3 Ethical Dilemma for Information Security Professionals

security

Having worked in Information Governance and Assurance for a few years now I have yet to come across any information regarding information security and ethics. Which to me is an area where more thought into the issues surrounding what we do as InfoSec Professionals and the ethical ramifications.

There are discussions surrounding disclosure, and how to disclose things like flaws and bugs to the appropriate authorities but little to dictate how we should do our work on a regular basis.

Take the following scenarios (all based on my experiences) and see if you came up with the same decision, and let us know in the comments how you feel about them.  

Use Data For a Morally ‘Right’ Reason But Legally ‘Wrong’ Ramifications

Imagine a young girl has been abducted. There is a growing grass roots movement to publicise this event with hopes to find her. It is felt that time is of the essence and the more people who know the more likely she will be found.

A board member with little exposure to the Information Department sent you and email and specifically asks you to arrange to have it sent to every single contact on the in-house CRM system. This email contains a few pictures, a description and a request to contact law enforcement if they have any information.

On the face of it it would seem to be the right thing to do is to send the mail to everyone in the CRM with the help of inbuilt campaign management tools. You are keen to help do everything within your power to find this girl and you have a direct instruction from a senior manager telling you to do it.

My dilemma on this issue was that yes, it may be the better action to send this mail. However our list of contacts did not consent to receiving emails from us for public service announcements, and accounting for data protection legislation sending this information on may prove to be illegal.

In the end I sent an email back to the senior manager outlining the corporate responsibilities and maintaining good governance, and although the reason for breaking the law may be morally just the ramifications could be illegal.

In the end the email wasn’t sent out about the missing girl. It was a case of educating the senior manager as to our responsibilities as corporate guardians, although sending the email would have been morally acceptable and still pains me to this day.

Disrupting or Removing a Valid Right to Protest

Another well known company I worked with asked if I could help with their information governance specifically with regards to an electronic protest that was currently taking place.

This electronic protest was not disrupting any of the information processing facilities at my employer, it was in my opinion a free right to protest the perceived lack of accountability in certain corporate operations. The disruption was coming through on visibility of the corporate brand and disruption to it’s operational factors.  The protesters were not doing anything illegal.

I was specifically tasked with doing nothing illegal or immoral but to try and stop these protests from further damaging the corporate brand. There was a PR company involved also that was pushing out positive messages and trying to be transparent in it’s decisions making process with regards to this specific brand.

Information Governance tends to be concerned with those things within a company boundaries, however this one specific case these boundaries (due to the internet) were being very cleverly blurred. There were tools available and commonly used processes that were not being applied but could have been used to seriously limit the exposure to the negative press.

I made my stance known to my employer: in that I felt that although this was a fair protest and that the relations company would probably be of greater use than I. I also made it clear that although I would consult in ways to improve the boundary defence and isolate the protest I would follow my initial specification and not do anything unethical or illegal.

In the end I was tasked with putting into effect further controls at the company, which as envisaged went a way to reduce the exposure but did not make away with it altogether.

I found this to be a more difficult ethical dilemma than my first example. Yes there was a right to protest, but at the same time the business also had a right to try and minimise disruption and to answer the accusations in their own fashion. The business were my employer and I was asked to do nothing that would compromise my ethics.

If I had been asked to do something above and beyond what I did, then that would have been a major dilema.

Infringing Peoples Expected Freedoms & Privacy

This is an issue that comes up much more often than many would think and I will provide some generic examples:

  • Being asked to check web/email/system activity for a certain user
  • Being asked to implement content filters for web/email/system activity to prevent certain activities
  • Being asked to limit availability of resources to prevent certain activities

All of these we can point to fair use documents, contracts of employment, IT Quality Management Sytems (such as ISO 27001) but in my experience they can sometimes be difficult to call.

For example it is a legal right to have the right to look for employment (even if you’re employed), although companies may say there is no business reason why you should be looking for jobs in work time. Lets take it a step further and look at incidents that came to light during the Arab Spring, namely around governments monitoring Skype and Gmail to maintain control of their subjects.

We could probably say that one of these is just and right, and another one (from our Western perspective) is wrong. So therefore there must be somewhere in the middle where the activity is questionable.

Without a full contract of employment backed up with IT Policies I have always had a problem with singling out individual users for monitoring. Once I went as far as to implement a procedure that had to be followed to get that information (or even start the data collection process), it involved signatures from Human Resources, the Line Manager and Line Director. No one person could perform more than one role, and if a conflict occurred then the requirements was to escalate the process upwards (all the way to the CEO if necessary).

I’m not sure how many of these forms never made it as far as myself to act upon, but from collecial evidence I believe for everyone one I acted upon, two never made it as far as myself. It meant that decisions to monitor someone could not be made on a whim or a bad day, but when there was an emergency the paper trail could back up what we did in court if necessary.

So where do you stand on this sliding scale of morality in IT?

5 Comments on "3 Ethical Dilemma for Information Security Professionals"

  1. Jake says:

    A very interesting piece indeed. If you were to ask me, I believe all of the following actions you took were justified. Specifically, the online protest against the company you worked for. I do feel as if though, from the tone of your article, that you analyzed all situations that were present at that time. Meaning, you put your feet in both shoes, example: The protesters and the duty you were tasked with to help keep your company’s name. Obviously, they had the right to protest, which you analyzed was not illegal, but also that your company’s name was also being damaged from that fact. By studying and analyzing both sides, in my opinion, that makes you very sophisticated. Now the choice that you made, by helping your company legally but not completely “make away” with the protest altogether, was in fact justified. But I am curious, to see what your own personal perspective was on that situation. Was their protest also justified? Thanks, I really like your post.

    Jake

    • gyp says:

      Hi Jake,

      Thanks for dropping by and thanks for commenting. I’m glad that my ethical dilemas and actions would be shared by yourself :)

      The online protest was a very very difficult one to judge and it gave me no sleep that night while I thought about it. I specifically tried to not get ‘clouded’ by the reasons the protesters were protesting, in other words I tried to stay just to the proven facts and the legality of each course of actions. In the end this resulted in a simple list of the proven facts of each ‘vector’ (for want a better description) and weighed against each other using industry standard measurement tools.

      I know that probably doesn’t answer your question though. In my opinion I believe that any protest can be justified as long as the benefits in protesting outweighs the cost it could cause. Were the protesters justified in the vectors they took to my client? Yes, since any protest can be justified and they were not breaking the law. However the same right to protest I believe should go hand in hand with the right for those being protested about to have their thoughts heard.

      I know this still probably doesn’t answer your question, but as I mentioned before I tried to look at this case on just the facts and believe that this gave the best outcome for all parties, if I start questions my actions now I may end up slightly (more) deranged :) Like any discussions about ethics or morality on any subjects it is possible to run yourself round in circles, I just find it strange that Information Security seems to have the ethics questions largely left to peoples own gauge of morality. I’m not sure if that’s right or not (again could go round in circles on that one too!).

      What would you have done? Imagine it both ways: that the protesters had a moral case to protest and another time that they did not. Would the course of actions be different? How about if some people thought they were justified but others didn’t, and that the people who didn’t were paying you?

      Thanks again for dropping by,
      Gyp

  2. Jake says:

    Thanks Gyp,

    Personally, I would have done the exact same thing that you did for your company. Hehe, ethics really does make you run circles indeed, especially if it goes against what you believe. You asked for both ways, if the protest had a moral reason and if they didn’t. If I had the same ideological beliefs as the protesters did and was forced to make the choice to either A. stand up for my beliefs even if it costed me my job, or B. stand by my job and keep it; I unfortunentely would have chosen choice B regardless. Now, if it was a life-threatening situation obviously, the choice I would have chosen was A. I know it may sound as if I am a hypocrite for going back against one’s beliefs but you can’t forget the whole picture, in my opinion. In this economy, (assuming the U.S. or pretty much anyware) fiscal issues will always be above social issues. Meaning, your job comes first so that you may provide for yourself or the ones you love. Even if you shared the same opinion as the protesters did, I personally don’t think that one would have been condemned for choosing what was the most logical choice, which is what you did and what I would have done as well.

    Now, when I said that fiscal issues always comes above social issues, I mean that in a practical sense. But if it comes to your religion (if one has) or some sort of life-threatening issue such as (race, gender ect.) than obviously social issues can somewhat overbear economical issues.

    Hehe, now if the protesters did not have a moral case and did not share my same beliefs or opinions, I unfortuenetly wouldn’t bother analyzing their point of view unfortunetely. As horrid, as that sounds, I admit to myself that I could be selfish at times but being honest, I would have been glad to help carry out my task for the company. Even some-what describing my actions as activism. (Being honest of course). Though it is better to always understand both sides or scenarious and then make the best decision from there.

    Did you yourself have some, or any, of the same opinions or beliefs as did the protestors who were against your company? Or did you make your decision based on just the legality of the situation.

    Thanks for replying back,
    Jake

    • gyp says:

      Hi Jake,

      I always like to reply to people who take the time to read what I enjoy writing about, and apologies for the tardy reply I’ve been very busy this last couple of days :)

      It’s funny how you mentioned about money, it’s always a very difficult one if you’re being paid for a specific job and you let your morality get in the way, I must admit I’ve been torn a few times when I know for a fact that my involvement is no longer necessary about. But if we look to things like the Arab Spring then it’s as you say sometimes the social factor take priority, so you’re right a full holistic approach is always useful even if you don’t do it consciously.

      As for ‘my’ protestors I agreed with their right to protest, but my actions were decided solely on the legal and security frameworks in place. I have to admit that although I wouldn’t go to the same extent as the protesters did about the subject their took up, I did think they were allowed to make their feelings heard.

      And to be honest, I’m not sure if a full appraisal both sides of the situation improved my actions. I just found it a very interesting thing to contemplate I suppose.

      Gyp

  3. Jake says:

    Understood Gyp. Again, it’s a very interesting post. I really like your site and i’ll definitely be on here more time to time.

    Thanks,
    Jake

Got something to say? Go for it!