Law and Policy in IT: Internet 101

Hello, readers -- welcome to the unofficial launch of my new blog on Inside Higher Ed. I'll provide a fuller introduction to what I'm hoping to say and do here in the coming days, but I'm diving right into the substance by blogging from the scene of the annual Institute for Computer Policy and Law, which my center at Cornell puts on with Educause. My first post is below -- look forward to having you follow along here and via the conference's live streaming feed.

The Institute for Computer Policy and Law commenced this afternoon! This is its 15th year, started originally by Steve Worona, then of Cornell but now of EDUCAUSE, and Margie Hodges-Shaw, the first IT Policy Advisor at Cornell. Steve McDonald, General Counsel for the Rhode Island School of Design, is a charter member and has given presentations every year. More information about the conference may be found here.

Today Steve McDonald is giving two sessions: Internet 101 and 102. Well known in both the NACUA and IT Policy community in higher education, Steve has staked his reputation on a perfect combination of intelligence and common sense. His first presentation today, Internet 101, is a model of that mode. For example, he has coined the "Typewriter Policy" theory, which holds that a policy on the Internet should be no more or less than what an institution would have promulgated with a typewriter.

In the first generation of the public Internet, Steve saved many an IT professional from any number of other higher education offices, befuddled by new circumstances involving computers, foisting responsibility for malfeasance onto the IT department. Is the employee who spends all day playing FarmVille violating an IT Policy? No, it is a work performance issue.

How about the employee who uses university resources to view pornography? Depends on your institution's policy. If the institution specifically prohibits some use, then yes, unless there is an exception, research, for example. From a legal perspective no law is broken, taking note that adult pornography is not illegal, child pornography and obscenity are. Does the viewing create a hostile work environment? Sexual harassment should apply. A faculty member using institutional resources for consulting? The consulting policy should be reviewed, etc.

Steve boils his wisdom down to five points.

• First, "Forget about Computers." All behavior that is illegal or a violation of policy in physical space applies to cyberspace.
• Second, "Treat pornography as you would the Bible." If you do not punish students or employees for accessing the Bible, do not punish them for accessing pornography.
• Third, "Even publics should be private." A private institution, where the Constitution does not apply, should post a privacy policy anyway in order to set the expectations appropriate. A small amount that does not interfere with university resources might be okay, given that people use institutional resources to check email occasionally or read the New York Times during their lunch break, but not for remunerative businesses or certainly not anything that violates law or policy.
• Fourth: "Don't go looking for trouble." There is no legal requirement that institutions stop things from happening. There are legal risks to monitor or stop things from happening. In most non-extreme case, institutions should do what every ISP or other distributors do: wait for the complaint.
• Finally, "Teach your children well." The important point of all. Much of what academic administrators want a "policy" to do is teach appropriate use of the Internet. Depending on a number of factors, that use might be different from physical space. Think of the scope and amplification issues that Facebook or other social networking have raised, for example. But still the Golden Rule applies. Do unto others what you would want them to do with or about you.