IT Homework

S T U D E N T L E A R N I N G O B J E C T I V E S

After completing this chapter, you will be able to answer the following questions:

1. What ethical, social, and political issues are raised by information systems?

2. What specific principles for conduct can be used to guide ethical decisions?

3. Why do contemporary information systems technology and the Internet pose challenges to the protection of individual privacy and intellectual property?

4. How have information systems affected everyday life?

Ethical and Social Issues in Information Systems 12C H A P T E R

416

417

CHAPTER OUTLINE Chapter-Opening Case: Behavioral Targeting and Your

Privacy: You’re the Target

12.1 Understanding Ethical and Social Issues Related to Systems

12.2 Ethics in an Information Society

12.3 The Moral Dimensions of Information Systems

12.4 Hands-on MIS Projects

Business Problem-Solving Case: Google, Microsoft, and IBM: The Health of Your Medical Records’ Privacy

BEHAVIORAL TARGETING AND YOUR PRIVACY: YOU’RE THE TARGET

Ever get the feeling somebody is trailing you on the Web, watching your every click? Wonder why you start seeing display ads and pop-ups just after you’ve been scouring the Web for a car, a dress, or cosmetic product? Well, you’re right: your behavior is being tracked, and you are being targeted on the Web so that you are exposed to certain ads and not others. The Web sites you visit track the search engine queries you enter, pages visited, Web content viewed, ads clicked, videos watched, content shared, and the products you purchase. Google is the largest Web tracker, monitoring thousands of Web sites. As one wag noted, Google knows more about you than your mother does. In March 2009, Google began displaying ads on thousands of Google-related Web sites based on their previous online activities. To parry a growing public resentment of behavioral targeting, Google said it would give users the ability to see and edit the information that it has compiled about their interests for the pur- poses of behavioral targeting.

418 Part IV: Building and Managing Systems

Behavioral targeting seeks to increase the efficiency of online ads by using information that Web visitors reveal about themselves online, and if possible, combine this with offline identity and consumption information gathered by companies such as Acxiom. One of the original promises of the Web has been that it can deliver a marketing message tailored to each consumer based on this data, and then measure the results in terms of click-throughs and purchases.

Firms are experimenting with more precise targeting methods. Snapple used behavioral targeting methods (with the help of an online ad firm Tacoda) to identify the types of people attracted to Snapple Green Tea. Answer: people who like the arts and literature, travel internationally, and visit health sites. Microsoft offers MSN advertisers access to personal data derived from 270 million worldwide Windows Live users.

The growth in the power, reach, and scope of behavioral targeting has drawn the attention of privacy groups and the Federal Trade Commission (FTC). In November 2007, the FTC opened hearings to consider proposals from privacy advocates to develop a “do not track list,” to develop visual online cues to alert people to tracking, and to allow people to opt out. In the Senate, hearings on behavioral targeting are ongoing throughout 2009. While Google, Microsoft, and Yahoo pleaded for legislation to protect them from consumer lawsuits, the FTC refused to consider new legislation to protect the privacy of Internet users. Instead, the FTC proposed industry self-regulation. In 2009, a consortium of advertising firms (the Network Advertising Initiative) responded positively to FTC proposed principles to regulate online behavioral advertising. All of these regulatory efforts emphasize trans- parency, user control over their information, security, and the temporal stability of privacy promises (unannounced and sudden changes in information privacy may not be allowed).

Perhaps the central ethical and moral question is understanding what rights individuals have in their own personally identifiable Internet profiles. Are these “ownership” rights, or merely an “interest” in an underlying asset? How much privacy are we willing to give up in order to receive more relevant ads? Surveys suggest that over 70 percent of Americans do not want to receive targeted ads.

Sources: Joseph Turow, et. al. “Americans Reject Tailored Advertising,” Rose Foundation for Communities and Development and The Annenberg School For Communication, September, 2009; Robert Mitchell, “What Google Knows About You,” Computerworld, May 11, 2009; Stephanie Clifford, “Many See Privacy on Web as Big Issue, Survey Says,” The New York Times, March 16, 2009; Miguel Helft, “Google to Offer Ads Based on Interests,” The New York Times, March 11, 2009; and David Hallerman, “Behavioral Targeting: Marketing Trends,” eMarketer, June 2008.

The growing use of behavioral targeting techniques described in the chapter-opening case shows that technology can be a double-edged sword. It can be the source of many benefits (by showing you ads relevant to your interests) but it can also create new opportunities for invading your privacy, and enabling the reckless use of that information in a variety of deci- sions about you.

The chapter-opening diagram calls attention to important points raised by this case and this chapter. Online advertising titans like Google, Microsoft, and Yahoo are all looking for ways to monetize their huge collections of online behavioral data. While search engine marketing is arguably the most effective form of advertising in history, banner display ad marketing is highly inefficient because it displays ads to everyone regardless of their interests. Hence the search engine marketers cannot charge much for display ad space. However, by tracking the online movements of 200 million U.S. Internet users, they can develop a very clear picture of who you are, and use that information to show you ads that might be of interest to you. This would make the marketing process more efficient, and more profitable for all the parties involved.

But this solution also creates an “ethical dilemma,” pitting the monetary interests of the online advertisers and search engines against the interests of individuals to maintain a sense of control over their personal information, their privacy. Two closely held values are in conflict here. As a manager, you will need to be sensitive to both the negative and positive impacts of information systems for your firm, employees, and customers. You will need to learn how to resolve ethical dilemmas involving information systems.

Chapter 12: Ethical and Social Issues in Information Systems 419

12.1 Understanding Ethical and Social Issues Related to Systems

In the past 10 years, we have witnessed, arguably, one of the most ethically challenging periods for U.S. and global business. Table 12.1 provides a small sample of recent cases demonstrating failed ethical judgment by senior and middle managers. These lapses in management ethical and business judgment occurred across a broad spectrum of industries.

In today’s new legal environment, managers who violate the law and are convicted will most likely spend time in prison. U.S. federal sentencing guidelines adopted in 1987 mandate that federal judges impose stiff sentences on business executives based on the

TABLE 12.1

Rcent Examples of Failed Ethical Judgment by Senior Managers

Pfizer, Eli Lilly, and Major pharmaceutical firms paid billions of dollars to settle U.S. federal charges that AstraZeneca (2009) executives fixed clinical trials for antipsychotic and pain-killer drugs, marketed them

inappropriately to children, and claimed unsubstantiated benefits while covering up negative outcomes.

Galleon Group (2009) The founder of the Galleon Group was criminally charged with insider trading and paying $250 million to Wall Street banks in return for market information that other investors did not get.

Bear Stearns (2009) Two hedge fund managers were indicted for criminal conspiracy, securities fraud, and wire fraud as prosecutors contend that they misled investors about the health of their funds. They face as many as 20 years in prison if convicted.

Siemens (2009) The world’s largest engineering firm paid over $4 billion to German and U.S. authorities for a decades-long, worldwide bribery scheme approved by corporate executives to influence potential customers and governments.

Mabey & Johnson Ltd. Executives of a supplier of steel bridging based in the United Kingdom, were sentenced for (2009) offenses involving overseas bribery (in Ghana and Jamaica between 1993 and 2001) and

breaching UN sanctions against Iraq (in 2001 and 2002).

420 Part IV: Building and Managing Systems

monetary value of the crime, the presence of a conspiracy to prevent discovery of the crime, the use of structured financial transactions to hide the crime, and failure to cooperate with prosecutors (U.S. Sentencing Commission, 2004).

Although in the past business firms would often pay for the legal defense of their employ- ees enmeshed in civil charges and criminal investigations, now firms are encouraged to coop- erate with prosecutors to reduce charges against the entire firm for obstructing investigations. These developments mean that, more than ever, as a manager or an employee, you will have to decide for yourself what constitutes proper legal and ethical conduct.

Although these major instances of failed ethical and legal judgment were not master- minded by information systems departments, information systems were instrumental in many of these frauds. In many cases, the perpetrators of these crimes artfully used financial reporting information systems to bury their decisions from public scrutiny in the vain hope they would never be caught. We deal with the issue of control in information systems in Chapter 7. In this chapter, we talk about the ethical dimensions of these and other actions based on the use of information systems.

Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors. Information systems raise new ethical questions for both individuals and societies because they create opportunities for intense social change, and thus threaten existing distributions of power, money, rights, and obliga- tions. Like other technologies, such as steam engines, electricity, the telephone, and the radio, information technology can be used to achieve social progress, but it can also be used to commit crimes and threaten cherished social values. The development of information technology will produce benefits for many and costs for others.

Ethical issues in information systems have been given new urgency by the rise of the Internet and electronic commerce. Internet and digital firm technologies make it easier than ever to assemble, integrate, and distribute information, unleashing new concerns about the appropriate use of customer information, the protection of personal privacy, and the protec- tion of intellectual property.

Other pressing ethical issues raised by information systems include establishing account- ability for the consequences of information systems, setting standards to safeguard system quality that protects the safety of the individual and society, and preserving values and institutions considered essential to the quality of life in an information society. When using information systems, it is essential to ask, “What is the ethical and socially responsible course of action?”

A MODEL FOR THINKING ABOUT ETHICAL, SOCIAL, AND POLITICAL ISSUES

Ethical, social, and political issues are closely linked. The ethical dilemma you may face as a manager of information systems typically is reflected in social and political debate. One way to think about these relationships is given in Figure 12-1. Imagine society as a more or less calm pond on a summer day, a delicate ecosystem in partial equilibrium with individu- als and with social and political institutions. Individuals know how to act in this pond because social institutions (family, education, organizations) have developed well-honed rules of behavior, and these are supported by laws developed in the political sector that prescribe behavior and promise sanctions for violations. Now toss a rock into the center of the pond. What happens? Ripples, of course.

Imagine instead that the disturbing force is a powerful shock of new information technology and systems hitting a society more or less at rest. Suddenly, individual actors are confronted with new situations often not covered by the old rules. Social institutions cannot respond overnight to these ripples—it may take years to develop etiquette, expectations, social responsibility, politically correct attitudes, or approved rules. Political institutions also require time before developing new laws and often require the demonstration of real harm before they act. In the meantime, you may have to act. You may be forced to act in a legal gray area.

We can use this model to illustrate the dynamics that connect ethical, social, and political issues. This model is also useful for identifying the main moral dimensions of the information society, which cut across various levels of action—individual, social, and political.

FIVE MORAL DIMENSIONS OF THE INFORMATION AGE

The major ethical, social, and political issues raised by information systems include the following moral dimensions:

• Information rights and obligations. What information rights do individuals and organizations possess with respect to themselves? What can they protect? What obliga- tions do individuals and organizations have concerning this information? • Property rights and obligations. How will traditional intellectual property rights be protected in a digital society in which tracing and accounting for ownership are difficult and ignoring such property rights is so easy? • Accountability and control. Who can and will be held accountable and liable for the harm done to individual and collective information and property rights? • System quality. What standards of data and system quality should we demand to protect individual rights and the safety of society? • Quality of life. What values should be preserved in an information- and knowledge- based society? Which institutions should we protect from violation? Which cultural values and practices are supported by the new information technology?

We explore these moral dimensions in detail in Section 12.3.

KEY TECHNOLOGY TRENDS THAT RAISE ETHICAL ISSUES

Ethical issues long preceded information technology. Nevertheless, information technology has heightened ethical concerns, taxed existing social arrangements, and made some laws obsolete or severely crippled. There are four key technological trends responsible for these ethical stresses and they are summarized in Table 12.2.

The doubling of computing power every 18 months has made it possible for most organizations to use information systems for their core production processes. As a result, our

Chapter 12: Ethical and Social Issues in Information Systems 421

Figure 12-1 The Relationship Between Ethical, Social, and Political Issues in an Information Society The introduction of new information technology has a ripple effect, raising new ethical, social, and political issues that must be dealt with on the individual, social, and political levels. These issues have five moral dimensions: information rights and obligations, property rights and obligations, system quality, quality of life, and accountability and control.

dependence on systems and our vulnerability to system errors and poor data quality have increased. Social rules and laws have not yet adjusted to this dependence. Standards for ensuring the accuracy and reliability of information systems (see Chapter 7) are not univer- sally accepted or enforced.

Advances in data storage techniques and rapidly declining storage costs have been responsible for the multiplying databases on individuals—employees, customers, and potential customers—maintained by private and public organizations. These advances in data storage have made the routine violation of individual privacy both cheap and effective. Massive data storage systems are inexpensive enough for regional and even local retailing firms to use in identifying customers.

Advances in data analysis techniques for large pools of data are another technological trend that heightens ethical concerns because companies and government agencies are able to find out highly detailed personal information about individuals. With contemporary data management tools (see Chapter 5), companies can assemble and combine the myriad pieces of information about you stored on computers much more easily than in the past.

Think of all the ways you generate computer information about yourself—credit card purchases, telephone calls, magazine subscriptions, video rentals, mail-order purchases, banking records, local, state, and federal government records (including court and police records), and visits to Web sites. Put together and mined properly, this information could reveal not only your credit information but also your driving habits, your tastes, your associations, and your political interests.

Companies with products to sell purchase relevant information from these sources to help them more finely target their marketing campaigns. Chapters 3 and 6 describe how companies can analyze large pools of data from multiple sources to rapidly identify buying patterns of customers and suggest individual responses. The use of computers to combine data from multiple sources and create electronic dossiers of detailed information on individ- uals is called profiling.

For example, several thousand of the most popular Web sites allow DoubleClick (owned by Google), an Internet advertising broker, to track the activities of their visitors in exchange for revenue from advertisements based on visitor information DoubleClick gathers. DoubleClick uses this information to create a profile of each online visitor, adding more detail to the profile as the visitor accesses an associated DoubleClick site. Over time, DoubleClick can create a detailed dossier of a person’s spending and computing habits on the Web that is sold to companies to help them target their Web ads more precisely.

ChoicePoint gathers data from police, criminal, and motor vehicle records; credit and employment histories; current and previous addresses; professional licenses; and insurance claims to assemble and maintain electronic dossiers on almost every adult in the United States. The company sells this personal information to businesses and government agencies. Demand for personal data is so enormous that data broker businesses such as ChoicePoint are flourishing.

422 Part IV: Building and Managing Systems

TABLE 12.2

Technology Trends That Raise Ethical Issues

Trend Impact

Computing power doubles every More organizations depend on computer systems 18 months for critical operations

Data storage costs rapidly declining Organizations can easily maintain detailed databases on individuals

Data analysis advances Companies can analyze vast quantities of data gathered on individuals to develop detailed profiles of individual behavior

Networking advances and the Internet Copying data from one location to another and accessing personal data from remote locations are much easier

A new data analysis technology called nonobvious relationship awareness (NORA) has given both the government and the private sector even more powerful profiling capabil- ities. NORA can take information about people from many disparate sources, such as employment applications, telephone records, customer listings, and “wanted” lists, and correlate relationships to find obscure hidden connections that might help identify criminals or terrorists (see Figure 12-2).

Chapter 12: Ethical and Social Issues in Information Systems 423

Figure 12-2 Nonobvious Relationship Awareness (NORA) NORA technology can take information about people from disparate sources and find obscure, nonobvious relationships. It might discover, for example, that an applicant for a job at a casino shares a telephone number with a known criminal and issue an alert to the hiring manager.

Credit card purchases can make personal infor- mation available to mar- ket researchers, telemar- keters, and direct mail companies. Advances in information technology facilitate the invasion of privacy.

NORA technology scans data and extracts information as the data are being generated so that it could, for example, instantly discover a man at an airline ticket counter who shares a phone number with a known terrorist before that person boards an airplane. The technology is considered a valuable tool for homeland security but does have privacy implications because it can provide such a detailed picture of the activities and associations of a single individual.

Finally, advances in networking, including the Internet, promise to greatly reduce the costs of moving and accessing large quantities of data and open the possibility of mining large pools of data remotely using small desktop machines, permitting an invasion of privacy on a scale and with a precision heretofore unimaginable.

12.2 Ethics in an Information Society

Ethics is a concern of humans who have freedom of choice. Ethics is about individual choice: When faced with alternative courses of action, what is the correct moral choice? What are the main features of ethical choice?

BASIC CONCEPTS: RESPONSIBILITY, ACCOUNTABILITY, AND LIABILITY

Ethical choices are decisions made by individuals who are responsible for the consequences of their actions. Responsibility is a key element of ethical action. Responsibility means that you accept the potential costs, duties, and obligations for the decisions you make. Accountability is a feature of systems and social institutions: It means that mechanisms are in place to determine who took responsible action, who is responsible. Systems and institutions in which it is impossible to find out who took what action are inherently incapable of ethical analysis or ethical action. Liability extends the concept of responsibility further to the area of laws. Liability is a feature of political systems in which a body of laws is in place that permits individuals to recover the damages done to them by other actors, systems, or organizations. Due process is a related feature of law-governed societies and is a process in which laws are known and understood and there is an ability to appeal to higher authorities to ensure that the laws are applied correctly.

These basic concepts form the underpinning of an ethical analysis of information systems and those who manage them. First, information technologies are filtered through social institutions, organizations, and individuals. Systems do not have impacts by themselves. Whatever information system impacts exist are products of institutional, organi- zational, and individual actions and behaviors. Second, responsibility for the consequences of technology falls clearly on the institutions, organizations, and individual managers who choose to use the technology. Using information technology in a socially responsible man- ner means that you can and will be held accountable for the consequences of your actions. Third, in an ethical, political society, individuals and others can recover damages done to them through a set of laws characterized by due process.

ETHICAL ANALYSIS

When confronted with a situation that seems to present ethical issues, how should you ana- lyze it? The following five-step process should help.

1. Identify and describe clearly the facts. Find out who did what to whom, and where, when, and how. In many instances, you will be surprised at the errors in the initially reported facts, and often you will find that simply getting the facts straight helps define the solution. It also helps to get the opposing parties involved in an ethical dilemma to agree on the facts.

2. Define the conflict or dilemma and identify the higher-order values involved. Ethical, social, and political issues always reference higher values. The parties to a dispute all

424 Part IV: Building and Managing Systems

claim to be pursuing higher values (e.g., freedom, privacy, protection of property, and the free enterprise system). Typically, an ethical issue involves a dilemma: two diametri- cally opposed courses of action that support worthwhile values. For example, the chapter-ending case study illustrates two competing values: the need to improve health- care record keeping and the need to protect individual privacy.

3. Identify the stakeholders. Every ethical, social, and political issue has stakeholders: players in the game who have an interest in the outcome, who have invested in the situation, and usually who have vocal opinions. Find out the identity of these groups and what they want. This will be useful later when designing a solution.

4. Identify the options that you can reasonably take. You may find that none of the options satisfy all the interests involved, but that some options do a better job than others. Sometimes arriving at a good or ethical solution may not always be a balancing of consequences to stakeholders.

5. Identify the potential consequences of your options. Some options may be ethically correct but disastrous from other points of view. Other options may work in one instance but not in other similar instances. Always ask yourself, “What if I choose this option consistently over time?”

CANDIDATE ETHICAL PRINCIPLES

Once your analysis is complete, what ethical principles or rules should you use to make a decision? What higher-order values should inform your judgment? Although you are the only one who can decide which among many ethical principles you will follow, and how you will prioritize them, it is helpful to consider some ethical principles with deep roots in many cultures that have survived throughout recorded history.

1. Do unto others as you would have them do unto you (the Golden Rule). Putting yourself into the place of others, and thinking of yourself as the object of the decision, can help you think about fairness in decision making.

2. If an action is not right for everyone to take, it is not right for anyone (Immanuel Kant’s Categorical Imperative). Ask yourself, “If everyone did this, could the organization, or society, survive?”

3. If an action cannot be taken repeatedly, it is not right to take at all (Descartes’ rule of change). This is the slippery-slope rule: An action may bring about a small change now that is acceptable, but if it is repeated, it would bring unacceptable changes in the long run. In the vernacular, it might be stated as “once started down a slippery path, you may not be able to stop.”

4. Take the action that achieves the higher or greater value (Utilitarian Principle). This rule assumes you can prioritize values in a rank order and understand the consequences of various courses of action.

5. Take the action that produces the least harm or the least potential cost (Risk Aversion Principle). Some actions have extremely high failure costs of very low probability (e.g., building a nuclear generating facility in an urban area) or extremely high failure costs of moderate probability (speeding and automobile accidents). Avoid these high-failure-cost actions, paying greater attention to high-failure-cost potential of moderate to high probability.

6. Assume that virtually all tangible and intangible objects are owned by someone else unless there is a specific declaration otherwise. (This is the ethical “no free lunch” rule.) If something someone else has created is useful to you, it has value, and you should assume the creator wants compensation for this work.

Although these ethical rules cannot be guides to action, actions that do not easily pass these rules deserve some very close attention and a great deal of caution. The appearance of unethical behavior may do as much harm to you and your company as actual unethical behavior.

Chapter 12: Ethical and Social Issues in Information Systems 425

PROFESSIONAL CODES OF CONDUCT

When groups of people claim to be professionals, they take on special rights and obligations because of their special claims to knowledge, wisdom, and respect. Professional codes of conduct are promulgated by associations of professionals, such as the American Medical Association (AMA), the American Bar Association (ABA), the Association of Information Technology Professionals (AITP), and the Association of Computing Machinery (ACM). These professional groups take responsibility for the partial regulation of their professions by determining entrance qualifications and competence. Codes of ethics are promises by professions to regulate themselves in the general interest of society. For example, avoiding harm to others, honoring property rights (including intellectual property), and respecting privacy are among the General Moral Imperatives of the ACM’s Code of Ethics and Professional Conduct.

SOME REAL-WORLD ETHICAL DILEMMAS

Information systems have created new ethical dilemmas in which one set of interests is pitted against another. For example, many of the large telephone companies in the United States are using information technology to reduce the sizes of their workforces. Voice recog- nition software reduces the need for human operators by enabling computers to recognize a customer’s responses to a series of computerized questions. Many companies monitor what their employees are doing on the Internet to prevent them from wasting company resources on non-business activities (see the Chapter 7 Interactive Session on Management).

In each instance, you can find competing values at work, with groups lined up on either side of a debate. A company may argue, for example, that it has a right to use information systems to increase productivity and reduce the size of its workforce to lower costs and stay in business. Employees displaced by information systems may argue that employers have some responsibility for their welfare. Business owners might feel obligated to monitor employee e-mail and Internet use to minimize drains on productivity. Employees might believe they should be able to use the Internet for short personal tasks in place of the telephone. A close analysis of the facts can sometimes produce compromised solutions that give each side “half a loaf.” Try to apply some of the principles of ethical analysis described to each of these cases. What is the right thing to do?

12.3 The Moral Dimensions of Information Systems

In this section, we take a closer look at the five moral dimensions of information systems first described in Figure 12-1. In each dimension we identify the ethical, social, and political levels of analysis and use real-world examples to illustrate the values involved, the stakeholders, and the options chosen.

INFORMATION RIGHTS: PRIVACY AND FREEDOM IN THE INTERNET AGE

Privacy is the claim of individuals to be left alone, free from surveillance or interference from other individuals or organizations, including the state. Claims to privacy are also involved at the workplace: Millions of employees are subject to electronic and other forms of high-tech surveillance (Ball, 2001). Information technology and systems threaten individual claims to privacy by making the invasion of privacy cheap, profitable, and effective.

The claim to privacy is protected in the U.S., Canadian, and German constitutions in a variety of different ways and in other countries through various statutes. In the United States, the claim to privacy is protected primarily by the First Amendment guarantees of freedom of speech and association, the Fourth Amendment protections against unreasonable search and seizure of one’s personal documents or home, and the guarantee of due process.

426 Part IV: Building and Managing Systems

Table 12.3 describes the major U.S. federal statutes that set forth the conditions for handling information about individuals in such areas as credit reporting, education, financial records, newspaper records, and electronic communications. The Privacy Act of 1974 has been the most important of these laws, regulating the federal government’s collection, use, and disclosure of information. At present, most U.S. federal privacy laws apply only to the federal government and regulate very few areas of the private sector.

Most American and European privacy law is based on a regime called Fair Information Practices (FIP) first set forth in a report written in 1973 by a federal government advisory com- mittee (U.S. Department of Health, Education, and Welfare, 1973). FIP is a set of principles governing the collection and use of information about individuals. FIP principles are based on the notion of a mutuality of interest between the record holder and the individual. The individ- ual has an interest in engaging in a transaction, and the record keeper—usually a business or government agency—requires information about the individual to support the transaction. Once information is gathered, the individual maintains an interest in the record, and the record may not be used to support other activities without the individual’s consent. In 1998, the FTC restated and extended the original FIP to provide guidelines for protecting online privacy. Table 12.4 describes the FTC’s Fair Information Practice principles.

The FTC’s FIP are being used as guidelines to drive changes in privacy legislation. In July 1998, the U.S. Congress passed the Children’s Online Privacy Protection Act (COPPA), requiring Web sites to obtain parental permission before collecting information on children under the age of 13. (This law is in danger of being overturned.) The FTC has recommended additional legislation to protect online consumer privacy in advertising networks that collect records of consumer Web activity to develop detailed profiles, which are then used by other companies to target online ads. Other proposed Internet privacy legislation focuses on protecting the online use of personal identification numbers, such as social security numbers; protecting personal information collected on the Internet that deals with individuals not covered by COPPA; and limiting the use of data mining for homeland security.

In February 2009, the FTC began the process of extending its fair information practices doctrine to behavioral targeting. The FTC held hearings to discuss its program for voluntary industry principles for regulating behavioral targeting. The online advertising trade group Network Advertising Initiative (discussed later in this section), published its own self-

Chapter 12: Ethical and Social Issues in Information Systems 427

TABLE 12.3

Federal Privacy Laws in the United States

General Federal Privacy Laws Privacy Laws Affecting Private Institutionst

Freedom of Information Act of 1966 as Amended (5 USC 552) Fair Credit Reporting Act of 1970

Privacy Act of 1974 as Amended (5 USC 552a) Family Educational Rights and Privacy Act of 1974

Electronic Communications Privacy Act of 1986 Right to Financial Privacy Act of 1978

Computer Matching and Privacy Protection Act of 1988 Privacy Protection Act of 1980

Computer Security Act of 1987 Cable Communications Policy Act of 1984

Federal Managers Financial Integrity Act of 1982 Electronic Communications Privacy Act of 1986

Driver’s Privacy Protection Act of 1994 Video Privacy Protection Act of 1988

E-Government Act of 2002 The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Children’s Online Privacy Protection Act of 1998 (COPPA)

Financial Modernization Act (Gramm–Leach-Bliley Act) of 999

regulatory principles that largely agreed with the FTC. Nevertheless, the government, privacy groups, and the online ad industry are still at loggerheads over two issues. Privacy advocates want both an opt-in policy at all sites and a national Do Not Track list. The industry opposes these moves and continues to insist on an opt-out capability being the only way to avoid tracking (Federal Trade Commission, 2009). Nevertheless, there is an emerg- ing consensus among all parties that greater transparency and user control (especially making opt-out of tracking the default option) is required to deal with behavioral tracking.

Privacy protections have also been added to recent laws deregulating financial services and safeguarding the maintenance and transmission of health information about individuals. The Gramm-Leach-Bliley Act of 1999, which repeals earlier restrictions on affiliations among banks, securities firms, and insurance companies, includes some privacy protection for con- sumers of financial services. All financial institutions are required to disclose their policies and practices for protecting the privacy of nonpublic personal information and to allow customers to opt out of information-sharing arrangements with nonaffiliated third parties.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which took effect on April 14, 2003, includes privacy protection for medical records. The law gives patients access to their personal medical records maintained by healthcare providers, hospitals, and health insurers and the right to authorize how protected information about themselves can be used or disclosed. Doctors, hospitals, and other healthcare providers must limit the disclosure of personal information about patients to the minimum amount necessary to achieve a given purpose.

The European Directive on Data Protection In Europe, privacy protection is much more stringent than in the United States. Unlike the United States, European countries do not allow businesses to use personally identifiable information without consumers’ prior consent. On October 25, 1998, the European Commission’s Directive on Data Protection went into effect, broadening privacy protection in the European Union (EU) nations. The directive requires companies to inform people when they collect information about them and disclose how it will be stored and used. Customers must provide their informed consent before any company can legally use data about them, and they have the right to access that information, correct it, and request that no further data be collected. Informed consent can be defined as consent given with knowledge of all the facts needed to make a rational decision. EU member nations must translate these principles into their own laws and cannot transfer personal data to countries, such as the United States, that do not have similar privacy protection regulations.

428 Part IV: Building and Managing Systems

TABLE 12.4

Federal Trade Commission Fair Information Practice Principles

1. Notice/awareness (core principle). Web sites must disclose their information practices before collecting data. Includes identification of collector; uses of data; other recipients of data; nature of collection (active/inactive); voluntary or required status; consequences of refusal; and steps taken to protect confidentiality, integrity, and quality of the data.

2. Choice/consent (core principle). There must be a choice regime in place allowing consumers to choose how their information will be used for secondary purposes other than supporting the transaction, including internal use and transfer to third parties.

3. Access/participation. Consumers should be able to review and contest the accuracy and completeness of data collected about them in a timely, inexpensive process.

4. Security. Data collectors must take responsible steps to assure that consumer information is accurate and secure from unauthorized use.

5. Enforcement. There must be in place a mechanism to enforce FIP principles. This can involve self-regulation, legislation giving consumers legal remedies for violations, or federal statutes and regulations.

Working with the European Commission, the U.S. Department of Commerce developed a safe harbor framework for U.S. firms. A safe harbor is a private, self-regulating policy and enforcement mechanism that meets the objectives of government regulators and legisla- tion but does not involve government regulation or enforcement. U.S. businesses would be allowed to use personal data from EU countries if they develop privacy protection policies that meet EU standards. Enforcement would occur in the United States using self-policing, regulation, and government enforcement of fair trade statutes.

Internet Challenges to Privacy Internet technology has posed new challenges for the protection of individual privacy. Information sent over this vast network of networks may pass through many different computer systems before it reaches its final destination. Each of these systems is capable of monitoring, capturing, and storing communications that pass through it.

It is possible to record many online activities, including what searches have been conducted, which Web sites and Web pages have been visited, the online content a person has accessed, and what items that person has inspected or purchased over the Web. Much of this monitoring and tracking of Web site visitors occurs in the background without the visitor’s knowledge. It is conducted not just by individual Web sites but by advertising networks such as aQuantive, Yahoo, and DoubleClick that are capable of tracking all brows- ing behavior at thousands of Web sites. Tools to monitor visits to the World Wide Web have become popular because they help businesses determine who is visiting their Web sites and how to better target their offerings. (Some firms also monitor the Internet usage of their employees to see how they are using company network resources.) The commercial demand for this personal information is virtually insatiable.

Web sites can learn the identities of their visitors if the visitors voluntarily register at the site to purchase a product or service or to obtain a free service, such as information. Web sites can also capture information about visitors without their knowledge using cookie technology.

Cookies are small text files deposited on a computer hard drive when a user visits Web sites. Cookies identify the visitor’s Web browser software and track visits to the Web site. When the visitor returns to a site that has stored a cookie, the Web site software will search the visitor’s computer, find the cookie, and know what that person has done in the past. It may also update the cookie, depending on the activity during the visit. In this way, the site can customize its contents for each visitor’s interests. For example, if you purchase a book on the Amazon.com Web site and return later from the same browser, the site will welcome you by name and recommend other books of interest based on your past purchases. DoubleClick, described earlier in this chapter, uses cookies to build its dossiers with details of online purchases and to examine the behavior of Web site visitors. Figure 12-3 illustrates how cookies work.

Chapter 12: Ethical and Social Issues in Information Systems 429

Figure 12-3 How Cookies Identify Web Visitors Cookies are written by a Web site on a visitor’s hard drive. When the visi- tor returns to that Web site, the Web server requests the ID number from the cookie and uses it to access the data stored by that server on that visitor. The Web site can then use these data to display personalized information.

Web sites using cookie technology cannot directly obtain visitors’ names and addresses. However, if a person has registered at a site, that information can be combined with cookie data to identify the visitor. Web site owners can also combine the data they have gathered from cookies and other Web site monitoring tools with personal data from other sources, such as offline data collected from surveys or paper catalog purchases, to develop very detailed profiles of their visitors.

There are now even more subtle and surreptitious tools for surveillance of Internet users. Marketers use Web bugs as another tool to monitor online behavior. Web bugs are tiny graphic files embedded in e-mail messages and Web pages that are designed to monitor who is reading the e-mail message or Web page and transmit that information to another computer. Other spyware can secretly install itself on an Internet user’s computer by piggybacking on larger applications. Once installed, the spyware calls out to Web sites to send banner ads and other unsolicited material to the user, and it can also report the user’s movements on the Internet to other computers. More information is available about Web bugs, spyware, and other intrusive software in Chapter 7.

Google has started using behavioral targeting to help it display more relevant ads based on users’ search activities. One of its programs enables advertisers to target ads based on the search histories of Google users, along with any other information the user submits to Google that Google can obtain, such as age, demographics, region, and other Web activities (such as blogging). An additional program allows Google to help advertisers select keywords and design ads for various market segments based on search histories, such as helping a clothing Web site create and test ads targeted at teenage females.

Google has also been scanning the contents of messages received by users of its free Web- based e-mail service called Gmail. Ads that users see when they read their e-mail are related to the subjects of these messages. Profiles are developed on individual users based on the content in their e-mail. Google’s Chrome Web browser, introduced in 2008, has a Suggest feature that automatically suggests related queries and Web sites as the user enters a search. Critics pointed out this was a key-logger device that would record every keystroke of users forever. Google subsequently announced it would anonymize the data in 24 hours.

The United States has allowed businesses to gather transaction information generated in the marketplace and then use that information for other marketing purposes without obtaining the informed consent of the individual whose information is being used. U.S. e-commerce sites are largely content to publish statements on their Web sites informing visitors about how their information will be used. Some have added opt-out selection boxes to these information policy statements. An opt-out model of informed consent permits the collection of personal information until the consumer specifically requests that the data not be collected. Privacy advocates would like to see wider use of an opt-in model of informed consent in which a business is prohibited from collecting any personal information unless the consumer specifically takes action to approve information collection and use.

The online industry has preferred self-regulation to privacy legislation for protecting consumers. In 1998, the online industry formed the Online Privacy Alliance to encourage self-regulation to develop a set of privacy guidelines for its members. The group promotes the use of online seals, such as that of TRUSTe, certifying Web sites adhering to certain privacy principles. Members of the advertising network industry, including DoubleClick, have created an additional industry association called the Network Advertising Initiative (NAI) to develop its own privacy policies to help consumers opt out of advertising network programs and provide consumers redress from abuses.

Individual firms like AOL, Yahoo!, and Google have recently adopted policies on their own in an effort to address public concern about tracking people online. AOL established an opt-out policy that allows users of its site to not be tracked. Yahoo follows NAI guidelines and also allows opt-out for tracking and Web beacons (Web bugs). Google has reduced retention time for tracking data.

In general, most Internet businesses do little to protect the privacy of their customers, and consumers do not do as much as they should to protect themselves. Many companies with Web sites do not have privacy policies. Of the companies that do post privacy polices

430 Part IV: Building and Managing Systems

on their Web sites, about half do not monitor their sites to ensure they adhere to these policies. The vast majority of online customers claim they are concerned about online pri- vacy, but less than half read the privacy statements on Web sites (Laudon and Traver, 2009).

In one of the more insightful studies of consumer attitudes towards Internet privacy, a group of Berkeley students conducted surveys of online users, and of complaints filed with the Federal Trade Commission involving privacy issues. Here’s some of their results. User concerns: people feel they have no control over the information collected about them, and they don’t know who to complain to. Web site practices: Web sites collect all this informa- tion, but do not let users have access; the policies are unclear; they share data with “affili- ates” but never identify who the affiliates are and how many there are. (MySpace, owned by NewsCorp, has over 1,500 affiliates with whom it shares online information.) Web bug trackers: they are ubiquitous and we are not informed they are on the pages we visit. The results of this study and others suggest that consumers are not saying “take my privacy, I don’t care, send me the service for free.” They are saying “We want access to the informa- tion, we want some controls on what can be collected, what is done with the information, the ability to opt out of the entire tracking enterprise, and some clarity on what the policies really are, and we don’t want those policies changed without our participation and permis- sion.” (The full report is available at knowprivacy.org).

Technical Solutions In addition to legislation, new technologies are available to protect user privacy during interactions with Web sites. Many of these tools are used for encrypting e-mail, for making e-mail or surfing activities appear anonymous, for preventing client computers from accepting cookies, or for detecting and eliminating spyware.

There are now tools to help users determine the kind of personal data that can be extracted by Web sites. The Platform for Privacy Preferences, known as P3P, enables automatic communication of privacy policies between an e-commerce site and its visitors. P3P provides a standard for communicating a Web site’s privacy policy to Internet users and for comparing that policy to the user’s preferences or to other standards, such as the FTC’s FIP guidelines or the European Directive on Data Protection. Users can use P3P to select the level of privacy they wish to maintain when interacting with the Web site.

Chapter 12: Ethical and Social Issues in Information Systems 431

Web sites are posting their privacy policies for visitors to review. The TRUSTe seal designates Web sites that have agreed to adhere to TRUSTe’s established privacy prin- ciples of disclosure, choice, access, and security.

The P3P standard allows Web sites to publish privacy policies in a form that computers can understand. Once it is codified according to P3P rules, the privacy policy becomes part of the software for individual Web pages (see Figure 12-4). Users of Microsoft Internet Explorer Web browsing software can access and read the P3P site’s privacy policy and a list of all cookies coming from the site. Internet Explorer enables users to adjust their comput- ers to screen out all cookies or let in selected cookies based on specific levels of privacy. For example, the “Medium” level accepts cookies from first-party host sites that have opt-in or opt-out policies but rejects third-party cookies that use personally identifiable information without an opt-in policy.

However, P3P only works with Web sites of members of the World Wide Web Consortium who have translated their Web site privacy policies into P3P format. The technology will display cookies from Web sites that are not part of the consortium, but users will not be able to obtain sender information or privacy statements. Many users may also need to be educated about interpreting company privacy statements and P3P levels of privacy. Critics point out that only a small percentage of the most popular Web sites use P3P, most users do not understand their browser’s privacy settings, and there is no enforcement of P3P standards—companies can claim anything about their privacy policies.

PROPERTY RIGHTS: INTELLECTUAL PROPERTY

Contemporary information systems have severely challenged existing laws and social practices that protect private intellectual property. Intellectual property is considered to be intangible property created by individuals or corporations. Information technology has made it difficult to protect intellectual property because computerized information can be so easily copied or distributed on networks. Intellectual property is subject to a variety of protections under three different legal traditions: trade secrets, copyright, and patent law.

Trade Secrets Any intellectual work product—a formula, device, pattern, or compilation of data—used for a business purpose can be classified as a trade secret, provided it is not based on informa- tion in the public domain. Protections for trade secrets vary from state to state. In general, trade secret laws grant a monopoly on the ideas behind a work product, but it can be a very tenuous monopoly.

Software that contains novel or unique elements, procedures, or compilations can be included as a trade secret. Trade secret law protects the actual ideas in a work product, not only their manifestation. To make this claim, the creator or owner must take care to bind

432 Part IV: Building and Managing Systems

Figure 12-4 The P3P Standard P3P enables Web sites to translate their privacy policies into a standard format that can be read by the user’s Web browser software. The browser software evalu- ates the Web site’s pri- vacy policy to determine whether it is compatible with the user’s privacy preferences.

employees and customers with nondisclosure agreements and to prevent the secret from falling into the public domain.

The limitation of trade secret protection is that, although virtually all software programs of any complexity contain unique elements of some sort, it is difficult to prevent the ideas in the work from falling into the public domain when the software is widely distributed.

Copyright Copyright is a statutory grant that protects creators of intellectual property from having their work copied by others for any purpose during the life of the author plus an additional 70 years after the author’s death. For corporate-owned works, copyright protection lasts for 95 years after their initial creation. Congress has extended copyright protection to books, periodicals, lectures, dramas, musical compositions, maps, drawings, artwork of any kind, and motion pictures. The intent behind copyright laws has been to encourage creativity and authorship by ensuring that creative people receive the financial and other benefits of their work. Most industrial nations have their own copyright laws, and there are several interna- tional conventions and bilateral agreements through which nations coordinate and enforce their laws.

In the mid-1960s, the Copyright Office began registering software programs, and in 1980, Congress passed the Computer Software Copyright Act, which clearly provides protection for software program code and for copies of the original sold in commerce, and sets forth the rights of the purchaser to use the software while the creator retains legal title.

Copyright protects against copying of entire programs or their parts. Damages and relief are readily obtained for infringement. The drawback to copyright protection is that the underlying ideas behind a work are not protected, only their manifestation in a work. A com- petitor can use your software, understand how it works, and build new software that follows the same concepts without infringing on a copyright.

“Look and feel” copyright infringement lawsuits are precisely about the distinction between an idea and its expression. For instance, in the early 1990s, Apple Computer sued Microsoft Corporation and Hewlett-Packard for infringement of the expression of Apple’s Macintosh interface, claiming that the defendants copied the expression of overlapping windows. The defendants countered that the idea of overlapping windows can be expressed only in a single way and, therefore, was not protectable under the merger doctrine of copyright law. When ideas and their expression merge, the expression cannot be copyrighted.

In general, courts appear to be following the reasoning of a 1989 case—Brown Bag Software vs. Symantec Corp.—in which the court dissected the elements of software alleged to be infringing. The court found that similar concept, function, general functional features (e.g., drop-down menus), and colors are not protectable by copyright law (Brown Bag Software vs. Symantec Corp., 1992).

Patents A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20 years. The congressional intent behind patent law was to ensure that inventors of new machines, devices, or methods receive the full financial and other rewards of their labor and yet make widespread use of the invention possible by providing detailed diagrams for those wishing to use the idea under license from the patent’s owner. The granting of a patent is determined by the United States Patent and Trademark Office and relies on court rulings.

The key concepts in patent law are originality, novelty, and invention. The Patent Office did not accept applications for software patents routinely until a 1981 Supreme Court decision that held that computer programs could be a part of a patentable process. Since that time, hundreds of patents have been granted and thousands await consideration.

The strength of patent protection is that it grants a monopoly on the underlying concepts and ideas of software. The difficulty is passing stringent criteria of nonobviousness (e.g., the work must reflect some special understanding and contribution), originality, and novelty, as well as years of waiting to receive protection.

Chapter 12: Ethical and Social Issues in Information Systems 433

Challenges to Intellectual Property Rights Contemporary information technologies, especially software, pose severe challenges to existing intellectual property regimes and, therefore, create significant ethical, social, and political issues. Digital media differ from books, periodicals, and other media in terms of ease of replication; ease of transmission; ease of alteration; difficulty in classifying a software work as a program, book, or even music; compactness—making theft easy; and difficulties in establishing uniqueness.

The proliferation of electronic networks, including the Internet, has made it even more difficult to protect intellectual property. Before widespread use of networks, copies of software, books, magazine articles, or films had to be stored on physical media, such as paper, computer disks, or videotape, creating some hurdles to distribution. Using networks, information can be more widely reproduced and distributed. The Fifth Annual Global Software Piracy Study conducted by the International Data Corporation and the Business Software Alliance found that 38 percent of the software installed in 2007 on PCs worldwide was obtained illegally, representing $48 billion in global losses from software piracy. Worldwide, for every two dollars of software purchased legitimately, one dollar’s worth was obtained illegally (Business Software Alliance, 2008).

The Internet was designed to transmit information freely around the world, including copyrighted information. With the World Wide Web in particular, you can easily copy and distribute virtually anything to thousands and even millions of people around the world, even if they are using different types of computer systems. Information can be illicitly copied from one place and distributed through other systems and networks even though these parties do not willingly participate in the infringement.

Individuals have been illegally copying and distributing digitized MP3 music files on the Internet for a number of years. File-sharing services such as Napster, and later Grokster, Kazaa, and Morpheus, sprung up to help users locate and swap digital music files, including those protected by copyright. Illegal file sharing became so widespread that it threatened the viability of the music recording industry. The recording industry won some legal battles for shutting these services down, but has not been able to halt illegal file sharing entirely. As more and more homes adopt high-speed Internet access, illegal file sharing of videos will pose similar threats to the motion picture industry.

Mechanisms are being developed to sell and distribute books, articles, and other intellectual property legally on the Internet, and the Digital Millennium Copyright Act (DMCA) of 1998 is providing some copyright protection. The DMCA implemented a World Intellectual Property Organization Treaty that makes it illegal to circumvent technol- ogy-based protections of copyrighted materials. Internet service providers (ISPs) are required to take down sites of copyright infringers that they are hosting once they are notified of the problem.

Microsoft and other major software and information content firms are represented by the Software and Information Industry Association (SIIA), which lobbies for new laws and enforcement of existing laws to protect intellectual property around the world. The SIIA runs an antipiracy hotline for individuals to report piracy activities, offers educational programs to help organizations combat software piracy, and has published guidelines for employee use of software.

ACCOUNTABILITY, LIABILITY, AND CONTROL

Along with privacy and property laws, new information technologies are challenging existing liability laws and social practices for holding individuals and institutions account- able. If a person is injured by a machine controlled, in part, by software, who should be held accountable and, therefore, held liable? Should a public bulletin board or an electronic service, such as America Online, permit the transmission of pornographic or offensive material (as broadcasters), or should they be held harmless against any liability for what users transmit (as is true of common carriers, such as the telephone system)? What about the Internet? If you outsource your information processing, can you hold the external vendor

434 Part IV: Building and Managing Systems

liable for injuries done to your customers? Some real-world examples may shed light on these questions.

Computer-Related Liability Problems During the last week of September 2009, thousands of customers of TD Bank, one of the largest banks in North America, scrambled to find their payroll checks, social security checks, and savings and checking account balances. The bank’s 6.5 million customers were temporarily out of funds because of a computer glitch. The problems were caused by a failed effort to integrate systems of TD Bank and Commerce Bank. A spokesperson for TD Bank, said that “while the overall integration of the systems went well, there have been some speed-bumps in the final stages, as you might expect with a project of this size and complexity.” (Vijayan, 2009). Who is liable for any economic harm caused to individuals or businesses that could not access their full account balances in this period?

This case reveals the difficulties faced by information systems executives who ultimately are responsible for any harm done by systems developed by their staffs. In general, insofar as computer software is part of a machine, and the machine injures someone physically or economically, the producer of the software and the operator can be held liable for damages. Insofar as the software acts like a book, storing and displaying information, courts have been reluctant to hold authors, publishers, and booksellers liable for contents (the exception being instances of fraud or defamation), and hence courts have been wary of holding software authors liable for booklike software.

In general, it is very difficult (if not impossible) to hold software producers liable for their software products that are considered to be like books, regardless of the physical or economic harm that results. Historically, print publishers, books, and periodicals have not been held liable because of fears that liability claims would interfere with First Amendment rights guaranteeing freedom of expression.

What about software as a service? ATM machines are a service provided to bank customers. Should this service fail, customers will be inconvenienced and perhaps harmed economically if they cannot access their funds in a timely manner. Should liability protec- tions be extended to software publishers and operators of defective financial, accounting, simulation, or marketing systems?

Software is very different from books. Software users may develop expectations of infallibility about software; software is less easily inspected than a book, and it is more difficult to compare with other software products for quality; software claims actually to perform a task rather than describe a task, as a book does; and people come to depend on services essentially based on software. Given the centrality of software to everyday life, the chances are excellent that liability law will extend its reach to include software even when the software merely provides an information service.

Telephone systems have not been held liable for the messages transmitted because they are regulated common carriers. In return for their right to provide telephone service, they must provide access to all, at reasonable rates, and achieve acceptable reliability. But broadcasters and cable television stations are subject to a wide variety of federal and local constraints on content and facilities. Organizations can be held liable for offensive content on their Web sites, and online services, such as America Online, might be held liable for postings by their users. Although U.S. courts have increasingly exonerated Web sites and ISPs for posting material by third parties, the threat of legal action still has a chilling effect on small companies or individuals who cannot afford to take their cases to trial.

SYSTEM QUALITY: DATA QUALITY AND SYSTEM ERRORS

The debate over liability and accountability for unintentional consequences of system use raises a related but independent moral dimension: What is an acceptable, technologically feasible level of system quality? At what point should system managers say, “Stop testing, we’ve done all we can to perfect this software. Ship it!” Individuals and organizations may

Chapter 12: Ethical and Social Issues in Information Systems 435

be held responsible for avoidable and foreseeable consequences, which they have a duty to perceive and correct. And the gray area is that some system errors are foreseeable and correctable only at very great expense, an expense so great that pursuing this level of perfection is not feasible economically—no one could afford the product.

For example, although software companies try to debug their products before releasing them to the marketplace, they knowingly ship buggy products because the time and cost of fixing all minor errors would prevent these products from ever being released. What if the product was not offered on the marketplace, would social welfare as a whole not advance and perhaps even decline? Carrying this further, just what is the responsibility of a producer of computer services—should it withdraw the product that can never be perfect, warn the user, or forget about the risk (let the buyer beware)?

Three principal sources of poor system performance are (1) software bugs and errors, (2) hardware or facility failures caused by natural or other causes, and (3) poor input data quality. A Chapter 7 Learning Track discusses why zero defects in software code of any complexity cannot be achieved and why the seriousness of remaining bugs cannot be estimated. Hence, there is a technological barrier to perfect software, and users must be aware of the potential for catastrophic failure. The software industry has not yet arrived at testing standards for producing software of acceptable but not perfect performance.

Although software bugs and facility catastrophes are likely to be widely reported in the press, by far the most common source of business system failure is data quality. Few companies routinely measure the quality of their data, but individual organizations report data error rates ranging from 0.5 to 30 percent.

QUALITY OF LIFE: EQUITY, ACCESS, AND BOUNDARIES

The negative social costs of introducing information technologies and systems are begin- ning to mount along with the power of the technology. Many of these negative social consequences are not violations of individual rights or property crimes. Nevertheless, these negative consequences can be extremely harmful to individuals, societies, and political institutions. Computers and information technologies potentially can destroy valuable elements of our culture and society even while they bring us benefits. If there is a balance of good and bad consequences of using information systems, who do we hold responsible for the bad consequences? Next, we briefly examine some of the negative social consequences of systems, considering individual, social, and political responses.

Balancing Power: Center Versus Periphery An early fear of the computer age was that huge, centralized mainframe computers would centralize power at corporate headquarters and in the nation’s capital, resulting in a Big Brother society, as was suggested in George Orwell’s novel 1984. The shift toward highly decentralized computing, coupled with an ideology of empowerment of thousands of workers, and the decentralization of decision making to lower organizational levels, have reduced the fears of power centralization in institutions. Yet much of the empowerment described in popular business magazines is trivial. Lower-level employees may be empow- ered to make minor decisions, but the key policy decisions may be as centralized as in the past.

Rapidity of Change: Reduced Response Time to Competition Information systems have helped to create much more efficient national and international markets. The now-more-efficient global marketplace has reduced the normal social buffers that permitted businesses many years to adjust to competition. Time-based competition has an ugly side: The business you work for may not have enough time to respond to global competitors and may be wiped out in a year, along with your job. We stand the risk of developing a “just-in-time society” with “just-in-time jobs” and “just-in-time” workplaces, families, and vacations.

436 Part IV: Building and Managing Systems

Maintaining Boundaries: Family, Work, and Leisure Parts of this book were produced on trains and planes, as well as on vacations and during what otherwise might have been “family” time. The danger to ubiquitous computing, telecommuting, nomad computing, and the “do anything anywhere” computing environ- ment is that it is actually coming true. The traditional boundaries that separate work from family and just plain leisure have been weakened.

Although authors have traditionally worked just about anywhere (typewriters have been portable for nearly a century), the advent of information systems, coupled with the growth of knowledge-work occupations, means that more and more people will are working when traditionally they would have been playing or communicating with family and friends. The work umbrella now extends far beyond the eight-hour day.

Even leisure time spent on the computer threatens these close social relationships. Extensive Internet use, even for entertainment or recreational purposes, takes people away from their family and friends. Among middle school and teenage children, it can lead to harmful anti-social behavior. The Interactive Session on People explores this topic.

Weakening these institutions poses clear-cut risks. Family and friends historically have provided powerful support mechanisms for individuals, and they act as balance points in a society by preserving private life, providing a place for people to collect their thoughts, allowing people to think in ways contrary to their employer, and dream.

Dependence and Vulnerability Today, our businesses, governments, schools, and private associations, such as churches, are incredibly dependent on information systems and are, therefore, highly vulnerable if these systems fail. With systems now as ubiquitous as the telephone system, it is startling to remember that there are no regulatory or standard-setting forces in place that are similar to telephone, electrical, radio, television, or other public utility technologies. The absence of standards and the criticality of some system applications will probably call forth demands for national standards and perhaps regulatory oversight.

Computer Crime and Abuse New technologies, including computers, create new opportunities for committing crime by creating new valuable items to steal, new ways to steal them, and new ways to harm others.

Chapter 12: Ethical and Social Issues in Information Systems 437

Although some people enjoy the convenience of working at home, the “do anything anywhere” com- puting environment can blur the traditional bound- aries between work and family time.

438 Part IV: Building and Managing Systems

INTERACTIVE SESSION: PEOPLE The Perils of Texting: Path to Prison

In February 2009 the British Crown Court sentenced Phillipa Curtis, 21, to 21 months in prison for killing Victoria McBryde after plowing into her car on a modern super highway, killing her instantly. In the hour before the crash, Ms. Curtis had exchanged over two dozen text messages with friends concerning her encounter with a celebrity singer. Defense attorneys argued Phillipa was not texting at the moment of the crash, and had not opened the last text. But the British rules say that “reading or composing text over a period of time is a gross avoidable distraction,” categorized the same way as drunken driving. Police and prosecu- tors argued the car she hit was clearly visible from 300 yards, the lights were on, and it was a clear night. The prosecution argued that in light of the long preceding text conversation, with the ping of an incoming mes- sage, Curtis was distracted from driving. The jury agreed in 50 minutes to a guilty verdict.

Cell phones have become a staple of modern society. Everyone has them, and people carry and use them at all hours of the day. For the most part, this is a good thing: the benefits of staying connected at any time and at any location are considerable. But if you’re like most Americans, you may regularly talk on the phone or even text while at the wheel of a car. This dangerous behavior has resulted in increasing numbers of accidents and fatalities caused by cell phone usage. The trend shows no sign of slowing down, not only because legislation barring the use of mobile devices while driving has been bogged down, but because most people don’t fully understand the risks.

In 2003, a federal study of 10,000 drivers by the National Highway Traffic Safety Administration (NHTSA) set out to determine the effects of using cell phones behind the wheel. The results were conclusive: talking on the phone is equivalent to a 10-point reduc- tion in IQ and a .08 blood alcohol level, which law enforcement considers intoxicated. Hands-free sets were ineffective in eliminating risk, the study found, because the conversation itself is what distracts drivers, not holding the phone. Cell phone use caused 955 fatalities and 240,000 accidents in 2002. Related studies indicated that drivers who talked on the phone while driving increased their crash risk fourfold, and drivers who texted while driving increased their crash risk by a whopping 23 times.

But the NHTSA study was not published immedi- ately due to pressure from congressmen who worried that legislation banning or restricting phone usage in vehicles would be unpopular among voters who regularly multitask while driving. The NHTSA was urged to simply gather information, rather than recom-

mend policy changes. The eventually published mate- rials consisted of stripped-down versions of the agency’s original research. Since the study, mobile device usage has grown by an order of magnitude, making this already dangerous situation worse. In fact, from 1995 to 2008, the number of wireless subscribers in America increased by 800 percent, to 270 million, and Americans’ usage of wireless minutes increased by almost 6,000 percent.

This increase in cell phone usage is accompanied by the increases you would expect in phone-related fatalities and accidents: in 2008, it’s estimated that cell phones caused 2,600 fatalities and 330,000 accidents, up considerably from 2002. Studies show that drivers know that using the phone while driving is one of the most dangerous things you can do on the road, but refuse to admit that it’s dangerous when they them- selves do it. A survey by Vlingo, a developer of voice-driven mobile phone applications, found that 26 percent of phone users admitted to texting while driving, but 83 percent said that the practice should be illegal, which means at least some portion of people are engaging in a practice that they feel should be outlawed.

Of users that text while driving, the more youthful demographic groups, such as the 18–29 age group, are by far the most frequent texters. About three quarters of Americans in this age group regularly text, compared to just 22 percent of the 35–44 age group. Correspondingly, the majority of accidents involving mobile device use behind the wheel involve young adults. Among this age group, texting behind the wheel is just one of a litany of problems raised by frequent texting: anxiety, distrac- tion, failing grades, repetitive stress injuries, and sleep deprivation are just some of the other problems brought about by excessive use of mobile devices. Teenagers are particularly prone to using cell phones to text because they want to know what’s happening to their friends and are anxious about being socially isolated.

Seventy-five billion texts were sent in the United States in June 2009, compared to 7.2 billion in June 2005. Texting is clearly here to stay, and in fact has supplanted phone calls as the most commonly used method of mobile communication. People are unwill- ing to give up their mobile devices because of the pres- sures of staying connected. Neurologists discovered that the response to multitasking suggests that people develop addictions to the digital devices they use most, getting quick bursts of adrenaline, without which dri- ving becomes boring.

Chapter 12: Ethical and Social Issues in Information Systems 439

Despite the obstacles, lawmakers are increasingly recognizing the need for much stronger legislation bar- ring drivers from texting behind the wheel. Though most people aren’t willing to give up their phones entirely, and many legislators believe that it’s not state or federal government’s role to prohibit poor decision- making, many states have made inroads with laws prohibiting texting while operating vehicles. In Utah, drivers crashing while texting can receive 15 years in prison, by far the toughest sentence for texting while driving in the nation. Utah’s law assumes that drivers understand the risks of texting while driving, whereas in other states, prosecutors must prove that the driver knew about the risks of texting while driving before doing so.

Utah’s tough law was the result of a horrifying accident in which a speeding college student, texting at the wheel, rear-ended a car in front. The car lost control, entered the opposite side of the road, and was hit head-on by a pickup truck hauling a trailer, killing

the driver instantly. In September 2008, a train engineer in California was texting within a minute prior to the most fatal train accident in almost two decades. Californian authorities responded by banning the use of cell phones by train workers while on duty. It’s likely that more accidents of this magnitude will have to occur before Americans are persuaded to give up texting while driving.

Sources: Elisabeth Rosenthal, “When Texting Kills, Britain Offers Path to

Prison,” The New York Times, November 9, 2009; Jennifer Steinhauer and Laura M. Holson, “As Text Messages Fly, Danger Lurks,” The New York Times, September 20, 2008; Katie Hafner, “Texting May be Taking a Toll on Teenagers,”

The New York Times, May 26, 2009; Tara Parker-Pope, “Texting Until Their Thumbs Hurt,” The New York Times, May 26, 2009; Tom Regan, “Some Sobering Stats on Texting While Driving,” The Christian Science Monitor, May 28, 2009; Matt Richtel, “Drivers and Legislators Dismiss Cellphone Risks,” The New York Times, July 19, 2009; “Matt Richtel, U.S. Withheld Data on Risks of Distracted Driving,” The New York Times, July 21, 2009; Matt Richtel, “In Study, Texting Lifts Crash Risk by Large Margin,” The New York Times, July 28, 2009; Matt Richtel, “Utah Gets Tough With Texting Drivers,” The New York Times, August 29, 2009; Matt Richtel, “Driver Texting Now an Issue in the Back Seat,” The New York Times, September 9, 2009.

1. Which of the five moral dimensions of informa- tion systems described in the text is involved in this case?

2. What are the ethical, social, and political issues raised by this case?

3. Which of the ethical principles described in the text are useful for decision making about texting while driving?

1. Many people at state and local levels are calling for a federal law against texting while driving. Use a search engine to explore what steps the federal government has taken to discourage texting while driving.

2. Most people are not aware of the widespread impact of texting while driving across the United States. Do a search on “texting while driving.” Examine all the search results for the first two pages. Enter the information into a 2-column table. In the left-hand column put the locality of report and year. In the right-hand column give a brief description of the search result, e.g. accident, report, court judgment, etc. What can you conclude from these search results and table?

CASE STUDY QUESTIONS MIS IN ACTION

Computer crime is the commission of illegal acts through the use of a computer or against a computer system. Computers or computer systems can be the object of the crime (destroy- ing a company’s computer center or a company’s computer files), as well as the instrument of a crime (stealing computer lists by illegally gaining access to a computer system using a home computer). Simply accessing a computer system without authorization or with intent to do harm, even by accident, is now a federal crime.

Computer abuse is the commission of acts involving a computer that may not be illegal but that are considered unethical. The popularity of the Internet and e-mail has turned one form of computer abuse—spamming—into a serious problem for both individuals and businesses. Spam is junk e-mail sent by an organization or individual to a mass audience of Internet users who have expressed no interest in the product or service being marketed. Spammers tend to market pornography, fraudulent deals and services, outright scams, and other products not widely approved in most civilized societies. Some countries have passed

laws to outlaw spamming or to restrict its use. In the United States, it is still legal if it does not involve fraud and the sender and subject of the e-mail are properly identified.

Spamming has mushroomed because it only costs a few cents to send thousands of messages advertising wares to Internet users. According to Sophos, a leading vendor of security software, spam accounted for 97 percent of all e-mail traffic during the first quarter of 2009 (Sophos, 2009). Spam costs for businesses are very high (an estimated at over $50 billion per year) because of the computing and network resources consumed by billions of unwanted e-mail messages and the time required to deal with them.

Internet service providers and individuals can combat spam by using spam filtering software to block suspicious e-mail before it enters a recipient’s e-mail inbox. However, spam filters may block legitimate messages. Spammers know how to skirt around filters by continually changing their e-mail accounts, by incorporating spam messages in images, by embedding spam in e-mail attachments and electronic greeting cards, and by using other people’s computers that have been hijacked by botnets (see Chapter 7). Many spam messages are sent from one country while another country hosts the spam Web site.

Spamming is more tightly regulated in Europe than in the United States. On May 30, 2002, the European Parliament passed a ban on unsolicited commercial messaging. Electronic marketing can be targeted only to people who have given prior consent.

The U.S. CAN-SPAM Act of 2003, which went into effect on January 1, 2004, does not outlaw spamming but does ban deceptive e-mail practices by requiring commercial e-mail messages to display accurate subject lines, identify the true senders, and offer recipients an easy way to remove their names from e-mail lists. It also prohibits the use of fake return addresses. A few people have been prosecuted under the law, but it has had a negligible impact on spamming. Although Facebook and MySpace have won judgments against spammers, most critics argue the law has too many loopholes and is not effectively enforced (Associated Press, 2009).

Employment: Trickle-Down Technology and Reengineering Job Loss Reengineering work is typically hailed in the information systems community as a major benefit of new information technology. It is much less frequently noted that redesigning business processes could potentially cause millions of middle-level managers and clerical workers to lose their jobs. One economist has raised the possibility that we will create a society run by a small “high tech elite of corporate professionals . . . in a nation of the permanently unemployed” (Rifkin, 1993).

Other economists are much more sanguine about the potential job losses. They believe relieving bright, educated workers from reengineered jobs will result in these workers moving to better jobs in fast-growth industries. Missing from this equation are unskilled, blue-collar workers and older, less well-educated middle managers. It is not clear that these groups can be retrained easily for high-quality (high-paying) jobs. Careful planning and sensitivity to employee needs can help companies redesign work to minimize job losses.

The Interactive Session on Organizations explores another consequence of reengineered jobs. In this case, Wal-Mart’s changes in job scheduling for more efficient use of its employ- ees did not cause employees to lose their jobs directly. But it did impact their personal lives and forced them to accept more irregular part-time work. As you read this case, try to identify the problem this company is facing, what alternative solutions are available to management, and whether the chosen solution was the best way to address this problem.

Equity and Access: Increasing Racial and Social Class Cleavages Does everyone have an equal opportunity to participate in the digital age? Will the social, economic, and cultural gaps that exist in the United States and other societies be reduced by information systems technology? Or will the cleavages be increased, permitting the better off to become even more better off relative to others?

These questions have not yet been fully answered because the impact of systems technology on various groups in society has not been thoroughly studied. What is known is that information, knowledge, computers, and access to these resources through educational institutions and public

440 Part IV: Building and Managing Systems

Chapter 12: Ethical and Social Issues in Information Systems 441

INTERACTIVE SESSION: ORGANIZATIONS Flexible Scheduling Good or Bad for Employees?

With nearly 1.4 million workers domestically, Wal-Mart is the largest private employer in the United States. Wal-Mart is also the nation’s number one retailer in terms of sales, registering nearly $379 billion in sales revenue for the fiscal year ending January 31, 2008. Wal-Mart achieved its lofty status through a combination of low prices and low opera- tional costs, enabled by a superb continuous inventory replenishment system.

Now Wal-Mart is trying to lower costs further by changing its methods for scheduling the work shifts of its employees. In early 2007, Wal-Mart revealed that it was adopting a computerized scheduling system, a move that has been roundly criticized by workers’ rights advocates for the impact it may have on employees’ lives.

Traditionally, scheduling employee shifts at big box stores such as Wal-Mart was the domain of store managers who arranged schedules manually.

They based their decisions in part on current store promotions as well as on weekly sales data from the previous year. Typically, the process required a full day of effort for a store manager. Multiply that labor intensity by the number of stores in a chain and you have an expensive task with results that are margin- ally beneficial to the company.

By using a computerized scheduling system, such as the system from Kronos that Wal-Mart adopted, a retail enterprise can produce work schedules for every store in its chain in a matter of hours. Meanwhile, store managers can devote their time to running their individual stores more effectively.

The Kronos scheduling system tracks individual store sales, transactions, units sold, and customer traffic. The system logs these metrics over 15-minute increments for seven weeks at a time, and then measures them against the same data from the previous year. It can also integrate data such as the number of in-store customers at certain hours or the average time required to sell a television set or unload a truck and predict the number of workers needed at any given hour.

A typical result of this type of scheduling might call for a sparse staff early in the day, a significant increase for the midday rush, scaling back toward the end of the afternoon, and then fortifying the staff once again for an evening crowd. However, for a chain like Wal-Mart, which operates thousands of 24-hour stores and has also run into trouble previously for its labor practices, the transition to a computerized scheduling system has resulted in controversy.

For Wal-Mart, using Kronos translates to improved productivity and customer satisfaction. Management reported a 12-percent gain in labor productivity in the quarter ending January 31, 2008.

For Wal-Mart employees, known to the company as associates, the change may decrease the stability of their jobs and, possibly, create financial hardship.

The scheduling generated by Kronos can be unpredictable, requiring associates to be more flexi- ble with their work hours. Stores may ask them to be on call in case of a rush, or to go home during a slow spell. Irregular hours, and inconsistent paychecks, make it more difficult for employees to organize their lives, from scheduling babysitters to paying bills. Alerts from the system may also enable store managers to avoid paying overtime or full-time wages by cutting back the hours of associates who are approaching the thresholds that cause extra benefits to kick in. Associates are almost always people who need all the work they can get.

According to Paul Blank of the Web site WakeUpWalMart.com, which is supported by the United Food and Commercial Workers union, “What the computer is trying to optimize is the most number of part-time and least number of full-time workers at lower labor costs, with no regard for the effect that it has on workers’ lives.” Sarah Clark, speaking on behalf of Wal-Mart, insists the system’s goal is simply to improve customer service by shortening checkout lines and better meeting the needs of shoppers.

To assist in the deployment of its computerized scheduling system in all of its stores, Wal-Mart requests that its associates submit “personal avail- ability” forms. Language on the form instructs associates that “Limiting your personal availability may restrict the number of hours you are scheduled.” Anecdotal evidence suggests that some workers have indeed seen their hours cut and their shifts bounced around. Experienced associates with high pay rates have expressed concern that the system enables managers to pressure them into quitting. If they are unwilling to work nights and weekends, managers have a justification for replacing them with new workers who will make much less per hour. Sarah Clark denies that the system is used in this manner.

Critics of the system can cite the Clayton Antitrust Act of 1914, which states, “The labor of a human being is not a commodity or article of commerce.” Wal-mart employees writing on blogs complain that the flexible scheduling system does not allow them time to have a second job because they have to be available for their Wal-mart job. But flexible scheduling when done right

442 Part IV: Building and Managing Systems

1. What is the ethical dilemma facing Wal-Mart in this case? Do Wal-Mart’s associates also face an ethical dilemma? If so, what is it?

2. What ethical principles apply to this case? How do they apply?

3. What are the potential effects of computerized scheduling on employee morale? What are the consequences of these effects for Wal-Mart?

4. For what kinds of workers is flexible scheduling a positive benefit, and why?

by taking into account the outside demands on employ- ees can be very helpful. For instance, flexible schedul- ing can allow two parents to share a job, or allow women with young children a schedule that fits in with raising children. No legal battles over computerized scheduling appear imminent, so interpreting whether Wal-Mart’s strategy equals treating its labor force as a commodity will have to wait.

In the meantime, Wal-Mart is once again at the forefront of technology trends in its industry. Ann

Visit the Web site at www.WakeUpWalMart.com and then answer the following questions:

1. What are this group’s major points of contention with Wal-Mart?

2. How well does the Web site serve their cause? Does the site help their cause or hurt it?

3. What other approach could the organization take to bring about change?

Using Wal-Mart’s Web site and Google for research, answer the following questions:

4. How does Wal-Mart address the issues raised by organizations such as WakeUpWalMart.com?

5. Are the company’s methods effective?

6. If you were a public relations expert advising Wal-Mart, what suggestions would you make for handling criticism?

Taylor Stores, Limited Brands, Gap, Williams- Sonoma, and GameStop have all installed similar workforce scheduling systems.

Sources: Vanessa O’Connell, “Retailers Reprogram Workers in Efficiency Push,”

Jennifer Turano, “Two Workers, Wearing One Hat,” The New York Times, October 4, 2009; The Wall Street Journal, September 10, 2008; Kris Maher, “Wal-Mart Seeks New Flexibility in Worker Shifts,” The Wall Street Journal, January 3, 2007; www.kronos.com, accessed July 15, 2008; Bob Evans, “Wal-Mart’s Latest

‘Orwellian’ Technology Move: Get Over It,” InformationWeek, April 6, 2007; and “More Opinions on Wal-Mart’s Flexible Scheduling,” InformationWeek, April 17, 2007.

CASE STUDY QUESTIONS MIS IN ACTION

libraries are inequitably distributed along ethnic and social class lines, as are many other infor- mation resources. Several studies have found that certain ethnic and income groups in the United States are less likely to have computers or online Internet access even though computer owner- ship and Internet access have soared in the past five years. Although the gap is narrowing, higher- income families in each ethnic group are still more likely to have home computers and Internet access than lower-income families in the same group.

A similar digital divide exists in U.S. schools, with schools in high-poverty areas less likely to have computers, high-quality educational technology programs, or Internet access availability for their students. Left uncorrected, the digital divide could lead to a society of information haves, computer literate and skilled, versus a large group of information have-nots, computer illiterate and unskilled. Public interest groups want to narrow this digital divide by making digital information services—including the Internet—available to virtually everyone, just as basic telephone service is now.

Health Risks: RSI, CVS, and Technostress The most common occupational disease today is repetitive stress injury (RSI). RSI occurs when muscle groups are forced through repetitive actions often with high-impact loads

(such as tennis) or tens of thousands of repetitions under low-impact loads (such as working at a computer keyboard).

The single largest source of RSI is computer keyboards. The most common kind of computer-related RSI is carpal tunnel syndrome (CTS), in which pressure on the median nerve through the wrist’s bony structure, called a carpal tunnel, produces pain. The pressure is caused by constant repetition of keystrokes: in a single shift, a word processor may perform 23,000 keystrokes. Symptoms of carpal tunnel syndrome include numbness, shoot- ing pain, inability to grasp objects, and tingling. Millions of workers have been diagnosed with carpal tunnel syndrome.

RSI is avoidable. Designing workstations for a neutral wrist position (using a wrist rest to support the wrist), proper monitor stands, and footrests all contribute to proper posture and reduced RSI. Ergonomically correct keyboards are also an option. These measures should be supported by frequent rest breaks and rotation of employees to different jobs.

RSI is not the only occupational illness computers cause. Back and neck pain, leg stress, and foot pain also result from poor ergonomic designs of workstations. Computer vision syndrome (CVS) refers to any eyestrain condition related to computer display screen use. Its symptoms, which are usually temporary, include headaches, blurred vision, and dry and irritated eyes.

The newest computer-related malady is technostress, which is stress induced by computer use. Its symptoms include aggravation, hostility toward humans, impatience, and fatigue. According to experts, humans working continuously with computers come to expect other humans and human institutions to behave like computers, providing instant responses, attentiveness, and an absence of emotion. Technostress is thought to be related to high levels of job turnover in the computer industry, high levels of early retirement from computer- intense occupations, and elevated levels of drug and alcohol abuse.

The incidence of technostress is not known but is thought to be in the millions and growing rapidly in the United States. Computer-related jobs now top the list of stressful occupations based on health statistics in several industrialized countries.

To date, the role of radiation from computer display screens in occupational disease has not been proved. Video display terminals (VDTs) emit nonionizing electric and magnetic fields at low frequencies. These rays enter the body and have unknown effects on enzymes, molecules, chromosomes, and cell membranes. Long-term studies are investigating low- level electromagnetic fields and birth defects, stress, low birth weight, and other diseases. All manufacturers have reduced display screen emissions since the early 1980s, and European countries, such as Sweden, have adopted stiff radiation emission standards.

Chapter 12: Ethical and Social Issues in Information Systems 443

Repetitive stress injury (RSI) is the leading occu- pational disease today. The single largest cause of RSI is computer key- board work.

The computer has become a part of our lives—personally as well as socially, culturally, and politically. It is unlikely that the issues and our choices will become easier as informa- tion technology continues to transform our world. The growth of the Internet and the infor- mation economy suggests that all the ethical and social issues we have described will be heightened further as we move into the first digital century.

12.4 Hands-On MIS Projects

The projects in this section give you hands-on experience in analyzing the privacy implications of using online data brokers, developing a corporate policy for employee Web usage, using blog creation tools to create a simple blog, and using Internet newsgroups for market research.

MANAGEMENT DECISION PROBLEMS

1. USAData’s Web site is linked to massive databases that consolidate personal data on millions of people. Anyone with a credit card can purchase marketing lists of consumers broken down by location, age, income level, and interests. If you click on Consumer Leads to order a consumer mailing list, you can find the names, addresses, and sometimes phone numbers of potential sales leads residing in a specific location and purchase the list of those names. One could use this capability to obtain a list, for example, of everyone in Peekskill, New York, making $150,000 or more per year. Do data brokers such as USAData raise privacy issues? Why or why not? If your name and other personal information were in this database, what limitations on access would you want in order to preserve your privacy? Consider the following data users: government agencies, your employer, private business firms, other individuals.

2. As the head of a small insurance company with six employees, you are concerned about how effectively your company is using its networking and human resources. Budgets are tight, and you are struggling to meet payrolls because employees are reporting many overtime hours. You do not believe that the employees have a sufficiently heavy work load to warrant working longer hours and are looking into the amount of time they spend on the Internet.

444 Part IV: Building and Managing Systems

WEB USAGE REPORT FOR THE WEEK ENDING JANUARY 9, 2009

User Name Minutes Online Web Site Visited

Kelleher, Claire 45 www.doubleclick.net

Kelleher, Claire 107 www.yahoo.com

Kelleher, Claire 96 www.insweb.com

McMahon, Patricia 83 www.itunes.com

McMahon, Patricia 44 www.insweb.com

Milligan, Robert 112 www.youtube.com

Milligan, Robert 43 www.travelocity.com

Olivera, Ernesto 40 www.CNN.com

Talbot, Helen 125 www.etrade.com

Talbot, Helen 27 www.nordstrom.com

Talbot, Helen 35 www.yahoo.com

Talbot, Helen 73 www.ebay.com

Wright, Steven 23 www.facebook.com

Wright, Steven 15 www.autobytel.com

Each employee uses a computer with Internet access on the job. You requested the pre- ceding weekly report of employee Web usage from your information systems department.

• Calculate the total amount of time each employee spent on the Web for the week and the total amount of time that company computers were used for this purpose. Rank the employees in the order of the amount of time each spent online.

• Do your findings and the contents of the report indicate any ethical problems employees are creating? Is the company creating an ethical problem by monitoring its employees’ use of the Internet?

• Use the guidelines for ethical analysis presented in this chapter to develop a solution to the problems you have identified.

ACHIEVING OPERATIONAL EXCELLENCE: CREATING A SIMPLE BLOG

Software skills: Blog creation Business skills: Blog and Web page design

In this project, you’ll learn how to build a simple blog of your own design using the online blog creation software available at Blogger.com. Pick a sport, hobby, or topic of interest as the theme for your blog. Name the blog, give it a title, and choose a template for the blog. Post at least four entries to the blog, adding a label for each posting. Edit your posts, if necessary. Upload an image, such as a photo from your hard drive or the Web to your blog. (Google rec- ommends Open Photo, Flickr: Creative Commons, or Creative Commons Search as sources for photos. Be sure to credit the source for your image.) Add capabilities for other registered users, such as team members, to comment on your blog. Briefly describe how your blog could be useful to a company selling products or services related to the theme of your blog. List the tools available to Blogger (including Gadgets) that would make your blog more useful for business and describe the business uses of each. Save your blog and show it to your instructor.

IMPROVING DECISION MAKING: USING INTERNET NEWSGROUPS FOR ONLINE MARKET RESEARCH

Software Skills: Web browser software and Internet newsgroups Business Skills: Using Internet newsgroups to identify potential customers

This project will help develop your Internet skills in using newsgroups for marketing. It will also ask you to think about the ethical implications of using information in online discussion groups for business purposes.

You are producing hiking boots that you sell through a few stores at this time. You think your boots are more comfortable than those of your competition. You believe you can under- sell many of your competitors if you can significantly increase your production and sales. You would like to use Internet discussion groups interested in hiking, climbing, and camp- ing both to sell your boots and to make them well known. Visit groups.google.com, which stores discussion postings from many thousands of newsgroups. Through this site you can locate all relevant newsgroups and search them by keyword, author’s name, forum, date, and subject. Choose a message and examine it carefully, noting all the information you can obtain, including information about the author.

• How could you use these newsgroups to market your boots? • What ethical principles might you be violating if you use these messages to sell your

boots? Do you think there are ethical problems in using newsgroups this way? Explain your answer.

• Next use Google or Yahoo.com to search the hiking boots industry and locate sites that will help you develop other new ideas for contacting potential customers.

• Given what you have learned in this and previous chapters, prepare a plan to use newsgroups and other alternative methods to begin attracting visitors to your site.

Chapter 12: Ethical and Social Issues in Information Systems 445

446 Part IV: Building and Managing Systems

Review Summary

1 What ethical, social, and political issues are raised by information systems? Information technology is introducing changes for which laws and rules of accept-

able conduct have not yet been developed. Increasing computing power, storage, and net- working capabilities—including the Internet—expand the reach of individual and organi- zational actions and magnify their impacts. The ease and anonymity with which information is now communicated, copied, and manipulated in online environments pose new challenges to the protection of privacy and intellectual property. The main ethical, social, and political issues raised by information systems center around information rights and obligations, property rights and obligations, accountability and control, system qual- ity, and quality of life.

2 What specific principles for conduct can be used to guide ethical decisions? Six ethical principles for judging conduct include the Golden Rule, Immanuel Kant’s

Categorical Imperative, Descartes’ rule of change, the Utilitarian Principle, the Risk Aversion Principle, and the ethical “no free lunch” rule. These principles should be used in conjunction with an ethical analysis.

3 Why do contemporary information systems technology and the Internet pose challenges to the protection of individual privacy and intellectual property?

Contemporary data storage and data analysis technology enables companies to easily gather personal data about individuals from many different sources and analyze these data to create detailed electronic profiles about individuals and their behaviors. Data flowing over the Internet can be monitored at many points. Cookies and other Web monitoring tools closely track the activities of Web site visitors. Not all Web sites have strong privacy protection poli- cies, and they do not always allow for informed consent regarding the use of personal infor- mation. Traditional copyright laws are insufficient to protect against software piracy because digital material can be copied so easily and transmitted to many different locations simulta- neously over the Internet.

4 How have information systems affected everyday life? Although computer systems have been sources of efficiency and wealth, they have some negative impacts.

Computer errors can cause serious harm to individuals and organizations. Poor data quality is also responsible for disruptions and losses for businesses. Jobs can be lost when comput- ers replace workers or tasks become unnecessary in reengineered business processes. The ability to own and use a computer may be exacerbating socioeconomic disparities among different racial groups and social classes. Widespread use of computers increases opportuni- ties for computer crime and computer abuse. Computers can also create health problems, such as RSI, computer vision syndrome, and technostress.

LEARNING TRACKS

The following Learning Tracks provide content relevant to the topics covered in this chapter:

1. Developing a Corporate Code of Ethics for Information Systems

2. Creating a Web Page

Chapter 12: Ethical and Social Issues in Information Systems 447

Review Questions

1. What ethical, social, and political issues are raised by information systems?

• Explain how ethical, social, and political issues are connected and give some examples. • List and describe the key technological trends that heighten ethical concerns. • Differentiate between responsibility, accountability, and liability.

2. What specific principles for conduct can be used to guide ethical decisions?

• List and describe the five steps in an ethical analysis. • Identify and describe six ethical principles.

3. Why do contemporary information systems technology and the Internet pose challenges to the protection of individual privacy and intellectual property?

• Define privacy and fair information practices. • Explain how the Internet challenges the protection of individual privacy and intellectual

property. • Explain how informed consent, legislation, industry self-regulation, and technology

tools help protect the individual privacy of Internet users. • List and define the three different regimes that protect intellectual property rights.

4. How have information systems affected everyday life?

• Explain why it is so difficult to hold software services liable for failure or injury. • List and describe the principal causes of system quality problems. • Name and describe four quality-of-life impacts of computers and information systems. • Define and describe technostress and RSI and explain their relationship to information

technology.

Ethical “no free lunch” rule, 425

Ethics, 420

Fair Information Practices (FIP), 427

Golden Rule, 425

Immanuel Kant’s Categorical Imperative, 425

Information rights, 421

Informed consent, 428

Intellectual property, 432

Liability, 424

Nonobvious relationship awareness (NORA), 423

Opt-in, 430

Opt-out, 430

P3P, 431

Patent, 433

Privacy, 426

Profiling, 422

Repetitive stress injury (RSI), 432

Responsibility, 424

Risk Aversion Principle, 425

Safe harbor, 429

Spam, 439

Spyware, 430

Technostress, 443

Trade secret, 432

Utilitarian Principle, 425

Web bugs, 430

Accountability, 424

Carpal tunnel syndrome (CTS), 443

Computer abuse, 439

Computer crime, 439

Computer vision syndrome (CVS), 443

Cookies, 429

Copyright, 433

Descartes’ rule of change, 425

Digital divide, 442

Digital Millennium Copyright Act (DMCA), 434

Due process, 424

Key Terms

448 Part IV: Building and Managing Systems

Collaboration and Teamwork

Developing a Corporate Ethics Code With three or four of your classmates, develop a corporate ethics code on privacy that addresses both employee privacy and the privacy of customers and users of the corporate Web site. Be sure to consider e-mail privacy and employer monitoring of worksites, as well as corporate use of information about employees concerning their off-the-job behavior (e.g., lifestyle, marital arrangements, and so forth). If possible, use Google Sites to post links to Web pages, team communication announcements, and work assignments; to brain- storm; and to work collaboratively on project documents. Try to use Google Docs to develop your solution and presentation for the class.

Video Cases

Video Cases and Instructional Videos illustrating some of the concepts in this chapter are available. Contact your instructor to access these videos.

Discussion Questions

1. Should producers of software-based ser- vices, such as ATMs, be held liable for eco- nomic injuries suffered when their systems fail?

2. Should companies be responsible for unemployment caused by their information systems? Why or why not?

Chapter 12: Ethical and Social Issues in Information Systems 449

BUSINESS PROBLEM-SOLVING CASE

Google, Microsoft, and IBM: The Health of Your Medical Records’ Privacy

tors to be sent automatically to Google Health (Google’s online medical record system) or other per- sonal health records systems online. It’s a broad- reaching software platform that will bring data porta- bility and medical records interoperability in direct conflict with a huge industry entrenched in siloed data.

Estimates are that the Health Information Technology initiative will create over 200,000 jobs in MIS and systems, and the 10-year cost is $75–$100 billion. The project should pay for itself with an estimated savings of $175–$200 billion a year. The Health Information Technology initiative is arguably the largest manage- ment information systems project in the history of the United States since the computerization of the Social Security System records in the 1950s. What’s involved is not just dropping PCs on doctors’ desktops and operat- ing tables. Instead, a massive investment in organization and management, cultural change, software, and interface design is required. In short, the skills you learn in this book will be highly valued!

The bad news is that the health of your personal privacy will probably decline, significantly. You will most likely lose control over what private medical information about you is distributed, and you will not be able to restrict its distribution. Your medical records will be a very efficient, instantly accessible, “semi public” document accessible by millions of health care workers whom you will never meet or know about. And you won’t ever really know who has access to your records, or understand how they are or might be used.

The health-care industry is notoriously bad at keep- ing medical records private. Georgia Blue-Cross intro- duced a change in its medical information system without testing, and sent thousands of patient records to the wrong fax machine in a neighboring state. A former billing clerk at Cedars-Sinai Medical Center in Los Angeles was arrested in November 2008 and charged with stealing patient records and using the identities to steal from insurers. In 2009, the Kaiser Permanente Bellflower Medical Center in Los Angeles was hit with a $187,500 fine for failing to prevent unauthorized access to confidential patient informa- tion—employees were improperly accessing the med- ical records of Nadya Suleman and her eight children. This is the second penalty against the hospital. Even Britney Spears has not been spared: UCLA Medical Center was embarrassed to disclose that employees had sifted through the medical files of more than 30

During a typical trip to the doctor, you will see shelves full of folders and papers devoted to the storage of med- ical records. Every time you visit, your records are cre- ated or modified, and often duplicate copies are gener- ated throughout the course of a visit to the doctor or a hospital. Take a look at your doctor’s office and chances are you’ll see a bevy of clerks bent over desks filled with paper forms, mostly insurance claim documents. The majority of medical records are currently paper-based, making effective communication and access to the records difficult: only 8 percent of the nation’s 5,000 hospitals and 17 percent of the nation’s 800,000 doctors use computerized health care records of any kind. Americans made well over a billion visits to doctors and hospitals over the past year, with each American making approximately four visits on average. As a result, there are millions of paper medical records lining the corridors of thousands of local medical practices, and for the most part, they cannot be systematically examined, and they are difficult to share.

Now for some good news: the administrative waste could be largely eliminated by a massive investment in a nationwide health care record system based on standard- ized record formats, and the participation of all elements in the health care provider industry.

The United States spends about $2 trillion on health- care, and about $700 billion or one-third is “waste,” loosely defined as costs that could be shed if the health- care industry followed best practices. This waste is a major reason why the United States has the highest-cost medical system per capita in the world. Among the many sources of waste are fraud, duplicate tests, unnecessary care, medical mistakes, administrative inefficiency, redundant paperwork, and a paper-based health records system. The outdated administrative procedures and records situation causes an estimated 25 percent of the total “waste,” or about $175 billion a year.

There’s more good news about medical records: the new Obama administration in February 2009 set aside $19 billion to fund a Health Information Technology program as a part of the American Recovery and Reinvestment Act of 2009. The goal: computerize all health records by 2014. And the major technology companies are banding together and offering up solu- tions, responding to the opportunity of billions of dol- lars of government contracts. IBM, Google, Microsoft, and a consortium of medical device makers and other companies have formed an alliance to create a software platform that will allow medical data from at-home devices like glucose meters and blood pressure moni-

450 Part IV: Building and Managing Systems

“health profile” for medications, conditions, and allergies; reminder messages for prescription refills or doctor visits; directories for nearby doctors; and person- alized health advice. The application will also be able to accept information from many different record keeping technologies currently in use by hospitals and other institutions. The intent of the system is to make patients’ records easily accessible and more complete and to streamline record keeping.

Google has proven that it is very good at what it does. It is, among other things, one of the largest advertising firms in the world, and the largest Web tracker of individuals in the United States. But what if Google were seeking personal information about you? You might not feel as good about Google’s quest to organize the world’s information when you consider that some of that information is information you’d prefer remain pri- vate. Google’s development of its Google Health appli- cation illustrates the conflict between its self-avowed mission and the individual’s right to privacy. Would you trust Google with your health records know- ing that a potential employer, or current employer, might be able to access those records?

Proponents of electronic health records argue that computer technology, once fully implemented, would enhance security rather than threaten it. They also believe that it is more important to first get the system up and running than to worry about privacy matters. Congressional Representative Joe Barton of Texas, an advocate of legislation that would speed the develop- ment of such records, said that “privacy is an important issue, but more important is that we get a health information system in place.” Lawmakers like Barton feel that the benefits of systems like Google Health outweigh the privacy risks, and that further legislation to impose privacy controls can be added after the fact. Some experts disagree with that stance, saying that unless an electronic system has sufficient privacy controls from the outset, it is less likely to become universally used. Even if the system’s security controls are sufficient, it is important that consumers are aware of those controls and confident that they can use the system without fear of their records being accessed by unauthorized parties. Creating an electronic health system without the proper security controls would not only be an unacceptable privacy risk, but would be doomed to failure because potential users would be unwilling to cooperate with the information requirements of the system.

Google is not the only company to set its sights on online medical records. Microsoft and Revolution Health Group LLC, founded by AOL co-founder Steve Case, among others, are also launching similar sites where users can maintain online health profiles. As of yet it is too early to tell whether any of these ventures will be

celebrities, including singer Britney Spears, actress Farah Fawcett, and California First Lady Maria Shriver. There are occasional horror stories like those of Patricia Galvin that reinforce the worries many peo- ple have about the privacy of their medical records. Galvin attempted to acquire disability benefits for her chronic back pain but was turned down on the basis of her psychologist’s notes, which were supposed to be confidential. The number of monthly medical privacy complaints received by the Department of Health and Human Services has been steadily approaching 750 per month over the past several years, up from 150 in 2003. People fear that a switch to electronic medical records could be even more vulnerable to security breaches and privacy violations.

Privacy advocacy group Privacyrights.org documented 248 serious personal data record breaches in 2009, and about 24 percent of those involved medical service providers—doctors, hospitals, and insurance companies. In October 2009, the New York Times published a table illustrating 32 different groups who have “legitimate” access to your medical records, a staggering array of doctors, business associates, government agencies, and data miners (including pharmaceutical companies and their sales staffs). It is conceivable that over a million people have direct access to medical records throughout the United States.

These privacy concerns are far from unfounded. HIPAA—the Health Insurance Portability and Accountability Act of 1996—provides very limited protections for personal medical records. HIPAA basi- cally legitimizes rather than constrains the near unlim- ited flow of information between healthcare providers, health insurers, and clearinghouses for payment process- ing. HIPAA makes it all legal and then asks you to sign off on it as a condition of receiving medical treatment! There are no federal privacy protections for patients who set up personal health records online, say at Google or other Web sites offering medical record services. Even hospitals and practices that currently use electronic storage formats report a high incidence of security breaches, with a quarter of healthcare technology professionals reporting at least one security breach in the past year. According to a 2006 Federal Trade Commission study, about 249,000 Americans had their personal information misused for the purpose of obtaining medical treatment, supplies, or services.

Google has put itself center stage in the health records arena. In March 2008, Google announced an application that it hopes will alleviate the inefficiency of the current medical record storage system: Google Health. Google Health will allow consumers to enter their basic medical data into an online repository and invite doctors to send relevant information to Google electronically. The service is free to users. Features will include a

Chapter 12: Ethical and Social Issues in Information Systems 451

successful in the long term. The federal office in charge of creating a national network of electronic health records, the Office of the Coordinator of Health Information Technology, announced in March of 2008 that it plans to integrate its system with both Google and Microsoft’s healthcare databases, among others.

One way or another, private industry and government will likely move forward slowly towards a national medical record information system. The ethical and moral dilemma posed by this national system involves an inherent conflict between two closely held values: medical care efficiency and effectiveness versus the privacy of your personal medical information.

Sources: Amalia R. Miller and Catherine E. Tucker, “Electronic Discovery and

Electronic Medical Records: Does the Threat of Litigation Affect Firm Decisions to

Adopt Technology?” FTC Seminar, April 27, 2009; Natasha Singer, “When 2+2 Equals

A Privacy Question,” The New York Times, October 18, 2009. David Pogue. “Computerized Health Records,” The New York Times, October 15, 2009; and Reuters News. “Healthcare In the U.S. Wastes Up to $800 Billion A Year,” The New York Times, October 26, 2009.

Case Study Questions

1. What concepts in the chapter are illustrated in this case? Who are the stakeholders in this case?

2. What are the problems with America’s current med- ical record keeping system? How would electronic medical records alleviate these problems?

3. What management, organization, and technology fac- tors are most critical to the creation and development of electronic medical records?

4. What are the pros and cons of electronic patient records? Do you think the concerns over digitizing our medical records are valid? Why or why not?

5. Should people entrust Google with their electronic medical records? Why or why not?

6. If you were in charge of designing an electronic med- ical record keeping system, what are some features you would include? What are features you would avoid?