9-1 Chapter 9 Information Systems Ethics and Computer Crime Robert Riordan, Carleton University.

9-1

Chapter 9

Information Systems

Ethics andComputer

Crime

www.pearsoned.ca/jessup

Robert Riordan, Carleton University

9-2Information Systems Today, 2/C/e ©2008 Pearson Education Canada

Learning Objectives

1. Analyze the ethical, social, and political issues that are raised by information systems

2. Discuss the ethical concerns associated with information privacy, accuracy, property, and accessibility

3. Identify the main moral dimensions of an information society and specific principles for conduct that can be used to guide ethical decisions


Learning Objectives

4. Define computer crime, and list several types of computer crime

5. Contrast what is meant by the term “computer virus,” “worm,” Trojan Horse,” and “logic or time bomb”

6. Describe and explain the differences between cyberwar and cyberterrorism


• In the past, so-called “white collar” crimes were treated with a slap on the wrist and fines to restore any damage done

• Industrial societies have become much less tolerant of financial, accounting, and computer crimes

• Managers and employees must make judgments about what constitutes legal and ethical conduct

Understanding Ethical and Social Issues Related to Systems


Ethics:• Principles of right and wrong• Assumes individuals are acting as free moral

agents to make choices to guide their behavior

• Have been given new urgency by the use of the Internet, electronic commerce, and digital technologies



A model for thinking about ethical, social, and political issues

• Illustrates the dynamics connecting ethical, social, and political issues

• Identifies the moral dimensions of the information society, across individual, social, and political levels of action



Five moral dimensions of the information age• Information rights and obligations• Property rights and obligations• Accountability and control• System quality• Quality of life




The relationship between ethical, social, and political issues in an information society


Key technology trends that raise ethical issues

• Computing power doubles every 18 months– More organizations depend on computer

systems for critical operations• Rapidly declining data storage costs

– Organizations can easily maintain detailed databases on individuals



Key technology trends that raise ethical issues (continued)

• Data analysis advances– Companies can analyze vast quantities of

data gathered on individuals to develop detailed profiles of individual behaviour

• Networking advances and the Internet– Easier to copy data from one location to

another and to access personal data from remote locations



Basic concepts: Responsibility, Accountability, and Liability

• Responsibility: Accepting the potential costs, duties, and obligations for decisions

• Accountability: Mechanisms for identifying responsible parties

• Liability: Permits individuals (and firms) to recover damages done to them

• Due process: Laws are well known and understood, with an ability to appeal to higher authorities

Ethics in an Information Society


Ethical Analysis

• Identify and describe the facts• Define the conflict or dilemma, the values

involved• Identify the stakeholders• Identify the options• Identify the consequences



Professional Codes of Conduct • Promises by professions to regulate

themselves in the general interest of society• Promulgated by associations such as the

Canadian Medical Association (CMA), the Canadian Bar Association (CBA), and the Association of Information Technology Professionals (AITP)



Some Real-World IT Ethical Dilemmas • Using systems to increase efficiency, causing

layoffs and personal hardships• Monitoring employee use of the Internet at

work to increase productivity, decreasing employee privacy



Information Privacy and Issues

Information PrivacyWhat information an individual must reveal to others in the course of gaining employment or shopping online

Information PrivacyWhat information an individual must reveal to others in the course of gaining employment or shopping online

Identify Theft

The stealing of another person’s private information (SIN, credit card numbers, etc.) for the purpose of using it to gain credit, borrow money, buy merchandise, or otherwise run up debt that are never paid. This is especially problematic because it:

• is invisible to the victim, they don’t know it is happening

• is very difficult to correct…credit agencies are involved

• can cause unrecoverable losses and legal costs


Information Rights: Privacy and Freedom in the Internet Age

• Privacy: Claim of individuals to be left alone, free from surveillance or interference from other individuals, organizations, or the state. • Personal Information Protection and Electronic

Documents Act (PIPEDA) establishes principles for collection, use, and disclosure of personal information

• Provinces have parallel legislation• Only Quebec has legislation governing private sector

The Moral Dimensions of Information Systems


Information Property - PIPEDA

Personal Information Protection and Electronic Documents Act (PIPEDA)

The law gives individuals the right to• know why an organization collects, uses or discloses their personal

information; • expect an organization to collect, use or disclose their personal

information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;

• know who in the organization is responsible for protecting their personal information;

• expect an organization to protect their personal information by taking appropriate security measures;

• expect the personal information an organization holds about them to be accurate, complete and up-to-date;

• obtain access to their personal information and ask for corrections if necessary; and

• complain about how an organization handles their personal information if they feel their privacy rights have not been respected.


Information Property - PIPEDA

Personal Information Protection and Electronic Documents Act (PIPEDA)

The law requires organizations to:•obtain consent when they collect, use or disclose their personal information; •supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction; •collect information by fair and lawful means; and •have personal information policies that are clear, understandable and

readily available.


Internet Challenges to Privacy (continued):

Cookies: • Tiny files deposited on a hard drive• Used to identify the visitor and track visits to

the Web site • May or may not be used to gather personal

private information• In some cases, only a visitors customer

number is maintained, not any personal information. In other cases, personal information can be gathered



How cookies identify Web visitors




Web bugs: • Tiny graphic files embedded in e-mail

messages and Web pages• Designed to monitor online Internet user

behaviour• When a user views the e-mail or the page, a

message is sent to a without the knowledge of the user

• In the case of e-mail, the user’s e-mail address is known to the server




Spyware:• Software downloaded onto a user’s computer

– usually without the user’s knowledge – that tracks Web behaviour and reports that behaviour to a third-party server

• Spyware is also used to call for ads from third-party servers, or to divert customers from one site to a preferred site



Two Models of Providing Web Privacy: Opt-out versus opt-in model of informed consent

• An opt-out model of informed consent permits the collection of personal information until the consumer specifically requests that the data not be collected. The default is to assume consent is given..



Two Models of Providing Web Privacy: Opt-out versus opt-in model of informed consent

• An opt-in model of informed consent prohibits an organization from collecting any personal information unless the users specifically requests to allow such use by clicking a box. The default is to assume consent is not given



The TRUSTe seal of approval



Information Rights (continued)

Technical Solutions:• Platform for Privacy Preferences (P3P)

• Enables automatic communication of privacy policies between an e-commerce site and its visitors

• Privacy policy can become part of the page’s software



The P3P standard



Information Property – Example of a Privacy Statement



Ethical Issues• Under what conditions should the privacy of

others be invaded? • What legitimates intruding into others’ lives

through unobtrusive surveillance, through market research, or by whatever means?

• Do we have to inform people that we are eavesdropping?

• Do we have to inform people that we are using credit history information for employment screening purposes?



Social Issues• In what areas of life should we as a society

encourage people to think they are in private territory as opposed to public territory?

• Should expectations of privacy be extended to criminal conspirators?



Political Issues• Should we permit the RCMP or CSIS to

monitor email at will to apprehend suspected criminals and terrorists?

• To what extent should e-commerce sites and other businesses be allowed to maintain personal data about individuals?



Property Rights: Intellectual PropertyIntellectual property: Intangible property of any

kind created by individuals or corporations

Three main ways that intellectual property is protected:

1. Trade secret2. Copyright3. Patents



Property Rights: Intellectual PropertyTrade secret: Intellectual work or product

belonging to business, not in the public domain

Supreme Court test for breach of confidence:1. information conveyed must be confidential2. information must have been communicated in

confidence3. information must have been misused by the

party to whom it was communicated



Property Rights: Intellectual PropertyCopyright: Statutory grant protecting intellectual

property from being copied for at least 50 years

Canadian copyright law protects original literary, musical, artistic, and dramatic works. It also includes software, and prohibits copying of entire programs or their parts.



Property Rights: Intellectual PropertyPatents: A grant to the creator of an invention

granting the owner an exclusive monopoly on the ideas behind an invention for between 17 and 20 years

Patent law grants a monopoly on underlying concepts and ideas of software.

Originality, novelty, and invention are key concepts



Challenges to Intellectual Property Rights• Perfect digital copies cost almost nothing• Sharing of digital content over the Internet costs

almost nothing• Sites, software, and services for file trading are

not easily regulated. • The construction of web pages poses problems:

a web page may present data from many sources, and incorporate framing



Who owns the pieces? Anatomy of a Web page



Accountability, Liability, and Control• Computer-related liability problems

• Bank of America system failure caused cheques to bounce, etc.

• Sprint Canada’s system failure caused disruption in trading on Vancouver Venture Exchange

• Raise issues of liability legislation for software and systems



System Quality: Data Quality and System Errors

• No software program is perfect, errors will be made, even if the errors have a low probability of occurring

• Software manufacturers knowingly ship “buggy” products

• At what point should software “be shipped?” What kind of disclaimer statements might be appropriate?



Quality of Life: Equity, Access, and Boundaries• Balancing Power: Centre versus Periphery

• Is IT centralizing decision-making power in the hands of a few, or is it allowing many more people to participate in decisions that affect their lives?

• Rapidity of Change: Reduced Response Time to Competition• The business you work for may not be able to

respond to rapidly changing IT-enabled market places and be wiped-out, along with your job.



Quality of Life: Equity, Access, and Boundaries• Maintaining Boundaries: Family, Work, and

Leisure• “Do anything anywhere” environment blurs

the boundaries between work, vacation, and family time

• Dependence and Vulnerability

• There are few regulatory standards to protect us from the failure of complex electrical, communications, and computer networks upon which we all depend



Quality of Life: Equity, Access, and Boundaries

• Computer crime: Commission of illegal acts through the use of a computer or against a computer system is on the increase.

• Computer abuse: Unethical but not necessarily illegal acts. Spam is computer abuse.



Spam filtering software




Employment Trickle-down Technology and Reengineering:

• The rapid development of the Internet has made it possible to offshore hundreds of thousands of jobs from high-wage countries to low- wage countries. Reengineering existing jobs using IT also results in few jobs (generally). While this benefits low-wage countries enormously, the costs are paid by high-wage country workers




Equity and access: Increasing Racial and Social Class Divisions

– Digital divides exist in ethnic, social, and wealth groups

Health Risks:

RSI: Repetitive Stress Injury

– Muscle groups are forced through repetitive actions with high-impact loads or thousands of repetitions with low-impact loads




Health Risks (continued):

CVS: Computer Vision Syndrome

– Eyestrain related to computer display use

Technostress

– Stress induced by computer use




Management Opportunities


Management Opportunities:• Managers have the opportunity to use

information technology to create an ethical business and social environment.

• This does not mean management actions will always please all stakeholders, but at least management actions should take into account the ethical dimensions of IT-related decisions

Management Opportunities, Challenges, and Solutions


Management Challenges:• Understanding the moral risks of new technology • Establishing corporate ethics policies that

include information systems issues



Solution Guidelines:

Managers should strive to develop an IS-specific set of ethical standards for each of the following moral dimensions:

• Information rights and obligations• Property rights and obligations• System quality• Quality of life • Accountability and control



Responsible Computer Use

The Computer Ethics Institute developed these guidelines for ethical computer use that prohibit the following behaviors:

• Using a computer to harm others• Interfering with other people’s computer work• Snooping in other people’s files• Using a computer to steal• Using a computer to bear false witness• Copying or using proprietary software without paying for it• Using other people’s computer resources without

authorization or compensation• Appropriating other people’s intellectual output

The Computer Ethics Institute developed these guidelines for ethical computer use that prohibit the following behaviors:

• Using a computer to harm others• Interfering with other people’s computer work• Snooping in other people’s files• Using a computer to steal• Using a computer to bear false witness• Copying or using proprietary software without paying for it• Using other people’s computer resources without

authorization or compensation• Appropriating other people’s intellectual output

GuidelinesIn area of ethics, we rely on guidelines to guide behaviour. These guidelines can come from many organizations

GuidelinesIn area of ethics, we rely on guidelines to guide behaviour. These guidelines can come from many organizations


Responsible Computer Use

The guidelines from the Computer Ethics Institute also recommend the following when creating programs or using computers:

• Thinking about the social consequences of programs you write and systems you design (e.g Napster, or a piece of Spyware)

• Using computers in ways that show consideration and respect for others (e.g. proliferation of viruses, instant messaging, etc.)

The guidelines from the Computer Ethics Institute also recommend the following when creating programs or using computers:

• Thinking about the social consequences of programs you write and systems you design (e.g Napster, or a piece of Spyware)

• Using computers in ways that show consideration and respect for others (e.g. proliferation of viruses, instant messaging, etc.)


Computer Crimes

Computer CrimeThe act of using a computer to commit an illegal act. The broad definition of computer crime can include the following:

• Targeting a computer while committing an offense (e.g gaining entry to a computer system in order to cause damage to the computer or the data it contains)

• Using a computer to commit and offense (e.g. stealing credit card numbers from a company database)

• Using computers to support criminal activity(e.g. drug dealer using computers to store records of illegal transactions)

Computer CrimeThe act of using a computer to commit an illegal act. The broad definition of computer crime can include the following:

• Targeting a computer while committing an offense (e.g gaining entry to a computer system in order to cause damage to the computer or the data it contains)

• Using a computer to commit and offense (e.g. stealing credit card numbers from a company database)

• Using computers to support criminal activity(e.g. drug dealer using computers to store records of illegal transactions)


Computer Crimes and the Impact on Organizations


Computer Crime – Unauthorized Access

Unauthorized AccessA person gaining entry to a computer system for which they have no authority to use such access

THIS IS A COMPUTER CRIME!

Unauthorized AccessA person gaining entry to a computer system for which they have no authority to use such access

THIS IS A COMPUTER CRIME!


Computer Crime – Unauthorized Access Trends


Computer Crimes – Who Commits Them?

Unauthorized Access1998 Survey of

1600 companies by PricewaterhouseCoopers

82% come from inside the

organization(employees)


Computer Crimes – Who Commits Them?

Unauthorized AccessSurvey by

Computer Security Institute

Unauthorized AccessSurvey by

Computer Security Institute


Computer Crime – Various Types 1st Half


Computer Crime – Various Types 2nd Half


Computer Crimes - Hacking and Cracking

HackersA term to describe unauthorized access to computers based entirely on a curiosity to learn as much as possible about computers. It was originally used to describe MIT students in the 1960s that gained access to mainframes. It was later used universally used for gaining unauthorized access for any reason

HackersA term to describe unauthorized access to computers based entirely on a curiosity to learn as much as possible about computers. It was originally used to describe MIT students in the 1960s that gained access to mainframes. It was later used universally used for gaining unauthorized access for any reason

CrackersA term to describe those who break into computer systems with the intention of doing damage or committing crimes. This term was created because of protests by true hackers

CrackersA term to describe those who break into computer systems with the intention of doing damage or committing crimes. This term was created because of protests by true hackers


Computer Crimes – Cracker (Humorous)


Computer Crime – Software Piracy

Software PiracyThis practice of buying one copy and making multiple copies for personal and commercial use, or for resale is illegal in most countries while others offer weak or nonexistent protections. This has become and international problem as shown below


Destructive Code that Replicates

Viruses These programs disrupt the normal function of a computer system through harmless pranks or by destroying files on the infected computer. They come in several types:

• Boot Sector – attaches to the section of a hard disk or floppy disk that boots a computer.

• File Infector – attach themselves to certain file types such as .doc, .exe, etc.

• Combination – viruses can change types between boot sector and file infector to fool antivirus programs

• Attachment – released from an e-mail when an attachment is launched. Can also send themselves your address book

Viruses These programs disrupt the normal function of a computer system through harmless pranks or by destroying files on the infected computer. They come in several types:

• Boot Sector – attaches to the section of a hard disk or floppy disk that boots a computer.

• File Infector – attach themselves to certain file types such as .doc, .exe, etc.

• Combination – viruses can change types between boot sector and file infector to fool antivirus programs

• Attachment – released from an e-mail when an attachment is launched. Can also send themselves your address book

Worms This destructive code also replicates and spreads through networked computers but does damage by clogging up memory to slow the computer versus destroying files

Worms This destructive code also replicates and spreads through networked computers but does damage by clogging up memory to slow the computer versus destroying files


Computer Crimes – Destructive Code


Destructive Code that Doesn’t Replicates

Trojan HorsesThese programs do not replicate but can do damage as they run hidden programs on the infected computer that appears to be running normally (i.e. a game program that creates an account on the unsuspecting user’s computer for unauthorized access)

Trojan HorsesThese programs do not replicate but can do damage as they run hidden programs on the infected computer that appears to be running normally (i.e. a game program that creates an account on the unsuspecting user’s computer for unauthorized access)

Logic or Time BombsA variation of a Trojan Horse that also do not replicate and are hidden but are designed to lie in wait for a triggering operation. (i.e. a disgruntled employee that sets a program to go off after they leave the company)

• Time Bombs – are set off by dates (e.g. a birthday)

• Logic Bombs – are set off by certain operations (e.g. a certain password)

Logic or Time BombsA variation of a Trojan Horse that also do not replicate and are hidden but are designed to lie in wait for a triggering operation. (i.e. a disgruntled employee that sets a program to go off after they leave the company)

• Time Bombs – are set off by dates (e.g. a birthday)

• Logic Bombs – are set off by certain operations (e.g. a certain password)


Cyberwar and Cyberterrorism

Cyberwar

An organized attempt by a country’s military to disrupt or destroy the information and communications systems of another country. Common targets include:

• Command and control systems

• Intelligence collection and distribution systems

• Information processing and distribution systems

• Tactical communication systems

• Troop and weapon positioning systems

• Friend-or-Foe identification systems

• Smart weapons systems

Cyberwar

An organized attempt by a country’s military to disrupt or destroy the information and communications systems of another country. Common targets include:

• Command and control systems

• Intelligence collection and distribution systems

• Information processing and distribution systems

• Tactical communication systems

• Troop and weapon positioning systems

• Friend-or-Foe identification systems

• Smart weapons systems



A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack):

• an attempt to make a computer resource unavailable to its intended users.

• motives for, and targets of a DoS attack may vary• generally consists of the concerted efforts of a

person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

• perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack):

• an attempt to make a computer resource unavailable to its intended users.

• motives for, and targets of a DoS attack may vary• generally consists of the concerted efforts of a

person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

• perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.



Cyberterrorism

The use of computer and networking technologies against persons or property to intimidate or coerce governments, civilians, or any segment of society in order to attain political, religious, or ideological goals

Cyberterrorism

The use of computer and networking technologies against persons or property to intimidate or coerce governments, civilians, or any segment of society in order to attain political, religious, or ideological goals

Responses to the ThreatAt greatest risk are those that depend highly on computers and networking infrastructure (i.e. governments, utilities, transportation providers, etc.) Responses include:

• Improved intelligence gathering techniques

• Improved cross-government cooperation

• Providing incentives for industry security investment

Responses to the ThreatAt greatest risk are those that depend highly on computers and networking infrastructure (i.e. governments, utilities, transportation providers, etc.) Responses include:

• Improved intelligence gathering techniques

• Improved cross-government cooperation

• Providing incentives for industry security investment

9-1 Chapter 9 Information Systems Ethics and Computer Crime Robert Riordan, Carleton University.

Documents

Transcript of 9-1 Chapter 9 Information Systems Ethics and Computer Crime Robert Riordan, Carleton University.