Information Security at the University of Pennsylvania: Practical Applications and Experience with Information Ethics
CIS 401 Senior Design Course
Joshua Beeman, University Information Security Officer
February 23, 2012
Agenda
- UPenn InfoSec: who we are and what we do
- Computer ethics: context and history
- Ethics in practice: examples from UPenn policy and incidents
  - Workplace issues
  - Intellectual property and copyright
  - Cybercrime
  - Privacy
  - Professional codes of conduct
  - Globalization
Office of Information Security
- Jim Choate (Executive Director, ISC/AIT)
- Joshua Beeman (University Information Security Officer)
- Senior Information Security Specialists: John Lupton, Melissa Muth, Dana Taylor
- Contact firstname.lastname@example.org and reach all of email@example.com
Office of Information Security
Information Security's core mission is to develop strategies and practices that protect Penn's confidential and sensitive information assets.
Information Security Services
- Development of policy
- Information Security-related projects and initiatives
- Security consultation, awareness and training
- Risk assessment, risk management, threat monitoring, and related communications
- Reporting on events and trends
- Incident handling, response, investigation and notification
- Point of contact and coordination
Why it's relevant
- Facemash: Zuckerberg was charged by the administration with breach of security, violating copyrights, and violating individual privacy.
- Later used in an Art History class as a "social study tool".
- Image from: https://www.facebook.com/photo.php?fbid=794826159841&set=a.794820416351.2344423.1681&pid=41088721&id=1681
Ethics Defined
- "The rules of conduct recognized in certain associations or departments of human life." (O.E.D.)
- More simply: the distinction between right and wrong in a given context.
Computer Ethics: History and Key Themes
1940s
- Norbert Wiener: originator of cybernetics (the structure of regulatory systems), which he saw as having profound ethical implications when applied to technology
- Metaphysical concepts around information
1970s
- Walter Maner developed the "Starter Kit" for teaching computer ethics (1978)
  - Defined topics including privacy and confidentiality, computer crime, professional ethics, etc.
  - Believed computers introduced *new* ethical challenges
- Deborah Johnson saw computers highlighting pre-existing ethical problems in interesting, but not *new*, ways
- Resulted in the "uniqueness" debate
Computer Ethics: History and Key Themes
1980s
- Deborah Johnson published the "Computer Ethics" textbook (1985)
- James Moor's article "What is Computer Ethics?", which describes "policy vacuums" and "conceptual muddles"
1990s
- Donald Gotterbarn emphasized codes of conduct for computing professionals: "Computer Ethics: Responsibility Regained" (1991)
- Establishment of professional organizations' codes of conduct, as well as programs and tools to assist with ethical behavior (ACM, IEEE, EFF, SEERI, SoDIS, etc.)
Universal/key concepts
- Technological impact on core human values, such as health, happiness, abilities, knowledge, freedom, security, etc. (Wiener, Moor, others)
- Context of cultural norms, practices, rules and laws that form the basis for societal ethics (right and wrong)
Policy and the Relationship to Ethics
- Policy documents what you can and cannot do.
- Some key Penn resources:
  - AUP
  - Electronic Privacy
  - Guidelines on Open Expression
- What guides policy?
  - Directly related to the mission of your organization
  - Frequently the place where we identify "conceptual muddles"
  - Strongly driven by human values (e.g., Wiener, Moor)
Workplace Issues
- Employment/labor cases
- University employee: unauthorized use of IT resources, unlawful behavior, violation of terms of employment, etc.
- Faculty responsibility to be SME?
- Penn cloud assessments
Intellectual Property and Copyright
- Copyright and IP issues
  - Digital Millennium Copyright Act (DMCA)
  - Professional misconduct (e.g., plagiarism)
  - Changing laws
- Context matters: different populations, different cultures, different ethical norms
- Copyright incidents
- Britton Chance website
Cyber Crime
- Penn incidents and examples
  - Hacking and malware: WebApp backdoor, Zeus bot, drive-by malware
  - Theft and cloud
- Hacktivism
  - 2009: climate research emails at East Anglia University
  - 2010-2011: numerous hacktivist attacks by the Anonymous group on both governments and the private sector
- Enabling in the name of teaching/demonstration
  - Square debate
- Image courtesy of https://commons.wikimedia.org/wiki/File:Anonymous_at_Scientology_in_Los_Angeles.jpg
Privacy
- Business of Penn: collecting information about students, alumni, business partners, etc.
- Regulations: PII, HIPAA, FERPA
- Cloud privacy concerns
- Social media
  - UPenn MED grant
  - Rutgers suicide
  - Duke PowerPoint
- Dr. Matt Blaze and the Clipper Chip
- Other current events: FB lawsuit; Google privacy shift and EPIC lawsuit
Professional Codes of Conduct
- Penn Institutional Review Board (IRB)
  - Wikipedia research example
  - Maner/Johnson uniqueness debate
  - Note also: UPenn Social Media Guidance
- Ethical ("white hat") hacking
  - Gotterbarn in practice
  - ACM, IEEE, GCEH, ISC2
- The Ten Commandments of Computer Ethics: http://www.computerethicsinstitute.com
Professional Codes of Conduct: Example from The Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Globalization
- Collaboration
  - Access control and Shibboleth
- International laws and impact
  - Wikileaks and Julian Assange
  - IP and the global economy
- Transcending mission
  - Arab Spring
  - MIT open classroom and the education gap
Some References and Resources
- Computer and Information Ethics, Stanford Encyclopedia of Philosophy, Oct 23, 2008. http://plato.stanford.edu/entries/ethics-computer/
- University of Pennsylvania Policy on Acceptable Use of Electronic Resources: http://www.upenn.edu/computing/policy/aup.html
- University of Pennsylvania Policy on Privacy in the Electronic Environment: http://www.upenn.edu/almanac/v47/n04/OR-eprivacy.html
- University of Pennsylvania Guidelines on Open Expression: http://www.upenn.edu/provost/PennBook/guidelines_on_open_expression
- Maner, W. (1980). Starter Kit in Computer Ethics. Hyde Park, NY: Helvetia Press and the National Information and Resource Center for Teaching Philosophy.
- Johnson, D. (1985). Computer Ethics. Third edition, Upper Saddle River, NJ: Prentice-Hall, 2001.
- West, A.G., Hayati, P., Potdar, V., and Lee, I. (2012). Spamming for Science: Active Measurement in Web 2.0 Abuse Research. In WECSR '12: Proceedings of the 3rd Workshop on Ethics in Computer Security Research, Kralendijk, Bonaire. http://www.cis.upenn.edu/~westand/docs/wecsr_12_final.pdf
- Dittrich, D., Bailey, M., and Dietrich, S. (2011). Building an active computer security ethics community. IEEE Security and Privacy 9(4), July/August 2011.
- Peter Sunde (2012), Wired Magazine: "The Pirate Bay's Peter Sunde: It's Evolution, Stupid", February 10, 2012. http://www.wired.com/threatlevel/2012/02/peter-sunde/
- Tavernise, Sabrina, The New York Times, "Education Gap Grows Between Rich and Poor, Studies Say", February 9, 2012. https://www.nytimes.com/2012/02/10/education/education-gap-grows-between-rich-and-poor-studies-show.html
- Verifone Consumer Alert: Card Skimming with Square, uploaded by VeriFoneInc on Mar 9, 2011. https://www.youtube.com/watch?v=ObGQxSuORy0
- Pérez-Peña, Richard, The New York Times, "More Complex Picture Emerges in Rutgers Student's Suicide", August 12, 2011. https://www.nytimes.com/2011/08/13/nyregion/with-tyler-clementi-suicide-more-complex-picture-emerges.html?_r=1
- Barber, C. Ryan, The Daily Tar Heel, "Yankaskas settles appeal, agrees to retire from UNC: Pay cut, demotion rescinded in deal", April 18, 2011. http://www.dailytarheel.com/index.php/article/2011/04/yankaskas_settles_appeal_agrees_to_retire_from_unc
- "Clipper Chip", Wikipedia entry: https://en.wikipedia.org/wiki/Clipper_chip
- https://epic.org/
- https://www.eff.org/