Computer Security Ethics and Privacy Dr. Mehrdad Aliasgari Dept. of Computer Engineering and Computer Science College of Engineering California State University Long Beach 06/11/2022 1


Acknowledgement

• This project was supported by the Ethics Across the Curriculum Award through the Ukleja Center for Ethical Leadership at California State University Long Beach.


All references

• This PowerPoint was put together using the textbook’s slides for chapter 19 (developed by the authors) and a chapter problem from the textbook.

• “Computer Security - Principles and Practice”, Second Edition, by William Stallings and Lawrie Brown, 2012.


Privacy

• Dramatic increase in scale of information collected and stored
  • in interest of law enforcement, national security, economic incentives
• Users know more about access and use of personal information and their private details
• Privacy advocates have raised concerns about extent of privacy violations. Different legal and technical approaches have been taken to reinforce privacy rights


European Union (EU) Data Protection Directive

• adopted in 1998 to:
  • ensure member states protect fundamental privacy rights when processing personal information
  • prevent member states from restricting the free flow of personal information within EU
• Consists of these principles:
  • notice
  • consent
  • consistency
  • access
  • security
  • onward transfer
  • enforcement


US Privacy Act of 1974

• dealt with personal information collected and used by federal agencies

• permits individuals to determine records kept
• permits individuals to forbid records being used for other purposes
• permits individuals to obtain access to records and to correct and amend records as appropriate
• ensures agencies properly collect, maintain, and use personal information
• creates a private right of action for individuals


ISO 27002

“An organizational data protection and privacy policy should be developed and implemented. This policy should be communicated to all persons involved in the processing of personal information. Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a data protection officer, who should provide guidance to managers, users, and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personal information and ensuring awareness of the data protection principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personal information should be implemented.”


Common Criteria Privacy Class


Privacy Appliance


Ethical Issues

• privacy and security problems from information and communication misuses or abuses

• Can’t only apply basic ethical principles developed by civilizations

• unique considerations surrounding computers and information systems

• Large scale of activities not possible or conceivable before

• creation of new types of entities for which no agreed ethical rules have previously been formed

• ethics:
  • “a system of moral principles that relates to the benefits and harms of particular actions, and to the rightness and wrongness of motives and ends of those actions.”


Ethical Question Examples

• whistle-blower
  • when professional ethical duty conflicts with loyalty to employer
  • e.g. inadequately tested software product
  • organizations and professional societies should provide alternative mechanisms
• potential conflict of interest
  • e.g. consultant has financial interest in vendor which should be revealed to client


Codes of Conduct

• ethics are not precise laws or sets of facts
• many areas may present ethical ambiguity
• many professional societies have adopted ethical codes of conduct which can:

1) be a positive stimulus and instill confidence

2) be educational

3) provide a measure of support

4) be a means of deterrence and discipline

5) enhance the profession's public image


ACM Code of Ethics and Professional Conduct


IEEE Code of Ethics


AITP Standard of Conduct


Comparison of Codes of Conduct

• common themes:
  • dignity and worth of other people
  • personal integrity and honesty
  • responsibility for work
  • confidentiality of information
  • public safety, health, and welfare
  • participation in professional societies to improve standards of the profession
  • the notion that public knowledge and access to technology is equivalent to social power
• They do not fully reflect the unique ethical problems related to the development and use of computer and IS technology


The Rules

• A short list of guidelines on the ethics of computer systems developed collaboratively

• Ad Hoc Committee on Responsible Computing
  • anyone can join this committee and suggest changes to the guidelines
• Moral Responsibility for Computing Artifacts (The Rules)


The rules:

1) The people who design, develop, or deploy a computing artifact are morally responsible for that artifact, and for the foreseeable effects of that artifact. This responsibility is shared with other people who design, develop, deploy or knowingly use the artifact as part of a sociotechnical system.

2) The shared responsibility of computing artifacts is not a zero-sum game. The responsibility of an individual is not reduced simply because more people become involved in designing, developing, deploying, or using the artifact. Instead, a person’s responsibility includes being answerable for the behaviors of the artifact and for the artifact’s effects after deployment, to the degree to which these effects are reasonably foreseeable by that person.

3) People who knowingly use a particular computing artifact are morally responsible for that use.

4) People who knowingly design, develop, deploy, or use a computing artifact can do so responsibly only when they make a reasonable effort to take into account the sociotechnical systems in which the artifact is embedded.

5) People who design, develop, deploy, promote, or evaluate a computing artifact should not explicitly or implicitly deceive users about the artifact or its foreseeable effects, or about the sociotechnical systems in which the artifact is embedded.


Class Discussion

Problem 19.9 of Textbook

• “Assume you are a midlevel systems administrator for one section of a larger organization. You try to encourage your users to have good password policies and regularly run password-cracking tools to check that those in use are not guessable. You have become aware of a burst of hacker password-cracking activity recently. In a burst of enthusiasm, you transfer the password files from a number of other sections of the organization and attempt to crack them. To your horror, you find that in one section for which you used to work (but you have rather strained relationships with), something like 40% of the passwords are guessable (including that of the vice-president of the section whose password is 'president'!). You quietly sound out a few former colleagues and drop hints in the hope things might improve. A couple of weeks later you again transfer the password file over to analyze in the hope things have improved. They haven't. Unfortunately this time one of your colleagues notices what you are doing. Being a rather 'by the book' person, he notifies senior management and that evening you find yourself being arrested on a charge of hacking and thrown out of a job. Did you do anything wrong? ....”


Class Discussion (Cont.)

• Use Codes of Conduct
• Arguments in support of the system admin:
  • item 2.5 (analysis of risks) in the ACM code
  • item 7 (correct errors) in the IEEE code
• Arguments against the system admin:
  • item 2.8 (authorized access) in the ACM code
• The admin should have raised the issue of password security with senior management rather than acting on it alone


Quiz 1

• You are working on a cookie system that sends a visited website URL along with the IP address of the user to an advertising company without users’ consent. Which one of these (if any) did you violate?
  • EU Data Protection Directive
  • US Privacy Act of 1974


Quiz 2

• You develop a free Android game app that accesses users’ contacts and location. You then give this information to an advertising company and allow them to push ads to your game. Did you violate any moral obligation? Discuss your answer.


References

• William Stallings and Lawrie Brown. Computer Security - Principles and Practice, Second Edition, Prentice Hall, 2012.

• Donald Gotterbarn. How the new software engineering code of ethics affects you. Software, IEEE, 16(6):58-64, 1999.

• Charles P. Pfleeger and Shari Lawrence Pfleeger. Security in Computing (4th Edition) Prentice Hall PTR, Upper Saddle River, NJ, USA, 2006.

• http://www.acm.org/about/code-of-ethics

• http://www.ieee.org/about/corporate/governance/p7-8.html

• http://c.ymcdn.com/sites/www.aitp.org/resource/resmgr/forms/code_of_ethics.pdf