This is not going to be a technical discussion but rather a
philosophical one. For those of you who feel philosophy has no place in
technology, feel free to leave and have a nice life. I, on the other
hand, feel that all undertakings in life need to be properly understood;
this includes not just the how, but also the why.
So this is no guideline of ethics but rather a discussion of why
ethical guidelines are needed. This is especially true of those who
possess a keen understanding of the technology of our world.
I say this because we are the alchemists of the information age. In our
world today we have 1's and 0's which are cars, houses, money, even
reputations, and just about anything else. Technology is so pervasive
that there is no one who is not impacted in some small way. All that
needs to happen for a person to go from being wealthy to not, is for
some 1's and 0's to change. Alchemists of ancient times sought to turn
lead into gold; this goal has never been closer to being realized than
in the current modern world.
I also use the term alchemist for another reason. To the vast majority
of people in the world today, what people like us do is almost magical.
In their daily life, anything which a computer says is the truth,
because computers don't lie. We on the other hand know that computers
cannot tell the difference between fact and fiction, they merely report
on what they think are the facts. So when we change these immutable
facts, people are amazed that we can make the infallible computer do
what we want it to.
But, as with all knowledge, it can be used for good or evil. Knowing
how to crack passwords is not in itself inherently wrong, it is the use
you make of the knowledge which results in order or chaos. Those of us
who protect information make use of the same tools and knowledge that
those of us who attack information use. In many cases it requires more
knowledge to protect than it does to destroy. Those who protect must
ensure that all the holes are covered, while those who attack merely
need to find one. It is also those who protect who most must understand
the why.
Now nothing of what I have said so far is new, we all recognize these
facts. The question I want to pose is: "Who do we serve?" Why do we
protect information? Why do we do the things we do the way we do?
I propose the idea that we protect people. When I say people I do not
mean that we always do what our employer tells us, I do not mean that
we always take the side of our users, or even that we always do what
our peers tell us. I mean that we serve people as a whole. We do not
only prevent attackers from attacking in, but we also prevent people
from attacking out. It means making the hard choices about what
freedoms to limit and which to allow. Making the hard choices about
what we can do and what we should do. There is no clear cut path, no
silver bullet for the problem. Why do we do this? Because if we do not,
we are no better than those who use what they know to attack others.
Even this choice carries its own pitfalls. When we protect we must
never fall into the trap of the self-righteous. We are there to serve,
not to spread fear or persecute. We are there to defend the people, not
to start a witch-hunt. Make no mistake, choosing to do the right thing
all the time is not easy. When you don't get that raise or bonus, but
it goes to the office brown-noser. When you are treated badly or
possibly even victimized for trying to do the right thing. There are
very few other professions that daily have to work with the object of
temptation, but yet not cross the line. Every time we sit in front of a
keyboard we have to realize that even though we could, we shall not.
As I said earlier, there is no easy recipe for this, each one of us has
to make their own choices, but I would like to share my own personal
checkpoints:
Be Honest
This is a simple but difficult one. On one side it means that we must
always tell the truth about what we do and find. More difficult is that
we must be honest with ourselves and others about what we can do and
why we do it. This is very important as our entire career is built not
on how much knowledge we have, but how much trust people have in us.
Without the trust of those you are trying to protect, you cannot do
anything. And always remember that you can undo years of trust in
minutes.
Be Understanding
We often deal with sensitive data and ambiguous circumstances in our
work. We need to realize that each instance is unique and requires a
new understanding of how to deal with it and resolve it. Never assume
you know it all and have all the answers. It also means remembering
what it was like to not know what we might currently know. Some will
know more, some will know less. Learn from the first, help the second.
Be Human
It is very easy to hold up a high standard of behavior, but most of us
will stumble in trying to follow it, anyone would. If we forget that we
are human we will become despondent and not carry on working towards
that standard. We need to realize that even when we or others may cross
the line, it is the attitude and perseverance of working towards that
high standard that counts.
Don't worry, I'm almost off my soapbox. The reason for going through
this is that many of us are not entirely honest about why we do what we
do. Some do it for power, a sense of prestige, a feeling of importance,
or many other things. No one's life is great all the time, we all have
rough patches. And it is in those times when we most need to do what is
right, and not being honest or doing things for the wrong reasons ...
well, suffice to say I think it makes things worse. I will finish with
two quotes...
"Let those who hunt monsters, be careful that they themselves do not become monsters. For when you stare into the abyss, the abyss stares back." --Friedrich Nietzsche--
"With great power comes great responsibility" --Ben Parker (from Spider-Man)--