Security Research/Concepts, Issues and Resources: Structuring Ethical Curricula in the Information Age
By Sarah Gordon
This paper was first prepared for the 1995 IFIP Technical Committee 11 Working Group 11.8 Workshop on xxxx, held in Capetown South Africa, May xxxx, 1995.
© 1995 Indiana University Department of Math and Computer Science. This document may not be reproduced in whole or in part, stored on any electronic information system, or otherwise be made available without prior express written consent of the author and copyright holder.
According to experts in the field of Information Technology, one of the most pressing need facing students in computer related fields is a lack of understanding of the social and ethical implications of computerization. In "Integrated Social Impact and Ethical Issues Across the Computer Science Curriculum" [Holz, Martin 92] we read:
This paper will address what is often said to be the most serious problem there is in implementing the sort of approach suggested by Holz and Martin:
We will identify some major ethical issues as they relate to computer based interactions, and provide a compact guide which educators can use to guide them in quickly obtaining materials needed for a more thorough exploration of these issues.
One of the first things we must recognize is the lack of familiarity students may have with some terms we may take for granted; even people in computing sciences may be unfamiliar with some of the terminology used in discussion of the ethical issues relating to technology. While they may have familiarity with the technology and with ethics, they have not been exposed to many of technological implementations which help create ethical conflicts. Additionally, since the computing sciences are so new, it is possible that students and educators are not sufficiently aware of the end-result of some computer based interactions. In some cases, people may be using different terminology or analogies which may not be be conducive to a thorough discussion and understanding of the topics at hand. For this reason, a beginning course in social and ethical implications of technology must define terms - even those which may appear obvious. Some suggested terms are: e-mail, Internet, software, privacy, property, virus, world wide web, html, virus, copyright, shareware, IRC, ftp. These terms are used frequently in discussion of ethics and technology; however, some of the terms (privacy, property) are subject to interpretation. Others, (html, www, ftp), are not as widely known. The instructor may wish to let students list terms they are familiar with, to build a list of key words for future classes.
Once there are some definitions, (and in some cases, a decision that there are no adequate definitions that are generically applicable), traditional ethical terms and concepts can offer a solid base for exploration of modern technology. A discussion of Duty and Rights is a good place to start. Such a discussion can refresh the concepts of duty and rights; the instructor may wish to present in concise form a overview of "ethics" including deontology, utilitarianism, aristotlean and other ethical models of choice. From this point, issues related to duty and rights become clear as we explore some of the new concepts.
Traditionally ethics are viewed as how we behave in our interaction with other people, or in our behaviours which affect people. There are some basic rules:
These rules are, of course, based on principles, which are in turn based on ethical theories of the varying types discussed above. The premise of these theories and their applications appear to be how we relate to other people and how our actions affect others as well as ourselves. The introduction of computing technology introduces an "interface". This interface is, of course, the computer. When we communicate electronically, we can forget there are people involved. This becomes more likely when we spend a lot of time in computing environments, away from other human beings. These computing environments are called "cyberspace" by some. In these environments, depersonalization and desensitization can and do occur. This depersonalization effect can manifest itself in various ways, from withdrawal from "real life", to abberant social behaviours. However, it is important to remember that what we may consider "wrong" may be considered "right" in the cyberspace environment, or it may even be considered a "non-issue". What sorts of behaviours and concepts exist in this environment? We will examine those which exist, and attempt to define some of the issues which we must address if we are to overcome our ambivalence on standards for judging the ethical status of a given situation.
Concept: Hacking Issues: Damage, Ownership, Breaking in
The first concept we will examine is "hacking". Much formal written work has been done on hacking. There are books available at most libraries which tell the stories of hackers breaking into computers, and of the subsequent chases by law enforcement. Some even discuss the successful arrest and prosecution of these 'bad guys'. [Sterling, 1992] [Stoll, 1989] However, there are people who question the validity of some of the more conservative views toward computer hacking. Some serious issues need to be raised in a discussion of hacking. Denning [Denning, 1991] discusses the curiousity, peer pressure and thrill that contribute to some hackers motivations. When we examine the psycho-socio makeup of any group of young people, we find this is not at all an abnormal set of motivations. We hear from many persons called hackers that damage is wrong. This is not so far from our own perception of what is wrong. We would all agree that damage is generally wrong. This is a generic social principle.
"Leave only footprints, take only memories" is one slogan some members of the hacking community adhere to. "We don't hurt anyone" is a common claim of hackers. These claims lead us to some issues, such as what is hurting? What is damage? Is reading your electronic files "damaging" you? What is the importance of intent and motivation? Do people have a right to "equal access" as many hackers claim? What part do freedom and creativity, espoused by many hackers, play in the general development of computing technologies? Is creating new accounts damage? Is reading a password file damage, and if so, what kind of damage is it? Damage to who? Is exploring a system damage? Is it true that we would not be as technologicially advanced today if not for hackers?
What constitutes breaking into a a system? If a system is on the Internet and it is left "open", is it breaking in if you log in without specific authorization?
If you can log in as guest, are you breaking in if you do?
If you are not specifically invited to access a system, are you breaking in if you access that system? What are the responsibilities of the adminstrators of systems? Is it helping administrators to break into systems and tell them how you did it? How should we define and assess penalties for electronic crimes. What -are- electronic crimes? What -is- damage? Who defines it? We come full circle.
There are many resources for information on hacking. Usenet newsgroups, mailing lists, ftp sites, magazines, and IRC all offer a way to gain insights into the hacking culture.
Concept: Ownership Issues: Who owns data about you? Should software be free? Who owns the Internet?
Some of the questions we ask about hacking seem to be based on our lack of true understanding and definition of various forms of ownership; of systems and of the Internet in general. Classical definitions of IP aside, there appears to be in our computing community some dissension as to who actually owns (or who SHOULD own) "things" on the Internet. The Internet itself is not owned by anyone, although small parts of it seem to be getting swallowed up by commercial interests. There are people who feel that software itself should be free. Reasons such as the encouragement of social cohesiveness and enhanced development capability are usually cited by those taking this position. [Stallman] SPA (The Software Publishers Association) and other business oriented groups work to combat software piracy (which would not exist if software were free). [SPA] Piracy is rampant, depriving developers of huge revenues. Why do people feel it justifiable to copy software and use it without paying for it? These issues are worth discussion. Do people have a right to try software first? Do developers have a duty to let them? What about the argument that without copyright, there is little (if any) incentive for innovation?
People and organizations
Concept: Privacy Issues: Who should be able to read your mail? Who owns information about you?
"Who owns what" also applies to concepts like E-Mail. Based on our traditional concepts of mail, we consider electronic mail to be private; however this is not necessarily the case.
It is not only trivial to read someone's mail, but many companies do it as a matter of routine. There are other questions we must consider when we move from paper mail into electronic mail. Who owns your electronic mail? Do companies have the right to read it? Does your service provider have the right to read it? Do they have a duty to inform you if this is their practice? Can a University rightfully decide what is an appropriate topic for you to discuss in public forum or e-mail? These issues are complex.
There are others. Privacy and ownership of information are not only up for discussion in broad generic philosophical terms, but in real life impacting terms. Information on you is collected routinely. Who owns this information? Some of the types of information include your health records, driving records, neighbors, employment history. What ethical conflicts arise in the gathering and accessibility of this kind of information? Is a computer a good place to store this information? What, if any, safeguards should be required? What can you do to protect your privacy? What is the governments role in providing privacy. Is there a right to privacy in cyberspace? To answer some of these questions, we must first initiate informed discussions. We can make use of the same technology that helps form the questions by accessing information available via:
These are places to go for information on privacy, and the other concepts that go along with it: anonymity and cryptography.
Concept: Anonymity Issues: Does anonymity change behaviour? Is anonymity ever justified? What are your rights in electronic transactions?
Anonymity in life (specifically, in non-computer based) has been shown to change behaviours. In experiments throughout history, people have been shown to be less responsible in a group situation or where their indentity is not known. Computers can encourage and facilitate anonymity, and multiple or fake (not necessarily fradulent) identities. What sorts of ethical issues arise due to this process? Do you have the right to know who you are talking to? Do you have the right to hide who you are? Anonymous mailers and anonymous remailers add more depth to the discussion. It is possible to be totally anonymous on the internet, although total anonymity requires some effort. In what situations is anonymity justified, if it is ever justified at all? What are the affects of anonymity on electronic communications?
Anonymity Information Resources
Concept: Cryptography Issues: Who owns the code?
Privacy, some say, can only be ensured by cryptography. Some people say strong cryptography is needed to ensure the government cannot read private individual communications. Some cryptographic products are on the lists of things that cannot be exported, and are seen as 'weapons'. What are the issues surrounding cryptography and who are the cypherpunks? What is PGP? What is PEM? This information is available from various electronic sources:
Concept: Viruses Issues: Do you have a "right" to pass out viruses? Do you have a "duty" not to? Are computer viruses artificial life?
Viruses are another new concept in computing. The debate surrounding them seems to center around several issues: is virus writing a right? should virus distribution be made illegal. These questions are usually met with a variety of arguments from both sides, ranging from "Viruses are constitutionally protected" to "Viruses are Artificial Life" research. Neither of these has been proven and the debate goes on. You can get information about the debate and viruses from:
There are various mailing lists and newsgroups dealing with the topic: comp.virus, alt.comp.virus are two of the more used ones. FTP sites with information about viruses include ftp.informatik.uni-hamburg.de (login anonymous, username as password), and ftp.datafellows.com.
Other sites which are easily accessible via the Internet contain live viruses and viral source code. It is the opinion of this author that such distribution of viruses constitutes irresponsible action on the part of the account owner and should be discouraged. However, it is not illegal in some countries to make this information available, so discouraging will probably take the form of peer and societal pressures.
More Anti-Virus Resources
The resources provided by this paper can provide instructors and students with information sufficient to begin a discussion on ethical issues related to computing. This list of resources is, however, by no means exhaustive. It is our hope that by encouraging the student to explore these issues, we are at the same time encouraging an evolution in the computing community's approach to these dilemmas.
Please note: The resources listed in this document are subject to change. Due to the nature of the Internet, there is no guarantee that any or all of these sites will be operational at any time. Newsgroups are formed and abandoned. However, all of the sites and newsgroups mentioned in this paper were operational when this paper was drafted. Should you find any of these sites are no longer operational, or any of the newsgroups no longer exist, please do not panic. This is the nature of the Internet.
© 1995 Sarah Gordon. This document may not be reproduced in whole or in part, stored in any electronic information system, or otherwise made available without specific prior express written permission of the author. All rights reserved.
Sarah Gordon's work in various areas of IT Security can be found profiled in various publications including the New York Times, Computer Security Journal and Virus Bulletin. She is a frequent speaker at such diverse conferences as those sponsored by NSA/NIST/NCSC and DEFCON. Recently appointed to the Wildlist Board of Directors, she is actively involved in the development of anti-virus software test criteria and methods. She may be reached as [email protected]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .