PAUL Project Policy development for Acceptable Use in Libraries

David McMenemy

Computer and Information Sciences

University of Strathclyde

• Research is being conducted between June 2014 to March 2015

• Aims to develop an Acceptable Use Policy that could be used by all public libraries in the region (incorporating wi-fi)

• Also training materials that can be used in implementing the AUPs (and in training staff on issues related to AUPs more generally)– e.g. importance of monitoring, filtering, privacy, etc in

terms of user rights/organizational needs

The project

• AUPs are one of the most important documents we ask library users to sign

• They represent a crucial contract between library service and citizen

• They communicate the values we have in terms of access to technologies

• Yet little reflection takes place in our professional literature on this crucial aspect of service access

Importance of acceptable use policies (AUPs)

• AUPs differ wildly, even in the same sector and country

• Key differences can be found in length (see next slide), style and tone

• We have a duty to ensure the document properly protects the organisation against misuse

• Equally we have a duty as librarians to ensure users understand what they are signing

The context

Length of AUPs in 2012/13*

• *From Gallagher and McMenemy (2015) forthcoming• AUP of Library 18 is now only 4 pages, showing revision an ongoing issue

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 320

2

4

6

8

10

12

14

16

18

Local Authority

No,

of p

ages

in A

UP

• Early advice on developing computing use policies can be found as far back as 1994

• This was clearly before the advent of the Internet as a public access issue, however even then problems had been identified with managing access to technology in this way

Literature on AUP development

• Participation: who is involved in the design of the policy

• Partitioning: the design of the document vis a vis distinct sections.

• Philosophy: what the facility can be used for• Privacy: what level of privacy can be expected?• Persnickety: what are the do’s and don’ts when using

the service• Phog Phactor: ensuring readability of the document• Publication: how is it going to be communicated to

users?

Scott and Voss (1994) – “7 Ps”

• “It is impossible for an effective AUP to deal with every clause and remain readable. For this reason, some sections of an AUP carry more weight than others, denoting importance” (Laughton, 2008).

• He suggests emphasis on 3 areas:– 1. Educating users about activities that may be harmful to

the organization– 2. Providing legal notice of unacceptable behaviour and

the penalties for such behaviour– 3. Protecting an organization from liabilities it may incur

from misuse of the Internet and other computer facilities (Laughton, 2008).

Laughton (2008)

• AUPs that are “confusing and written as if they are targeted at lawyers and legal professionals” are less effective than those that are designed with the user in mind.

Laughton (2008)

Suggestions on AUP content:

1. Statement on the intended use and an outline on the advantages of the Internet

2. List of responsibilities for users

3. Code of conduct administering the use of the Internet

4. Description of what constitutes acceptable and unacceptable use of the Internet

5. Disclaimer absolving the organization from possible responsibility of any misuse of the Internet (Kelehear, 2005, p.33).

Kelehear (2005)

• An extensive reflection on the challenges of providing public access computing

• Worth reading for the depth of discussion, examples of potential issues, and advice on best practice

• Suggestions synthesised from a large range of AUPs at the time

• Suggested content of an AUP follows:

Sturges (2002)

1. Aims and objectives –What is the purpose of the service? Is it purely educational, or is recreational use allowed?

2. Eligibility – Who the service is provided for? How do young people access, and with whose permission?

3. Scope – The limits of the service.

4. Illegal use – An understanding of the types of use against the law in the geographic region.

5. Unacceptable use – A description of what is deemed unacceptable by the particular institution.

6. Service commitments –services that will be provided by the particular institution.

7. User commitments - agreements that must be adhered to by the user. (Sturges, 2002, p.122-123)

Sturges (2002)

• Literature review informs study• Sturges’ (2002) schema was selected to code and

analyse the AUPs.• Pilot study conducted in June/July using 20 UK

AUPs to test methodology (presented at Standards session IFLA in Lyon)

• All AUPs are imported into NVivo qualitative analysis software and coded

Methodology (1)

• 21 of the 32 Scottish AUP documents obtained to date and coded. Remaining being obtained for completion of analysis.

• Survey will be issued to HoS to gauge feedback on topics/coverage they wish to see in a model AUP

• From all above draft AUP will be complete by end of year

Methodology (2)

• Another important element of the exercise is to ascertain how the AUPs communicate their message to users.

• The tone of the documents are being examined related to how acceptable and unacceptable use is communicated to users

• All libraries anonymised in study• Some findings to date follow:--

Analysis

• Should focus on the purpose of providing the service

• Important element in communicating to users what the library envisages the service being used for. i.e. culture, leisure, education, etc

• Genuinely consistent across the AUPs, however some services avoided this category

Aims and objectives

• Library 18 “provides access through the Internet to a wide range of resources that meet learning, information, leisure and cultural needs of the community”

• Library 27 “provides access to computers and the internet to support the educational, recreational and cultural needs of the community”

• Library 32 “provides computer and internet access to support the educational, cultural and recreational needs of the community.”

Aims and objectives

• Mostly consistent, people who are library members or who live, work or study in the area

• Some authorities allowed people not in these categories to use the service, while some did not

• Special requirements for non members are stated in several, e.g. Production of ID

• Emphasis in policies on parents/guardians being responsible for childrens’ access

Eligibility

• Understandably the emphasis in most documents is around Internet services

• However the ICTs can be used for a range of services, and some non Internet uses pose risks to the service e.g. intellectual property breaches

• Mentioning other services in the AUP may also raise awareness in users of the potential of the ICTs beyond this limited scope

Scope of service

• Specific Acts of Parliament are often cited:– The Copyright, Designs and Patents Act 1988– Data Protection Act 1998– The Civic Government(Scotland) Act 1982– Sexual Offences Act 2003– Public Order Act 1986– Computer Misuse Act 1990– Human Rights Act 1998

• Rarely are summaries provided re content

Illegal use

• Library 27 “does not prohibit specific online activities as long as they are not considered to be illegal, offensive, obscene, abusive or troublesome to other computer users or to <library service name>”

• The code then lists a number of specific Acts that should not be breached and ends with “and any other local, regional, national and international law, order or regulation”

Illegal use

• Library 1 “Any illegal activities, including the viewing or transmission of illegal material. Contravening of any current law, including Copyright.”

• Library 2 “You must comply with the relevant laws that apply in the UK. You should also be mindful of the fact that the Internet is a global medium…Material which is legal in this country may be illegal in another and vice versa.”

• Library 32 provides a short synopsis of what can be legally copied under UK copyright law

Illegal use

• The value of rhyming off a series of Acts of parliament is questionable in such a document

• In most the onus seems to be on the user to educate themselves re a series of Acts?

• Library 32’s short advice on copyright in their policy seems potentially very informative and suggests some laws can be summarised effectively and succinctly

Illegal use

• Again, general consistency as to behaviour and types of content deemed unacceptable was found

• A positive statement was seen in Lib 8 policy in the pilot study:– “not opposed to satire or controversial thought as

such, but only sites whose content would, if circulated, interfere with the freedom of others to a greater extent than acceptable in a democratic society, are defamatory, pornographic etc.”

• Therefore even while defining unacceptable, libraries can reinforce their commitment to important values

Unacceptable use

• Library 6 “does not prohibit specific online activities as long as they are not considered to be illegal, offensive, obscene, abusive or troublesome to other public access users.”

• Library 8 “Must not access or transmit information via the Internet, including email, which is not acceptable to the Council”

Unacceptable use

• Library 19 “Transmission of any material in violation of any laws is prohibited. This includes, but is not limited to: copyrighted material; threatening or obscene material; pornographic material; racist material; or material protected by trade secret.”

• Most policies also raised themes such as tampering with equipment as being unacceptable

Unacceptable use

• Policies could be clearer in defining terms related to unacceptable use

• While terms like illegal and racist have clarity, terms like offensive are more vague

• And phrases like “not acceptable to the council” also lack clarity of definition.

Unacceptable use

• This category largely ignored• As a relatively new service for users, more

emphasis needs to be placed on this in AUPs• Lib 32 “works closely with the IT Department to

ensure the effective running of the computers, however we cannot guarantee that a particular service will be available at any time... Any failure or breakdown of a system, hardware or software will be dealt with as a matter of urgency”

Service commitments

• Respecting the rights of the wider community was a key emphasis

• Library 6 “we ask you to act courteously and to respect the needs of other users”

• Library 25 “users must respect the privacy of other users, and refrain from attempting to view or read material being used by others”

User commitments

• One of the most challenging aspects of managing Internet access is around the issues of monitoring of access

• When issues of monitoring and privacy of use are at stake, it is important for the library service to communicate this to users in such a way that it is not off-putting.

• However, the key is to raise their awareness that it IS happening

Around issues of monitoring

• Library 1 “Staff are permitted to view computer screens at any time during a session.”

• Library 2 “reserves the right to monitor access to the computers and Internet sites visited electronically for statistical and security purposes.”

• Library 6 “can and will monitor access to Internet sites, and access to any material in breach of the terms of this policy may be subject to further action. To fulfil our legal obligations, we reserve the right to check your Internet logs without informing you.”

Monitoring

• The AUP is able to get across important pointers as to how the user can be careful in their use of the service

• Library 1 “Users should be aware that some risks are attached to on-line activities. In particular broadcasting specific personal or private details over the Internet may lead to the receiving of unwanted email or attention.”

Advising the user

• Library 8 “users should be aware that risks are attached to some online activities: Broadcasting personal or private details over the network may lead to the receiving of unwanted mail or unwanted attention. Online financial transactions are increasingly common on the Internet and are often conducted safely over secure connections.”

• The tone of the documents can be made more positive with the provision of useful advice

Advice

• Some very good examples of AUPs evident• Regrettable that a number of policies focus on

negatives, but where advice is offered it is practical and informative

• Some challenges evident in producing a universal AUP (e.g. differing filtering and monitoring policies, etc)

• Overall, however, enough consistency of themes/content to indicate universal policy is possible

Conclusions/observations so far…

• Complete analysis of AUPs• Survey of HoS• Draft the model AUP

– (1st draft then revised based on feedback)

• Produce training materials on AUPs for services• The training materials will be usable even if an

authority does not adopt model AUP

To do…

Thank you!

Questions?

d.mcmenemy@strath.ac.uk