Abstract: We describe our statement of ethics, and present a brief discussion of what ethics is in the context of Internet security. We include for reference the codes of ethics of ACM, and IEEE.
This article is part of Internet Security Lectures
We describe our statement of ethics, and present a brief discussion of what ethics is in the context of Internet security. In this article, there are many more questions than there are answers. Our goal in including the topic of ethics in a course on Internet security is not to provide answers to ethical dliemmas you may have but to raise your level of awareness.
From http://www.m-w.com/cgi-bin/dictionary: Main Entry: eth·ic Pronunciation: 'e-thik Function: noun Etymology: Middle English ethik, from Middle French ethique, from Latin ethice, from Greek EthikE, from Ethikos Date: 14th century 1 plural but singular or plural in construction : the discipline dealing with what is good and bad and with moral duty and obligation 2 a : a set of moral principles or values b : a theory or system of moral values <the present-day materialistic ethic> c plural but singular or plural in construction : the principles of conduct governing an individual or a group <professional ethics> d : a guiding philosophy
The Macquarie Dictionary says: ethics - a system of moral principles, by which human actions and proposals may be judged good or bad or right or wrong (may refer to a particular class of actions - e.g. professional) [derived from a Greek word meaning moral] morals - principles or habits with respect to right or wrong conduct [derived from a Latin word meaning manners or customs]
As you can see the dictionaries are not helpful in distinguishing between
"ethics" and "morals". A few years ago, sociologist Raymond
Baumhart asked business people "What does ethics mean to you?" Among
their replies were the following:
"Ethics has to do with what my feelings tell me is right or wrong."
"Ethics has to do with my religious beliefs."
"Being ethical is doing what the law requires."
"Ethics consists of the standards of behavior our society accepts."
"I don't know what the word means."
These replies might be typical of our own. The meaning of "ethics" is
hard to pin down, and the views many people have about ethics are difficult to
articulate. Like Baumhart's first respondent, many people tend to equate
ethics with their feelings. But being ethical clearly is not a matter of
following one's feelings. A person following his or her feelings may recoil from
doing what is right. In fact, feelings frequently deviate from what is ethical.
Ethics and religion are often coupled in ones mind because of our upbringing.
But ethics is not confined to religion, nor is it the same as religion.
Most religions, of course, advocate high ethical standards. Ethics applies as
much to the behavior of the atheist as to that of the saint.
Being ethical also is not following the law. The law often incorporates
ethical standards to which most citizens subscribe. But laws, like feelings, can
deviate from what is ethical. American pre-Civil-War slavery laws and the
apartheid laws of South Africa, are grotesquely obvious examples of laws
that deviate from what is ethical.
In the context of security and privacy, let us focus on ethics only.
Practical ethics through basic philosophy includes three elements: ethical
thought; ethical definition; and ethical values. If a
person conceives of, say, engineering activity, as only making money, for
example, then one's definition of practical ethics, one's actions and values
will, be guided by this basic philosophical position. Ethics is defined as
a set of rules that clarify right conduct from wrong conduct.
Here are a few examples. Each of you need to discover your own answers, and the answers that our community gives, and how they change.
Presently she is designing a database management system for the personnel office of'a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system. It is now time to make decisions about the kind and degree of security to build into the system. Diane has described several options to the client. Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. She believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.
With weak security, employees working on microcomputers may be able to figure out ways to get access to this data, not to mention the possibilities for on-line access from hackers. Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree that less security will do. What should she do? Should she refuse to build the system as they request? (Adapted from: Johnson, D. G. Computer Ethics, Second Ed. Prentice Hall, Englewood Cliffs, N.J., 1993.)[From http://www.onlineethics.org/privacy/scene3.html]
Being ethical is not the same as doing "whatever our society
accepts." In any society, most people accept standards that are, in fact,
ethical. But standards of behavior in society can deviate from what is ethical.
An entire society can become ethically corrupt. Nazi Germany is a good example
of an ethically corrupt society.
Suppose you have come across a behavior of a colleague that in your mind is clearly unethical. Should you squeal? Why is it that squealing has such a negative connotation?
Under what circumstances is it either permissible or required for a technician repairing a computer to report the contents of files found there? A recent case of the firing of a Harvard administrator who had pornographic files on his university-owned computer raises questions of privacy and whistle-blowing.
Ownership of many things, such as your car, books, computer, etc., is usually quite clear. Do you own the air? When you buy a piece of software, what is it that you own? The use of it -- or, beyond that? If you could reverse engineer the source code of the program, is the source now yours?
We are also usually clear that we must not enter someone's house just because they left their back door wide open. If my files are read open, should you assume that you are allowed to read? What if they were also writeable? If my computer account has no password, should you login as me?
Nearly all present day effort in Internet security in "securing" computer systems, networks, web sites, etc. hopes to protect that which is theirs.
You stole it from me, so I can steal it back. Is this attitude ethical?
To computer wizards, the term "hacker" is reserved for unusually clever programmers. To them, the electronic burglars who break into computers aren't hackers but "crackers."
Theft of services: The first reason is theft of service, if a system offers some type of service and a hacker has a use for it, they will hack the system. Examples of such systems are on-line information networks (CompuServe, America On-line, and Prodigy).
Take valuable files: The second reason a hacker may hack into a system is to take valuable files, e.g., credit-card numbers, or info on operation of telecommunication systems.
Vengeance and hate: Another reason for hacking is vengeance and hatred.
Thrill and excitement: The forth reason hackers break into systems is for the thrill and excitement of being somewhere you are not authorized to be.
For knowledge and experiment: The final reason why hackers do what they do is just for knowledge and experiment. Hackers learn great deal every time they break into a new type of system.
Commitment to ethical professional conduct is expected of every member (voting members, associate members, and student members) of the Association for Computing Machinery (ACM).
This Code, consisting of 24 imperatives formulated as statements of personal responsibility, identifies the elements of such a commitment. It contains many, but not all, issues professionals are likely to face.Section 1 outlines fundamental ethical considerations, while Section 2 addresses additional, more specific considerations of professional conduct. Statements in Section 3 pertain more specifically to individuals who have a leadership role, whether in the workplace or in a volunteer capacity such as with organizations like ACM. Principles involving compliance with this Code are given in Section 4.
The Code shall be supplemented by a set of Guidelines, which provide explanation to assist members in dealing with the various issues contained in the Code. It is expected that the Guidelines will be changed more frequently than the Code.
The Code and its supplemented Guidelines are intended to serve as a basis for ethical decision making in the conduct of professional work. Secondarily, they may serve as a basis for judging the merit of a formal complaint pertaining to violation of professional ethical standards.
It should be noted that although computing is not mentioned in the imperatives of Section 1, the Code is concerned with how these fundamental imperatives apply to one's conduct as a computing professional. These imperatives are expressed in a general form to emphasize that ethical principles which apply to computer ethics are derived from more general ethical principles.
It is understood that some words and phrases in a code of ethics are subject to varying interpretations, and that any ethical principle may conflict with other ethical principles in specific situations. Questions related to ethical conflicts can best be answered by thoughtful consideration of fundamental principles, rather than reliance on detailed regulations.
As an ACM member I will ....
1.1 Contribute to society and human well-being.
This principle concerning the quality of life of all people affirms an obligation to protect fundamental human rights and to respect the diversity of all cultures. An essential aim of computing professionals is to minimize negative consequences of computing systems, including threats to health and safety. When designing or implementing systems, computing professionals must attempt to ensure that the products of their efforts will be used in socially responsible ways, will meet social needs, and will avoid harmful effects to health and welfare.
In addition to a safe social environment, human well-being includes a safe natural environment. Therefore, computing professionals who design and develop systems must be alert to, and make others aware of, any potential damage to the local or global environment.
1.2 Avoid harm to others.
"Harm" means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm to any of the following: users, the general public, employees, employers. Harmful actions include intentional destruction or modification of files and programs leading to serious loss of resources or unnecessary expenditure of human resources such as the time and effort required to purge systems of "computer viruses."
Well-intended actions, including those that accomplish assigned duties, may lead to harm unexpectedly. In such an event the responsible person or persons are obligated to undo or mitigate the negative consequences as much as possible. One way to avoid unintentional harm is to carefully consider potential impacts on all those affected by decisions made during design and implementation.
To minimize the possibility of indirectly harming others, computing professionals must minimize malfunctions by following generally accepted standards for system design and testing. Furthermore, it is often necessary to assess the social consequences of systems to project the likelihood of any serious harm to others. If system features are misrepresented to users, coworkers, or supervisors, the individual computing professional is responsible for any resulting injury.
In the work environment the computing professional has the additional obligation to report any signs of system dangers that might result in serious personal or social damage. If one's superiors do not act to curtail or mitigate such dangers, it may be necessary to "blow the whistle" to help correct the problem or reduce the risk. However, capricious or misguided reporting of violations can, itself, be harmful. Before reporting violations, all relevant aspects of the incident must be thoroughly assessed. In particular, the assessment of risk and responsibility must be credible. It is suggested that advice be sought from other computing professionals. See principle 2.5 regarding thorough evaluations.
1.3 Be honest and trustworthy.
Honesty is an essential component of trust. Without trust an organization cannot function effectively. The honest computing professional will not make deliberately false or deceptive claims about a system or system design, but will instead provide full disclosure of all pertinent system limitations and problems.
A computer professional has a duty to be honest about his or her own qualifications, and about any circumstances that might lead to conflicts of interest.
Membership in volunteer organizations such as ACM may at times place individuals in situations where their statements or actions could be interpreted as carrying the "weight" of a larger group of professionals. An ACM member will exercise care to not misrepresent ACM or positions and policies of ACM or any ACM units.
1.4 Be fair and take action not to discriminate.
The values of equality, tolerance, respect for others, and the principles of equal justice govern this imperative. Discrimination on the basis of race, sex, religion, age, disability, national origin, or other such factors is an explicit violation of ACM policy and will not be tolerated.
Inequities between different groups of people may result from the use or misuse of information and technology. In a fair society,all individuals would have equal opportunity to participate in, or benefit from, the use of computer resources regardless of race, sex, religion, age, disability, national origin or other such similar factors. However, these ideals do not justify unauthorized use of computer resources nor do they provide an adequate basis for violation of any other ethical imperatives of this code.
1.5 Honor property rights including copyrights and patent.
Violation of copyrights, patents, trade secrets and the terms of license agreements is prohibited by law in most circumstances. Even when software is not so protected, such violations are contrary to professional behavior. Copies of software should be made only with proper authorization. Unauthorized duplication of materials must not be condoned.
1.6 Give proper credit for intellectual property.
Computing professionals are obligated to protect the integrity of intellectual property. Specifically, one must not take credit for other's ideas or work, even in cases where the work has not been explicitly protected by copyright, patent, etc.
1.7 Respect the privacy of others.
Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies.
This imperative implies that only the necessary amount of personal information be collected in a system, that retention and disposal periods for that information be clearly defined and enforced, and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages,without the permission of users or bona fide authorization related to system operation and maintenance. User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code. In these cases, the nature or contents of that information must be disclosed only to proper authorities.
1.8 Honor confidentiality.
The principle of honesty extends to issues of confidentiality of information whenever one has made an explicit promise to honor confidentiality or, implicitly, when private information not directly related to the performance of one's duties becomes available. The ethical concern is to respect all obligations of confidentiality to employers, clients, and users unless discharged from such obligations by requirements of the law or other principles of this Code.
As an ACM computing professional I will ....
2.1 Strive to achieve the highest quality, effectiveness and dignity in both the process and products of professional work.
Excellence is perhaps the most important obligation of a professional. The computing professional must strive to achieve quality and to be cognizant of the serious negative consequences that may result from poor quality in a system.
2.2 Acquire and maintain professional competence.
Excellence depends on individuals who take responsibility for acquiring and maintaining professional competence. A professional must participate in setting standards for appropriate levels of competence, and strive to achieve those standards. Upgrading technical knowledge and competence can be achieved in several ways: doing independent study; attending seminars, conferences, or courses; and being involved in professional organizations.
2.3 Know and respect existing laws pertaining to professional work.
ACM members must obey existing local, state, province, national, and international laws unless there is a compelling ethical basis not to do so. Policies and procedures of the organizations in which one participates must also be obeyed. But compliance must be balanced with the recognition that sometimes existing laws and rules may be immoral or inappropriate and, therefore, must be challenged. Violation of a law or regulation may be ethical when that law or rule has inadequate moral basis or when it conflicts with another law judged to be more important. If one decides to violate a law or rule because it is viewed as unethical, or for any other reason, one must fully accept responsibility for one's actions and for the consequences.
2.4 Accept and provide appropriate professional review.
Quality professional work, especially in the computing profession, depends on professional reviewing and critiquing. Whenever appropriate, individual members should seek and utilize peer review as well as provide critical review of the work of others.
2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
Computer professionals must strive to be perceptive, thorough, and objective when evaluating, recommending, and presenting system descriptions and alternatives. Computer professionals are in a position of special trust, and therefore have a special responsibility to provide objective, credible evaluations to employers, clients, users, and the public. When providing evaluations the professional must also identify any relevant conflicts of interest, as stated in imperative 1.3.
As noted in the discussion of principle 1.2 on avoiding harm, any signs of danger from systems must be reported to those who have opportunity and/or responsibility to resolve them. See the guidelines for imperative 1.2 for more details concerning harm,including the reporting of professional violations.
2.6 Honor contracts, agreements, and assigned responsibilities.
Honoring one's commitments is a matter of integrity and honesty. For the computer professional this includes ensuring that system elements perform as intended. Also, when one contracts for work with another party, one has an obligation to keep that party properly informed about progress toward completing that work.
A computing professional has a responsibility to request a change in any assignment that he or she feels cannot be completed as defined. Only after serious consideration and with full disclosure of risks and concerns to the employer or client, should one accept the assignment. The major underlying principle here is the obligation to accept personal accountability for professional work. On some occasions other ethical principles may take greater priority.
A judgment that a specific assignment should not be performed may not be accepted. Having clearly identified one's concerns and reasons for that judgment, but failing to procure a change in that assignment, one may yet be obligated, by contract or by law, to proceed as directed. The computing professional's ethical judgment should be the final guide in deciding whether or not to proceed. Regardless of the decision, one must accept the responsibility for the consequences.
However, performing assignments "against one's own judgment" does not relieve the professional of responsibility for any negative consequences.
2.7 Improve public understanding of computing and its consequences.
Computing professionals have a responsibility to share technical knowledge with the public by encouraging understanding of computing, including the impacts of computer systems and their limitations. This imperative implies an obligation to counter any false views related to computing.
2.8 Access computing and communication resources only when authorized to do so.
Theft or destruction of tangible and electronic property is prohibited by imperative 1.2 - "Avoid harm to others." Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle (see 1.4). No one should enter or use another's computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time.
As an ACM member and an organizational leader, I will ....
3.1 Articulate social responsibilities of members of an organizational unit and encourage full acceptance of those responsibilities.
Because organizations of all kinds have impacts on the public, they must accept responsibilities to society. Organizational procedures and attitudes oriented toward quality and the welfare of society will reduce harm to members of the public, thereby serving public interest and fulfilling social responsibility. Therefore, organizational leaders must encourage full participation in meeting social responsibilities as well as quality performance.
3.2 Manage personnel and resources to design and build information systems that enhance the quality of working life.
Organizational leaders are responsible for ensuring that computer systems enhance, not degrade, the quality of working life. When implementing a computer system, organizations must consider the personal and professional development, physical safety, and human dignity of all workers. Appropriate human-computer ergonomic standards should be considered in system design and in the workplace.
3.3 Acknowledge and support proper and authorized uses of an organization's computing and communication resources.
Because computer systems can become tools to harm as well as to benefit an organization, the leadership has the responsibility to clearly define appropriate and inappropriate uses of organizational computing resources. While the number and scope of such rules should be minimal, they should be fully enforced when established.
3.4 Ensure that users and those who will be affected by a system have their needs clearly articulated during the assessment and design of requirements; later the system must be validated to meet requirements.
Current system users, potential users and other persons whose lives may be affected by a system must have their needs assessed and incorporated in the statement of requirements. System validation should ensure compliance with those requirements.
3.5 Articulate and support policies that protect the dignity of users and others affected by a computing system.
Designing or implementing systems that deliberately or inadvertently demean individuals or groups is ethically unacceptable. Computer professionals who are in decision making positions should verify that systems are designed and implemented to protect personal privacy and enhance personal dignity.
3.6 Create opportunities for members of the organization to learn the principles and limitations of computer systems.
This complements the imperative on public understanding (2.7). Educational opportunities are essential to facilitate optimal participation of all organizational members. Opportunities must be available to all members to help them improve their knowledge and skills in computing, including courses that familiarize them with the consequences and limitations of particular types of systems. In particular, professionals must be made aware of the dangers of building systems around oversimplified models, the improbability of anticipating and designing for every possible operating condition, and other issues related to the complexity of this profession.
As an ACM member I will ....
4.1 Uphold and promote the principles of this Code.
The future of the computing profession depends on both technical and ethical excellence. Not only is it important for ACM computing professionals to adhere to the principles expressed in this Code, each member should encourage and support adherence by other members.
4.2 Treat violations of this code as inconsistent with membership in the ACM.
Adherence of professionals to a code of ethics is largely a voluntary matter. However, if a member does not follow this code by engaging in gross misconduct, membership in ACM may be terminated.
This Code and the supplemental Guidelines were adopted by the ACM Council on October 16, 1992.
We, the members of the IEEE, in recognition of the importance of our technologies in affecting the quality of life throughout the world, and in accepting a personal obligation to our profession, its members and the communities we serve, do hereby commit ourselves to the highest ethical and professional conduct and agree:
1. to accept responsibility in making engineering decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment;2. to avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist;
3. to be honest and realistic in stating claims or estimates based on available data;
4. to reject bribery in all its forms;5. to improve the understanding of technology, its appropriate application, and potential consequences;
6. to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations;
7. to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others;8. to treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin;
9. to avoid injuring others, their property, reputation, or employment by false or malicious action;
10. to assist colleagues and co-workers in their professional development and to support them in following this code of ethics.
Approved by the IEEE Board of Directors, August 1990
This is an evolving draft available at http://ils.unc.edu/gbnewby/code.
Preamble: Hackers are diverse, from all cultures and backgrounds. Every hacker is unique, yet we all share some characteristics. While not every hacker follows this Code, many believe it is a fair description of our shared traditions, goals and values.
Steven Levy published this book in 1984. Anchor Books; ISBN: 0385191952; 1st Ed. edition (November 1984). Editorial Reviews of Amazon.com describes the book as follows.
Steven Levy's classic book explains why the misuse of the word "hackers" to describe computer criminals does a terrible disservice to many important shapers of the digital revolution. Levy follows members of an MIT model railroad club--a group of brilliant budding electrical engineers and computer innovators--from the late 1950s to the mid-1980s. These eccentric characters used the term "hack" to describe a clever way of improving the electronic system that ran their massive railroad. And as they started designing clever ways to improve computer systems, "hack" moved over with them. These maverick characters were often fanatics who did not always restrict themselves to the letter of the law and who devoted themselves to what became known as "The Hacker Ethic." The book traces the history of hackers, from finagling access to clunky computer-card-punching machines to uncovering the inner secrets of what would become the Internet. This story of brilliant, eccentric, flawed, and often funny people devoted to their dream of a better world will appeal to a wide audience.
Levy in this book lists the following hacker tenets:
Do you subscribe any of them? Why? Why not?
I expect all those attending our class to abide by the following statement. I welcome improvements to the statement.
|
In this course I am learning network and computer security principles. It is a 10-week long course, with a prerequisite of general understanding of operating systems and computer networks. I realize that this learning is just a beginning.
|
These lecture materials are gleaned from many sources. All are presented after careful reading. In some cases, I may have neglected proper attribution. I assure the reader it is not because I claim authorship. Indeed, in the lectures there is hardly any thing new that I have contributed. Suggestions for improvement are always welcome.
| 05/27/08 05:55:39 PM |
| Open Content Copyright © 2002 pmateti@cs.wright.edu | Other Internet Security Lectures by Mateti |