Information Security at the University of Pennsylvania: Practical Applications and Experience with Information Ethics CIS 401 Senior Design Course Joshua Beeman University Information Security Officer February 23, 2012


Page 1

Information Security at the University of Pennsylvania: Practical Applications and Experience with Information Ethics

CIS 401 Senior Design Course

Joshua Beeman, University Information Security Officer, February 23, 2012

Page 2

Agenda
• UPenn InfoSec - Who we are and what we do
• Computer Ethics – Context and History
• Ethics in practice – Examples from UPenn
  • Policy & Incidents
  • Workplace issues
  • Intellectual Property and Copyright
  • Cybercrime
  • Privacy
  • Professional Codes of Conduct
  • Globalization

Page 3

Office of Information Security

Jim Choate (Executive Director, ISC/AIT)

Senior Information Security Specialists: John Lupton, Melissa Muth, Dana Taylor

Contact [email protected] and reach all of us!

Joshua Beeman (University Information Security Officer)

Page 4

Office of Information Security

Information Security’s core mission is to develop strategies and practices that protect Penn’s confidential and sensitive information assets.

Page 5

Information Security Services

• Development of policy
• Information Security-related projects and initiatives
• Security consultation, awareness & training
• Risk assessment, risk management, threat monitoring, and related communications
• Reporting on events and trends
• Incident handling, response, investigation and notification
• Point of contact and coordination

Office of Information Security

Page 6

Brief Video…

https://www.youtube.com/watch?v=6bahX2rrT1I

Page 7

Why it’s relevant
• Facemash - Zuckerberg was charged by the administration with breach of security, violating copyrights, and violating individual privacy.
• Later used in an Art History class as a “social study tool”.

Image from: https://www.facebook.com/photo.php?fbid=794826159841&set=a.794820416351.2344423.1681&pid=41088721&id=1681

Page 8

Ethics Defined

The rules of conduct recognized in certain associations or departments of human life. - (O.E.D.)

More simply: the distinction between right and wrong in a given context.

Page 9

Computer Ethics – History & Key Themes

1940s
• Norbert Wiener:
  • Originator of cybernetics – the structure of regulatory systems - which he saw as having profound ethical implications when applied to technology
  • Metaphysical concepts around information

1970s
• Walter Maner
  • Developed "Starter Kit" for Teaching Computer Ethics (1978)
  • Defined topics, including: Privacy and Confidentiality, Computer Crime, Professional ethics, etc.
  • Believed computers introduced *new* ethical challenges
• Deborah Johnson
  • Saw computers highlighting pre-existing ethical problems in interesting - but not *new* - ways. Resulted in the "uniqueness" debate.

Page 10

Computer Ethics – History & Key Themes

1980s
• Deborah Johnson published "Computer Ethics" textbook (1985)
• James Moor article "What is Computer Ethics", which describes "policy vacuums" and "conceptual muddles".

1990s
• Donald Gotterbarn emphasized codes of conduct for computing professionals: "Computer Ethics: Responsibility Regained" (1991)
• Establishment of professional organizations' codes of conduct, as well as programs and tools to assist with ethical behavior (ACM, IEEE, EFF, SEERI, SoDIS, etc.)

Universal/Key concepts:
• Technological impact on core human values, such as health, happiness, abilities, knowledge, freedom, security, etc. (Wiener, Moor, others)
• Context of cultural norms, practices, rules and laws that form the basis for societal ethics (right and wrong).

Page 11

Policy and the Relationship to Ethics

Policy documents what you can and cannot do.

Some key Penn resources:
• AUP
• Electronic Privacy
• Guidelines on Open Expression

What guides policy?
• Directly related to the mission of your organization
• Frequently the place where we identify “conceptual muddles”
• Strongly driven by human values (e.g., Wiener, Moor)

Page 12

Workplace Issues
• Employment/Labor Cases
  • University Employee unauthorized use of IT resources, unlawful behavior, violation of terms of employment, etc.
• Faculty responsibility to be SME?
• Penn Cloud assessments

Page 13

Intellectual Property and Copyright

• Copyright and IP issues
  • Digital Millennium Copyright Act (DMCA)
  • Professional misconduct (e.g., plagiarism)
  • Changing laws
• Context matters
  • Different populations / different cultures / different ethical norms
• Copyright incidents
  • Briton Chance website

[Chart: copyright incidents by violation count: 1st violation 82%, 2nd violation 12%, 3rd violation 3%, 4th violation 3%]

Page 14

Cyber Crime
• Penn Incidents & Examples
  • Hacking & Malware
    • WebApp Backdoor
    • Zeus bot
    • Drive-by malware
    • Theft & cloud
• Hacktivism
  • 2009 - climate research emails at East Anglia University
  • 2010 – 2011 – Numerous hacktivist attacks by Anonymous group on both governments and private sector.
• Enabling in the name of teaching/demonstration
  • Square debate

Image courtesy of https://commons.wikimedia.org/wiki/File:Anonymous_at_Scientology_in_Los_Angeles.jpg

Page 15

Privacy
• Business of Penn – collecting information about students, alumni, business partners, etc.
• Regulations – PII, HIPAA, FERPA
• Cloud privacy concerns
• Social Media
  • UPenn MED grant
  • Rutgers suicide
  • Duke powerpoint
• Dr. Matt Blaze & Clipper Chip
• Other current events:
  • FB lawsuit & Google Privacy Shift
  • EPIC lawsuit

Page 16

Professional Codes of Conduct
• Penn Institutional Review Board (IRB)
  • Wikipedia research example
  • Maner/Johnson uniqueness debate
• Note also: UPenn Social Media Guidance
• Ethical (“white hat”) hacking
• Gotterbarn in practice
  • ACM, IEEE
  • GCEH
  • ISC2
  • The Ten Commandments of Computer Ethics: http://www.computerethicsinstitute.com

Page 17

Professional Codes of Conduct
Example from The Computer Ethics Institute

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Page 18

Globalization
• Collaboration
  • Access Control and Shibboleth
• International Laws and Impact
  • Wikileaks - Julian Assange
  • IP and global economy
• Transcending Mission
  • Arab Spring
  • MIT open classroom & education gap

Page 19

Some References & Resources

• Computer and Information Ethics, Stanford Encyclopedia of Philosophy; Oct 23, 2008 http://plato.stanford.edu/entries/ethics-computer/

• University of Pennsylvania Policy on Acceptable Use of Electronic Resources: http://www.upenn.edu/computing/policy/aup.html

• University of Pennsylvania Policy on Privacy in the Electronic Environment: http://www.upenn.edu/almanac/v47/n04/OR-eprivacy.html

• University of Pennsylvania Guidelines on Open Expression: http://www.upenn.edu/provost/PennBook/guidelines_on_open_expression

• Maner, W. (1980), Starter Kit in Computer Ethics, Hyde Park, NY: Helvetia Press and the National Information and Resource Center for Teaching Philosophy.

• Johnson, D. (1985), Computer Ethics, Third Edition, Upper Saddle River, NJ: Prentice-Hall, 2001.

• West, A.G., Hayati, P., Potdar, V., and Lee, I. (2012). Spamming for Science: Active Measurement in Web 2.0 Abuse Research. In WECSR '12: Proceedings of the 3rd Workshop on Ethics in Computer Security Research, Kralendijk, Bonaire. http://www.cis.upenn.edu/~westand/docs/wecsr_12_final.pdf

• Dittrich, D., Bailey, M., Dietrich, S.: Building an active computer security ethics community. IEEE Security and Privacy 9(4) (July/August 2011)

Page 20

• Peter Sunde (2012), Wired Magazine: “The Pirate Bay’s Peter Sunde: It’s Evolution, Stupid”, February 10, 2012 http://www.wired.com/threatlevel/2012/02/peter-sunde/

• Tavernise, Sabrina, The New York Times, “Education Gap Grows Between Rich and Poor, Studies Say”, February 9, 2012. https://www.nytimes.com/2012/02/10/education/education-gap-grows-between-rich-and-poor-studies-show.html

• Verifone Consumer Alert: Card Skimming with Square, Uploaded by VeriFoneInc on Mar 9, 2011. https://www.youtube.com/watch?v=ObGQxSuORy0

• Pérez-Peña, Richard, The New York Times, "More Complex Picture Emerges in Rutgers Student’s Suicide", August 12, 2011. https://www.nytimes.com/2011/08/13/nyregion/with-tyler-clementi-suicide-more-complex-picture-emerges.html?_r=1

• Barber, C. Ryan, The Daily Tar Heel, "Yankaskas settles appeal, agrees to retire from UNC: Pay cut, demotion rescinded in deal", April 18, 2011. http://www.dailytarheel.com/index.php/article/2011/04/yankaskas_settles_appeal_agrees_to_retire_from_unc

• “Clipper Chip”, Wikipedia entry: https://en.wikipedia.org/wiki/Clipper_chip

• https://epic.org/

• https://www.eff.org/