Privacy and Ethics Survey among Computer Professionals

by Frank Maldacker, Pace University and Stuart A. Varden, Pace University
February, 1997

Abstract

The ever-increasing amount of confidential computer-based information, coupled with the explosive growth of networked systems, creates an opportunity for computer professionals to inappropriately access files. This paper explores the issue of privacy and ethical guidelines as it relates to computer professionals. For the purpose of this paper, a computer professional is defined as an individual whose work centers around the use of computers and associated items and who has greater access to computer hardware, confidential files and electronic mail than most other members of the organization he/she works for. We are referring primarily to individuals who make their living working with computers.

Background

Development of Computer Based Information Files

Collecting information in manageable files has been an integral part of business organizational practice for centuries. The manner in which files are stored has changed, however. Initially, records of activity were kept as paper files. Files that were deemed confidential were often locked in appropriate places to keep them safe from those who had no reason to see them. As technology progressed, the process of storing files was transformed. Documents that were retained in their paper-based form were sometimes converted into microfiche or microfilm, a space-efficient storage system for voluminous records. These files could also be secured under lock and key, but this was a costly practice. Eventually, the development of the computer and associated storage devices created a powerful and affordable business tool. Information that once took weeks to obtain was now available in days, if not hours or minutes. A slow and gradual transformation began, away from paper-based and microfiche/microfilm storage to computer-based storage.
Today, however, the problem of keeping files from those who do not need to see them has changed, because computers allow a far greater range of access to computer-based information. "Computers store confidential data of a political, social, economic, or personal nature, e.g., personnel files, criminal records, intelligence records, political strategies." [1] As the expansion of computer-based information continues throughout the corporate world, the issues of ensuring privacy and appropriate access are becoming paramount. Accompanying the increasing use of computer-based information is the need for computer professionals to manage the networks and systems where the data resides.

The increasing popularity of the internet has called much attention to the issues of privacy and inappropriate access by unauthorized individuals. This attention has most commonly been associated with external break-in attempts by unauthorized persons, although an increasing number of internal unauthorized accesses have been reported to researchers. A recent research survey by the School of Criminal Justice at Michigan State University reveals that "most computer crimes are committed by full time employees followed by part-time or 'outsource' employees." They also cite an increase in the past five years of "unauthorized access to computer files for 'snooping.'" [2]

"The thorny problem of unauthorized use demonstrates how new possibilities opened up by new technologies can lead otherwise honest and loyal employees down the slippery slope to more serious misconduct and perhaps outright criminal behavior. In a review of major British studies of computer crime, Keith Hearndon found that the vast majority (80 per cent) of crimes involving computers were carried out by employees rather than outsiders. ...24 per cent by computer staff...." [3]

A very important question arises: who or what is in place to guard our confidential data from the people assigned to manage it?

"The increasing reliance on technology as a foundation of society has resulted in gains that were unimaginable just a decade ago.... But there are some very real costs associated with these benefits, one of the most prevalent of which is the ever expanding potential for criminals to manipulate this reliance on computer technology for their own illicit purposes." [4]

Computer Professionals and Access Issues

Computer professionals, also known as Information Technology (IT) workers, are the caretakers of our information in the 1990s. Greater and greater amounts of sensitive confidential information are being stored in computer-based information systems maintained by computer professionals. These records are maintained in high-density, compact storage devices that are accessible in seconds. [5] For the purposes of this research, we define computer access as the ability to read, create, modify and delete computer files that are of value to an organization or to its employees. Computer professionals have access to areas that allow manipulation of files which directly or indirectly affect the integrity of stored computer-based information.

Electronic Mail

Electronic mail privacy is a growing issue in many corporate organizations. Recently publicized events have created a heightened awareness of the access issues involved in sending, receiving and storing corporate electronic messages. A recent example is an employee at Pillsbury who was terminated for the content of his stored e-mail messages. [6] The main question being asked is: do companies have the right to inspect e-mail, either with or without the employee's consent?
In many situations, "lawyers and, more recently, human resource managers have strongly encouraged companies to have explicit written policies stating that the company owns the communication system, that the system is intended for business purposes only, and that the company can monitor it." [7] This position suggests that a corporation can review components of its electronic mail system at any time and without cause. IT workers can be authorized by their company to review e-mail. This access can be abused and lead to unauthorized access as well. Research indicates that "more than 50% of the respondents (to a Society for Human Resource Management survey) didn't provide confidentiality training for IS (Information Systems) staffers who might have access to E-mail." [8]

"Computer professionals frequently gain access to massive amounts of corporate and individual information. Misuse of the information may cause heavy damages to organizations and individuals. It is therefore very appropriate to emphasize proper behavior with respect to privacy in ethical codes for the profession." [9]

Ethical Codes

Many organizations suggest ethical codes of conduct for interacting with computers. Four major organizations have created guidelines for the ethical use of computers:

DPMA

Founded in 1951, the Data Processing Management Association is dedicated to the professional development of the information processing professional. The organization now has about 35,000 members throughout the U.S., Canada, and 35 other countries. Its mission is "to advocate effective, responsible management of information to the benefit of its members, employers, and the business community."

ICCP

The Institute for Certification of Computer Professionals invites data processing professionals to take its exams to ensure proper knowledge and professionalism. It is currently the only US certificate-granting organization in the field.
Those who pass the exams receive one or more of the following certificates: Associate Computer Professional (ACP), Certified Computer Programmer (CCP), Certified Systems Professional (CSP) and Certified in Data Processing (CDP), the last regarded as the highest non-academic professional certificate. Since its establishment in 1973, the organization has certified over 40,000 professionals in the U.S. and other countries. Certificate holders must recertify their skills every three years, either by retesting or by involvement in approved continuing education courses.

ACM

The Association for Computing Machinery was established in 1947 as the society of the computing community. It is the oldest educational and also the largest professional organization in the data processing industry. Its goals are to develop information processing as a discipline and to promote responsible use of computers. Its purposes are to advance the sciences and arts of information processing, to promote the free interchange of information among specialists and the public, and to develop and maintain the integrity and competence of individuals in the field. Members are expected to adhere to the ACM Code of Professional Conduct.

ITAA

The ITAA (ADAPSO) Recommended Code of Ethics for Professional Services Firms

Data processing has become central to the success of virtually every organization in the country. As a result, the professional services business has grown to a multi-billion dollar enterprise providing clients with people-support and data processing expertise on an as-needed basis. Members of ADAPSO, the computer software and services industry association, clearly recognize the sensitive nature of the business relationship between a client and a professional services company. This brochure is designed as a goal of ethical conduct for professional services companies to reach and a yardstick for clients to measure the conduct of these firms.
This code represents the beginning of a continuing program to promote and ensure the highest standards of ethical conduct within the professional services industry.

Research Rationale and Questions

The rationale for this paper is to investigate the knowledge and opinions of computer professionals from two diverse groups, to obtain information about their knowledge of access guidelines and their ethical views regarding this issue. The sample consisted of a group of computer science and information systems graduate school professionals from diverse organizations and a group of Information Technology respondents from a large, technologically sophisticated, metropolitan-based corporation. Research questions focused on three major sub-topics.

Sub-topic 1 - Professional guidelines

Given that no single set of guidelines exists for computer professionals regarding the issue of privacy and access, this researcher wanted to know the extent to which professional guidelines from organizations such as DPMA, ACM, ICCP, and ITAA affect the ethical behavior of the respondents. To obtain this information the researcher specifically questioned the respondents to determine:

* Whether respondents were aware of these various organizations
* Whether respondents were members of any of these organizations
* Whether respondents knew if their companies adhered to any of these organizations' ethical guidelines

Sub-topic 2 - Corporate guidelines

This researcher wanted to determine the respondents' knowledge of company guidelines regarding ethical computer practices.
In order to gain insight into this issue, the respondents were questioned to determine:

* Whether respondents were aware of formal guidelines set forth by their company
* Whether respondents believed their companies had the right to access their personal computer-based information, such as e-mail

Sub-topic 3 - Personal ethical views

This researcher wanted to explore the respondents' personal ethical views regarding access to information when it is not necessary for completing their job. Specifically, the researcher wanted to obtain responses to:

* Whether respondents believed it was acceptable to view computer-based information about their companies
* Whether respondents believed it was acceptable to view information about their fellow employees
* Whether respondents believed it was acceptable to view confidential information which existed about them within company files
* Whether respondents believed it was acceptable for others in their organization to gain unauthorized access to computer-based information about the respondents' confidential personnel records without their knowledge

Comparisons and Variables

In addition to looking at the full sample's responses to these questions, the researcher is interested in comparing and contrasting the data from the two groups to see what the differences and similarities are. Presumably, the IT group's responses will be more consistent with respect to knowledge of corporate guidelines. Additionally, this researcher expects that there will be greater knowledge of professional guidelines among the IT group. Responses to all questions will also be examined to see if either of the following variables appears to be a factor in the way the questions were answered:

* Gender
* Number of years in the computer profession

Procedures

Sample Selection Process

The sample consisted of two specific groups.
The first group is an Information Technology (IT) group in a major, multi-national, non-computer manufacturing corporation in a suburb of New York City. The second group consisted of graduate computer science and information systems students at a major northeastern university attended by this researcher.

Distribution

Graduate students: 42 surveys were distributed to the Computer Science graduate students.
IT group: 35 surveys were distributed to the IT group.
A total of 77 surveys were distributed.

Survey Instrument Issues

The areas being investigated involved fairly sensitive issues. The respondents were being asked about their knowledge and views related to computer access issues. This researcher hesitated to craft questions that might be considered confidential or would probe into overly sensitive areas, as this might have lowered the response rate. Every effort was made to mute any tendency on the part of the respondents to answer questions on the basis of perceived correctness; instead, the survey was designed to encourage honest, personal responses. It was essential to ensure that respondents did not compromise themselves in any way by participating. The survey questions were designed as opinion statements, and respondents were asked to indicate their level of agreement or disagreement with each statement. Respondents were not asked for written responses of any kind.

Demographics

Respondents were asked to provide information about their job title, business size, number of employees in their entire organization, number of employees at their location, age, years in the computer profession and gender. Those questions that would have identical answers for all Information Technology (IT) workers were eliminated from the survey distributed to IT professionals at the corporation.

Design

The survey consisted of four sections. The first section contained the demographic questions.
The demographics were selected to facilitate a better understanding of the sample as well as to provide a series of variables to query. The second section consisted of three statements focusing on whether the respondent found it acceptable to access informational areas not required to do their job. Respondents were asked their views on accessing company information, accessing fellow employees' information, and accessing their own confidential personnel records. The third section focused on the respondents' views about their own information being accessed by the company and by fellow employees. The fourth section asked respondents about their awareness of the four major computer organizations. It also asked whether their organization had a set of formal ethical guidelines or followed a computer organization's ethical guidelines.

Discussion of Survey Findings

Sub-topic 1 - Professional Guidelines

The questions in this section asked respondents if they had heard of ACM, ICCP, DPMA and ITAA; were members; and whether their companies adhered to any of the ethical guidelines suggested by these organizations. Findings in this area indicated that there was indeed some awareness among computer professionals in both groups about organizations such as ACM, ICCP, DPMA and ITAA (table no. 14). Awareness was highest and most consistent among the IT group. Affirmative responses were as follows: DPMA, 31.8%; ACM, 54.5%; ICCP, 33.3%; and ITAA, 9.5%. Graduate students had a lower awareness rate, and most affirmative responses were in the ACM and ICCP categories, at 52% and 26.9% respectively. In both groups, professional membership in these organizations proved to be quite low. Among graduate students, 4.8% were members of ACM and 8.7% were members of ICCP. Among the IT group, 4.5% were members of ACM (table no. 14).
Despite awareness of the organizations, only 5% of the graduate students and 5% of the IT workers who responded believed that their company adhered to any of the guidelines of these organizations (table no. 14). Neither gender nor years in the profession appeared to be factors in these responses. Perhaps differences would emerge in a larger sample.

Sub-topic 2 - Corporate Guidelines

Question no. 13: My company has a formal set of guidelines, other than those listed, relating to the ethical use of computers.

In response to this question, a large number of respondents indicated that they were unsure: 33.3% of the graduate students and 59.1% of the IT workers, 42.6% of all respondents, had no idea if their company had a set of formal guidelines. 38.5% of the graduate students believed that their organization had a formal set of guidelines, while only 18.1% of the IT workers did. These responses indicate that policies do not exist in many of these companies, or are not communicated clearly to employees. Neither gender nor years of experience emerged as significant factors (table no. 13).

Question no. 11: My company has the right to access personal computer-based information (such as e-mail messages) that I maintain at work.

The majority of graduate students, 56.1% (combining disagree and strongly disagree), disagreed with this statement. The opposite was true of the IT respondents, of whom 54.6% (combining agree and strongly agree) agreed. A substantial number of IT respondents disagreed or were unsure, indicating either a lack of procedural guidelines within the company or a lack of adequate communication about existing guidelines (table no. 12). Gender and years of service do not seem to be factors, perhaps because sample numbers are low.
Sub-topic 3 - Personal Ethical Practices

The findings in this section indicate that respondents tend to view unauthorized access to company information as more acceptable than unauthorized access to information about specific individuals. Despite the tendency of respondents to view access to individuals' information as unacceptable, a substantial number of respondents are unsure or feel that this is acceptable.

Question no. 7: It is acceptable to access computer-based information not required to do your job about your organization as long as no harm is done.

The largest share of graduate student respondents (42.9%) agreed with this statement; 9.8% were unsure and 29.2% disagreed. The IT responses were more mixed, with 31.8% agreeing, 27.3% unsure and 22.7% disagreeing (table no. 8). No strong indications emerged that gender or years of experience were factors (table nos. 15, 22). This may be due to the small sample size used for this study (table no. 15).

Question no. 8: It is acceptable to access computer-based information not required to do your job about fellow employees as long as no harm is done.

The majority of respondents in both groups disagreed or strongly disagreed with this statement. 67.22% of all respondents disagreed, with an almost equal percentage coming from each of the two sub-groups. A slightly higher percentage of students than IT workers responded in the unsure category (table no. 9). Neither gender nor years of experience emerged as a factor (table nos. 16, 23).

Question no. 9: It is acceptable for me to access computer-based company information about my confidential personnel records if I couldn't be discovered.

There was strong disagreement with this statement from both groups of respondents. 65.6% of the total population responded in the disagree or strongly disagree categories.
Interestingly, 45.3% strongly disagreed, indicating a firm ethical view on the part of many of the respondents (table no. 10). Gender did not appear to be a factor. However, it is interesting to note that among graduate students, all agree responses came from respondents 33 years of age and younger (table no. 10).

Question no. 10: It is acceptable for others in my organization to access computer-based information about my confidential personnel records that is not part of their job without my knowledge.

Both groups strongly disagreed with the statement: 77.8% of all respondents chose strongly disagree (table no. 11). A side note is that a percentage (14.7%) of the graduate population agreed with this statement. Gender was not a significant factor, although it is noted that the respondents who agreed were primarily male graduate students (26.7% of that group) (table no. 18). Further analysis found that the majority of individuals agreeing with the statement had been working in the profession less than 5 years (a total of 13.3%) (table no. 25). It is significant to note, however, that 100% of the IT group responded in one of the two disagreement categories, whereas there were responses in the agree and unsure categories in the student group.

Remarks and Implications

Several interesting findings emerged with respect to trends for the sample groups surveyed. Most respondents did not feel their company adhered to the major computing organizations' guidelines. They also reported a lack of company guidelines. The implication is that these employees are left to make decisions regarding privacy and access issues based on their own ethical views. "Ethical action comes from the decisions of individuals based on personal conviction." [10] While many of the respondents valued their own privacy as well as that of other individuals, others did not. Additionally, many respondents from other sub-groups felt that accessing company information was acceptable.
These variations indicate that respondents are likely to be making access decisions according to many different sets of standards in their everyday work. It is important to recognize that the findings cannot be projected onto a larger population. However, the fact that this issue exists within this small group raises serious questions. A significant number of the graduate students are currently working in metropolitan corporations. What ethical issues do they face in their workplace?

"...people who have been trained in engineering, computer science, and management information systems, frequently have little training in ethics, philosophy, and moral reasoning. Without a vocabulary with which to think and talk about what constitutes an ethical computing issue, it is difficult to confront these problems by drawing analogies." [11]

This leads one to question the integrity of the entire profession: whether it is healthy and appropriate to be perceived as a professional group with no quality standards that set up expectations which IT workers can have of one another and which others can have of them.

Discussions and Conclusions

The findings of this paper show that in both the corporate and student groups there is a serious lack of awareness of the ethical standards of the leading professional societies. Not only is there a lack of awareness of the specifics of these standards; few respondents reported that they even knew of their existence. Clearly, IT professionals are not looking to the profession, as embodied in the leading professional societies, for guidelines in making decisions regarding appropriate use of and access to information. This may in part be because the professional societies themselves are not offering the profession a unified set of standards. In his comparison of the four major organizations, Effy Oz found that among all four, while "some of the behavioral precepts are similar, others are not.
People who are members of more than one organization may wonder how they should act in certain circumstances. Furthermore, computer professionals are not provided with any guidance for cases of ethical conflicts." [12]

Guidelines, like laws, cannot anticipate every situation that may arise. "Laws are written to provide a shared understanding of what is considered 'right.'" [13] Even so, it is difficult "to think of all the exceptions when drafting a law. Even when the law is well written, its enforcement may be difficult. Thus it is impossible or impractical to develop laws of behavior acceptable to society. Instead, society relies on ethics or morals to prescribe generally accepted standards of proper behavior. An ethic is an objectively defined standard of right & wrong. In a given situation, however, several moral objectives may be involved, so that it is necessary for people to determine an action that is appropriate, considering all the objectives." [14]

The situation does not improve much when it comes to awareness of the ethical standards of one's own company. Finally, the observed differences in perceived ethical standards based on the age of the respondent most likely reflect a breakdown, or at least a shift, in commitment and adherence to ethical standards in the larger society.

This research, then, suggests that the ethical standards held by computer professionals (unlike those of physicians or lawyers) are perceived to be subordinate to the values stated (or implied) by one's company or organizational affiliation. This is in part due to the relative newness of the computer field. The reality of business life is that issues of ethical conduct, especially with something as amorphous as information, will all too often take a back seat to "bottom line" issues. The computer profession needs its equivalent of the physician's Hippocratic oath or the lawyer's or psychologist's client confidentiality principle.

References

1 David L. Carter and Andra J. Katz, "Computer Crime in America: Research Findings Fact Sheet," Michigan State University, November 1995.
2 David L. Carter and Andra J. Katz, "A National Survey on Computer-Related and Technology Crime," Michigan State University, October 1995.
3 Tom Forester and Perry Morrison, Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. Massachusetts Institute of Technology, 1990, 1994, p. 19.
4 Kelly J. Harris, "Computer Crime: An Overview," SEARCH Technical Bulletin, 1995, Issue Number 1, The National Consortium for Justice Information and Statistics.
5 David L. Carter and Andra J. Katz, "Computer Crime in America: Research Findings Fact Sheet," Michigan State University, November 1995.
6 Patrice Duggan Samuels, "Who's Reading Your E-Mail? Maybe the Boss," New York Times, section F, p. 11, 5/12/96.
7 Patrice Duggan Samuels, "Who's Reading Your E-Mail? Maybe the Boss," New York Times, section F, p. 11, 5/12/96.
8 Michael F. Cavanagh, "E-Mail Privacy: A Glass Almost Half Full," Computerworld, 3/18/96, p. 37.
9 Effy Oz, "Ethical Standards for Computer Professionals: A Comparative Analysis of Four Major Codes," Journal of Business Ethics, Vol. 12, No. 9, Sep. 1993, pp. 709-726.
10 K. Laudon, "Ethical Concepts and Information Technology," Communications of the ACM, Vol. 38, No. 12, December 1995, pp. 33-39.
11 K. Laudon, "Ethical Concepts and Information Technology," Communications of the ACM, Vol. 38, No. 12, December 1995, pp. 33-39.
12 Effy Oz, "Ethical Standards for Computer Professionals: A Comparative Analysis of Four Major Codes," Journal of Business Ethics, Vol. 12, No. 9, Sep. 1993, pp. 709-726.
13 Charles P. Pfleeger, Security in Computing. Englewood Cliffs, New Jersey: Prentice-Hall, Inc., 1989, pp. 501-506.
14 Charles P. Pfleeger, Security in Computing. Englewood Cliffs, New Jersey: Prentice-Hall, Inc., 1989, pp. 501-506.

Tables

SA = Strongly Agree   A = Agree   U = Unsure   D = Disagree   SD = Strongly Disagree

Counts are numbers of respondents; the % row is the share of all respondents (Grad + IT) in each category.

Ques. no. 1. It is acceptable to access computer-based information not required to do your job about your organization as long as no harm is done.

            SA      A      U      D     SD
  Grad       7     18      5      6      6
  IT         3      7      6      1      5
  Tot       10     25     11      7     11
  %        16%    39%    17%    11%    17%

Ques. no. 2. It is acceptable to access computer-based information not required to do your job about fellow employees as long as no harm is done.

            SA      A      U      D     SD
  Grad       3      5      8     14     12
  IT         1      3      1      7     10
  Tot        4      8      9     21     22
  %         6%    13%    14%    33%    34%

Ques. no. 3. It is acceptable for me to access computer-based company information about my confidential personnel records if I couldn't be discovered.

            SA      A      U      D     SD
  Grad       3      6      7      7     19
  IT         1      3      2      6     10
  Tot        4      9      9     13     29
  %         6%    14%    14%    20%    45%

Ques. no. 4. It is acceptable for others in my organization to access computer-based information about my confidential personnel records that is not part of their job without my knowledge.

            SA      A      U      D     SD
  Grad       4      2      2      3     30
  IT         0      0      0      3     19
  Tot        4      2      2      6     49
  %         6%     3%     3%    10%    78%

Ques. no. 5. My company has the right to access personal computer-based information (such as e-mail) that I maintain at work.

            SA      A      U      D     SD
  Grad       5     10      3      7     16
  IT         4      8      4      3      3
  Tot        9     18      7     10     19
  %        14%    29%    11%    16%    30%

Ques. no. 6. My company has a formal set of guidelines, other than those listed, relating to the ethical use of computers.

            SA      A      U      D     SD
  Grad       6      9     13      3      8
  IT         1      3     13      5      0
  Tot        7     12     26      8      8
  %        11%    20%    43%    13%    13%