CSCE 390Professional Issues in Computer Science and EngineeringPrivacy Concerns (Chapters 14-15 [B]) Spring 2010 Marco Valtorta firstname.lastname@example.org
Codes of Ethics and Privacy ACM Code of Ethics and Professional Conduct: http://www.acm.org/about/code-of-ethics 1.7 Respect the privacy of others. • Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies. • This imperative implies that only the necessary amount of personal information be collected in a system, that retention and disposal periods for that information be clearly defined and enforced, and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages, without the permission of users or bona fide authorization related to system operation and maintenance. User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code. In these cases, the nature or contents of that information must be disclosed only to proper authorities.
Codes of Ethics and Privacy ACM Code of Ethics and Professional Conduct: http://www.acm.org/about/code-of-ethics 1.8 Honor confidentiality. • The principle of honesty extends to issues of confidentiality of information whenever one has made an explicit promise to honor confidentiality or, implicitly, when private information not directly related to the performance of one's duties becomes available. The ethical concern is to respect all obligations of confidentiality to employers, clients, and users unless discharged from such obligations by requirements of the law or other principles of this Code. 3.5 Articulate and support policies that protect the dignity of users and others affected by a computing system. • Designing or implementing systems that deliberately or inadvertently demean individuals or groups is ethically unacceptable. Computer professionals who are in decision making positions should verify that systems are designed and implemented to protect personal privacy and enhance personal dignity.
Codes of Ethics and Privacy • ACM/IEEE-CS Software Engineering Code of Ethics and Professional Practice http://www.acm.org/about/se-code • 1.03. Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good. • 3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.
Codes of Ethics and Privacy The Ten Commandments of Computer Ethics http://www.acm.org/about/se-code • Thou shalt not use a computer to harm other people. • Thou shalt not interfere with other people's computer work. • Thou shalt not snoop around in other people's computer files. • Thou shalt not use a computer to steal. • Thou shalt not use a computer to bear false witness. • Thou shalt not copy or use proprietary software for which you have not paid. • Thou shalt not use other people's computer resources without authorization or proper compensation. • Thou shalt not appropriate other people's intellectual output. • Thou shalt think about the social consequences of the program you are writing or the system you are designing. • Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans. • Three case studies: Gotterbarn, D. and Miller, K. W. 2004. Computer ethics in the undergraduate curriculum: case studies and the joint software engineer's code. J. Comput. Small Coll. 20, 2 (Dec. 2004), 156-167, http://portal.acm.org/citation.cfm?id=1040168#
Codes of Ethics and Privacy • Three case studies: Gotterbarn, D. and Miller, K. W. 2004. Computer ethics in the undergraduate curriculum: case studies and the joint software engineer's code. J. Comput. Small Coll. 20, 2 (Dec. 2004), 156-167, http://portal.acm.org/citation.cfm?id=1040168#
Case Study 2 Leikessa Jones owns her own consulting business, and has several people working for her. Leikessa is currently designing a database management system for the personnel office of ToyTimeInc., a mid-sized company that makes toys. Leikessa has involved ToyTimeInc management in the design process from the start of the project. It is now time to decide about the kind and degree of security to build into the system. Leikessa has described several options to the client. The client has decided to opt for the least secure system because the system is going to cost more than was initially planned, and the least secure option is the cheapest security option. Leikessa knows that the database includes sensitive information, such as performance evaluations, medical records, and salaries. With weak security, she fears that enterprising ToyTimeInc employees will be able to easily access this sensitive data. Furthermore, she fears that the system will be an easy target for external hackers. Leikessa feels strongly that the system should be more secure than it would be if the least secure option is selected. Ms. Jones has tried to explain the risks to ToyTimeInc, but the CEO, the CIO, and the Director of Personnel are all convinced that the cheapest security is what they want. Should Jones refuse to build the system with the least secure option?
Case Study 2: Relevant Clauses • Principle 1. PUBLIC Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate: • 1.01. Accept full responsibility for their own work. • 1.03. Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good. • 1.04 Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.
Case Study 2: Relevant Clauses • Principle 2. CLIENT AND EMPLOYER Software engineers shall act in a manner that is in the best interests of their client and employer, consistent with the public interest. In particular, software engineers shall, as appropriate: • 2.05. Keep private any confidential information gained in their professional work, where such confidentiality is consistent with the public interest and consistent with the law.
Case Study 2: Relevant Clauses • Principle 3. PRODUCT Software engineers shall ensure that their products and related modifications meet the highest professional standards possible. In particular, software engineers shall, as appropriate: • 3.01. Strive for high quality, acceptable cost, and a reasonable schedule, ensuring significant tradeoffs are clear to and accepted by the employer and the client, and are available for consideration by the user and the public. • 3.03. Identify, define and address ethical, economic, cultural, legal and environmental issues related to work projects. • 3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.
Applying the Code • Privacy • Security of private data vs. economic interests of the client • Mistake: offering an option that is not beneficial to the public • Ms. Jones cannot just blame the client • Ms. Jones failed in her duty to use sound professional judgement • She may need to absorb the additional cost of a sufficiently secure solution as a loss