Computer Security Ethics and Privacy Dr. Mehrdad Aliasgari Dept. of Computer Engineering and Computer Science College of Engineering California State University Long Beach 11/7/2015


Acknowledgement
• This project was supported by the Ethics Across the Curriculum Award through the Ukleja Center for Ethical Leadership at California State University Long Beach.
All references
• This PowerPoint was put together using the textbook’s slides for chapter 19 (developed by the authors) and a chapter problem from the textbook.
• “Computer Security - Principles and Practice”, Second Edition, by William Stallings and Lawrie Brown, 2012.
Privacy
• Dramatic increase in scale of information collected and stored
  • in interest of law enforcement, national security, economic incentives
• Users know more about access and use of personal information and their private details
• Privacy advocates have raised concerns about extent of privacy violations. Different legal and technical approaches have been taken to reinforce privacy rights
European Union (EU) Data Protection Directive
• adopted in 1998 to:
  • ensure member states protect fundamental privacy rights when processing personal information
  • prevent member states from restricting the free flow of personal information within EU
• Consists of these principles:
  • notice
  • consent
  • security
  • consistency
  • onward transfer
  • access
  • enforcement
US Privacy Act of 1974
• dealt with personal information collected and used by federal agencies
• permits individuals to determine records kept
• permits individuals to forbid records being used for other purposes
• permits individuals to obtain access to records and to correct and amend records as appropriate
• ensures agencies properly collect, maintain, and use personal information
• creates a private right of action for individuals
ISO 27002
“An organizational data protection and privacy policy
should be developed and implemented. This policy
should be communicated to all persons involved in the
processing of personal information. Compliance with this
policy and all relevant data protection legislation and
regulations requires appropriate management structure and
control. Often this is best achieved by the appointment of a
person responsible, such as a data protection officer, who
should provide guidance to managers, users, and service
providers on their individual responsibilities and the specific
procedures that should be followed. Responsibility for
handling personal information and ensuring awareness of the
data protection principles should be dealt with in accordance
with relevant legislation and regulations. Appropriate
technical and organizational measures to protect personal
information should be implemented.”
Common Criteria Privacy Class
Privacy Appliance
Ethical Issues
• ethics: “a system of moral principles that relates to the benefits and harms of particular actions, and to the rightness and wrongness of motives and ends of those actions.”
• privacy and security problems from information and communication misuses or abuses
• Can’t only apply basic ethical principles developed by civilizations
• unique considerations surrounding computers and information systems
• Large scale of activities not possible or conceivable before
• creation of new types of entities for which no agreed ethical rules have previously been formed
Ethical Question Examples
• whistle-blower
  • when professional ethical duty conflicts with loyalty to employer
  • e.g. inadequately tested software product
  • organizations and professional societies should provide alternative mechanisms
• potential conflict of interest
  • e.g. consultant has financial interest in vendor which should be revealed to client
Codes of Conduct
• ethics are not precise laws or sets of facts
• many areas may present ethical ambiguity
• many professional societies have adopted ethical codes of conduct which can:
  1) be a positive stimulus and instill confidence
  2) be educational
  3) provide a measure of support
  4) be a means of deterrence and discipline
  5) enhance the profession's public image
ACM Code of Ethics and Professional Conduct
IEEE Code of Ethics
AITP Standard of Conduct
Comparison of Codes of Conduct
• common themes:
  • dignity and worth of other people
  • personal integrity and honesty
  • responsibility for work
  • confidentiality of information
  • public safety, health, and welfare
  • participation in professional societies to improve standards of the profession
  • the notion that public knowledge and access to technology is equivalent to social power
• They do not fully reflect the unique ethical problems related to the development and use of computer and IS technology
The Rules
• A short list of guidelines on the ethics of computer systems developed collaboratively
• Ad Hoc Committee on Responsible Computing
  • anyone can join this committee and suggest changes to the guidelines
• Moral Responsibility for Computing Artifacts (The Rules)
The rules:
1) The people who design, develop, or deploy a computing artifact are morally responsible for that artifact, and for the foreseeable effects of that artifact. This responsibility is shared with other people who design, develop, deploy or knowingly use the artifact as part of a sociotechnical system.
2) The shared responsibility of computing artifacts is not a zero-sum game. The responsibility of an individual is not reduced simply because more people become involved in designing, developing, deploying, or using the artifact. Instead, a person’s responsibility includes being answerable for the behaviors of the artifact and for the artifact’s effects after deployment, to the degree to which these effects are reasonably foreseeable by that person.
3) People who knowingly use a particular computing artifact are morally responsible for that use.
4) People who knowingly design, develop, deploy, or use a computing artifact can do so responsibly only when they make a reasonable effort to take into account the sociotechnical systems in which the artifact is embedded.
5) People who design, develop, deploy, promote, or evaluate a computing artifact should not explicitly or implicitly deceive users about the artifact or its foreseeable effects, or about the sociotechnical systems in which the artifact is embedded.
Class Discussion
Problem 19.9 of Textbook
• “Assume you are a midlevel systems administrator for one section of a
larger organization. You try to encourage your users to have good
password policies and regularly run password-cracking tools to check that
those in use are not guessable. You have become aware of a burst of
hacker password-cracking activity recently. In a burst of enthusiasm, you
transfer the password files from a number of other sections of the
organization and attempt to crack them. To your horror, you find that in
one section for which you used to work (but you have rather strained
relationships with), something like 40% of the passwords are guessable
(including that of the vice-president of the section whose password is
'president'!). You quietly sound out a few former colleagues and drop hints
in the hope things might improve. A couple of weeks later you again
transfer the password file over to analyze in the hope things have
improved. They haven't. Unfortunately this time one of your colleagues
notices what you are doing. Being rather a 'by the book' person, he notifies
senior management and that evening you find yourself being arrested on a
charge of hacking and thrown out of a job. Did you do anything wrong?
....”
Class Discussion (Cont.)
• Use Codes of Conduct
• Arguments in support of system admin:
  • item 2.5 (analysis of risks) in the ACM code
  • item 7 (correct errors) in the IEEE code
• Arguments against system admin:
  • item 2.8 (authorized access) in the ACM code
  • The admin should have raised the issue of password security with senior management, not acted on it alone
Quiz 1
• You are working on a cookie system that sends a visited website URL along with the IP address of the user to an advertising company without users’ consent. Which one of these (if any) did you violate?
  • EU Data Protection Directive
  • US Privacy Act of 1974
Quiz 2
• You develop a free Android game app that accesses users’ contacts and location. You then give this information to an advertising company and allow them to push ads to your game. Did you violate any more obligation? Discuss your answer.
References
• William Stallings and Lawrie Brown. Computer Security: Principles and Practice, Second Edition, Prentice Hall, 2012.
• Donald Gotterbarn. How the new software engineering code of ethics affects you. Software, IEEE, 16(6):58-64, 1999.
• Charles P. Pfleeger and Shari Lawrence Pfleeger. Security in Computing (4th Edition), Prentice Hall PTR, Upper Saddle River, NJ, USA, 2006.
• http://www.acm.org/about/code-of-ethics
• http://www.ieee.org/about/corporate/governance/p7-8.html
• http://c.ymcdn.com/sites/www.aitp.org/resource/resmgr/forms/code_of_ethics.pdf