1. Why is the AUP being revised?
The current AUP was last revised in the summer of 1992. In 1992 the “Internet”, as we know it today, was still an emerging technology with relatively few points of connection. For example, Mosaic (the first widely used browser for the emerging “World Wide Web”) was introduced in 1993, Microsoft’s Internet Explorer launched in 1995, and the graduate research project which resulted in the formation of Google began in March 1996.
At the time the original AUP was drafted, the university was one of the very few channels in Michigan through which anyone could connect to the Internet to do online messaging (what became “email”), data and document sharing, or what became “Web publishing.” In the almost 20 years since the AUP’s last revision, the Internet environment itself, and the laws, commercial services, and social expectations related to Internet usage, have changed greatly; the AUP must respond to these changes.
2. What are the “local” rules to which Section 1.2 of the Policy refers, and how might they differ from the AUP?
“Local” rules may apply to specific systems or services, or to particular environments or offices. For example: use of systems or services that involve MSU Confidential Data types, as defined by the Institutional Data Policy, may be restricted to certain business purposes; systems used for payment card processing may be restricted only to that specific purpose; offices where employees and their workspace are highly visible to the public may prohibit use of office workstations to play games or to engage in personal shopping or other non-business activities.
3. Why can’t I use the MSU IT resources to do whatever I want? Don’t I have a First Amendment right to do so?
The university’s IT resources are not a public forum. The resources are provided for university-related purposes. Although the university permits a de minimis amount of personal use as a matter of convenience to members of the university community, the primary purpose of the resources is to support the university’s teaching, research, and public service missions, its administrative functions, and student and campus life activities. Other avenues and resources outside the university exist for members of the university community to conduct their personal business and express their personal views.
4. What does Section 2.3.1 mean when it states that personal use is prohibited if it “inaccurately creates the appearance that the University is endorsing, supporting or affiliated with any organization, product, service, statement, or position”?
This concept is reflected in other university policies that also require members of the university community to carefully differentiate their official activities from their personal activities and to make clear that, when speaking as private citizens, they do not act on behalf of the University. (For example, see the Faculty Handbook Academic Freedom and Faculty Rights and Responsibilities sections and Academic Freedom for Students and Michigan State University.)
When someone sends messages or publishes content online from the msu.edu Internet domain, MSU’s identity becomes intertwined with the content in a way that may raise questions about whether MSU endorses the content. The easiest way to avoid such confusion is to use non-university IT resources whenever you engage in private (i.e., non-university) activities.
5. Can I use MSU IT resources to access Facebook or other social media for private (non-university) reasons?
Yes, as long as these activities comport with the limits on “incidental personal use” described in Section 2.3 of the Policy. In other words, while the university does not prohibit the use of its IT resources to engage in social media for non-university reasons, it will not permit abuse of this privilege. For example, extensive personal use of social media during work hours (using MSU IT resources or not) may well disrupt the work environment or interfere with an employee’s job performance, which is prohibited by Section 2.3.1. If that occurs, it will be addressed by the unit supervisor as a personnel issue.
6. What other laws and policies besides the Acceptable Use Policy govern the use of MSU IT resources?
Section 3.2.1 of the Policy requires Users to comply with all applicable federal and state laws and all applicable University rules, ordinances, and policies. This means that Users who are employees and students of MSU are subject to the other policies and rules of the University when they use MSU IT resources. So, if a use of MSU IT resources violates another University rule or policy, like one of the General Student Regulations or the Sexual Harassment Policy, the User may be sanctioned through the appropriate student or employee disciplinary procedure (see Section 4.2), as well as risking loss of access to MSU IT resources under Section 4.1 of the Policy.
Individuals may be held responsible by the relevant external legal authorities for the use of MSU IT resources to violate federal and state laws. Such violations may be criminal (e.g., child pornography, stalking) or civil (e.g., defamation, invasion of privacy) in nature. While the university may provide access to personal communications or electronically stored information in connection with an investigation or adjudication of alleged violations of external law (see Sections 4.3, 6.1.3-5, and 6.2 of the Policy), if the individual who allegedly violates the external law is not an MSU employee acting within the scope of his or her employment or an MSU student whose conduct would also violate an MSU Policy or rule, the university will generally defer to external legal and judicial authorities as the appropriate forums for the resolution of such matters.
7. Does MSU routinely monitor my use of MSU IT resources? What are MSU’s typical practices for detecting and investigating possible violations of the AUP?
MSU and its systems administrators do not routinely monitor individual use of IT resources or actively seek out individual violations of the AUP. Generally, the university does not undertake investigations without a triggering event such as a complaint or a technical system or service performance problem. For example, practical and effective means by which the university identifies security threats include using automated tools to watch for unusual resource use patterns by individual accounts and malware and other attack “signatures.” Sometimes these use patterns or signatures expose individual activities that are in violation of the AUP. When this occurs, a follow-up investigation may result.
Current practices with respect to illegal sharing of copyrighted music, movie, or video files provide another illustration of this point. The university does not presently employ tools or techniques to seek out and identify people who are doing this on the MSU network. However, the university will investigate if a triggering event occurs. Examples of triggering events include a copyright owner or its agent filing a complaint; the use of a disproportionate amount of local network bandwidth by an individual (Section 3.5) that is impeding others’ use of the network; or an employee’s workstation runs out of storage space because it turns out to be full of illicit files.
Similarly, while the university does not presently employ any techniques to seek out and identify people who are storing, displaying, or disseminating pornography or other sexually explicit materials on MSU IT resources, it will investigate if a triggering event occurs. Examples of triggering events include complaints from coworkers who have been subjected to pornographic images in the workplace; the use of a disproportionate amount of local network bandwidth by an individual (Section 3.5) that is impeding others’ use of the network; or an employee’s workstation runs out of storage space because it is full of pornographic files.
8. Under Section 3.5, what constitutes an “unreasonable” interference by one individual with other individual’s use of MSU IT resources?
When one individual places a disproportionate burden or load on a system with limited service capacity, like the university’s, that individual may interfere with other individual’s access to or use of the system. An example of “reasonable” interference might be when a single individual makes a legitimate query of a database that temporarily consumes the majority of the system’s processing capacity, slowing or blocking the work of other people. Another example might be transferring a very large data file, such that the bandwidth of certain network segments is largely consumed by one indivial, which slows or blocks the work of other people. Such interference would be “unreasonable” if the same individual did this repeatedly or was careless in formulating the most efficient query or data transfer mechanisms to meet the individual’s needs.
9. Why are there restrictions on fund-raising, advertising, soliciting, and partisan political activities?
Restrictions on use of IT resources for partisan political purposes are based on state and federal law. For example, with certain very limited exceptions, the Michigan Campaign Finance Act prohibits a public body like MSU or an individual acting for a public body like MSU from using public resources to assist, oppose, or influence the nomination or election of a candidate for public office or the qualification, passage, or defeat of a ballot question. (A “ballot question” is a question that is submitted or that is intended to be submitted to a popular vote at an election, whether or not it qualifies for the ballot.) The Internal Revenue Code places even stronger restrictions on participation in campaigns for public office by tax-exempt organizations like MSU and their representatives. This provides the basis for the distinction between Section 3.7.1 and Section 3.7.2.
Additional information on this topic may be found on the Office of the Vice President for Governmental Affairs website in the document titled “Information on Participation in Campaigns for Public Office and Ballot Measures: The University, University Employees, and other Members of the University Community.”
Other restrictions, such as those on use of MSU IT Resources for advertising, soliciting, or fund-raising, are based on the likelihood that such personal activities will cause confusion or competition with the University’s own activities.
10. Can I use MSU IT resources to engage in any activities related to campaigns for public office and ballot questions without violating this Policy?
Yes. The following are examples of activities related to campaigns for public office and ballot questions for which members of the university community may use MSU IT resources without violating this Policy:
- Engaging in scholarly research about past or current political campaigns or the issues that underlie them.
- Disseminating the results of such research in a manner consistent with normal academic practice.
- Issuing invitations from a student organization to guest speakers or candidates, provided that speakers on both sides of a ballot initiative and all candidates for a public office have equal opportunities to appear on campus.
- Engaging in nonpartisan educational activities related to ballot measures or to political campaigns. (See the Governmental Affairs website for specific examples.)
- Hosting political activities at apartments or residence hall rooms of individuals who reside in University housing, as long as the residence is not used for a political fund-raising event.
- Researching or communicating about pending legislation.
11. Can a faculty member use MSU IT resources in connection with course assignments that require student involvement in campaign activities?
Yes. University faculty and students may use MSU IT resources in connection with course assignments that require student involvement in campaign activities, as long as the faculty member does not specify the candidates or ballot measures on whose behalf the students should campaign and where, for example, students write papers or make class presentations evaluating their experiences.
12. Can registered student organizations continue to conduct fund-raising activities using MSU IT Resources?
Yes. The revised Policy has not altered the current rules regarding fund-raising by registered student organizations. (RSOs are considered “affiliated with the university” for purposes of Section 3.9.) RSOs should continue to follow the normal approval process for conducting fund-raising activities. Questions about that process should be directed to the Department of Student Life.
13. May a MSU faculty member use MSU IT resources to engage in activities which have been approved under MSU’s Outside Work for Pay policy?
It depends. The faculty Outside Work for Pay Policy states: “When engaged in outside work for pay, faculty members must make it clear that (a) they are acting in their individual capacities and not on behalf of the university; and (b) that the university does not endorse, sponsor, or support the outside work.”
The faculty Policy also states: “University facilities, supplies and materials, equipment, services, or employees may be used for outside work for pay, but only if (a) such use would not be contrary to university policy or collective bargaining agreements, (b) such use would not adversely affect the use or availability of such facilities, supplies and materials, equipment, services, or personnel for unit and other University activities and operations; and (c) the university is reimbursed in full for the fair market value of the use of the facilities, supplies and materials, equipment, services, or employees.”
Any use of MSU IT resources for outside work for pay must comply with these policy provisions.
14. Why can’t someone use MSU IT resources to help out another organization, especially one that supports a good cause, just because it’s not affiliated with the university?
As a public institution, MSU must take care that its stewardship of its resources will withstand public scrutiny. MSU IT resources should not be used, just because they are available, to support non-affiliated organizations that should be acquiring their own IT resources, especially when IT resources are easily available outside the University, as they now are. (See FAQ 9 for more on this topic.)
15. May MSU IT resources be used to support a professional organization or scholarly publication that exists outside MSU?
Generally, yes. The great majority of professional organizations to which the university and members of the university community belong exist to promote missions that are consonant with the university’s goals. Similarly, the dissemination of scholarship is an important part of the university’s mission which professional journals also serve. Because of the considerations noted in FAQ 9, however, Section 3.9 of the Policy requires that the individual first obtain approval for such uses from the university. For faculty, approval should be obtained from the relevant department chair/separately reporting director. For staff, approval should be obtained from the unit supervisor. Students or student groups may obtain approval from the Vice President for Student Affairs and Services.
16. How does this Policy affect academic assignments and projects that might have the effect of supporting a business or professional organization?
The Policy does not interfere with a faculty member’s ability to assign academic projects that might benefit a business or professional organization, or a student’s use of MSU IT resources while participating in an academically-approved internship or similar experience with a business or organization outside of MSU. Such assignments are commonplace in certain campus units, such as the Broad College of Business. If faculty members are unclear about the appropriateness of a particular assignment under this or any other university policy, they are encouraged to seek guidance from the Office of the Provost.
17. I’m using my own personally-owned computer when I access MSU’s IT resources. If I don’t use “safe computing” practices on my own device, how does that hurt MSU and other users?
Security weaknesses in any one device or piece of software connected to the MSU network may present a security threat to all devices and services connected to the network. The “public health” of the network, just like the public health of communities, requires that individuals follow sound security practices with their own devices, software, and activities.
For network security purposes, the university may need to scan software or stored data on devices connecting to the MSU network, whether those devices are owned by the university or privately. Pursuant to Sections 5 and 6 of the Policy, the university will, insofar as possible, limit such scanning in scope, time, and frequency; employ it to address specific security threats; and conduct it “robotically” (i.e., using software tools) rather than via direct human scrutiny of personal accounts.
18. If I violate the AUP or a local rule and my access to MSU IT resources is limited, suspended, or terminated, how quickly may I get it restored?
The timeframe for restoration of use privileges will depend on the seriousness of the violation. For example, a computer that has been blocked from accessing a network because the computer is harboring malware not intentionally installed by the owner (i.e., an “infected” computer) that is attacking systems or devices may have the block removed as soon as the individual can show network administrators that the malware has been eradicated. At another extreme, an individual who has intentionally committed a particularly egregious AUP violation may lose privileges indefinitely.
19. What are examples of an individual’s “electronic records” referred to by Section 6.1.3 of the Policy?
An individual’s “electronic records” include, but are not limited to, email, administrative accounts, and network traffic, and also the devices on which these are stored or processed.
20. May a university academic or administrative unit use “live” data in the development or testing of a new service?
Sometimes it is necessary for a quantity of “live” data (i.e., active records) to be used to develop or test a new service, software, or system. In these instances, the approval of the CIO and Director of Information Technology or his/her designee should be sought prior to the use to assure that proper security measures are being taken to appropriately protect the privacy of the individuals whose data are involved. Prior to granting approval, the CIO and Director of Information Technology will consult with the university offices that are the official stewards of the subject data type. Only university organizational units may undertake this sort of data use; an individual may not use live data for these purposes except when they are acting on behalf of a university unit.
21. What are some examples of the types of situations referred to by Section 188.8.131.52 of the Policy?
The university might disclose individual information to the police in cases where a student has been reported missing and law enforcement personnel are investigating the matter. The university might be compelled to disclose individual information to defend against a lawsuit that has been filed against the university.
22. Does Section 6.1.3 of the Policy mean that the university might disclose my personal emails or other personal documents in response to a FOIA request?
The university’s position is that personal electronic records of faculty, staff, and students are not “public records” under the Michigan Freedom of Information Act. Individuals should be aware, however, that such a determination may ultimately rest with a court of law and not with the university. Therefore, individuals are strongly encouraged to store their personal documents and communications on personal devices and third party email accounts rather than on MSU IT Resources.
23. My MSU email address is my only email address and I use it for everything. Can I continue to do that?
Yes, although it is not recommended. Numerous free and easy-to-use alternatives are now available to the public, and individuals are strongly encouraged to set up an alternative email account for personal use. An individual who chooses to continue using his/her MSU account for both personal and business purposes should create a “personal” folder within the MSU account to store personal items. Segregating personal and business items will enhance the privacy of items contained within the personal folder and mitigate against unintentional access to those personal items. Individuals may not store university records or data in personal folders.
24. How often will this Policy be reviewed?
The CIO and Director of Information Technology will periodically review the Policy to assure that it reflects best practices and is in compliance with applicable laws and regulations. Such reviews are expected to occur no less frequently than once every three years. Reviews may, of course, occur more frequently, if circumstances require, and will include input from the appropriate academic governance committees.
25. What are examples of the “private devices attached to the university’s network” to which Sections 3.7.3 and 3.10.1 refer?
A “private device” means a privately-owned computer, tablet, smartphone, etc., that is connected to and using the university’s network to move data, messages, voice or video signals, etc. between itself and the Internet. The prohibition of Section 3.10.1 does not apply when the sole use of MSU IT resources is this network-communications use involving a private device. Nor, in similar circumstances, do the prohibitions in Section 3.7, assuming the message conveyed across the university’s network from the private device does not suggest that the University endorses or supports that message (e.g., by use of the msu.edu Internet domain).
Updated on 27 January 2012
Revised 13 June 2013 to change “Vice Provost for Libraries and IT Services” and “VPLITS” to “CIO and Director of Information Technology.”
Revised 20 June 2012 to change “Vice Provost for Libraries, Computing and Technology” and “VPLCT” references to “Vice Provost for Libraries and IT Services” and “VPLITS.”
Revised 10 June 2016 to change “University” to “university” and “user” to “individual”.