Information Security at the University of Pennsylvania: Practical Applications and Experience with Information Ethics CIS 401 Senior Design Course Joshua Beeman University Information Security Officer February 23, 2012

Agenda UPenn InfoSec - Who we are and what we do Computer Ethics – Context and History Ethics in practice – Examples from UPenn Policy & Incidents Workplace issues Intellectual Property and Copyright Cybercrime Privacy Professional Codes of Conduct Globalization

Office of Information Security Jim Choate (Executive Director, ISC/AIT) Senior Information Security Specialists: John Lupton Melissa Muth Dana Taylor Contact and reach all of Joshua Beeman (University Information Security Officer)

Office of Information Security Information Security’s core mission is to develop strategies and practices that protect Penn’s confidential and sensitive information assets.

Information Security Services Development of policy Information Security- related projects and initiatives Security consultation, awareness & training Risk assessment, risk management, threat monitoring, and related communications Reporting on events and trends Incident handling, response, investigation and notification Point of contact and coordination Office of Information Security

Brief Video…

Why it’s relevant Facemash - Zuckerberg was charged by the administration with breach of security, violating copyrights, and violating individual privacy. Later used in an Art History class as a “social study tool”. Image from:

Ethics Defined The rules of conduct recognized in certain associations or departments of human life. - (O.E.D.) More simply: the distinction between right and wrong in a given context.

Computer Ethics – History & Key Themes 1940's Norbert Wiener: Originator of cybernetics – the structure of regulatory systems - which he saw as having profound ethical implications when applied to technology Metaphysical concepts around information 1970's Walter Maner Developed "Starter Kit" for Teaching Computer Ethics (1978) Defined topics, including: Privacy and Confidentiality, Computer Crime, Professional ethics, etc. Believed computers introduced *new* ethical challenges Deborah Johnson Saw computers highlighting pre-existing ethical problems in interesting - but not *new* ways. Resulted in the "uniqueness" debate.

Computer Ethics – History & Key Themes 1980's Deborah Johnson published "Computer Ethics" textbook (1985) James Moor article "What is Computer Ethics", which describes "policy vacuums" and "conceptual muddles". 1990's Donald Gotterbarn emphasized codes of conduct for computing professionals "Computer Ethics: Responsibility Regained (1991) Establishment of professional organizations code of conducts, as well as programs and tools to assist with ethical behavior (ACM, IEEE, EFF, SEERI, SoDIS, etc.) Universal/Key concepts: Technological impact on core human values, such as health, happiness, abilities, knowledge, freedom, security, etc. (Wiener, Moor, others) Context of cultural norms, practices, rules and laws that form the basis for societal ethics (right and wrong).

Policy and the Relationship to Ethics Policy documents what you can and cannot do. Some key Penn resources: AUP Electronic Privacy Guidelines on Open Expression What guides policy? Directly related to the mission of your organization Frequently the place where we identify “conceptual muddles” Strongly driven by human values (e.g., Wiener, Moor)

Workplace Issues Employment/Labor Cases University Employee unauthorized use of IT resources, unlawful behavior, violation of terms of employment, etc. Faculty responsibility to be SME? Penn Cloud assessments

Intellectual Property and Copyright Copyright and IP issues Digital Millennium Copyright Act (DMCA) Professional misconduct (e.g., plagiarism) Changing laws Context matters Different populations / different cultures / different ethical norms Copyright incidents Briton Chance website

Cyber Crime Penn Incidents & Examples Hacking & Malware WebApp Backdoor Zeus bot Drive-by malware Theft & cloud Hacktivism climate research s at East Anglia University 2010 – 2011 – Numerous hacktivitst attacks by Anonymous group on both governments and private sector. Enabling in the name of teaching/demonstration Square debate Image courtesy of

Privacy Business of Penn – collecting information about students, alumni, business partners, etc. Regulations – PII, HIPAA, FERPA Cloud privacy concerns Social Media – UPenn MED grant Rutgers suicide Duke powerpoint Dr. Matt Blaze & Clipper Chip Other current events: FB lawsuit & Google Privacy Shift EPIC lawsuit

Professional Codes of Conduct Penn Institutional Review Board (IRB) Wikipedia research example Maner/Johnston uniqueness debate Note also: UPenn Social Media Guidance Ethical (“white hat”) hacking Gotterbarn in practice ACM, IEEE GCEH ISC2 The Ten Commandments of Computer Ethics:

Professional Codes of Conduct Example from The Computer Ethics Institute 1.Thou shalt not use a computer to harm other people. 2.Thou shalt not interfere with other people's computer work. 3.Thou shalt not snoop around in other people's computer files. 4.Thou shalt not use a computer to steal. 5.Thou shalt not use a computer to bear false witness. 6.Thou shalt not copy or use proprietary software for which you have not paid. 7.Thou shalt not use other people's computer resources without authorization or proper compensation. 8.Thou shalt not appropriate other people's intellectual output. 9.Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10.Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Globalization Collaboration Access Control and Shibboleth International Laws and Impact Wikileaks - Julian Assange IP and global economy Transcending Mission Arab Spring MIT open classroom & education gap

Some References & Resources Computer and Information Ethics, Stanford Encyclopedia of Philosophy; Oct 23, University of Pennsylvania Policy on Acceptable Use of Electronic Resources: University of Pennsylvania Policy on Privacy in the Electronic Environment: University of Pennsylvania Guidelines on Open Expression: Maner, W. (1980), Starter Kit in Computer Ethics, Hyde Park, NY: Helvetia Press and the National Information and Resource Center for Teaching Philosophy. Johnson, D. (1985), Computer Ethics, Third Edition Upper Saddle River, NJ: Prentice-Hall, West, A.G., Hayati, P., Potdar, V., and Lee, I. (2012). Spamming for Science: Active Measurement in Web 2.0 Abuse Research. In WECSR '12: Proceedings of the 3rd Workshop on Ethics in Computer Security Research, Kralendijk, Bonaire. Dittrich, D., Bailey, M., Dietrich, S.: Building an active computer security ethics community. IEEE Security and Privacy 9(4) (July/August 2011)

Peter Sunde (2012), Wired Magazine: “The Pirate Bay’s Peter Sunde: It’s Evolution, Stupid”, February 10, Tavernise, Sabrina, The New York Times, “Education Gap Grows Between Rich and Poor, Studies Say, February 9, show.html show.html Verifone Consumer Alert: Card Skimming with Square, Uploaded by VeriFoneInc on Mar 9, PÉREZ-PEÑA, Richard, The New York Times, "More Complex Picture Emerges in Rutgers Student’s Suicide, New York Times, August 12, complex-picture-emerges.html?_r=1https:// complex-picture-emerges.html?_r=1 Barber, C. Ryan, The Daily Tar Heel, "Yankaskas settles appeal, agrees to retire from UNC: Pay cut, demotion rescinded in deal", April 18, “Clipper Chip”, Wikipedia entry: