Ethical and Legal Dilemma in IT 1
Ethical and Legal Dilemma in IT
Howard Beny
Ethical and Legal Considerations in Information Technology
September 13, 2012
Corinne Dalelio
ABSTRACT
There are many instances when people or companies have committed legal or ethical wrongs. It is up to the individual to have the moral compass to see the difference between right and wrong, whether the question is one of ethics or of legal issues. When talking about cloud computing, those same ethics and laws need to be held, in many ways, to an even higher standard, since people, companies, and governments have begun to use the cloud for storage and processing of information and data. Since these people are now trusting a third party to store and/or process their personal and confidential information, the cloud companies need to show how they would protect that information.
Table of Contents
Abstract ... 2
The ethical considerations in technology applications ... 4
The effect of the law on IT professionals and the profession ... 6
The impact of computer legislation and case law in the areas of privacy, security, and criminal liability in information sharing ... 9
Compare privacy and security practices in IT ... 11
Legislation and case law related to security practices and criminal liability in information sharing ... 12
How legislation and case law in these areas will (now and in the future) impact the dilemma you have chosen and in turn, how the dilemma will impact the IT field ... 13
Examination of how the legislation and case law ... 14
Formulate conclusions about the future of security practices and criminal liability in information sharing ... 15
The importance of using information legally and ethically in these areas, based on the established legal and ethical values in IT ... 16
The impact of organizing IT in an ethical and legal manner to ensure regulatory compliance in current and future IT practices ... 16
References ... 18
THE ETHICAL CONSIDERATIONS IN TECHNOLOGY APPLICATIONS
The ethical framework in Information Technology (IT) details the moral values and standards of behavior that tell us how to act. The ethical framework is used to reach the right decision; a single person or company may reach one decision, and a different person or company might make a different decision even with the same information. When it comes to IT, and specifically to cloud computing, the ethical behavior of companies is of the utmost importance. Imagine that you placed all of your data with a company that rented cloud storage; some time later there was a breach and data was stolen, your data. This data contained sensitive information about you and your family; you would lose trust and faith in this company. So, what must be done, from an ethical standpoint, to protect the information that is entrusted to these companies? It is the ethical framework that decisions are made from; that is what defines the ethics that companies use to make the right decision.
The other side of the coin is the knowledge of the users. There are millions of people using the cloud, but what percentage of them understands the cloud and the probability that something will happen to their information? From a legal and medical point of view, there is a legal duty to protect the information of clients and patients. “In the context of a law firm, cloud computing raises concerns associated with entrusting a third party with confidential client data.” (Newton, n.d.) It will be a partnership of the company’s technology experts that, with their ethical behavior, make sure that the information is secure and accessible only to those with the proper access. When you talk about ethics you by default need to talk about the law and its consequences, since the two are considerably interconnected.
Over the last twenty or so years, computing power, acceptance, and new technologies have come about that have changed the lives of almost everyone. These new technologies bring new ethical quandaries and much discussion. “The fact that new technology is involved does not alter that. But, because new technology allows us to perform activities in new ways, situations may arise in which we do not have adequate policies in place to guide us. We are confronted with policy vacuums.” (Moor, 2006) Technologies have been developed that perform many good and bad things. There was a school bus monitor in New York State who was verbally abused by 4 middle schoolers. The benefit was that a technology application was used to help her and raised over $600,000 for her. The other side of the coin contains things that aren’t ethical, like someone creating a virus or hacking into secured servers to retrieve information. These are some of the ethical and legal problems that the new technology has created: stealing without leaving your home. When we talk about cloud technologies we encounter the very same ethical and legal issues. The companies that host these data centers are aware of the challenge of keeping the data entrusted to them safe, but I’m not quite sure they are upholding the ethical side when it comes to helping their customers. There is a balance between costs and ensuring that customers store their information securely. If the data is in a secure physical location and is protected from hackers and the like, but the user is allowed to create a weak password that is easy to break, whose fault is it, ethically speaking?
In the case of cloud computing the laws have gotten very muddy, because data that is housed in a U.S. based company on U.S. soil might be subject to different laws than a company and data that are based in Japan. What jurisdiction would you go to when you have data from all over the world? In one instance, “European concerns about US privacy laws led to creation of the US Safe Harbor Privacy Principles, which are intended to provide European companies with a degree of insulation from US laws.” (Binning, 2009) The lack of legislation and regulation has not caused undue issues or loss of data, but it is inevitable that some type of legislation is yet to come, right after a significant breach. There are currently laws to prosecute hackers, writers of viruses and others; these will have to do for the time being. The cloud computing environment is the new “old west”. Even though cloud computing has been around for a while, there has been little legislation to protect the data, and there probably will never be enough legislation, simply because of this little question: whose data is it, and where does it physically sit? The companies and data are global; you can be sitting at home today and tomorrow be halfway around the world, all the while having access to retrieve your music, files, and videos. Since there hasn’t been a call to globally regulate these cloud computing providers, we rely on the companies that host the servers and data centers to live by an ethical code. What we as individuals need to understand is that we need to manage our security and our passwords and understand where our data is stored. If your ethical framework is high you might not use the cloud, or if you did, you might be very careful where you store your data as well as how it is secured. The ethical framework that motivates us and the companies that serve us must always strive for the highest level of security and protection.
THE EFFECT OF THE LAW ON IT PROFESSIONALS AND THE PROFESSION
The laws that pertain to IT professionals and the profession impact the community in many ways. The laws that we need to follow are extensive, and the consequences can be far reaching if they are not followed, especially after September 11, 2001. I have not been adversely impacted since the area of IT that I work in doesn’t have many regulations; most come from the company that I have worked with, instead of laws or acts. There are many laws that relate to the IT field; the table below shows what they are with a brief summary.
[Table of laws relating to the IT field, with brief summaries; not reproduced in this copy] (Pollack & Hartzel, 2006)
Most of these impact the IT professional in one way or another. Companies have used different training programs to inform IT professionals so they are aware of what they need to do and of the consequences of not acting in a law-abiding way. For the IT profession, these laws and acts have added a number of layers to organizations, either to comply and/or to verify compliance, which in turn increases costs and manpower and requires certain paradigm changes to make sure all the holes are covered.
There are numerous laws that affect the information technology arena, from laws that regulate access to data and copyright to discrimination and libel. Take for instance SOX. SOX mainly targets accounting, financial reporting, and accurate reporting. Because all of the functions of accounting, reporting, and other financial information are kept on computers and servers, it in turn is the responsibility of the information technology (IT) department and management to make sure all the systems are secure, operating, and accurate; otherwise fines and other monetary penalties could be enforced by the federal government. The Patriot Act has again added a new layer of complexity to the IT department. Because of this bill, a new position was required to be created in companies: the compliance officer. It is the duty of the compliance officer to verify that the company has met all the requirements and mandates of the Patriot Act. Because of the Patriot Act, companies were forced to look at their IT security as well. A computer trespasser is a person or entity that accesses computer systems without authority. The Patriot Act allows law enforcement to monitor, intercept and prosecute those found guilty of this crime, in certain circumstances. Section 105 gives the Secret Service the power to investigate computer/cybercrimes, including cellphone cloning and denial of service attacks. The Patriot Act also made sweeping changes to many other acts and laws. One of the acts is the Computer Fraud and Abuse Act (CFAA).
[Chart of EU legislation over time against the growth of internet technologies; not reproduced in this copy] (Eecke, 2012)
The above chart shows how slowly the EU has enacted laws compared to the growth of internet technologies.
In cloud computing, Microsoft has penned an act called the Cloud Computing Advancement Act. This act, which has not passed Congress yet, increases the security and privacy rules in cloud computing to protect companies and the public that currently use cloud computing resources. This act would also bring Fourth Amendment rights to the cloud, protecting information from undue searches and seizures. The Federal Trade Commission (FTC) has been at the forefront of cloud computing, advocating for privacy and security needs and better enforcement, but it currently does not have the authority to do so. HIPAA requires that any data transmission and cloud storage be encrypted and that customized business associate (BA) agreements be in place. These BA agreements safeguard the data that is being transmitted between the healthcare provider and the third-party cloud storage company.
Regulations and agreements, as well as stronger laws to protect all of the data stored and processed by cloud computing companies, need to be enacted. Cloud computing covers everything from server-based email to remote computing and everything in between, and there have been breaches. Google’s Gmail was breached and user names were released; credit card servicers have been targeted, releasing hundreds of thousands of credit card numbers into the wild. There have been prosecutions, but many of these breaches (hackers) have come from outside of US prosecutors’ reach. So how do we combat these breaches? I feel stronger laws, international relationships, and accountability are some of the best ways to counteract these crimes, but as technologies get better other breaches will occur.
THE IMPACT OF COMPUTER LEGISLATION AND CASE LAW IN THE AREAS OF
PRIVACY, SECURITY, AND CRIMINAL LIABILITY IN INFORMATION SHARING
Over the last 20 years or so, Information Technology (IT) has taken our world and flipped it upside down. IT has done this through the internet, new technologies, mobile technologies, and other forms of technology. What once took hours, days, or weeks can now take as little as a few seconds. Just go search Google, and in the top right-hand side of the page it will tell you how long the search took and how many results were found. So when we talk about the legal and ethical values in IT, we need to start out by seeing how the world has changed and what these new technologies can and do bring us. For instance, it’s legal to purchase a game online, but it’s not legal to download that same game without paying for it, and furthermore it’s not ethical. The big difference is that it is much easier to use web-based technologies than to steal from a brick-and-mortar store. Just think of all the times programs, music, and videos have been downloaded illegally. Has it become the norm because “everyone else does it?” I think that depends on your ethics, which in turn guide your values and decisions.
Because of IT and the assurances that companies give us that our information is safe, we tend to believe the experts, but there have been times when this isn’t true. There have been many break-ins that have affected servers, and data/information has been stolen and/or placed on the internet for all to see. There are ethical and legal responsibilities that the company must meet to protect our information.
Ultimately, if the industry doesn’t regulate itself, then I feel it will be the government that will have to pass laws to protect our information. It’s the company’s responsibility to protect our information to the best of its ability, and most of the time the break-ins occur due to the company not patching, or to negligent acts that easily allow hackers to extract the information. “There is widespread acceptance of unethical practices in the information technology field due in part to the fact that data is often an abstraction. The very same unethical practices that would never be allowed when the abuser is holding his prize in his hand is too often overlooked when there is no physical evidence of wrongdoing.” (Sexton, 2007) Sexton’s story is only too true. Most people wouldn’t walk into a store like Target and steal a CD or DVD, but with peer-to-peer services on the internet, people who wouldn’t steal from a brick-and-mortar store steal all the time.
Compare privacy and security practices in IT
Before we can compare privacy and security, let’s define them. Privacy, as defined by Dictionary.com, is “the state of being free from intrusion or disturbance in one's private life or affairs”. Security, as defined by Merriam-Webster.com, is the “measures taken to guard against espionage or sabotage, crime, attack, or escape (2): an organization or department whose task is security”. In many ways privacy and security are very similar. In both you have something that you don’t want others to know or have. Another way to explain the similarities is that security protects privacy and privacy protects security; same coin, different side.
Privacy in IT is centered on the company’s ability to keep your information safe/secure, to not monitor your movements, and to preserve the identities of the person or company doing business. There are so many ways that IT can let down its customers by not protecting the privacy they have entrusted to it, and there are so many ways that we can protect the privacy of our customers.
The laws to protect privacy have not developed as technology has developed and have not supported our First and Fourth Amendments (basically, the First Amendment protects free speech and the Fourth protects us from undue search and seizure). There have been some strides to protect the privacy of personal and corporate information from law enforcement authorities, but they aren’t enough. The Do Not Track Me Online Act of 2011 orders the Federal Trade Commission to work toward stopping the collection of personal information while on the internet, unless this information is given (like providing a credit card for a purchase). More and more companies are beginning to be more proactive in stopping security and privacy breaches. There is a framework that tries to give companies the steps and information to be proactive in protecting personal information; Privacy by Design is the proactive framework that companies are using to deter breaches. “There are seven foundational principles of Privacy by Design that
help companies integrate privacy into all facets of its business. These seven principles are:
1. Proactive, not reactive; preventative, not remedial;
2. Privacy as the default;
3. Privacy embedded into design;
4. Full functionality – positive-sum, not zero-sum;
5. End-to-end lifecycle protection;
6. Visibility and transparency; and
7. Respect to user privacy” (Serwin, 2011)
By utilizing these principles, companies look at privacy differently from the outset. It becomes an essential component of the IT strategy and is integrated into business and IT models. This also revolves around the ethical and legal responsibilities that businesses have to protect the privacy of their clients and to create a secure environment that keeps stored information safe from unauthorized intrusions.
Legislation and case law related to security practices and criminal liability in information
sharing
Information sharing is the illegal access and dissemination of confidential and private information. This usually takes the form of internet hacking, phishing, and other forms of gathering information. “The past five years alone have resulted in an astronomical amount of data loss and crime. We must look at these attacks differently as not all “attacks” are the same. I, as well as a good amount of others, break these attacks into a couple of categories. We have E-crime, Cyber Espionage, Cyber War and E-vandalism.” (Somaini, 2011) The Computer Fraud and Abuse Act was enacted to punish those who hacked or cracked into computers. The problem is that the law protects federal computers, financial computers and computers supporting interstate and foreign commerce only; it doesn’t protect any computer/server system that doesn’t meet the above criteria. There have been several criminals punished under this act, including Sergey Aleynikov, Neil Scott Kramer, and Peter Alfred-Adekeye, to name just a few. Other laws and acts that have been enacted to protect the security of information include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act of 2003 (FCRA/FACTA), and Sarbanes-Oxley (SOX). HIPAA is designed to protect a person’s health information, and its security rule governs businesses, how they need to protect a person’s information, and the enforcement and penalties for non-compliance. The FCRA provides protection by requiring that credit reporting be true and accurate; FACTA adds protections related to identity theft, consumer protections, and criminal prosecution. SOX was enacted to make banks and other financial institutions responsible for their transactions, reduce money laundering, and increase compliance.
HOW LEGISLATION AND CASE LAW IN THESE AREAS WILL (NOW AND IN THE
FUTURE) IMPACT THE DILEMMA YOU HAVE CHOSEN AND IN TURN, HOW THE
DILEMMA WILL IMPACT THE IT FIELD
There aren’t laws currently on the books that specifically protect against or prosecute offenders of cloud computing wrongdoings. “Amazon EC2 [Amazon EC2 is a cloud-based host on which users can run virtual PCs or servers for almost anything, from running a business to illegal activity], for example, has been used to carry out numerous attacks and password-cracking endeavors. Reed believes that the legislation would empower service providers to take certain actions (presumably civil) in such situations.” “Reed said the legislation aims to address two important issues: appropriate criminal penalties for cyberhacking of cloud services and providing legal clarity around transnational data storage and computing.” (Harris, 2011) This legislation is currently in draft and it’s one of the first to address international issues and the theft and use of computers/servers in illegal ways. Unfortunately, as of the date of this paper, the draft has not been presented to Congress.
One interesting fact is that President Obama endorsed this technology in his 2010 budget for the purpose of moving the federal government to the cloud. Over the last 8-12 months and into the future, most federal agencies are moving their computing to the cloud to save money. Companies like Microsoft are looking for these very profitable contracts to host the cloud for data storage and computing (servers that run “virtual PCs”, where all computing is done at the server). Currently there aren’t dedicated laws that protect data and the processing of data at cloud computing companies in the US. If there are wrongdoings, current laws will have to do the job of prosecuting and protecting the public and corporations. Because of the European Union (EU) partner countries, there has been some movement in the laws to protect data in the cloud, and the US might have some claim to it, since our laws are as tight or tighter than the EU’s, but this paper is looking at US law, not EU laws.
Examination of how the legislation and case law
Here in the US the laws surrounding cloud computing have severely lagged behind the EU. We do have several laws that protect certain parts of your online life, but as you read about the Fourth Amendment, you are not as protected as you should be in the cloud. If the data were located on your personal computer, the Fourth Amendment would easily protect your information against search and seizure without a warrant, but not in cyberspace. There are also no laws that protect your data or rights if it happens to be stored in a different country. What is interesting is that the government can monitor and capture the network packet header information (the header has all of the information about where the packet has come from and where its final destination is); the rest of the packet is the information that you are sending via email or IM, etc. The Supreme Court stated that it doesn’t violate the Fourth Amendment to look at the outside of a letter; you just can’t open it, just like an electronic packet. “On January 20, 2010, Microsoft, through its Senior Vice President and General Counsel Brad Smith, announced a legislative and industry initiative it called the Cloud Computing Advancement Act. The proposal contains two main legislative thrusts: (1) modification of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act (ECPA) to strengthen privacy protection, and (2) enhancement to the Computer Fraud and Abuse Act of 1986 (CFAA) to deter malicious hacking.” (Martin, 2011) There are other companies and consortiums that are trying to strengthen the laws in regards to cloud computing, but I fear that we are still far away from having laws that protect our data and data processing in the cloud as we have in our personal/corporate computing space.
Formulate conclusions about the future of security practices and criminal liability in
information sharing
The future of cloud computing is wide open, and with it the laws and acts that help protect this infrastructure will certainly strengthen. As I have said in the past, the laws always come after the crimes. There have been too many hackers, crackers, and others who have broken into computer systems and have stolen information worth millions of dollars. By strengthening laws like the CFAA, HIPAA, and FCRA/FACTA we could work to secure our infrastructure, data and processing systems, but at this time there aren’t indications that this will happen. I feel that there hasn’t been a large enough outcry from the public to quickly modify these bills. Others, like the Microsoft Cloud Computing Advancement Act, look to directly strengthen cloud computing systems. This proposed act looks to be one of the most comprehensive and forward-looking documents yet.
THE IMPORTANCE OF USING INFORMATION LEGALLY AND ETHICALLY IN THESE AREAS, BASED ON THE ESTABLISHED LEGAL AND ETHICAL VALUES IN IT
There is no more important choice to make than to choose to be ethical and do your best to not
break laws; unfortunately, this happens all the time. This pertains to cloud computing as well. As
I have said before, due to the cloud being relatively new, there aren’t dedicated laws that protect
the Cloud company, your data, or any other processing and information. There are currently
laws and acts that prosecute the acts of an intrusion, like hacking, phishing, etc. but the laws are
not enforceable outside of the US.
It is also not ethical for a cloud host company to monitor or look at the data that is on its servers and storage arrays. All companies create standards and codes of conduct that guide their business models and interactions with their customers. The ethical way in which companies conduct their business is reflected in how they follow the laws of the country that they belong to or do business in. “Mason identified four areas of critical concern for managers. They include privacy, accuracy, property, and accessibility and are frequently referred to by the acronym PAPA”. (Pollack & Hartzel, 2006) In cloud computing, the same ethics and laws affect the company’s business. Businesses that follow the laws do so because they are ethical. You really can’t be an effective person or company if your ethics aren’t pointed in the right direction, and without good ethical behavior how can you truly follow the law?
THE IMPACT OF ORGANIZING IT IN AN ETHICAL AND LEGAL MANNER TO ENSURE REGULATORY COMPLIANCE IN CURRENT AND FUTURE IT PRACTICES
Whenever a business organizes any department there are a number of legal and ethical choices that must be made, and one of the most influential departments is the IT department. Since IT has its hands in just about everything a company does, it is critical that standards (ethical and legal, among others) are created first. It is the responsibility of the leaders to set the tone. If you have strong leaders, then ethical and legal behavior will be upheld to the highest standards. If you have leaders that are not as strong, then you would certainly not have the same standards, and laws and/or ethics would be broken more easily.
Some of the direct reporting departments would include legal, networking, training, desktop, compliance, and others. It is leadership that is needed to create a successful department.
To ensure regulatory compliance now and in the future, you again need a strategic leadership team that leads by design. Then you have the employees. Most IT employees do not know the law, and some might not be as ethical as others. Through training, commitment, and documentation, the employees would have the understanding, the information, and the right moral compass to make the right decisions, based on their knowledge and on the ethical/legal behavior of the company.
REFERENCES
Pollack, T. A., & Hartzel, K. S. (2006). Ethical and Legal Issues for the Information Systems Professional. ASCUE Conference, 172-179.
Binning, D. (2009, April 24). Top five cloud computing security issues. Retrieved from Computer Weekly: http://www.computerweekly.com/news/2240089111/Top-five-cloud-computing-security-issues
Eecke, P. V. (2012, September 2). Cloud Computing Legal Issues. Retrieved from isaca.org: http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/DLA_Cloud%20computing%20legal%20issues.pdf
Harris, D. (2011, July 16). Cloud legislation takes center stage on Capitol Hill. Retrieved from gigaom.com: http://gigaom.com/cloud/cloud-legislation-takes-center-stage-on-capitol-hill/
Martin, T. D. (2011, May). Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security, and Property in Cloud Computing. Retrieved from Bepress.com: http://works.bepress.com/timothy_martin/3/
Moor, J. H. (2006, September). Why We Need Better Ethics for Emerging Technologies. Retrieved from commonsenseatheism.com: http://commonsenseatheism.com/wp-content/uploads/2011/03/Moor-Why-We-Need-Better-Ethics-for-Emerging-Technologies.pdf
Newton, J. (n.d.). The Ethics and Security of Cloud Computing. Retrieved August 5, 2012, from goclio.com: http://www.goclio.com/resources/white_papers/Security%20Ethics%20of%20Cloud%20Computing.pdf
Serwin, A. (2011, September 12). Compliance Best Practices in Information Security: An Analysis of Privacy by Design. Retrieved from Corporate Compliance Insights: http://www.corporatecomplianceinsights.com/compliance-best-practices-in-information-security-an-analysis-of-privacy-by-design/
Sexton, T. (2007, February 9). Ethics in the Field of Information Technology. Retrieved from voices.yahoo.com: http://voices.yahoo.com/ethics-field-information-technology-191336.html
Somaini, J. (2011, May 22). My Review of White House Cybersecurity Strategy and Legislative Proposal. Retrieved from somaini.net: http://www.somaini.net/justins-journal/2011/5/22/my-review-of-white-house-cybersecurity-strategy-and-legislat.html