Ethical Analysis of a Travel-tracking Application

8/3/2019 Ethical Analysis of a Travel-tracking Application

1/14

UNIVERSITY OF TWENTE, DEPARTMENT OF ELECTRICAL ENGINEERING, MATHEMATICS AND

COMPUTER SCIENCE

ETHICALANALYSISOFATRAVEL-TRACKINGAPPLICATION

A COMPUTERETHICSPROJECT-201019161280

LAURA ILEANA STOILESCU( S1070053),MIRCEA STOICA (S1033158)

10/12/2011


2/14

TABLE OF CONTENTSAbstract ......................................................................................................................................................... 3

1. Introduction .......................................................................................................................................... 3

1.1. Motivation ......................................................................................................................................... 4

2. Our product Travel-tracking application ............................................................................................ 4

2.1 Data collected ................................................................................................................................... 5

2.2 The reward system ............................................................................................................................ 5

3. Ethical analysis of the system ............................................................................................................... 5

3.1. A perfectly plausible scenario ........................................................................................................... 6

3.2. Violated rules of the ethic code (ACM) ............................................................................................. 6

3.3. Identity theft ..................................................................................................................................... 8

3.4. Privacy ............................................................................................................................................. 10

3.5. Privacy frauds .................................................................................................................................. 11

Datagathering, exchanging, mining, merging, matching .......................................................................... 11

3.6. Embedded values- BIAS .................................................................................................................. 12

4. Technical measures ............................................................................................................................. 12

5. Conclusion ........................................................................................................................................... 13

6. Bibliography ........................................................................................................................................ 14


3/14

ABSTRACTIn this essay are described some of the ethical problems raised with the use of a mobile phone

application that tracks a tourists accommodation at a hotel and keeps a profile for all travels made

in a certain hotel or hotel chain. Our analysis has the purpose of setting a solid design and a clear

set of usage rules for this application so that the ethical conflicts are minimal. We explore eachproblem on the basis of two major ethical theories that attempt to specify and justify moral rules

and principles: I. Kants Deontological ethics and Consequentialism, or Utilitarianism as a more

particular form based by J. Bentham and J. S. Mill. The analysis brings into attention a series of

ethical aspects that can label the application as ineffective considering the user sensitive about his

privacy and data protection.

1.INTRODUCTIONTechnology, from its most rudimentary to its actual form, has the sole purpose of making, using and

understanding tools in order to solve a problem or serve some purpose. Along with thetechnological development, on the evolutions road from the stick and stone to the orbital satellites,

the ethical issues raised have increasingly greater impact for the user, sometimes doubting even the

global utility of a certain product. In this background, information has became more than just an

abstract concept, but a value that needs to be protected and preserved, also referred to as the

intellectual capital from which human beings craft their lives and secure their dignity in (Mason,

1986).

The need for applying the computer ethics in the technological domain, at this level is that

technology in itself, either referring to a computer, a mobile phone, or a piece of software, has a

neutral intrinsic value. The responsibility of using technology therefore lies in the user himself

(Guns dont kill people, people kill people with guns). On a more informal but still true note, the webwisdom pops out another version of this quote: Guns dont kill people, people do and monkeys do

too, if they have a gun(E. Izzard) which balances the responsibility between the user and the tool,

how neutral is the technology actually? Of course, the decision of doing an immoral, wrong,

unethical act lies with the user but the fact that without the proper tool, the act could be avoided is

also true.

Collecting, storing, processing and distributing information in this informational era proves to have

unique challenges while having great advantages over the previous methods. We are mainly

referring to assuring privacy and confidentiality, assuring the data and the system are modified

with proper authorization only, assuring unimpaired service, ensuring data consistency and

controlling access to resources(Martin).When centralization can be identified with control, finding

your way, with being tracked down, a help turns out to be an abuse, some boundaries must be set.

From another point of view, we cannot expect absolute privacy in an environment with all

information at reach based only on the correct ethical behavior of the other users therefore there

isnt always a clear line from which we can conclude the existence of an abuse. Users expect


4/14

freedom from intrusion and surveillance while dealing with computers and giving up personal

information that may make them traceable.

In the following sections, we describe a travel tracking system which refers only to the

accommodation aspect of the journey and the activities performed in its environment. The system

is described in section 2 and analyzed in the following chapters from an ethical perspective,discussing the situations that can lead to misusage of the data collected and the impact on the

customer and hotel respectively.

1.1. MOTIVATIONWe consider that one of the purposes of mobile phone applications is to assure a multi-tasking

attribute to any smart-phone. Our application combines the already- present functions with a

custom made micro-travel agency that will be able to book the perfect room for each occasion. At

each booking, the hotels personnel checks the profiles historic, makes all the necessary

arrangements and is able to suggest other similar products and services.

So why not being able to book a hotel room and know you will find there all the small but effective

details that make your stay a pleasant one through a simple icon touch? Perhaps having a

permanent log of your spending during a stay at the hotel will even help you be wiser with your

own finances. Of course, there are advantages of using this application but so are risks. Is it worth to

jeopardize your privacy for sparing a few minutes of extra effort through the conventional method?

The answers differ, of course, for each customer and background.

2.OUR PRODUCT TRAVEL-TRACKING APPLICATIONThe application we have considered is not built-in but available to all contract-based mobile phone

users. The contract is a condition and a mean to verify the data fed at registration since the

application purposes is to record and edit the users activities and preferences during his stay at a

hotel. This will require extra security for logging on the application as discussed in section 3.4.

Several profiles can be kept at once, each one being associated to a travelling mode. Each profile

will be represented by a quick response code chosen from a pre-set list of codes available at the

hotel and will mark a certain combination of factors such as: room type, TV grid, mini bar selection,

restaurant preferences, etc.


5/14

The code will be also marked on the electronic key card which will be scanned to grant access to the

hotels facilities and to update the profiles state. While the key is placed in the room key slot,

several sensors will monitor the usage of the mini bar, TV, phone, Internet and the data will be

automatically sent to the monitoring application. If the key slot is empty, the functioning of all

equipment will be interrupted.

For other facilities such as automatic vendor machines, hotels spa, gym or any facility that is not

free and belongs to the hotel or to the associated companies, the key will again act as a switch

granting access and monitoring their usage. The costs associated with each recording in the keys

log add up to form the total bill and keep track of all activities. The bill can either be paid at the end

of the stay or it can be sent to the billing address of the telephone contract owner. If this is the case,

editing a profile will be possible only after the payment is registered.

Based on the current choices, the application might suggest similar products or activities which are

available in the hotel and the associated companies. This presumes a previous indexing and

correlation of all the available products and stocking them in a database available online.

2.1 DATA COLLECTEDThe system gets some of its data from the mobile phone contract and the rest is provided by the

customer at each room booking consisting in the details of each stay. As we intuit, the data stored is

generally sensitive data such as:

- name, phone number, address, credit card account;- name, phone number, address of next-of-kin;- usage of mini bar, room service, laundry service, TV-channels watched, Internet traffic,phone calls from the hotel room, presence in the hotel room;- usage of services from taxi companies, bars, clubs, spa, gym and other facilities associatedwith the hotel;

- a complete log will be used to monitor the customers behavior in order to be awarded ornot with a certain type of membership card and to create the detailed bill at the end of the stay

2.2 THE REWARD SYSTEMBased on the amount of money spent, the number of check-ins and the number of rooms booked at

once, each customer can be awarded the platinum, golden, or silver membership card which grants

free accommodation at the hotel for a limited period, access to the hotels facilities or pricereductions for staying at the hotel according to each type of membership. For being able to accord

the memberships correctly, each clients log is being kept for a period of two years, after which the

data is no longer valid. Therefore, the benefits of any type of account can be used within those two

years.

3.ETHICAL ANALYSIS OF THE SYSTEM


6/14

Although at a first glance the application seems to be somewhat harmless, the problems that can

arise are, at least, diverse. From identity theft and privacy loss to robbery, the simple possibility of

these issues can make the application unsafe and unappealing.

Just as any virtual account, provided an unauthorized person gets in possession of the phone, the

data already stored can be modified or , worst case scenario, the account can be used to bookseveral rooms for which the phone owner will pay. Also, the data will not only be available to the

user but also to the hotel personnel which, for a public person, will not be acceptable. We will

discuss also the threats over privacy in section 3.4, over data in section 3.5 and Error! Reference

ource not found. and find the technical solutions for them, if possible.

3.1. A PERFECTLY PLAUSIBLE SCENARIOWe are considering the case when the phone on which our application is running is lost. Since Mr.

Smith, the user, didnt expect to lose his phone, he also didnt log out of the application so the finder

will not have any difficulties in browsing through the data already stored. Therefore, there will beno obstacle if he decides to book a room on Mr. Smiths account, in a hotel he otherwise couldnt

afford and send the bill to the misfortunate Mr. Smith who will pay the bill.

We wont get into detail referring Mr. Smiths social status who might simply be an app-enthusiastic

student who now has to pay for the bill of his lifetime, or he might be a retired CEO whose funds are

barely scratched. The financial aspect of the consequences is not the goal of this essay but can be

used, if willing, to find mitigating circumstances for each situation and to extend the debate on the

acts moral character.

In the next subchapters we will discuss (we hope) all problems that can rise from this scenario and

we will also deviate from the plot to cover other possible application bugs.

3.2. VIOLATED RULES OF THE ETHIC CODE (ACM)It is not our job, as system developers, to prevent the phone from being lost but it is our job to make

it as robust as possible against unauthorized usage. The responsibility aspect will be discussed in

detail in section Error! Reference source not found. but we are taking into account the

ngineers ability to disclose and correct potential problems. Therefore, there is at least a causal and

legal responsibility, if not a moral one, that will lie in the developer segment. Considering the

Association for Computing Machinery Code of Ethics and Professional Conduct several rules wouldbe violated in a scenario such as the one presented.

(1.1) Contribute to society and human well-being:this principleconcerning the quality of life of

all people affirms an obligation to protect fundamental human rights and to respect the diversity of

all cultures. An essential aim of computing professionals is to minimize negative consequences of

computing systems including threats to health and safety and to assure that the system will be used


7/14

in socially responsible ways, will meet social needs, and will avoid harmful effects to health and

welfare.

We cannot refer to the society level in our case but at the individual level, there are strong

evidences that the threats to ones safety are not minimized and no assurances regarding the usage

of the software are given whatsoever.

(1.2) Avoid harm to others: avoid any injury or negative consequence, such as undesirable loss of

information, loss of property, property damage, or unwanted environmental impacts. Well-

intended actions, including those that accomplish assigned duties, may lead to harm unexpectedly.

In such an event the responsible person or persons are obligated to undo or mitigate the negative

consequences as much as possible. One way to avoid unintentional harm is to carefully consider

potential impacts on all those affected by decisions made during design and implementation.

Let us consider the case in which the database consisting of all users data is accessible for the

developer even after selling the application to the hotel chain. The reason could be:

- Simple negligence, if the engineer or team of engineers working on this project didntconsider this possibility;

- They realized that there might be a security breach but did not make the requiredadjustments;

- On purpose they left a way in the database for future usage of the data stored.In the work environment, the computing professional has the obligation to report any signs of

system dangers that might result in serious personal or social damage. If one's superiors do not act

to curtail or mitigate such dangers, it may be necessary to "blow the whistle" to help correct the

problem or at least to reduce the risks. However, whistle blowing is a delicate decision to take andthe professional who decides to follow this course should research intensely the situation and the

background before acting. Whistle blowing should be a last resort after exhausting all internal

options and concluding lack of cooperation from the management and board of directors.

(1.7) Respect the privacy of others:It is the responsibility of professionals to maintain the privacy

and integrity of data describing individuals. This includes taking precautions to ensure the accuracy

of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate

individuals. Furthermore, procedures must be established to allow individuals to review their

records and correct inaccuracies.

The user is indeed permitted to view and edit their data through the mobile phone interface

therefore the accuracy aspect is respected. The unauthorized access issue is a pressing problem and

extra security measures must be taken to correct it.

(1.8) Honor confidentiality:The principle of honesty extends to issues of confidentiality of

information whenever one has made an explicit promise to honor confidentiality or, implicitly,

when private information not directly related to the performance of one's duties becomes available.


8/14

This rule actually demands that the access should be granted only to a clearly determined group of

people so that the risks are minimal. Monitoring the customer and his activities should not be a task

for any employee of the hotel, but they should be chosen through a strict procedure and even sign a

disclosure agreement with the hotel when granted the access. In any case, the entry level

employees should not have access to this type of information.

(2.1) Strive to achieve the highest quality, effectiveness and dignity in both the process and

products of professional work: Excellence is perhaps the most important obligation of a

professional. The computing professional must strive to achieve quality and to be cognizant of the

serious negative consequences that may result from poor quality in a system.

We acknowledge that excellence is a subjective level depending on each professionals set of values

and cultural background but the result should always be a superior quality product. In our case the

great number of faults and security breaches take the application out of this select class of products.

(2.4) Accept and provide appropriate professional review: Quality professional work, especially

in the computing profession, depends on professional reviewing and critiquing. Whenever

appropriate, individual members should seek and utilize peer review as well as provide critical

review of the work of others.

(2.5) Give comprehensive and thorough evaluations of computer systems and their impacts,

including analysis of possible risks: Computer professionals must strive to be perceptive,

thorough, and objective when evaluating, recommending, and presenting system descriptions and

alternatives. Computer professionals are in a position of special trust, and therefore have a special

responsibility to provide objective, credible evaluations to employers, clients, users, and the public.

(2.8) Access computing and communication resources only when authorized to do so:Trespassing and unauthorized use of a computer or communication system is addressed by this

imperative. Trespassing includes accessing communication networks and computer systems, or

accounts and/or files associated with those systems, without explicit authorization to do so.

Individuals and organizations have the right to restrict access to their systems so long as they do

not violate the discrimination principle. No one should enter or use another's computer system,

software, or data files without permission. One must always have appropriate approval before

using system resources, including communication ports, file space, other system peripherals, and

computer time.(Reynolds, 2010)

3.3. IDENTITY THEFT"But he that filches from me my good name

Robs me of that which not enriches him

And makes me poorindeed

Shakespeare, Othello, act III, scene 3.


9/14

The short definition is that identity theft is a crime. Identity theft and identity fraud are terms used

to refer to all types of crime in which someone wrongfully obtains and uses another person's

personal data in some way that involves fraud or deception, typically for economic gain.

Unlike fingerprints, which are unique and cannot be given to someone else for their use, the

personal data especially Social Security number, bank account or credit card number, telephonecalling card number, and other valuable identifying data can be used, if they fall into the wrong

hands, to personally profit at the victims expense.

In the United States and Canada, for example, many people have reported that unauthorized

persons have taken funds out of their bank or financial accounts, or, in the worst cases, taken over

their identities altogether, running up vast debts and committing crimes while using the victims

names. In many cases, a victim's losses may include not only out-of-pocket financial losses, but

substantial additional financial costs associated with trying to restore his reputation in the

community and correcting erroneous information for which the criminal is responsible.(Identity

theft and Identity Fraud)

The most common ways to commit identity theft or fraud are a lot less elaborate than breaking into

our homes. In public places, criminals may engage in:

- "shoulder surfing" watching you from a nearby location as you punch in your telephonecalling card number or credit card number or listen in on your conversation if you give your

credit-card number over the telephone to a hotel or rental car company.

- "dumpsterdiving" going through your garbage cans or a communal dumpster or trash binto obtain copies of your checks, credit card or bank statements, or other records that typically

bear your name, address, and even your telephone number.

- If you receive applications for "preapproved" credit cards in the mail, but discard themwithout tearing up the enclosed materials, criminals may retrieve them and try to activate the

cards for their use without your knowledge.

- In recent years, the Internethas become an appealing place for criminals to obtainidentifying data, such as passwords or even banking information. In some cases, criminals

reportedly have used computer technology to obtain large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's

identity to conduct a wide range of crimes: for example, false applications for loans and credit cards,

fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards, or obtaining

other goods or privileges which the criminal might be denied if he were to use his real name. If thecriminal takes steps to ensure that bills for the falsely obtained credit cards, or bank statements

showing the unauthorized withdrawals, are sent to an address other than the victim's, the victim may

not become aware of what is happing until the criminal has already inflicted substantial damage on

the victim's assets, credit, and reputation.(Identity theft and Identity Fraud)

Even from a deontological point of view, when the consequence is not known, a system that wouldnt

meet the security standards needed to prevent identity theft cannot be accepted as suitable. Although


10/14

the intention of the developer is, indeed, to develop a functional system, by breaking the ACM article

2.1, the intentions quality proves to be less than it should. In the identity theft problem, the victims

identity becomes a mean, a toolto an end which possibly is a felony. This contradicts Kants second

categorical imperative.

From the utilitarian perspective, identity theft can be in some extremely special situations lessblamable. If the individual whose identity was stolen is a criminal (of any type) and using this method

the police would be able to capture him/her, there are perhaps sufficient excuses for using identity

theft.

3.4. PRIVACYACCESSIBILITY, DECISIONAL, INFORMATIONAL

[Privacy is] the right to be let alone

Warren and Brandeis (1890)

The lack of privacy is easy to identify when experienced but difficult to define in a clear and simple

manner. L. Introna splits the concept into three subcategories: privacy as no access to the person or

the personal realm, privacy as control over personal information and privacy as freedom from

judgment or scrutiny by others. The notion of control is due to the dynamic environment in which

the concept is defined which varies socially and culturally. This idea of control over personal

information is very powerful in situations where it is important to determine whether or not an

individuals right to privacy has been violated.

Although at a first glimpse, the access over private data cannot do a serious damage to an individual

(If you have nothing to hide), even from a relationship point of view, so not taking into accountthe economic or social aspect, the behavior of an individual can be dramatically changed when

supervised. J.Bentham described the famous Panopticon architecture as a new mode of obtaining

power of mind over mind, in a quantity hitherto without example. Following this path, we can

suspect a behavioral change in the user of our product therefore influence the decisions the client

takes during his stay at the hotel. The more accessible the data is to a third party, the greater the

tendency to take decisions closer to what is socially appropriate.

Also the control over the information transfer consisting of personal data of the user can be object

of privacy threats such as data gathering, data exchanging, data mining, data merging and data

matching. These aspects will be discussed in subchapter 3.5 and further discussions on the

systems embedded value in subchapter3.6.

The developers intention of having easily accessible data cannot be classified with certainty in any

way. It is indeed useful and appealing to have all data through a simple touch of the screen but this

provides so little protection of the actual data. Provided the exact details of the system are correctly

presented in an agreement signed by both parts, the developer will not have to account for any legal


11/14

responsibility. In this matter both theories, deontological ethics and utilitarianism, are equally

unable to determine the moral character of the accessibility, decisional and informational privacy.

3.5. PRIVACY FRAUDSDATAGATHERING, EXCHANGING, MINING, MERGING, MATCHING

The ways in which available data on a certain individual can be exploited and misused are only

limited by the criminal imagination therefore we will not be able to cover all possible scenarios.

- If besides the data mentioned in the signed agreement, any other type of data is storedwithout the users consent, we are talking aboutdatagathering techniques;

- In the case in which existent databases are exchanged to third parties without the consentof the user, the dataexchanging can affect the security, integrity and social image of a certain

individual;

- By tracking the users activity during his stay it can be realized a consumers profile andthis profile can be exchanged with advertising companies that will spam the client with offers

similar to his taste;

- Taking the previous example to a new level, let us consider a large database consistingof all the clients who use our application. In this case we have to be aware ofdata miningthe

process of discovering new patterns from large data sets involving methods

from statistics and artificial intelligence but also database management. The result is a set of

associations that arent obvious and the way this new data is used determines, in the end, the

implicit value of the process. It can be simply a mean to help the hotel stock up with the right

products and run an efficient business.

When the data is fed to an automatic system that takes adverse decisions affection your well-

being, safety, health, rights to certain services etc. we can no longer talk about a neutral value

data. These decisions would previously be regarded as prejudiced and biased can now be

justified by ascribing causal responsibility tocomputer represent an advantage for companieswho want to use these non-transparent techniques.

- Datamerging - A data-exchanging process in which personal data from two or moresources is combined to create a "mosaic" of individuals that would not be discernable from the

individual pieces of data alone ;

- Datamatching - A technique in which two or more unrelated pieces of personalinformation are cross-referenced and compared to generate a match or "hit," that suggests a

person's connection with two or more groups.

In the last two situations we are considering new data obtained by processing the information

available in our database. This new data might result in a piece of information the user isnt willing

to share and is not mentioned in the initial contract. We can consider these case a more particular

case of data gathering.
http://en.wikipedia.org/wiki/Data_sethttp://en.wikipedia.org/wiki/Statisticshttp://en.wikipedia.org/wiki/Artificial_intelligencehttp://en.wikipedia.org/wiki/Database_managementhttp://en.wikipedia.org/wiki/Database_managementhttp://en.wikipedia.org/wiki/Artificial_intelligencehttp://en.wikipedia.org/wiki/Statisticshttp://en.wikipedia.org/wiki/Data_set


12/14

3.6. EMBEDDED VALUES-BIASB. Latour argued that technological artifacts issue constraints on the world surrounding them, and

Winner has argued that they can harbor political consequences.

The idea of embedded values is best understood as a claim that technological artifacts, especially in

our case in which we are talking about a software application, have built-in tendencies to promote

or demote the realization of particular values, a built-in consequence. Technological artifacts have

therefore, consequences that tend to manifest themselves in all central uses of the artifact. Also,

technological artifacts have built-in values and built-in norms so that we can reach the conclusion

that technology is notmorally neutral.

4.TECHNICAL MEASURESSince we are discussing about a smart-phone application we afford being a little creative with the

technical measures that can be taken to avoid or, at least, minimize the consequences of application

misusage.

Regarding the security aspect, several improvements can be brought. For instance the user can log

in using an iris recognition function which can be easily implemented in any smart-phone

considering nowadays the characteristics of their incorporated cameras. This method is not as fast

and smooth as the regular login but for gadget enthusiasts can be a reason to enjoy the application

even more.

If this is not the case, we can add an automatic log-off procedure that will be enabled after 5

minutes of inactivity in the applications window. Logging back on will be realized either through

iris recognition or through the input of a complex key. The key will be mandatory formed by

different types of characters: case sensitive letters, numerical and special characters (%,$,*,etc.)

eliminating the risk of having dumb keys such as the users name or obvious character

combinations.

To prevent unauthorized data access, the data can be kept on a local support (namely, the phones

memory) and the hotels actions will be reduced to a minimum: the client will present the already

computed bill at the hotels reception (the data cannot be modified before the payment so there are

no risks in this moment); the bill will not be a detailed one, just the total sum; at a future

reservation the hotel will ask if there are any preferences and if so, the user can decide to grant

access to his database. The membership will not be automatically granted, the client must request it

when he meets the given criteria.

If the client decides to grant access to his data, the hotel personnel must present a rank code which

will allow them to see the data only if they are above a certain level of security. As discussed before,

entry level personnel will not be able to access the database.


13/14

5.CONCLUSIONIn this paper we discussed some of the ethical conflicts that may arise when misusing the

application or the data stored by it. As expected, we did not find a generally valid formula on which

basis we could say precisely which case is ethically correct or not. The true nature of an action can

only be determined in its own conjecture.

In our case, the hotels hospitality and efficient management have to balance out the risks to which

the user is exposed while using this application. The application should be rigorously tested before

being sent on the market since it handles delicate data and can raise great problems for the user.

Following even remotely the ethical rules, many unpleasant situations can be avoided and just as

many can be justified resulting in a useful, appealing experience for all parts involved.


14/14

6.BIBLIOGRAPHYIdentity theft and Identity Fraud. (n.d.). Retrieved october 08, 2011, from The United States

Department of Justice: http://www.justice.gov/criminal/fraud/websites/idtheft.html

Martin, C.A Brief Introduction to Morality. Kansas.

Mason, R. O. (1986). Four Ethical Issues of theIinformation Age. Management Information Systems

Research Center, University of Minessota .

Reynolds, G. W. (2010). Ethics in Information Technology. Cengage Learning Inc.: Boston.

Documents

Ethical Analysis of a Travel-tracking Application