Monday, March 31, 2008

Another data breach goes nearly unnoticed.

Vague topic this week, I'm under the assumption that I can basically choose anything involving ethics in computer science for this article. Link to the original assignment.

A recent incident of personal data being unintentionally released has occurred affecting 75,000 members of the public website for The Dental Network. The information contained full names, complete addresses, dates of birth, and social security numbers. This was reported by The Baltimore Sun on March 26th, 2008, even though the security breach happened February 20th, and the affected persons were informed by letter on March 10th, nearly three weeks later. Thousands of dollars in unauthorized purchases, accounts being opened and held for use at a later date, and many other illegal activities all could have happened before anyone was informed that they were at risk.

According to the Baltimore Sun: article,

“The company says that to its knowledge, no one has misused the information.”
The company has offered those who were affected 12 months of free credit monitoring, and sent information to these people on how to contact the credit bureau's and put a fraud alert on their account.
"We moved in a timely fashion to secure the data and notify the members,"
said CareFirst spokesman Michael Sullivan, but the article also mentions that
“[The information] had been posted on its Web site for two weeks in February because of a technical error.”

The Consumerist also picked up this article and added a few interesting points. They are critical of the companies offer of free credit monitoring services for a year, saying it's too short.
“Companies, is it really that expensive to offer 5 years, or 10 years, of credit monitoring to victims of your data security incompetence? Seriously, own up to your responsibility in exposing people to the risk of financial and credit problems and give them the tools they need to protect themselves. After all, it's your fault.”

This is a valid point. The company is at fault here, and the threat of identity theft due to this will not be gone in one year.

While on the website of The Dental Network, I could find no mention of the data breach, even though it is now only 3 weeks after the affected users were informed, and only 3 days after the article was picked up by The Baltimore Sun. The home page of the site is now displaying the message that:
“New Sales of Dental HMO Products Temporarily Halted in Maryland, Due to a technical issue involving the internal restructuring of The Dental Network (TDN).”

The company seems to be taking no responsibility for what has happened, instead trying to hide it away from people to attempt to maintain a semblance of security. Take a look and judge it for yourself, the website looks like it was created 10 years ago, and their policy for data integrity probably hasn't been updated since then.

It is the responsibility of The Dental Network to inform the people affected in this case. There is a state law passed in Maryland that requires businesses to respond promptly in the case of a data breach. It is my opinion that this company did not adhere to this law. The users in this case should have been given the positive right to privacy by the company, but instead it was broken, and the data was leaked. This clearly violates the ACM Code of Ethics, specifically section 1.7:
“Respect the privacy of others.”
The Dental Network should have been more diligent in securing the personal data of it's users, and much faster at noticing the breach and notifying it's users. There was a total of two weeks before the breach was noticed, and 3 more weeks before users were notified. That's 5 weeks were a potential criminal could have had access to this data. Five weeks is completely unacceptable.

UPDATE: I found the FAQ for the data breach. The data there isn't very helpful, and would likely only confuse and cause most people to ignore it. All of the information contained is about what you should do, the company seems to be doing nothing on it's own, therefore leaving the majority of people affected without any security against identity theft.

Thursday, March 27, 2008

U.S. Patriot Act causes ethical concerns for software developers

Here's the topic from the third paper:

“Pick an example from Chapter 2 or 5 and show if the people who built the software acted ethically according to Appendix A and your general sense of ethics.”


It occurs to me that I haven't noted which textbook we are using. It is A Gift of Fire, by Sara Baase, Third Edition.

Here's my paper, I tried not to include too much reference to the book, but it was needed for this assignment.

A good example of software that has been built upon questionable ethics is the software and procedures that the government uses to obtain personal information about suspected criminals.[1] “The U.S. Patriot Act, passed in the weeks after the September, 2001, terrorist attacks in the United States, gives authorities the means to secretly view personal data held by U.S. Organizations” from the article Patriot Act haunts Google service on www.theglobeandmail.com. This law conflicts with many other government's privacy laws, which require organizations to protect all private information, and also require that the consumer is informed when this information is obtained, regardless of the process, by a third party. According to the Software Engineering Code of Ethics and Professional Practice (Version 5.2) section 1.04 Software engineers shall, as appropriate “Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.” It is my argument that the U.S. Patriot Act causes the potential threat of private data being obtained by an outside party, in this case, the U.S. government, and that this causes an ethical dilemma for software developers, specifically in the U.S.

Some people have recently noted effects of the law. In the recent article posted on www.theglobeandmail.com, and also covered on boingboing.net, there is a discussion of how the U.S. Patriot Act affects the use of Gmail, specifically in countries outside of the U.S. The information obtained by Google when a user uses Gmail can legally be reviewed by the U.S. government under loose controls. Not only is the ethicalness of the U.S. Patriot Act in the regards to privacy put into question, but it also causes an ethical dilemma for software developers. If the government can obtain personal information about someone without a warrant, is it ethical for a software company to keep data about you without informing you of the potential breach of privacy? A well defined privacy policy such as Google's are likely to provide a clause for this situation, such as “We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.” It is my opinion that privacy policies are created to protect the organization, instead of to protect the end user.

Many people would argue that the privacy policy is a solution to the ethical issues prevented here, but I do not think that it provides a full solution. The majority of users will never read a privacy policy, and of those that do, many of them will not understand the complete implications of it. It's likely the privacy policy misses some small detail that is important to the user, or some situation that the writer completely overlooked. It would be nearly impossible for the writer to know the complete set of laws that govern their organization, especially with the recent globalization of Internet based companies. How far do you have to go in informing the end user of possible dangers of using the service for you to have done what can be considered ethical?

Unfortunately, I don't have a solution to this problem. Ethical guidelines dictate that you should inform the end user of all potential danger to them, and breaches of privacy clearly fall in this category. However, “because no matter what promises companies make (or what privacy laws Congress might enact), data leaks happen.”, so maybe that should be taken into account when writing up a privacy policy. If there is a distinct possibility of a third party obtaining a user's personal data without the permission of that user, the software developer should make this information apparent to all of it's users. It doesn't matter if the third party is a government, or someone malicious looking to steal your identity, it still constitutes a breach of privacy, and the user needs to be informed.

Monday, March 24, 2008

Security through Open Source

Topic for paper number two:

Write a “Short paper on a computing technology of your choosing introduced in the last 30 years that you believe has been used unethically. Include references and cite from the Codes of Ethics in Appendix A.”



There have been many new computing tools introduced in the last 30 years, some even earlier, that have been used unethically. Usually these tools have legitimate and legal reasons for being created, but often these tools can also be used for questionable or unethical behavior. The UNIX security scanner Nmap has many legitimate uses, and comes installed on almost all Linux systems. However, even a program this widespread can be used for black-hat purposes.

A more recent example (Nmap was created in 1997), came up in an article on Coding Horror entitled A Question of Programming Ethics. A program called G-Archiver was found to contain code that used a hard coded email and password to send an email containing every username and password that entered into the software back to the creator of the program. This was a huge breach of trust between the author of the program and it's users. Luckily, a good hearted programmer had looked into the source code and found this, and instead of abusing what he found, he deleted all of the emails in the account, changed the password, and sent a message to Google asking them to delete the account.

There is no way to know exactly how many people could have found this before the security flaw was exposed, and instead of doing what this person did, stayed quiet and used the stolen information for their own purposes. Since the source code was easily examined, this flaw was found, but imagine how long this could have occurred if the source was not accessible. This brings up the topic of security through openness.

By completely exposing what your program does, the end user has a way to ensure your program only does what you say it does. However, this also allows the end user to more easily find vulnerabilities in the software. Having an open source program forces the programmer to understand these risks, which also helps to avoid poor decisions such as using security through obscurity. This could be interpreted to apply directly to Principle 1.04 of The Software Engineering Code of Ethics: “Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.” How can you disclose any more information about your software than releasing the full source code?

There will always be tools created for completely legitimate purposes that will be converted into tools for unethical uses. Something as simple as a match can be used for many ethical uses, but it could also be used to burn down a house. The only thing that you as a programmer can do, is make sure that you make ethical decisions; you don't get a choice of what your users will do.

Wednesday, March 19, 2008

Google's role in the spread of Information

I'm taking a class at WPI this term called "Social Implications of Computing" where everyone is required to write a short paper on topics relevant to ethics and information processing. I plan to publish all of them that are at least remotely interesting.

With all of that out of the way, here is the first one:

One page paper on a point you choose to make about the statement:
"Google brought information to the general public."


Google did not bring information to the public, they have only made information more easily accessible to the general public. Information has been around forever, so to say that Google was the first to bring information to the general public is incorrect. Google is also not the only way to get the information that is on the Internet, there are many other search engines which index the same information.

It would be hard to make the statement that any search engine has brought information to the general public, since that search engine could easily be replaced by any other one. To put this in context, a Internet based company that I would say has brought information to the general public is Wikipedia. It has a publicly available, regularly updated, central source of information about a massive amount of topics.

Information has been available to the public in so many ways, from storytelling to printed information; including newspapers, magazines, and books. However, there was no central place to collect and store the information contained in these mediums. The Internet provided this, Google and other search engines exist to index this information and make it much easier to find what you are looking for.

More recently, Google has provided more access to the data they have already collected, through it's multitude of API's. However, even though this information is available to the general public, it is almost completely currently used by software developers, not the general public. This opens up a new aspect to the question, since Google is now a place to obtain information from. An interesting use of this information can be seen at a project called googleDrive, which allows you to drive a car on top of a simple overhead map pulled from Google Maps.

In conclusion, I would argue the point that “Google has brought information closer to the general public.” Information is not provided to you by Google, you must use it's service to find the information you are looking for. Google is a great service in this regard, since it allows a user to find and retrieve the information they are looking for in a matter of seconds, a speed which would have been nearly unthought of until recently in the past.



PS: googleDrive was made by Samuel Birch. It's fairly simple so far, but I am happy to see more people using the data that they already have available to them.

Someone should work on an openGL version using street view, maybe a street racing simulator, or just so you can get familiar with the location without having to waste gas.

EDIT 3/24/08: Fixed a typo