CIS Ethics - SEAS - University of Pennsylvania

Information Security at the
University of Pennsylvania:
Practical Applications and Experience with Information Ethics
CIS 401 Senior Design Course
Joshua Beeman
University Information Security Officer
February 23, 2012
• UPenn InfoSec - Who we are and what we do
• Computer Ethics – Context and History
• Ethics in practice – Examples from UPenn
Policy & Incidents
Workplace issues
Intellectual Property and Copyright
Professional Codes of Conduct
Office of Information Security
Jim Choate (Executive Director, ISC/AIT)
Joshua Beeman (University Information Security Officer)
Senior Information Security Specialists:
John Lupton
Melissa Muth
Dana Taylor
Contact [email protected] and reach all of us!
Office of Information Security
Information Security’s core mission is to develop
strategies and practices that protect Penn’s
confidential and sensitive information assets.
Information Security Services
Information Securityrelated projects and
Security consultation,
awareness & training
Development of policy
Reporting on events and
Risk assessment, risk
management, threat
monitoring, and related
Incident handling,
response, investigation
and notification
Point of contact and
Brief Video…
Why it’s relevant
• Facemash - Zuckerberg was
charged by the
administration with breach
of security, violating
copyrights, and violating
individual privacy.
• Later used in an Art History
class as a “social study tool”.
Image from:
Ethics Defined
The rules of conduct recognized in certain associations or
departments of human life. - (O.E.D.)
More simply: the distinction between right and wrong in a given
Computer Ethics – History & Key Themes
• Norbert Wiener:
• Originator of cybernetics – the structure of regulatory
systems - which he saw as having profound ethical
implications when applied to technology
• Metaphysical concepts around information
• Walter Maner
• Developed "Starter Kit" for Teaching Computer Ethics (1978)
• Defined topics, including: Privacy and Confidentiality,
Computer Crime, Professional ethics, etc.
• Believed computers introduced *new* ethical challenges
• Deborah Johnson
• Saw computers highlighting pre-existing ethical problems in
interesting - but not *new* ways. Resulted in the
"uniqueness" debate.
Computer Ethics – History & Key Themes
• Deborah Johnson published "Computer Ethics" textbook (1985)
• James Moor article "What is Computer Ethics", which describes
"policy vacuums" and "conceptual muddles".
• Donald Gotterbarn emphasized codes of conduct for computing
professionals "Computer Ethics: Responsibility Regained (1991)
• Establishment of professional organizations code of conducts, as
well as programs and tools to assist with ethical behavior (ACM,
Universal/Key concepts:
• Technological impact on core human values, such as health,
happiness, abilities, knowledge, freedom, security, etc. (Wiener,
Moor, others)
• Context of cultural norms, practices, rules and laws that form
the basis for societal ethics (right and wrong).
Policy and the Relationship to Ethics
Policy documents what you can and cannot do.
Some key Penn resources:
• Electronic Privacy
• Guidelines on Open Expression
• What guides policy?
• Directly related to the mission of your organization
• Frequently the place where we identify “conceptual muddles”
• Strongly driven by human values (e.g., Wiener, Moor)
Workplace Issues
• Employment/Labor Cases
• University Employee unauthorized use of IT resources, unlawful
behavior, violation of terms of employment, etc.
• Faculty responsibility to be SME?
• Penn Cloud assessments
Intellectual Property and Copyright
• Copyright and IP issues
• Digital Millennium Copyright Act (DMCA)
• Professional misconduct (e.g.,
• Changing laws
• Context matters
• Different populations / different cultures
/ different ethical norms
• Copyright incidents
• Briton Chance website
1st violation
2nd violation
3rd violation
4th violation
Cyber Crime
• Penn Incidents & Examples
• Hacking & Malware
WebApp Backdoor
Zeus bot
Drive-by malware
Theft & cloud
• Hacktivism
Image courtesy of
• 2009 - climate research emails at East Anglia University
• 2010 – 2011 – Numerous hacktivitst attacks by Anonymous group
on both governments and private sector.
• Enabling in the name of teaching/demonstration
• Square debate
• Business of Penn – collecting information
about students, alumni, business partners,
• Regulations – PII, HIPAA, FERPA
• Cloud privacy concerns
• Social Media –
• UPenn MED grant
• Rutgers suicide
• Duke powerpoint
• Dr. Matt Blaze & Clipper Chip
• Other current events:
• FB lawsuit & Google Privacy Shift
• EPIC lawsuit
Professional Codes of Conduct
• Penn Institutional Review Board (IRB)
• Wikipedia research example
• Maner/Johnston uniqueness debate
• Note also: UPenn Social Media Guidance
• Ethical (“white hat”) hacking
• Gotterbarn in practice
The Ten Commandments of Computer Ethics:
Professional Codes of Conduct
Example from The Computer Ethics Institute
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you
have not paid.
7. Thou shalt not use other people's computer resources without
authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program
you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure
consideration and respect for your fellow humans.
• Collaboration
• Access Control and Shibboleth
• International Laws and Impact
• Wikileaks - Julian Assange
• IP and global economy
• Transcending Mission
• Arab Spring
• MIT open classroom & education gap
Some References & Resources
Computer and Information Ethics, Stanford Encyclopedia of Philosophy; Oct 23, 2008
University of Pennsylvania Policy on Acceptable Use of Electronic Resources:
University of Pennsylvania Policy on Privacy in the Electronic Environment:
University of Pennsylvania Guidelines on Open Expression:
Maner, W. (1980), Starter Kit in Computer Ethics, Hyde Park, NY: Helvetia Press and the National Information and
Resource Center for Teaching Philosophy.
Johnson, D. (1985), Computer Ethics, Third Edition Upper Saddle River, NJ: Prentice-Hall, 2001.
West, A.G., Hayati, P., Potdar, V., and Lee, I. (2012). Spamming for Science: Active Measurement in Web 2.0 Abuse
Research. In WECSR '12: Proceedings of the 3rd Workshop on Ethics in Computer Security Research, Kralendijk,
Dittrich, D., Bailey, M., Dietrich, S.: Building an active computer security ethics community. IEEE Security and
Privacy 9(4) (July/August 2011)
Peter Sunde (2012), Wired Magazine: “The Pirate Bay’s Peter Sunde: It’s Evolution, Stupid”, February 10, 2012
Tavernise, Sabrina, The New York Times, “Education Gap Grows Between Rich and Poor, Studies Say, February 9,
Verifone Consumer Alert: Card Skimming with Square, Uploaded by VeriFoneInc on Mar 9, 2011.
PÉREZ-PEÑA, Richard, The New York Times, "More Complex Picture Emerges in Rutgers Student’s Suicide, New
York Times, August 12, 2011.
Barber, C. Ryan, The Daily Tar Heel, "Yankaskas settles appeal, agrees to retire from UNC: Pay cut, demotion
rescinded in deal", April 18, 2011.
“Clipper Chip”, Wikipedia entry:

similar documents