9.8 Case Studies of Ethics
To understand how ethics affect professional actions, ethicists often study example situations. The remainder of this section consists of several representative examples. These cases are modeled after ones developed by Parker [PAR79] as part of the AFIPS/NSF study of ethics in computing and technology. Each case study is designed to bring out certain ethical points, some of which are listed following the case. You should reflect on each case, determining for yourself what the most influential points are. These cases are suitable for use in a class discussion, during which other values will be mentioned. Finally, each case reaches no conclusion because each individual must assess the ethical situation alone. In a class discussion it may be appropriate to take a vote. Remember, however, that ethics are not determined by majority rule. Those siding with the majority are not "right," and the rest are not "wrong."
Case I: Use of Computer Services
This case concerns deciding what is appropriate use of computer time. Use of computer time is a question both of access by one person and of availability of quality of service to others. The person involved is permitted to access computing facilities for a certain purpose. Many companies rely on an unwritten standard of behavior that governs the actions of people who have access to a computing system. The ethical issues involved in this case can lead to an understanding of that unwritten standard.
Dave works as a programmer for a large software company. He writes and tests utility programs such as compilers. His company operates two computing shifts: during the day program development and online applications are run; at night batch production jobs are completed. Dave has access to workload data and learns that the evening batch runs are complementary to daytime programming; that is, adding programming work during the night shift would not adversely affect performance of the computer to other users.
Dave comes back after normal hours to develop a program to manage his own stock portfolio. His drain on the system is minimal, and he uses very few expendable supplies, such as printer paper. Is Dave's behavior ethical?
Some of the ethical principles involved in this case are listed below.
Ownership of resources. The company owns the computing resources and provides them for its own computing needs.
Effect on others. A flaw in Dave's program could adversely affect other users, perhaps even denying them service because of a system failure.
Universalism principle. If Dave's action is acceptable, it should also be acceptable for others to do the same. However, too many working in the evening could reduce system effectiveness.
Possibility of detection. Dave does not know whether his action would be wrong or right if discovered by his company. If his company decided it was improper use, Dave could be punished.
What other issues are involved? Which principles are more important than others?
The utilitarian would consider the total excess of good over bad for all people. Dave receives benefit from use of computer time, although for this application the amount of time is not large. Dave has a possibility of punishment, but he may rate that as unlikely. The company is neither harmed nor helped by this. Thus, the utilitarian could argue that Dave's use is justifiable.
The universalism principle seems as if it would cause a problem because clearly if everyone did this, quality of service would degrade. A utilitarian would say that each new user has to weigh good and bad separately. Dave's use might not burden the machine, and neither might Ann's; but when Bill wants to use the machine, it is heavily enough used that Bill's use would affect other people.
Would it affect the ethics of the situation if any of the following actions or characteristics were
a business managing stock portfolios for many people for profit.
Dave's salary was below average for his background, implying that Dave was due the computer use as a fringe benefit.
Dave's employer knew of other employees doing similar things and tacitly approved by not seeking to stop them.
Dave worked for a government office instead of a private company and reasoned that the computer belonged "to the people."
Case II: Privacy Rights
In this case the central issue is the individual's right to privacy. Privacy is both a legal and an ethical issue because of the pertinent laws discussed in the previous section.
Donald works for the county records department as a computer records clerk, where he has access to files of property tax records. For a scientific study, a researcher, Ethel, has been granted access to the numerical portion (but not the corresponding names) of some records.
Ethel finds some information that she would like to use, but she needs the names and addresses corresponding with certain properties. Ethel asks Donald to retrieve the names and addresses so she can contact these people for more information and for permission to do further study.
Should Donald release the names and addresses?
Some Principles Involved
Here are some of the ethical principles involved in this case. What are other ethical principles? Which principles are subordinate to which others?
Donald's job is to manage individual records, not to make determinations of appropriate use. Policy decisions should be made by someone of higher authority.
The records are used for legitimate scientific study, not for profit or to expose sensitive data. (However, Ethel's access is authorized only for the numerical data, not for the private information relating property conditions to individuals.)
Although he believes Ethel's motives are proper, Donald cannot guarantee that Ethel will use the data only to follow up on interesting data items.
Had Ethel been intended to have names and addresses, they would have been given initially.
Ethel has been granted permission to access parts of these records for research purposes, so she should have access to complete her research.
Because Ethel has no authority to obtain names and addresses and because the names and addresses represent the confidential part of the data, Donald should deny Ethel's request for access.
A rule-deontologist would argue that privacy is an inherent good and that one should not violate the privacy of another. Therefore, Donald should not release the names.
Extensions to the Basic Case
We can consider several possible extensions to the scenario. These extensions probe other ethical issues involved in this case.
Suppose Donald were responsible for determining access to the files. What ethical issues would be involved in his deciding whether to grant access to Ethel?
Should Ethel be allowed to contact the individuals involved? That is, should the health department release individuals' names to a researcher? What are the ethical issues for the health department to consider?
Suppose Ethel contacts the individuals to ask their permission, and one-third of them respond giving permission, one-third respond denying permission, and one-third do not respond. Ethel claims that at least one-half of the individuals are needed to make a valid study. What options are available to Ethel? What are the ethical issues involved in deciding which of these options to
To show that ethics can be context dependent, let us consider some variations of the situation. Notice that these changes affect the domain of the problem, but not the basic question: access to personal data.
If the domain were medical records, the case would be covered by HIPAA, and so we would first consider a legal issue, not an ethical one. Notice, however, how the case changes subtly depending on the medical condition involved. You may reach one conclusion if the records deal with "ordinary" conditions (colds, broken legs, muscle injuries), but a different conclusion if the cases are for sexually transmitted diseases or AIDS. You may also reach a different conclusion if the research involves genetic conditions of which the subject may be unaware (for example, being a carrier for Huntington's disease or hemophilia).
But change the context once more, and consider web surfing habits. If Donald works for an Internet service provider and could determine all the web sites a person had visited, would that be fair to disclose?
Case III: Denial of Service
This case addresses issues related to the effect of one person's computation on other users. This situation involves people with legitimate access, so standard access controls should not exclude them. However, because of the actions of some, other people are denied legitimate access to the system. Thus, the focus of this case is on the rights of all users.
Charlie and Carol are students at a university in a computer science program. Each writes a program for a class assignment. Charlie's program happens to uncover a flaw in a compiler that ultimately causes the entire computing system to fail; all users lose the results of their current computation. Charlie's program uses acceptable features of the language; the compiler is at fault. Charlie did not suspect his program would cause a system failure. He reports the program to the computing center and tries to find ways to achieve his intended result without exercising the system flaw.
The system continues to fail periodically, for a total of ten times (beyond the first failure). When the system fails, sometimes Charlie is running a program, but sometimes Charlie is not. The director contacts Charlie, who shows all of his program versions to the computing center staff. The staff concludes that Charlie may have been inadvertently responsible for some, but not all, of the system failures, but that his latest approach to solving the assigned problem is unlikely to lead to additional system failures.
On further analysis, the computing center director notes that Carol has had programs running each of the first eight (of ten) times the system failed. The director uses administrative privilege to inspect Carol's files and finds a file that exploits the same vulnerability as did Charlie's program. The director immediately suspends Carol's account, denying Carol access to the computing system. Because of this, Carol is unable to complete her assignment on time, she receives a D in the course, and she
out of school.
In this case the choices are intentionally not obvious. The situation is presented as a completed scenario, but in studying it you are being asked to suggest alternative actions the players could have taken. In this way, you build a repertoire of actions that you can consider in similar situations that might arise.
What additional information is needed?
Who has rights in this case? What rights are those? Who has a responsibility to protect those rights? (This step in ethical study is used to clarify who should be considered as the reference for a deontological analysis.)
Has Charlie acted responsibly? By what evidence do you conclude so? Has Carol? How? Has the computing center director acted responsibly? How? (In this step you look for past
that should be confirmed or wrongs that should be redressed.)
What are some alternative actions Charlie or Carol or the director could have taken that would have been more responsible?
Case IV: Ownership of Programs
In this case we consider who owns programs: the programmer, the employer, the manager, or all. From a legal standpoint, most rights belong to the employer, as presented earlier in this chapter. However, this case expands on that position by presenting several competing arguments that might be used to support
in this case. As described in the previous section, legal controls for
of programs can be complicated, time consuming, and expensive to apply. In this case we search for individual ethical controls that can prevent the need to resort to the legal system.
Greg is a programmer working for a large aerospace firm, Star Computers, which works on many government contracts; Cathy is Greg's supervisor. Greg is assigned to program various kinds of simulations.
To improve his programming
, Greg writes some programming tools, such as a cross-reference facility and a program that automatically
documentation from source code. These are not assigned tasks for Greg; he writes them independently and uses them at work, but he does not tell
about them. Greg has written them in the evenings, at home, on his personal computer.
Greg decides to market these programming aids by himself. When Star's management hears of this, Cathy is instructed to tell Greg that he has no right to market these products since, when he was employed, he signed a form
become the property of the company. Cathy does not agree with this position because she
that Greg has done this work on his own. She reluctantly tells Greg that he cannot market these products. She also asks Greg for a copy of the products.
Cathy quits working for Star and takes a position with Purple Computers, a competitor of Star. She takes with her a copy of Greg's products and distributes it to the people who work with her. These products are so successful that they substantially improve the effectiveness of her employees, and Cathy is praised by her management and receives a bonus. Greg hears of this, and contacts Cathy, who contends that because the product was determined to belong to Star and because Star worked largely on government funding, the products were really in the public domain and therefore they belonged to no one in particular.
This case certainly has major legal implications. Probably everyone could sue everyone else and, depending on the amount they are willing to spend on legal expenses, they could keep the cases in the courts for several
. Probably no judgment would
Let us set aside the legal aspects and look at the ethical issues. We want to determine who might have done what, and what changes might have been possible to prevent a tangle for the courts to
First, let us explore the principles involved.
What are the respective rights of Greg, Cathy, Star, and Purple?
What gives Greg, Cathy, Star, and Purple those rights? What principles of fair play, business, property rights, and so forth are involved in this case?
Which of these principles are inferior to which others? Which ones take precedence? (Note that it may be
to compare two different rights, so the outcome of this analysis may yield some rights that are important but that cannot be ranked first, second, third.)
What additional facts do you need in order to analyze this case? What assumptions are you making in performing the analysis?
, we want to consider what events led to the situation described and what alternative actions could have prevented the negative
What could Greg have done differently before starting to develop his product? After developing the product? After Cathy explained that the product belonged to Star?
What could Cathy have done differently when she was told to tell Greg that his products belonged to Star? What could Cathy have done differently to avert this decision by her management? What could Cathy have done differently to prevent the
with Greg after she went to work at Purple?
What could Purple have done differently upon learning that it had products from Star (or from Greg)?
What could Greg and Cathy have done differently after Greg spoke to Cathy at Purple?
What could Star have done differently to prevent Greg from feeling that he owned his products? What could Star have done differently to prevent Cathy from taking the products to Purple?
Case V: Proprietary Resources
In this case, we consider the issue of access to proprietary or restricted resources. Like the previous one, this case involves access to software. The focus of this case is the rights of a software developer in contrast with the rights of users, so this case concerns determining legitimate access rights.
Suzie owns a copy of G-Whiz, a proprietary software package she purchased legitimately. The software is
, and the documentation contains a license agreement that says that the software is for use by the purchaser only. Suzie invites Luis to look at the software to see if it will fit his needs. Luis goes to Suzie's computer and she demonstrates the software to him. He says he likes what he sees, but he would like to try it in a longer test.
Extensions to the Case
So far the actions have all been ethically sound. The next steps are where ethical responsibilities arise. Take each of the following steps as independent; that is, do not assume that any of the other steps has occurred in your analysis of one step.
Suzie offers to copy the disk for Luis to use.
Suzie copies the disk for Luis to use, and Luis uses it for some period of time.
Suzie copies the disk for Luis to use; Luis uses it for some period of time and then buys a copy for himself.
Suzie copies the disk for Luis to try out overnight, under the restriction that he must bring the disk back to her tomorrow and must not copy it for himself. Luis does so.
Suzie copies the disk with the same restrictions, but Luis makes a copy for himself before returning it to Suzie.
Suzie copies the disk with the same restrictions, and Luis makes a copy for himself, but he then purchases a copy.
Suzie copies the disk with the same restrictions, but Luis does not return it.
For each of these extensions, describe who is affected, which ethical issues are involved, and which principles override which others.
Case VI: Fraud
In previous cases, we have dealt with people acting in situations that were legal or, at worst, debatable. In this case, we consider fraud, which is illegal. However, the case really concerns the actions of people who are asked to do fraudulent things.
Patty works as a programmer in a corporation. David, her supervisor, tells her to write a program to allow people to post entries directly to the company's accounting files ("the books"). Patty knows that ordinarily programs that affect the books involve several steps, all of which have to balance. Patty realizes that with the new program, it will be possible for one person to make changes to crucial amounts, and there will be no way to trace who made these changes, with what justification, or when.
Patty raises these concerns to David, who tells her not to be
, that her job is simply to write the programs as he specifies. He says that he is aware of the potential misuse of these programs, but he justifies his request by noting that periodically a figure is mistakenly entered in the books and the company needs a way to correct the inaccurate figure.
First, let us explore the options Patty has. If Patty writes this program, she might be an accomplice to fraud. If she complains to David's superior, David or the superior might reprimand or fire her as a troublemaker. If she refuses to write the program, David can clearly fire her for failing to carry out an assigned task. We do not even know that the program is desired for fraudulent purposes; David suggests an explanation that is not fraudulent.
She might write the program but insert extra code that creates a secret log of when the program was run, by whom, and what changes were made. This extra file could provide evidence of fraud, or it might cause trouble for Patty if there is no fraud but David discovers the secret log.
At this point, here are some of the ethical issues involved.
Is a programmer responsible for the programs he or she writes? Is a programmer responsible for the results of those programs? (In contemplating this question, suppose the program were to adjust dosage in a computer-controlled medical application, and David's request were for a way to override the program controls to cause a lethal dosage. Would Patty then be responsible for the results of the program?)
Is a programmer merely an employee who follows orders (assigned tasks) unthinkingly?
What degree of personal risk (such as possible firing) is an employee obliged to accept for opposing an action he or she thinks is improper?
Would a program to manipulate the books as described here ever be justified? If so, in what circumstances would it be justified?
What kinds of controls can be placed on such programs to make them acceptable? What are some ways that a manager could legitimately ask an employee to write a program like this?
Would the ethical issues in this situation be changed if Patty designed and wrote this program herself?
The act-deontologist would say that truth is good. Therefore, if Patty thought the purpose of the program was to deceive, writing it would not be a good act. (If the purpose were for learning or to be able to admire beautiful code, then writing it might be justifiable.)
A more useful analysis is from the perspective of the utilitarian. To Patty, writing the program brings possible harm for being an accomplice to fraud, with the gain of having cooperated with her manager. She has a possible item with which to blackmail David, but David might also turn on her and say the program was her idea. On balance, this option seems to have a strong negative slant.
By not writing the program her possible harm is being fired. However, she has a potential gain by being able to "blow the whistle" on David. This option does not seem to bring her much good, either. But fraudulent acts have negative consequences for the
, the banks, and other innocent employees. Not writing the program brings only personal harm to Patty, which is similar to the harm described earlier. Thus, it seems as if not writing the program is the more positive option.
There is another possibility. The program may not be for fraudulent purposes. If so, then there is no ethical conflict. Therefore, Patty might try to determine whether David's motives are fraudulent.
Case VII: Accuracy of Information
For our next case, we consider responsibility for accuracy or integrity of information. Again, this is an issue addressed by database management systems and other access control mechanisms. However, as in previous cases, the issue here is access by an authorized user, so the controls do not prevent access.
Emma is a researcher at an institute where Paul is a statistical programmer. Emma wrote a grant request to a cereal manufacturer to show the nutritional value of a new cereal, Raw Bits. The manufacturer
Emma's study. Emma is not a statistician. She has brought all of her data to Paul to ask him to perform appropriate analyses and to print reports for her to send to the manufacturer. Unfortunately, the data Emma has collected seem to refute the claim that Raw Bits is nutritious, and, in fact, they may
that Raw Bits is
his analyses to Emma but also indicates that some other
could be performed that would cast Raw Bits in a more favorable light. Paul makes a facetious remark about his being able to use statistics to support either side of any issue.
Clearly, if Paul changed data values in this study he would be acting unethically. But is it any more ethical for him to suggest analyzing correct data in a way that supports two or more different conclusions? Is Paul obligated to present both the positive and the negative analyses? Is Paul responsible for the use to which others put his program results?
If Emma does not understand statistical analysis, is she acting ethically in accepting Paul's positive conclusions? His negative conclusions? Emma suspects that if she forwards negative results to the manufacturer, they will just find another researcher to do another study. She
that if she forwards both sets of results to the manufacturer, they will publicize only the positive ones. What ethical principles support her sending both sets of data? What principles support her sending just the positive set? What other courses of action has she?
Case VIII: Ethics of Hacking or Cracking
What behavior is acceptable in
? Who owns or controls the Internet? Does malicious or nonmalicious intent matter? Legal issues are involved in the answers to these questions, but as we have pointed out previously, laws and the courts cannot protect everything, nor should we expect them to. In this final case study we consider ethical behavior in a shared use computing environment, such as the Internet. The questions are similar to "what behavior is acceptable in outer space?" or "who owns the oceans?"
Goli is a computer security consultant; she enjoys the challenge of finding and fixing security vulnerabilities. Independently wealthy, she does not need to work, and so she has ample spare time in which to test the security of systems.
In her spare time, Goli does three things: First, she aggressively attacks commercial products for vulnerabilities. She is quite proud of the tools and approach she has developed, and she is quite successful at finding flaws. Second, she probes accessible systems on the Internet, and when she finds vulnerable sites, she contacts the
to offer her services repairing the problems. Finally, she is a strong believer in
pastry, and she plants small programs to slow performance in the web sites of pastry
that do not use enough butter in their pastries. Let us examine these three actions in order.
Vulnerabilities in Commercial Products
We have already described a current debate regarding the vulnerability reporting process. Now let us explore the ethical issues involved in that debate.
Clearly from a rule-based ethical theory, attackers are wrong to perform malicious attacks. The appropriate theory seems to be one of consequence: who is helped or hurt by finding and publicizing flaws in products? Relevant parties are
, the vulnerability finder, the vendor, and the using public. Notoriety or credit for finding the flaw is a small interest. And the interests of the vendor (financial, public relations) are less important than the interests of users to have secure products. But how are the interests of users best
helps users assess the seriousness of the vulnerability and apply appropriate protection. But it also gives attackers more information with which to
attacks. Early full disclosure (before the vendor has countermeasures ready) may actually harm users by leaving them vulnerable to a now widely known attack.
(the general nature of the vulnerability but not a detailed exploitation scenario) may forestall attackers. One can argue that the vulnerability details are there to be discovered; when a vendor announces a patch for an unspecified flaw in a product, the attackers will test that product aggressively and study the patch to try to determine the vulnerability. Attackers will then spread a complete description of the vulnerability to other attackers through an
network, and attacks will start against users who may not have applied the vendor's fix.
Perhaps users are best served by a scheme in which every so often new code is released, sometimes fixing security vulnerabilities, sometimes fixing things that are not security-related, and sometimes adding new features. But without a sense of significance or urgency, users may not install this new code.
Searching for Vulnerabilities and Customers
What are the ethical issues involved in searching for vulnerabilities? Again, the party of greatest interest is the user community and the good or harm that can come from the search.
On the positive side, searching may find vulnerabilities. Clearly, it would be wrong for Goli to report vulnerabilities that were not there, simply to get work, and it would also be wrong to report some but not all vulnerabilities, to be able to use the additional vulnerabilities as future leverage against the client.
But suppose Goli does a diligent search for vulnerabilities and reports them to the potential client. Is that not similar to a service station owner's telling you that a headlight is not operating when you take your car in for gasoline? Not quite, you might say. The headlight flaw can be seen without any possible harm to your car; probing for vulnerabilities might cause your system to fail.
The ethical question seems to be which is greater: the potential for good or the potential for harm? And if the potential for good is stronger, how much stronger does it need to be to override the risk of harm?
This case is also related to the common practice of ostensible nonmalicious probing for vulnerabilities: Hackers see if they can access your system without your permission, perhaps by guessing a password. Spafford [SPA98] points out that many crackers simply want to look around, without
anything. As discussed in Sidebar 9-6, Spafford
this seemingly innocent activity with entry into your house when the door is unlocked. Even when done without malicious intent, cracking can be a serious offense; at its worst, it has caused millions of dollars in damage. Although crackers are prosecuted severely with
penalties, cracking continues to be an appealing crime,
Finally, consider Goli's interfering with operation of web sites whose actions she opposes. We have purposely phrased the issue in a situation that arouses perhaps only a few gourmands and pâtissiers. We can dismiss the interest of the butter fans as an insignificant minority on an insignificant issue. But you can certainly think of many other issues that have brought on wars. (See Denning's article on cybercriminals [DEN99a] for real examples of politically motivated computer activity.)
Sidebar 9-6 Is Cracking a
Many people argue that cracking is an acceptable practice because lack of protection means that the owners of systems or data do not really value them. Spafford [SPA98] questions this logic by using the analogy of entering a house.
Consider the argument that an intruder who does no harm and makes no changes is simply learning about how computer systems
. "Most of these people would never think to walk down a street, trying every door to find one unlocked, then search through the drawers or the furniture inside. Yet, these same people seem to give no second thought to making repeated attempts at guessing passwords to accounts they do not own, and once onto a system, browsing through the files on disk." How would you feel if you knew your home had been invaded, even if no harm was done?
Spafford notes that breaking into a house or a computer system
trespassing. To do so in an effort to make security vulnerabilities more visible is "presumptuous and reprehensible." To enter either a home or a computer system in an unauthorized way, even with benign intent, can lead to
consequences. "Many systems have been damaged
by ignorant (or careless) intruders."
The ethical issues abound in this scenario. Some people will see the (butter) issue as one of inherent good, but is butter use one of the fundamental good principles, such as honesty or fairness or not doing harm to others? Is there universal agreement that butter use is good? Probably there will be a division of the world into the butter advocates (
%), the unrestricted pastry advocates (
%), and those who do not take a position (
%). By how much does
have to exceed
for Goli's actions to be acceptable? What if the value of
is large? Greatest good for the greatest number requires a balance among these three percentages and some measure of benefit or harm.
Is butter use so patently good that it justifies harm to those who
? Who is helped and who suffers? Is the world helped if only good, but more expensive, pastries are available, so poor people can no longer afford pastry? Suppose we could determine that 99.9 percent of people in the world agreed that butter use was a good thing. Would that preponderance justify overriding the interests of the other 0.1 percent?
Codes of Ethics
Because of ethical issues such as these, various computer groups have sought to develop codes of ethics for their
. Most computer organizations, such as the Association for Computing Machinery (ACM), the Institute of Electrical and Electronics Engineers (IEEE), and the Data Processing Management Association (DPMA), are voluntary organizations. Being a member of one of these organizations does not
a level of competence, responsibility, or experience in computing. For these reasons, codes of ethics in these organizations are primarily advisory. Nevertheless, these codes are fine starting points for analyzing ethical issues.
The IEEE has produced a code of ethics for its members. The IEEE is an organization of engineers, not limited to computing. Thus, its code of ethics is a little broader than might be expected for computer security, but the basic principles are
in computing situations. The IEEE Code of Ethics is shown in Figure 9-1.
Figure 9-1. IEEE Code of Ethics. (Reprinted
of the Institute of Electrical and Electronics Engineers 1996.)
The ACM code of ethics recognizes three kinds of responsibilities of its members: general moral imperatives, professional responsibilities, and leadership responsibilities, both inside the association and in general. The code of ethics has three sections (plus a fourth commitment section), as shown in Figure 9-2.
Figure 9-2. ACM Code of Ethics and Professional Conduct. (Reprinted courtesy of the Association for Computing Machinery 1993.)
Computer Ethics Institute
The Computer Ethics Institute is a
group that aims to
people to consider the ethical aspects of their computing activities. The organization has been in existence since the mid-1980s, founded as a joint activity of IBM, the Brookings Institution, and the Washington Theological Consortium. The group has published its ethical guidance as ten
of computer ethics, listed in Figure 9-3.
Figure 9-3. The Ten Commandments of Computer Ethics. (Reprinted with permission, Computer Ethics Institute, Washington, D.C.)
Many organizations take ethics seriously and produce a document guiding the behavior of their members or employees. Some corporations require new employees to read the company's code of ethics and sign a promise to abide by it. Others, especially at universities and research centers, have special
that must approve proposed research and ensure that projects and team members act ethically. As an individual professional, it may be useful for you to review these codes of ethics and compose a code of your own, reflecting your ideas about appropriate behavior in likely situations. A code of ethics can help you assess situations quickly and act in a consistent, comfortable, and ethical manner.
Conclusion of Computer Ethics
In this study of ethics, we have tried not to decide right and wrong, or even to brand certain acts as ethical or unethical. The purpose of this section is to stimulate thinking about ethical issues concerned with confidentiality, integrity, and availability of data and
The cases presented show complex, conflicting ethical situations. The important first step in acting ethically in a situation is to obtain the facts, ask about any uncertainties, and acquire any additional information needed. In other words, first one must understand the situation.
The second step is to identify the ethical principles involved. Honesty, fair play, proper compensation, and respect for privacy are all ethical principles. Sometimes these conflict, and then we must determine which principles are more important than others. This analysis may not lead to one principle that obviously overshadows all others. Still, a ranking to identify the major principles involved is needed.
The third step is choosing an action that meets these ethical principles. Making a decision and taking action are difficult, especially if the action has evident negative consequences. However, taking action based on a
ranking of principles is necessary. The fact that other equally
people may choose a different action does not
you from taking some action.
This section is not trying to force the development of rigid,
principles. Decisions may vary, based on fine differences between two situations. Or a person's views can change over time in response to experience and changing context. Learning to reason about ethical situations is not quite the same as learning "right" from "wrong." Terms such as
imply a universal set of values. Yet we know that even widely accepted principles are overridden by some people in some situations. For example, the principle of not killing people may be violated in the case of war or capital punishment. Few, if any, values are held by everyone or in all cases. Therefore, our purpose in introducing this material has been to stimulate you to recognize and think about ethical principles involved in cases related to computer security. Only by recognizing and analyzing principles can you act consistently, thoughtfully, and responsibly.