NES Terms and Conditions
Regulations for Use of the UK National E-Infrastructure Service
A grid is a fundamentally co-operative environment, within which collections of expensive high-end computational resources (e.g. systems, networking, codes and data) are available to research communities. Responsible behaviour by its users will foster the trust of resource providers, which in turn is essential for its development and success.
All users and potential users of the National E-Infrastructure Service (hereafter referred to as the Grid) need to be aware of this document.
Definitions of some of the terms used in this document are contained in Appendix I Definitions of Terms. It is suggested that if you are reading this for the first time, you familiarise yourself with them.
1. Purpose of this Document
- These regulations are provided to guide and inform you about what constitutes acceptable (i.e. permitted) use of Grid resources.
- The regulations are not intended to constrain you unnecessarily, but to make you aware and protect you as far as reasonable, along with all the participating institutions, from the consequences of any misuse or illegal activity.
- These regulations apply to every user of the Grid.
- The regulations apply to the use of all equipment connected to the Grid. This includes servers, network(s), and user workstations (whether institutionally or privately owned) and any other equipment or facilities connected to the Grid.
- These regulations apply to use of all software and data within the Grid.
3. Registering to use the NES
- You will require an identity certificate if you are a member of an e-Science project or are otherwise participating in an e-Science or Grid related activity. The definitive information on obtaining an identity certificate is provided in the Certificate Overview Section.
- Once you have received your identity certificate, you may wish to join one or more virtual organisations (VOs). A responsible person in the VO will make arrangements for you to have access to the Grid resources you need.
- You are granted Resources within the National e-Infrastructure Service so that you can use the Grid for the purposes you described in your application. These resources are not provided for other purposes.
- You must respect the regulations of the various Grid resources you use in your work. Your need to do this arises from co-operative agreements that have been made between all the organisations participating in the Grid.
- You must not interfere with others' work or attempt to invade their privacy.
- You must not attempt to disrupt the working of the Grid or any other system.
- It is important to understand that when you use the Grid you are bound by three sets of Grid-related regulations: the ICT regulations of your own institution, those of the Grid itself (as described here), and the Acceptable Use Policy of JANET, the network that connects Grid resources between organisations. Thus you must have read and understood these before using Grid resources.
- Grid resource providers aim to provide a stable high quality service. If there is evidence that the actions of particular users are impacting this, resource providers are empowered to take reasonable measures to terminate or reprioritise jobs in order to protect the overall operation of their services. Implicated users will be contacted by service providers as early as is reasonable.
- You are also bound by a number of laws and directives, some of which are alluded to in Appendix II Laws and Directives.
- You must be aware of the obligations placed upon you by the e-Science Certification Authority's Certificate Policy and Certification Practices Statement, namely you must:
- Read and adhere to the procedures published in that document;
- Generate a key pair using a trustworthy method;
- The Grid CA requires that private keys corresponding to user certificates must be encrypted. The encryption must use a "strong passphrase" as described in their documentation;
- Use the certificate for the permitted purposes only;
- Authorise the processing and conservation of your personal data for administrative purposes, as required under the Data Protection Act 1998;
- Take every precaution to prevent any loss, disclosure or unauthorised access to or use of the private key associated with your certificate. This must neither be shared with anyone else nor be used in such a way that it is likely to become accessible to anyone else.
- If anyone else does obtain a copy of the unencrypted private key (this is usually referred to as a key compromise), or you have good reason to believe they have, you must contact the Grid CA or your RA without delay to have your certificate revoked. You must also inform the Principal Investigator of your project. This is a serious matter: if someone else has your identifying information, it may be difficult for you to deny any actions they carry out in your name.
- Copyright legislation applies to software and data and you must respect it.
- The terms of software and data licences must be respected.
- You must not move proprietary data to, from, or via Grid systems without the prior agreement of its owner.
- Once you have registered to use the Grid, it is your responsibility to remain aware of these regulations and of any changes made to them.
- In order to keep the Grid operating correctly in both the technical and legal senses, it may become necessary to investigate network traffic (including e.g. emails) as well as examine information held on systems that are, or have been, connected to the Grid. Note that the process of accepting a Grid user identity implies directly that you have given your agreement for this, as described under the provisions of the Regulation of Investigatory Powers Act. Note that this agreement applies to, for example, a privately owned machine if it is or has been used on the Grid.
- As a user, whenever you use the Grid, you are bound by all the above regulations and the legislation in force at the time.
- The regulations and legislation which apply to you will be enforced by your own project (virtual organisation) as well as your own institution, even if a breach of either has been evidenced from elsewhere.
- Note that for breaches of some legislation, the police can be involved.
- Ignorance of regulations or legislation is not a defence.
- Penalties will be levied for confirmed breaches of regulations.
- Disciplinary and investigative processes may also involve your project or virtual organisation, your RA, the CA, and any Grid member-institutions involved in or affected by your actions.
- Note that all Grid institutions have agreed to co-operate in investigating disciplinary cases.
- Organisations and VOs reserve the right to revoke access to Grid resources if a breach concerning you is under investigation.
6. Non-research use of Grid resources
- The UK Grid has been constructed for academic research work.
- If you wish to use the Grid for any other purpose this must be authorised in a documentary form in advance by the leader/principal investigator of your project/virtual organisation. You will be expected to provide detailed information in support of your requirement.
- Projects/Virtual Organisations must obtain prior agreement from the providers of all resources (e.g. computers, software, data, networks, and any other facilities) before these are used for any purposes other than academic research work.
In turn, their processes and terminology have been based upon RFC2527, the Certificate Policy and Certification Practices Framework of the IETF Internet X.509 Public Key Infrastructure working group.
Anyone may freely copy from this document provided that they include an acknowledgement of the source.
Appendix I: Terminology
- Authentication:
- The process of establishing that individuals, organisations, or things are who or what they claim to be. In the context of a PKI, authentication can be the process of establishing that an individual or organisation applying for or seeking access to something under a certain name is, in fact, the proper individual or organisation. This process corresponds to the second process involved with identification, as shown in the definition of identification above. Authentication can also refer to a security service that provides assurances that individuals, organisations, or things are who or what they claim to be or that a message or other data originated from a specific individual, organisation, or device. Thus, it is said that a digital signature of a message authenticates the message's sender.
- Grid:
- When this word is used with its first letter in upper case (i.e. Grid), it is taken to mean the National e-Infrastructure Service and otherwise it refers to the grid as a concept.
- Certification Authority (CA):
- An authority trusted by one or more subscribers to create and assign public key certificates and to be responsible for them during their lifetime.
- Grid Overview Organisation:
- An organisation, which has a special responsibility for a grid. Its activities may be expected to include:
- Recording which organisations have made arrangements for their staff to be able to use the grid
- Maintaining knowledge of which VOs have negotiated use of grid resources, and of the contacts involved
- If they are also the CA, issuing and maintaining grid identity certificates to subscribers.
- ICT Regulations:
- These are the regulations for the use of computer and information technology (CIT) systems and services that are in effect at an organisation. Organisations have procedures in place to apply their ICT regulations (e.g. a disciplinary process). All organisations must possess such regulations if they are to participate in the Grid.
- Identification:
- The process of establishing the identity of an individual or organisation, i.e., to show that an individual or organisation is a specific individual or organisation. In the context of a public key infrastructure (PKI), identification refers to two processes: (1) establishing that a given name of an individual or organisation corresponds to a real-world identity of an individual or organisation, and (2) establishing that an individual or organisation applying for or seeking access to something under that name is, in fact, the named individual or organisation. A person seeking identification may be a certificate applicant, an applicant for employment in a trusted position within a PKI participant, or a person seeking access to a network or software application, such as a CA administrator seeking access to CA systems.
- Organisation:
- This is a 'real world' entity, and in the context of the Grid can be a:
- Research Council, or one of its labs, facilities, etc., or an
- Education institution, e.g. an HEI or FEI, or a
- Legal entity such as a company or research institute.
- Provider organisation:
- An organisation that provides resources for the Grid.
- Registration Authority (RA):
- An individual or group of people appointed by an organisation that is responsible for Identification and Authentication of certificate subscribers, but that does not sign or issue certificates (i.e. an RA is delegated certain tasks on behalf of a CA).
- Subscriber:
- A person or server to whom a digital certificate is issued. In the case where a subscriber is a person, they are usually referred to as a user.
- User organisation:
- An organisation that uses Grid resources, and which has made arrangements so that certain of its staff or students may use the Grid. Normally a Grid user must be a member of a user organisation.
- Validation:
- The process of identification of certificate applicants. Validation is a subset of Identification and refers to identification in the context of establishing the identity of certificate applicants.
- Virtual organisation (VO):
- is a purpose-oriented group of people drawn together from different organisations to collectively further a common objective (e.g. a major scientific experiment, a pilot project or a regional centre). VOs are not generally permanent entities in the sense that when one has met its objectives, it is normally closed down. VOs are often international, and may have a number of income streams.
A VO is recognised to have a principal investigator (PI) who has overall responsibility for its operation and direction. However, if the VO is for example international, or has a number of income streams, it may have more than one PI. Additional to the PI(s), within a VO there are normally also one or more 'responsible persons' who may lead various of its principal activities or manage particular resources (e.g. be a grant-holder, or administer access to ICT resources) for all or part of the VO. In these regulations it is recognised that a PI can delegate the responsibility for administering Grid resources and their use to a responsible person within the VO.
This legislation includes, but is not limited to:
1. Copyright, Designs and Patents Act 1988
Copyright legislation applies to software and data and because of this:
Many items of software and data are only made available under licence agreements, which restrict their use, e.g. to academic research and teaching. The terms of these licences must be respected.
2. Computer Misuse Act
The Computer Misuse Act became law in August 1990. Under the Act, attempting to gain unauthorised access and the introduction of viruses are criminal offences. Three new offences were created under the Act:
- Unauthorised access to computer material
- Unauthorised access with intent to commit or facilitate commission of further offences
- Unauthorised modification of computer material
- In the first category, a person is guilty of an offence if ... "he causes a computer to perform any function with intent to secure access to any program or data held in any computer AND the access or intended access is unauthorised AND he knows at the time when he causes the computer to perform that function that that is the case".
- Imprisonment can arise from breaking this law.
- National e-Infrastructure Service institutions can assume that anyone using someone else's identity, whether registered or not, is committing an offence at least under the first category of this Act. This applies equally to accesses to or from any other computer, whether in this country or abroad.
- The copying of any data not specifically authorised, even into your own files, is an offence in the first category above.
3. Data Protection Act
The Data Protection Act, 1998, provides for the registration and protection of personal data (i.e. that which relates to an identifiable living individual).
- The principles of the Data Protection Act
- The only personal data which users are permitted to store on National e-Infrastructure Service resources is research data that has been registered under the Data Protection Act.
- Using the terminology of the Act, the data controller (usually the person who put the data on the Grid system) is responsible for ensuring that this data is registered and used in accordance with the Act. This would be effected through their own organisation, via its Data Protection Officer (every organisation has one).
- Note that registration with a National e-Infrastructure Service RA will imply that the user has given permission for their details to be stored in a database and to be used for mailing, accounting, reporting, and other administrative purposes connected with running the computer service.
4. Use of High Performance Computers Directive
Following guidance issued by the U.K. Department of Trade and Industry on the use of High Performance Computers, users are not permitted to use the National e-Infrastructure Service resources for any research, development, manufacture and procurement of weapons of mass destruction and their delivery systems, in support of internal repression or international aggression, or any other restricted usage as may be listed from time to time.
These universal criteria support:
- The UK's international obligations and commitments to enforce United Nations, Organisation for Security and Co-operation in Europe and European Union arms embargoes, together with any national embargoes or other commitments regarding the application of strategic export controls;
- The UK's international obligations under the nuclear non-proliferation treaty, the biological weapons convention, the chemical weapons convention and the missile weapon convention;
- The UK's commitments to the international export control regimes -- the Australia group, the missile technology control regime, the nuclear suppliers group and the Wassenaar arrangement which limits usage for proscribed countries including Iran, Iraq, Libya and North Korea;
- The EU common criteria for arms exports, the guidelines for conventional arms transfers agreed by the permanent five members of the UN Security Council, and the OSCE principles governing conventional arms transfers.
Other legislation that may be applicable includes:
5. The Malicious Communications Act 1988
This Act applies particularly in relation to the transmission of grossly obscene or offensive messages.
6. The Obscene Publications Acts
These are a series of Acts relating to publishing obscene materials.
The Regulation of Investigatory Powers Act 2000 contains provisions about Lawful Business Practices and states that individuals have a right to respect for their private life and correspondence. However, this is not an absolute right and the Act recognises situations where other needs take priority. For example, some actions which are essential to keep a network functioning may result in communications being seen by the network operator. The Act makes clear that users of networks should expect such actions to take place routinely: there is no requirement on the network operator to give warning of the possible loss of privacy. Organisations that provide computer networks may also examine activity on their own networks for some business purposes. However, before this may be done, all users must be informed that their communications may be monitored. The Lawful Business Practice regulations supporting the Act set out the purposes for which monitoring may be used. These include ensuring compliance with acceptable use policies and other organisational rules but, again, only if users have been informed of the rules in advance. Organisations should therefore ensure that their rules for use of the network, including the JANET Acceptable Use Policy, are clearly and widely advertised. For more information see the JANET acceptable use policies and the JANET article on Regulatory Powers.
Appendix III: Additions to the Terms and Conditions of Use for the UK National e-Infrastructure Service
1. Removal procedure for users
The UK NES, under its Terms and Conditions of Use, reserves the right to suspend a user's account if it is deemed that the user is not acting according to the acceptable use of the service or is acting in a manner that is detrimental to the service.
The period of suspension will be determined on a case by case basis and may include permanent exclusion or a requirement that the user make a fresh application for further use.
1. Suspension of a user from the UK NES will include suspension of that user's access to all NES facilities. Individual provider organisations in the NES may, at their discretion, subsequently grant to the user further access to their facilities.
2. The NES operations team will not normally suspend a user without having made reasonable efforts to contact the user, explain the issues, and where possible, advise the user how to use the resources in an acceptable manner.
3. If a user continues to ignore such advice, a letter or email of formal warning will be sent to the user after which continued action by the user will result in immediate suspension. Suspension will be notified to the user in writing or by email.
4. The period leading to suspension is not defined and will be determined on a case by case basis, depending upon the severity of impact on the NES service of the action being taken by the user.
5. Notwithstanding the above, if the NES operations team deem that a user's account is being used in a manner that is jeopardising the continued operation of any part of the NES, the NES operations team may take immediate remedial action, including suspension of the user's account. If such an action is necessary, the user will be notified immediately by email.
6. In all cases the user will be granted the right to appeal against the decision to suspend access by writing to the Director of the NES firstname.lastname@example.org
2. Project based registration
The following text is the addition to the core TACU in relation to the registration of projects. A project is seen as a collection of people, who are recommended to be NES users but may not be. Where they are not and a project is designated, the project lead/PI, or whoever accepts these terms and conditions on behalf of the project, accepts that they will be held responsible for any actions taken by end users using the service the project provides. An example of a project-based service is something akin to users accessing the service through an OGSA-DAI service, a portal (where the portal acts on their behalf and is seen from the NES end as a single user), or an Oracle database service using a remote JDBC or similar connection.
The following additions to the NES Terms and Conditions of Use, apply to those persons who accept these on behalf of a Project, collaboration or Virtual Organisation, hereafter referred to as a VO. In accepting these Terms and Conditions of Use, the person agrees to be the VO representative and to be responsible for any actions relating to or caused by end users making use of services provided by the VO.
1. These additions apply to a VO that provides an external service to end users, who may or may not be NES registered users, in such a way that the VO appears to the NES as if it were a single user.
2. The VO representative will normally be the project's Principal Investigator (PI) or equivalent and accepts responsibility for the actions of end users using the remote service that they provide.
Examples of VO services include, but are not restricted to, those providing Authentication or Authorisation services, access to database services, for example an OGSA-DAI service or a remote web service accessing database services on the NES as a single user, a portal based service for job control or data access (where the portal acts on the end users' behalf, but appears to the NES as a single user), and any other services that provide capabilities to multiple end users through a single account on the NES.
3. The VO Representative will ensure that end users fully comply with any relevant licence conditions applicable to the software being used and are entitled to use any software made available by the VO.
4. The NES requires that VOs provide the ability to record the access of the service that they provide by end users and agree to provide this access information if requested.
28th October 2009 - Checked and updated external Links
4 April 2004 Version 4.01a of John Duke's document.
27 April 2005 Addition of Appendix III - Amendments to TACU
Help and Support
If you require assistance, please contact the NES support centre.