Ethics In IT

chiefloko writes "I am presently taking a Business Ethics class while earning my MBA. For my final paper topic I have chosen 'Ethics within the Information Technology realm.' Over the past 13 years I have worked for three corporations and have seen everything from the typical BOFH to ungodly pirated software use. I also bore witness to a remote user logging in to a poorly administrated Sun station, finding out s/he was root, and then reading co-workers' emails. I am interested in what the norm is for ethics in the IT world and some of the stories and outcomes."

You need to clarify your question

[arivanov]

Whose ehics are you talking about?

The Ethics of an MBA giving IT orders, the ethics of a BOFH doing his job, the ethics of a developer?

Let's not speak of Joe Average consumer of IT as he actually has no IT Ethics, he applies his Ethical viewpoint to IT so his inclusion will only muddle up the concepts.

Each of these communities (PHB, BOFH, Developers) has their own ethical codes (or lack of). While there is a great difference between them, there are not that many differences between members of a particular caste.

Re:You need to clarify your question

[MindKata]

You also have to add in the ethics of other departments within a company. I've found often to my surprise, the ethics of sales people & marketing people are at times very different from that of programmers and other workers in a company.

Many sales people are not scientifically minded people. I'm a programmer and I worked in one company where the programmers were on one side of a desk divider and the other side had the sales people. We were killing ourselves laughing at then kinds of statements sale people were making about the products we were creating!. Often it wasn't based on fact at all. Ignorance or ethics? ... call it what you will, but to a sales person, its also part of the game they play.

They talk with complete conviction on a subject and it sounds like they know what they are saying (to anyone who doesn't know the subject), but with programmers I've found we often add disclaimers, because we see there are gaps in our knowledge and gaps in areas where we want to carry out more tests etc... Sales people's eyes often glaze over and they loose interest after telling them details for more than a few seconds. They don't what to know the details. They want to push a certain version of the truth (to me that's not truth at all and its ethically wrong, yet to sales people, its part of their way of communicating).

Also the ethics of high up bosses are often even worse than sales people. But they often do have one personality trait that helps them deal with sales people, as bosses I have found are often very distrustful people, even though on the surface they give a good image of confidence, deep down they show their insecurity and distrust of others. (Many even have recognisable personality disorders like NPD). They approach dealing with others, in a very different way to e.g. how programmers would work together.

The whole subject of ethics especially in big business like IT is very subjective depending on what people you ask.

Re:You need to clarify your question

[pdwalker]

That's sociopaths, not psychopaths.

Think of it as the difference between a politician and a serial killer.

Re:You need to clarify your question

[lorenzino]

Think of it as the difference between a politician and a serial killer. Sorry, what difference again ?

Re:You need to clarify your question

[mux2000]

You didn't read your own links, did you? From your Wikipedia link:

Psychopathy is a psychological construct describing immoral and antisocial behavior.[1] The term is often used interchangeably with sociopathy[2].

Actually, the difference between a politician and a serial killer is the amplitude of the mental disorder, not its type. Politicians obviously have it much harder.

Re:You need to clarify your question

[MindKata]

Yes unfortunately there are many high up bosses who go beyond even NPD. (Its an interesting sliding scale, as even NPD's lack a great deal of empathy. The higher up in this form of disorder, the more they lack empathy ... but often the more they perfect their image of being a good confident even moral person ... this suppression of empathy towards others is ironically why we have a world with such extreme behaviours ... even terrorists fit high up on this scale, as their self-righteousness blinds them from the horror of their actions. Scary world we live in thanks to these kinds of people. Thankfully most people in the world are not like them).

The whole subject of ethics in IT needs to be considered in a wider context with the ethics/morality of the other staff that make up the companies. Also even the whole of society and even at a given time in history affect interpretations of ethics. Each aspect of the context, can vary the interpretation.

The irony is most employees are far more trusting people than bosses or sales people. If we were more distrusting, we would seek out and learn to spot more examples of the gaps in what the bosses say, compared with what they do, and therefore be less easy to be exploited by some bosses. Its why some people are not called "business minded". What some bosses are actually describing as business minded, is a behaviour that is at times so twisted and lacking empathy, that I don't want to be like them. But I want to be successful in business, so it helps to learn to understand their behaviours, because once you learn to see these personality types, it gives a way of predicting their behaviours. Once you learn to see these personality types, its actually far easier to deal with them.

Ethics in big business like IT is a fascinating subject, as even their way of interpreting the law is at times different from most people. To most people (I hope!) the law is an uncrossable line. A solid boundary of ethical and moral behaviour. But to big business, I have been shocked at times at how the law is treated at times more like for example, the rules in Formula 1 racing cars, where they can twist and exploit the definitions of the law to suit themselves and how the government plays the same games back at them. For example government will say something like, "if you big company A do that now, to get around this law, then next time around, when we alter the wording of the laws, we will make it tighter still on you and all companies like you, so don't get around this law now". Its all political power biasing. The law at that level, isn't an absolute line, the way most of us interpret it. That kind of thinking in big business, I find, really puts the ethical worries of programmers into perspective.

Re:You need to clarify your question

[clickclickdrone]

Interesting stuff. What doesn't help is that by and large, we, as a society, reward the kind of errant behaviour you describe whilst wringing our hands and muttering about how unpalatable it is. As a species we're our own worst enemy in many respects.

Re:You need to clarify your question

[apt142]

. But to big business, I have been shocked at times at how the law is treated at times more like for example, the rules in Formula 1 racing cars, where they can twist and exploit the definitions of the law to suit themselves and how the government plays the same games back at them.

I think the reason that big business tends to view laws as more flexible than the average person does is because of the penalty of those laws on big business in relation to the rewards.

For example:

If I as an individual, go out and set fire to somebody's car, I'm likely to spend a good deal of time in jail. I would possibly lose years off of my life and get a criminal record that would hurt the ability to provide for myself in the future. Knowing that trade off would deter me.

If a big businesses made a car that burst into flames then their likely punishment will all be in dollars and cents. So, any deterrent to them would be to not lose money. But sometimes, it's more profitable to make an unsafe car than it is to make a safe one. If that causes a violation of the law for them, then so be it. Even after the punishment is dealt out, they can come out better than before. As long as they can avoid the public action and boycotting that happened to Firestone, then there really isn't any punishment.

I think there needs to be a better punishment system for big business. Perhaps prosecution of CEO's, or forced closing (short term or permanent), maybe a fine to the shareholders.... I don't know.

Re:You need to clarify your question

[Tony+Hoyle]

That's where we go wrong (it appears to be a very US centric view also - I've never heard that from a european company & I've spoken to more than a few over the years).

A company is part of the social fabric.. it doesn't stand alone. It provides employment, which gives its employees a certain standard of living. It also generates wealth that improves the economy. The employees use their pay to give money to other companies, thus helping them also.

If a company mistreats its employees it breaks part of that. It may make more profit, but at a cost to the rest of society. That's why most countries have strict employment laws.

Re:You need to clarify your question

[Anonymous+Brave+Guy]

To most people (I hope!) the law is an uncrossable line. A solid boundary of ethical and moral behaviour.

Confusing ethics and the law is a dangerous thing in itself.

To put things very simplistically, ethics is theory and the law is practice. Ideally, someone living a good, honest life according to fair, ethical principles would always find their behaviour falls within the law, but sometimes a bad law comes into conflict with those ethics. Whether someone chooses to obey the letter of the law or to follow their own ethics at that point says a lot about them.

To give a concrete, IT-related example that is relevant in my country today: the UK government is currently planning to introduce identity cards and the National Identity Register database. I know that some surveys in the past have found a majority of the sample population in favour of these measures. I also believe that introducing these measures is not in the interests of the people, and that the government policy would not be so widely supported if people understood the implications for access to personal information, security, reliability, and the like. I know that I am far from alone in these beliefs, because there are campaign groups with many thousands of people supporting them who express the same concerns. However, the law has already been passed to make these measures possible, though it was passed by a government for which only a small minority of the people actually voted; substantially more people voted for parties that oppose the scheme. So, when the government attempts to roll the ID cards and database out to the population, should I be a good little citizen and accept my fate, or should I join the radical law-breakers promising civil disobedience by refusing to participate? Are those who choose to follow their beliefs to the point of breaking a law they believe to be unjust really unethical, or are those who accept without challenge a dangerous law passed by an unrepresentative government the unethical ones?

Re:You need to clarify your question

[EnglishSteve]

This is why I now refuse to do work for public companies (I am self-employed). Once a company becomes a public entity, all motives except the profit motive go by the wayside. Employees and suppliers become numbers on a balance sheet.

Private companies, on the other hand, are free to have other motives in addition to profit such as providing employment etc. In my experience, private companies are much more likely to actually give a shit about their employees and suppliers. Of course there are private companies out there that are purely profit motivated, but it's not all of them.

Re:You need to clarify your question

[dpilot]

Once upon a time, the CEO of a very successful company had a simple 3-step recipe:

1: Take care of your customers.
2: Take care of your employees.
3: PROFIT!!

Actually, Step 3 was really, "The profits will take care of themselves." But it's worth noting that this was Step 3, not Step 4 with some sort of "???" for Step 3. It was also a long-term attitude, in that you were building the foundations of long-term success, and perhaps sacrificing higher short-term profits in exchange for that long term.

This too, has passed.
But then again, that company isn't now considered as successful as it was when it was run by those 3 steps.

IMHO, the "maximize profits" attitude in US corporations is a fundamental problem. Let's phrase it this way... You want to buy a car, and you have to choose between Car Company A and Car Company B.

Car Company A's guiding principles are to "maximize profits" and "maximize shareholder return", and they happen to make cars.

Car Company B's guiding principles are to make the best cars that they can, and so far by selling those cars at a competitive price they have remained profitable and in business.

Who would you want to buy your car from?

ethics require education

[rucs_hack]

Someone who has no understanding of ethical implications regrading IT will do things they wouldn't dream of if they understood what it meant in terms of invasion of privacy..

Alas many people who use computers regularly are in this category.

I have access to the email of almost everyone I know presonally. Do I read it? Nope.

However, the reason I have access to one persons email is because they needed help stopping another person who knew their password reading every email they sent and received. In spite of my urging they have yet to change their password anew to also lock me out.

You can lead a horse to water, and if you Duct Tape a hose to its mouth, you can make it drink too.

Oh wait...

Ethics is eithics

[clickclickdrone]

Irrespective of if it's IT related. You shouldn't do anything you wouldn't want done to yourself or is likely to hurt people. Just be a decent honest person.

Unix syndrome

[QuantumG]

Anything that isn't prohibited is not only allowed, but also ethical.

Re:Unix syndrome

[value_added]

Anything that isn't prohibited is not only allowed, but also ethical.

There may be some truth in that, but I don't see how that applies to interpersonal behaviour. My own preference is to defer to what my grandmother taught me: ethics is insisting on doing what's right even when no one is looking.

She also taught me to the principle of keeping things simple, both from a moral perspective and practical one. I never asked, but I'm sure she preferred vi to emacs.

Ethics on an MBA?

[edittard]

Ethics on an MBA - do the marks from this module get subtracted from your overall score?

Do something useful or something popular

[JohnnyKlunk]

While it's not strictly related to IT, I can spend a whole week doing any number of things that are really useful in the long-term to the business from an IT perspective. Or I can do something that will make the boss happy. Like a flashy widget on the intranet or a set of graphs that prove nothing. One gets me a better bonus and the favour of all those above me. One makes me a good tech. What's the norm here? Balance I guess, depends on the job. This year I'm going to spend a lot more time on the latter. Hopefully get the bonus and pay off the mortgage - most people trade ethics for a mortgage eventually.

Trust simulation and purpose-blindness

[Frater+219]

The point of authorization systems (like user permissions on a Unix system) is to simulate and thereby enforce the trust relationships that people have with regards to data. You aren't allowed to read my email, so you don't have read access. You're allowed to use a certain amount of disk space, so there's a quota.

But here's a problem: Technology is purpose-blind. It doesn't know for what purpose you're trying to do a particular thing -- only whether you've got access to do it. However, in the real world, we frequently want to trust someone with a particular resource, but only for certain purposes.

You're allowed to drive Daddy's T-bird to the library, but not to the hamburger stand. But the ignition system doesn't know that; it just knows you put the right key in. Your sysadmin is allowed to read your email files if she thinks something's wrong with the mail server, but not just because she thinks you're cute and wants to stalk you. But the permissions bits don't know that.

You're allowed to access Scientology's Web page to read it, but not to repeatedly reload it just to put load on their server and run up their bandwidth bill. But neither your browser (or wget) nor their server necessarily understand that.

So there's an ethical problem: you frequently have access to things for only certain purposes. How are those purposes defined and agreed on? Is it possible to make authorization systems more purpose-aware? Would that even be desirable, or would it just cause problems with unexpected situations?

Suppose Daddy's T-bird only allows you to drive to the library, by shutting off the engine if you try to go somewhere else ... and Daddy has a heart attack and you need to get him to the hospital. Down that road lie DRM and other systems that decrease the value of technology by getting in the way of legitimate uses.

do unto others?

[wall0159]

I think a better approach is do unto others as you think they would want done to them

That helps avoid the "well, I'd want to be killed if I was gay" rationale...

The difference between IT and other professions

[Yvanhoe]

One of the key difference between IT-related ethics and other fields like medicine or law is that there is no official body emitting guidelines and no rights and duties recognized by the law.

When a doctor is asked by an employer to give him medical informations about his employees, he can point out that this would be illegal.
When a sysadmin is asked by his company to monitor users' web access, there are a lot of privacy issues that are raised but never addressed in the law. I mean, it can be part of the sysadmin job to prevent company computers from accessing porn sites but knowing which users access gay websites and which are ordering viagra online is something that should never be forwarded to upper management. He cannont prevent knowing this, but there should be something akin to medical secret regarding these data.

ACM Code of Ethics

[floki]

The Association for Computer Machinery (ACM) has a Code of Ethics. Have a look at it. It gives quite a lot of guidance converning professional conduct in IT.

IT Ethics is Different from Business Ethics

[Starky]

The fundamental focus of ethics is different between general business and IT issues.

In many business programs, students are exhorted to compete from day one. Many students take away the message that they should maximize profits (or market share or whatever they use as a metric of success) by any means necessary.

(I have worked on a number of antitrust regulatory issues, and you would be astonished at the number of e-mails that have been unearthed in which executives send each other messages to the effect, "Let's use unfair competitive practices to squash the little guy!" I'm paraphrasing, of course, but not by much.)

In IT, on the other hand, the issues pertain more to privacy and intellectual property rights. If a system administrator reads someone's e-mail, it may be for personal gain or just out of curiosity, but it's not due to any sort of overriding business objective. Competition in IT is to build the best product, not to "get" the other guy. And the ethics reflect that.

By the way, I've also worked at a company where an admin, who reported to a manager I worked beside, was reading e-mails. The manager let him know that he knew, and that if anything came of it, it would come back to bite him, but also let it slide because (1) someone has to have access, and whoever it is will probably take a peek from time to time, and (2) he was relatively discrete about it, and others may not be. Was he unethical in letting the behavior persist?

This is actually untrue

[Kupfernigk]

The posts here suggesting the "business ethics" is an oxymoron are from people who obviously have no real experience of business. Real world businesses know that they have to keep both customers and suppliers happy, and the best way to do this is still to be ethical where it counts. If I treat my suppliers honestly and you try to diddle them, you may save a percent or so now, but what will happen when there is a shortage? Who will get priority?

When I was a general manager, one of my policies was always to pay the small suppliers promptly, because they need it most. That's not only ethics, it is simple common sense.

It is interesting that one of the most developed business environments in the world -that little region that includes Northern Italy, Switzerland, parts of South Germany and South-East France - relies heavily on networks of trust. I have sealed the deal there more than once with no paperwork and a handshake. I suspect that the reason that "Business ethics" needs to be taught in an MBA class is because many new graduates have fantasies of the ruthless corporate world based on Hollywood and computer games, and they need to be made a little safer before they can get out and cause their companies serious damage.

The fact that some CEOs are psychopaths should not blind us to the fact that most are not.

Cultural & Legal

[Aceticon]

Ethics in IT is just a reflection of ethics in the world at large - what people tend to do or not to do is usually a reflection of what they believe that others expect them to do or not to do.

Often this is for cultural or even legal reasons: for example, in Holland it's forbidden by law in a company to check the web access logs for an employee unless there is reason to believe that employee is misusing the company resources or doing something illegal, while in the UK an employee can expect that anything done via the company network will be watched.

The main differences that affect the actions of people in a position of power in an IT environment and in an equivalent non-IT environment are:

• Anonymity: the belief that "nobody will know who i really am" means that some will do online certain actions that are shunned by society at large. While acting behind an alias which cannot be traced back to the real world persona many, free of social pressures and/or direct repercussions for their actions, will act online in ways that they would not act offline (I suggest you study MMORPGs for this).
• Decoupling from reality: often one's actions do not have a visible component in the "real" world. At it's most basically, it's easier to be unpleasant when the target is somebody you've never met personally.
• The lower likelihood of being caught: the risk of being caught is a strong factor when considering whether or not to act in a way which might be perceived as unethical, illegal or socially unacceptable. In the "virtual" world it's easier to do some actions without being caught. For example, consider the workers in the mail room in a company vs the e-mail server administrators in that company: for whom would it be easier to read somebody else's messages without leaving a trace ...

"ungodly" and "pirated" on Slashdot?

[mi]

Sorry, we do not believe in Imaginary Property here. There is nothing "ungodly" about "pirated", because pirating is not exactly the same as stealing.

Re:Ethically speaking

[TheVelvetFlamebait]

I never read slshdot.

...or at least its title.

Talking of reading other people's emails...

[adrianmsmith]

A friend of a friend was working in IT as a Windows administrator. He was called to fix someone's computer, who then went out to lunch leaving the friend alone with the computer. He saw a mail on the computer that he found interesting, so he forwarded it to himself.

This is surely a bad thing to do, and the end of the story is that he got fired, but he probably would have got away with it apart from the mistake he made....

He managed to spell his own name wrong in his email address. So when the guy got back from lunch, there was a bounce mail waiting for him in his inbox....

Re:sudo

[ideonode]

It usually boils down to these two things:
                                #1) Respect the privacy of others.
                                #2) Think before you type.
                                #3) With great power comes great responsibility.

There is no norm for ethics in IT I think

[oldbamboo]

I've had to familiarise myself with Sarbanes Oxley (which applies only to US listed companies anyway) and that is the only piece of legislation which I am aware of which requires regular sign off of ethical conduct, and that only applies to the board I belive. Elsewhere, for IT workers, both the CISSP and CISA certifications require that a standard of ethical conduct is maintained, and a declaration of such is made by the applicant. I think ethics are only defined in this way, as a requirement for membership of specific professional organisations or for the holding of certain credentials, but these are the only ones I'm aware of. Beyond that, and this is the point, having conducted audits and reviews of a number of companies and the governance of their IT, I think this topic is universally ignored for IT staff specifically. I can not recall once seeing the discreet topic of "Ethics" enshrined within the IT policies and standards of any major company I have inspected. The best thing you can do is collect and review a number of general "End User" policies from different places and see to what degree promises to not view porn, sell secrets, access stuff you shouldn't, etc, etc, are reflected, and quantify them against the ethical requirements being taught on your MBA. IT User policies can be dredged up from the Internet ten a penny, and they should allow you to gather sufficient of them to launch an academic argument as to the provisions for ethical conduct they establish within companies or public bodies in general. The degree to which they are obeyed is impossible to measure, but you can certainly speculate on the need for regular training on ethics.

Re:CYA

[maczealot]

To expand this thought a bit (because it is pretty accurate imho) there is a direct link between an IT worker's behavior and the culture from which they come. I have worked in everything from infrastructure to development (solo and team) as well as security. From my observation IT workers have tremendous amounts of access to information and normally do not violate this "trust" if they think they will get caught.

This, as I said, is probably more to do with what kind of culture they are from (I am American) and the social norms they were taught (or not taught) than any commonality of ethic due to corporate department (just because you are classified as IT). The email example will show the classic "Yes, I CAN read all your emails, but I don't. Not because I think it would be wrong for ME to do so necessarily, but because I am too busy to care what you wrote." This is the only unique Ethical constraint I see in IT, where those of us who manage the information and the resources to access it choose an "ethical" path on a daily basis by choosing to solve OTHER PEOPLE's info problems rather than our own with a given block of time. Most IT workers will "feel" ethical if they are doing something useful for those in power over them (i.e. paycheck signers) rather than bending the resources at their disposal to their own amusement/education (i.e. displaying ten different will-it-blend's on different LCD's to see how cool it is).

Ultimately, this behavior is altruistic because upper management, given enough time from which to sample, can tell if an IT worker is "useful" or not and thus reward or punish them. America has a very minimalistic ethic of "if it isn't hurting anyone else.." so unless there are other cultural factors they can lose out to those from other cultures (see: Indians).

the worst thing I ever did as a sysadmin

The worst thing I ever did as a sysadmin: a coworker of mine attempted to apply for a job somewhere else, and accidentally sent the cover letter & resume to our boss. At her request, I deleted that message from his inbox before he'd had the chance to read it.

I know that this is pretty small potatoes, but it still bugs me.

The slimy factor

[griffinme]

Here is an example from my dad. He was an engineer at a manufacturing plant in the 70's that decided they needed to go to CAD. He was given the project. He started working with DEC and they quoted XXX,XXX.00 as the price for a great system. He took that back to his bosses and they agreed. He goes back to DEC and the salesman starts mentioning things like, "Would you like an OS with that? It will cost XX,XXX.00 more." and "Would you like the special power cord? It will cost an extra XXX.00" They kept this up until the price was now one and a half times the original quote. Dad was getting embarrassed at going back to his bosses over and over asking for more money and finally got mad and started threatening to kill the deal. At this point the salesman mentions that it includes a Rainbow computer (their version of a PC and rather pricey at that) that wouldn't show up on the invoice and could be shipped to any address. That was about the point were Dad exploded.

Crazy thing is he loved DEC computers and still does. He wistfully talks about their ability to multi-task and better file system.

Years later I was caught in an ethical bind and asked him what to do. "You can do the easy thing or you can do the right thing. Doing the right thing might be bad for you in the short term, but you will be able to look back later and feel good about yourself instead of feeling slimy every time your reminded about it."

I took a business ethics class taught by a retired corporate head of human resources. He gave a good explanation of why this is taught in some business schools. "If you think about this now when you have no pressure on you, you stand a much better chance of making the best decision when under pressure and you have to make a snap decision. Don't kid yourself and think these things won't happen to you. They will, and most of the time you will have no time to do any soul searching."