, disclaimers are most often found on AUP documents relating to the use of a website while those offering a service fail to add such clauses. PsychologyUK, a magazine forum site, includes the type of disclaimer that can be used in an AUP for a website or online service of some type.
Particularly when an AUP is written for a college or school setting, AUPs remind students (or when in the case of a company, employees) that connection to the Internet, or use of a website, is a privilege, as demonstrated in the Loughborough University's Janet Service AUP and not a right. Through emphasising this "privilege" aspect, Northern Illinois University then make the connection that any abuse of that privilege can result in legal action from the University.
In a handbook for writing AUP documents, the Virginia Department of Education indicate that there are three other areas needing to be addressed in an AUP:
Through a cursory reading of AUP statements found by a Google Search the variation of the inclusion of these items in AUP documents is highly variable. However, those statements in a school or university setting are more likely to include a statement to address at least the "personal safety" issue.
And of course with the ever widening of the number of jurisdictions covered by the Internet, the AUP document needs to indicate the jurisdiction, meaning the laws that are applicable and govern the use of an AUP. Even if a company is only located in one jurisdiction and the AUP applies to only its employees naming the jurisdiction saves difficulties of interpretation should legal action be required to enforce its statements.
Norm (sociology)
Social norms are the accepted behaviors within a society or group. This sociological and social psychological term has been defined as "the rules that a group uses for appropriate and inappropriate values, beliefs, attitudes and behaviors. These rules may be explicit or implicit...
applied by the owner/manager of a network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
, website
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
or large computer system that restrict the ways in which the network site
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
or system may be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers, and website owners often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.
Acceptable Use Policies are an integral part of the framework of information security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise
Concise
Concise is a municipality in the district of Jura-Nord Vaudois in the canton of Vaud in Switzerland.-Geography:Concise has an area, , of . Of this area, or 24.4% is used for agricultural purposes, while or 66.3% is forested...
and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions
Sanctions (law)
Sanctions are penalties or other means of enforcement used to provide incentives for obedience with the law, or with rules and regulations. Criminal sanctions can take the form of serious punishment, such as corporal or capital punishment, incarceration, or severe fines...
will be applied if a user breaks the AUP. Compliance
Compliance (regulation)
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...
with this policy should, as usual, be measured by regular audits.
Terminology
AUP documents are similar to and often doing the same job as a document labelled Terms of ServiceTerms of Service
Terms of service are rules which one must agree to abide by in order to use a service. Unless in violation of consumer protection laws, such terms are usually legally binding...
for example, as used by Google Gmail and Yahoo!, although not in every instance, as in the case of IBM.com where the Terms of Use is about the way in which IBM presents the site for you, and how they will interact with you using the site with little to no instruction as to how you, the user, will use the site.
In some cases, AUP documents are named Internet and E-mail policy, Internet AUP, or Network AUP and also Acceptable IT Use Policy. These documents, even though named differently, largely provide policy statements as to what behaviour is acceptable from users of the local network/Internet connected via the local network.
Common elements of AUP statements
In general, AUP statements/documents often begin with a statement of the philosophy of the sponsoring organisation and intended reason as to why Internet use is offered to the users of that organisation's network. For example, the sponsoring organisation adopts a philosophyPhilosophy
Philosophy is the study of general and fundamental problems, such as those connected with existence, knowledge, values, reason, mind, and language. Philosophy is distinguished from other ways of addressing such problems by its critical, generally systematic approach and its reliance on rational...
of self-regulation and offers the user connection to the local network and also connection to the Internet providing that the user accepts the fact she/he is going to be personally responsible for actions taken when connected to the network or Internet. This may mean that the organisation is not going to provide any warning system should the user contravene policy, maintaining that it is up to the user to know when his/her actions are in violation of policy.
Often Acceptable Use Policy documents provide a statement about the use of the network and/or Internet and its uses and advantages to the business, school or other organisation sponsoring connection to the Internet. Such a statement may outline the benefit of email systems, ability to gain information from website
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
s, connection with other people through the use of instant messaging
Instant messaging
Instant Messaging is a form of real-time direct text-based chatting communication in push mode between two or more people using personal computers or other devices, along with shared clients. The user's text is conveyed over a network, such as the Internet...
, and other similar benefits of various protocols including the relatively new VoIP services.
The most important part of an AUP document is the code of conduct governing the behaviour of a user whilst connected to the network/Internet. The code of conduct
Code of Conduct
A code of conduct is a set of rules outlining the responsibilities of or proper practices for an individual, party or organization. Related concepts include ethical codes and honor codes....
may include some description of what may be called netiquette which includes such items of conduct as using appropriate/polite language while online, avoiding illegal
Law
Law is a system of rules and guidelines which are enforced through social institutions to govern behavior, wherever possible. It shapes politics, economics and society in numerous ways and serves as a social mediator of relations between people. Contract law regulates everything from buying a bus...
activities, ensuring that activities the user may embark on should not disturb or disrupt any other user on the system, and caution not to reveal personal information
Personally identifiable information
Personally Identifiable Information , as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual...
that could be the cause of identity theft
Identity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
.
Most AUP statements outline consequences of violating the policy. Such violations are met with consequences depending on the relationship of the user with the organisation. Common actions that schools and universities take is to withdraw the service to the violator and sometimes if the activities are illegal the organization may involve appropriate authorities, such as the local police. Employers will at times withdraw the service from employees, although a more common action is to terminate employment when violations may be hurting the employer in some way, or may compromise security
Security
Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition. The Institute for Security and Open Methodologies in the OSSTMM 3 defines security as "a form of protection...
. Earthlink, an American Internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
has a very clear policy relating to violations of its policy. The company identifies six levels of response to violations:
- issue warnings: written or verbal
- suspend the Member's newsgroup posting privileges
- suspend the Member's account
- terminate the Member's account
- bill the Member for administrative costs and/or reactivation charges
- bring legal action to enjoin violations and/or to collect damages, if any, caused by violations.
Central to most AUP documents is the section detailing unacceptable uses of the network, as displayed in the University of Chicago AUP. Unacceptable behaviours may include creation and transmission of offensive
Morality
Morality is the differentiation among intentions, decisions, and actions between those that are good and bad . A moral code is a system of morality and a moral is any one practice or teaching within a moral code...
, obscene, or indecent
Decency
Decency is the quality or state of conforming to social or moral standards of taste and propriety.-See also:*Taste *Communications Decency Act*Public indecency*Indecent exposure*Sodomy law*Norm *Grotesque body...
document
Document
The term document has multiple meanings in ordinary language and in scholarship. WordNet 3.1. lists four meanings :* document, written document, papers...
or image
Image
An image is an artifact, for example a two-dimensional picture, that has a similar appearance to some subject—usually a physical object or a person.-Characteristics:...
s, creation and transmission
Transmission (telecommunications)
Transmission, in telecommunications, is the process of sending, propagating and receiving an analogue or digital information signal over a physical point-to-point or point-to-multipoint transmission medium, either wired, optical fiber or wireless...
of material which is designed to cause annoyance
Annoyance
Annoyance is an unpleasant mental state that is characterized by such effects as irritation and distraction from one's conscious thinking. It can lead to emotions such as frustration and anger...
, inconvenience or anxiety
Anxiety
Anxiety is a psychological and physiological state characterized by somatic, emotional, cognitive, and behavioral components. The root meaning of the word anxiety is 'to vex or trouble'; in either presence or absence of psychological stress, anxiety can create feelings of fear, worry, uneasiness,...
, creation of defamatory material, creation and transmission that infringes copyright
Copyright
Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it, usually for a limited time...
of another person, transmission of unsolicited commercial
Commerce
While business refers to the value-creating activities of an organization for profit, commerce means the whole system of an economy that constitutes an environment for business. The system includes legal, economic, political, social, cultural, and technological systems that are in operation in any...
or advertising
Advertising
Advertising is a form of communication used to persuade an audience to take some action with respect to products, ideas, or services. Most commonly, the desired result is to drive consumer behavior with respect to a commercial offering, although political and ideological advertising is also common...
material and deliberate unauthorised access to other services accessible using the connection to the network/Internet. Then there is the type of activity that uses the network to waste time, as indicated in SurfControl's advice on writing AUPs, of technical staff to troubleshoot a problem for which the user is the cause, corrupting or destroying other user's data, violating the privacy of others online, using the network in such a way that it denies the service to others, continuing to use software or other system for which the user has already been warned about using, and any other misuse of the network such as introduction of viruses.
Disclaimer
Disclaimer
A disclaimer is generally any statement intended to specify or delimit the scope of rights and obligations that may be exercised and enforced by parties in a legally recognized relationship...
s are often added in order to absolve an organisation from responsibility under specific circumstances. For example, in the case of Anglia Ruskin University a disclaimer is added absolving the University for errors or omissions or for any consequences arising from the use of information contained on the University website. While disclaimer
Disclaimer
A disclaimer is generally any statement intended to specify or delimit the scope of rights and obligations that may be exercised and enforced by parties in a legally recognized relationship...
s may be added to any AUP, disclaimers are most often found on AUP documents relating to the use of a website while those offering a service fail to add such clauses. PsychologyUK, a magazine forum site, includes the type of disclaimer that can be used in an AUP for a website or online service of some type.
Particularly when an AUP is written for a college or school setting, AUPs remind students (or when in the case of a company, employees) that connection to the Internet, or use of a website, is a privilege, as demonstrated in the Loughborough University's Janet Service AUP and not a right. Through emphasising this "privilege" aspect, Northern Illinois University then make the connection that any abuse of that privilege can result in legal action from the University.
In a handbook for writing AUP documents, the Virginia Department of Education indicate that there are three other areas needing to be addressed in an AUP:
- a statement that the AUP is in compliance with state and national telecommunication rules and regulations
- a statement regarding the need to maintain personal safety and privacy while accessing the Internet
- a statement regarding the need to comply with Fair Use Laws and other copyright regulations while accessing the Internet
Through a cursory reading of AUP statements found by a Google Search the variation of the inclusion of these items in AUP documents is highly variable. However, those statements in a school or university setting are more likely to include a statement to address at least the "personal safety" issue.
Enforceability
6.3 This Policy shall be governed by the laws of England and the parties submit to the exclusive jurisdiction of the Courts of England and Wales.
And of course with the ever widening of the number of jurisdictions covered by the Internet, the AUP document needs to indicate the jurisdiction, meaning the laws that are applicable and govern the use of an AUP. Even if a company is only located in one jurisdiction and the AUP applies to only its employees naming the jurisdiction saves difficulties of interpretation should legal action be required to enforce its statements.