Having worked in Information Governance and Assurance for a few years now, I have yet to come across much information regarding information security and ethics, which to me is an area that deserves more thought into the issues surrounding what we do as InfoSec professionals and the ethical ramifications.
There are discussions surrounding disclosure, and how to disclose things like flaws and bugs to the appropriate authorities, but little to dictate how we should do our work on a regular basis.
Take the following scenarios (all based on my experiences), see if you would come up with the same decision, and let us know in the comments how you feel about them.
Use Data For a Morally ‘Right’ Reason But Legally ‘Wrong’ Ramifications
Imagine a young girl has been abducted. There is a growing grass roots movement to publicise this event with hopes to find her. It is felt that time is of the essence and the more people who know the more likely she will be found.
A board member with little exposure to the Information Department sent you an email and specifically asked you to arrange to have it sent to every single contact on the in-house CRM system. This email contains a few pictures, a description and a request to contact law enforcement if they have any information.
On the face of it, it would seem the right thing to do is to send the mail to everyone in the CRM with the help of the inbuilt campaign management tools. You are keen to do everything within your power to find this girl, and you have a direct instruction from a senior manager telling you to do it.
My dilemma on this issue was that yes, it may be the better action to send this mail. However, our list of contacts did not consent to receiving emails from us for public service announcements, and, accounting for data protection legislation, sending this information on may prove to be illegal.
In the end I sent an email back to the senior manager outlining the corporate responsibilities and the need to maintain good governance: although the reason for breaking the law may be morally just, the ramifications could be illegal.
In the end the email about the missing girl wasn’t sent out. It was a case of educating the senior manager as to our responsibilities as corporate guardians, although sending the email would have been morally acceptable, and it still pains me to this day.
Disrupting or Removing a Valid Right to Protest
Another well known company I worked with asked if I could help with their information governance specifically with regards to an electronic protest that was currently taking place.
This electronic protest was not disrupting any of the information processing facilities at my employer; it was, in my opinion, a free right to protest the perceived lack of accountability in certain corporate operations. The disruption was coming through in the visibility of the corporate brand and disruption to its operational factors. The protesters were not doing anything illegal.
I was specifically tasked with doing nothing illegal or immoral, but to try and stop these protests from further damaging the corporate brand. There was also a PR company involved that was pushing out positive messages and trying to be transparent in its decision-making process with regards to this specific brand.
Information Governance tends to be concerned with those things within a company’s boundaries; however, in this one specific case these boundaries (due to the internet) were being very cleverly blurred. There were tools available and commonly used processes that were not being applied but could have been used to seriously limit the exposure to the negative press.
I made my stance known to my employer: I felt that this was a fair protest and that the public relations company would probably be of greater use than I. I also made it clear that although I would consult on ways to improve the boundary defence and isolate the protest, I would follow my initial specification and not do anything unethical or illegal.
In the end I was tasked with putting into effect further controls at the company, which, as envisaged, went a way to reduce the exposure but did not do away with it altogether.
I found this to be a more difficult ethical dilemma than my first example. Yes, there was a right to protest, but at the same time the business also had a right to try and minimise disruption and to answer the accusations in its own fashion. The business was my employer, and I was asked to do nothing that would compromise my ethics.
If I had been asked to do something above and beyond what I did, then that would have been a major dilemma.
Infringing People’s Expected Freedoms & Privacy
This is an issue that comes up much more often than many would think and I will provide some generic examples:
- Being asked to check web/email/system activity for a certain user
- Being asked to implement content filters for web/email/system activity to prevent certain activities
- Being asked to limit availability of resources to prevent certain activities
For all of these we can point to fair use documents, contracts of employment and IT Quality Management Systems (such as ISO 27001), but in my experience they can sometimes be difficult to call.
For example, it is a legal right to look for employment (even if you’re employed), although companies may say there is no business reason why you should be looking for jobs in work time. Let’s take it a step further and look at incidents that came to light during the Arab Spring, namely around governments monitoring Skype and Gmail to maintain control of their subjects.
We could probably say that one of these is just and right, and the other (from our Western perspective) is wrong. Therefore there must be somewhere in the middle where the activity is questionable.
Without a full contract of employment backed up with IT policies, I have always had a problem with singling out individual users for monitoring. Once I went as far as to implement a procedure that had to be followed to get that information (or even start the data collection process); it involved signatures from Human Resources, the Line Manager and the Line Director. No one person could perform more than one role, and if a conflict occurred then the requirement was to escalate the process upwards (all the way to the CEO if necessary).
I’m not sure how many of these forms never made it as far as myself to act upon, but from collegial evidence I believe that for every one I acted upon, two never made it as far as myself. It meant that decisions to monitor someone could not be made on a whim or a bad day, but when there was an emergency the paper trail could back up what we did in court if necessary.
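The three-signature, one-role-per-person rule described above can be enforced mechanically before any collection starts. The following is an added illustration, not the author's own procedure or tooling; the role names, the "signer is also the subject" conflict rule and the audit line format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Roles the post says must each sign before collection may start.
REQUIRED_ROLES = ("Human Resources", "Line Manager", "Line Director")

@dataclass
class Signature:
    role: str    # one of REQUIRED_ROLES
    signer: str  # named person who signed in that role

@dataclass
class MonitoringRequest:
    subject: str  # user whose activity would be examined
    signatures: List[Signature] = field(default_factory=list)

def review(req: MonitoringRequest) -> Tuple[str, List[str]]:
    """Apply the three-signature, one-role-per-person rule.
    Returns ("approved", []), ("incomplete", missing_roles) or ("escalate",
    conflicts). A conflict is one person filling two roles, or a signer who
    is also the subject (that second rule is an assumption, not in the post).
    """
    conflicts: List[str] = []
    roles_held: Dict[str, List[str]] = {}
    for sig in req.signatures:
        roles_held.setdefault(sig.signer, []).append(sig.role)
        if sig.signer == req.subject:
            conflicts.append(f"{sig.signer} signed as {sig.role} but is the subject")
    for person, roles in roles_held.items():
        if len(roles) > 1:
            conflicts.append(f"{person} holds more than one role: {', '.join(roles)}")
    if conflicts:
        return "escalate", conflicts  # the next level up decides, up to the CEO
    present = {sig.role for sig in req.signatures}
    missing = [role for role in REQUIRED_ROLES if role not in present]
    if missing:
        return "incomplete", missing  # do not start collecting yet
    return "approved", []

def audit_record(req: MonitoringRequest) -> str:
    """One line for the paper trail that has to back the decision up later."""
    status, detail = review(req)
    signers = "; ".join(f"{s.role}={s.signer}" for s in req.signatures)
    return f"subject={req.subject} status={status} signers=[{signers}] detail={detail}"

if __name__ == "__main__":
    # Constructed sample: the line director also signed as line manager.
    sample = MonitoringRequest("alice", [Signature("Human Resources", "hr.lead"),
        Signature("Line Manager", "carol"), Signature("Line Director", "carol")])
    print(audit_record(sample))
```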
So where do you stand on this sliding scale of morality in IT?