Summary
Use of the Cambridge University Data Network (CUDN) and Information Services' (UIS) facilities (and, where applicable, the use of IT facilities of other institutions) is subject to the Rules made by the Information Services Committee, which are published in Ordinances and are included with new user registrations. Now that so much IT activity involves networking, these Rules will almost always apply.
The following notes amplify the Rules and give advice on what is and is not permitted in certain circumstances. It is important to note that they are neither exhaustive nor exclusive. The fact that a certain action is not mentioned does not imply that it is permitted. It should also be noted that individual institutions like Departments and Colleges may have their own additional regulations.
It must also be understood that computer systems and networks are not designed to prevent every form of misbehaviour and it is therefore naive to think that just because something is possible it is necessarily permitted.
Users should understand that both the Rules and these notes have been drafted with a view to maintaining good order, which means not only preventing illegal or undesirable behaviour, but also ensuring that the use of shared facilities such as a computer or a network for bona fide academic work is neither jeopardised nor disrupted.
The maintenance of good order for the sake of the majority requires constant vigilance by those responsible for the operation of shared facilities. Small, even trivial, misdemeanours repeated on a large scale can result in the waste of large amounts of valuable staff time. For this reason, actions which result in significant waste of effort can be just as unacceptable as more flagrant breaches of the Rules. Being inebriated at the time of the misdemeanour is not an excuse.
Finally, users are also expected to be guided by common sense. Over-pedantic interpretation of the Rules or these guidelines is no substitute for common sense; a failure to act sensibly may in itself be regarded as a breach of the Rules.
Authorisation and allocation of resources
Apart from localised activities on a workstation like word processing, almost all IT work now involves networking and therefore use of the CUDN. The details of persons authorized to use the CUDN are given in the CUDN authorisation notice which effectively limits use to current staff and students; others require special permission. Casual visitors may be allowed access, but only under appropriate supervision to ensure facilities are not abused (similar to allowing a visitor to use one's telephone).
IT and communication resources are provided for use in accordance with the aims of the University and Colleges (currently promulgated via the University's Mission Statement); in general, this means bona fide academic and related purposes, and it will be the responsibility of the relevant Department, Faculty or College to determine whether an activity is academic work in doubtful cases. However, in line with the aim "to provide a stimulating and broadening educational environment", authorized users may use facilities for small amounts of personal use such as correspondence. Where other recreational use is permitted, this is on the understanding that authorized academic use must have priority at all times. Currently, games playing is not permitted on UIS machines. Commercial activity is strictly forbidden unless specifically authorized.
Increasingly, network access from shared machines is controlled by user identifier and password, though there are still some places where the CUDN (and thence the Internet) can be used without such control; nevertheless, this does not mean authorization restrictions are in any way relaxed at such places. Control by user identifier and password is also used for the majority of shared IT facilities, as well as College, Departmental and Faculty shared systems.
User identifiers and passwords are issued to individuals for a specific purpose, usually in connection with University of Cambridge work, and the Rules explicitly forbid the giving, lending or borrowing of an identifier and password for any UIS facility FOR ANY REASON except where previously sanctioned by the UIS. As a matter of policy, UIS facilities do not have guest identifiers open to use by any member of the public.
Some systems are provided for specific purposes. In such cases the systems should only be used with the appropriate client software and in the advertised manner.
Users who have finished their course, or are no longer employed by the University, are not entitled to continue to make use of UIS resources unless specifically authorized to do so.
Consultancy and profit-making activities
If you intend to use University or College IT facilities for private gain or commercial purposes and the institution comes under the Information Services Committee (ISC) Rules, then you must obtain permission from the authorised officer (normally the Head of Department in a University institution, but variable in Colleges). If the institution has not elected to come under the ISC rules, it will have its own policy regarding use of the institution's equipment for private gain or commercial purposes.
Whether or not the institution has elected to come under the ISC Rules, if use of the CUDN is involved (and it nearly always will be) then authorisation is also required from the Director of the UIS (authorised officer for the CUDN) as the CUDN comes under the ISC Rules. See also the sections on Networks and Email below. Note that use of JANET is restricted to activities "in furtherance of the aims and policies" of the University and Colleges. Even then, use by any non-University/College organisation, even if University/College equipment is used, will require the UIS to obtain a JANET proxy or sponsored connection licence.
The ISC has agreed that, for private consultancy work using departmental equipment, authorisation of the Head of Department is also sufficient to allow use of the CUDN - in this case specific authorisation by the Director of the UIS is not required.
Without ISC authorisation (i.e. from the Director of the UIS), you may not use University facilities for carrying on a business activity. In particular, this includes all network activities such as email and the web. However, responding to occasional email enquiries to redirect the enquirer to a non-University email address that you use for your business activities is unlikely to be viewed as improper. Use of web pages on University or College systems for such activities certainly requires ISC authorisation and usually an appropriate JANET licence as well.
Networks
It should be always be borne in mind that networks are generally not secure and material in transmission such as mail messages or web pages may well be seen by others.
The Cambridge University Data Network (CUDN), the Joint Academic Network (JANET) and the academic parts of the Internet are provided for appropriate use by authorized users of connected systems; see above under Authorization and allocation of resources. Thus, for example, staff and students of the University may use the network to access freely available services such as library catalogues, information services, WWW and FTP sites, etc.
Formally, the CUDN may be used only in accordance with its authorisation notice as published by the "authorized officer" who, in this case, as specified in the ISC Rules, is the Director of the UIS.
Where the CUDN is being used to access another network, any activity contrary to the acceptable use policy of that network will be regarded as unacceptable use of the CUDN. Similarly, use of remote facilities via networks must be strictly in accordance with what is permitted by the remote host installation.
More specifically, the CUDN is often used to access JANET, which, of course, may only be used in accordance with its own acceptable use policy. This basically specifies use for legal purposes which further the aims and policies of its connected institutions (for full details, see the JANET Acceptable Use Policy as published by the United Kingdom Education and Research Networking Association (UKERNA)). The University has a responsibility to ensure that its own IT user community uses JANET services in an acceptable manner and any abuse of JANET will automatically be treated as abuse of the CUDN.
Misuse
The JANET Acceptable Use Policy states that JANET may not be used for any of the following activities - neither may the CUDN:
- the creation or transmission (other than for properly supervised and lawful research purposes) of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into indecent images or material;
- the creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety;
- the creation or transmission of defamatory material;
- the transmission of material such that this infringes the copyright of another person;
- the transmission of unsolicited commercial or advertising material;
- deliberate unauthorized access to facilities or services locally or on other networks;
- deliberate activities with any of the following characteristics:
- wasting staff effort or networked resources, including time on end systems accessible locally or via other networks and staff effort involved in the support of such systems;
- corrupting or destroying another user's data;
- violating the privacy of other users;
- disrupting the work of other users;
- using the network in a way that denies service to other users (for example, deliberate or reckless overloading of access links or of switching equipment);
- continuing to use an item of networking software or hardware after being asked to stop doing so because it is causing disruption;
- other misuse of networks or networked resources, such as the introduction of viruses.
Port scanning (the scanning of another machine to determine which services are running) is regarded as a hostile action; it is commonly used by malicious hackers attempting to find vulnerable systems. Port scanning therefore causes unnecessary worry and is prohibited, whether the target machine is on the CUDN or elsewhere, unless specifically authorized by the Director of the UIS (in particular, note that probing is carried out by the Service at the behest of the ISC - see below).
Connection of individual users' machines (updated)
Individuals who connect their machines to a College or Departmental network, thereby becoming a part of the University of Cambridge domain, have a responsibility to all network users to keep their machines secure. Any insecure machine on a network provides opportunities for hackers to penetrate otherwise secure machines. Owners must make sure that their machines are properly registered and are encouraged to seek advice from their local IT support staff and/or the UIS about the security of their systems. Offering network services can provide an opportunity for hackers to attack and such services should be turned off unless required (note that the as-supplied default state can be "on").
Care needs to be taken that services are not unwittingly offered to third parties contrary to the Authorization for use of the CUDN. In particular, some software for peer-to-peer (P2P) working and for voice over IP (VoIP) makes the host computer and the CUDN available for the world at large to use for relaying purposes; indeed, the licence for such software can require the end-user to make them available even though the end-user has no power to make that commitment regarding use of the network. The result of a computer being used as such a relay will be an uncontrolled increase of network traffic and this will be charged to the user's institution - such charge could be substantial.
The ISC has authorized the UIS to probe regularly all computers on University and College networks in order to find security weaknesses; the results are made available to IT support staff in institutions. Refusal to rectify security loopholes or unreasonable delay in so doing is likely to lead to individual machines or vulnerable sections of network being isolated from the CUDN; in particularly difficult cases, the entire institution may need to be disconnected until the problem is resolved.
Connected machines must not contain unlawful material such as pornography or unauthorized copyrighted items (including photographs, text, music (particularly MP3) and video). See below under Copyright.
Responsibility of institutions
IT support staff should note that institutions whose networks are connected to the CUDN are responsible for taking all reasonable steps to ensure that their users are diligent in maintaining their systems so as to minimize any security risks, and that users do not engage in any activity which results in unauthorized use of the network or other infringement of the Rules. Negligence in fulfilling these responsibilities is likely to result in the institution's network being disconnected from the CUDN. IT support staff are also expected to play their part in implementing network-wide policies, e.g. by policing and discouraging the generation of frivolous traffic.
Prevent Duty guidance
Under the Prevent Duty, encouragement of terrorism and inviting support for proscribed terrorist organisations are both criminal offences. Users are not permitted to create, download, store, transmit or display material that promotes or incites hatred, terrorism or hate crimes. Researchers in this field should take advice from Dr. Rhys Morgan, Head of Policy, Integrity and Governance in the Research Office.
Further information:
Prevent Duty Guidance: for higher education institutions in England and Wales
Mail and mail addresses
This section gives guidance about the use of electronic mail over networks. Many of the general comments above about the use of networks also apply to the use of electronic mail; note especially that transmission is not secure and electronic mail messages may well be seen by people other than the intended recipients - system administrators of mail machines, for example. In many ways an electronic mail message is equivalent to an open note or a postcard which might be seen by postal or delivery workers. Electronic mail should therefore never be used for the transmission of private or sensitive material like examination questions - at least not without encryption.
Messages can be defamatory and can form contracts, so it is important in some circumstances to take the same care composing electronic mail messages as formal communications. Note also that mail messages, like other documents, can be disclosed to the person they are about under the Data Protection Act and in the event of legal proceedings.
Junk mail and offensive mail
Chain letters and other unwanted mail which circulate on the international networks cause various problems, including delays to the transmission of genuine academically related mail. Whilst the receipt of junk mail is unavoidable, users must not initiate or pass on such mail either to other Cambridge users or to users of other systems. Similarly, Cambridge systems must not be used for the transmission of offensive mail to other users whether inside or outside Cambridge.
Mailing lists
Users who join mailing lists must take care not to allow mail to accumulate and overload their mailboxes. A busy mailing list can generate huge amounts of data in a short space of time, and it is particularly important for users to unsubscribe from such lists whenever they are not in regular touch with networking facilities. On UIS systems, where staff monitor the amount of outstanding mail regularly, trying to locate those who have left Cambridge either temporarily or permanently without closing their accounts can waste large amounts of staff time. Accounts are likely to be cancelled if incoming mail builds up unreasonably.
When replying to mail received as a member of a mailing list, take care to note whether your reply is to the individual sending the message (the normal case) or to the whole list. A careless reply to the whole list when an individual response is intended can be very annoying and time wasting to other list members.
Mail forgery
Mail should not normally be issued other than by standard mechanisms (e.g. using Mail User Agents such as Thunderbird, Apple Mail, etc.); in particular, entering mail using SMTP "by hand" is not a standard mechanism, and must certainly not be used to disguise or falsify the sender of mail.
The forging of mail by interfering with the headers of the original message or by arranging for erroneous information to appear there in order to masquerade as another user is explicitly forbidden, both in the context of actual mail activities and at other times when a mail address may be quoted. Although the forgery of e-mail addresses cannot be condoned, it is recognised that the automated grabbing of email addresses from news postings and subsequent unsolicited junk email is a very real problem for many people. Until the situation improves, obscuring email addresses in news postings to make automatic spamming difficult will be tolerated as long as the sender's true email address is made clear to the human reader. However, such devices are against the rules of some news hierarchies and use of them can cause the whole University to be blocked; anti-spamming techniques will therefore not be tolerated for those news hierarchies.
Private workstations
Unless explicitly authorized to do so, workstations belonging to individuals may not issue mail, except in conjunction with a system officially registered for the purpose or an appropriate Departmental or College system.
World Wide Web
The web is a system for publishing information online. The UIS uses the web for the main University information service; many Departments and Colleges run a web service on their own systems; some individuals publish material on their private machines. All these systems operate within the constraints imposed by the laws, rules and regulations governing the University and Colleges. It is most important to realise that the laws which govern traditional publishing may apply equally to online material.
At the highest level there are legal responsibilities regarding publishing such as copyright, libel, official secrets, race relations, equal opportunities, data protection, protection of children and minors, confidentiality etc.
Within what is permitted to be published by law, there are also restrictions covered by the University Statutes and Ordinances, and, where relevant, by similar statutes for Colleges. Within these come the further restrictions imposed by the appropriate sections of these guidelines, the associated ISC Rules and any directives issued by Departments or Colleges relevant to the publication of material by their staff, students etc.
For more detail, see the ISC's Guidelines for Web Information Providers.
Copyright
The wide accessibility of data networks makes it very easy to publish material. Note that multimedia facilities allow images, music and films as well as text to be published, so there is much more scope for infringement of copyright than by traditional copying methods. Data included in items posted on the web or made available by anonymous file transfer may be considered as published.
There is much material, particularly MP3 music files and films lifted from DVDs, on the networks in breach of copyright law and care needs to be taken that such material is not retrieved or made available, accidentally or deliberately. It is very easy to download MP3 music files with no indication whether copyright has been infringed; worse, programs which distribute such files commonly turn the computer receiving them into a server for further distribution, so the user is then liable for distributing copyright material as well as receiving it. If in doubt, do not retrieve it, and certainly do not redistribute it. The British Phonographic Industry regularly monitors networks for illegal material and reserves the right to take action against those who infringe its members' copyright.
If specific complaints are received from the copyright agency about a machine in a College, or if UIS staff, in investigating CUDN traffic flows, come across a computer in a College which appears prima facie to be providing copyright material (e.g. films, music) to the Internet at large, then the relevant Senior Tutor will be informed (with a copy to the College's computer officer).
Confidentiality
The Rules imply that all information held in a computer facility is prima facie confidential unless obviously intended for unrestricted dissemination. No-one should attempt to access information unless he or she has explicit or implicit permission to do so. Implicit permission may, for example, consist of a reference in a manual or other documentation to the contents of a particular file. It is particularly important to note that the fact that information may be readable (or even alterable) does not in itself imply permission for it to be read. Some files (for example those called /info, etc.) may be available for public scrutiny, but browsing through file spaces is not generally permitted. Information in transit on a network is similarly confidential and the unauthorized monitoring of network traffic is explicitly forbidden.
Nevertheless, users need to be aware that their communications may be intercepted by IT staff as permitted by UK legislation. The legislation allows the interception of network traffic without consent for purposes such as recording evidence of transactions, ensuring regulatory compliance, detecting crime or unauthorized use, and ensuring the efficient operation of University communications systems. The UIS does not need to gain consent before intercepting for these purposes although staff and students do need to be informed (via documentation such as this) that interceptions may take place.
UIS staff responsible for the management of systems may, in the course of their duties, need to bypass normal protection mechanisms in order to access user files or jobs, either to trace a system problem, or to monitor possible system abuse. Staff may also suspend authorization when abuse of a system is suspected. Established procedures are followed and staff are required both to record their activities, and to maintain the confidentiality of any scanned material.
Data stored on UIS systems is regarded as the property of the owner and will not usually be released to a third party except with explicit permission. However, if there is evidence of criminal activity or abuse of the system, confidential material may be released at the discretion of the Director of the UIS.
All access to "personal data" (i.e. information which relates to a living person) must be covered by an appropriate registration under the Data Protection Act, 1998. See the Act itself for the full description of "personal data". Anyone who is considering keeping such "personal data" on a Computing Service machine MUST seek advice from the UIS before installing the data.
Antisocial behaviour
Any willful action that could cause either loss of service generally or interference with the work of another user, in Cambridge or elsewhere, is in breach of the Rules. This includes the sending of offensive or unnecessary messages (particularly chain mail), masquerading as another real or fictitious user (for example, forgery of the source of mail messages or news articles), running "Trojan Horse" or other password capturing programs, etc. The introduction of a computer virus, worm or similar device into any system will be interpreted as interference with other users, even if the effect is not destructive. Users are also warned against excessive use of obviously limited resources (such as the CUDN and JANET) and engaging in excessive activity for non-academic purposes at peak times.
A number of rooms of workstations are provided for use by staff and students of the University. Courses have priority in many of these areas, as made clear by displayed notices, and on such occasions those not attending a course must give way to those that are. At all times, users must remember that these rooms are work areas, and should treat them as such. Games and other noisy activities are strictly not permitted.
The use of any UIS facility to transmit, store or display pornographic or other offensive material is forbidden, unless for properly supervised lawful research purposes.
Discipline
There is an approved disciplinary procedure for dealing with users who may be in breach of the Rules. Minor cases are dealt with summarily by the Director and more serious ones by a Disciplinary Panel of the ISC. If found guilty, users face a fine up to the maximum amount permitted in Ordinance and/or the suspension of authorization to use computing and network facilities. Note also, however, that offenders may also be required to re-imburse costs which may amount to a much larger sum. The matter may also, if appropriate, be taken to higher authority within the University. Breaches of the Rules by non-members of the University will be referred to the relevant authority.
These disciplinary sanctions are no empty threat. Staff keep a general watch to ensure that good order is maintained and have authority to investigate in detail any suspicious circumstances. A number of cases each year are dealt with under the summary procedure; while Disciplinary Panel cases are rarer they have been common enough for the procedure to have become well established.
Note also that the ISC Rules mention legislation which is relevant to Information Technology. At the very least, the Telecommunications Act 1984, the Data Protection Act 1998, the Copyright, Designs and Patents Act 1988, the Computer Misuse Act 1990 and the Criminal Justice and Public Order Act 1994 (which has a section on the transmission of obscene material over networks) all apply here. For a fuller list, see Authorisation for Use of the CUDN.
Users called upon to answer for their behaviour are warned that, unless there is clear evidence that they are not involved, they will be held responsible for all actions carried out using their personal identifier and for all information stored in file spaces of which they are the owner or manager. Claiming ignorance of the true purpose of a program that has been "borrowed from a friend" is not an adequate defence, particularly if it contains evidence of malicious intent.
Finally, users are warned that, although the distinction between an over-enthusiastic desire to explore the potentialities of computing and a clear breach of the Rules may on occasions be a fine one, the carrying out of borderline activities on an excessive and unreasonable scale will certainly cause the Committee to take a hard line. In addition, users should note that disciplinary proceedings will always be brought in any case of attempting to obtain unauthorized access, or of aiding and abetting such an attempt.
Last updated: June 2023