Strategic management

profileodohj83
EthicsinIT1.pdf

1. Ethics for IT Professionals and IT Users

2. Privacy

Ethics in IT

Reference: Professional Ethics for Computer Science by Klaus Mueller (Stony Brook University)

Ethics for IT Professionals and IT Users

Objective:

• What key characteristics distinguish a professional from other kinds of workers, and what is the role of an IT professional?

• What relationships must an IT professional manage, and what key ethical issues can arise in each?

• How do codes of ethics, professional organizations, certification, and licensing affect the ethical behavior of IT professionals?

• What are the key tenets of four different codes of ethics that provide guidance for IT professionals?

• What are the common ethical issues that face IT users? • What approaches can support the ethical practices of IT users?

2

IT Professionals Profession is a calling that requires:

• specialized knowledge • long and intensive academic preparation

Partial list of IT specialists:

• Programmers • systems analysts • software engineers • database administrators • local area network (LAN) administrators • chief information officers (CIOs)

3

Are IT Workers Professionals? Legal perspective:

• IT workers are not recognized as professionals • Not licensed • IT workers are not liable for malpractice

IT professionals have many different relationships with:

• Employers • Clients and Suppliers • Other professionals • IT users • Society at large

4

Relationships Between IT Professionals and Employers

IT professionals must set an example and enforce policies

regarding the ethical use of IT

Software piracy is the act of illegally making copies of

software or enabling others to access software to which they

are not entitled

Software piracy is an area in which IT professionals can be

tempted to violate laws and policies

The Business Software Alliance (BSA) is a trade group that

represents the world’s largest software and hardware

manufacturers

• its mission is to stop the unauthorized copying of software produced by its members

• penalties can be up to $100,000 per copyrighted work 5

Relationships Between IT Professionals and Employers

Trade secret:

• information used in business • generally unknown to the public • company has taken strong measures to keep

confidential

• employees must sign a non-disclosure agreement (NDA)

• problems due to high IT employee turn-over

Whistle-blowing: attracts attention to a negligent, illegal,

unethical, abusive, or dangerous act that threatens the

public interest 6

Relationships Between IT Professionals and Clients

• IT professional provides hardware, software, or services at a certain cost and within a given time frame

• Client provides compensation, access to key contacts and work space

• Relationship is usually documented in contractual terms

Ethical problems arise if a company recommends its own

products and services to remedy problems they detected

• but a company is unable to provide full and accurate reporting of a project’s status

• company hired as consultants may recommend its affiliated products

7

Legal Overview

Fraud, misrepresentation

• crime of obtaining goods, services, or property through deception or trickery

• fraud is proven in court

Breach of contract

• one party fails to meet the terms of a contract • schedule slippage, cost overruns, better product may

be released by competitor during contract execution

• can generate trials which are often settled out of court to minimize reputation damage

8

Relationships Between IT Professionals and Suppliers

Develop good relationships with suppliers

• deal fairly with them and don’t make unreasonable demands Bribery: providing money, property, or favors to someone in

business or government to obtain a business advantage

U.S. Foreign Corrupt Practices Act (FCPA) makes it a crime to bribe

a foreign official, a foreign political party official, or a candidate for

foreign political office

IT projects are joint efforts in which vendors and customers work

together: difficult to assign blame

Bribery

• at what point does a gift become a bribe? • no gift should be hidden • perceptions of donor and recipient can differ

9

Relationships Between IT and other professionals

Professionals owe each other adherence to a

profession’s code of conduct

• there is a sense of mentorship and community

Ethical problems between members of the IT

profession

• resumé inflation • inappropriate sharing of corporate information

due to IT access

10

Relationships Between IT Professionals and IT Users

IT user is a person for whom a hardware or

software product is designed

IT professionals’ duty

• understand users’ needs and capabilities • deliver products and services that best meet

those needs

• establish an environment that supports ethical behavior by users

11

Relationships Between IT Professionals and Society

Actions of an IT professional can affect society

• society expect professionals to not cause harm (=trust)

• society expects professionals to provide benefits

• so there must be a sense of responsibility, also not to damage a professional sector’s

reputation

Corporations are taking actions to ensure good

business ethics among employees 12

Professional Codes of Ethics

A professional code of ethics states the principles and core values

that are essential to the work of a particular occupational group

• a law does not provide complete guide to ethical behavior Main parts:

• outlines what the professional organization aspires to become • lists rules and principles by which members of the organization

are expected to abide

Benefits for individual, profession, and society

• improves ethical decision making • promotes high standards of practice and ethical behavior • enhances trust and respect from the general public • provides an evaluation benchmark

13

Professional Organizations No universal code of ethics for IT professionals

No single, formal organization of IT professionals has emerged as

preeminent

Professional organizations enable

• building of professional and working relationships • sharing of useful information (stay up-to-date) • provides a stamp of adhering to defined standards Most prominent organizations include:

• Association for Computing Machinery (ACM) • Association of Information Technology Professionals (AITP) • Computer Society of the Institute of Electrical and Electronics

Engineers (IEEE-CS)

• Project Management Institute (PMI) 14

Certification Indicates a professional possesses a particular set of skills,

knowledge, or abilities in the opinion of a certifying

organization

Can also apply to products

Generally voluntary

Carries no requirement to adhere to a code of ethics

Can serve as a benchmarks for mastery of a certain skill set

and knowledge

• good way to document and structure the acquisition of new skills and knowledge

• get re-certified to stay up-to-date

15

Vendor vs. Industry association Certification

Vendor certifications (Cisco, IBM, Microsoft, etc.):

• some certifications substantially improve IT workers’ salaries and career prospects

• relevant for narrowly defined roles or certain aspects of broader roles

• require passing a written exam • workers are commonly recertified as newer technologies

become available

Industry association certifications:

• require a certain level of experience and a broader perspective than vendor certifications

• lag in developing tests that cover new technologies 16

Government Licensing • Generally administered at the state level in the United

States (examples: CPAs, doctors, lawyers, etc.) but also

engineers that perform engineering services for the public

Case for licensing IT professionals

• encourage IT professionals to follow the highest standards of the profession

• practice a code of ethics where violators would be punished by law

• without it there is no incentive for heightened care and no concept of malpractice

• licensing of IT professionals may improve today’s very complex IT systems

17

Government Licensing Adverse issues associated with government licensing of IT

professionals:

• there are few international or national licensing programs for IT professionals

• no universally accepted core body of knowledge • unclear who should manage content and administration of

licensing exams

• no administrative body to accredit professional education programs

• no administrative body to assess and ensure competence of individual professionals

18

IT Professional Malpractice

Negligence:

• not doing something that a reasonable man would do, or doing something that a reasonable man

would not do

Duty of care:

• the obligation to protect people against any unreasonable harm or risk

Courts consistently reject attempts to sue individual

parties for computer-related malpractice

19

Common Ethical issues for IT Users

Employees’ ethical use of IT is a growing concern:

Software piracy: copying work software for use at

home (even when doing some work at home) is

considered piracy

Inappropriate use of computing resources

• surf work-unrelated websites • send questionable email Inappropriate sharing of information

• private data • confidential information

20

Supporting the Ethical Practices of IT Users

Policies that protect against abuses:

• establish boundaries of acceptable and unacceptable behavior

• enable management to punish violators Policy components include:

• defining and limiting appropriate use of IT resources • establishing guidelines for use of company software • structuring information systems to protect data and

information

• installing and maintaining a corporate firewall 21

Privacy Protection and the Law Ethical conundrum:

• IT technology allows businesses to gather information • must balance the needs of those who use this

information against the privacy rights of those people

whose information may be used

• Systems collect and store key data from every interaction with customers

– purchasing habits, contacts, search terms, etc.

• Many people object to data-collection policies of government and business

– strips people of the power to control their own personal information

– but IT does it on a regular basis.... 22

Privacy Protection and the Law (cont.)

Privacy

• key concern of Internet users • top reason why non-users still avoid the Internet

(according to US Census data)

Reasonable limits must be set

• information and communication technologies must be developed to protect privacy, rather than diminish it

Historical perspective on the right to privacy

• Fourth Amendment (1789) - reasonable expectation of privacy protection against unreasonable searches and

seizures

23

Key Privacy and Anonymity Issues

• Government electronic surveillance • Data encryption • Identity theft • Customer profiling • Need to treat customer data responsibly • Workplace monitoring • Spamming • Advanced surveillance techniques

24

Government Electronic Surveillance

• USA Patriot Act of 2001: “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct

Terrorism”

• passed just after 9/11 – although more than 340 pages and quite complex, passed into law just five

weeks after being introduced

• gives sweeping new powers to – domestic law enforcement wiretaps without court order – international intelligence agencies

• critics argue it removes checks & balances that previously gave courts opportunity to ensure that law enforcement agencies did

not abuse their powers

• contains several “sunset” provisions for increased searches & electronic surveillance (terminated on 12/31/05)

• amendment to FISA: Foreign Intelligence Surveillance Act 25

Data Encryption Cryptography : science of encoding messages

• only sender and intended receiver can understand the messages • key tool for ensuring confidentiality, integrity, authenticity of

electronic messages and online business transactions

Encryption: process of converting electronic messages into a form

understood only by the intended recipients

Encryption key

• a (large random) value applied using an algorithm to encrypt or decrypt text

• length of key determines strength of encryption algorithm

26

Data Encryption

Public key encryption system uses two keys: public and private key

• message recipient’s public key �readily available and used for encryption

• message recipient’s private key � mathematically related to public key

� kept secret and used for decryption

RSA - a public-key encryption algorithm (RSA keys typically 1024–

2048 bits long)

Private key encryption system

– single key to encode and decode messages – issue of secretly distributing private key to sender/receiver

paramount

27

Public Key Encryption

28

Data Encryption

Despite potential management and administration headaches

most people agree encryption eventually must be built into

– networks – file servers – tape backup systems

Seagate Technology hard drive

– automatically encrypts all data – must know password to access data

U.S. Arms Export Control Act controls the export of encryption

technology, hardware, and software

– violators face 10-year jail term and $1M fine

29

Identity Theft Theft of key pieces of personal information to gain access to a

person’s financial accounts

• using this info, ID thief may apply for new credit or financial accounts, register for college courses, etc—all in someone else’s

name

Information includes:

– name – address – date of birth – Social Security number – passport number – driver’s license number – mother’s maiden name

30

Identity Theft (Cont.) Fastest growing form of fraud in the United States

• victims spend >600 hours over several years recovering from ID theft

Lack of initiative by companies in informing people whose data was

stolen

“The personal information of 90,000 people in a Stony Brook

University database was accidentally posted to Google & left

there until it was discovered almost two weeks later.”

Phishing : attempt to steal personal identity data

• by tricking users into entering information on a counterfeit Web site (spoof emails)

• spear-phishing - a variation in which employees are sent phony e- mails that look like they came from high-level executives within

their organization 31

Identity Theft (Cont.) Spyware

• keystroke-logging software downloaded to user’s computer without consent

• enables the capture of: – account usernames – passwords – credit card numbers – other sensitive information

• operates even if an infected computer is not connected to the Internet

• records keystrokes until users reconnects; data collected then emailed to spy or posted to a web site

Identity Theft and Assumption Deterrence Act of 1998 was passed to

fight Identity fraud

• makes it a Federal felony (3-25 yrs in prison) 32

Identity Theft (Cont.) Spyware

• keystroke-logging software downloaded to user’s computer without consent

• enables the capture of: – account usernames – passwords – credit card numbers – other sensitive information

• operates even if an infected computer is not connected to the Internet

• records keystrokes until users reconnects; data collected then emailed to spy or posted to a web site

Identity Theft and Assumption Deterrence Act of 1998 was passed to

fight Identity fraud

• makes it a Federal felony (3-25 yrs in prison) 33

Consumer Profiling Companies can collect info about consumers without their explicit

permission!

Companies openly collect personal information about Internet users

• when they register at web sites, complete surveys, fill out forms or enter contests online

Cookies

• text files a web site places on user’s hard drive so that it can remember info

• examples: site preferences, contents of electronic shopping cart • cookie are sent back to server unchanged by browser each time it

accesses that server

Tracking software

• identify visitors to your web site from e.g. pay-per-click accounts

34

Consumer Profiling (Cont.) Similar methods used outside the Web environment

• marketing firms warehouse consumer data • foer example, credit card purchases, frequent flier points, mail-

order catalogue purchases, phone surveys

Databases contain a huge amount of consumer behavioral data

Affiliated Web sites:

• group of web sites served by single advertising network • DoubleClick tracks ad clicks and web purchases: useful for

marketers and sellers

Customized service for each consumer

• marketers use cookies to recognize return visitors and store useful info about them

35

Consumer Profiling (Cont.) Types of data collected while surfing the Web

• GET data: affiliated web sites visited and info requested • POST data: form data • Click-stream data: monitoring of consumer surfing activity

Four ways to limit or even stop the deposit of cookies on hard drives

• set the browser to limit or stop cookies • manually delete them from the hard drive • download and install a cookie-management program • use anonymous browsing programs that don’t accept cookies

– e.g. anonymizer.com allows you to hide your identity while browsing

36

Consumer Profiling (Cont.) Personalization software used by marketers to optimize number,

frequency, and mixture of their ad placements

• Rules-based: uses business rules tied to customer-provided preferences or online behavior to determine most appropriate page

views

• Collaborative filtering: consumer recommendations based on products purchased by customers with similar buying habits

• Demographic filtering: considers user zip codes, age, sex when making product suggestions

• Contextual commerce: associates product promotions/ads with content user is currently viewing

Platform for Privacy Preferences (P3P)

• shields users from sites that don’t provide desired level of privacy protection

• P3P software in a browser will download privacy policy for each site visited and notify users if policy does not match their preferences 37

Treating Consumer Data Responsibly Strong measures are required to avoid customer relationship problems

Code of Fair Information Practices and 1980 OECD privacy guidelines

• companies collect only personal info necessary to deliver its products/services

• protects this info • informs customers if it intends to use this info for research or

marketing

• provides a means for customers to opt out

Chief privacy officer (CPO)

• executive to oversee data privacy policies and initiatives • avoids violating government regulations and assures customers that

their privacy will be protected

38

Workplace Monitoring Ethical conundrum: ensure worker productivity without violating

privacy rights of employees

Employers monitor workers

• record email, surfing activity, files, even videotaping employees on the job

• ensures that corporate IT usage policy is followed Fourth Amendment cannot be used to limit how a private employer

treats its employees

• public-sector employees have far greater privacy rights: • “reasonable expectation of privacy” Katz v. U.S. 1998 Supreme Court

ruling

Privacy advocates want federal legislation

• to keep employers from infringing upon privacy rights of employees • inform employees of electronic monitoring devices; restrict type of

info collected 39

Spamming Transmission of same e-mail message to large number of people

The Controlling the Assault of Non-Solicited Pornography and

Marketing (CAN-SPAM) Act 2004 says it is legal to spam but

• spammers cannot disguise their identity • there must be a label in the message specifying that the e-mail is an

ad or solicitation

• they must include a way for recipients to indicate they do not want future mass mailings (i.e. opt out)

• may have actually increased the flow of spam as it legalizes the sending of unsolicited e-mail

40

Advanced Surveillance Technology Provides exciting new data-gathering capabilities vs. personal-privacy

issues

• advocates: people have no legitimate expectation of privacy in public places

• critics: creates potential for abuse – intimidation of political dissenters, blackmail of people caught with “wrong” person or in

“wrong” place

Camera surveillance: U.S. cities plan to expand surveillance systems

• London has one of world’s largest public surveillance systems • “Smart surveillance system” singles out people acting suspiciously Facial recognition software: identifies criminal suspects and other

undesirable characters

Global Positioning System (GPS) chips Placed in many devices to

precisely locate users 41