EIS Test
Chapter 3
Ethics and Privacy
[ LEARNING OBJECTIVES ]
1. Define ethics, list and describe the three fundamental tenets of ethics, and describe the four categories of ethical issues related to information technology.
2. Identify three places that store personal data, and for each one, discuss at least one potential threat to the privacy of the data stored there.
[ CHAPTER OUTLINE ]
3.1 Ethical Issues
3.2 Privacy
[ WEB RESOURCES ]
Student Companion Site wiley.com/college/rainer
• Student PowerPoints for note taking
• Interactive Case: Ruby’s Club Assignments
• Complete glossary
WileyPlus
All of the above and
• E-book
• Mini-lecture by author for each chapter section
• Practice quizzes
• Flash Cards for vocabulary review
• Additional “What’s in IT for Me?” cases
• Video interviews with managers
• Lab Manual for Microsoft Office 2010
• How-to Animations for Microsoft Office 2010
What’s In IT For Me?
This chapter will help prepare you to . . .
[Figure: functional areas POM, FIN, HR, MKT, MIS, ACCT, with the following labels]
• Ensure correctness of annual reports
• Adhere to regulatory environment
• Monitor labor laws overseas
• Monitor appropriate use of IT in workplace
• Monitor correct use of sensitive company data
• Ensure privacy of customers
[ What to Do About WikiLeaks? ]
The Problem (?)
One of the major controversies generated by the Vietnam War occurred in 1971, when The New York Times and other sources publicized excerpts from a secret Defense Department study—quickly labeled The Pentagon Papers—that detailed the history of U.S. involvement in Southeast Asia. These documents had been copied by defense analyst Daniel Ellsberg, one of the contributors to the study. Given the existing technologies, Ellsberg had to photocopy thousands of documents by hand.
Today, whistleblowers—employees with insider knowledge of an organization—can capture huge amounts of incriminating documents on a laptop, memory stick, or portable hard drive. They can send the information through personal e-mail accounts or online drop sites, or they can simply submit it directly to WikiLeaks (www.wikileaks.org).
WikiLeaks was officially unveiled in December 2006. Julian Assange, one of the founders, was reportedly inspired by the leak of the Pentagon Papers. Assange intended WikiLeaks to serve as a dropbox for anyone, anywhere, who disagreed with any organization’s activities or secrets. According to its Web site, WikiLeaks focuses on material of ethical, political, and historical significance. In its first year, the organization’s database expanded to 1.2 million documents. In addition, WikiLeaks receives approximately 10,000 new documents every day.
Since its inception, WikiLeaks has had significant impacts on both businesses and governments. We discuss several examples below.
In January 2008, WikiLeaks posted documents alleging that the Swiss bank Julius Baer (www.juliusbaer.com) hid its clients’ profits from even the Swiss government by concealing them in what seemed to be shell companies in the Cayman Islands. The bank filed a lawsuit against WikiLeaks for publishing data that it claimed had been stolen from its clients. Baer later dropped the lawsuit—but only after generating embarrassing publicity for itself.
In October 2008, Iceland’s Kaupthing Bank collapsed, saddling the country with $128 billion in debts. Ten months later, Bogi Agustsson, the anchor for Icelandic national broadcaster RUV, appeared on the evening news and explained that a legal injunction had prevented the station from airing an exposé on the bank. Viewers who wanted to see the material, he suggested, should visit WikiLeaks. People who took Agustsson’s advice found a summary of Kaupthing’s loans posted on the Web site, detailing more than $6 billion funneled from the bank to its owners and companies they owned, often with little or no collateral. WikiLeaks promptly became a household name in Iceland.
The following year, WikiLeaks published documents from a pharmaceutical trade group implying that its lobbyists were receiving confidential documents from, and exerting influence over, a World Health Organization (WHO) project to fund drug research in the developing world. The resulting attention helped to terminate the project.
In September 2009, commodities company Trafigura (www.trafigura.com) requested an injunction from the courts preventing the British media from mentioning a damaging internal report. The report indicated that the company had dumped tons of toxic waste in the Ivory Coast that sickened 100,000 local inhabitants. Although Trafigura could prevent the official media from reporting this story, it could not stop WikiLeaks from publishing the information. The public became aware of the transgression, and Trafigura eventually had to pay out more than $200 million in settlements.
As consequential as these business leaks were, probably the most controversial WikiLeaks exposé involved the U.S. government. From November 2009 to April 2010, U.S. Army Private First Class Bradley Manning downloaded hundreds of thousands of diplomatic cables to a CD at an outpost in Iraq. He then passed the information to WikiLeaks. In doing so, Manning violated 18 U.S. Code Section 1030(a)(1), which criminalizes unauthorized computer downloads. Beginning on November 28, 2010, WikiLeaks published the contents of more than 250,000 diplomatic cables, the largest unauthorized release of contemporary classified information in history. Among these cables were 11,000 documents marked “secret.” The U.S. government’s definition of a secret document is one that, if released, would cause “serious damage to national security.”
Diplomatic flaps quickly ensued. For example, North Korean leader Kim Jong Il learned that China would consider supporting the unification of the peninsula under the leadership of the South Korean government. Similarly, Iranian President Mahmoud Ahmadinejad discovered that his Arab neighbors were pleading with the United States to launch an attack against Tehran’s nuclear program.
Not surprisingly, the release of the cables also had wide-ranging repercussions within the United States. The government ordered a clampdown on intelligence sharing between agencies, and it established new measures to control electronically stored documents. U.S. Secretary of State Hillary Clinton charged that the massive cable leak “puts people’s lives in danger, threatens national security, and undermines our efforts to work with other countries to solve shared problems.” From the opposite perspective, many individuals and groups, including Daniel Ellsberg, supported WikiLeaks’ actions.
The problem, then, boils down to this: How can governments, organizations, and even individuals prevent future disclosures? Is it possible to accomplish this task, given that the sources of WikiLeaks’ information appear to be internal?
The Solution (?)
In the initial moments after the State Department cables were released, unknown hackers tried to shut down WikiLeaks by exposing its Web site to denial-of-service attacks (discussed in Chapter 4). It is unclear whether the hackers were working on behalf of the U.S. government, but they seemed to endorse the government’s claims that the disclosures threatened national security.
WikiLeaks’ supporters retaliated with anonymous hacktivism, attacking the Web sites of companies such as Amazon, which had thrown WikiLeaks off its servers, and MasterCard and PayPal, which had frozen the organization’s accounts and prevented its supporters from donating to the cause.
Ultimately, all attempts to stifle WikiLeaks have proved futile. When the organization is blocked from one host server, it simply jumps to another. Further, the number of mirror Web sites—essentially clones of WikiLeaks’ main content pages—had mushroomed to 1,300 by the end of 2010.
Prior to 9/11, the U.S. State Department had operated its own internal cable system and encrypted documents to ensure security. After the attacks, the State Department system was merged into a new digital records system controlled by the Department of Defense. Since the WikiLeaks disclosures, the State Department has temporarily severed its connection to the new system while it takes steps to prevent future unauthorized downloads.
In other attempts at thwarting WikiLeaks, governments and companies have turned to cyber security. Since 2007, every major security software vendor (for example, McAfee, www.mcafee.com, Symantec, www.symantec.com, and Trend Micro, www.trendmicro.com) has spent hundreds of millions of dollars to acquire companies in the data leak prevention (DLP) industry. These companies produce software that locates and tags sensitive information and then guards against its being stolen or illegally duplicated. Unfortunately, to date, DLP software has not been effective.
The failure of DLP software has prompted organizations to turn to network forensics, which is the process of constantly collecting every digital “fingerprint” on an organization’s servers to trace and identify an intruder who has broken into the system. Although this software gathers data and makes them easily available, it does not identify the culprit.
The Results
How can organizations and governments respond to WikiLeaks? Lawsuits will not work, because WikiLeaks, as a mere conduit for documents, is legally protected in the United States. Moreover, even if a company or a government somehow won a judgment against WikiLeaks, that would not shut down the company, because its assets are spread all over the world.
In fact, WikiLeaks has a nation-size ally—Iceland. Since WikiLeaks discovered the corrupt loans that helped destroy Iceland’s biggest bank, the country has set out to become the conduit for a global flood of leaks. Birgitta Jonsdottir, a member of Iceland’s parliament, created the Icelandic Modern Media Initiative (IMMI). This initiative seeks to bring to Iceland all the laws that support protecting anonymous sources, freedom of information, and transparency from around the world. It would then set up a Nobel-style international award for activities supporting free expression. IMMI also would make Iceland the world’s most friendly legal base for whistleblowers. As of May 2011, IMMI had yet to become law.
Should WikiLeaks falter, other Web sites around the world are ready to take its place. For example, Greenleaks (www.greenleaks.org) is a Web site for whistleblowers on environmental issues. OpenLeaks (www.openleaks.org) is a Web site that will not openly publish information sent to it, but will give it to reporters and human rights organizations to disseminate. Perhaps the most controversial site is Anonymous, the hacker collective.
What is the best protection against unauthorized leaks? Icelandic WikiLeaks staffer Kristinn Hrafnsson suggested, rather drily, that companies—and perhaps governments to some extent—reform their practices to avoid being targeted.
What We Learned from This Case
The WikiLeaks case addresses the two major issues you will study in this chapter: ethics and privacy. Both issues are closely related to IT and raise significant questions. For example, are WikiLeaks’ actions ethical? Does WikiLeaks violate the privacy of governments, organizations, and individuals? The answers to these questions are not straightforward. In fact, IT has made finding answers to these questions even more difficult.
You will encounter numerous ethical and privacy issues in your career, many of which will involve IT in some manner. This chapter will give you insights into how to respond to these issues. Further, it will help you to make immediate contributions to your company’s code of ethics and its privacy policies. You will also be able to provide meaningful input concerning the potential ethical and privacy impacts of your organization’s information systems on people within and outside the organization.
For example, suppose your organization decides to adopt Web 2.0 technologies (which you will see in Chapter 9) to include business partners and customers in new product development. You will be able to analyze the potential privacy and ethical implications of implementing these technologies.
All organizations, large and small, must be concerned with ethics. IT’s About [Small] Business 3.1 illustrates an ethical problem in a small bank. Small business owners face a very difficult situation when their employees have access to sensitive customer information. There is a delicate balance between access to information and its appropriate use and the temptation for workers to be nosey and curious about what they can find. This balance is best maintained by hiring honest and trustworthy employees who abide by the organization’s code of ethics. Ultimately this leads to another question: Does the small business even have a code of ethics to fall back on in this type of situation?
Sources: Compiled from R. Somaiya, “Former WikiLeaks Colleagues Forming New Web Site, OpenLeaks,” The New York Times, February 6, 2011; A. Greenberg, “WikiLeaks’ StepChildren,” Forbes, January 17, 2011; M. Calabresi, “Winning the Info War,” Time, December 20, 2010; A. Greenberg, “WikiLeaks’ Julian Assange,” Forbes, December 20, 2010; J. Dougherty and E. Labott, “The Sweep: WikiLeaks Stirs Anarchy Online,” CNN.com, December 15, 2010; E. Robinson, “In WikiLeaks Aftermath, An Assault on Free Speech,” The Washington Post, December 14, 2010; M. Calabresi, “The War on Secrecy,” Time, December 13, 2010; I. Shapira and J. Warrick, “WikiLeaks’ Advocates Are Wreaking ‘Hacktivism’,” The Washington Post, December 12, 2010; F. Rashid, “WikiLeaks, Anonymous Force Change to Federal Government’s Security Approach,” eWeek, December 12, 2010; E. Mills, “Report: Ex-WikiLeakers to Launch New OpenLeaks Site,” CNET.com, December 10, 2010; G. Keizer, “Pro-WikiLeaks Cyber Army Gains Strength; Thousands Join DDos Attacks,” Computerworld, December 9, 2010; J. Warrick and R. Pegoraro, “WikiLeaks Avoids Shutdown as Supporters Worldwide Go on the Offensive,” The Washington Post, December 8, 2010; F. Rashid, “PayPal, PostFinance Hit by DoS Attacks, Counter-Attack in Progress,” eWeek, December 6, 2010; “Holder: ‘Significant’ Actions Taken in WikiLeaks Investigation,” CNN.com, December 6, 2010; “WikiLeaks Back Online After Being Dropped by U.S. Domain Name Provider,” CNN.com, December 3, 2010; “WikiLeaks Reports Another Electronic Disruption,” CNN.com, November 30, 2010; “Feds Open Criminal Investigation into WikiLeaks Disclosures,” CNN.com, November 29, 2010; L. Fadel, “Army Intelligence Analyst Charged in WikiLeaks Case,” The Washington Post, July 7, 2010; www.wikileaks.org, accessed February 11, 2011; G. Goodale, “WikiLeaks Q&A with Daniel Ellsberg, the Man Behind the Pentagon Papers,” The Christian Science Monitor, July 29, 2010, accessed May 12, 2011.
3.1 Ethical Issues
Ethics refers to the principles of right and wrong that individuals use to make choices that guide their behavior. Deciding what is right or wrong is not always easy or clear cut. Fortunately, there are many frameworks that can help us make ethical decisions.
IT’s about [small] business
3.1 MidTown Bank
ShaNiqua had worked at MidTown Bank for 10 years. She recently overheard a conversation between two employees regarding a customer’s account. She asked a co-worker what she should do about it because she felt this conversation was not appropriate. The advice she received? Leave it alone because bank managers are trying to deal with the situation. ShaNiqua is afraid that if she tells what she knows she could get in trouble. On the other hand, she is afraid that if she does not tell, those employees could be talking about her account next!
In ShaNiqua’s small town, everyone knows everyone else. This situation becomes a problem when curious bank tellers begin “snooping” into personal bank accounts. While there has never been any report of theft by employees or complaints filed by customers, there have been numerous rumors of employees talking to their friends and family about various bank accounts, spending habits, and recent purchases. Adding to this problem, the number of new accounts the bank has opened in the past five years has steadily declined, while their competition has grown.
Possible solutions to the problem include restricting access to bank accounts, or hiring auditors to reconcile any unnecessary account access and monitor all employee activity. Any decision is likely to have unanticipated results due to the delicate balance of providing access to information to enable employees to perform their jobs and restricting access for security purposes. Ultimately, the best solutions may simply be (1) to educate employees of the legal implications of misusing customer information and (2) to create very strong policies to guard against this type of activity.
At the time of this writing, the bank has yet to determine the direction it will take. This is a totally new situation for them, and they are having difficulty determining how to handle it. However, the nature of their predicament provides much that we can learn.
Questions
1. Was the advice that ShaNiqua initially received good or bad? Support your answer.
2. You are the manager of the bank. What would you do in this case? Be specific.
Source: Compiled from personal interviews with the author. Names have been changed at the request of the interviewees.
Ethical Frameworks
There are many sources for ethical standards. Here we consider four widely used standards: the utilitarian approach, the rights approach, the fairness approach, and the common good approach. There are many other sources, but these four are representative.
The utilitarian approach states that an ethical action is the one that provides the most good or does the least harm. The ethical corporate action would be the one that produces the greatest good and does the least harm for all affected parties—customers, employees, shareholders, the community, and the environment.
The rights approach maintains that an ethical action is the one that best protects and respects the moral rights of the affected parties. Moral rights can include the rights to make one’s own choices about what kind of life to lead, to be told the truth, not to be injured, and to a degree of privacy. Which of these rights people are actually entitled to—and under what circumstances—is widely debated. Nevertheless, most people acknowledge that individuals are entitled to some moral rights. An ethical organizational action would be one that protects and respects the moral rights of customers, employees, shareholders, business partners, and even competitors.
The fairness approach posits that ethical actions treat all human beings equally, or, if unequally, then fairly, based on some defensible standard. For example, most people might believe it is fair to pay people higher salaries if they work harder or if they contribute a greater amount to the firm. However, there is less certainty regarding CEO salaries that are hundreds or thousands of times larger than those of other employees. Many people question whether this huge disparity is based on a defensible standard or is the result of an imbalance of power and hence is unfair.
Finally, the common good approach highlights the interlocking relationships that underlie all societies. This approach argues that respect and compassion for all others is the basis for ethical actions. It emphasizes the common conditions that are important to the welfare of everyone. These conditions can include a system of laws, effective police and fire departments, health care, a public educational system, and even public recreation areas.
If we combine these four standards, we can develop a general framework for ethics (or ethical decision making). This framework consists of five steps.
• Recognize an ethical issue
  ° Could this decision or situation damage someone or some group?
  ° Does this decision involve a choice between a good and a bad alternative?
  ° Is this issue about more than what is legal? If so, how?
• Get the facts
  ° What are the relevant facts of the situation?
  ° Do I know enough to make a decision?
  ° Which individuals and/or groups have an important stake in the outcome?
  ° Have I consulted all relevant persons and groups?
• Evaluate alternative actions
  ° Which option will produce the most good and do the least harm? (the utilitarian approach)
  ° Which option best respects the rights of all stakeholders? (the rights approach)
  ° Which option treats people equally or proportionately? (the fairness approach)
  ° Which option best serves the community as a whole, and not just some members? (the common good approach)
• Make a decision and test it
  ° Considering all the approaches, which option best addresses the situation?
• Act and reflect on the outcome of your decision
  ° How can I implement my decision with the greatest care and attention to the concerns of all stakeholders?
  ° How did my decision turn out, and what did I learn from this specific situation?
Now that we have created a general ethical framework, we will focus specifically on ethics in a corporate environment.
Ethics in the Corporate Environment
Many companies and professional organizations develop their own codes of ethics. A code of ethics is a collection of principles intended to guide decision making by members of the organization. For example, the Association for Computing Machinery (www.acm.org), an organization of computing professionals, has a thoughtful code of ethics for its members (see www.acm.org/constitution/code.html).
Keep in mind that different codes of ethics are not always consistent with one another. Therefore, an individual might be expected to conform to multiple codes. For example, a person who is a member of two large professional computing-related organizations may be simultaneously required by one organization to comply with all applicable laws and by the other organization to refuse to obey unjust laws.
Fundamental tenets of ethics include responsibility, accountability, and liability. Responsibility means that you accept the consequences of your decisions and actions. Accountability refers to determining who is responsible for actions that were taken. Liability is a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.
Before you go any further, it is very important that you realize that what is unethical is not necessarily illegal. For example, a bank’s decision to foreclose on a home can be technically legal, but it can raise many ethical questions. In many instances, then, an individual or organization faced with an ethical decision is not considering whether to break the law. As the foreclosure example illustrates, however, ethical decisions can have serious consequences for individuals, organizations, and society at large.
In recent years we have witnessed a large number of extremely poor ethical decisions, not to mention outright criminal behavior. During 2001 and 2002, three highly publicized fiascos occurred at Enron, WorldCom, and Tyco. At each company, executives were convicted of various types of fraud for using illegal accounting practices. These actions led to the passage of the Sarbanes-Oxley Act in 2002. Sarbanes-Oxley requires publicly held companies to implement financial controls and company executives to personally certify financial reports.
More recently, the subprime mortgage crisis exposed unethical lending practices throughout the mortgage industry. The crisis also highlighted pervasive weaknesses in the regulation of the U.S. financial industry as well as the global financial system. It ultimately contributed to a deep recession in the global economy.
Improvements in information technologies have generated a new set of ethical problems. Computing processing power doubles about every two years, meaning that organizations are more dependent than ever on their information systems. Organizations can store increasing amounts of data at decreasing cost, enabling them to store more data on individuals for longer periods of time. Computer networks, particularly the Internet, enable organizations to collect, integrate, and distribute enormous amounts of information on individuals, groups, and institutions. As a result, ethical problems are arising concerning the appropriate collection and use of customer information, personal privacy, and the protection of intellectual property, as IT’s About Business 3.2 illustrates.
Ethics and Information Technology
All employees have a responsibility to encourage ethical uses of information and information technology. Many of the business decisions you will face at work will have an ethical dimension. Consider the following decisions that you might have to make:
• Should organizations monitor employees’ Web surfing and e-mail?
• Should organizations sell customer information to other companies?
• Should organizations audit employees’ computers for unauthorized software or illegally downloaded music or video files?
The diversity and ever-expanding use of IT applications have created a variety of ethical issues. These issues fall into four general categories: privacy, accuracy, property, and accessibility.
1. Privacy issues involve collecting, storing, and disseminating information about individuals.
2. Accuracy issues involve the authenticity, fidelity, and accuracy of information that is collected and processed.
3. Property issues involve the ownership and value of information.
4. Accessibility issues revolve around who should have access to information and whether a fee should be paid for this access.
Table 3.1 lists representative questions and issues for each of these categories. In addition, Online Ethics Cases presents 14 ethics scenarios for you to consider. These scenarios will provide a context for you to consider situations that involve ethical or unethical behavior.
Many of the issues and scenarios discussed in this chapter, such as photo tagging and geotagging, involve privacy as well as ethics. In the next section, you will learn about privacy issues in more detail.
People today live with a degree of surveillance that would have been unimaginable just a few generations ago. For example, sur- veillance cameras track you at airports, subways, banks, and other public venues. In addition, inexpensive digital sensors are now everywhere. They are incorporated into laptop webcams, video- game motion sensors, smartphone cameras, utility meters, pass- ports, and employee ID cards. Step out your front door and you could be captured in a high-resolution photograph taken from the air or from the street by Google or Microsoft, as they update their mapping services. Drive down a city street, cross a toll bridge, or park at a shopping mall, and your license plate will be recorded and time-stamped. Several developments are helping to increase the monitoring of human activity, including low-cost digital cameras, motion sen- sors, and biometric readers. In addition, the cost of storing digital data is decreasing. The result is an explosion of sensor data col- lection and storage. In addition, technology to analyze the increasing amounts of digital sensor data is becoming more effi cient as well as less expensive. For instance, Affectiva (www.affectiva.com) recently introduced biometric wristbands that monitor tiny changes in sweat-gland activity to gauge emotional reactions. Marketing con- sultants are using the bands to discover what pleases or frustrates shoppers. At a recent International Consumer Electronics Show, Intel and Microsoft introduced an in-store digital billboard that can memo- rize your face. These billboards can keep track of the products you are interested in based on purchases or your browsing behavior. One marketing analyst has predicted that your experience in every store will soon be customized. Clearly, privacy concerns must be addressed, particularly with the capacity of databases to share data and therefore to put to- gether the pieces of a puzzle that can identify us in surprising ways. 
For example, attorneys have begun to use bridge toll records to establish travel patterns of spouses in divorce proceedings. Police looking to issue traffi c citations now correlate photos, taken by cameras located at intersections, with vehicle ownership records. One of the most troubling privacy problems involves a practice advocated by Google and Facebook. These companies are using facial-recognition software—Google Picasa and Facebook Photo Albums—in their popular online photo-editing and sharing services. Both companies encourage users to assign names to people in
photos, a practice referred to as photo tagging. Facial-recognition software then indexes facial features. Once an individual in a photo is tagged, the software looks for similar facial features in untagged photos. This process allows the user to quickly group photos in which the tagged person appears. Signifi cantly, the individual is not aware of this process. Once you are tagged in a photo, that photo could be used to search for matches across the entire Internet or in private databases, including databases fed by surveillance cameras. The technology could be used by a car dealer who takes a picture of you when you step on the car lot. The dealer could then quickly profi le you on the Web to gain an edge in making a sale. Even worse, a stranger in a restaurant could photograph you with a smartphone, and then go online to profi le you. One privacy attorney says that losing the right to anonymity would have a chilling effect on where you go, whom you meet, and how you live your life. Another problem arises with smartphones equipped with global positioning system (GPS) sensors. These sensors routinely geotag photos and videos, embedding images with the longitude and latitude of the location shown in the image. You could be in- advertently supplying criminals with useful intelligence by posting personal images on social networks or photo-sharing Web sites. These actions would show the criminals exactly where you live.
Questions
1. Apply the general framework for ethical decision making to the practices of photo tagging and geotagging.
2. Discuss and provide examples of the benefits and the drawbacks of photo tagging and geotagging.
3. Are users responsible for their loss of privacy if they do not know that their photos can be tagged and that they can be located with GPS sensors?
Sources: Compiled from Autopia Blog, “Cellphone Networks and the Future of Traffic,” Wired, March 2, 2011; “Hello, Big Brother: Digital Sensors Are Watching Us,” USA Today, January 26, 2011; B. Acohido, “Helpful Digital Sensors,” USA Today, January 25, 2011; D. Priest and W. Arkin, “Top Secret America,” The Washington Post, December 20, 2010; P. Elmer-DeWitt, “How the iPhone Spills Your Secrets,” Fortune, December 18, 2010; T. Carmody, “The Internet of Cars: New R&D For Mobile Traffic Sensors,” Wired, September 29, 2010; T. Harbert, “Beeps, Blips, and IT: Making Sense of Sensor Data,” Computerworld, June 24, 2008; www.eff.org, accessed March 17, 2011.
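The geotag described in this case is stored in a photo's EXIF metadata, so it can be checked for and removed before an image is posted. The Python sketch below is an added example, not part of the textbook: it reads the latitude and longitude from a JPEG's EXIF GPS block and strips the EXIF segment. The function names and the sample image bytes are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-directory


def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def read_ifd(tiff, offset, bo):
    """Return {tag: (count, raw 4-byte value field)} for one TIFF directory."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, _type, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (count, tiff[e + 8:e + 12])
    return entries


def degrees(tiff, entry, bo):
    """Convert three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    (off,) = struct.unpack(bo + "I", entry[1])
    v = struct.unpack(bo + "6I", tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def gps_position(jpeg):
    """Return (latitude, longitude) stored in the EXIF GPS block, or None."""
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        pointer = read_ifd(tiff, ifd0, bo).get(GPS_IFD_POINTER)
        if pointer is None:
            return None
        gps = read_ifd(tiff, struct.unpack(bo + "I", pointer[1])[0], bo)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        lat, lon = degrees(tiff, gps[2], bo), degrees(tiff, gps[4], bo)
        if gps[1][1][:1] == b"S":  # tag 1 = latitude reference (N/S)
            lat = -lat
        if gps[3][1][:1] == b"W":  # tag 3 = longitude reference (E/W)
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment removed."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])  # scan data and EOI are kept untouched


def build_sample_jpeg():
    """Constructed sample: JPEG skeleton geotagged 40°26'46"N, 79°58'56"W."""
    tiff = b"II" + struct.pack("<HI", 42, 8)            # TIFF header, IFD0 at 8
    tiff += struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)  # GPS IFD at 26
    tiff += struct.pack("<H", 4)                        # GPS IFD: four entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N")        # latitude reference
    tiff += struct.pack("<HHII", 2, 5, 3, 80)           # latitude rationals at 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W")        # longitude reference
    tiff += struct.pack("<HHII", 4, 5, 3, 104)          # longitude rationals at 104
    tiff += struct.pack("<I", 0)                        # no further directory
    tiff += struct.pack("<6I", 40, 1, 26, 1, 46, 1)
    tiff += struct.pack("<6I", 79, 1, 58, 1, 56, 1)
    exif = EXIF_HEADER + tiff
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("geotag before posting:", gps_position(photo))
    print("geotag after stripping:", gps_position(strip_exif(photo)))
```

Note that `strip_exif` removes all EXIF metadata, not only the GPS block, which also drops fields such as camera model and capture time.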
3.2 Big Brother Is Watching You
IT’s [about business]
Table 3.1 A Framework for Ethical Issues
Privacy Issues
• What information about oneself should an individual be required to reveal to others?
• What kind of surveillance can an employer use on its employees?
• What types of personal information can people keep to themselves and not be forced to reveal to others?
• What information about individuals should be kept in databases, and how secure is the information there?
Accuracy Issues
• Who is responsible for the authenticity, fidelity, and accuracy of the information collected?
• How can we ensure that the information will be processed properly and presented accurately to users?
• How can we ensure that errors in databases, data transmissions, and data processing are accidental and not intentional?
• Who is to be held accountable for errors in information, and how should the injured parties be compensated?
Property Issues
• Who owns the information?
• What are the just and fair prices for its exchange?
• How should we handle software piracy (copying copyrighted software)?
• Under what circumstances can one use proprietary databases?
• Can corporate computers be used for private purposes?
• How should experts who contribute their knowledge to create expert systems be compensated?
• How should access to information channels be allocated?
Accessibility Issues
• Who is allowed to access information?
• How much should companies charge for permitting access to information?
• How can access to computers be provided for employees with disabilities?
• Who will be provided with equipment needed for accessing information?
• What information does a person or an organization have a right to obtain, under what conditions, and with what safeguards?
3.2 Privacy
In general, privacy is the right to be left alone and to be free of unreasonable personal intrusions. Information privacy is the right to determine when, and to what extent, information about you can be gathered and/or communicated to others. Privacy rights apply to individuals, groups, and institutions. The definition of privacy can be interpreted quite broadly. However, court decisions in many countries have followed two rules fairly closely:
1. The right of privacy is not absolute. Privacy must be balanced against the needs of society.
2. The public’s right to know supersedes the individual’s right of privacy.
These two rules illustrate why determining and enforcing privacy regulations can be difficult. The right to privacy is recognized today in all U.S. states and by the federal government, either by statute or in common law.
Rapid advances in information technologies have made it much easier to collect, store, and integrate data on individuals in large databases. On an average day, data about you are generated in many ways: surveillance cameras on toll roads, in public places, and at work; credit card transactions; telephone calls (landline and cellular); banking transactions; queries to search engines; and government records (including police records). These data can be integrated to produce a digital dossier, which is an electronic profile of you and your habits. The process of forming a digital dossier is called profiling.
Data aggregators, such as LexisNexis (www.lexisnexis.com), ChoicePoint (www.choicepoint.com), and Acxiom (www.acxiom.com), are good examples of profiling. These companies collect public data such as real estate records and published telephone numbers, in addition to nonpublic information such as Social Security numbers; financial data; and police, criminal, and motor vehicle records. They then integrate these data to form digital dossiers on most adults in the United States. They ultimately sell these dossiers to law enforcement agencies and companies that conduct background checks on potential employees. They also sell them to companies that want to know their customers better, a process called customer intimacy.
However, data on individuals can be used in more controversial manners. For example, a controversial new map in California identifies the addresses of donors who supported Proposition 8, the referendum that outlawed same-sex marriage in California (see www.eightmaps.com). Gay activists created the map by combining Google’s satellite mapping technology with publicly available campaign records that listed Proposition 8 donors who contributed $100 or more. These donors are outraged, claiming that the map invades their privacy and could expose them to retribution.
Electronic Surveillance
According to the American Civil Liberties Union (ACLU), tracking people’s activities with the aid of computers has become a major privacy-related problem. The ACLU notes that this monitoring, or electronic surveillance, is rapidly increasing, particularly with the emergence of new technologies. Electronic surveillance is conducted by employers, the government, and other institutions.
In general, employees have very limited legal protection against surveillance by employers. The law supports the right of employers to read their employees’ e-mail and other electronic documents and to monitor their employees’ Internet use. Today, more than three-fourths of organizations are monitoring employees’ Internet usage. In addition, two-thirds use software to block connections to inappropriate Web sites, a practice called URL filtering. Further, organizations are installing monitoring and filtering software to enhance security by stopping malicious software and to increase productivity by discouraging employees from wasting time.
In one organization, the chief information officer (CIO) monitored about 13,000 employees for three months to determine the type of traffic they engaged in on the network. He then forwarded the data to the chief executive officer (CEO) and the heads of the human resources and legal departments. These executives were shocked at the questionable Web sites the employees were visiting, as well as the amount of time they were spending on those sites. The executives quickly made the decision to implement a URL filtering product.
Surveillance is also a concern for private individuals regardless of whether it is conducted by corporations, government bodies, or criminals. As a nation the United States is still struggling to define the appropriate balance between personal privacy and electronic surveillance, especially when threats to national security are involved.
Personal Information in Databases
Modern institutions store information about individuals in many databases. Perhaps the most visible locations of such records are credit-reporting agencies. Other institutions that store personal information include banks and financial institutions; cable TV, telephone, and utilities companies; employers; mortgage companies; hospitals; schools and universities; retail establishments; government agencies (Internal Revenue Service, your state, your municipality); and many others.
There are several concerns about the information you provide to these record keepers. Some of the major concerns are:
• Do you know where the records are?
• Are the records accurate?
• Can you change inaccurate data?
• How long will it take to make a change?
• Under what circumstances will personal data be released?
• How are the data used?
• To whom are the data given or sold?
• How secure are the data against access by unauthorized people?
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Every day you see more and more electronic bulletin boards, newsgroups, electronic discussions such as chat rooms, and social networking sites (discussed in Chapter 9). These sites appear on the Internet, within corporate intranets, and on blogs. A blog, short for “Weblog,” is an informal, personal journal that is frequently updated and intended for general public reading. How does society keep owners of bulletin boards from disseminating information that may be offensive to readers or simply untrue? This is a difficult problem because it involves the conflict between freedom of speech on the one hand and privacy on the other. This conflict is a fundamental and continuing ethical issue in U.S. society.
There is no better illustration of the conflict between free speech and privacy than the Internet. Many Web sites contain anonymous, derogatory information on individuals, who typically have little recourse in the matter. Approximately one-half of U.S. firms use the Internet in examining job applications, including searching on Google and on social networking sites. Consequently, derogatory information that can be found on the Internet can harm a person’s chances of being hired. This problem has become so serious that a company called Reputation Defender (www.reputationdefender.com) will search for damaging content online and destroy it on behalf of clients.
Social networking sites also can present serious privacy concerns. IT’s About Business 3.3 takes a look at Facebook’s problems with its privacy policies.
Privacy Codes and Policies
Privacy policies or privacy codes are an organization’s guidelines for protecting the privacy of its customers, clients, and employees. In many corporations, senior management has begun to understand that when they collect vast amounts of personal information, they must protect it. In addition, many organizations give their customers some voice in how their information is used by providing them with opt-out choices. The opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected. Privacy advocates prefer the opt-in model of informed consent, which prohibits an organization from collecting any personal information unless the customer specifically authorizes it.
One privacy tool currently available to consumers is the Platform for Privacy Preferences (P3P), a protocol that automatically communicates privacy policies between an electronic commerce Web site and visitors to that site. P3P enables visitors to determine the types of personal data that can be extracted by the Web sites they visit. It also allows visitors to compare a Web site’s privacy policy to the visitors’ preferences or to other standards, such as the Federal Trade Commission’s (FTC) Fair Information Practices Standard or the European Directive on Data Protection.
Table 3.2 provides a sampling of privacy policy guidelines. In Table 3.2 the last section, “Data Confidentiality,” refers to security, as you will see in Chapter 4. All the good privacy intentions in the world are useless unless they are supported and enforced by effective security measures.
International Aspects of Privacy
As the number of online users has increased globally, governments throughout the world have enacted a large number of inconsistent privacy and security laws. This highly complex global legal framework is creating regulatory problems for companies. Approximately 50 countries have some form of data-protection laws. Many of these laws conflict with those of other countries, or they require specific security measures. Other countries have no privacy laws at all.
The absence of consistent or uniform standards for privacy and security obstructs the flow of information among countries, which is called transborder data flows. The European Union (EU), for one, has taken steps to overcome this problem. In 1998 the European Community Commission (ECC) issued guidelines to all its member countries regarding the rights of individuals to access information about themselves. The EU data-protection laws are stricter than U.S. laws and therefore could create problems for multinational corporations, which could face lawsuits for privacy violation.
The transfer of data into and out of a nation without the knowledge of either the authorities or the individuals involved raises a number of privacy issues. Whose laws have jurisdiction when records are stored in a different country for reprocessing or retransmission purposes? For example, if data are transmitted by a Polish company through a U.S. satellite to a British corporation, which country’s privacy laws control the data, and when? Questions like these will become more complicated and frequent as time goes on. Governments must make an effort to develop laws and standards to cope with rapidly changing information technologies in order to solve some of these privacy issues.
The United States and the EU share the goal of privacy protection for their citizens, but the United States takes a different approach. To bridge the different privacy approaches, the United States Department of Commerce, in consultation with the EU, developed a “safe harbor” framework to regulate the way that U.S. companies export and handle the personal data (such as names and addresses) of European citizens. See www.export.gov/safeharbor and http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.
IT’s [about business]
3.3 Your Privacy on Facebook
In December 2009, Facebook adopted a new privacy policy that declared certain information, including lists of friends, to be publicly available, with no privacy settings. Previously, Facebook users could restrict access to this information. As a result of this change, users who had set their list of friends as private were forced to make the list public without even being informed. Further, the option to make the list private again was removed. For example, a user whose Family and Relationships information was set to be viewable by Friends Only would default to being viewable by Everyone (publicly viewable). Therefore, information such as the gender of your partner, relationship status, and family relations became viewable even to people who did not have a Facebook account. Facebook CEO Mark Zuckerberg justified this policy by asserting that privacy is no longer a social norm.
To compound this issue, the new Facebook policy can also expose endorsements of various organizations and groups that you make when you click the “Like” button. In addition, Facebook’s “Instant Personalization” shares some of your data, without your advance permission, with other Web sites.
The results of the privacy fiasco? The Facebook privacy policy was protested by many people as well as privacy organizations such as the Electronic Frontier Foundation (www.eff.org). In fact, Iranian dissidents began deleting their Facebook accounts so that the government could not track their contacts.
In another instance, four college students decided to build a social network that would not force people to surrender their privacy. They used an online Web site called Kickstarter (www.kickstarter.com), which helps creative people find support, to raise $10,000. When they introduced their software, called Diaspora (www.diaspora.com), in May 2010, they made the source code openly available. Users can employ this software to set up personal servers, create their own information hubs, and control the information they share. The Diaspora “crew” attracted more than 2,000 followers of “joindiaspora” on Twitter in just a few weeks.
Facebook responded by rolling back requirements that some content be public, such as promotional pages that users respond to, or “Like,” in Facebook “language.” Facebook is also providing a virtual one-click “off switch” that lets users block all access to their information from third-party applications and Web sites. Further, instead of being forced to make public every status update and photo for “friends” or other individuals, users can put information such as employment history and vacation videos into buckets designated either for friends, friends of friends, or everyone on the Internet.
In February 2011, Facebook revealed a new draft of its privacy policy. The revised policy does not modify the social network’s data-handling practices; rather, it organizes its content around more practical headings such as “your information and how it is used” and “how advertising works.” Facebook maintains that the new policy is much more of a user guide to managing personal data.
Questions
1. Why did Facebook change its privacy policies in December 2009?
2. Make the argument in support of the privacy policy changes that Facebook instituted in December 2009.
3. Make the argument against the privacy policy changes that Facebook instituted in December 2009.
4. Discuss the trade-offs between conveniently sharing information and protecting privacy.
Sources: Compiled from J. Angwin and G. Fowler, “Microsoft, Facebook Offer New Approaches to Boost Web Privacy,” The Wall Street Journal, February 26–27, 2011; C. Kang, “Facebook CEO Announces Revamped Privacy Settings,” The Washington Post, May 27, 2010; M. Wagner, “Who Trusts Facebook Now?” Computerworld Blogs, May 27, 2010; J. Perez, “Facebook Earns Praise for Privacy Changes,” Computerworld, May 26, 2010; S. Gaudin, “Amid Backlash, Facebook Unveils Simpler Privacy Controls,” Computerworld, May 26, 2010; S. Gaudin, “Facebook CEO Says Mistakes Made, Privacy Changes Coming,” Computerworld, May 24, 2010; R. Pegoraro, “Facebook Meets the ‘Unlike’ Button,” Washington Post, May 17, 2010; J. Sutter, “Some Quitting Facebook As Privacy Concerns Escalate,” CNN.com, May 13, 2010; J. Dwyer, “Four Nerds and a Cry to Arms Against Facebook,” The New York Times, May 11, 2010; B. Johnson, “Privacy No Longer a Social Norm, Says Facebook Founder,” The Guardian, January 11, 2010.
Table 3.2 Privacy Policy Guidelines: A Sampler
Data Collection
• Data should be collected on individuals only for the purpose of accomplishing a legitimate business objective.
• Data should be adequate, relevant, and not excessive in relation to the business objective.
• Individuals must give their consent before data pertaining to them can be gathered. Such consent may be implied from the individual’s actions (e.g., applications for credit, insurance, or employment).
Data Accuracy
• Sensitive data gathered on individuals should be verified before they are entered into the database.
• Data should be kept current, where and when necessary.
• The file should be made available so that the individual can ensure that the data are correct.
• In any disagreement about the accuracy of the data, the individual’s version should be noted and included with any disclosure of the file.
Data Confidentiality
• Computer security procedures should be implemented to ensure against unauthorized disclosure of data. These procedures should include physical, technical, and administrative security measures.
• Third parties should not be given access to data without the individual’s knowledge or permission, except as required by law.
• Disclosures of data, other than the most routine, should be noted and maintained for as long as the data are maintained.
• Data should not be disclosed for reasons incompatible with the business objective for which they are collected.
What’s In IT For Me?
For the Accounting Major
Public companies, their accountants, and their auditors have significant ethical responsibilities. Accountants now are being held professionally and personally responsible for increasing the transparency of transactions and assuring compliance with Generally Accepted Accounting Principles (GAAP). In fact, regulatory agencies such as the SEC and the Public Company Accounting Oversight Board (PCAOB) require accounting departments to adhere to strict ethical principles.
For the Finance Major
As a result of global regulatory requirements and the passage of Sarbanes-Oxley, financial managers must follow strict ethical guidelines. They are responsible for full, fair, accurate, timely, and understandable disclosure in all financial reports and documents that their companies submit to the Securities and Exchange Commission and in all other public financial reports. Further, financial managers are responsible for compliance with all applicable governmental laws, rules, and regulations.
For the Marketing Major
Marketing professionals have new opportunities to collect data on their customers, for example, through business-to-consumer electronic commerce (discussed in Chapter 7). Business ethics clearly mandate that these data should be used only within the company and should not be sold to anyone else. Marketers do not want to be sued for invasion of privacy over data collected for the marketing database.
Customers expect their data to be properly secured. However, profit-motivated criminals want that data. Therefore, marketing managers must analyze the risks of their operations. Failure to protect corporate and customer data will cause significant public relations problems and outrage customers. Customer relationship management (discussed in Chapter 11) operations and tracking customers’ online buying habits can expose unencrypted data to misuse or result in privacy violations.
For the Production/Operations Management Major
POM professionals decide whether to outsource (or offshore) manufacturing operations. In some cases, these operations are sent overseas to countries that do not have strict labor laws. This situation raises serious ethical questions. For example, is it ethical to hire employees in countries with poor working conditions in order to reduce labor costs?
For the Human Resources Management Major
Ethics is critically important to HR managers. HR policies explain the appropriate use of information technologies in the workplace. Questions such as the following can arise: Can employees use the Internet, e-mail, or chat systems for personal purposes while at work? Is it ethical to monitor employees? If so, how? How much? How often? HR managers must formulate and enforce such policies while at the same time maintaining trusting relationships between employees and management.
For the MIS Major
Ethics might be more important for MIS personnel than for anyone else in the organization, because these individuals have control of the information assets. They also have control over a huge amount of the employees’ personal information. As a result, the MIS function must be held to the highest ethical standards. In fact, as you will see in the chapter-closing case about Terry Childs, regardless of what he actually did, what one thinks of what he did, and whether his conviction was justified, a person in his situation has the opportunity to behave improperly, and shouldn’t.
[ Summary ]
1. Define ethics, list and describe the three fundamental tenets of ethics, and describe the four categories of ethical issues related to information technology.
Ethics refers to the principles of right and wrong that individuals use to make choices that guide their behavior.
Fundamental tenets of ethics include responsibility, accountability, and liability. Responsibility means that you accept the consequences of your decisions and actions. Accountability refers to determining who is responsible for actions that were taken. Liability is a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.
The major ethical issues related to IT are privacy, accuracy, property (including intellectual property), and access to information. Privacy may be violated when data are held in databases or transmitted over networks. Privacy policies that address issues of data collection, data accuracy, and data confidentiality can help organizations avoid legal problems.
2. Identify three places that store personal data, and for each one, discuss at least one personal threat to the privacy of the data stored there.
Privacy is the right to be left alone and to be free of unreasonable personal intrusions. Threats to privacy include advances in information technologies, electronic surveillance, personal information in databases, Internet bulletin boards, newsgroups, and social networking sites. The privacy threat in Internet bulletin boards, newsgroups, and social networking sites is that you might post too much personal information that many unknown people can see.
[ Chapter Glossary ]
accountability A tenet of ethics that refers to determining who is responsible for actions that were taken.
code of ethics A collection of principles intended to guide decision making by members of an organization.
digital dossier An electronic description of an individual and his or her habits.
electronic surveillance Tracking people’s activities with the aid of computers.
ethics The principles of right and wrong that individuals use to make choices to guide their behaviors.
information privacy The right to determine when, and to what extent, personal information can be gathered by and/or communicated to others.
liability A legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.
opt-in model A model of informed consent in which a business is prohibited from collecting any personal information unless the customer specifically authorizes it.
opt-out model A model of informed consent that permits a company to collect personal information until the customer specifically requests that the data not be collected.
privacy The right to be left alone and to be free of unreasonable personal intrusions.
privacy codes (see privacy policies)
privacy policies (also known as privacy codes) An organization’s guidelines for protecting the privacy of customers, clients, and employees.
profiling The process of forming a digital dossier.
responsibility A tenet of ethics in which you accept the consequences of your decisions and actions.
[ Discussion Questions ]
1. In 2008, the Massachusetts Bay Transportation Authority (MBTA) obtained a temporary restraining order barring three Massachusetts Institute of Technology (MIT) students from publicly displaying what they claimed to be a way to get “free subway rides for life.” Specifically, the 10-day injunction prohibited the students from revealing vulnerabilities of the MBTA’s fare card. The students were scheduled to present their findings in Las Vegas at the DEFCON computer hacking conference. Are the students’ actions legal? Are their actions ethical? Discuss your answer from the students’ perspective then from the perspective of the MBTA.
2. Frank Abagnale, the criminal played by Leonardo DiCaprio in the motion picture Catch Me If You Can, ended up in prison. After he left prison, however, he worked as a consultant to many companies on matters of fraud.
a. Why do these companies hire the perpetrators (if caught) as consultants? Is this a good idea?
b. You are the CEO of a company. Discuss the ethical implications of hiring Frank Abagnale as a consultant.
[ Problem-Solving Activities ]
1. An information security manager routinely monitored the Web surfing among her company’s employees. She discovered that many employees were visiting the “sinful six” Web sites. (Note: The “sinful six” are Web sites with material related to pornography, gambling, hate, illegal activities, tastelessness, and violence.) She then prepared a list of the employees and their surfing histories and gave the list to management. Some managers punished their employees. Some employees, in turn, objected to the monitoring, claiming that they should have a right to privacy.
a. Is monitoring of Web surfing by managers ethical? (It is legal.) Support your answer.
b. Is employee Web surfing on the “sinful six” ethical? Support your answer.
c. Is the security manager’s submission of the list of abusers to management ethical? Why or why not?
d. Is punishing the abusers ethical? Why or why not? If yes, then what types of punishment are acceptable?
e. What should the company do in this situation? (Note: There are a variety of possibilities here.)
2. Access the Computer Ethics Institute’s Web site at www.cpsr.org/issues/ethics/cei. The site offers the “Ten Commandments of Computer Ethics.” Study these rules and decide whether any others should be added.
3. Access the Association for Computing Machinery’s code of ethics for its members (see www.acm.org/constitution/code.html). Discuss the major points of this code. Is this code complete? Why or why not? Support your answer.
4. Access www.eightmaps.com. Is the use of data on this Web site illegal? Unethical? Support your answer.
5. The Electronic Frontier Foundation (www.eff.org) has a mission of protecting rights and promoting freedom in the “electronic frontier.” Review the organization’s suggestions about how to protect your online privacy, and summarize what you can do to protect yourself.
6. Access your university’s guidelines for ethical computer and Internet use. Are there limitations as to the types of Web sites that you can visit and the types of material you can view? Are you allowed to change the programs on the lab computers? Are you allowed to download software from the lab computers for your personal use? Are there rules governing the personal use of computers and e-mail?
7. Access http://www.albion.com/netiquette/corerules.html. What do you think of this code of ethics? Should it be expanded? Is it too general?
8. Access www.cookiecentral.com and www.epubliceye.com. Do these sites provide information that helps you protect your privacy? If so, then explain how.
9. Do you believe that a university should be allowed to monitor e-mail sent and received on university computers? Why or why not? Support your answer.
[ Team Assignments ]
1. Access www.ftc.gov/sentinel to learn how law enforcement agencies around the world work together to fight consumer fraud. Each team should obtain current statistics on one of the top five consumer complaint categories and prepare a report. Are any categories growing faster than others? Are any categories more prevalent in certain parts of the world?
[ Closing Case You Be the Judge ]
Terry Childs worked in San Francisco’s information technology department for five years as a highly valued network administrator. Childs, who holds a Cisco Certified Internetwork Expert certification, the highest level of certification offered by Cisco, built San Francisco’s new multimillion-dollar computer network, the FiberWAN. He handled most of the implementation, including the acquisition, configuration, and installation of all the routers and switches that compose the network. The FiberWAN contains essential city information such as officials’ e-mails, city payroll files, confidential law enforcement documents, and jail inmates’ booking information.
On July 13, 2008, Childs was arrested and charged with four felony counts of computer tampering. Authorities accused him of commandeering the FiberWAN by creating passwords that granted him exclusive access to the system. In addition to refusing to give city officials the passwords necessary to access the FiberWAN, Childs has been accused of other actions. Authorities allege that he implemented a tracing system to monitor what administrators were saying and doing. Authorities also
discovered dial-up and digital subscriber line (DSL) modems (discussed in Chapter 6) that would enable an unauthorized user to connect to the FiberWAN. They also found that he had placed a command on several network devices to erase critical configuration data in the event that anyone tried to restore administrative access to the devices. Further, he allegedly collected pages of user names and passwords, including his supervisor’s, to use their network login information. He was also charged with downloading terabytes of city data to a personal encrypted storage device. The extent of Childs’s activities was not known until a June 2008 computer audit.
Childs had been disciplined on the job in the months leading up to his arrest, and his supervisors had tried to fire him. Those attempts were unsuccessful, in part because of his exclusive knowledge of the city’s FiberWAN. After his arrest, Childs kept the necessary passwords to himself for ten days, and then gave them to the mayor of San Francisco in a secret meeting in the city jail.
What was he thinking? Had he become a rogue employee? His lawyer paints a different picture of the man and his situation. Childs seems to have taken his job very seriously, to the point of arrogance. He worked very hard, including evenings and weekends, and rarely took vacations. Because the FiberWAN was so complex and Childs did not involve any of the other network engineers in his unit, he was the only person who fully understood the network’s configuration. He apparently trusted no one but himself with the details of the network, including its configuration and login information.
Childs had a poor relationship with his superiors, who were all managerially oriented rather than technically oriented. He considered his direct supervisor to be intrusive, incompetent, and obstructive, and he believed the managers above him had no real concept of the FiberWAN. In fact, he felt that his superiors were more interested in office politics than in getting anything done. He also complained that he was overworked and that many of his colleagues were incompetent freeloaders.
Childs’s lawyer maintained that his client had been the victim of a “bad faith” effort to force him out of his post by incompetent city officials whose meddling was jeopardizing the network that Childs had built. He further charged that in the past, Childs’s supervisors and co-workers had damaged the FiberWAN themselves, hindered Childs’s ability to maintain the system, and shown complete indifference to maintaining it themselves.
Childs was the only person in the department capable of operating the FiberWAN. Despite this fact, the department had established no policies as to the appropriate person to whom Childs could give the passwords. Childs maintains that none of the persons who requested the passwords from him was qualified to have them.
Childs’s lawyer raised the question: “How could the department say his performance was poor when he had been doing what no one else was able or willing to do?” Interestingly, the FiberWAN continued to run smoothly while Childs was holding the passwords.
As of May 2011, San Francisco officials maintained that they had paid Cisco contractors almost $200,000 to fix the problems with the FiberWAN. The city has retained a security consulting firm, Secure DNA (www.secure-dna.com), to conduct a vulnerability assessment of its network. It also has set aside a further $800,000 to address potential ongoing problems.
On April 27, 2010, after nearly three days of deliberation, a jury convicted Childs of one count of felony computer tampering for withholding passwords to the city’s FiberWAN network. On August 9, 2010, the judge sentenced Childs to four years in prison.
Questions
1. Do you agree with the jury that Childs is guilty of computer tampering?
(a) Discuss the case from the perspective of the prosecutor of the City of San Francisco.
(b) Discuss the case from the perspective of Childs’s defense lawyer.
2. A single point of failure is a component of a system that, if it fails, will prevent the entire system from functioning. For this reason, a single point of failure is clearly undesirable, whether it is a person, a network, or an application. Is Childs an example of a single point of failure? Why or why not? If he is guilty, then how should the City of San Francisco (or any organization) protect itself from such a person?
Sources: Compiled from R. McMillan, “Network Admin Terry Childs Gets 4-Year Sentence,” Bloomberg BusinessWeek, August 7, 2010; J. Niccolai, “Terry Childs Is Denied Motion for Retrial,” PC World, July 30, 2010; J. Vijayan, “After Verdict, Debate Rages in Terry Childs’ Case,” Computerworld, April 28, 2010; P. Venezia, “Slouching toward Justice for Terry Childs,” InfoWorld, March 1, 2010; J. Van Derbeken, “S.F. Officials Locked Out of Computer Network,” SFGate.com, July 15, 2008; Z. Church, “San Francisco IT Hack Story Looks a Bit Too Much Like Chinatown,” SearchCIO-Midmarket.com, July 16, 2008; P. Venezia, “Why San Francisco’s Network Admin Went Rogue,” InfoWorld, July 18, 2008; J. Van Derbeken, “Lawyer Says Client Was Protecting City’s Code,” SFGate.com, July 23, 2008; R. McMillan and P. Venezia, “San Francisco’s Mayor Gets Back Keys to the Network,” Network World, July 23, 2008; R. McMillan, “Parts of San Francisco Network Still Locked Out,” Network World, July 23, 2008; J. Vijayan, “City Missed Steps to Avoid Network Lockout,” Computerworld, July 28, 2008; A. Surdin, “San Francisco Case Shows Vulnerability of Data Networks,” Washington Post, August 11, 2008; R. McMillan, “San Francisco Hunts for Mystery Device on City Network,” Computerworld, September 11, 2008; B. Egelko, “S.F. Computer Engineer to Stand Trial,” SFGate.com, December 27, 2008.