This chapter provides a thorough guide to many security issues. The authors encourage writing strong enforcement statements of acceptable use policies (AUPs) and provide examples of wordings and a best practices checklist. They cover how to limit authority and separate duties and how to pinpoint accountability. The chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg and Keith Strassberg; ISBN:0-072-22697-8, McGraw-Hill/Osborne, 2003.
Early enforcement policies for AUPs consisted primarily of withholding or canceling service. If, for example, a subscriber infringed a copyright or trade secret, harassed or intimidated another user, knowingly released a virus, or unlawfully accessed someone else's information, the ISP simply dropped that customer and refused to provide further service. Many ISPs still use this type of policy today. Example enforcement policies of this type are those of Focal Communications, MOREnet, and Plain Communications.
The following examples of AUP enforcement statements are taken from public website statements. Similar statements exist in private AUPs. The examples are provided in hopes they may provide some impetus to write strong enforcement statements and sound AUPs.
From www.focal.com/policy/abuse.html: "Focal may in its discretion, without liability, and without notice terminate or suspend service based on it(s) determination that a violation of the Policy has occurred."
From www.more.net/about/policies/aup.html: "Reported and perceived violations of the Acceptable Use Policy will be reviewed by the MOREnet Executive Director. Violations that are not promptly remedied by the member institution or project participant may result in action including the termination of MOREnet service or the forfeiture of MOREnet membership."
From www.plain.co.nz/policy/enforcement.html: "Upon the first verifiable violation of one of these policies, and a single formal letter of complaint, Plain will issue a written warning to the customer. Upon the second verifiable violation of one of these policies, and formal letters of complaints from three different sources, Plain will suspend the customer's service until the customer submits to Plain, in writing, an agreement to cease-and-desist. Upon the third verifiable violation of one of these policies, and one more letter of complaint, Plain will terminate the customer's service."
As organizations learn more about the types of abuse that regularly occur, and about the need for strong enforcement, many ISPs and other providers are taking an even stronger stance. They define the monitoring steps they take, impose penalties on employees, and state that they will cooperate fully with the appropriate authorities. Examples of such enforcement statements can be found at Empowering Media, Cafe.com, Efficient Networks, the University of Miami School of Law, Ricochet Networks, and the University of California, Davis:
From www.hostasite.com: "Violators of the policy are responsible, without limitations, for the cost of labor to clean up and correct any damage done to the operation of the network and business operations supported by the network, and to respond to complaints incurred by Empowering Media. Such labor is categorized as emergency security breach recovery and is currently charged at $195 USD per hour required."
From www.cafe.com: "If we suspect violations of any of the above, we will investigate and we may institute legal action, immediately deactivate Service to any account without prior notice to you, and cooperate with law enforcement authorities in bringing legal proceedings against violators."
From www.speedstream.com/legal_use.html: "In order for Efficient Networks to comply with applicable laws, including without limitation the Electronic Communications Privacy Act 18 U.S.C. 2701 et seq., to comply with appropriate government requests, or to protect Efficient Networks, Efficient Networks may access and disclose any information, including without limitation, the personal identifying information of Efficient Networks visitors passing through its network, and any other information it considers necessary or appropriate without notice to you. Efficient Networks will cooperate with law enforcement authorities in investigating suspected violation of the Rules and any other illegal activity. Efficient Networks reserves the right to report to law enforcement authorities any suspected illegal activity of which it becomes aware. In the case of any violation of these Rules, Efficient Networks reserves the right to pursue all remedies available by law and in equity for such violations. These Rules apply to all visits to the Efficient Networks Web site, both now and in the future."
From www.law.miami.edu/legal/usepolicy.html: "In addition, offenders may be referred to their supervisor, the Dean, or other appropriate disciplinary authority for further action. If the individual is a student, the matter may be referred to the Honor Council. Any offense that violates local, state, or federal laws may result in the immediate loss of all University computing privileges and may be referred to appropriate University disciplinary authorities and/or law enforcement authorities."
From www.ricochet.com/DOCS/P_Acceptableusepolicy.pdf: "RNI may involve, and shall cooperate with, law enforcement authorities if criminal activity is suspected, and each User consents to RNI's disclosure of information about such User to any law enforcement agency or other governmental entity or to comply with any court order. In addition, Users who violate this AUP may be subject to civil or criminal liability. RNI SHALL NOT BE LIABLE FOR ANY LOSSES OR DAMAGES SUFFERED BY ANY USER OR THIRD PARTY RESULTING DIRECTLY OR INDIRECTLY FROM ANY ACT TAKEN BY RNI PURSUANT TO THIS AUP."
From www.ucdavis.edu/text_only/aup_txt.html: "Any offense which violates local, state or federal laws may result in the immediate loss of all University computing privileges and will be referred to appropriate University offices and/or law enforcement authorities."