In the wake of incidents such as the exposure of PRISM, the problematic launch of the healthcare.gov website and the breach of Adobe Creative Cloud, the cyber security community may need to come up with comprehensive new guidance about IT ethics. While technologies like cloud computing enable businesses, government agencies and security professionals to collect and process unprecedented amounts of data as part of their efforts to protect assets and provide better services, this power must be handled ethically and with care.
Moreover, the stakes for clear, sensible ethics could not be higher. For example, concern about the privacy of cloud-stored data has sparked a global movement toward siloed, nationalized telecommunications infrastructure. Government officials from Brazil to Switzerland have pushed to make their respective countries’ Internet and cloud services inaccessible to foreign organizations.
For anyone accustomed to the globalized, unified nature of online communication over the past 20 years, its loss would be a painful price to pay for the world’s growing lack of faith that organizations will handle user data ethically. This discomfort also extends below the international level, where it is driving a wedge between individuals, cloud service providers and organizations such as school districts. IT ethics must be updated for this new landscape and work toward restoring trust in public and private sector institutions.
Lack of trust may bring an end to the notion of a global Internet
Recent international rows over Internet privacy are the most prominent example of potentially declining trust in IT providers and the cyber security community. Brazil and Germany recently introduced a UN resolution that would extend guaranteed privacy rights to Internet communications.
The measure does not name any specific countries, and it does not have the force of law. However, its introduction demonstrates heightened concerns that data collection efforts are crossing the line from legitimate exercise to unwarranted intrusion.
“Today, there seem to be hardly any technical limitations for accessing, storing or combining personal data. But should everything that is technically feasible also be allowed?” asked Peter Wittig, German Ambassador to the UN. “Where do we draw the line between legitimate security concerns and the individual right to privacy?”
Some nations have made more specific efforts to secure their citizens’ data. Reuters reported that Brazilian legislators have drafted a bill that would force Web services giants like Facebook and Google to keep all data on Brazilian users inside the country.
Internet-based companies have opposed the measure, citing its erosion of the World Wide Web and its potential to drive up the costs of cloud computing services. The bill could strike a fatal blow to online communications in their current form by jeopardizing their unfettered global scope and the open technological standards that support them.
Cloud services are the nexus of privacy and trust issues
The precipitous rise of cloud computing almost guaranteed that organizations would someday have to address privacy issues, even if government surveillance had not provided such strong impetus. For example, Swiss telecom Swisscom has been working on a cloud solution that would keep all data within national borders, an effort that was not inspired by revelations about the NSA.
According to Help Net Security, the initiative is essentially state-sponsored, since the Swiss state owns a majority of Swisscom. The new cloud is designed to ensure data privacy and provide a cost-effective alternative to prominent services, some of which coincidentally may be based in other nations.
Services of this kind may actually indicate the broader positive impact that the NSA et al. have had on the cloud. Writing for PandoDaily, Vineet Jain argued that the NSA’s PRISM and Muscular initiatives provided much-needed course correction for cloud companies. Jain stated that some providers already did a good job of separating cloud application processes from cloud-based data repositories and that the current privacy debates sparked by surveillance reports would spur many others to follow suit.
“It’s important to note that not all cloud companies expose your sensitive information,” wrote Jain. “By separating the cloud service (the application that is running in the cloud) from where the data is stored (in the cloud or behind the firewall), the business benefits of the cloud and [software-as-a-service] can be realized without running into privacy or security issues.”
Long Island school district incident reveals trust issues even at local level
The importance of IT services providers behaving ethically and taking pains to protect user data is not just an international issue. Reporting for Newsday, John Hildebrand chronicled New York’s controversial plan to turn over data on more than 2 million students to an Atlanta-based nonprofit.
The company, inBloom, manages cloud-based repositories containing sensitive data such as student test scores, disabilities and disciplinary histories. Although the state and inBloom have both assured administrators and parents that data will be safely handled, some are not convinced.
“This information is being taken out of the hands of local school districts,” Pamela Verity, a New York mother of three, told Newsday. “It’s a very dangerous situation.”
The education technology industry may be worth $9 billion, and the inBloom case reveals the high stakes of ethical data handling and respect for privacy. More than 600 New York schools have already signed on to the inBloom initiative.
What would constitute a framework for modern IT security ethics?
Speaking to Bank Info Security, Purdue University computer science professor Eugene Spafford highlighted the fundamental challenges that the cyber security profession faces as a result of these prominent data privacy cases. Spafford argued that while some ethical frameworks already exist, they are perhaps insufficient for moving cyber security forward and attracting more young recruits to the field.
“[I]f we’re really going to develop as a profession, we have to have behavior that’s generally agreed upon that allows society at large to place a certain kind of trust in us because we’re running critical equipment, managing critical data for them, respecting privacy, doing what we can to protect the security and longevity of the information, protecting intellectual property and providing systems that react fairly,” stated Spafford.
The cloud has given the IT industry access to more data than ever before. With that information come new responsibilities to respect privacy, shield users from possible identity theft and, in the case of government agencies, apply data as necessary to prevent attacks. New ethics frameworks would go a long way in ensuring that everyone knows where the lines are drawn and what can be done to ensure that organizations do not step over them.