On Mon, 8 Dec 2003, Doug Nelson wrote, responding to John Valenti:
> Just curious - what do you see as an AUP requirement to notify users
> directly?
> [...]
> > Can you say when the mail system users will be directly informed of this
> > change? (it seems like the AUP requires that) And will the text of
> > that message be the same?
> > [...]
# Section V, subsection 1.4
# The content of User files is not to be surreptitiously or otherwise
# examined, nor is the User-generated message content of User network
# transactions to be monitored, without the prior written permission of
# either the User involved or the Vice Provost for Computing and
# Technology....
The NCC sub-committee for setting up anti-virus recommendations a couple
of years ago discussed the issues of "opt-in" vs "opt-out" and even
though we wanted to recommend "opt-out" in this unusual case, we were
told in no uncertain terms that non-header information in mail messages
was clearly "user-generated", and whether it technically belonged to
the sender or to the recipient in its course through the network between
the two did not matter, it could NOT be scanned, automatically or not.
Any notification of changes in the way E-mail was to be handled _had_ to
be approved by the users. We were thus forced to water down the
recommendation from "opt-out" to "opt-in" -- on any *existing* E-mail
system (i.e., pilot).
The loophole was that the soon-to-be-announced-at-that-time upgrade to
mail.msu.edu was considered as setting up a new system, so a user making
the switchover could look at the fine print (somewhere) and see that the
possibility for anti-virus scanning was part of the system and, by
continuing to make the switchover, implicitly opt in to that behavior
(whether it was actually activated at the time or not).
So, as long as the mail.msu.edu upgrade procedure or documentation mention
anti-virus scanning somewhere, it's probably not an issue (at least not a
major one).
There are two other mitigating factors:
(a) the original edict about automatic anti-virus scanning of the contents
of E-mail was from someone no longer in a position to enforce it; and
(b) even the AUP rule allows the Vice Provost to grant the kind of blanket
permission needed for the scanning (and subsequent actions), and it's
not as if the Computer Lab is doing this in a way which is secret from
the Vice Provost -- whether or not he has already explicitly told
them that virus scanning is a valid exception to the rule, he could at
a moment's notice tell them not to do it if he thought it was _not_ a
valid exception.
-------------------------------------------------------------------------
George J Perkins http://www.pa.msu.edu/people/perkins/
1209B BPS Bldg, MSU Phone: 517-355-9200 ext 2567
East Lansing, MI 48824-2320 FAX: 517-353-4500
