Ethics In IT
chiefloko writes "I am presently taking a Business Ethics class while earning my MBA. For my final paper topic I have chosen 'Ethics within the Information Technology realm.' Over the past 13 years I have worked for three corporations and have seen everything from the typical BOFH to ungodly pirated software use. I also bore witness to a remote user logging in to a poorly administrated Sun station, finding out s/he was root, and then reading co-workers' emails. I am interested in what the norm is for ethics in the IT world and some of the stories and outcomes."
Whose ethics are you talking about?
The Ethics of an MBA giving IT orders, the ethics of a BOFH doing his job, the ethics of a developer?
Let's not speak of Joe Average consumer of IT as he actually has no IT Ethics, he applies his Ethical viewpoint to IT so his inclusion will only muddle up the concepts.
Each of these communities (PHB, BOFH, Developers) has their own ethical codes (or lack of). While there is a great difference between them, there are not that many differences between members of a particular caste.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Cover Your Ass. That's it, that's all.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Someone who has no understanding of ethical implications regarding IT will do things they wouldn't dream of if they understood what it meant in terms of invasion of privacy.
Alas many people who use computers regularly are in this category.
I have access to the email of almost everyone I know personally. Do I read it? Nope.
However, the reason I have access to one person's email is because they needed help stopping another person who knew their password reading every email they sent and received. In spite of my urging they have yet to change their password anew to also lock me out.
You can lead a horse to water, and if you Duct Tape a hose to its mouth, you can make it drink too.
Oh wait...
Anyone who has time to read people's email obviously isn't busy enough (and is easily amused).
http://michaelsmith.id.au
Irrespective of if it's IT related. You shouldn't do anything you wouldn't want done to yourself or is likely to hurt people. Just be a decent honest person.
I want a list of atrocities done in your name - Recoil
Anything that isn't prohibited is not only allowed, but also ethical.
How we know is more important than what we know.
Ethics on an MBA - do the marks from this module get subtracted from your overall score?
At the bottom of the
While it's not strictly related to IT, I can spend a whole week doing any number of things that are really useful in the long-term to the business from an IT perspective. Or I can do something that will make the boss happy. Like a flashy widget on the intranet or a set of graphs that prove nothing. One gets me a better bonus and the favour of all those above me. One makes me a good tech. What's the norm here? Balance I guess, depends on the job. This year I'm going to spend a lot more time on the latter. Hopefully get the bonus and pay off the mortgage - most people trade ethics for a mortgage eventually.
But here's a problem: Technology is purpose-blind. It doesn't know for what purpose you're trying to do a particular thing -- only whether you've got access to do it. However, in the real world, we frequently want to trust someone with a particular resource, but only for certain purposes.
You're allowed to drive Daddy's T-bird to the library, but not to the hamburger stand. But the ignition system doesn't know that; it just knows you put the right key in. Your sysadmin is allowed to read your email files if she thinks something's wrong with the mail server, but not just because she thinks you're cute and wants to stalk you. But the permissions bits don't know that.
You're allowed to access Scientology's Web page to read it, but not to repeatedly reload it just to put load on their server and run up their bandwidth bill. But neither your browser (or wget) nor their server necessarily understand that.
So there's an ethical problem: you frequently have access to things for only certain purposes. How are those purposes defined and agreed on? Is it possible to make authorization systems more purpose-aware? Would that even be desirable, or would it just cause problems with unexpected situations?
Suppose Daddy's T-bird only allows you to drive to the library, by shutting off the engine if you try to go somewhere else ... and Daddy has a heart attack and you need to get him to the hospital. Down that road lie DRM and other systems that decrease the value of technology by getting in the way of legitimate uses.
I think a better approach is do unto others as you think they would want done to them.
That helps avoid the "well, I'd want to be killed if I was gay" rationale...
One of the key differences between IT-related ethics and other fields like medicine or law is that there is no official body emitting guidelines and no rights and duties recognized by the law.
When a doctor is asked by an employer to give him medical information about his employees, he can point out that this would be illegal.
When a sysadmin is asked by his company to monitor users' web access, there are a lot of privacy issues that are raised but never addressed in the law. I mean, it can be part of the sysadmin job to prevent company computers from accessing porn sites but knowing which users access gay websites and which are ordering viagra online is something that should never be forwarded to upper management. He cannot prevent knowing this, but there should be something akin to medical secret regarding these data.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
http://www.thinkgeek.com/tshirts/frustrations/31fb/
If you mod this up, your slashdot background will turn into a beautiful sunset!
The Association for Computer Machinery (ACM) has a Code of Ethics. Have a look at it. It gives quite a lot of guidance concerning professional conduct in IT.
from the to-stupid-for-words dept.
And so does SAGE (for system administrators), more to the point: http://www.sage.org/ethics/ethics.html
In many business programs, students are exhorted to compete from day one. Many students take away the message that they should maximize profits (or market share or whatever they use as a metric of success) by any means necessary.
(I have worked on a number of antitrust regulatory issues, and you would be astonished at the number of e-mails that have been unearthed in which executives send each other messages to the effect, "Let's use unfair competitive practices to squash the little guy!" I'm paraphrasing, of course, but not by much.)
In IT, on the other hand, the issues pertain more to privacy and intellectual property rights. If a system administrator reads someone's e-mail, it may be for personal gain or just out of curiosity, but it's not due to any sort of overriding business objective. Competition in IT is to build the best product, not to "get" the other guy. And the ethics reflect that.
By the way, I've also worked at a company where an admin, who reported to a manager I worked beside, was reading e-mails. The manager let him know that he knew, and that if anything came of it, it would come back to bite him, but also let it slide because (1) someone has to have access, and whoever it is will probably take a peek from time to time, and (2) he was relatively discreet about it, and others may not be. Was he unethical in letting the behavior persist?
-- My choice of computing platform is a symbol of my individuality and belief in personal freedom.
Maximizing shareholder value > anything else. Seriously, ethics? I'm in the SMB consulting industry. I sign NDAs on a regular basis with consulting companies so when the consulting company violates an ethical obligation to a client I'm contractually bound not to say anything. 13 passwords all the same for 13 companies but they (not me) billed their managed services as following best practices. PPTP VPN instead of L2TP/IPSEC (a stand alone certificate server = $), no account auditing (disk space = $), no logon failure limits (disrupted users = lost $), no port security at the switch (network admin = $), etc... I've yet to run across a salesperson that didn't upsell/oversell. I think most techs realize what's ethical behavior and what's not but they get pressured into not saying anything by management and sales.
Here's a scenario that happened to me in 2006. I had a contract terminated with no reason given. 4 days before the contract was terminated I sent a memo to the CEO (I reported to him) about sending bulk email without an opt-out option and without the company's physical address. I included relevant state and federal laws regarding the issue, mainly the Can Spam Act. 3 days before the contract was terminated the CEO confronts me in front of the whole office about how they were following the law. I flatly told him I wouldn't send them or train anyone to send them until they added physical contact information and a way to opt-out. This was in front of his entire office staff. I wanted to discuss it in private and he wanted to discuss it in front of everyone. Friday, my contract got terminated, no reason given. Take a guess as to why it was terminated?
When I was a general manager, one of my policies was always to pay the small suppliers promptly, because they need it most. That's not only ethics, it is simple common sense.
It is interesting that one of the most developed business environments in the world - that little region that includes Northern Italy, Switzerland, parts of South Germany and South-East France - relies heavily on networks of trust. I have sealed the deal there more than once with no paperwork and a handshake. I suspect that the reason that "Business ethics" needs to be taught in an MBA class is because many new graduates have fantasies of the ruthless corporate world based on Hollywood and computer games, and they need to be made a little safer before they can get out and cause their companies serious damage.
The fact that some CEOs are psychopaths should not blind us to the fact that most are not.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Access are for the things that you never should be able to touch. Audit seems to be working quite well for the rest. This doesn't work quite well in the sysadmin example where he can go in and read the files directly, but it's very effective in most systems where you have to go through a regular interface. I know for example banks have used that for operators that like to peek at famous people's bank accounts. Another example that I know personally is passing through project gates - the access controls are quite loose, but of course you're supposed to go up to a review meeting and actually pass the gate. There's an audit log to tell who said they had passed the gate and when, and it's not going to be pretty if they find you're bluffing.
People don't handle temptation all that well. If you put a normally honest person in a position where he could very easily and with little risk do something wrong, he might do it. If it looks hard, he'll think long and hard before doing anything. If it requires a conspiracy, he almost certainly won't do it. So I'd say the solution isn't to try to limit everything up front, just make them fear that someone will peek them in the cards later.
Live today, because you never know what tomorrow brings
Often this is for cultural or even legal reasons: for example, in Holland it's forbidden by law in a company to check the web access logs for an employee unless there is reason to believe that employee is misusing the company resources or doing something illegal, while in the UK an employee can expect that anything done via the company network will be watched.
The main differences that affect the actions of people in a position of power in an IT environment and in an equivalent non-IT environment are:
Sorry, we do not believe in Imaginary Property here. There is nothing "ungodly" about "pirated", because pirating is not exactly the same as stealing.
In Soviet Washington the swamp drains you.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
In all the companies I have worked, there was no ethical code as such. In no department I have seen such a thing. There are the general things, like not stealing and such, but those are covered by law.
I have signed papers from the IT department that I would not do certain things on the network. Never was anything in there enforced, so it was basically a farce.
I have read other people's mailboxes (after 3, I stopped, because it is utterly boring).
Basically it comes down to; will it harm the company or not? If it does, then you can not do it and when caught you can get fired. If not, then nobody seriously cares.
Don't fight for your country, if your country does not fight for you.
One of the interesting ethics issues I have seen at most of the places I have worked is how the typical person is treated versus how the executive is treated.
The typical person calls the Help Desk, gets a level 1 person who reads scripts and then if they can't help it gets escalated. If the problem is severe they might try to remote control the computer, etc. It is also, in most places I have worked, expressly forbidden to work on home machines due to liability factors (if you destroy their data for instance, catch porn on a personal computer, etc).
However, with executives they generally have a special number or person to call, they frequently have non-standard hardware/software, have people going to their house for support, etc.
In general they can get away with abusing the system and its resources. The interesting thing here is that if you talk to a lot of people in IT they have split views on whether this is ok or not. Some think that it is an executive perk. Others think it is an abuse of system resources. Others, like myself, think it gives executives a flawed view of IT (even if the typical user is getting horrid service, the executives don't see it and do not correct the issue - because it is working perfectly for them).
I think an issue like this is not as clear cut, but I'm curious to see what other people think of the same sort of thing in their company.
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
---
That's about the ethics my teachers had when I started learning system administration 15 years ago and this is what I'm still educating people new to this about. I never met a good admin who wouldn't passionately subscribe to this.
k2r
A friend of a friend was working in IT as a Windows administrator. He was called to fix someone's computer, who then went out to lunch leaving the friend alone with the computer. He saw a mail on the computer that he found interesting, so he forwarded it to himself.
This is surely a bad thing to do, and the end of the story is that he got fired, but he probably would have got away with it apart from the mistake he made....
He managed to spell his own name wrong in his email address. So when the guy got back from lunch, there was a bounce mail waiting for him in his inbox....
Kupfernigk >>> "When I was a general manager, one of my policies was always to pay the small suppliers promptly, because they need it most."
... that doesn't help cash flow much!
Well, most companies don't hold to that.
Oft repeated rhetoric here is that a company's only purpose is to make money. You're actually depriving your shareholders of a small amount of capital by paying on time if it's possible to avoid.
I find that (as a director in a small business) we get paid late by big businesses and government organisations. They can pay late, we can't afford to sue and we need them more than they need us. We've been paid over a month late by a local council (!) for an amount equal to about 50% of our wages bill.
Inspired by Google's early ethical policy of "do no evil" ours is "be nice". We've many times checked our behaviour, and adapted it (sometimes to our financial detriment), by following this code.
From what I've seen in 25 years, the difference is simple personal commitment. I have been put under pressure to charge clients for hours I didn't work, for being 'creative' with the truth so the real facts wouldn't show (i.e. readers would be misled), for 'accidentally' overlooking problems because it would be politically convenient and for coming to a pre-determined conclusion by a biased look at the facts.
You have in each case two options: do what's right or do what is convenient. I preferred to do what is right, but you have to accept that in many cases this will be held against you by those that are more of the morally lazy persuasion (or who need their numbers to stack up).
The good news is that such a reputation also works in a positive way: you can become regarded as utterly unbiased, and as long as you don't have personality defects to go with it (I get on with almost anyone) you sometimes end up becoming an example.
In many cases the requested behaviour was contradicting ethics policies. Ethics policies are treated by most organisations as a marketing exercise, not as a code of behaviour. Given the examples of those who make a real profit I can't see this change overnight.
I've had to familiarise myself with Sarbanes Oxley (which applies only to US listed companies anyway) and that is the only piece of legislation which I am aware of which requires regular sign off of ethical conduct, and that only applies to the board I believe. Elsewhere, for IT workers, both the CISSP and CISA certifications require that a standard of ethical conduct is maintained, and a declaration of such is made by the applicant. I think ethics are only defined in this way, as a requirement for membership of specific professional organisations or for the holding of certain credentials, but these are the only ones I'm aware of. Beyond that, and this is the point, having conducted audits and reviews of a number of companies and the governance of their IT, I think this topic is universally ignored for IT staff specifically. I can not recall once seeing the discrete topic of "Ethics" enshrined within the IT policies and standards of any major company I have inspected. The best thing you can do is collect and review a number of general "End User" policies from different places and see to what degree promises to not view porn, sell secrets, access stuff you shouldn't, etc, etc, are reflected, and quantify them against the ethical requirements being taught on your MBA. IT User policies can be dredged up from the Internet ten a penny, and they should allow you to gather sufficient of them to launch an academic argument as to the provisions for ethical conduct they establish within companies or public bodies in general. The degree to which they are obeyed is impossible to measure, but you can certainly speculate on the need for regular training on ethics.
You may not agree with what I say, but you should fight to the death to allow me to say it, by modding me up.
Far too often, companies consider business ethics to == "not doing things that will get the company into trouble."
Particularly with the advent of outsourcing, those who work in IT are selling trust more than skill. That's why abuse of power by IT folks should be dealt with harshly and swiftly when detected.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Let me begin by reviewing three modalities of ethical behavior:
1) How the IT worker functions vis-a-vis their co-workers: the usual stuff--office politics, gossip, backstabbing, etc. and has been well-covered elsewhere.
2) How the "visible" IT worker functions in relation to his/her job: Email snoops, BOFHs, yeah, yeah, we get it.
3) Invisible work: Poor management doesn't understand the value of patching, refactoring, debugging, commenting--and because of this forces the worker to compromise their ethics. These operations are often invisible to the unwashed masses.
The third category is hard for management to grasp. They don't understand what it means to cross the line from "useful hack" to "pure garbage."
Code like this: ...should be considered a special type of ethics violation (there are probably better examples--but this one should suffice).
Lots of programmers make evil shortcuts or write halfass algorithms, not (always) because they're lazy or incompetent, but because they're implicitly asked to, by managers and product teams who don't understand. Where is the ethical violation in an empty 'catch' block? Could it be the result of:
A) Management who lied about the man-hours required to complete a project,
B) Product teams who didn't take the time to gather requirements properly, or
C) Decision-makers who don't consider programmer input or advice.
The programmer is often forced to make an ethical decision: what is the right thing to do when the boss says "STFU about revising your code and push it into production?" Usually the programmer will just throw whatever they have ready, knowing that they're not putting their best work forward.
Who suffers? The programmer who feels they're forced to make an evil choice, the enduser who pays for shoddy product, the next person who looks at your code, etc.
Sometimes this choice is validated based on expediency, sometimes, it does nothing but let the manager check a milestone off in their excel spreadsheet.
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
What ethics in IT is NOT: Choosing Open Source or Closed Source Software, Choosing one Hardware/Software over the other, whether the code you produce is open sourced or closed source, open Spec or Closed Spec (Although I think they should put more effort in Open Spec vs Open Source). Those are Business decisions and have no real morality issues.
What are Ethical issues:
Finding loopholes in software to avoid paying extra license fee (let's make sure that everyone logs onto this server as this name)
Knowing there has been a security breach and possibly data has gotten lost, whether to tell the company or not
Change the ways hours for projects are recorded to put more hours in one project and less in another.
Contracting consultants to replace your current work force just because they are billed from a different source and makes you look good.
Not contracting consultants when your project really needs more people or skills, or a new set of skills for the job for a project.
Changing a project from Fixed Priced to Time and material or vice versa because it just suits your needs.
Expecting Free Quotes or Specs for a new project then going to a different group to do the work.
Work with a third party reseller to get the design you need then go to the source just because they can give you a better deal.
If you have third party resellers choosing to undercut them after they have done all the relationship building and advertising for your projects.
Ethics is an issue of trust. If your actions show that you cannot be trusted then things really backfire. Any one ethic violation may not hurt anyone but a combination will generally get the company on employees' and vendors' shit lists and you will get less quality and service and value over time.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
First group arguments:
* concept of ownership in Shariah is confined to the tangible objects only
* no precedent in religious practice where an intangible object has been subjected to private ownership or to sale and purchase
* concept of "intellectual property" leads to monopoly of some individuals over knowledge, which can never be accepted by Islam
Second group arguments:
* there is no express provision in the Holy Qur'an or in the Sunnah which restricts the ownership to the tangible objects only
* there are several instances in Shariah where such intangible rights have been transferred to others for some monetary considerations
* concept of "intellectual property" does in no way restrict the scope of knowledge
Read more of it through the reference. I know there are tons of Muslims from subcontinent in IT industry and (inevitably) on
"reading co-workers' emails":
1. Sahih Bukhari is book number 2 for Muslims:
2. Less solid hadeeth (has somewhat flawed chain of narrators)
I guess second part of the second hadeeth does not apply to BOFH.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
As another student of ethics (although my course in religious ethics was extremely one-sided, I've taken intro to ethics and am currently taking an environmental ethics course), I agree completely. One of our biggest problems as a society is that we overwhelmingly tend toward dogmatism, and dogmatism is a Bad Thing no matter what side you're on because it prevents everyone involved from actually thinking or coming to rational decisions; stem cells are a great example of everybody involved simply failing to listen at all, choosing instead to call each other baby-killers or idiots respectively (and not respectfully), and both sides have done a great disservice to their cause by letting it come to that.
The key (as parent I'm sure already knows) is to ACTUALLY THINK ABOUT IT. On virtually every issue, two moral, ethical individuals can come to well reasoned and ethically defensible positions which are completely opposed to one another, and neither of them actually has to be wrong; but if they are both honest, then they could have a serious and possibly even productive discussion about what can be done to make both of them happy. A symptom of our culture of dogmatism is that the word "compromise" has become a synonym for "selling out" or "giving up", and that politicians and activists receive criticism if they actually do it.
Try not to take me more seriously than I take myself.
The worst thing I ever did as a sysadmin: a coworker of mine attempted to apply for a job somewhere else, and accidentally sent the cover letter & resume to our boss. At her request, I deleted that message from his inbox before he'd had the chance to read it.
I know that this is pretty small potatoes, but it still bugs me.
Here is an example from my dad. He was an engineer at a manufacturing plant in the 70's that decided they needed to go to CAD. He was given the project. He started working with DEC and they quoted XXX,XXX.00 as the price for a great system. He took that back to his bosses and they agreed. He goes back to DEC and the salesman starts mentioning things like, "Would you like an OS with that? It will cost XX,XXX.00 more." and "Would you like the special power cord? It will cost an extra XXX.00" They kept this up until the price was now one and a half times the original quote. Dad was getting embarrassed at going back to his bosses over and over asking for more money and finally got mad and started threatening to kill the deal. At this point the salesman mentions that it includes a Rainbow computer (their version of a PC and rather pricey at that) that wouldn't show up on the invoice and could be shipped to any address. That was about the point where Dad exploded.
Crazy thing is he loved DEC computers and still does. He wistfully talks about their ability to multi-task and better file system.
Years later I was caught in an ethical bind and asked him what to do. "You can do the easy thing or you can do the right thing. Doing the right thing might be bad for you in the short term, but you will be able to look back later and feel good about yourself instead of feeling slimy every time you're reminded about it."
I took a business ethics class taught by a retired corporate head of human resources. He gave a good explanation of why this is taught in some business schools. "If you think about this now when you have no pressure on you, you stand a much better chance of making the best decision when under pressure and you have to make a snap decision. Don't kid yourself and think these things won't happen to you. They will, and most of the time you will have no time to do any soul searching."
Is he strong? Listen bud, He's got radioactive blood.
"There's no such thing as business ethics. There are only ethics, you either have them or you don't."
I have worked in every aspect of IT from phone support to network security for some of the biggest companies in central Texas and have to say there is a fine line between ethics and doing whatever it takes to get the job done. I have witnessed business managers who tell you to load software with no license to get people productive now then worry about the paperwork later, often not at all. I have also seen IT managers that use the IT department as their own little playhouse for personal gain. I recently had the opportunity to see an ethical explosion first hand when a disgruntled employee tried to bring "piracy and misuse of company assets for personal gain" to the attention of management, who then buried it; they don't care, they don't want to know, they just want things to work. I guess ultimately as in any other profession you have the good with the bad. I do miss the good ol days though!!
And in the business world, the "fittest" is often whomever is most willing to do whatever it takes, and stop over whomever they can, to achieve the goal.
I spent a year of straight "heads down" time, doing network administration, database administration (we use Access 2000, but it's exposure nonetheless), writing a backup tool (and porting it 3 times "...it's only temporary, you know." - yeah, right), and learning RHEL during the day. At night I was writing a win32 application, bash scripts, C/C++ code, Java, playing with advanced routing, samba, and kernels in Slackware Linux, and constantly digging in to technical documentation and CS theory. The time has paid off tenfold. The difference between myself and my peers without 'hands-on' experience is simply astounding!
I didn't realize until I took graduate level administration and programming classes last semester and this semester and I breezed through them without cracking a book. My code is cleaner, better documented, and formatted better than when I was taking AP C++ in high school. I look at applications (regardless of platform - I'm running 3 flavors of Linux, a Mac and a Windows box at home, a RHEL box at work, and work on a Solaris box at school) in a completely different way than ever before. I don't see an application any more, but rather layers of abstraction connected via interfaces.
Once I realized that everything is a connecting interface from the backend to the frontend (protocols, devices, GUIs, etc., everything), I found I could do incredibly complex things in both programming and administration - it's just about getting the right interfaces on the right layers. It was a moment of revelation that compares to when I found out in *nix, everything is a file. The light went on! I also found out that C/C++ is almost a completely different language on each platform. GNU, win32, xcode might as well be 3 separate languages. Good documentation is worth its weight in gold. Version control is How It Should Be. And, every bit of knowledge is a tool in your toolbox; the more tools at your disposal, the more elegant your solution and the less forehead dents in your desk. Finally, if your interface layers are concise all the way up, everything falls in to place all the way up to the GUI and troubleshooting and bug fixing become single line fixes instead of full function kludges. That being said, I still write a lot of crap code... but at least I know when I'm doing it now.
Sorry for that rant, but I really had to comment on what the job has taught me.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.