Technology – Society – Issue / Solution – du jour – Feb. 18, 2014

The intention of this blog segment is to bring up a current problem caused by technology and discuss not only its impact on society but also potential ways of solving the issue. Today’s topic: the recent Target store data breach, in which the personal data of an estimated 110 million people was exposed to hackers, raising questions about the incident, how it could affect victims, and perhaps also what other companies should do to protect their customers’ information and avoid such failures in the future.

Initially it was thought that hackers gained access to cardholder names, credit or debit card numbers, card expiration dates and CVV security codes. Later it was revealed that “guest information” such as names, mailing addresses, phone numbers, and email addresses of customers may have been accessed by the same thieves.

Is Hacking Ethical?

And if not, should/can IEEE do something?

IEEE, the world’s largest technical professional society, has a code of ethics.  This clearly states two relevant points:

Accept responsibility in making decisions consistent with the safety, health, and welfare of the public, and to disclose promptly factors that might endanger the public or the environment;

and

to avoid injuring others, their property, reputation, or employment by false or malicious action

IEEE also has an Ethics and Member Conduct Committee (EMCC) that deals with ethics violations, including (according to IEEE Bylaws I-110) expulsion, suspension, or censure. It is interesting to note that institutions (corporations, universities, government agencies) that subscribe to IEEE’s Xplore products are not subject to complaints or review by IEEE related to IEEE’s Code of Ethics — while it is not clear how a process here might proceed, it is clear that these entities benefit from access to the intellectual property curated by IEEE.

So, let’s try out some examples:

  1. A software package called “Blackshades” appears to allow hackers to spy via webcams on users as well as acquire financial information and has resulted in the arrest of both the alleged creators of that software as well as persons suspected of using it in 18 countries.  The creation or use of software like this would appear to be a violation of the IEEE Code of Ethics.  Presumably, the individuals involved, if they are IEEE members, would be subject to action by the EMCC.
    OK, that one seems pretty straightforward.
  2. The U.S. Justice Department has charged five Chinese military officers (all reportedly associated with Unit 61398 of the People’s Liberation Army) with economic espionage/theft of commercial data/secrets. If these charges have merit, and some of the accused are IEEE members, presumably they could be subject to action by the IEEE EMCC.
    Here things get tricky since this is also a politically charged situation, where IEEE could alienate the government of China and/or members in China and lose some or all memberships, subscriptions and/or rights to do business in China (conferences, etc.). This creates a conflict of interest within IEEE: applying its Code of Ethics could come at the risk of significant economic impact on the organization. (Note: while IEEE Code of Ethics actions are maintained in confidence by IEEE, that does not prevent 3rd parties such as employers or governments who become aware of the actions from responding in various ways.)
  3. So what about Stuxnet?  “I think it’s pretty clear that the United States government did the Stuxnet attack”  according to Richard Clarke, who has served as US Counterterrorism tzar under three US Presidents,  quoted in Smithsonian Magazine April 2012.  It is clear that Stuxnet damaged property, and those responsible were not acting in a way consistent with the IEEE Code of Ethics.  — unless of course you decide that ethics should be interpreted based on “whose side you are on.”

A variation on the Blackshades situation might involve a corporate entity, perhaps one subscribing to IEEE publications such as Security and Privacy magazine. If a corporation were formed to pursue activities inconsistent with IEEE’s Code of Ethics, should IEEE either have some channel for ethical review, or perhaps not accept a subscription from them? Is the answer different before they are convicted or after they are convicted?

Situations 2 and 3 raise issues at the entity level as opposed to the individual level.  They also raise conflict of interest issues at the entity level.  If a Chinese or U.S. entity appears to be using IEEE content to pursue actions inconsistent with IEEE’s Code of Ethics, should  IEEE have some action to take in response?  Does it make a difference if that entity is a major customer?  What if IEEE might lose its non-profit tax status by taking such an action?  (Presumably the U.S. Government does not take retribution against persons (including corporations) for exercising their constitutional rights … presumably.)

Does the ethics of an action depend on individual vs. entity responsibility? Does it depend on who is taking the action and who is affected by it? Or does it just come down to power: is the ethical version of “too big to fail” something like “too big to fault”?

IEEE’s first Ethics Conference will be held this week in Chicago. There does not appear to be any discussion in this particular area among the quite interesting selection of papers and panels. Ethics is becoming a more important and more challenging consideration, both for the individual professional and for IEEE as an institution.