How to Create A Bad Acceptable Use Policy Document (And Have It Survive)!
by Dr. Rob Reilly
In the past few years there has been fervor to create Acceptable Use Policy (AUP) documents, which govern the use of computers and computer networks. This 'fervor' has been driven by various state and federal agencies that mandate the creation of an AUP for one reason or another; and administrators are, justifiably, much more comfortable when there is policy to deal with an issue.
Creating an AUP for computer resources may be new ground, but the notion of crafting policy is hardly a strange or a new concept for educational administrators; actually, creating policy documents would seem to be a fairly routine process within educational organizations. After all, day-in and day-out, educational administrators create policy documents for virtually everything and then deal with those policy issues. They are always creating state and federally mandated policy statements/documents. At times it seems that a significant portion of an administrator's workday involves issues that are 'covered' in one policy manual or another. And… it seems that there is always some committee or another revising some policy document (to include various curriculum frameworks, which follow the same developmental protocols as any 'policy' statement does). But given all this, it seems that most AUPs have severe shortcomings!
I've been a member of a committee to create an AUP for my school district; I have spoken to my colleagues in other school districts who have also created AUP documents. And if the truth-be-told, my doctoral dissertation addressed the creation of AUP documents; but at that time K-12 systems were not creating AUPs, so I had to focus on AUPs in higher education. I selected this as my dissertation topic as it was a new area, it was an interesting one and I was, after all, my school district's technology coordinator and I knew that this would be a hot topic in K-12 sooner than later; and I assumed that if my doctoral committee wanted to dispute anything I posed, they'd have to do some research also---I thought that it would be more difficult for them to give me a harder-time than I was in-store-for anyway. But anyway---I did quite a bit of research, I read quite a few AUPs, I took lots of notes, I became quite familiar with AUP development, I made lots of observations and comments about AUPs to my doctoral committee who, I might add, always managed to stay one-step ahead of me (well so much for my attempt to diminish extra aggravation during my doctoral process). So, I'm fairly familiar with AUPs.
I recently read an article in an excellent online publication that deals with curriculum and related issues. It has terrific a-to-z lesson plans for specific topics. But there was an article in its February issue that dealt with K-12 Acceptable Use Policy---they don't usually deal with policy, per se, they deal with curriculum. As I read it I began to wonder if this policy really exists and what has happened when anyone is brought before the bar of justice for violating it. I found it difficult to believe that any administrator (outside of the technology committee) had reviewed this policy. At least to me, it seemed that this AUP for a K-12 school system was created by techies who want to have dictatorial control over their network and who have not even read their own school district's policy manual. But as I think back to the time (not so long ago) when I reviewed lots and lots of AUPs from higher education, most of those were created by techies who wanted dictatorial control over the computer network and who had never read their institution's policy manual. It was certainly interesting to note that this practice had taken but a few years to filter down to K-12 education!
Let's talk about a few of the AUP statements in the article I read.
The AUP in question states that: "Technology tools and the Internet are available to students and staff to enhance the curriculum and promote educational excellence." Ok, so this is fine, what could be wrong here? Then it immediately goes on to state that: "Use of school technology materials and the Internet access will be provided to those who agree to act in a considerate and responsible manner." I grant you that this does not seem to be much of a problem either. But it does raise a 'red flag' in regard to the philosophy that the makers of this AUP have. The AUP continues (all this is in the same paragraph---it gets Draconian very quickly): "Information sent or received by e-mail, the Internet, or other means over the computers available to the students and staff is the property of the district and may be accessed at any time by the district for review." The trend seems ominous. The trend shown here is all too common---open the AUP with a general statement of the goodness and value of technology and then subtly take far too much control.
The next paragraph goes on to establish that the use of the technology resources is a "privilege" and that "privilege" can be removed at any time. I must admit that the folks who wrote the AUP did a very neat job of making their position very clear to everyone. No one can say that they did not understand the policy or its consequences. The trouble is that use of the computer resources and the Internet is NOT a "privilege"; it's a right. Once tax dollars are spent for 'something' and then that 'something' is generally available to all, it then becomes a right. Actually this was a good tactic; asserting the notion that something is a "privilege" makes it far easier to take that 'something' away from someone. But the courts have held this to be a "hollow argument."
Also in this AUP the Chief Technology Officer is vested with the authority to remove or suspend computer/Internet access. While this has a superficial justification, it is simply bad policy to endow the Chief Technology Officer with the authority that is typically vested in the building principal or superintendent.
This particular AUP also does not differentiate between staff members and students. In one instance the school has an employer-to-employee relationship and in the other instance the school has a government-as-educator relationship. In law these are two completely different situations and must be addressed as such.
Let me cite a few more examples and then make my point (if you have not already gotten it).
This AUP also states that you can be punished if you "can identify a security problem within the network" and do not report it to the Chief Technology Officer. I am not aware of any concept or any law that requires one to do this. Geesh, if I witness a murder, I am not liable for punishment for failing to report it. This AUP statement is just plain scary---I'd not want to work for these folks!
In this AUP you can also be punished if you know of a flaw in the computer system and then "demonstrate the problem to other users." This can't stand as a policy. Granted it's not helpful to 'spread the word,' but it's certainly not illegal in any other situation. This AUP statement seems to nicely dispense with the First Amendment.
Here's a really good one: "Any user identified as a security risk or having a history of problems in using other computer systems may be denied access to district network services." Gadzooks! This is guilt-by-innuendo and/or guilt-by-previous-guilt!! Need I say anything about this?
I am certainly very much in favor of the premise that school systems have the responsibility and the right to ensure that their computer resources can be protected from deliberate or unintentional misuse or damage, but AUPs must have policy statements that are, at least, in keeping with the student and staff handbooks, and certainly are in keeping with laws and statutes. The single most prevalent problem with AUPs is that they do NOT follow their own school district's policy for similar violations (e.g., if a student sends an inappropriate message over the school's email system to another student, that student can lose their Internet access, but if the same event occurred using a piece of paper as the conduit for the message, detention may result, not the removal of an educational service/resource).
So, to create bad acceptable use policy and have it survive, just don't bother to read your school district's policy handbooks (both the student and staff versions), and don't bother to gain an understanding of policy formulation. If you do this the AUP will probably survive because administrators are generally very technology-illiterate and either don't get involved in the committee work or they simply don't understand how Draconian some policy actually is because they don't seem to be able to map computer AUP statements back onto policy they are very familiar with (e.g., the student from the previous paragraph sending an inappropriate message).
But if you're in the market for a good AUP, then be sure to:
have a few non-techie staff members on the technology committee,
have a few computer literate and illiterate parents on the technology committee,
have everyone review the staff and student handbooks, and,
always relate AUP policy statements back to real-classroom situations (e.g., substitute the words 'history book' or the words 'math class' for the word 'computer' or the word 'Internet' in AUP statements and see if the policy still makes sense).