Upload: oswald-walsh, posted 13-Dec-2015

TRANSCRIPT

BS3909 Week 9 1

Information Systems – Week 9

Last Week
» Information Systems Security and Control (see DTI reference on the website)
» Still to cover – Wireless networking

This week: Ethical & Social impact of Information Systems
» Based on lecture by Prof. Graham Wright
» Reading: Laudon & Laudon Ch 5 (7th ed Ch 15)
» http://www.bized.ac.uk/fme/6-12.htm

Discussion of Case Study for Exam

BS3909 Week 9 2

Security and Wireless Networking

Hot new technology – interesting new exposures!

Wireless LANs
» IEEE 802.11b is 11Mbps local area networking at 2.4GHz (802.11g raises this to 54Mbps in the same band)
» Access point may be built into router or ADSL modem
» Range is 100m (can be more for eavesdropping: an attacker with a high-gain antenna does not need to be on your premises)
» Access point name (SSID) is broadcast in beacon frames (unless you stop it)

Other wireless technologies
» Point-to-point (e.g. Bluetooth)
– Vulnerable to eavesdropping, and shares the 2.4GHz band with 802.11b/g, so can interfere with it
» Wireless WAN and satellite – OK if encrypted
– potential route for broadband to remote communities

BS3909 Week 9 3

Protecting Wireless LANs

Select “Wired Equivalent Privacy” (WEP)
» Security isn’t activated by default – need to turn it on
» Use the 128 bit key – “64 bit” really only uses 40 bits (both labels count the 24-bit initialisation vector, which is sent in clear with every frame; the secret part is 40 or 104 bits)
» Even so, WEP is now known to be broken: the 24-bit IV space is small enough that the RC4 keystream repeats on a busy network, and the key itself can be recovered from captured traffic. Treat it as a deterrent, not as encryption.

Don’t broadcast your network identifier
» Hiding the SSID only removes it from beacons; it still appears in clear in probe and association frames, so this is not a security control on its own

Restrict MAC addresses of cards that can access
» Not foolproof, as these can be spoofed (the MAC address is sent in clear in every frame, so an eavesdropper can simply copy an allowed one)

IEEE 802.11i coming soon – better security
» Security activated by default
» Part of key changes with time: per-session keys are derived from the shared secret, and per-packet keys (TKIP) or AES-CCMP protect the traffic, so the WEP keystream-reuse problem goes away
» http://www.embedded.com/showArticle.jhtml?articleID=34400002
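As an added worked example (my own code, not from the lecture or from any of its references), the following Python models WEP framing to show why the key-size labels are misleading and why the 24-bit IV is fatal. It implements plain RC4, builds WEP frames as IV || RC4(IV || key, plaintext || CRC-32 ICV), and then shows that two frames sent under the same IV leak the XOR of their plaintexts, so one guessable frame (an HTTP request, say) decrypts the other without the key. The key, IV and frame payloads are constructed for the demonstration; the birthday-bound helper assumes IVs are chosen at random.

```python
"""WEP keystream reuse: added example, not part of the lecture.

WEP encrypts each frame with RC4 keyed by IV || shared key, where the 3-byte IV
is sent in clear.  "64-bit" WEP is a 5-byte (40-bit) secret, "128-bit" WEP a
13-byte (104-bit) secret.  Whenever two frames are sent under the same IV the
RC4 keystream repeats, so XOR of the two ciphertexts equals XOR of the two
plaintexts, and knowing one plaintext recovers the other.
All keys, IVs and payloads below are constructed for illustration.
"""
import math
import zlib
from typing import Optional

IV_BITS = 24  # WEP initialisation vector length; sent in clear with every frame


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling, then keystream generation), as used by WEP."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (clear) || RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    assert len(shared_key) in (5, 13), "40-bit ('64-bit') or 104-bit ('128-bit') secret"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: strip IV, run RC4 with IV||key, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_target: bytes) -> Optional[bytes]:
    """Attacker: knows the plaintext of one frame; if another frame carries the
    same IV, its keystream is identical and the target decrypts without the key.
    Returns None if the IVs differ or the target is longer than the recovered
    keystream."""
    if frame_known[:3] != frame_target[:3]:
        return None
    icv = zlib.crc32(known_plaintext).to_bytes(4, "little")
    keystream = xor(frame_known[3:], known_plaintext + icv)  # C xor P = keystream
    target_body = frame_target[3:]
    if len(target_body) > len(keystream):
        return None
    return xor(target_body, keystream)[:-4]  # drop the target's ICV


def frames_for_iv_collision(probability: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Frames after which a randomly chosen IV has repeated with the given
    probability (birthday bound n ~ sqrt(2 N ln(1/(1-p))), N = 2**iv_bits)."""
    n_ivs = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n_ivs * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed "64-bit" key: 40 secret bits
    iv = b"\x00\x00\x2a"                        # constructed IV, reused by a careless driver
    known = b"GET /index.html HTTP/1.0\r\n"    # constructed: traffic an eavesdropper can guess
    secret = b"password=hunter2&user=gw"       # constructed: what we want to read
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)
    print("recovered without key:", recover_with_known_plaintext(f1, known, f2))
    print("frames until a random IV repeats (p=0.5):", frames_for_iv_collision())
```

With random IVs a repeat is more likely than not after roughly five thousand frames, i.e. seconds to minutes on a busy access point; with sequential IVs the whole 2^24 space is exhausted in hours and every frame after a driver reset starts again from the same value. This is the keystream-reuse weakness that per-session, per-packet keying in 802.11i removes, and it is independent of the key-recovery attacks that later made WEP keys themselves recoverable from captured traffic.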

BS3909 Week 9 4

So Why Take the Risk?

With adequate countermeasures, need not compromise security
Supports mobile workforce – bring authorized laptop on site and it is automatically connected
Facilitates “hot desking”
Avoids need to butcher buildings to install LANs (particularly valuable in older buildings)
Can be lowest cost solution

BS3909 Week 9 5

Data Security – Summary

Security is mainly about Risk Management
Need to understand what your assets are
Analyse their vulnerabilities
» People – error, fraud, sabotage
» Technical – failure, broadcast
Devise countermeasures to
» Minimize risk (virus check, physical security, no single points of failure)
» Recover when the worst happens (back-ups, journals, disaster recovery plan)
Audit security on a continuing basis
» Ensure understanding and “buy-in” by staff

84% of companies suffered a security breach in 2003

BS3909 Week 9 6

Ethics: Management Challenges

Understand Moral Risks of New Technology
Include Information Systems Issues in Ethics Policies
Ensure compliance with moral and legal guidance

Ethics: Principles of right and wrong used by individuals as free moral agents to guide behavior

BS3909 Week 9 7

Ethical, Social & Political Issues (diagram)

Five moral dimensions of Information & Technology: Information rights & obligations; Property rights & obligations; Accountability & control; System quality; Quality of life

Each is examined at three levels: Individual (ethical issues), Society (social issues), Polity (political issues)

BS3909 Week 9 8

Technology Trends & Ethical Issues

Computing power doubles every 18 months (Moore’s Law – twice as many MIPS for the $)
Advances in data storage
Advances in data mining techniques
» Data can include voice recognition, DNA mapping
Advances in networking lead to
» Opportunities for abuse: e-mail bombs, viruses…
» Invasion of privacy
» Spam

BS3909 Week 9 9

Ethics in an Information Society

RESPONSIBILITY: Accepting costs, duties, obligations for decisions

ACCOUNTABILITY: Assessing responsibilities for decisions & actions

LIABILITY: Must pay for legal damages

DUE PROCESS: Ensures laws are applied properly

BS3909 Week 9 10

Ethical analysis of Information

Identify, describe facts
Determine potential conflict
» Including opportunities for abuse
Identify values
» Privacy, due process, etc.
Who are the stakeholders?
Identify options
Examine potential consequences of each option
Make choices

BS3909 Week 9 11

Ethical Principles

Treat others as you want to be treated (the Golden Rule)
If an action is not right for everyone, it is not right for anyone (Kant’s categorical imperative)
If an action is not repeatable, it is not right at any time (Descartes’ rule of change)
Put value on outcomes, understand consequences (Utilitarian principle)
Incur least harm or cost (Risk aversion principle)
No free lunch

BS3909 Week 9 12

Information Rights

PRIVACY: right to be left alone
Right not to be hurt/disadvantaged by others
Fair Information Practices (FIP):
» No secret personal records
» Individuals can access information about themselves and may amend erroneous records
» Information to be used only with prior consent
» Managers accountable for damage done by systems
» Governments can intervene
» Principles behind UK Data Protection Acts

BS3909 Week 9 13

UK Data Protection Acts 1984 & 1998

Anyone holding personal data has to be registered with the Data Protection Registrar (now the Information Commissioner)
They can only use the data for the purpose permission was granted
Data Subjects have a right to see and have incorrect data corrected
Holders have to ask you before they pass on data to others

1984 Act applied only to computer data, 1998 Act extended rules to data in any form

BS3909 Week 9 14

Data Protection Principles in 1998 Act

1) Data must be fairly and lawfully processed
2) Data must be processed for limited purposes
3) Data must be adequate, relevant and not excessive
4) Data should be accurate
5) Data must not be kept longer than necessary
6) Data must be processed in accordance with the data subject’s rights
7) Data must be secure
8) Data must not be transferred to countries without adequate protection

BS3909 Week 9 15

Data Protection Principles I

Personal data:

1) shall be obtained & processed fairly & lawfully

2) shall be obtained only for one or more specified and lawful purposes

(1984 only) held for any purposes shall not be used or disclosed in any manner incompatible with those purposes

3) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

BS3909 Week 9 16

Data Protection Principles II

4) Personal data shall be accurate and, where necessary, kept up to date

5) Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose

6) Data must be processed in accordance with the data subject’s rights

BS3909 Week 9 17

Data Protection Principles III

7) Appropriate security measures shall be taken against unauthorised or unlawful access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data

8) Data must not be transferred to countries outside the European Economic Area without adequate protection

BS3909 Week 9 18

1984 Act Subject Rights Principle

An individual shall be entitled at reasonable intervals and without undue delay or expense –
» to be informed by any data user whether he holds personal data of which that individual is subject; and
» to access any such data held by a data user; and where appropriate, to have such data corrected or erased

This was principle 7 in the 1984 Act, but is buried in the new Act. Even so, remember it, as it impacts all system design

BS3909 Week 9 19

Additions in 1998 Data Protection Act

Paper records are now included

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
» (The USA was treated as OK at the time of this lecture under the EU-US “Safe Harbour” arrangement; that adequacy decision was struck down by the EU Court of Justice in 2015)

BS3909 Week 9 20

UK Human Rights Act 1998

Rights
» to life
» to liberty and security
» to a fair trial
» to marry
» to respect for private and family life

Freedoms
» of thought, conscience & religion
» of expression
» of Assembly and Association

Prohibitions
» Torture
» Slavery and forced labour
» No punishment without law
» Discrimination

Notes: rights are classed as Absolute, Limited or Qualified

BS3909 Week 9 21

Human Rights Act – UK

Effectively introduced (for the first time)
» a right to privacy and
» protection of the right to free expression

Act may be used to challenge employers’ right to pry into their employees’ private mail and email
» What should policy be about looking at employees’ computer data?
» Should we treat desk contents similarly?
» We need to establish position contractually

BS3909 Week 9 22

Cookies, Spyware and Privacy

Some outdated information… (not in handout)

[Slide shows the contents of a tracking cookie (“SSMBSuperCookie”) set by delphigroup.com: a URL-encoded record of the lecturer’s name, employer, e-mail, postal address and telephone number, illustrating how much personal data a cookie can carry in clear text]

BS3909 Week 9 23

Kent Anderson

Intrusions: International Patterns

“Close examination of the motivation behind intrusions shows several important international differences:
» In Europe, organized groups often have a political or environmental motive, while in the USA a more ‘anti-establishment’ attitude is common, as well as simple vandalism.
» In recent years, there appears to be a growth in industrial espionage in Europe while the USA is seeing an increase in criminal (fraud) motives.”

These differences are now fading

BS3909 Week 9 24

Council of Europe

In view of the convergence of information technology and telecommunications:
» Law pertaining to technical surveillance for the purpose of criminal investigations, such as interception of telecommunications, should be reviewed and amended, where necessary, to ensure their applicability.
» The law should permit investigating authorities to avail themselves of all necessary technical measures that enable the collection of traffic data in the investigation of crimes

This is the basis of the UK’s Regulation of Investigatory Powers Act 2000 (RIPA)

BS3909 Week 9 25

Regulation of Investigatory Powers

Data Protection Act 1984 gave government investigators access to all records except
» Certain privileged communication with lawyers
» Medical records

Also made it an offence for the Data User to tell the Subject about any such access

RIPA adds new powers, e.g. to
» require ISPs and phone companies to hand over communications records (traffic data: who contacted whom, and when)
» oblige people to provide encryption keys or decrypted material on demand (Part III of the Act; the onus of proof is on you to show you really have forgotten or lost the key!)

BS3909 Week 9 26

Hacking, Cracking and Viruses

Creator of “the Cornell worm” (Robert Morris, whose 1988 worm disabled a large part of the Internet of the day) was successfully prosecuted in the USA under the Computer Fraud and Abuse Act

Christopher Pile (aka The Black Baron)
» Charged with (and ultimately convicted of) unlawfully accessing, as well as damaging, computer systems and data by releasing a virus into a series of networks
» Sentence was 18 months, handed down in Nov 1995
» Pile is reportedly the first virus author ever convicted under the Computer Misuse Act 1990

BS3909 Week 9 27

“It’s an issue where if we move too quickly to ban the tools used by hackers, we may also ban the tools used by investigators”

John Patrick, vice president for Internet technology at IBM.

Not obvious how to halt abuse

BS3909 Week 9 28

Viruses

Urban Myth? Was the first virus released by a well known software house to stop people copying their software?

Is it right to sack an employee who introduces a virus into a company system?

Who needs bombs for economic terrorism?
» Just get your victim to run a program that comes with e-Mail – how Bugbear was carried
» Think how many viruses the College system intercepts

BS3909 Week 9 29

Intellectual Property

Intellectual Property is intangible creations protected by law
» Trade Secret: intellectual work or product belonging to a business, not in public domain
» Copyright: statutory grant protecting creator of intellectual property from copying or exploitation by others
» Trade mark: legally registered mark, device, or name to distinguish one’s goods
» Patent: gives owner exclusive monopoly to exploit invention for a period

BS3909 Week 9 30

Accountability, Liability & Control

Ethical issues: who is morally responsible for consequences of use of Information system?

Social issues: what should society expect and allow?

Political issues: to what extent should government intervene, protect?

BS3909 Week 9 31

Data Quality & System Errors

Ethical issues: when is a system or service ready for release?

Social issues: can people trust quality of software, services, data?

Political issues: should legislature or industry develop quality standards for software, hardware, data?

BS3909 Week 9 32

IS and the Quality of Life

EMPLOYMENT: trickle-down technology
» Job losses from re-engineering
» IT and telecomms make it easy to send jobs offshore

EQUITY & ACCESS: increasing divisions
» Remains an inhibitor to e-Government initiatives

HEALTH RISKS
» Repetitive stress injury (RSI)
» Carpal tunnel syndrome (CTS)
» Computer vision syndrome (CVS)
» TechnoStress: Irritation, hostility, enervation, fear
» VDU Radiation; microwave devices

BS3909 Week 9 33

Summary: A Corporate Code of Ethics

Information rights & obligations
Property rights & obligations
Accountability & control
System quality
Quality of life
Anything else you want to add?

BS3909 Week 9 34

BS3909 Assessment

Your assignment (50%) includes an individual element consisting of:
» Your individual contribution to the assignment presentation,
» plus a few questions to check that it’s really your work

The other 50% of the module mark is a formal exam in the assessment period
» 66% – two questions out of four, based on the Ganesh and Security Case study
» 34% – short questions on the rest of the module