D.5. Information Technology

Information technology is vital to the mission and function of Middlebury; our networks and central computing facilities are common resources upon which the whole community depends. Middlebury establishes policies governing its information technology equipment, networks, services, and systems that bind all students, faculty, staff as well as any other users of IT systems or services.  The policies described briefly in this overview are those most likely to impact most members of the Middlebury community; more detailed information about these and other policies can be found at the ITS website.

1.  Responsible Use of Computing and Network Services and Facilities

Responsible citizenship in the Middlebury community obliges users of computer and network facilities to use them responsibly and ethically, with awareness of the impacts of one's actions on others, and respect for the rights of others. While technology makes available new educational, social, and recreational possibilities, we must recognize that the ethical and legal issues relating to technology are similar to those in our daily lives.

ITS actively monitors computers and networks to identify and block malicious activities. We expect all members of our community to behave in a proper and responsible manner. However, if certain malicious, illegal, or inappropriate activities are identified, we are obligated to investigate and act, including cooperating with legal authorities, if necessary. (See Network Monitoring & Technology Incident Response policies for further details.)

Middlebury has implemented network security devices to protect the College’s data, systems, and reputation. While not intended to disallow legitimate traffic to and from the Internet, there may be situations where a specific application fails due to security controls. If you have legitimate need for specific network activities, contact ITS so that your request may be considered.

a. Responsible use of our computing resources and network infrastructure comprises three main themes: (a) ethical and law-abiding behavior, (b) conservation of our common resources, and, (c) respect for others.

i. Ethical and Law-Abiding Behavior: Inappropriate actions using computers can involve violation of the law, with resulting prosecution and criminal penalties. Theft, plagiarism, "breaking and entering," fraud, invasions of privacy, harassment, or distribution of illegal material are just as serious when committed with a computer as by any other means.

Theft includes the unauthorized copying of copyrighted software, reproduction or distribution of copyrighted music or video recordings without the purchase of legal copies or the explicit permission of the artist or publisher (including downloading and sharing music via popular peer-to-peer systems), and other forms of copyright violation. Unauthorized use and/or distribution of others' intellectual property (including, but not limited to, copyrighted text, images, sound, and software) violates federal or state laws or regulations and can result in civil or criminal penalties, even if the material is distributed for free, with no monetary gain to the distributor (the student, faculty, or staff member). Middlebury College intends to comply fully with the Digital Millennium Copyright Act of 1998.

An example: Sharing Music & Videos

Many members of the Middlebury community have questions about the sharing of music and movies in digital format over the Internet. File sharing may violate U.S. copyright law and subject you to a lawsuit for copyright infringement, and it may also be a violation of Middlebury policy.  You should understand the risks of certain types file sharing given potential legal action. Most commercially produced music, movies, games and software are copyrighted and are not to be freely shared without permission. This is the law. Members of our community must follow college policies for appropriate use of technology resources under the law as described in the College Handbook. see: Responsible Use of Computing and Network Service and FacilitiesNetwork Policies.

Sources for legal downloading may be found at:
www.educause.edu/legalcontent

RIAA's Music Matters list of legal music sites

The Digital Millennium Copyright Act (DMCA) specifies procedures that Middlebury must follow when notified that an individual using our network is violating copyright laws. If the copyright holder contacts Middlebury about a violation, if we are able to trace the network address for the alleged time of violation, we notify the user of that network address, and require removal of the offending material from the computer. For repeated notifications, we block network access from the identified network address.

"Break and enter" includes unauthorized attempts to gain access or circumvent security features of computer systems or networks. Access to our systems/servers, networks, and any information contained on them or transported by them is for authorized users only.

Fraud includes misrepresenting yourself or falsifying your identity to gain use of computers, sending electronic messages under a false address, and using others' accounts without permission.

Violations of privacy include accessing other people's data or electronic mail, or spying on their communications. Abusive or threatening messages to others can be prosecuted as harassment. Offering illegal material by electronic means can be prosecuted in the same manner as offering illegal material on the street or a conventional market.

Should ITS receive a formal complaint of illegal activity involving a personal computer on our network (for example, a violation of copyright by unauthorized file-sharing under the terms of the Digital Millennium Copyright Act), ITS staff will make every effort to identify and inform the owner of the machine of the problem. The offending machine may be blocked from Internet access until the situation is rectified, in order to stop the alleged illegal activity and/or to try to protect the owner from further liability.

ii. Conservation of Our Common Resources: As members of the Middlebury College community, we must be aware of the impact that our actions have on others and avoid activities that undermine or damage the integrity and efficient functioning of the network and computing infrastructure. Deliberate interference with the functioning of any computing or communications equipment will be regarded as vandalism and result in quick and decisive action.

In addition, we must avoid other actions that impair the performance of the network and computer systems for others. The communications infrastructure is finite, as are all resources. Those who use network bandwidth, CPU utilization, or memory allocation for personal activities, such as games and chain-mail lists, or use programs that digitally distribute music and/or video for personal recreation, etc., hamper the activities of others engaged in educational and scholarly activities that are the priorities of the College. Improperly or inappropriately configured or malfunctioning personal computers or communications electronic gear may similarly degrade performance.  Many "home networking" appliances, such as wireless devices or hubs, can cause serious problems if attached to our campus network; their use is prohibited without prior approval from ITS.

Individuals should maintain their computers with up-to-date operating system patches and virus protection to avoid contracting and spreading computer viruses or other malicious software. Malfunctioning, misconfigured, or infected machines whose behavior or traffic is significantly degrading performance of the network may be blocked from network access until the problem can be rectified. ITS also may prioritize traffic to ensure optimum performance of mission-critical applications.

iii. Respect for Others: As citizens in our community, we must respect the rights and privacy of one another. We are obliged to avoid actions that create a public nuisance, such as inappropriate postings to social media sites, mailing lists, or unwarranted mass mailings. The same standards of civilized discourse and etiquette that govern our face-to-face interactions should apply in cyberspace. All users of our computing and networking facilities bear the responsibility to avoid libel, obscenity, undocumented allegations, attacks on personal integrity, and harassment.

b. ITS is committed to responsible behavior in its management and maintenance of the computing and communications systems.

i. Information Technology Services (ITS) respects the privacy and confidentiality of users' files and messages. (See Privacy and Security of Files, Data and Communications policy statement for further details.)

ii. ITS endeavors to protect users from the unauthorized activities of others and will educate users about how they can protect themselves from breaches of their privacy or the security of their computers.

iii. ITS strives to maintain the systems and networks in optimal performance for the good of the community and will address and correct situations that impair their efficient functioning or hamper users' appropriate activities.

We all must recognize that our actions as network-linked computer users have consequences. Users whose activities or malfunctioning equipment undermine the performance of common resources may be disconnected from the network or denied access to central systems until the problem is corrected. Irresponsible or unethical activities may result in penalties or the loss of privileges. Additionally, deliberate abuse or activities in violation of the rules and regulations of the College may result in penalties consistent with the judicial procedures and policies of the College. Users should be aware that activities that may seem benign to them (like sharing pirated music recordings) or harmless pranks (like gaining unauthorized access to remote computers) are increasingly being aggressively prosecuted and litigated by the wronged parties.

The laws and policies governing acceptable use of computer networks and the Internet are rapidly evolving; pending legislation and court cases may have major impacts. Users who have specific questions about responsible and acceptable use are encouraged to seek guidance from ITS.

2. E-mail Policies

E-mail is the official method for communicating with Middlebury students, faculty, and staff. Official e-mail communications are intended to meet and serve academic and administrative needs. Middlebury expects that such communications, many of which are time-critical, will be received and read in a timely fashion. To enable this process, all students, faculty, and staff are issued a standardized Middlebury e-mail account.  Students, faculty, and staff who choose to forward e-mail from their Middlebury e-mail accounts are responsible for ensuring that all information, including attachments, is transmitted in its entirety to the preferred account.

Middlebury has adopted guidelines for appropriate use of All Campus Email messages and such messages may only be sent by specific authorized individuals. More information is available here

3. Network Monitoring Policy

a. Purpose
The purpose of network monitoring is to identify and block malicious activity in order to protect Middlebury’s data, systems, and reputation.

b. Scope
The scope includes all computing systems and network infrastructure owned or managed by Middlebury.

c. Policy
In order to protect data, designated ITS staff may use network monitoring technologies to log network activity and to scan data moving across the network. These technologies may include anti-virus software, firewalls, intrusion protection and intrusion detection systems, vulnerability management systems, and database and application monitoring systems. This information may be centrally correlated for analysis.

Server logs may be monitored for malicious activity on a routine schedule. Other network traffic may be logged as necessary for troubleshooting and resolution of network issues. Automated scans for unencrypted sensitive data are conducted on a regular basis with findings logged for appropriate management or removal. Only malicious or extraordinary activity is to be logged. These measures are not to be used for tracking and/or monitoring an individual’s network activity.

Confidentiality of all information gathered as a result of network monitoring will be maintained at all times.  Access to information obtained through network monitoring will be limited to designated staff and in the event of an investigation, College officials, legal counsel, or law enforcement. This information will be kept in a protected storage area. Events and incidents identified through network security monitoring will be managed in the spirit of the Technology Incident Response Policy.

Any substantive changes to the network monitoring methodology or scope must be approved by Middlebury’s senior management.

d. Non-Compliance
Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Violation of this policy may also be a violation of the Federal Computer Fraud and Abuse Act.

4. Privacy and Security within Middlebury’s Systems

a. Overview

Handling confidential and private information appropriately is a core Middlebury value, consistent with our commitment to a workplace and academic community founded on trust and respectful behavior.  However, Middlebury information systems and computing resources exist to support the non-profit academic and administrative activities of the institution, and Middlebury has compelling institutional interests, such as managing its information systems and networks in compliance with the law and protecting the safety of members of our community, that are balanced against an individual’s interest in privacy of information stored on Middlebury devices or within Middlebury networks.  This Policy articulates the way those interests are balanced and the procedural mechanisms to safeguard information.

Please note that documents addressing the fluid issue of technology can rarely be exhaustive or dictate outcomes in all circumstances, but this Policy articulates fundamental expectations for all members of the Middlebury community and principles that underlie decision-making in these areas.   All users are also expected to conduct themselves in accordance with Middlebury’s policy on Responsible Use of Computing and Network Services and Facilities.

b. Scope of this Policy

This Policy applies to all participants in all of Middlebury’s programs, including students, faculty and staff, as well as any others who may regularly or incidentally use any of Middlebury’s information systems, devices and/or networks. 

c. Definitions

“User electronic information” includes, but is not limited to, emails, voice mails, and text messages, and their associated metadata, that are located in files and accounts associated with a particular user, as well as information generated by automated processes triggered by that user’s use of Middlebury systems.

d. Policy

  1. Use of Middlebury Devices, Systems and Networks
    1. Middlebury provides devices, IT systems and networks for institutional purposes to support its teaching and learning mission. 
    2. Incidental personal use of the Middlebury’s email system as well as for data storage on Middlebury file servers such as MiddFiles is permitted but not encouraged.
    3. Individuals bear the responsibility to avoid libel, obscenity, undocumented allegations, attacks on personal integrity, and acts of harassment.  Please see Middlebury’s policy on “Responsible Use of Computing and Network Services and Facilities” for additional information regarding expectations of your use of Middlebury computing resources.
    4. Unencrypted personally identifiable information (individual names associated with driver's license, social security, credit card or bank account numbers and access codes) and other confidential information related to Middlebury activities must not be stored on individual faculty, staff, or student employee computers, or personally-owned devices. Employees must not reconfigure a Middlebury-supplied laptop and personal computer to bypass the prompt for an authorized Middlebury username and password upon start-up: passwords must be keyed in, rather than set to be entered automatically. Loss or theft of any device (including a laptop, personal computer, tablet, or smartphone) that may contain institutional data must be immediately reported to ITS.
      see also, Banner Security Procedures for additional policies & practices related to data integrity and stewardship. 
  2. Monitoring
    1. ITS is committed to maintaining the confidentiality, integrity and availability of information stored in Middlebury devices, networks and systems.  Middlebury uses a variety of automatic mechanisms to monitor its networks and systems at the aggregate, institutional level, and follows best practices to identify and diagnose system or security vulnerabilities and problems.   
    2. Middlebury does not routinely monitor the activity and accounts of individual users except under certain circumstances described in this Policy. 
    3. ITS may monitor and/or access electronic information when necessary to address system or security vulnerabilities and problems, or to otherwise preserve the integrity of Middlebury systems.  This includes but is not limited to ongoing maintenance, inspection, protecting against threats such as attacks, malware, and viruses; to protect the institution; and to ensure the integrity, security and availability of information in compliance with the law, contractual obligations, etc. Routine network monitoring may also include anti-virus software, firewalls, intrusion detection and prevention, vulnerability management systems, and database and application monitoring systems.  Middlebury must also ensure that essential operations can be maintained, which may include disaster recovery preparation, access to restricted data necessary for business purposes and other exceptional steps to ensure continued operations. 
    4. By choosing to attach privately-owned personal computers or other resources to Middlebury’s networks and systems, users consent to Middlebury’s monitoring activities under this Policy.
    5. No independent authorization is required for information technology personnel to conduct routine system protection, maintenance, management or business continuity activities as outlined above. 

 3.   Access

    1. a. As a general matter, Middlebury does not guarantee the confidentiality of any content housed within or transmitted through its systems or networks, because in certain circumstances Middlebury may need to access information for legitimate institutional purposes, an illustrative but not exhaustive list of which are described below.

   i.    Health and Safety Matters:  In situations where the safety of any human being is seriously threatened, Middlebury reserves the right to access information to reduce the health and safety risk.

   ii.    As Required By Law: Middlebury must comply with legal process, including lawful demands for information in government investigations, law enforcement proceedings, etc. and it has obligations to preserve and produce information that is required in connection with threatened or pending litigation.  Subpoenas, court orders, or other demands for information should be directed to the Office of the General Counsel.

    iii.    Institutional Investigations of Illegal Behavior or Misconduct:  Under its policies, Middlebury may and often is required to gather information to investigate a possible violation of law or a breach of Middlebury policy.  Access under such circumstances is restricted under the associated Procedure for Authorization, which ensures that appropriate senior leadership, such as the Vice-President for Human Resources, or the Dean of the Faculty, is informed in order to authorize access.  Senior leaders may consult with the General Counsel, as needed. 

    iv.    Operational Necessity: Middlebury may access information necessary to carry out essential business functions, which may include circumstances of unexpected absence, death or other unavailability.

4. Authorization Procedures

A. Investigations: Other than in an emergency, access to identifiable electronic information in connection with an investigation must be authorized by the responsible senior leader in advance, or be pursuant to the user’s consent.  Senior leaders responsible for approving uses for such purposes are:

  1. The Vice President for Human Resources for all staff
  2. The Dean of the Faculty for College faculty
  3. The Vice President of Student Affairs/Dean of the College for College students
  4. The Vice President of Advancement for alumni, parents and friends
  5. The VPAA/Dean of the Institute for MIIS faculty
  6. The Executive Director of Enrollment, Advising & Student Services for MIIS students
  7. The VPAA/Dean of the Schools for faculty or students of the Schools

            ITS will notify the senior leader about a pending need for authorization.  The senior leader is responsible for weighing the needs of Middlebury against the privacy interests of the individual, in the context of applicable legal restrictions, and may take into consideration technological tools utilizing non-consumptive or data analytical techniques.  Senior leaders may consult with the General Counsel and others as needed.  Information provided under this exception will be limited to the information that is necessary to effectuate the institution’s purpose and must be maintained as confidential to the maximum extent possible. 

            B.  Emergencies: Emergency access to information needed to reduce a serious threat to a person’s health or safety may be authorized by an appropriate member of the Senior Leadership Group, who is responsible for notifying appropriate offices after the emergency has resolved of the actions taken.  Notice will ordinarily be given to an identified user within a reasonable period of time, although Middlebury may exercise discretion in such notifications.

            Questions about this policy and its application should be directed to the Assistant Vice President for ITS and/or the Executive Vice President for Finance and Administration, or the General Counsel.

            5. Website Policies

            Middlebury’s websites are overseen by the Office of Communications and Marketing in collaboration with Information and Technology Services. Department web editors who receive training are authorized to make edits, updates and other changes to unrestricted pages. Editing of some pages will be restricted to the Office of Communications and Marketing or other authorized editors.

            All institutional and departmental information should reside on the Middlebury website using the middlebury.edu domain to ensure that the pages comply with Middlebury’s brand and style guidelines as well as the institution’s intellectual property and copyright policies.

            Materials and information created and posted on the Middlebury website are the intellectual property of the institution and/or its employees as provided in Middlebury’s Intellectual Property Policy.

            Faculty, staff, and students may create personal, group, and curricular websites and blogs outside the Middlebury website environment in keeping with institutional guidelines.  Use of the Middlebury domain for personal websites is a privilege and is subject to restrictions to protect the institution’s legal status, avoid confusion, and reduce risks to the institution.  Abuse of the privilege may result in an individual’s ability to make such uses being terminated. 

            a. Requirements for All Web Pages

            a.i. Materials and information created and posted on the Middlebury website must comply with copyright and fair use laws such as the Digital Millennium Copyright Act of 1998 and all relevant institutional policies, including those governing use of computing resources, nondiscrimination, harassment, use of Middlebury facilities and services for commercial purposes, and student and employee conduct.

            a.ii. Any use of the Middlebury website for illegal or inappropriate activities or harassment is prohibited. Illegal activities shall be defined as a violation of local, state, and/or federal laws. Inappropriate use shall be defined as a violation of the intended use of the Middlebury’s computing resources and policies, and/or the purpose and goals of the Middlebury website. Harassment is defined and addressed in the Middlebury Anti-Harassment/Discrimination Policy Statement found in the Middlebury Handbook.

            a.iii. Unauthorized use of Middlebury’s websites for commercial purposes is prohibited. Personal or institutional web pages may not be used for direct advertising for personal profit or gain. Direct links to non-Middlebury commercial entities, unless directly related to research or the curriculum, are prohibited unless approval is granted by Office of Communications and Marketing.

            a.iv. Unauthorized use and/or distribution of others' intellectual property (including but not limited to text, images, sound, and software) violates Middlebury policies and the Honor Code, and is prohibited.

            a.v. Exploiting Middlebury’s website for malicious purposes is prohibited. Discovered exploits should be reported to infosec@middlebury.edu, immediately. Public disclosure of means to exploit Middlebury’s website is prohibited and is subject to disciplinary action.

            b. As stated in the Middlebury Anti-Harassment/Discrimination Policy Statement, Middlebury recognizes that the protection of free and open speech and the open exchange of ideas are essential to any academic or artistic community and crucial for the activity of scholars and artists. Free, honest intellectual inquiry, debate, and constructive dialogue are vital to the academic mission of the institution and must be protected, even when the views expressed are unpopular or controversial.

            b.i. Middlebury also recognizes that contents of electronic publications or electronic communications can be used specifically to intimidate or coerce and to inhibit genuine discourse, free inquiry, and learning. Such abuses are unacceptable. As an educational institution, Middlebury is committed to maintaining an environment where bigotry and intolerance, including discrimination on the basis of gender, sexual orientation, gender identity and expression, race, ethnicity, religious beliefs, physical ability, or age have no place, and where any form of coercion or harassment that insults the dignity of others and interferes with their freedom to learn or work is unacceptable.

            b. Requirements for Departmental/Institutional Sub-Sites

            b.i. Middlebury’s website is built using the institution’s middlebury.edu domain. This website is an integrated-information system that provides information about the institution to external and internal audiences and enables access to institutional services and resources for research and scholarship for faculty, staff, and students.

            b.ii. All appropriate departments at Middlebury must have a presence on the institutional website. Departmental sub-sites must conform to the design and content standards as defined by the Office of Communications and Marketing.

            b.iii. Departmental or institutional content hosted on other institution-supported websites and systems (such as blogs and wikis and course web pages) must follow the same guidelines as as those applying to the institution’s primary website.

            Policies and guidelines for other types of sites, including student organization sites and personal pages can be found here.