8

Chapter 2
INTRODUCTION
The field of IT ethics is complex, and as technol-
ogy continues to evolve at an alarmingly-fast pace,
the ethical situations that arise are becoming so
complicated that it is no longer sufficient to simply
be a good moral person to resolve ethical issues.
One needs a framework for solving such complex
problemsa code or set of conduct developed by
experts, agreed to be used by a given community,
and applied in a standard and consistent manner.
When such a code is in place and applied in a fair
manner, then any reasonable person would agree
that justice has been carried out. Here by reason-
able person we mean a typical IT professional
who has good morals and meets societys norms.
In fact, this latter point is worth elaborating on
further, and we do that next.
Most of us instinctively know the difference
between what is right and what is wrong. And,
since this book is not a philosophy text, we take
a common-sense approach in the discussion here.
Ethics for the IT Professional
ABSTRACT
This chapter focuses on ethics for the IT professional. The learning objectives for this chapter are to
understand basic ethical principles relating to IT, to develop a framework that supports making informed
decisions regarding ethical problems, to apply an ethical code in typical situations, and to understand
future trends relating to IT ethics. The author includes material on each of these topics and also sections
with conclusions and references. After having mastered the material in this chapter, a reader will have
a much-better understanding of ethical principles relating to the IT profession. But, more importantly,
a reader will be able to make practical use of that knowledge by applying it in the workplace to solve
ethical dilemmas.
DOI: 10.4018/978-1-4666-0237-3.ch002
9
Ethics for the IT Professional
We all agree that it is a bad and unacceptable to
steal another persons laptop. In fact, such an
act is criminal and punishable by law. However,
not all situations are as clear cut, and there are
gray areas. That is to say there are ethical situ-
ations where two reasonable people might draw
different conclusions. Once an ethical problem
is discovered, the process of resolving it can be
very challenging and sometimes painful. Ethics
vary from place to place and country to country.
In some parts of the world using pirated software
or selling fake Rolexes is not considered a crime
by many people, and if it is against the law, the
law is certainly not enforced. Let us begin by
presenting a code of ethics in the next section.
This code will give us a basis for deciding when
an ethical violation has occurred.
CODE OF ETHICS
Introduction
Our goal in this section is to describe the well-
known Association for Computing Machinerys
(ACM) Code of Ethics and Professional Conduct
(ACM, 1992). We call this document the Code
for short. This Code is widely accepted in the
IT community and has been developed, refined,
and applied over many years. Other ethical codes
contain similar directives, so in understanding the
Code one will have a good handle on understand-
ing other ethical codes. The Code is divided into
four parts. It consists of eight ethical standards,
a set of nine principles that all computing profes-
sionals are to follow, a group of six statements
pertaining to those in leadership roles, and two
statements about expected compliance with the
Code. In the next four sections we go over these
four parts of the code. Our main focus will be on
sections 1, 2, and 4 of the Code. We start with the
ethical standards from the Code.
Ethical Standards from
the ACM Code
Figure 1 shows an abridged version of the ACM
Code of Ethics and Professional Conduct. In this
section we focus on the ethical standards. The
interested reader should consult the full Code
(ACM, 1992). The ethical standards in the Code
are as follows:
1.1 Contribute to society and human well-
being.
1.2 Avoid harm to others.
1.3 Be honest and trustworthy.
1.4 Be fair and take action not to discriminate.
1.5 Honor property rights including copyrights
and patent.
1.6 Give proper credit for intellectual property.
1.7 Respect the privacy of others.
1.8 Honor confidentiality (ACM Flier, 2011).
We use the same numbering as given in the
original Code so that a reader can easily refer
back to the original Code. The basic idea behind
each of these eight statements is self evident.
However we elaborate a bit on each statement in
the domain of computing. We should point out
that the Code itself elaborates substantially on
each point in the Code. The reader should refer
to the full Code for any statement that one feels
is not completely clear.
We start with statement 1.1 which says Con-
tribute to society and human well-being (ACM,
1992). This piece of the Code is where diversity is
addressed. In contributing to human well-being we
must respect all cultures and all people regardless
of their race, religion, color, national origin, sex,
age, marital status, physical handicap, political
beliefs or affiliations, and sexual preference. The
Code elaborates further: An essential aim of
computing professionals is to minimize negative
consequences of computing systems, including
threats to health and safety. When designing or
implementing systems, computing professionals
10
Ethics for the IT Professional
Figure 1. An abridged version of the ACM Code of Ethics and Professional Conduct. ( 2011 Associa-
tion for Computing Machinery. Used with permission.) The full version of the Code is available from
http://www.acm.org/about/code-of-ethics
11
Ethics for the IT Professional
must attempt to ensure that the products of their
efforts will be used in socially responsible ways,
will meet social needs, and will avoid harmful
effects to health and welfare (ACM, 1992).
Given the important of the computing profes-
sion to society and the manner in which it is
interwoven throughout the critical infrastructure,
people working in computing have an obligation
to society to design and implement systems in
socially responsible ways (ACM, 1992).
Statement 1.2 says Avoid harm to others
(ACM, 1992). This statement is obvious in the
sense that it is wrong to cause injury to others.
However in the context of computing the state-
ment means we should not do anything that would
result in a person, for example, losing computer
data, system time, or money due to the intentional
destruction or tampering with of computer sys-
tems. Consider the case where one releases a virus
which infects and damages a number of computers.
This act clearly is causing harm to others in that
they will need to spend time and money in order
to recover from the problem, and they will lose
productive time as a result of having their atten-
tion shifted to deal with the virus problem. One
can imagine a situation where a program still has
known bugs, but where engineers are pressured
to release the program because the company is
badly behind an already announced released date.
If the buggy program is a medical program that
distributes dosage information for drugs to remote
sensors, the potential for harm to its users could
be substantial. A programmer involved in the
project would face a serious ethical dilemma about
whether or not to make others, perhaps people
outside of the company, aware of the situation.
If ones superiors do not act to curtail or mitigate
such dangers, it may be necessary to blow the
whistle to help correct the problem or reduce the
risk. However, capricious or misguided reporting
of violations can, itself, be harmful. Before report-
ing violations, all relevant aspects of the incident
must be thoroughly assessed (ACM, 1992). And,
in this case, as in many ethical situations, there
may not be a completely clear answer about the
course of action that one should take.
Statement 1.3 says Be honest and trustworthy
(ACM, 1992). Again, we have a self-evidence
ethical statement, but in the context of comput-
ing the statement means that one should not lie,
for example, about the capabilities of a system.
One would, for example, violate this statement by
making security claims about a system which one
knew was not truly secure. Obviously, custom-
ers and consumers depend on IT professionals to
provide accurate and honest information about the
capabilities of computers, software, and related
systems.
Statement 1.4 says Be fair and take action
not to discriminate (ACM, 1992). In addition to
the usual implications of such a statement, in the
context of computing the statement means that no
one should be denied authorized access to comput-
ing resources based on race, sex, religion, age,
disability, national origin, or other such similar
factors (ACM, 1992).
Statement 1.5 says Honor property rights
including copyrights and patent (ACM, 1992).
In addition to the usual implications of such a
statement, in the context here this statement is
primarily referring to respecting copyrights and
patents of software and other computer-related
material. Unauthorized duplication of materials
must not be condoned (ACM, 1992). IT profes-
sionals should take a leadership role in respecting
the work of others.
Statement 1.6 says Give proper credit for
intellectual property (ACM, 1992). This state-
ment means that IT professionals must protect
intellectual property. Proper credit must be given
for someones ideas even in cases where the work
has not been explicitly protected by copyright,
patent, and so on (ACM, 1992).
Statement 1.7 says Respect the privacy of
others (ACM, 1992). In a computing environ-
ment one might have access to a wide range of
personal information and data. Such personal in-
formation and data should remain private and only
12
Ethics for the IT Professional
be monitored in accordance with the published
policies associated with the systems in question.
This information should be deleted at the appro-
priate times, as should old backup materials that
are no longer needed for official purposes. User
data observed during the normal duties of system
operation and maintenance must be treated with
strictest confidentiality, except in cases where it
is evidence for the violation of law, organizational
regulations, or this Code. In these cases, the nature
or contents of that information must be disclosed
only to proper authorities (ACM, 1992).
Statement 1.8 says Honor confidentiality
(ACM, 1992). The ethical concern is to respect
all obligations of confidentiality to employers,
clients, and users unless discharged from such
obligations by requirements of the law or other
principles of this Code (ACM, 1992).
We suspect that a reader who has not read
through an ethical code before learned an enor-
mous amount by going through these eight ethical
standards. There are many important ethical issues
that the Code addresses, which one probably would
not normally consider, until a problem arises. It is
better to be equipped with knowledge of the Code
before such problems arise. The Code gives IT
professionals a framework from which to make
appropriate ethical decisions. One can see from a
careful reading of the Code that as IT profession-
als we have many important ethical obligations to
colleagues, our employers, and society.
Principles that Apply to All
Computing Professionals
In this section we cover the second part of the
Code. Although this Code applies to the comput-
ing field, many of the statements in it also apply
directly to non-computing fields as well. Let us
begin by listing the items in the Code that apply
to all computing professionals.
2.1 Strive to achieve the highest quality, ef-
fectiveness and dignity in both the process
and products of professional work.
2.2 Acquire and maintain professional compe-
tence.
2.3 Know and respect existing laws pertaining
to professional work.
2.4 Accept and provide appropriate professional
review.
2.5 Give comprehensive and thorough evalua-
tions of computer systems and their impacts,
including analysis of possible risks.
2.6 Honor contracts, agreements, and assigned
responsibilities.
2.7 Improve public understanding of computing
and its consequences.
2.8 Access computing and communication
resources only when authorized to do so
(ACM Flier, 2011).
This section of the Code is fairly straightfor-
ward. It stresses excellence, integrity, and the
responsibilities of an IT professional. Let us take a
look at just one statement in detail; a reader should
carefully go through the other statements and re-
flect about their meanings in the context of comput-
ing. Statement 2.7 Improve public understanding
of computing and its consequences (ACM, 1992)
indicates that as societys most-knowledgeable
people about computing, IT professionals must
aim to educate others and help them understand
hard-to-grasp computing issues. When we say
hard-to-grasp, we mean hard to grasp for the
intended audience, not the IT professional. For
example, we have a responsibility to dispelling
any computing myths that may be plaguing the
public. We need to help inform the public about
privacy and security issues relating to computing
and the threat level for any given scenario. For
example, this effort might involve explaining the
concept of firewalls to a user to help illustrate to
such a user how one can better secure a computer
that will be connected to the Internet.
13
Ethics for the IT Professional
One should try to abide by these eight prin-
ciples, and from time-to-time one might find it
helpful to review them.
Leadership Imperatives from
the ACM Ethics Code
In this section we briefly describe the leadership
imperatives that are contained in the Code. Let
us begin by listing those items using the same
numbering scheme as in the Code. The statements
pertaining to leadership are as follows:
3.1 Articulate social responsibilities of mem-
bers of an organizational unit and encourage
full acceptance of those responsibilities.
3.2 Manage personnel and resources to design
and build information systems that enhance
the quality of working life.
3.3 Acknowledge and support proper and autho-
rized uses of an organizations computing
and communication resources.
3.4 Ensure that users and those who will be af-
fected by a system have their needs clearly
articulated during the assessment and design
of requirements; later the system must be
validated to meet requirements.
3.5 Articulate and support policies that protect
the dignity of users and others affected by
a computing system.
3.6 Create opportunities for members of the
organization to learn the principles and
limitations of computer systems (ACM,
1992).
The meanings of the leadership imperatives
are quite clear. For those readers who are in lead-
ership positions it is a good idea to follow these
statements and review them periodically.
Expected Compliance
with the ACM Code
In this section we describe the two rules pertain-
ing to expected compliance with the Code. They
are as follows:
4.1 Uphold and promote the principles of this
Code.
4.2 Treat violations of this code as inconsistent
with membership in the ACM (ACM, 1992).
The meanings and purposes of these two state-
ments are clear and require no further elaboration.
Summary
The ACM Code of Ethics and Professional Conduct
provides an individual with an ethical framework
in the computing field. The Code was developed
over a number of years and has withstood the
test of time. All professionals in computing fields
should know this Code and use it in their work.
The Codes framework can be used a basis for
resolving ethical conflicts. In the next section we
exam a couple of scenarios and apply the Code
to them.
ETHICAL SCENARIOS
Introduction
Now that we have a framework to use for solv-
ing ethical problems we take a look at a couple
of scenarios and apply the ACM Code of Ethics
to resolve them. As we walk through these ex-
amples, one can think of ethical situations that
one has encountered in the past and about how
one might have been able to use this framework
and the techniques described here to resolve those
situations more effectively. Once one has seen a
14
Ethics for the IT Professional
wide range of such cases, one can use these cases
to help in resolving new ethical dilemmas. Other
researchers have advocated a similar strategy to
resolving ethical situations through case analysis
(Quinn, 2006).
Pill-Dispenser Software
In this section we look at a hypothetical ethical
case involving software that calculates medicine
dosages in the form of the number of pills that a
patient must take each day.
Scenario
Suppose that one is working for an organization
which is developing the pill-dispensing software.
With the great advances in medicine the daily dos-
age is actually calculated based on the persons
blood analysis of the day, the persons weight on
a given day, the persons level of physical activ-
ity, and parameters that a doctor inputs remotely
to the patients record on a regular basis. The
development team is several months behind on
coding up the software, and the boss (Sally) is
asking that the product be released immediately.
One programmer (Louis) has been telling Sally
about an error in the code which over calculates
dosages in a few rare cases. In these instances this
over calculation results in a patient being told to
consume at most one or two unnecessary pills
per day. The bug in the system cannot be tracked
down but seems to be due to weird rounding er-
rors in one of the many complex formulas that
are included in the program. Sally decides that
the product should be released.
We apply the Code to this scenario and then
examine what actions Louis might consider. If
the software is released, it is clear that the prod-
uct does not contribute to the well-being of all
people (section 1.1 of the Code). In particular,
there are medicines which when taken in larger
than necessary dosages could be fatal or result in
undesirable side effects. The cost of the medica-
tion could also be a factor, as some medications
are expensive. Releasing software that has the
potential to injury some users is not in the spirit
of avoiding harm to others (section 1.2 of the
Code). If the software gets released, the company
is not being honest and trustworthy (section 1.3
of the Code) with consumers and perhaps other
constituencies as well.
We move on and apply to the second section
of the Code to this scenario. In releasing a product
that is buggy and harmful one is not striving to
achieve the highest quality, effectiveness, and
dignity in both the process and products of profes-
sional work (section 2.1 of Code). One does not
respect existing laws pertaining to professional
work (section 2.3 of the Code) by releasing a
product that endangers lives. One does not give
comprehensive and thorough evaluations of com-
puter systems and their impacts, including analysis
of possible risks (section 2.5 of the Code) by
releasing software with known bugs and hiding
information from consumers about these bugs.
In this case we see that there are at least half a
dozen places where the Code has been violated.
In this scenario we noted that Louis had already
informed Sally about the problem, but that she
insisted on releasing the product. What should
Louis do? Louis can approach Sally again and
show her the ethical violations that will be com-
mitted if they release the software. If that fails,
Louis can perhaps consult with a colleague at
the company or perhaps with Sallys supervisor,
of course, going over Sallys head could create
problems. Louis could document the problem
and its history in a report and distribute it to other
company employees. Note that Louis employment
could be in jeopardy depending on Sallys take
on the situation. If Louis absolutely thought that
more-drastic measures were required, he could
possibly take the case to the media. Louis best
options will depend on how-much evidence he can
provide which documents the bugs in the system.
15
Ethics for the IT Professional
Clearly, this situation is a difficult one to handle,
especially if Sally never comes around. Finding
the right steps to take and achieving the desired
outcome may not be possible for Louis without
suffering undesirable consequences.
Spying Using Monitoring Software
In this section we consider a case where a sys-
tems administrator installs monitoring software
on another employees computer in order to spy
on that person.
Scenario
The systems administrator (Leroy) and his girl-
friend (Jill) work together at a medium-size uni-
versity in the South. Jill has convinced Leroy to
install monitoring software on her boss (Tammy)
computer. Jill plans to find out if Tammy is really
planning to fire her, as has been rumored. One night
when Leroy is working late to install operating-
system patches he installs software on Tammys
machine which allows both him and Jill to watch
Tammys actions while on her computer and also
to read her email. The president of the university
(Greg) has become aware of the situation and
has been presented with irrefutable evident that
Leroy installed monitoring software on Tammys
computer, and that both Leroy and Jill have been
reading Tammys email.
We apply the Code to this scenario and then
consider what actions Greg might consider. There
are earlier parts of the Code that one could argue
Leroy and Jill violated such as be honest and
trustworthy (section 1.3 of the Code), but let
us go to the more-obvious violation of respect
the privacy of others (section 1.7 of the Code).
Clearly, the installation of secret-monitoring soft-
ware, reading a persons email, and monitoring
a persons actions online are all gross violations
of privacy. In monitoring another persons email
and online actions one is certainly not honoring
confidentiality (section 1.8 of the Code).
We move on and apply the second section of
the Code. In installing spying software Leroy is
not striving to achieve the highest quality, ef-
fectiveness and dignity in both the process and
products of professional work (section 2.1 of the
Code) for there is no dignity in spying on another
employee. In all likelihood the universitys policy
prohibits installation of spy software so that do-
ing so does not respect existing laws pertaining
to professional work (section 2.3 of the Code).
Leroy did not honor assigned responsibilities
(section 2.6 of the Code); he violated them by using
his position to install monitoring software. Leroy
did not access computing and communication
resources only when authorized to do so (sec-
tion 2.8 of the Code), but rather Leroy accessed
a system that he was trusted to safe guard to suit
his own unethical needs. Jill also violated section
2.8 of the code.
In the spying using monitoring software
incident we have more than a handful of Code
violations. Most universities have a policy for
dealing with such computer violations. Greg must
make sure that the appropriate hearing is given for
Leroy and Jill, and that they have an opportunity
to respond to the allegations. However in our sce-
nario the two were guilty of installing and using
monitoring software. The university should fire
both Leroy and Jill after conversations with the
universitys legal counsel. Individuals in positions
of power, such as system administrators, should
not commit (gross) ethical violations. There is
little hope that individuals such as Leroy and Jill
could ever be trusted again; and furthermore, it is
not a good idea to have individuals as unethical
as Leroy and Jill around young people.
The two scenarios examined in this section
both involved major ethical violations. It may not
be possible to diagnose all cases so easily. In the
pill-dispensing software scenario determining the
right course of action for Louis was extremely chal-
lenging. In the spying using monitoring software
scenario it was clear what action the university
need to take. In the next section we synthesize
16
Ethics for the IT Professional
the ideas presented here and provide a set of steps
that one can follow in order to apply the Code.
This process should help one be able to resolve
challenging ethical situations.
APPLYING THE CODE OF ETHICS
Before being confronted with an ethical dilemma
it is important to have an ethical foundation for
successfully resolving the situation. The ACM
Code of Ethics and Professional Conduct gives
us that foundation. In general, there are several
items that we can rely on for dealing with ethical
dilemmas. They are as follows:
Our own ethical foundation and background
Our own experience relating to ethical
situations
Our own specialized training or education-
al experiences in ethics
Available case analyses
The input from other members of ones
community
IT professionals as a group have a wide range
of ethical backgrounds and foundations and expe-
riences. For a moment we ask the reader to pause
and consider ones own ethical background and
experiences.
Is it strong?
Is it weak?
Where do the beliefs come from?
What ethical situations have been
encountered?
What emotions were involved?
Were the situations resolved in a satisfac-
tory way?
What areas need to be strengthened?
What specifcally can be done for one to
become more compliant with the Code?
If one has little educational background re-
garding ethics or little experience one will need
to rely on the Code and perhaps other community
members more heavily. In consulting with another
community member one needs to make sure to
preserve the confidentiality of a situation. And, in
some cases, it may not be appropriate to consult
with anyone.
Having assessed ones own background, hav-
ing taken any necessary steps to strengthen ones
foundation, and having developed an ethical
framework; one is well poised to handle ethical
situations. When a situation arises that does not
feel right, one should take the time to think through
situation. If there appears to have been an ethical
violation, one can go back to the Code and try to
map the situation to one of the statements in the
Code, as we did in the last section. In other words
one needs to understand the violation and be able
to categorize it in some way. If one is writing down
notes about such a violation, one needs to take
precautions to make sure that such information
remains inaccessible to others and remains confi-
dential. If appropriate, one may be able to consult
with a colleague or supervisor. Again, one needs
to be aware of and respect confidentiality issues.
Depending on ones role in an organization, one
may need to take correct measures or one may
need to report a situation. The latter steps should
be performed with great care. To the extent that
a situation permits, one should not rush through
any of the aforementioned steps, but instead, one
needs to carry out the steps with the utmost care.
We summarize the steps in figure 2.
Note that many ethical situations are unique
and will require a unique and delicate solution.
For example, one may suspect that a long-term
colleague has broken into another employees
email Inbox. The first tact to resolving this di-
lemma might be to have a frank discussion with
that colleague. Other violations may require im-
mediate action or reporting to ones supervisor.
17
Ethics for the IT Professional
For example, suppose that one has found that a
colleague is selling classified information to an
enemy state. Clearly, such a situation must be
handled immediately.
If one is troubled about an ethical situation,
one must take peace of mind in knowing that
one tried to follow the right course of action. In
particular, we may be put in awkward situations
by the dishonest acts of others. In resolving such
dilemmas we must keep in mind that a wrongdoer
placed us in a difficult situation to begin with by
inappropriate behavior. We were put in a situa-
tion where we were forced to confront a problem.
After resolving such a problem, it is natural for
some people to have swirling and uncomfortable
emotions, but we must move on and try not to
be troubled. Again, by acting fairly, justly, and
methodically, one can take comfort in knowing
that a situation was resolved to the best of ones
abilities.
Those in leadership roles have even greater
ethical responsibilities, and they might have to
resolve ethical situations completely on their
own. For leaders section 3 of the Code serves as
a useful set of guidelines for helping to educate
other group members about ethical rules and other
important items.
CONCLUSION
As of this writing, the ACM Code of Ethics and
Professional Conduct has been around for about
20 years. The Code is still relevant and provides
an excellent framework for resolving ethical
dilemmas. In fact, for some infractions, it would
be worth pointing to a particular section, which a
guilty party has violated, as a means of educating
that person. The material in this chapter gives a
reader the necessary practical tools to address
many ethical situations. Some situations can be
difficult to handle and can be troubling to resolve.
When confidentiality issues will not be violated,
one can consult with a colleague or supervisor.
Having such a sounding board can be useful. As
technologies, laws, and work environments con-
tinue to emerge and evolve, new ethical dilemmas
will arise. The methods described here can be
applied to those situations. We should point out
that there are a number of good books devoted
to ethics in the IT domain: A Gift of Fire: Social,
Legal, of Ethical Issues for Computing and the
Internet (Baase, 2008); Ethics for the Information
Age (Quinn, 2011); and Case Studies in Informa-
tion Technology (Spinello, 2002). And, for those
in supervisor roles we note that it is always worth
Figure 2. High-level steps for approaching and resolving an ethical dilemma. In each step careful thought
must be applied, and the consequences regarding any actions taken should be thoroughly considered
18
Ethics for the IT Professional
reviewing an organizations ethical policies with
staff members on periodic bases. Of course, new
staff members should be taught about an organiza-
tions ethical policies during an initial-orientation
session.
REFERENCES
ACM. (1992). ACM code of ethics and professional
conduct. Retrieved December 1, 2010, from http://
www.acm.org/constitution/code
Baase, S. (2008). A gift of fire: Social, legal, and
ethical issues for computing and the Internet (3rd
ed.). Prentice Hall.
Flier, A. C. M. (2011). ACM code of ethics and
professional conduct flier. Retrieved on April 5,
2011, from http://plone.acm.org/membership/
COE_Flyer.pdf
Quinn, M. J. (2006). Case-based analysis: A practi-
cal tool for teaching computer ethics. Proceedings
of the Special Interest Group on Computer Science
Education, (pp. 520524).
Quinn, M. J. (2011). Ethics for the information
age (4th ed.). Addison-Wesley.
Spinello, R. (2002). Case studies in Information
Technology ethics (2nd ed.). Prentice Hall.