Big Brother's Spyware
Hypothetical Case Scenario:
Steve Stevenson, a security consultant for FF Consulting, has been asked to analyze the data gathered by a commercially available spyware program called Big Brother V.2 for the Fortune 500 company Popular Inc. Popular installed the spyware on all of their employees' computers without notifying their employees that they were being monitored. They suspect but have no proof that a number of employees are selling trade secrets to other corporations. Stevenson has been contracted to develop the software that will filter keystroke logs based on a rule set of keywords. Popular has provided a list of words they believe will be useful to search for. This list includes words such as: source, DivX, private, secret, money, trade, selling, resume, offer, salary, LongHorn (the next generation Popular product), MP3, and words associated with pornography. Stevenson has concerns about his professional obligations and has come to you because he knows you have taken a course in computer ethics.
After the tragic events of September 11th, the concept of personal privacy in the workplace is being redefined. Many larger corporations have installed web monitoring and keystroke logging software on the computers of their employees, often without their knowledge or consent. Even the United States Judiciary branch was monitored for some time in 2001 to determine fair use of their computer systems. Wide-reaching legislation has been passed regarding criminal searches, essentially allowing the FBI to install keystroke-logging software on a suspect's computer without a wiretap order issued from a judge. The software would then monitor keystrokes and transmissions on the computer and store them for future review. This is especially useful in the law enforcement sector when determining passwords of suspects that are using encryption to protect their sensitive information. The ethical implications of these developments are frightening and have massive potential for abuse. Some organizations are calling for "stronger government regulation of employee monitoring activities". As an employee of FF Consulting and a professional software engineer, there are several major ethical issues that must be confronted to fully understand the compromise between privacy and security in the workplace.
While employees are at work, they are using resources and materials that belong to the company, and it would naturally be in the company's best interest to make sure that they are being used responsibly and properly. This is an important legal distinction to make since the owner of the computer forms the basis of exactly what kinds of monitoring the employer can legally obtain and use. Methods such as telephone monitoring, computer monitoring for content, idle time, and even screenshots of the desktop are possible. Monitoring technology has been available for quite some time, but was not widely used until after September 11th. With commercial packages such as Big Brother v2.0, Investigator 3.0, and believe it or not, even one named Back Orifice, everything that the employee does at his or her terminal can be logged for future reference.
The ethical implications of keystroke monitoring software are surprising because employers are not legally required to disclose their computer monitoring practices, and many don't even have a written policy available to the employees. This is deceptive because many employees assume a certain degree of privacy while checking their personal email, as well as while using instant messengers such as ICQ or AOL's Instant Messenger. While many businesses employ video surveillance as a deterrent, they are legally bound to display a notice to the public who will patronize their business, as well as to the employees working there. It is also illegal to record someone over the telephone without his or her consent in the private sector, but not in the workplace. Computer surveillance in the business environment would serve as a much better deterrent to unfair use if the employees knew they were being monitored. Monitoring computer resources without prior notification is in violation of the Privacy for Consumers and Employees Act of 1993, and should definitely be reported, no matter what the circumstances.
The stakeholders in the above scenario include Stevenson, whose job could depend on making the right decisions. Other parties involved include Stevenson's employer, FF Consulting; Popular, the contractor of Stevenson's company; the employees of Popular; and the public. Stevenson's actions will reflect on his company's reputation. The employees of Popular clearly are the most vulnerable of all the stakeholders because they have the most to lose, and have the least decision-making power.
In the case of Popular, the corporation has installed and monitored their employees without any prior notification in order to catch the individual they believe is responsible for selling trade secrets. After running this program for a certain amount of time, they were able to compile a large amount of raw data concerning the actions of their employees. The keywords Popular provided to Stevenson included appropriate words such as LongHorn, the codename of their next generation product, cash, and payoff. The dilemma for Stevenson is that the list included other keywords, such as Mp3, DivX, resume, salary, sex, offer, ACLU, GOP, and Jesus, that have nothing to do with selling trade secrets or protecting the company's information. Information on keywords such as these will give Popular insight into who might be leaving the company soon, as well as those who are casually looking for jobs. Such a list would be important in our current economic state and would give Popular a list of employees that could be laid off. This is the essential conflict for Stevenson: violating users' privacy, violating the law, and possibly costing several employees their jobs, versus performing the contract for Popular according to their specifications.
Stevenson has several options available to him, ranging from refusing the contract and informing the employees of the monitoring, to performing the contract with no questions asked, despite his reservations. These two options are the widest in scope, but there are many options in-between that are more ethical and still allow Stevenson to fulfill the contract to the best of his ability. Stevenson could modify the list of keywords that Popular provides to include only appropriate keywords, and then perform the filtering without notifying the company of the changes. He could also notify employee rights organizations of the monitoring, filter the keywords list, and then perform the contract. While it is certain that Popular is using the monitoring software to their advantage, there must be criteria for evaluating the importance of certain keywords on the list, and Stevenson should make every effort to understand why those words are being included.
As a professional software engineer, Stevenson subscribes to the Software Engineering Code of Ethics, which has several points that would help him in consideration of his dilemma. Topics covered in the SE Code of Ethics on a professional's responsibility to the public include acting for the public good (SE 1.02), and disclosing potential dangers to the users (SE 1.04). These two statutes defend his option to disclose the monitoring to the employees.
In Stevenson's relationship to his client and employer, the following SE Code of Ethics statutes could be applied: identifying and reporting causes of social concern (SE 2.07), keeping confidential information private (SE 2.05), and using authorized property (SE 2.03). These imply that he should not modify the keywords list nor should he inform the employees that they are being monitored.
Privacy issues are also covered in the Product Principle section of the code of ethics. In statutes 3.12 and 3.13, the code of ethics implies that a professional should not use data that was obtained unethically or illegally and should develop products that respect the privacy of the users. This is a gray area in the application of this code because although Popular's monitoring of their employees is unethical, it is not illegal according to our current laws.
The Professional Principles of the SE Code of Ethics also contain several statutes that apply to Stevenson's reservations about the keyword list. He should discuss his reservations with his client (Popular) before fulfilling the contract. Both 6.12 (Express concerns about violations of the code) and 6.13 (Report significant violations of this Code to appropriate authorities) apply to this scenario.
Upon weighing these possible alternatives, we feel that Stevenson should discuss the keyword list with his client and try to convince them not to include the inappropriate words in their search. He should even show them the related sections of the SE Code of Ethics. Perhaps that would be enough persuasion for them. He can then base his next decision on the company's response. This is the most direct approach and though it probably precludes him from using the reduced list without telling them, it still leaves open options to notify the employees and/or privacy groups, walk away, or even acquiesce if they can convince him of their reasons for the list.
The scenario presented in this paper is one of current concern for today's post-9/11 software engineer: balancing security with privacy. The case is complex and no simple alternative will please everyone. As a professional, Stevenson realizes that he should apply the SE Code of Ethics; however, he is torn between the obligations to his client (Popular), who is pressuring him to deviate from the code, and the interest of the least empowered, the employees. Though Stevenson's alternatives range from accepting the contract with no questions asked, to refusing to accept the contract and informing the employees that they are being monitored, it seems that the best alternative for Stevenson is to discuss the keyword list with his client and then to base his decision on the response that he receives.
Copyright 2002 Travis Carrell, Dan Fetters, James Ivey, Shannon Turner, Brian Andes, Derek Peters
Employee Monitoring: Is There Privacy In The Workplace?
http://www.privacyrights.org/fs/fs7-work.htm February 18, 2002
FBI May Use Keystroke Recording Device Without Wiretap Order. February 18, 2002
ACLU In Brief: Electronic Monitoring
http://www.aclu.org/library/pbr2.htm February 18, 2002
Software Engineering Code of Ethics
http://seeri.etsu.edu/Codes/TheSECode.htm February 18, 2002
EPIC Workplace Privacy Page
http://www.epic.org/privacy/workplace/default.html February 18, 2002
http://www.nwinternet.com/~pchelp/bo/bo.html March 25, 2002
http://bb4.com/ March 25, 2002
Spyware is keystroke-logging software that can search keystrokes to find predefined words set by an administrator.
 For more information see http://www.epic.org/privacy/workplace/default.html
Back Orifice: A remote administration tool that allows a remote operator anywhere on the global Internet to gain access and do almost anything you can do on your computer -- and some things you can't do -- all without any outward indication of his presence. See the references.