- Email: [email protected]
Developing a code for ethical computer use
I, SYSTEMS SOFTWARE
69
1992; 17:69-W
Developing
a Code for Ethical Computer
Use
Ernest A. Kallman Computer Information
Systems Department,
Bentley College, Waltham, Massachusetts
This paper describes how a code for ethical computer use can be developed and implemented. Though the code was formulated for a medium-sized college, its objectives, the processes employed to create it, the issues to be resolved, and the compromises which had to be made are typical of any organization.
INTRODUCTION Both organizations and individuals
are increasingly vulnerable to financial loss, tarnished reputations and legal action because of potential and current unethical activities performed, either purposefully or unintentionally, by people who use computers and who develop systems for computers. Unethical activities are broadly defined as those computer-related actions that cause harm to individuals, organizations, or society [l]. The most famous incidents reach the popular press, including stories of hackers who break into government computers to steal data or to plant viruses which disrupt normal computer functions. But there are numerous other forms of unethical computer activity, some with much greater potential for harm and others the effects of which may be much more subtle or may never even be known by the victim. These include: software piracy and violations of copyrights which rob authors of their rightful royalties; invasions of privacy through unauthorized access to computer files which unnecessarily reveal personal medical, financial and other information; and the harm caused by inaccurate information stored in computers and used as the basis for denying credit and other decisions. There are ethical considerations in the systems development process as well. Information systems professionals who design systems and produce computer programs are responsible for the integrity of computer
Address correspondence Lyndeboro, NH 03082.
to Ernest A. Kallman,
0 Elsevier Science Publishing Co., Inc. 655 Avenue of the Americas. New York, NY 10010
RFD 1 Box 74,
outputs. If a programmer does not fully test a program or does not include all the functions necessary to properly serve the computer user, the result may be harm to an individual or organization from erroneous outputs. Activities such as these threaten to increase as the number of computers increases, as more people use them, and as computers become more central to the strategic mission of the organizations that employ them. Dealing with unethical computer use requires the same kind of management skill and attention as any other kind of organizational risk. It must be considered a risk to be planned for and managed just as are risks from physical disasters, precipitous government action, market forces, and the like. Key to managing the risk from unethical computer use is creating and maintaining an ethical computer environment and corporate culture supported by top management. And there must be visible indicators of that top management support 1% 31. One visible indicator of an organization’s expectations is a code of conduct, in this case a code specifically for ethical computer use. Many professional organizations such as the Association for Computing Machinery and the Data Processing Management Association publish codes of conduct. These codes have some value for the society’s membership, but for a number of reasons they are not an adequate substitute for an organization having its own specific code. First, it is unlikely that all the information systems professionals in an organization will be members of the same professional society; some may not belong to any society at all. Second, the code must apply to more than just the information systems professionals. It should be known by and cover all employees and any others who come in contact with computers in any way. Finally, even when applicable, the codes of these societies are difficult to enforce and have limited mechanisms for imposing sanctions [4]. An organization which develops its own code can tailor it to meet specific circumstances within the organization and insure that
01641212/92/$5.00
70
Ernest A. Kallman
J. SYSTEMS SOFTWARE 1992; 17~69-74
enforcement provisions are included and, if necessary, implemented.
The Situation
at Bentley College
The computing environment at Bentley College is analogous to that which might typically be found in a medium to large business organization. It is a mediumsized educational institution serving approximately 4000 undergraduate students, most of whom major in business. There are about 1500 graduate students and another 2000 in the School of Continuing and Professional Studies. There are 200 faculty and 400 staff employees. Virtually every aspect of computing is represented to some degree: hundreds of personal computers, electronic mail, a central facility accessed by numerous terminals from within and outside the organization, commercially-acquired data bases, packaged software, software developed in-house, fourth-generation languages, batch processing, extensive end-user computing, and local area networks. Like many colleges or business organizations, Bentley College is aware of the need to foster ethical computer use, but the extensive integration of the computer into all aspects of campus activity makes it especially sensitive. Ethics is taught in a number of courses, many of them in the information systems area. When students buy their software at the Bentley Computer Store they sign a form acknowledging the copyright provisions attached to the packages. But in spite of these efforts, there was a perceived need for something more. A minor incident involving a violation of privacy in an administrative office and the occurrence of remarkably similar homework solutions in a computer information systems course reinforced the feeling that more specific guidelines were necessary. The conclusion was to develop and implement a Code of Ethical Computer Use. Its purposes were to clearly state 1. the kinds of behavior that are and are not acceptable; 2. what will happen to those acting unethic~ly; and 3. what an individual should do if unethical activity is discovered or suspected. Furthermore, it was felt that establishing such a code would be a responsible act on the part of the College to protect students, employees, and others from harm due to unethical practices, and would contribute to preventing the waste or abuse of the College’s computer resources.
THE DEVEtOPMENT PROCESS The process involves six major steps: 1. 2. 3. 4. 5. 6.
Recognize the need Get broad support Form the right team Organize for action Agree on the details Plan for acceptance and implementation
1. Recognize
the Need
Though there were the incidents mentioned above and a general feeling that a code for ethical computer use was a good idea, there were those who demurred. Among these were some who said that nothing was really broken and that this “fix” was unnecessary. Others thought the code would draw attention to the potential for computer abuse and would actually encourage such activity. Many of those in favor of the code were involved in staff and student disciplinary processes; they reported that a major issue in reducing such incidents was whether the perpetrator was sufficiently aware that the act was inappropriate. Based on this need for specificity and clarity, as well as management’s desire to act diligently in protecting both this resource and those affected by it, it was decided to proceed with the development of a code. Furthermore, it was recognized that it was not sufficient to simply adopt a code prepared by another organization. The development process would be an important first step in raising awareness and winning the entire community’s acceptance of the code. Participation in this form of decision making would result in a sense of ownership which would ultimately lead to acceptance of the document.
2. Get Broad Support A necessary requirement for winning support is to have the project led by someone who has the authority to cross departmental lines and who is willing to vouch for the effort as necessary and worthwhile. The higher in the organization this person reports, the better. However, this does not mean that someone lower in the organization cannot be the catalyst to action. At Bentley, perhaps because of the nature of a college, the impetus originated with students, who were supported by the Faculty Senate. The request to establish a code uItimately reached the Vice President for Info~ation Services, who responded immediately and positively. In Bentley’s case, a major hurdle to acceptance had already been overcome since respected representatives
Developing
a Code
from two major constituencies, already favored the code.
J. SYSTEMS SOFTWARE 1992; 17:69-74
students
and faculty,
3. creation ings.
3. Form the Right Team The next step is to include the appropriate people in the process. This is essential for achieving the support sought in #2 above, but also to ensure that the needs of each important area are considered. Two other structural considerations cannot be overlooked. They are small group size (for manageability) and equivalent organization level of the participants (for fostering openness and cooperation). The structure of the organization and its culture strongly influence team formation decisions. At Bentley there are three educational units, so the deans of each were asked to appoint a representative. They each appointed an associate dean. With these three appointments, six constituencies were served: the three units themselves and the three types of students (graduate, undergraduate, and evening) they serve. The Vice President for Information Services was a member and was responsible for representing the college’s information systems professionals and all nonfaculty employees. Finally, a faculty member from the Computer Information Systems Department with extensive experience in classroom computer use and computer-based research represented the faculty at large. The group was led by a Faculty Senate representative, who was also a faculty member. This resulted in a committee of six, a manageable size for arranging meetings and facilitating discussions. The participants were well known to each other and had mutual confidence. Thus, lack of cooperation and intimidation were never issues. Even though having an even number of members raised the possibility of tie votes, the team saw this as a minor threat since its intention was to seek unanimity. Nevertheless, the team would have been strengthened by the addition of a human resources representative. Such participation might be even more important in a business organization.
4. Organize for Action The first meeting of the team is organizational. zational objectives include
sion by the chairman may be needed, team member should be replaced;
Organi-
that the composition of the group is 1. agreement correct and that no other constituencies should be represented; 2. agreement on the nature of the task and ensuring that all participants are willing to work on it and see it as important and necessary. If not, some persua-
of a method of operation
71
or perhaps a
for future meet-
At Bentley the group was left as formed. One discussion centered on whether to include students or userlevel employees on the team. Though this might appear advantageous for both acceptance and process reasons, the team decided against the idea; although participation from these areas might be helpful, the overall task was to set policy and was therefore a management responsibility. If specific issues arose that could best be resolved with participation from these groups, they would be called on at the appropriate time. After lengthy discussion on the nature of the task at hand and the principles on which the team would base its deliberations, the team reached consensus on several issues. 1) The code should place responsibility for ethical action on the individual, but also allow the college to take appropriate measures should unethical computer activity take place. 2) All Bentley constituencies should be covered by the code: students, faculty, staff, and administration. This is to be a college-wide policy. Computers must be used responsibly by all who have access to them not just information systems professionals. Even noncomputer users should be aware of the code and know that any computing performed on their behalf is carried out in an ethical environment. 3) The code should articulate broad guidelines for computer use. Elaborate, complicated procedures should be avoided. The code should be easy to follow and enforce. 4) Many of the actions termed “unethical computer actions” are unethical whether or not a computer is involved. One of the purposes of the policy statement should be to indicate that computer use must meet usual ethical norms. Also the policy statement should clarify those areas where computers present unique situations. For example, copying a file is still stealing, even though the file’s creator still possesses the original. 5) Enforcement provisions should be included. In Bentley’s case elaborate procedures were not necessary. It was recognized early that judicial systems and sanctions were already in place to enforce the code. Violating the code was no different from breaking any other rule of behavior. Staff and administrative employees who perform inappropriately are reprimanded or fired by their superiors in consultation with the human resources department. Student violators are disciplined by teachers or judicial review boards under the associate deans. Faculty performance is the purview of the
72
J. SYSTEMS SOFTWARE 1992; 17:69-14
department chair and/or dean; corresponding disciplinary procedures are already in place. If an organization does not have similar procedures, it may be advisable to enact a general disciplinary process and refer to it in the code rather than complicate the code with disciplinary procedures. 6) Questions regarding “property” created on a computer should be referred to the college administration. Some areas that appear to have ethical computer implications raise broader questions. For example, if a professor uses the computer to create a book or writes software that has market value, does the college share in the proceeds if it is offered for sale? The team felt that in this example, the computer was only an instrument, and the question of ownership would remain even if there were no computer involved. Thus the team chose not to deal with these kinds of questions. 7) Finally, the draft document should be passed to legal counsel before promulgation. The next question was how to begin. Though adopting the code of another organization was not an option, other codes could be valuable sources for ideas. The team agreed that the chairman would examine a number of existing codes and, following the parameters outlined above, prepare a draft and disseminate it to the other team members prior to the next meeting. Each team member was to come prepared to defend or deny each section of the proposed code.
5. Agree
on the Details
Starting with a rough draft made team deliberations shorter and more efficient. But the process of agreeing on a final document was by no means easy. A number of considerations had to be worked out and understood by all. The committee never lost sight that each member would have to “sell” the code to his or her constituency and would be responsible for its implementation. The associate deans were already responsible for student disciplinary procedures. The Vice President of Information Services was responsible for fostering ethical computer use for all staff and administrators. Finally, the faculty would monitor both students and colleagues; in any disciplinary action involving a faculty member the Faculty Senate would likely be involved through its judicial appeals process. In a business organization the chain of command as well as any collective bargaining agreements would impact these decisions. Among the topics discussed at this stage was the philosophical issue of the nature of the ethical principles we wanted to uphold. The team concluded that ethical action represented a balance between fairness and least harm. That is, in deciding a course of action
Ernest A. Kallman
an individual should ask whether it is fair to all parties to use the computer resources in a particular way and whether this use would harm the college, other users of the system, or any other individuals. The team also considered whether a different set of guidelines should apply when the computer resource was a shared facility (the central computer) rather than an individual resource (a personal computer). The team concluded that though the potential for harm may vary, the application of the code was similar in both instances. The team established four editorial or structural considerations in the final version of the code: 1) The code should not use language that is too specific, and should not attempt to describe every permitted action and possible infraction. To do so would run the risk of inadvertently omitting something, thus creating a loophole. For example, an early version of the code contained the following statement: “Other minor or incidental use (to the extent that it does not cause harm to another individual or the College) is generally permitted. ” On reflection, the team realized that this attempt to be generous and allow personal use would open the issue to wide interpretation of what was minor and incidental. The statement was dropped in favor of one stating that the computer resource was in place to support an individual’s primary endeavors as a student or employee of the college. Another early rule spelled out the sanction against sending “junk” messages over electronic mail or inordinately tying up the system. A statement prohibiting abuse of the system so as to reduce its efficiency was substituted. This general assertion was more inclusive and did not suggest specific wrongful acts. 2) Policies should be written in such a way as to encourage accepted use without suggesting gray areas or possible abuses. The computer is there to be used and the code should not artificially limit access. Originally the code prohibited sharing account numbers, passwords, and other access mechanisms with another individual. Further debate led to the conclusion that this was a hardship for faculty and an exception was made in their case. 3) Special activities allowed to one constituency should not justify inappropriate behavior by another constituency, e.g., allowing faculty members to give their password to a graduate assistant for research reasons should not imply permission for an administrative employee to share his or her password. 4) The code should not attempt to deal with administrative matters. These are often specific and changeable, whereas the code should be general and relatively stable. For example, in an early version there was a statement about which of the three major computer
I. SYSTEMS SOFTWARE t992; I7:69-74
Developing a Code systems students were allowed to access. This could more easily be handled through software and a separate memo or procedures manual. Another rule described the responsibility for returning hardware and software when an employee leaves the college’s employment. Obviously, this could be handled in the organization’s exit procedure without cluttering the code. Within this context the team agreed on the specifics of the code after a few meetings and numerous iterations of the text. The next task was to plan for acceptance and implementation of the code. 6. Plan for Acceptance
and Implementation
The level of acceptance is heavily dependent on the implementation approach. This is the stage where the code must be “sold” to those who are expected to abide by it. Whatever participatory effort invoked in the development of the code should be used in this stage to win adherence. It is not realistic simply to promulgate the code and expect it to be followed. The team assigned specific areas of implementation res~nsibility: faculty, students, and administration. The Vice President for Information Services had the initial task of clearing the code with the college’s lawyers, who made minimal changes. The Vice President then met with the other vice presidents and explained the necessity and rationale for the code, its provisions, and how it would be distributed to their employees. The code was met with enthusiasm and total acceptance. The Faculty Senate representative first took the code to the Student Government Association, explained its student origins and provisions, and received unanimous approval. Finally, the code was presented to the faculty at a General Faculty meeting and was adopted unanimously .
In all cases, the team members emphasized that adhering to the code was in the individual’s best interest as well as that of the college. The individual could be confident that his or her computer-based work would not be abused by others, that the college’s resources would be preserved, and that violators would be dealt with. Specific implemen~tion tasks included reference to, or publication of, the code, in the Faculty Manual, Student Handbook, Faculty Advising Handbook, and all college catalogs. Furthermore the code was posted in all computer labs and a copy was formally distributed and discussed in the introductory computer course required of all freshman. Finally, the human resources department was directed to make the code known to all present employees by memo and new employees through their orientation to the college. To
73
ensure proper coverage in a business organization, the information systems department would make the code known to each new contact person it encountered.
CONCLUSION
The code has been in force for almost three years. A recent review of its effectiveness drew these conclusions: To date there has been no major breach of ethical computer behavior. No circumstances have arisen nor has any new technological capability been added that cannot be handled under the provisions of the code. The provisions of the code remain relevant even though there have been many technological changes. However, there were some suggestions: 1) The human resources department should have a more direct connection to the code since it is responsible for promulgating the code and is involved when employees are penalized. A human resources representative should be added to the team and that department should act in coordination with the department responsible for the code. 2) The multiconstituency team is an ad hoc group and should not continue to be responsible for the code. An administrative department should have continuing operational responsibility for code oversight and monitoring. This department might best be one in the information systems chain of command. If new issues arise, the ad hoc team can always be reconstituted. 3) In spite of all the efforts to publicize the code, more exposure is needed. To that end the sign-on procedures for the central system will be modified to “force” users to read a display of the code, once each year, before they can sign on. And there are some issues unresolved: 1) The extent to which the college’s computer resources may be used for personal purposes needs further clarification. 2) There is some question of whether users would be more aware of their responsibilities and the college better protected if users signed a form stating they had read and understood the provisions of the code. 3) The increasing use of electronic mail necessitates specific policies relating to privacy, confidentiality, and the nature of appropriate messages using that medium. But managing a code of ethical computer use, or more broadly, an ethical computing environment, is no different from any other responsibility. It is a never-ending succession of implementation, review, and modification. No doubt in time this code will require changes
14
Ernest A. Kallman
J. SYSTEMS SOFTWARE 1992; 17:69-74
to ensure that it continues to meet the college’s needs. Results to date indicate a heightened awareness of ethical computer use on the part of all users, and a
feeling of confidence among the college leadership that a significant positive step has been taken in creating an ethical environment on campus with implications beyond computer use. Developing a code of ethical computer use can be a relatively painless activity. There is no good reason not to try. REFERENCES J. Feinberg, Social Philosophy, Prentice-Hall, Englewood Cliffs, New Jersey, 1973. K. Blanchard and N. Peale, The Power of Ethical Management, William Morrow & Company, New York, 1988. P. Murphy, Implementing business ethics, J. Bus. Ethics, 7, 907-915 (1988). D. Johnson, Computer Ethics, Prentice-Hall, Englewood Cliffs, New Jersey, 1985, pp. 30-37.
APPENDIX: CODE FOR ETHICAL COMPUTER USE Introduction
All members of the Bentley community-students, faculty, staff, and administration- have opportunities to use computers and be affected by computer usage in the pursuit of their primary endeavors at Bentley College. Therefore, it is critical that such computer use be performed in an ethical context which ensures that the use of these resources fosters the achievement of the individual user’s goals, consistent with Bentley College’s educational and research objectives. Such an ethical context implies that computing resources will not be abused, wasted, or employed in such a way as to interfere with, or cause harm or damage to another person, institution, or company within or outside the Bentley College community. It is up to the individual to act responsibly in the use of computer hardware and software, data, and computer outputs.
Policy Statement
The fundamental purpose of the Bentley computer resource (individually-used computers or shared computers) is to support an individual’s primary endeavors as a student or employee of Bentley College. Individuals may only use accounts, files, software, and computer resources authorized under their particular accounts. Faculty members who delegate use to their students or colleagues assume responsibility for appropriate control and all risk to their accounts. Individuals must take all reasonable precautions (e.g., prevent unauthorized access to accounts or data by others) both within and outside the Bentley community. Individuals must not make unauthorized copies of copyrighted software or data. An employee’s questions of copyright provisions or permissions should be directed to his or her supervisor or the supervisor of the computing facility. A student’s questions should be addressed to a member of the faculty or the supervisor of the computing facility. Employees are encouraged to report to their supervisors or the supervisor of the computing facility, and students are encouraged to report to a faculty member or the supervisor of the computing facility, any violations, flaws, or other deficiencies in the security of any and all Bentley College computer resources. Individuals must not abuse the College’s computing resources so as to reduce their efficiency to the detriment of other users. Individuals must not attempt to modify system facilities, utilities, and/or configurations, or change the restrictions associated with their accounts, or attempt to breach the College’s computer resources security system, whether with or without malicious intent. Individuals must not use any network access provided by the College to affect other computers or the network in any of the above ways. If uncertain about a specific situation, an employee should consult a superior or supervisor; a student should consult a member of the faculty before proceeding. Violations of this policy will be handled in a manner consistent with comparable situations requiring disciplinary action.
69
1992; 17:69-W
Developing
a Code for Ethical Computer
Use
Ernest A. Kallman Computer Information
Systems Department,
Bentley College, Waltham, Massachusetts
This paper describes how a code for ethical computer use can be developed and implemented. Though the code was formulated for a medium-sized college, its objectives, the processes employed to create it, the issues to be resolved, and the compromises which had to be made are typical of any organization.
INTRODUCTION Both organizations and individuals
are increasingly vulnerable to financial loss, tarnished reputations and legal action because of potential and current unethical activities performed, either purposefully or unintentionally, by people who use computers and who develop systems for computers. Unethical activities are broadly defined as those computer-related actions that cause harm to individuals, organizations, or society [l]. The most famous incidents reach the popular press, including stories of hackers who break into government computers to steal data or to plant viruses which disrupt normal computer functions. But there are numerous other forms of unethical computer activity, some with much greater potential for harm and others the effects of which may be much more subtle or may never even be known by the victim. These include: software piracy and violations of copyrights which rob authors of their rightful royalties; invasions of privacy through unauthorized access to computer files which unnecessarily reveal personal medical, financial and other information; and the harm caused by inaccurate information stored in computers and used as the basis for denying credit and other decisions. There are ethical considerations in the systems development process as well. Information systems professionals who design systems and produce computer programs are responsible for the integrity of computer
Address correspondence Lyndeboro, NH 03082.
to Ernest A. Kallman,
0 Elsevier Science Publishing Co., Inc. 655 Avenue of the Americas. New York, NY 10010
RFD 1 Box 74,
outputs. If a programmer does not fully test a program or does not include all the functions necessary to properly serve the computer user, the result may be harm to an individual or organization from erroneous outputs. Activities such as these threaten to increase as the number of computers increases, as more people use them, and as computers become more central to the strategic mission of the organizations that employ them. Dealing with unethical computer use requires the same kind of management skill and attention as any other kind of organizational risk. It must be considered a risk to be planned for and managed just as are risks from physical disasters, precipitous government action, market forces, and the like. Key to managing the risk from unethical computer use is creating and maintaining an ethical computer environment and corporate culture supported by top management. And there must be visible indicators of that top management support 1% 31. One visible indicator of an organization’s expectations is a code of conduct, in this case a code specifically for ethical computer use. Many professional organizations such as the Association for Computing Machinery and the Data Processing Management Association publish codes of conduct. These codes have some value for the society’s membership, but for a number of reasons they are not an adequate substitute for an organization having its own specific code. First, it is unlikely that all the information systems professionals in an organization will be members of the same professional society; some may not belong to any society at all. Second, the code must apply to more than just the information systems professionals. It should be known by and cover all employees and any others who come in contact with computers in any way. Finally, even when applicable, the codes of these societies are difficult to enforce and have limited mechanisms for imposing sanctions [4]. An organization which develops its own code can tailor it to meet specific circumstances within the organization and insure that
01641212/92/$5.00
70
Ernest A. Kallman
J. SYSTEMS SOFTWARE 1992; 17~69-74
enforcement provisions are included and, if necessary, implemented.
The Situation
at Bentley College
The computing environment at Bentley College is analogous to that which might typically be found in a medium to large business organization. It is a mediumsized educational institution serving approximately 4000 undergraduate students, most of whom major in business. There are about 1500 graduate students and another 2000 in the School of Continuing and Professional Studies. There are 200 faculty and 400 staff employees. Virtually every aspect of computing is represented to some degree: hundreds of personal computers, electronic mail, a central facility accessed by numerous terminals from within and outside the organization, commercially-acquired data bases, packaged software, software developed in-house, fourth-generation languages, batch processing, extensive end-user computing, and local area networks. Like many colleges or business organizations, Bentley College is aware of the need to foster ethical computer use, but the extensive integration of the computer into all aspects of campus activity makes it especially sensitive. Ethics is taught in a number of courses, many of them in the information systems area. When students buy their software at the Bentley Computer Store they sign a form acknowledging the copyright provisions attached to the packages. But in spite of these efforts, there was a perceived need for something more. A minor incident involving a violation of privacy in an administrative office and the occurrence of remarkably similar homework solutions in a computer information systems course reinforced the feeling that more specific guidelines were necessary. The conclusion was to develop and implement a Code of Ethical Computer Use. Its purposes were to clearly state 1. the kinds of behavior that are and are not acceptable; 2. what will happen to those acting unethic~ly; and 3. what an individual should do if unethical activity is discovered or suspected. Furthermore, it was felt that establishing such a code would be a responsible act on the part of the College to protect students, employees, and others from harm due to unethical practices, and would contribute to preventing the waste or abuse of the College’s computer resources.
THE DEVEtOPMENT PROCESS The process involves six major steps: 1. 2. 3. 4. 5. 6.
Recognize the need Get broad support Form the right team Organize for action Agree on the details Plan for acceptance and implementation
1. Recognize
the Need
Though there were the incidents mentioned above and a general feeling that a code for ethical computer use was a good idea, there were those who demurred. Among these were some who said that nothing was really broken and that this “fix” was unnecessary. Others thought the code would draw attention to the potential for computer abuse and would actually encourage such activity. Many of those in favor of the code were involved in staff and student disciplinary processes; they reported that a major issue in reducing such incidents was whether the perpetrator was sufficiently aware that the act was inappropriate. Based on this need for specificity and clarity, as well as management’s desire to act diligently in protecting both this resource and those affected by it, it was decided to proceed with the development of a code. Furthermore, it was recognized that it was not sufficient to simply adopt a code prepared by another organization. The development process would be an important first step in raising awareness and winning the entire community’s acceptance of the code. Participation in this form of decision making would result in a sense of ownership which would ultimately lead to acceptance of the document.
2. Get Broad Support A necessary requirement for winning support is to have the project led by someone who has the authority to cross departmental lines and who is willing to vouch for the effort as necessary and worthwhile. The higher in the organization this person reports, the better. However, this does not mean that someone lower in the organization cannot be the catalyst to action. At Bentley, perhaps because of the nature of a college, the impetus originated with students, who were supported by the Faculty Senate. The request to establish a code uItimately reached the Vice President for Info~ation Services, who responded immediately and positively. In Bentley’s case, a major hurdle to acceptance had already been overcome since respected representatives
Developing
a Code
from two major constituencies, already favored the code.
J. SYSTEMS SOFTWARE 1992; 17:69-74
students
and faculty,
3. creation ings.
3. Form the Right Team The next step is to include the appropriate people in the process. This is essential for achieving the support sought in #2 above, but also to ensure that the needs of each important area are considered. Two other structural considerations cannot be overlooked. They are small group size (for manageability) and equivalent organization level of the participants (for fostering openness and cooperation). The structure of the organization and its culture strongly influence team formation decisions. At Bentley there are three educational units, so the deans of each were asked to appoint a representative. They each appointed an associate dean. With these three appointments, six constituencies were served: the three units themselves and the three types of students (graduate, undergraduate, and evening) they serve. The Vice President for Information Services was a member and was responsible for representing the college’s information systems professionals and all nonfaculty employees. Finally, a faculty member from the Computer Information Systems Department with extensive experience in classroom computer use and computer-based research represented the faculty at large. The group was led by a Faculty Senate representative, who was also a faculty member. This resulted in a committee of six, a manageable size for arranging meetings and facilitating discussions. The participants were well known to each other and had mutual confidence. Thus, lack of cooperation and intimidation were never issues. Even though having an even number of members raised the possibility of tie votes, the team saw this as a minor threat since its intention was to seek unanimity. Nevertheless, the team would have been strengthened by the addition of a human resources representative. Such participation might be even more important in a business organization.
4. Organize for Action The first meeting of the team is organizational. zational objectives include
sion by the chairman may be needed, team member should be replaced;
Organi-
that the composition of the group is 1. agreement correct and that no other constituencies should be represented; 2. agreement on the nature of the task and ensuring that all participants are willing to work on it and see it as important and necessary. If not, some persua-
of a method of operation
71
or perhaps a
for future meet-
At Bentley the group was left as formed. One discussion centered on whether to include students or userlevel employees on the team. Though this might appear advantageous for both acceptance and process reasons, the team decided against the idea; although participation from these areas might be helpful, the overall task was to set policy and was therefore a management responsibility. If specific issues arose that could best be resolved with participation from these groups, they would be called on at the appropriate time. After lengthy discussion on the nature of the task at hand and the principles on which the team would base its deliberations, the team reached consensus on several issues. 1) The code should place responsibility for ethical action on the individual, but also allow the college to take appropriate measures should unethical computer activity take place. 2) All Bentley constituencies should be covered by the code: students, faculty, staff, and administration. This is to be a college-wide policy. Computers must be used responsibly by all who have access to them not just information systems professionals. Even noncomputer users should be aware of the code and know that any computing performed on their behalf is carried out in an ethical environment. 3) The code should articulate broad guidelines for computer use. Elaborate, complicated procedures should be avoided. The code should be easy to follow and enforce. 4) Many of the actions termed “unethical computer actions” are unethical whether or not a computer is involved. One of the purposes of the policy statement should be to indicate that computer use must meet usual ethical norms. Also the policy statement should clarify those areas where computers present unique situations. For example, copying a file is still stealing, even though the file’s creator still possesses the original. 5) Enforcement provisions should be included. In Bentley’s case elaborate procedures were not necessary. It was recognized early that judicial systems and sanctions were already in place to enforce the code. Violating the code was no different from breaking any other rule of behavior. Staff and administrative employees who perform inappropriately are reprimanded or fired by their superiors in consultation with the human resources department. Student violators are disciplined by teachers or judicial review boards under the associate deans. Faculty performance is the purview of the
72
J. SYSTEMS SOFTWARE 1992; 17:69-14
department chair and/or dean; corresponding disciplinary procedures are already in place. If an organization does not have similar procedures, it may be advisable to enact a general disciplinary process and refer to it in the code rather than complicate the code with disciplinary procedures. 6) Questions regarding “property” created on a computer should be referred to the college administration. Some areas that appear to have ethical computer implications raise broader questions. For example, if a professor uses the computer to create a book or writes software that has market value, does the college share in the proceeds if it is offered for sale? The team felt that in this example, the computer was only an instrument, and the question of ownership would remain even if there were no computer involved. Thus the team chose not to deal with these kinds of questions. 7) Finally, the draft document should be passed to legal counsel before promulgation. The next question was how to begin. Though adopting the code of another organization was not an option, other codes could be valuable sources for ideas. The team agreed that the chairman would examine a number of existing codes and, following the parameters outlined above, prepare a draft and disseminate it to the other team members prior to the next meeting. Each team member was to come prepared to defend or deny each section of the proposed code.
5. Agree
on the Details
Starting with a rough draft made team deliberations shorter and more efficient. But the process of agreeing on a final document was by no means easy. A number of considerations had to be worked out and understood by all. The committee never lost sight that each member would have to “sell” the code to his or her constituency and would be responsible for its implementation. The associate deans were already responsible for student disciplinary procedures. The Vice President of Information Services was responsible for fostering ethical computer use for all staff and administrators. Finally, the faculty would monitor both students and colleagues; in any disciplinary action involving a faculty member the Faculty Senate would likely be involved through its judicial appeals process. In a business organization the chain of command as well as any collective bargaining agreements would impact these decisions. Among the topics discussed at this stage was the philosophical issue of the nature of the ethical principles we wanted to uphold. The team concluded that ethical action represented a balance between fairness and least harm. That is, in deciding a course of action
Ernest A. Kallman
an individual should ask whether it is fair to all parties to use the computer resources in a particular way and whether this use would harm the college, other users of the system, or any other individuals. The team also considered whether a different set of guidelines should apply when the computer resource was a shared facility (the central computer) rather than an individual resource (a personal computer). The team concluded that though the potential for harm may vary, the application of the code was similar in both instances. The team established four editorial or structural considerations in the final version of the code: 1) The code should not use language that is too specific, and should not attempt to describe every permitted action and possible infraction. To do so would run the risk of inadvertently omitting something, thus creating a loophole. For example, an early version of the code contained the following statement: “Other minor or incidental use (to the extent that it does not cause harm to another individual or the College) is generally permitted. ” On reflection, the team realized that this attempt to be generous and allow personal use would open the issue to wide interpretation of what was minor and incidental. The statement was dropped in favor of one stating that the computer resource was in place to support an individual’s primary endeavors as a student or employee of the college. Another early rule spelled out the sanction against sending “junk” messages over electronic mail or inordinately tying up the system. A statement prohibiting abuse of the system so as to reduce its efficiency was substituted. This general assertion was more inclusive and did not suggest specific wrongful acts. 2) Policies should be written in such a way as to encourage accepted use without suggesting gray areas or possible abuses. The computer is there to be used and the code should not artificially limit access. Originally the code prohibited sharing account numbers, passwords, and other access mechanisms with another individual. Further debate led to the conclusion that this was a hardship for faculty and an exception was made in their case. 3) Special activities allowed to one constituency should not justify inappropriate behavior by another constituency, e.g., allowing faculty members to give their password to a graduate assistant for research reasons should not imply permission for an administrative employee to share his or her password. 4) The code should not attempt to deal with administrative matters. These are often specific and changeable, whereas the code should be general and relatively stable. For example, in an early version there was a statement about which of the three major computer
I. SYSTEMS SOFTWARE t992; I7:69-74
Developing a Code systems students were allowed to access. This could more easily be handled through software and a separate memo or procedures manual. Another rule described the responsibility for returning hardware and software when an employee leaves the college’s employment. Obviously, this could be handled in the organization’s exit procedure without cluttering the code. Within this context the team agreed on the specifics of the code after a few meetings and numerous iterations of the text. The next task was to plan for acceptance and implementation of the code. 6. Plan for Acceptance
and Implementation
The level of acceptance is heavily dependent on the implementation approach. This is the stage where the code must be “sold” to those who are expected to abide by it. Whatever participatory effort invoked in the development of the code should be used in this stage to win adherence. It is not realistic simply to promulgate the code and expect it to be followed. The team assigned specific areas of implementation res~nsibility: faculty, students, and administration. The Vice President for Information Services had the initial task of clearing the code with the college’s lawyers, who made minimal changes. The Vice President then met with the other vice presidents and explained the necessity and rationale for the code, its provisions, and how it would be distributed to their employees. The code was met with enthusiasm and total acceptance. The Faculty Senate representative first took the code to the Student Government Association, explained its student origins and provisions, and received unanimous approval. Finally, the code was presented to the faculty at a General Faculty meeting and was adopted unanimously .
In all cases, the team members emphasized that adhering to the code was in the individual’s best interest as well as that of the college. The individual could be confident that his or her computer-based work would not be abused by others, that the college’s resources would be preserved, and that violators would be dealt with. Specific implemen~tion tasks included reference to, or publication of, the code, in the Faculty Manual, Student Handbook, Faculty Advising Handbook, and all college catalogs. Furthermore the code was posted in all computer labs and a copy was formally distributed and discussed in the introductory computer course required of all freshman. Finally, the human resources department was directed to make the code known to all present employees by memo and new employees through their orientation to the college. To
73
ensure proper coverage in a business organization, the information systems department would make the code known to each new contact person it encountered.
CONCLUSION
The code has been in force for almost three years. A recent review of its effectiveness drew these conclusions: To date there has been no major breach of ethical computer behavior. No circumstances have arisen nor has any new technological capability been added that cannot be handled under the provisions of the code. The provisions of the code remain relevant even though there have been many technological changes. However, there were some suggestions: 1) The human resources department should have a more direct connection to the code since it is responsible for promulgating the code and is involved when employees are penalized. A human resources representative should be added to the team and that department should act in coordination with the department responsible for the code. 2) The multiconstituency team is an ad hoc group and should not continue to be responsible for the code. An administrative department should have continuing operational responsibility for code oversight and monitoring. This department might best be one in the information systems chain of command. If new issues arise, the ad hoc team can always be reconstituted. 3) In spite of all the efforts to publicize the code, more exposure is needed. To that end the sign-on procedures for the central system will be modified to “force” users to read a display of the code, once each year, before they can sign on. And there are some issues unresolved: 1) The extent to which the college’s computer resources may be used for personal purposes needs further clarification. 2) There is some question of whether users would be more aware of their responsibilities and the college better protected if users signed a form stating they had read and understood the provisions of the code. 3) The increasing use of electronic mail necessitates specific policies relating to privacy, confidentiality, and the nature of appropriate messages using that medium. But managing a code of ethical computer use, or more broadly, an ethical computing environment, is no different from any other responsibility. It is a never-ending succession of implementation, review, and modification. No doubt in time this code will require changes
14
Ernest A. Kallman
J. SYSTEMS SOFTWARE 1992; 17:69-74
to ensure that it continues to meet the college’s needs. Results to date indicate a heightened awareness of ethical computer use on the part of all users, and a
feeling of confidence among the college leadership that a significant positive step has been taken in creating an ethical environment on campus with implications beyond computer use. Developing a code of ethical computer use can be a relatively painless activity. There is no good reason not to try. REFERENCES J. Feinberg, Social Philosophy, Prentice-Hall, Englewood Cliffs, New Jersey, 1973. K. Blanchard and N. Peale, The Power of Ethical Management, William Morrow & Company, New York, 1988. P. Murphy, Implementing business ethics, J. Bus. Ethics, 7, 907-915 (1988). D. Johnson, Computer Ethics, Prentice-Hall, Englewood Cliffs, New Jersey, 1985, pp. 30-37.
APPENDIX: CODE FOR ETHICAL COMPUTER USE Introduction
All members of the Bentley community-students, faculty, staff, and administration- have opportunities to use computers and be affected by computer usage in the pursuit of their primary endeavors at Bentley College. Therefore, it is critical that such computer use be performed in an ethical context which ensures that the use of these resources fosters the achievement of the individual user’s goals, consistent with Bentley College’s educational and research objectives. Such an ethical context implies that computing resources will not be abused, wasted, or employed in such a way as to interfere with, or cause harm or damage to another person, institution, or company within or outside the Bentley College community. It is up to the individual to act responsibly in the use of computer hardware and software, data, and computer outputs.
Policy Statement
The fundamental purpose of the Bentley computer resource (individually-used computers or shared computers) is to support an individual’s primary endeavors as a student or employee of Bentley College. Individuals may only use accounts, files, software, and computer resources authorized under their particular accounts. Faculty members who delegate use to their students or colleagues assume responsibility for appropriate control and all risk to their accounts. Individuals must take all reasonable precautions (e.g., prevent unauthorized access to accounts or data by others) both within and outside the Bentley community. Individuals must not make unauthorized copies of copyrighted software or data. An employee’s questions of copyright provisions or permissions should be directed to his or her supervisor or the supervisor of the computing facility. A student’s questions should be addressed to a member of the faculty or the supervisor of the computing facility. Employees are encouraged to report to their supervisors or the supervisor of the computing facility, and students are encouraged to report to a faculty member or the supervisor of the computing facility, any violations, flaws, or other deficiencies in the security of any and all Bentley College computer resources. Individuals must not abuse the College’s computing resources so as to reduce their efficiency to the detriment of other users. Individuals must not attempt to modify system facilities, utilities, and/or configurations, or change the restrictions associated with their accounts, or attempt to breach the College’s computer resources security system, whether with or without malicious intent. Individuals must not use any network access provided by the College to affect other computers or the network in any of the above ways. If uncertain about a specific situation, an employee should consult a superior or supervisor; a student should consult a member of the faculty before proceeding. Violations of this policy will be handled in a manner consistent with comparable situations requiring disciplinary action.