Security

When Ethics and IT Collide 414

jcatcw writes "IT workers have access to confidential data, and they can see what other employees are doing on their computers or the networks. This can put a good worker in a bad predicament. Bryan, the IT director for the U.S. division of a German company, discovered an employee using a company computer to view pornography of Asian women and of children. He reported it but the company ignored it. Subsequently the employee was promoted and moved to China to run a manufacturing plant. That was six years ago but Bryan still regrets not going to the FBI. Other IT workers admit using their admin passwords to snoop through company systems. In a Ponemon Institute poll of more than 16,000 U.S. IT practitioners, 62% said they had accessed another person's computer without permission, 50% read confidential or sensitive information without a legitimate reason, and 42% said they had knowingly violated their company's privacy, security or IT policies. But in the absence of a professional code of ethics, companies struggle to keep corporate policies up to date."
This discussion has been archived. No new comments can be posted.

  • by Stormcrow309 ( 590240 ) on Wednesday September 12, 2007 @12:00PM (#20573987) Journal

    If it was like the PMP, CMA, CPA or other professional certifications/licensure that industry requires for certain jobs, then code of ethics violations would mean loss of certifications/licensure. That would weed out all those unethical assholes in IT.

  • I faced a quandary (Score:2, Interesting)

    by Anonymous Coward on Wednesday September 12, 2007 @12:00PM (#20573991)
    When I was sysadmin for a small company years ago, I discovered shortly after installing ProxyServer in our Exchange machine that the boss (or someone???) had been surfing porn on his machine. I was delicate, mentioning in a private moment that we (sysops) could see exactly what sites had been visited, on which machine, and who was logged in at the time. We never spoke of it again. I later left the company voluntarily, under no duress.

    Probably a million stories similar to mine...
  • by arivanov ( 12034 ) on Wednesday September 12, 2007 @12:13PM (#20574261) Homepage
    The article is missing some bits that are of interest here.

    Was the employee German or was it all happening in the USA? If the employee was German, was the policy compliant with German privacy legislation and were the employees correctly informed about it and warned about its enforcement as required by German (and EU) legislation?

    Based on personal experience with Americans rolling out nannyware around Y2K I somehow suspect that none of that was done and if the employee was not in the USA and not American the logs were inadmissible as evidence for an employee tribunal. This was the general state of the industry around Y2K and is still the state in many USA companies operating abroad.

    Further to this, I am a great fan of the maxim: do not start a fight unless you bloody well want to finish it. So if the guy raised the alarm at all he should have followed it through. The excuse about slump seems pretty lame to me. A settlement in a constructive dismissal for leaving due to the company accepting child porn as normal behaviour would have probably netted him more money than his salary all the way through the slump. So I suspect he simply did not have the evidence correctly untainted to be used in Germany in the first place.
  • by Surt ( 22457 ) on Wednesday September 12, 2007 @12:16PM (#20574315) Homepage Journal
    It's not uncommon to have a higher ethical obligation to provide food, for, say, a child, which takes precedence over your ethical obligation to quit rather than work unpaid overtime. If the OP is basically incompetent, he may not have any additional job choices which would allow him to fulfill the first obligation in order to satisfy the second.
  • by Billosaur ( 927319 ) * <wgrotherNO@SPAMoptonline.net> on Wednesday September 12, 2007 @12:20PM (#20574411) Journal

    Theoretically, ethics start with your parents. You get your original ethics template from them by watching what they do. You can try to overlay a code of ethics over that, and if the individual is flexible enough it might help reinforce the need for security or override a natural tendency to want to violate the rules, but more often than not a code of ethics is just so many words. It's up to the individual to determine right from wrong in their own mind, based on personal and societal cues. If someone is going to snoop through company data, they're probably going to do it. If they discover something illegal in their snooping, they're going to have to weigh their ethics against the ethics of those perpetrating the illegal action.

  • It's not just IT (Score:3, Interesting)

    by Merenth ( 935752 ) on Wednesday September 12, 2007 @12:21PM (#20574429)
    This isn't specific to IT, but it happens a lot.
    Most newbie Admins poke around in places they shouldn't soon after getting heightened access to the systems.

    Almost anyone, in any career where they have access to sensitive information, ends up abusing it to some degree.
    Doctors, Nurses and medical records people read the files of friends or relatives all the time, and that's certainly illegal.

    Also, if you come across that kind of stuff in your routine work, you are actually required by law to report it to the police.

    After 15+ years in IT, all data looks the same to me.
    I can help someone adjust the font on a document and not even notice what it says.

  • by cerberusss ( 660701 ) on Wednesday September 12, 2007 @12:26PM (#20574529) Journal
    I don't know where you live, but in my country the employer has to state in advance that usage of PC equipment and internet resources can be spied upon. Otherwise viewing porn at work is not a firing offense.
  • by UncHellMatt ( 790153 ) on Wednesday September 12, 2007 @12:26PM (#20574533)
    Not too many years ago I worked for a "web startup" (i.e. small company founded by Harvard MBA who smoked lots of weed, drove a VW, and was out to "save the world") as IT manager. As the market tanked, the CEO became more and more concerned for the future of the company and with good reason! We'd gone from regular upper 6 figures per month to less than half that, with three locations whittled down to essentially one and a half. Many employees left for greener pastures.

    When things REALLY started to go downhill, the CEO asked me to intercept any emails between current and former employees, and then "hinted" that since so many of our clients had their email hosted on our email server, couldn't I do the same with them. I know that, legally, he had the right to get access to current employee email, and any former employee whom he had granted continued use of our email system (not sure on that last bit, IANAL). But asking me to, or suggesting I should allow him to, read client emails was a final straw. While he may have the "legal right" to read employee emails, it left a very bad taste in my mouth. Suggesting I allow him to read clients' emails? It was like licking a rat. At the end of the day I had to go home and see myself in the mirror, and I knew that reading other people's personal, private emails was something so abhorrent. (Rimmer: "Lister, that is my private, personal, private diary; full of my personal, private, personal things." Cat: "It's gone public.")

    Now all that said, at another job, myself and some other IT workers suspected one of the devs of possibly being a pedo. We didn't read his emails, we didn't pore through his computer (which we could easily have done), but we did put google to good use, and at one point we did packet sniff where he was browsing. Was I proud of that? Well, actually yes. If he HAD been looking at kiddie porn, if he HAD been a sexual predator, being a father how could I stand back and not try to do something? It turned out he wasn't a diddler, just... Really really really really creepy.

    It is a very fine line between "ethical" and "non-ethical", it can be very hard to judge which is which, and everyone will have their own opinions. But in the end you have to live with yourself, and certainly I'm not qualified to decide right and wrong, nor pass judgment. If I had my way, anyone who sold a poorly made curry would be strung up and boiled in oil.
  • by King_TJ ( 85913 ) on Wednesday September 12, 2007 @12:31PM (#20574631) Journal
    I follow your logic, but I still disagree.

    Privacy is a rather "slippery" thing. The U.S. Constitution never specifically guarantees anyone a "right" to privacy. Neither do any of the Constitutional amendments. It's more of an "implied" individual right, subject to interpretation. (Just being defined as a "figure in the public eye" can drastically change your ability to sue someone for publishing photos taken of you without your permission, for example.)

    Ultimately, I think people only retain the amount of privacy they're willing to fight to maintain.

    So yes, in the workplace it's understood that legally, when push comes to shove, the employer will prevail in the courts if they decide to snoop around on the computer assigned to you. That doesn't mean the I.T. staff should go around disrespecting people's privacy on a regular basis, just because "the law lets me do it".

    The law says it's ok for me to sit on our mail server and start opening up people's mailboxes, reading the contents of all their email too. As an employee, would you really be ok with that, knowing I was doing that all the time at your business?

    I know, as an I.T. admin myself, I'm constantly trying to do my job, while still respecting people's privacy (whether it's legally protected or not). To me, it absolutely comes down to "ethics". I understand that despite what the *law* says, people still feel like the company property assigned to them for their use during the workday is *generally* not subject to snooping. That's why we have logins with passwords on them, and email isn't just collectively sent out under a heading of the company's name. (The Internet connection and mail servers might be owned by your employer, but they don't really own your thoughts, put into writing, in individual emails, right?)
  • by jafiwam ( 310805 ) on Wednesday September 12, 2007 @12:34PM (#20574685) Homepage Journal

    view pornography of Asian women and of children.
    Does it mean;

    - Asian women, men in porn
    - Asian children in porn

    Or, does it mean;

    - generic Asian porn
    - generic pictures of kids in NON porn situations like one might run across if one were looking into culture of the far east.

    You can like Asian women and seek out that sort of porn without liking Asian children in porn.

    There is a HUGE difference between porn at work (a common thing) and KIDDIE porn at work. One is just something you can get fired for. The other is a felony.

    The phrasing in the summary seems to imply the latter is what is going on, in which case you need to check your morals at the door and adopt whatever the company says is OK. (And that seems to be that a bit o-boobies searching is fine since the HR department didn't do anything about it.)

    Just because YOU don't like porn of adults, doesn't mean you need to be bugging the FBI about it. If it was real child porn YOU ALREADY COMMITTED A CRIME and acted immorally by not going to the cops with the information.
  • by plague3106 ( 71849 ) on Wednesday September 12, 2007 @12:35PM (#20574703)
    Except of course that you're wrong. Courts have upheld the right to use company phones for occasional personal use. Recently, they have ruled similarly for the web or email (I can't remember which). I also don't ever recall a court allowing a company to spy on telephone calls, even though they owned the equipment.

    You don't lose your rights when you enter a workplace.
  • by archen ( 447353 ) on Wednesday September 12, 2007 @12:42PM (#20574853)
    What kind of soulless bastard needs a written code of ethics to know what's right and wrong? Who really thinks that snooping around other peoples' data is the right thing to do?

    Most of us do. But then again a LOT of us have lapses and moments of weakness. I mean if you know there is some really good dirt being shot back and forth via email and you log all email it's really tempting to just snoop through it to kill some boredom. Sometimes just reading a piece of paper on the wall can help you keep your focus.

    I'm an I.T. Manager and it's sort of tough sometimes. For me personally I'm having a bad time in my life and I have this vicious streak that emerges many times a day - and that isn't helping. I have the ability to see every website they visit, everything they do on their PC, and can see every email received and sent. I can also access pretty much every file on every machine in the company. That's a LOT of responsibility. And I honestly don't snoop through any of it - it's kept for security/legal reasons. Monthly I wrap it up in 256-bit AES encryption on a DVD and that's it. I think most I.T. people are actually pretty honest as well as far as the ones I've met. I mean I'd hate to see what the assholes in sales would do if they had as much power over the company as I had. heh, I actually just cringed.
  • Re:It's simple (Score:3, Interesting)

    by Maximum Prophet ( 716608 ) on Wednesday September 12, 2007 @12:46PM (#20574931)

    The capitalist economic system, with all its little trappings, is about war. That's why Sun Tzu's book is one of the top selling books for executives.

    What you are confusing is the Adam Smith style capitalism with the Monopolist practices of modern upper management.

    Capitalism isn't war, it's more like a race. Even though you are trying to win, there must be other competitors for there to be a race. Imagine Lance Armstrong tried to have a bike race where he was the only entrant. What would be the point?

    That said, reading Sun Tzu would help you play the game of "Risk", but no-one would confuse a game with a real war.

    We don't live in a Democracy, but we realize that Democracy is a good idea. (I'm talking about the US's Federalism) We don't live in a truly Capitalist system, but we realize Capitalism is a good idea.

    As far as dropping out, go for it. Read Don Lancaster's "Incredible Secret Money Machine" for a method of dropping out while staying in the system, read old issues of "The Mother Earth News" for descriptions of people who have truly gone off grid and "dropped out".
  • by athdemo ( 1153305 ) on Wednesday September 12, 2007 @12:51PM (#20574999)
    70% huh? You know, 87.395% of all statistics are made up on the spot.

    Sure, coworkers may do it, but do you really think that makes it alright? Not saying I have anything personally against porn, but it still doesn't make it alright. I don't see why it's so hard to understand that from the perspective of the company, they're paying you to do work, nothing else, and certainly not to look at porn.
  • by GigaHurtsMyRobot ( 1143329 ) on Wednesday September 12, 2007 @12:56PM (#20575091) Journal

    Many years ago I worked as a temp in a helpdesk situation. The position included tons of down-time, and one day I filled in the gaps by browsing what available resources I had been granted access to. I assumed that as a temp, I would have almost no access at all as any such access was not required in order to open a ticket.

    Much to the contrary, I was able to access the entire salary list for the organization, and detailed networking topography and connections for all the remote offices. I reported this immediately and was thanked, not discouraged in any way, for what I did. However, a week or so later at the stroke of 5pm after all of the techs had left, I got a call from a remote office that could not access some resource... I tried to help troubleshoot the issue, and again looked around on the network for info that might help. I found an IP address I could ping. I pinged it and was able to at least report the results to the tech when I called them. I was terminated the next day, much to my surprise since I was completely honest and upfront with them at all times, and I was only trying to help (as opposed to the first time, when I was snooping intentionally and was not scolded).

    I'm a believer in the idea that if you give me access to something, I'm free to utilize it... Controlling access is the admin's responsibility. Yes, I'll state that again... If you give me access to the HR drive, I have every right to view the spreadsheets inside. The company has every right to fire you for screwing up and giving me that access, and every right to fire me if I publish it or do something other than keep it to myself.

  • by rtechie ( 244489 ) on Wednesday September 12, 2007 @05:38PM (#20579617)
    And there are no crooked accountants? Haven't the very largest accounting firms in the USA, regulated and certified, been responsible for most of the recent multi-billion dollar corporate scandals? They just found ways to work around the "ethical rules" imposed on them.

    It's about culture. Most IT guys are "techies" not money-grubbing bastards (aka business executives, accountants, etc.) Most IT professionals have a sense of integrity, understand their power within the organization, and act reasonably responsibly. Some do not. Lots download stuff they shouldn't at work and read the HR department's email. Annoying, but not a big deal. What they don't do is copy the records from the accounting department and sell them to brokerage firms. They don't create bogus POs for themselves. They don't sell proprietary information to competitors.

    I guess I'm saying that there are DEGREES of corruption, and in the grand scheme of things IT workers aren't anywhere near the realm of "the money people" when it comes to corruption.

  • by krotkruton ( 967718 ) on Wednesday September 12, 2007 @06:17PM (#20580097)
    Although this isn't quite related to the article, I think following the ethical policy all the time isn't always a good thing (of course, always doing anything will rarely be the right course of action).

    At my university, they recently sent out an email to a couple thousand students that included an attachment containing personal information about every student in the engineering department, including GPA, phone numbers, and addresses. Instead of calling up the IT guys and deleting the emails from the accounts that received them, the university sent out emails asking students to manually delete the emails. I'm not sure if they did this because they didn't want to invade the students' privacy, but if that's the case, then I think they went too far in following their code of ethics. Sometimes you have to bend the rules to fix a problem.
  • by trolltalk.com ( 1108067 ) on Wednesday September 12, 2007 @08:01PM (#20581235) Homepage Journal

    Re #1: It's only an ethical problem if you think it's an ethical problem. Most of it is pretty harmless/lame/stupid, so why not let people spend a few minutes once in a while looking at something they find easy on the eyes. Better than looking at this [trolltalk.com].

    Re #3: He didn't report the kiddie porn to the police ... they're the ones who you report kiddie porn to, not your boss.

    I can understand his frustration to a certain extent. Ever try to report child abuse? You'd better have a squeaky-clean past, because you can be sure that whoever you report is going to try to smear you. It's the same with accusing someone of holding kiddie porn. "Invasion of privacy" "You planted it - that's how come you knew where to look" etc.

  • by PPH ( 736903 ) on Thursday September 13, 2007 @01:08AM (#20583843)
    So, let's say you are an employee who works for a company and:
    • You discover child porn among the company documents brought back from an overseas business trip by a vice president. You report it and corporate decides to hide the discovery from law enforcement and allow the v.p. to retire 'quietly'.
    • You monitor the web mail accessed by employees at work. This reveals that he is having an affair. You report it and the board of directors ask for his immediate resignation, publicly.
    • You are a vendor that handles photo developing for a number of companies, including a major defense contractor. Upon developing several rolls of personal photos for a high ranking manager, you spot a number of them that have been taken on board a nuclear missile sub and (based upon your past experience in the Navy) know that some of these contain highly classified information. You contact the FBI. Nothing happens, other than the company drops your firm from its list of approved vendors. Nothing happens to the manager who took the photos.
    • You expose a whistle-blower downloading documents that could show a pattern of fraud within the company involving its dealing with federal regulators. The fines against the company could be from $5 billion dollars to as much as $15 billion (if RICO damages apply). The company has the police arrest the whistle-blower and charge him with theft of company IP.
    • As an IT employee, you ask your supervisor why a particular vendor was chosen for a project. In spite of a clear written corporate policy forbidding conflicts of interest or the appearance of such conflicts, he doesn't even hesitate to reply, "Because I get stock options from them".

    This all involves the same company. As an employee, what can I conclude about my company's ethical standards? What should I do if I discover something 'unethical'?

  • by Stormcrow309 ( 590240 ) on Thursday September 13, 2007 @06:30AM (#20585419) Journal

    I'm sorry, but that is exactly what I am saying. I am replacing a guy who lost his position because he was an unethical boob without an education. Each one of the managers in my division that have lost their job or have been forced into retirement in the last 10 years just happen to have an associate's only or no degree. By the end of the year, we will have only one manager without a bachelor's and they are sweating bullets right now. It has become so endemic within my organization, a hospital, that we are starting to require a bachelor's for any supervisory position. Most nurse manager positions in the market require a minimum amount of business education in addition to a nursing degree. Director or above require an MBA or MHA plus a nursing degree.

    I am sorry that it seems unfair, but I spent the last seven years in school while working in a salaried position. I work 60+ hours a week normally and am taking a full load of graduate classes. I have gotten some significant pay raises, but it has been hard. At one point, I was making the federally minimum salary for exempt, 23k. If you can't swing a night class or two while working, maybe you need to look at your lifestyle/career mix. My wife and I didn't go out and eat for two years so I could go back to school.
