Ethical and Legal Dilemma in IT

Ethical and Legal Dilemma in IT 1

Ethical and Legal Dilemma in IT

Howard Beny

Ethical and Legal Considerations in Information Technology

September 13, 2012

Corinne Dalelio


ABSTRACT

There are many instances when people or companies have committed legal or ethical wrongs.

It is up to the individual to have the moral compass to see the difference between right and

wrong whether you are talking about ethics or legal issues. When talking about cloud

computing, those same ethics and laws need to be held in many ways even higher, since people,

companies, and governments have begun to utilize the cloud for storage and processing of

information and data. Since now these people are trusting a third party to store and/or process

your personal and confidential information, the cloud companies need to show how they would

protect that information.


Table of ContentsAbstract............................................................................................................................................2

The ethical considerations in technology applications....................................................................4

The effect of the law on IT professionals and the profession..........................................................6

The impact of computer legislation and case law in the areas of privacy, security, and criminal liability in information sharing........................................................................................................9

Compare privacy and security practices in IT...........................................................................11

Legislation and case law related to security practices and criminal liability in information sharing........................................................................................................................................12

How legislation and case law in these areas will (now and in the future) impact the dilemma you have chosen and in turn, how the dilemma will impact the IT field..............................................13

Examination of how the legislation and case law......................................................................14

Formulate conclusions about the future of security practices and criminal liability in information sharing....................................................................................................................15

The importance of using information legally and ethically in these areas, based on the established legal and ethical values in IT.........................................................................................................16

The impact of organizing IT in an ethical and legal manner to ensure regulatory compliance in current and future IT practices.......................................................................................................16

References......................................................................................................................................18


THE ETHICAL CONSIDERATIONS IN TECHNOLOGY APPLICATIONS

The ethical framework in Information Technology (IT) details the moral values and standard

behaviors that tell us how to act. The ethical framework is used to make the right decision of a

single person or company, a different person or company might make a different decision even

with the same information. When it comes to IT and specifically to cloud computing the ethical

behavior of companies is of utmost importance. Imagine that you placed all of your data with a

company that rented cloud storage; sometime later there was a breach and data was stolen, your

data. This data contained sensitive information about you and your family; you would lose trust

and faith in this company. So, what must be done to protect the information that is entrusted to

these companies from an ethical standpoint? It is the ethical framework that decisions are made

from, that is what defines the ethics that are used by companies to make the right decision.

The other side of the coin is the knowledge of the users. There are millions of people that are

using the cloud, but what percentage of them understands the cloud and the probabilities that

something will happen to their information. From a legal and medical point of view, there is a

legal duty to protect the information of the clients and patients. “In the context of a law firm,

cloud computing raises concerns associated with entrusting a third party with confidential client

data.” (Newton, Unknown) It will be a partnership of the company’s technology experts that,

with their ethical behavior, make sure that the information is secure and accessible to only those

with the proper access. When you talk about ethics you by default need to talk about the law and

the consequences since the two are considerably interconnected.


Over the last twenty or so years, computing power, acceptance, and new technologies has come

about that has changed the lives of almost everyone. These new technologies bring new ethical

quandaries and much discussion. “The fact that new technology is involved does not alter that.

But, because new technology allows us to perform activities in new ways, situations may arise in

which we do not have adequate policies in place to guide us. We are confronted with policy

vacuums.” (Moor, 2006) Technologies have been developed that performs many good and bad

things. There was a school bus monitor in New York State that was verbally abused by 4 middle

schoolers. The benefit was that a technology application was used to help her and raised over

$600,000 for her. The other side of the coin contains things that aren’t ethical like someone

creating a virus or hacking into secured servers to retrieve information. These are some of the

ethical and legal problems that the new technology has created, stealing without leaving your

home. When we talk about the cloud technologies we encounter the very same ethical and legal

issues. The companies that host these data centers are aware of these challenges of keeping the

data that is entrusted to them safe, but I’m not quite sure they are upholding the ethical side when

it comes to helping their customers. There is a balance between costs and ensuring the customers

store their information securely. If the data is in a secure physical location, is protected from

hackers and the like, but the user is allowed to create a weak password that is easy to break,

whose fault is it, ethically speaking?

In the case of cloud computing the laws have gotten very muddy, because data that is housed in a

U.S. based company on U.S. soil might have different laws than a company and data that is

based in Japan. What jurisdiction would you go to when you have data from all over the world?

In one instance, “European concerns about US privacy laws led to creation of the US Safe

Harbor Privacy Principles, which are intended to provide European companies with a degree of

insulation from US laws.” (Binning, 2009) The lack of legislation and regulation has not caused


undue issues or loss of data, but it is inevitable that some type of legislation is yet to come, right

after a significant breach. There are currently laws to prosecute hackers, writers of viruses and

others; these will have to do for the time being. The cloud computing environment is the new

“old west”. Even though cloud computing has been around for a while, there has been little

legislation to protect the data, and there probably will never be enough legislation, simply

because of this little question: whose data is it and where does it physically sit? The companies

and data are global; you can be sitting at home today and tomorrow be half way around the world

all the while having access to retrieve your music, files, and videos. Since there hasn’t been a

call to globally regulate these cloud computing providers, we rely on the ethical practices of the

companies that host the servers and data centers to live by an ethical code. What we as

individuals need to understand is that we need to manage our security, our passwords and

understand where the data is stored. If your ethical framework is high you might not use the

cloud or if you did, you might be very careful where you store your data as well as its security.

The ethical framework that motivates us and the companies that service us must always strive for

the highest level of security and protection.

THE EFFECT OF THE LAW ON IT PROFESSIONALS AND THE PROFESSION

The laws that pertain to IT professionals and the profession impact the community in many

ways. The laws that we need to follow are extensive and can be far reaching if not followed,

especially after September 11, 2001. I have not been adversely impacted since the area of IT that

I work in doesn’t have many regulations, most come from the company that I have worked with,

instead of laws or acts. There are many laws that relate to the IT field, the table below shows

what they are and a brief summary.


( Pollack &

Hartzel, 2006)

Most of these impact the IT professional in one way or another. Companies have used different

training programs to inform the IT professional so they are aware of what they need to do and the

consequences of not acting in a law abiding way. For the IT profession, these laws and acts have

added a number of layers to organizations to either comply and/or to verify compliance, which in

turn increases costs, manpower, and certain paradigm changes to make sure all the holes are

covered.

There are numerous laws that affect the information technology arena from laws that regulate

access to data and copyright to discrimination and libel. Take for instance SOX. SOX mainly

targets accounting, financial reporting, and accurate reporting. Because all of the functions of

accounting, reporting, and other financial information is kept on computers and servers, it in turn

is the responsibility of the information technology(IT) department and management to make sure


all the systems are secure, operating, and accurate otherwise fines and other monetary penalties

could be enforced by the federal government. The Patriot Act has again added a new layer of

complexity to the IT department. Because of this bill, a new position was required to be created

in companies, the compliance office. It is the duty of the compliance officer to verify that the

company has met all the requirements and mandates of the Patriot Act. Because of the Patriot

Act companies were forced to look at their IT security as well. The Computer Trespasser is a

person or entity that accesses computer systems without authority. The Patriot Act allows law

enforcement to monitor, intercept and prosecute those found guilty of this crime, in certain

circumstances. Section 105 gives the Secret Service the power to investigate

computer/cybercrimes, including cellphone cloning and denial of service attacks. The Patriot

Act also made sweeping changes to many other acts and laws. One of the acts is the Computer

Fraud and Abuse Act (CFAA).

(Eecke, 2012)

The above chart shows how slowly the EU has enacted laws compared to the growth of the

internet technologies.

In cloud computing, Microsoft has penned an act called the Cloud Computing Advancement Act.


This act, which has not passed congress yet, increases the security and privacy rules in cloud

computing to protect companies and the public that currently uses cloud computing resources.

This act would also bring Fourth Amendment rights to the cloud, protecting information from

undue searches and seizures. The Federal Trade Commission (FTC) has been in the forefront of

cloud computing, advocating privacy and security needs and better enforcement, but it currently

does not have the authority to do so. HIPAA regulates that any data transmission and cloud

storage be encrypted and customized business associates (BA) agreements. These BA

agreements safeguard the data that is being transmitted between the healthcare provider and the

third party cloud storage company.

The regulations and agreements that need to be enacted as well as stronger laws to protect all of

the data stored and processed by cloud computing companies is needed. Cloud computing

covers everything from server based emails to remote computing and everything in between and

there have been breaches. Google’s Gmail was breached and user names were released; credit

card servicer’s have been targeted releasing hundreds of thousands of credit card numbers into

the wild. There have been prosecutions, but many of these breaches (hackers) have been done

from outside of the US prosecutors reach. So how do we combat these breaches? I feel stronger

laws, international relationships, and accountability are some of the best ways to counteract these

crimes, but as technologies get better other breaches will occur.

THE IMPACT OF COMPUTER LEGISLATION AND CASE LAW IN THE AREAS OF

PRIVACY, SECURITY, AND CRIMINAL LIABILITY IN INFORMATION SHARING

Over the last 20 years or so Information Technology (IT) has taken our world and flipped it

upside down. IT has done this by the internet, new technologies, mobile technologies, and other

forms of technology. What once took hours, days, or weeks now can take as little as a few


seconds. Just go search Google and in the top right hand side of the page it will tell you how

long and how many results were found. So when we talk about the legal and ethical values in IT,

we need to start out seeing how the world has changed and what these new technologies can and

do bring us. For instance, it’s legal to purchase a game on line, but it’s not legal to download that

same game without paying for it, and furthermore it’s not ethical. The big difference is, it is

much easier to use technologies that are web based instead of stealing from a brick and mortar

store. Just think of all the times programs, music, videos have been downloaded illegally. Has it

become the norm because “everyone else does it?” I think that depends on your ethics, which in

turn guides your values and decisions.

Because of IT and the assurances that companies give us that our information is safe, we tend to

believe the experts, but there have been times that this isn’t true. There have been many break-

ins that have affected servers and data/ information that has been stolen and/or placed on the

internet for all to see. There are ethical and legal responsibilities that the company must do to

protect our information.

Ultimately, if the industry doesn’t regulate itself then, I feel it will be the government that will

have to pass laws to protect our information. It’s the company’s responsibility to protect our

information to its best ability, and most of the time the break-ins occur due to the company not

patching or in negligent acts that easily allows hackers the ability to extract the information.

“There is widespread acceptance of unethical practices in the information technology field due in

part to the fact that data is often an abstraction. The very same unethical practices that would

never be allowed when the abuser is holding his prize in his hand is too often overlooked when

there is no physical evidence of wrongdoing.” (Sexton, 2007) Sexton’s story is only too true.

Most people wouldn’t walk into a store like Target and steal a CD or DVD, but with Peer to Peer

services on the internet people that wouldn’t steal from a brick and mortar store steal all the time.


Compare privacy and security practices in IT

Before we can compare privacy and security, let’s define them. Privacy, as defined by

Dictionary.com is “the state of being free from intrusion or disturbance in one's private life or

affairs”. Security, as defined by Merriam-Webster.com is the “measures taken to guard against

espionage or sabotage, crime, attack, or escape (2): an organization or department whose task is

security”. In many ways privacy and security are very similar. In both you have something that

you don’t want others to know or have. Another way to explain the similarities is security

protects privacy and privacy protects security; same coin different side.

Privacy in IT is centered on the company’s ability to keep your information safe/secure, to not

monitor your movements, and to preserve the identities of the person or company doing business.

There are so many ways that IT can let down their customers by not protecting the privacy they

have entrusted with us, and there are so many ways that we can protect the privacy of our

customers.

The laws to protect privacy have not developed as technology has developed and has not

supported our First and Fourth Amendments (basically, the First Amendment protects free speech

and the Fourth protects us from undo search and seizures). There have been some strides to

protect the privacy of personal and corporate information from law enforcement authorities, but

they aren’t enough. The Do Not Track Me Online Act of 2011 orders the Federal Trade

Commission to work toward stopping the collection of personal information while on the

internet, unless this information is given (like providing a credit card for a purchase). More and

more companies are beginning to be more proactive in stopping security and privacy breaches.

There is a framework that tries to give companies the steps and information to be proactive in

protecting personal information; Privacy by Design is the proactive framework that companies

are using to deter breaches. “There are seven foundational principles of Privacy by Design that


help companies integrate privacy into all facets of its business. These seven principles are:

1. Proactive, not reactive; preventative, not remedial;

2. Privacy as the default;

3. Privacy embedded into design;

4. Full functionality – positive-sum, not zero-sum;

5. End-to-end lifecycle protection;

6. Visibility and transparency; and

7. Respect to user privacy” (Serwin, 2011)

By utilizing these principals companies from the outset look at privacy differently. It becomes

an essential component of the IT strategy and integrated into business and IT models. This also

revolves around the ethical and legal responsibilities that businesses have to protect the privacy

of their clients and to create a secure environment to store information from unauthorized

intrusions.

Legislation and case law related to security practices and criminal liability in information

sharing

Information sharing is the illegal access and dissemination of confidential and private

information. This usually takes the form of internet hacking, phishing, and other forms of

gathering information. “The past five years alone have resulted in an astronomical amount of

data loss and crime. We must look at these attacks differently as not all “attacks” are the same.

I, as well as a good amount of others, break these attacks into a couple of categories. We have E-

crime, Cyber Espionage, Cyber War and E-vandalism.” (Somaini, 2011) The Computer Fraud

and Abuse Act was enacted to punish those who hacked or cracked into computers. The problem

is the law protects Federal, financial computers and computers supporting interstate and foreign


commerce only; it doesn’t protect any computer/server system that doesn’t work with the above

criteria. There have been several criminals punished under this act including; Sergey Aleynikov,

Neil Scott Kramer, and Peter Alfred-Adekeye to name just a few. Other laws and acts that have

been enacted to protect the security of information include: The Health Insurance Portability and

Accountability Act of 1996 (HIPAA), Fair Credit Reporting Act/ Fair and Accurate Credit

Transactions Act of 2003 (FCRA/FACTA), and Sarbanes-Oxley (SOX). HIPAA is designed to

protect a person’s health information and the security rule is for businesses and how they need to

protect a person’s information and the enforcement and penalties for non-compliance. The

FCRA provides protection in fair credit reporting is true and accurate; the FACTA adds

protections related to identity theft, consumer protections, and criminal prosecution. SOX was

enacted to make banks and other financial institutions responsible for their transactions, reduce

money laundering, and increase compliance.

HOW LEGISLATION AND CASE LAW IN THESE AREAS WILL (NOW AND IN THE

FUTURE) IMPACT THE DILEMMA YOU HAVE CHOSEN AND IN TURN, HOW THE

DILEMMA WILL IMPACT THE IT FIELD

There aren’t laws currently on the books that specifically protect or prosecute offenders of cloud

computing wrongdoings. “Amazon EC2(Amazon EC2 is a cloud based host that users can use

virtual PCs or servers for all most anything, from running a business to illegal activity), for

example, has been used to carry out numerous attacks and password-cracking endeavors. Reed

believes that the legislation would empower service providers to take certain actions (presumably

civil) in such situations.” “Reed said the legislation aims to address two important issues:

appropriate criminal penalties for cyberhacking of cloud services and providing legal clarity

around transnational data storage and computing. (Harris, 2011) This legislation is currently in


draft and it’s one of the first to address international issues and the theft and use of

computers/servers in illegal ways. Unfortunately, the draft has not been presented to the

congress and as of the date of this paper.

One interesting fact is that President Obama endorsed this technology in his 2010 budget for the

purpose of moving the Federal government to the cloud. Over the last 8-12 months and into the

future, most federal agencies are moving their computing to the cloud to save money.

Companies like Microsoft are looking for these very profitable contracts to host the cloud for

data storage and computing (servers that run “virtual PCs”, all computing is done at the server).

Currently there aren’t dedicated laws that protect the data and processing of data at cloud

computing companies in the US. If there are wrong doings, current laws will have to do the job

of prosecuting and protecting the public and corporations. Because of the European Union (EU)

partner countries, there has been some movement in the laws to protect data in the cloud, and the

US might have some claim to it, since our laws are as tight or tighter than the EUs, but this paper

is looking at US law, not EU laws.

Examination of how the legislation and case law

Here in the US the laws surrounding cloud computing have severely lagged behind the EU. We

do have several laws that protect certain parts of your online life, but as you read about the

Fourth Amendment, you are not as protected as you should be in the cloud. If the data was

located on your personal computer, the Fourth Amendment would easily protect your

information against search and seizure without a warrant, but not in cyberspace. There are also

no laws that protect your data or rights if it happens to be stored in a different country. What is

interesting is that the government can monitor and capture the network packet header

information (the header has all of the information about where the packet has come from and

where its final location is); the packet is the information that you are sending via email or IM,


etc. The Supreme Court stated that it doesn’t violate the Fourth Amendment to look at the

outside of a letter; you just can’t open it, just like an electronic packet. “On January 20, 2010,

Microsoft, through its Senior Vice President and General Counsel Brad Smith, announced a

legislative and industry initiative it called the Cloud Computing Advancement Act. The proposal

contains two main legislative thrusts: (1) modification of the Electronic Communications Privacy

Act and the Computer Fraud and Abuse Act (ECPA) to strengthen privacy protection, and (2)

enhancement to the Computer Fraud and Abuse Act of 1986 (CFAA) to deter malicious

hacking.” (Martin, 2011) There are other companies and consortiums that are trying to

strengthen the laws in regards to cloud computing, but I fear that we are still far away from

having laws that protect our data and data processing in the cloud as we do have in our

personal/corporate computing space.

Formulate conclusions about the future of security practices and criminal liability in

information sharing

The future of cloud computing is wide open, and with it the laws and acts that help protect this

infrastructure will certainly strengthen. As I have said in the past the laws always come after the

crimes. There have been too many hackers, crackers, and others that have broken into computer

systems and have stolen information worth millions of dollars. By strengthening laws like the

CFAA, HIPAA, and FCRA/FACTA we could work to secure our infrastructure, data and

processing systems, but at this time there aren’t indications that this will happen. I feel that there

hasn’t been a large enough outcry from the public to quickly modify these bills. Others like the

Microsoft Cloud Computing Advancement Act looks to directly strengthen the cloud computing

systems. This proposed act looks to be one of the most comprehensive and forward looking

documents yet.


THE IMPORTANCE OF USING INFORMATION LEGALLY AND ETHICALLY IN THESE AREAS, BASED ON THE ESTABLISHED LEGAL AND ETHICAL VALUES IN

ITThere is no more important choice to make than to choose to be ethical and do your best to not

break laws; unfortunately, this happens all the time. This pertains to cloud computing as well. As

I have said before, due to the cloud being relatively new, there aren’t dedicated laws that protect

the Cloud company, your data, or any other processing and information. There are currently

laws and acts that prosecute the acts of an intrusion, like hacking, phishing, etc. but the laws are

not enforceable outside of the US.

It is also not ethical for a cloud host company to monitor or look at the data that is on their

servers and storage arrays. All companies create standards and codes of conducts that guide their

business models and interactions with their customers. The ethical way in which companies

conduct their business reflects in how they follow the laws of the country that they belong to or

do business in. “Mason identified four areas of critical concern for managers. They include

privacy, accuracy, property, and accessibility and are frequently referred to by the acronym

PAPA”. ( Pollack & Hartzel, 2006) In cloud computing, the same ethics and laws affects the

company’s business. Businesses that follow the laws do so because they are ethical. You really

can’t be an effective person or company if your ethics aren’t in the right direction, and without a

good ethical behavior how can you truly follow the law.

THE IMPACT OF ORGANIZING IT IN AN ETHICAL AND LEGAL MANNER TO ENSURE REGULATORY COMPLIANCE IN CURRENT AND FUTURE IT

PRACTICESWhenever a business organizes any department there are a number of legal and ethical choices

that must be made and one of the most influential departments is the IT department. Since IT

has their hands in just about everything a company does it is critical that standards (ethical and

legal, among others) are created first. It is the responsibility of the leaders to set the tone. If you


have strong leaders, then ethical and legal behavior will be upheld to its highest standards. If

you have leaders that are not as strong, then you would certainly not have the same standards and

laws and/or ethics would be broken easier.

Some of the direct reporting departments would include legal, networking, training, desktop,

compliance, and others. It is leadership that is needed to create a successful department.

To ensure regulatory compliance now and in the future you again need a strategic leadership

team that leads by design. Then you have the employees. Most IT employees do not know the

law and some might not be as ethical as others. Through training, commitment to and

documentation the employees would have an understanding, the information, and the right moral

compass to make the right decisions, based on their knowledge and the ethical/legal behavior of

the company.


REFERENCESPollack, T. A., & Hartzel, K. S. (2006). Ethical and Legal Issues for the Information Systems

Professional. ASCUE Conference, 172-179.Binning, D. (2009, April 24). Top five cloud computing security issues. Retrieved from Computer

weekly: http://www.computerweekly.com/news/2240089111/Top-five-cloud-computing-security-issues

Eecke, P. V. (2012, September 2). Cloud Computing Legal Issues. Retrieved from isaca.org: http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/DLA_Cloud%20computing%20legal%20issues.pdf

Harris, D. (2011, July 16). cloud legislation takes center stage on capitol hill. Retrieved from gigaom.com: http://gigaom.com/cloud/cloud-legislation-takes-center-stage-on-capitol-hill/

Martin, T. D. (2011, May). Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security, and Property in Cloud Computing. Retrieved from Bepress.com: http://works.bepress.com/timothy_martin/3/

Moor, J. H. (2006, September). Why We Need Better Ethics for Emerging Technologies. Retrieved from commonsenseatheism.com: http://commonsenseatheism.com/wp-content/uploads/2011/03/Moor-Why-We-Need-Better-Ethics-for-Emerging-Technologies.pdf

Newton, J. (Unknown, Unknown Unknown). The Ethics and Security of Cloud Computing. Retrieved August 5, 2012, from goclio.com: http://www.goclio.com/resources/white_papers/Security%20Ethics%20of%20Cloud%20Computing.pdf

Serwin, A. (2011, September 12). Compliance Best Practices in Information Security: An Analysis of Privacy by Design. Retrieved from corporate compliance insights: http://www.corporatecomplianceinsights.com/compliance-best-practices-in-information-security-an-analysis-of-privacy-by-design/

Sexton, T. (2007, Feburary 9). Ethics in the Field of Information Technology. Retrieved from voices.yahoo.com: http://voices.yahoo.com/ethics-field-information-technology-191336.html

Somaini, J. (2011, May 22). My Review of White House Cybersecurity Strategy and Legislative Proposal . Retrieved from somaini.net: http://www.somaini.net/justins-journal/2011/5/22/my-review-of-white-house-cybersecurity-strategy-and-legislat.html