Ethics and Security for Dowling Computer Science Students

 


This web page is http://www.bernstein-plus-sons.com/.dowling/Dowling_Ethics_Security.html
Copyright © 2001, 2002 Herbert J. Bernstein and other parties. All rights reserved.


Basics of Ethics and Security

Ethical Issues:

Computers and networks are powerful tools. Care must be exercised in using them to avoid causing harm to ourselves and to others. Private and confidential information lies in computers and courses through networks, just as private property and information lie behind the walls of people's houses and travel through the public streets in purses and wallets. We need to show ethical restraint in not taking or corrupting information which is not ours, and we need to be watchful to protect our own information against depredation by others.

Those working with computers, especially those working with shared computers, those working with networked computers, creating software to be used by others, and learning how to create software to be used by others are members of a community that can prosper only if its members show respect for one another. No person should take any action which might interfere with the use of shared facilities or networks by others, nor should any person intentionally view information belonging to others or make any use whatsoever of information belonging to others if unintentionally viewed.

In working with computers and networks, all students who will be developing computer-related systems for use by others should read, understand, and adhere to the "ACM Code of Ethics" (© 1997 ACM, and reproduced here with permission of the ACM). Those who will only make use of computer-related systems should also be aware of the ACM Code of Ethics, because it points out important areas of concern in the use of computers.

Why Ethics are Important:

We all know that the most important reasons to do the "right thing" are internal. In some areas of life, we have the reinforcement of knowing that there will be punishment for doing wrong things. Considerations of our internal state and fear of punishment are important motivations towards ethical behavior when working with computers, but, when working with computers and communications networks, there are also very practical reasons for all of us to adhere to strict ethical standards and to encourage our colleagues to do the same.

The ACM Code of Ethics asks us to:

These sound like a boy-scout oath, the sort of things our mothers would tell us when we were young, and it is common to find people thinking themselves "grown up" when they can "get away" with violating such rules. Being a little bit "naughty" seems exciting. We tell ourselves that we can always make things right if we go a little bit too far.

Unfortunately, when dealing with computers and communications networks, the effects of small mistakes and missteps can be greatly amplified and get out of hand. For example, suppose you get a little bit careless in writing a procedure to compute the difference between two times, not worrying about, say, an end-of-year, or end-of-millennium wrap-around. You just intend the code to be a one-shot for your own use that you will fix up long before the error case will become a reality. You never get around to fixing the code, but it wanders into your general bag of tricks, used in a variety of programs. Now suppose that bit of code gets picked up by someone else and used as an internal subroutine in a piece of equipment timing patient care in a hospital -- intravenous drips, high dose x-ray treatment. That little mistake could kill somebody.
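The wrap-around mistake described above, shown as an added example that is not part of the original page. The function names, the 15-minute dosing interval and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime

def elapsed_minutes_naive(start, end):
    """The careless 'one-shot': day-of-year and time of day only, year ignored."""
    s, e = start.timetuple(), end.timetuple()
    return ((e.tm_yday - s.tm_yday) * 1440
            + (e.tm_hour - s.tm_hour) * 60
            + (e.tm_min - s.tm_min))

def elapsed_minutes(start, end):
    """Subtract full timestamps and refuse a clock that appears to run backwards."""
    seconds = (end - start).total_seconds()
    if seconds < 0:
        raise ValueError("end precedes start: clock fault or swapped arguments")
    return int(seconds // 60)

def dose_due(elapsed, interval_minutes=15):
    """Hypothetical scheduling decision that consumes the elapsed time."""
    return elapsed >= interval_minutes

# Constructed sample: last dose given ten minutes before midnight on
# New Year's Eve, checked again ten minutes after midnight.
LAST_DOSE = datetime(2001, 12, 31, 23, 50)
NOW = datetime(2002, 1, 1, 0, 10)

# Constructed sample inside a single year, where both versions agree and
# the bug therefore stays hidden during ordinary testing.
MARCH_START = datetime(2001, 3, 1, 8, 0)
MARCH_END = datetime(2001, 3, 2, 9, 30)

if __name__ == "__main__":
    for label, fn in (("naive", elapsed_minutes_naive), ("fixed", elapsed_minutes)):
        minutes = fn(LAST_DOSE, NOW)
        print(f"{label}: elapsed={minutes} min, dose due={dose_due(minutes)}")
```

The naive version passes every test run inside one calendar year and only fails across the year boundary, where it reports a large negative interval and the dose is never judged due.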

Now suppose someone deliberately meddles with the operation of a communications network, having a little "fun" making a mischievous message bounce from machine to machine, spreading copies of the message far and wide, not clobbering any disks, just sending copies of the message around. In the right/wrong circumstances, such actions can clog up a network so badly that other traffic cannot get through. This is what is known as a "denial of service" attack. Despite serious efforts at managing network flows to prevent such attacks from stopping all traffic, such attacks are a common and increasing problem. Apparently some people think that doing this is "fun". But suppose that a doctor was trying to use that network to exchange information about a seriously ill patient during that denial-of-service attack, or a student was trying desperately to submit some work to his instructor needed for graduation. This would not be fun for the patient or the student.

The Commons

The basic problem is that software and communications networks are shared. They are like a village green, the so-called "village commons". A village can post signs, tax its residents, hire a village constable and village grounds keeper, and take other centralized actions to try to preserve the commons, but, in practice, the most important action that can be taken to keep a shared area useable by everyone is to convince almost everyone that they each are responsible for keeping the common area useable -- that they won't tear up the turf or bury it in litter. Then the constable and the grounds keeper can concentrate on dealing with a small number of people who are careless or don't wish to behave.

We are just now starting to build up an effective body of enforceable law with respect to computers and networks, and we are very far from having reliable mechanisms to clean up messy software and prune errant traffic from networks. Those mechanisms will improve, but right now we have to depend on the good will and good behavior of most people if we are to be able to get any work done.

Intellectual Property

Copyrights, Patents and Trademarks are areas for which there is a well-established body of law, but about which there is much misunderstanding. People make the wrong default assumption. They think that it is acceptable to copy almost anything they find on their computer or on the net. Just the opposite is true. In most cases, you need to have permission of the owner of the intellectual property involved to copy most documents, programs, pictures, etc. The owner is not obliged to put a copyright notice on a document or other "work" in order to have a copyright. In the United States and most other countries, the creator of a work has a copyright from the moment of creation whether or not a notice appears. The owner of a patent or trademark has even stronger rights.

The law on intellectual property is very complex, and the penalties for violating it can be severe, involving large civil and, in some cases, criminal penalties for what may seem like minor infractions. Until and unless you have had a lot of experience in judging what you may or may not copy without permission, the sensible thing to do is to ask permission. It takes just a few moments to send email requesting permission to copy what you need. I even asked the ACM for permission to reproduce the Code of Ethics. Naturally, no matter what arrangements have been made for permissions, one should give credit where credit is due and cite the sources of works based on somebody else's efforts.

Major Security Problems

In addition to people failing to respect intellectual property rights of others, there are serious and increasing problems of damage to information. When computers permit remote access, someone other than an authorized user may attempt to mimic an authorized user and gain unauthorized access. The most common problem is a failure to maintain the secrecy of user name/password combinations, particularly of user name/password combinations which allow system management access.

Even when security of direct access to a system is maintained, malicious persons can still cause damage. On modern computers we accept new information into our systems in many ways, for example as data, as documents, as application programs. A person determined to corrupt our data can simply modify the data we accept before we accept it, either replacing good data with bad, or adding extra data to it. Sometimes that extra data can itself be an active piece of code which a system may accidentally execute to the detriment of the integrity of the system, or simply unexpected data which causes a program to do undesirable things. A person may corrupt a program or add an extra bit of software to a working program to cause unexpected things to happen. An email message may arrive with attachments (extra documents) which execute programs which cause mischief. The problem has gotten so bad that some maintainers of discussion lists refuse to accept messages with attachments.

Areas of Special Concern

Those who will be working on hardware, operating systems, databases, widely used applications and other aspects of the use of computers that help to create systems that will be used by people other than themselves have a special responsibility to exercise caution and restraint and to behave ethically. A simple bug or careless design can have an impact that is difficult to estimate. Even though we can never be certain that a system performs as intended, we can be certain that we did all that we reasonably could to identify and remove problems, or at least to warn users of areas about which we have doubts.


Prepared 31 August 2001,
Updated 10 February 2002,
yaya@dowling.edu.