Ethical and Legal Dilemma in IT

Ethical and Legal Dilemma in IT Howard Beny Ethical and Legal Considerations in Information Technology September 13, 2012 Corinne Dalelio

Ethical and Legal Dilemma in IT ABSTRACT There are many instances when people or companies have committed legal or ethical wrongs. It is up to the individual to have the moral compass to see the difference between right and wrong whether you are talking about ethics or legal issues. When talking about cloud computing, those same ethics and laws need to be held in many ways even higher, since people, companies, and governments have begun to utilize the cloud for storage and processing of information and data. Since now these people are trusting a third party to store and/or process your personal and confidential information, the cloud companies need to show how they would protect that information.

Ethical and Legal Dilemma in IT

Table of Contents
Abstract ........................................................................................................................................... 2 The ethical considerations in technology applications ................................................................... 4 The effect of the law on IT professionals and the profession ......................................................... 6 The impact of computer legislation and case law in the areas of privacy, security, and criminal liability in information sharing ....................................................................................................... 9 Compare privacy and security practices in IT ...........................................................................11 Legislation and case law related to security practices and criminal liability in information sharing ....................................................................................................................................... 12 How legislation and case law in these areas will (now and in the future) impact the dilemma you have chosen and in turn, how the dilemma will impact the IT field ............................................. 13 Examination of how the legislation and case law ..................................................................... 14 Formulate conclusions about the future of security practices and criminal liability in information sharing ................................................................................................................... 15 The importance of using information legally and ethically in these areas, based on the established legal and ethical values in IT ........................................................................................................ 16 The impact of organizing IT in an ethical and legal manner to ensure regulatory compliance in current and future IT practices ...................................................................................................... 16 References ..................................................................................................................................... 18

Ethical and Legal Dilemma in IT

THE ETHICAL CONSIDERATIONS IN TECHNOLOGY APPLICATIONS The ethical framework in Information Technology (IT) details the moral values and standard behaviors that tell us how to act. The ethical framework is used to make the right decision of a single person or company, a different person or company might make a different decision even with the same information. When it comes to IT and specifically to cloud computing the ethical behavior of companies is of utmost importance. Imagine that you placed all of your data with a company that rented cloud storage; sometime later there was a breach and data was stolen, your data. This data contained sensitive information about you and your family; you would lose trust and faith in this company. So, what must be done to protect the information that is entrusted to these companies from an ethical standpoint? It is the ethical framework that decisions are made from, that is what defines the ethics that are used by companies to make the right decision. The other side of the coin is the knowledge of the users. There are millions of people that are using the cloud, but what percentage of them understands the cloud and the probabilities that something will happen to their information. From a legal and medical point of view, there is a legal duty to protect the information of the clients and patients. In the context of a law firm, cloud computing raises concerns associated with entrusting a third party with confidential client data. (Newton, Unknown) It will be a partnership of the companys technology experts that, with their ethical behavior, make sure that the information is secure and accessible to only those with the proper access. When you talk about ethics you by default need to talk about the law and the consequences since the two are considerably interconnected. Over the last twenty or so years, computing power, acceptance, and new technologies has come

Ethical and Legal Dilemma in IT about that has changed the lives of almost everyone. These new technologies bring new ethical quandaries and much discussion. The fact that new technology is involved does not alter that.

But, because new technology allows us to perform activities in new ways, situations may arise in which we do not have adequate policies in place to guide us. We are confronted with policy vacuums. (Moor, 2006) Technologies have been developed that performs many good and bad things. There was a school bus monitor in New York State that was verbally abused by 4 middle schoolers. The benefit was that a technology application was used to help her and raised over $600,000 for her. The other side of the coin contains things that arent ethical like someone creating a virus or hacking into secured servers to retrieve information. These are some of the ethical and legal problems that the new technology has created, stealing without leaving your home. When we talk about the cloud technologies we encounter the very same ethical and legal issues. The companies that host these data centers are aware of these challenges of keeping the data that is entrusted to them safe, but Im not quite sure they are upholding the ethical side when it comes to helping their customers. There is a balance between costs and ensuring the customers store their information securely. If the data is in a secure physical location, is protected from hackers and the like, but the user is allowed to create a weak password that is easy to break, whose fault is it, ethically speaking? In the case of cloud computing the laws have gotten very muddy, because data that is housed in a U.S. based company on U.S. soil might have different laws than a company and data that is based in Japan. What jurisdiction would you go to when you have data from all over the world? In one instance, European concerns about US privacy laws led to creation of the US Safe Harbor Privacy Principles, which are intended to provide European companies with a degree of insulation from US laws. (Binning, 2009) The lack of legislation and regulation has not caused undue issues or loss of data, but it is inevitable that some type of legislation is yet to come, right

Ethical and Legal Dilemma in IT after a significant breach. There are currently laws to prosecute hackers, writers of viruses and others; these will have to do for the time being. The cloud computing environment is the new old west. Even though cloud computing has been around for a while, there has been little legislation to protect the data, and there probably will never be enough legislation, simply because of this little question: whose data is it and where does it physically sit? The companies

and data are global; you can be sitting at home today and tomorrow be half way around the world all the while having access to retrieve your music, files, and videos. Since there hasnt been a call to globally regulate these cloud computing providers, we rely on the ethical practices of the companies that host the servers and data centers to live by an ethical code. What we as individuals need to understand is that we need to manage our security, our passwords and understand where the data is stored. If your ethical framework is high you might not use the cloud or if you did, you might be very careful where you store your data as well as its security. The ethical framework that motivates us and the companies that service us must always strive for the highest level of security and protection.

THE EFFECT OF THE LAW ON IT PROFESSIONALS AND THE PROFESSION The laws that pertain to IT professionals and the profession impact the community in many ways. The laws that we need to follow are extensive and can be far reaching if not followed, especially after September 11, 2001. I have not been adversely impacted since the area of IT that I work in doesnt have many regulations, most come from the company that I have worked with, instead of laws or acts. There are many laws that relate to the IT field, the table below shows what they are and a brief summary.

Ethical and Legal Dilemma in IT

( Pollack & Hartzel, 2006) Most of these impact the IT professional in one way or another. Companies have used different training programs to inform the IT professional so they are aware of what they need to do and the consequences of not acting in a law abiding way. For the IT profession, these laws and acts have added a number of layers to organizations to either comply and/or to verify compliance, which in turn increases costs, manpower, and certain paradigm changes to make sure all the holes are covered. There are numerous laws that affect the information technology arena from laws that regulate access to data and copyright to discrimination and libel. Take for instance SOX. SOX mainly targets accounting, financial reporting, and accurate reporting. Because all of the functions of accounting, reporting, and other financial information is kept on computers and servers, it in turn is the responsibility of the information technology(IT) department and management to make sure

Ethical and Legal Dilemma in IT all the systems are secure, operating, and accurate otherwise fines and other monetary penalties could be enforced by the federal government. The Patriot Act has again added a new layer of complexity to the IT department. Because of this bill, a new position was required to be created in companies, the compliance office. It is the duty of the compliance officer to verify that the company has met all the requirements and mandates of the Patriot Act. Because of the Patriot Act companies were forced to look at their IT security as well. The Computer Trespasser is a person or entity that accesses computer systems without authority. The Patriot Act allows law enforcement to monitor, intercept and prosecute those found guilty of this crime, in certain circumstances. Section 105 gives the Secret Service the power to investigate computer/cybercrimes, including cellphone cloning and denial of service attacks. The Patriot Act also made sweeping changes to many other acts and laws. One of the acts is the Computer Fraud and Abuse Act (CFAA).

(Eecke, 2012) The above chart shows how slowly the EU has enacted laws compared to the growth of the internet technologies. In cloud computing, Microsoft has penned an act called the Cloud Computing Advancement Act.

Ethical and Legal Dilemma in IT This act, which has not passed congress yet, increases the security and privacy rules in cloud computing to protect companies and the public that currently uses cloud computing resources. This act would also bring Fourth Amendment rights to the cloud, protecting information from undue searches and seizures. The Federal Trade Commission (FTC) has been in the forefront of cloud computing, advocating privacy and security needs and better enforcement, but it currently does not have the authority to do so. HIPAA regulates that any data transmission and cloud storage be encrypted and customized business associates (BA) agreements. These BA agreements safeguard the data that is being transmitted between the healthcare provider and the third party cloud storage company. The regulations and agreements that need to be enacted as well as stronger laws to protect all of the data stored and processed by cloud computing companies is needed. Cloud computing covers everything from server based emails to remote computing and everything in between and there have been breaches. Googles Gmail was breached and user names were released; credit card servicers have been targeted releasing hundreds of thousands of credit card numbers into the wild. There have been prosecutions, but many of these breaches (hackers) have been done

from outside of the US prosecutors reach. So how do we combat these breaches? I feel stronger laws, international relationships, and accountability are some of the best ways to counteract these crimes, but as technologies get better other breaches will occur.

THE IMPACT OF COMPUTER LEGISLATION AND CASE LAW IN THE AREAS OF PRIVACY, SECURITY, AND CRIMINAL LIABILITY IN INFORMATION SHARING Over the last 20 years or so Information Technology (IT) has taken our world and flipped it upside down. IT has done this by the internet, new technologies, mobile technologies, and other forms of technology. What once took hours, days, or weeks now can take as little as a few

Ethical and Legal Dilemma in IT seconds. Just go search Google and in the top right hand side of the page it will tell you how

10

long and how many results were found. So when we talk about the legal and ethical values in IT, we need to start out seeing how the world has changed and what these new technologies can and do bring us. For instance, its legal to purchase a game on line, but its not legal to download that same game without paying for it, and furthermore its not ethical. The big difference is, it is much easier to use technologies that are web based instead of stealing from a brick and mortar store. Just think of all the times programs, music, videos have been downloaded illegally. Has it become the norm because everyone else does it? I think that depends on your ethics, which in turn guides your values and decisions. Because of IT and the assurances that companies give us that our information is safe, we tend to believe the experts, but there have been times that this isnt true. There have been many breakins that have affected servers and data/ information that has been stolen and/or placed on the internet for all to see. There are ethical and legal responsibilities that the company must do to protect our information. Ultimately, if the industry doesnt regulate itself then, I feel it will be the government that will have to pass laws to protect our information. Its the companys responsibility to protect our information to its best ability, and most of the time the break-ins occur due to the company not patching or in negligent acts that easily allows hackers the ability to extract the information. There is widespread acceptance of unethical practices in the information technology field due in part to the fact that data is often an abstraction. The very same unethical practices that would never be allowed when the abuser is holding his prize in his hand is too often overlooked when there is no physical evidence of wrongdoing. (Sexton, 2007) Sextons story is only too true. Most people wouldnt walk into a store like Target and steal a CD or DVD, but with Peer to Peer services on the internet people that wouldnt steal from a brick and mortar store steal all the time.

Ethical and Legal Dilemma in IT Compare privacy and security practices in IT Before we can compare privacy and security, lets define them. Privacy, as defined by Dictionary.com is the state of being free from intrusion or disturbance in one's private life or

11

affairs. Security, as defined by Merriam-Webster.com is the measures taken to guard against espionage or sabotage, crime, attack, or escape (2): an organization or department whose task is security. In many ways privacy and security are very similar. In both you have something that you dont want others to know or have. Another way to explain the similarities is security protects privacy and privacy protects security; same coin different side. Privacy in IT is centered on the companys ability to keep your information safe/secure, to not monitor your movements, and to preserve the identities of the person or company doing business. There are so many ways that IT can let down their customers by not protecting the privacy they have entrusted with us, and there are so many ways that we can protect the privacy of our customers. The laws to protect privacy have not developed as technology has developed and has not supported our First and Fourth Amendments (basically, the First Amendment protects free speech and the Fourth protects us from undo search and seizures). There have been some strides to protect the privacy of personal and corporate information from law enforcement authorities, but they arent enough. The Do Not Track Me Online Act of 2011 orders the Federal Trade Commission to work toward stopping the collection of personal information while on the internet, unless this information is given (like providing a credit card for a purchase). More and more companies are beginning to be more proactive in stopping security and privacy breaches. There is a framework that tries to give companies the steps and information to be proactive in protecting personal information; Privacy by Design is the proactive framework that companies are using to deter breaches. There are seven foundational principles of Privacy by Design that

Ethical and Legal Dilemma in IT help companies integrate privacy into all facets of its business. These seven principles are: 1. Proactive, not reactive; preventative, not remedial; 2. Privacy as the default; 3. Privacy embedded into design; 4. Full functionality positive-sum, not zero-sum; 5. End-to-end lifecycle protection; 6. Visibility and transparency; and 7. Respect to user privacy (Serwin, 2011) By utilizing these principals companies from the outset look at privacy differently. It becomes

12

an essential component of the IT strategy and integrated into business and IT models. This also revolves around the ethical and legal responsibilities that businesses have to protect the privacy of their clients and to create a secure environment to store information from unauthorized intrusions. Legislation and case law related to security practices and criminal liability in information sharing Information sharing is the illegal access and dissemination of confidential and private information. This usually takes the form of internet hacking, phishing, and other forms of gathering information. The past five years alone have resulted in an astronomical amount of data loss and crime. We must look at these attacks differently as not all attacks are the same. I, as well as a good amount of others, break these attacks into a couple of categories. We have E-crime, Cyber Espionage, Cyber War and E-vandalism. (Somaini, 2011) The Computer Fraud and Abuse Act was enacted to punish those who hacked or cracked into computers. The problem is the law protects Federal, financial computers and computers supporting interstate and

Ethical and Legal Dilemma in IT

13

foreign commerce only; it doesnt protect any computer/server system that doesnt work with the above criteria. There have been several criminals punished under this act including; Sergey Aleynikov, Neil Scott Kramer, and Peter Alfred-Adekeye to name just a few. Other laws and acts that have been enacted to protect the security of information include: The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Fair Credit Reporting Act/ Fair and Accurate Credit Transactions Act of 2003 (FCRA/FACTA), and Sarbanes-Oxley (SOX). HIPAA is designed to protect a persons health information and the security rule is for businesses and how they need to protect a persons information and the enforcement and penalties for noncompliance. The FCRA provides protection in fair credit reporting is true and accurate; the FACTA adds protections related to identity theft, consumer protections, and criminal prosecution. SOX was enacted to make banks and other financial institutions responsible for their transactions, reduce money laundering, and increase compliance.

HOW LEGISLATION AND CASE LAW IN THESE AREAS WILL (NOW AND IN THE FUTURE) IMPACT THE DILEMMA YOU HAVE CHOSEN AND IN TURN, HOW THE DILEMMA WILL IMPACT THE IT FIELD There arent laws currently on the books that specifically protect or prosecute offenders of cloud computing wrongdoings. Amazon EC2(Amazon EC2 is a cloud based host that users can use virtual PCs or servers for all most anything, from running a business to illegal activity), for example, has been used to carry out numerous attacks and password-cracking endeavors. Reed believes that the legislation would empower service providers to take certain actions (presumably civil) in such situations. Reed said the legislation aims to address two important issues: appropriate criminal penalties for cyberhacking of cloud services and providing legal clarity around transnational data storage and computing. (Harris, 2011) This legislation is currently in

Ethical and Legal Dilemma in IT draft and its one of the first to address international issues and the theft and use of computers/servers in illegal ways. Unfortunately, the draft has not been presented to the congress and as of the date of this paper.

14

One interesting fact is that President Obama endorsed this technology in his 2010 budget for the purpose of moving the Federal government to the cloud. Over the last 8-12 months and into the future, most federal agencies are moving their computing to the cloud to save money. Companies like Microsoft are looking for these very profitable contracts to host the cloud for data storage and computing (servers that run virtual PCs, all computing is done at the server). Currently there arent dedicated laws that protect the data and processing of data at cloud computing companies in the US. If there are wrong doings, current laws will have to do the job of prosecuting and protecting the public and corporations. Because of the European Union (EU) partner countries, there has been some movement in the laws to protect data in the cloud, and the US might have some claim to it, since our laws are as tight or tighter than the EUs, but this paper is looking at US law, not EU laws. Examination of how the legislation and case law Here in the US the laws surrounding cloud computing have severely lagged behind the EU. We do have several laws that protect certain parts of your online life, but as you read about the Fourth Amendment, you are not as protected as you should be in the cloud. If the data was located on your personal computer, the Fourth Amendment would easily protect your information against search and seizure without a warrant, but not in cyberspace. There are also no laws that protect your data or rights if it happens to be stored in a different country. What is interesting is that the government can monitor and capture the network packet header information (the header has all of the information about where the packet has come from and where its final location is); the packet is the information that you are sending via email or IM,

Ethical and Legal Dilemma in IT etc. The Supreme Court stated that it doesnt violate the Fourth Amendment to look at the outside of a letter; you just cant open it, just like an electronic packet. On January 20, 2010, Microsoft, through its Senior Vice President and General Counsel Brad Smith, announced a

15

legislative and industry initiative it called the Cloud Computing Advancement Act. The proposal contains two main legislative thrusts: (1) modification of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act (ECPA) to strengthen privacy protection, and (2) enhancement to the Computer Fraud and Abuse Act of 1986 (CFAA) to deter malicious hacking. (Martin, 2011) There are other companies and consortiums that are trying to strengthen the laws in regards to cloud computing, but I fear that we are still far away from having laws that protect our data and data processing in the cloud as we do have in our personal/corporate computing space. Formulate conclusions about the future of security practices and criminal liability in information sharing The future of cloud computing is wide open, and with it the laws and acts that help protect this infrastructure will certainly strengthen. As I have said in the past the laws always come after the crimes. There have been too many hackers, crackers, and others that have broken into computer systems and have stolen information worth millions of dollars. By strengthening laws like the CFAA, HIPAA, and FCRA/FACTA we could work to secure our infrastructure, data and processing systems, but at this time there arent indications that this will happen. I feel that there hasnt been a large enough outcry from the public to quickly modify these bills. Others like the Microsoft Cloud Computing Advancement Act looks to directly strengthen the cloud computing systems. This proposed act looks to be one of the most comprehensive and forward looking documents yet.

Ethical and Legal Dilemma in IT

16

THE IMPORTANCE OF USING INFORMATION LEGALLY AND ETHICALLY IN THESE AREAS, BASED ON THE ESTABLISHED LEGAL AND ETHICAL VALUES IN IT There is no more important choice to make than to choose to be ethical and do your best to not break laws; unfortunately, this happens all the time. This pertains to cloud computing as well. As I have said before, due to the cloud being relatively new, there arent dedicated laws that protect the Cloud company, your data, or any other processing and information. There are currently laws and acts that prosecute the acts of an intrusion, like hacking, phishing, etc. but the laws are not enforceable outside of the US. It is also not ethical for a cloud host company to monitor or look at the data that is on their servers and storage arrays. All companies create standards and codes of conducts that guide their business models and interactions with their customers. The ethical way in which companies conduct their business reflects in how they follow the laws of the country that they belong to or do business in. Mason identified four areas of critical concern for managers. They include privacy, accuracy, property, and accessibility and are frequently referred to by the acronym PAPA. ( Pollack & Hartzel, 2006) In cloud computing, the same ethics and laws affects the companys business. Businesses that follow the laws do so because they are ethical. You really cant be an effective person or company if your ethics arent in the right direction, and without a good ethical behavior how can you truly follow the law.

THE IMPACT OF ORGANIZING IT IN AN ETHICAL AND LEGAL MANNER TO ENSURE REGULATORY COMPLIANCE IN CURRENT AND FUTURE IT PRACTICES Whenever a business organizes any department there are a number of legal and ethical choices that must be made and one of the most influential departments is the IT department. Since IT has their hands in just about everything a company does it is critical that standards (ethical and legal, among others) are created first. It is the responsibility of the leaders to set the tone. If you

Ethical and Legal Dilemma in IT have strong leaders, then ethical and legal behavior will be upheld to its highest standards. If

17

you have leaders that are not as strong, then you would certainly not have the same standards and laws and/or ethics would be broken easier. Some of the direct reporting departments would include legal, networking, training, desktop, compliance, and others. It is leadership that is needed to create a successful department. To ensure regulatory compliance now and in the future you again need a strategic leadership team that leads by design. Then you have the employees. Most IT employees do not know the law and some might not be as ethical as others. Through training, commitment to and documentation the employees would have an understanding, the information, and the right moral compass to make the right decisions, based on their knowledge and the ethical/legal behavior of the company.

Ethical and Legal Dilemma in IT

18

REFERENCES Pollack, T. A., & Hartzel, K. S. (2006). Ethical and Legal Issues for the Information Systems Professional. ASCUE Conference, 172-179. Binning, D. (2009, April 24). Top five cloud computing security issues. Retrieved from Computer weekly: http://www.computerweekly.com/news/2240089111/Top-five-cloud-computingsecurity-issues Eecke, P. V. (2012, September 2). Cloud Computing Legal Issues. Retrieved from isaca.org: http://www.isaca.org/Groups/Professional-English/cloudcomputing/GroupDocuments/DLA_Cloud%20computing%20legal%20issues.pdf Harris, D. (2011, July 16). cloud legislation takes center stage on capitol hill. Retrieved from gigaom.com: http://gigaom.com/cloud/cloud-legislation-takes-center-stage-on-capitolhill/ Martin, T. D. (2011, May). Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security, and Property in Cloud Computing. Retrieved from Bepress.com: http://works.bepress.com/timothy_martin/3/ Moor, J. H. (2006, September). Why We Need Better Ethics for Emerging Technologies. Retrieved from commonsenseatheism.com: http://commonsenseatheism.com/wpcontent/uploads/2011/03/Moor-Why-We-Need-Better-Ethics-for-EmergingTechnologies.pdf Newton, J. (Unknown, Unknown Unknown). The Ethics and Security of Cloud Computing. Retrieved August 5, 2012, from goclio.com: http://www.goclio.com/resources/white_papers/Security%20Ethics%20of%20Cloud%20 Computing.pdf Serwin, A. (2011, September 12). Compliance Best Practices in Information Security: An Analysis of Privacy by Design. Retrieved from corporate compliance insights: http://www.corporatecomplianceinsights.com/compliance-best-practices-in-informationsecurity-an-analysis-of-privacy-by-design/ Sexton, T. (2007, Feburary 9). Ethics in the Field of Information Technology. Retrieved from voices.yahoo.com: http://voices.yahoo.com/ethics-field-information-technology191336.html Somaini, J. (2011, May 22). My Review of White House Cybersecurity Strategy and Legislative Proposal . Retrieved from somaini.net: http://www.somaini.net/justinsjournal/2011/5/22/my-review-of-white-house-cybersecurity-strategy-and-legislat.html