Duke ITAC - December 2, 2004 Minutes

Minutes

December 2, 2004

Call to Order: Meeting called to order by Robert Wolpert at 4:06pm. He observed that today was a joint meeting of CLAC and ITAC to discuss the ethics of systems administration.

Rob Carter opened the agenda by referring participants to a handout outlining 8 case studies, then introduced the guest facilitator, Tony Brown, Professor of the Practice at the Sanford Institute. Having asked various attendees to respond to each case study, Prof. Brown asked each volunteer to describe what action they would take under the circumstances described in their scenario and why. Following each case study, there was a brief time to ask clarification questions.

Scenario I: Fairness and Equity Issues

Conclusion: A faculty member does not have the right to take away a student's account. The chair should be told "no" because the original mistake was not the student's. Making the change would not only inconvenience the student, but enable personal or professional information meant for the student to be misdirected to the chair. This could jeopardize the student's job search. Virtually all participants agreed with this course of action.

Scenario II: Privacy Rights

Conclusion: The sysadmin should not perform the search through private records, because areas designated as private should be treated as private. There was a difference of opinion on this conclusion among the group: some participants said that they would perform the search if told to do so by a person in greater authority.

Scenario III: More Privacy Rights

Conclusion: Same as above. The sysadmin should not do the comparison of lab reports if it involved getting information from a student's account or files without that student's permission. Issues of clarification: Did department make the accounts available to the students for the sole purpose of submitting papers? What is the difference between going into the student's account and going into the student's room to look for a paper copy? To whom do the lab reports belong? Most participants said that they would not provide the information requested.

Scenario IV: Still More Privacy

Conclusion: The sysadmin should not take any action except to notify his/her supervisor. Clarification: Do I know the person? At least one person said that his course of action would be affected by his relationship to the person. He valued personal relationships above ethics about work and might contact the person or even destroy information if the person was a friend. Several questions were posed in the discussion. What is your moral obligation if you suspect that a law is being broken? Most present said that they would not pursue any action except to notify their supervisors and disclose the risks to that person. Some participants felt that they would need to secure the system immediately, then inform their supervisor.

Scenario V: Legal Counsel

Conclusion: The sysadmin should not look for the information on the assumption that e-mail is private unless a subpoena is issued. Clarification questions: What would you do if Legal Counsel refuted your contention of privacy with regard to e-mail? Do you have the request from legal counsel and assurances about liability to you as an individual in writing? Many people agreed that they would refuse to look for the information without a subpoena, but some said they would give the information to Duke's legal counsel.

Scenario VI: Copyright Infringement Dilemma

Conclusion: The sysadmin should go to the user, indicate that it appeared they had an illegal copy of the software, and offer to assist in determining whether it is illegal. If it was illegal, the sysadmin should ask the person to remove the file. Clarification questions: Who is the person? Several participants said that their action might be different depending upon whether the user was a student or faculty/staff. Does the sysadmin really have a role as enforcer in this case? Is it a different situation if the sysadmin uncovers potential illegal activity as a result of normal systems admin work? Mike Pickett noted that under the Digital Millennium Copyright Act, if the sysadmin were to take an action in this scenario without having been notified by the copyright owner, it could potentially put the institution at some legal risk.

Scenario VII: Interpersonal Dispute

Conclusion: The sysadmin should not comply with the request from the faculty member. Clarification questions: Most businesses have nondisclosure agreements. Universities are very different, but also have data disclosure issues, sometimes depending upon the funding source of the research. Which is more important: ownership of the data or privacy of the student's computer files? Is the data restricted? Is there a difference between searching by content and searching by identifier?

Scenario VIII: Personal vs. Professional Responsibilities

Conclusion: The sysadmin should not do anything and should not discuss the information with anyone. Clarification questions: If asked a direct question about whether s/he saw the information, should the sysadmin lie and say no? At what point (if ever) would the sysadmin have a moral obligation to disclose anything?

It was observed that conclusions to the scenarios might be different in MCIS, as they are more corporate in their philosophy. Several participants agreed that it is important to determine what our legal obligations are and the points on which we could put the University at risk, either by acting too hastily or by failing to act.

Professor Brown suggested that a manual be developed that would help guide sysadmins as to the appropriate action in various ethical dilemmas. He asked the group to brainstorm about what the manual should contain.

  • Clear, unambiguous statement of what belongs to the user: e-mail, files in home/personal directory, hard drive on computer. Access is permitted if under legal process to produce information, if the user is not available, or under some outside agency directive.
  • Policy should set a default: we assume that the University or department owns the hardware, but we can't always easily determine who owns the data. Policy should dictate access to data under various circumstances: who, what, and when.
  • Policy needs to guide sysadmins about what to do when, in the course of their normal duties, they come across potentially illegal activities.

Questions the Manual should answer:

  • Who owns the "shopright"?
  • Do file permissions affect privacy?
  • Can we distinguish between the privacy of staff/faculty and that of a student?
  • Are directories created by faculty for students to submit their work different from directories created for other purposes, e.g., acpub?
  • What about staff who are also students?
  • What are our legal and moral obligations with regard to back-ups, security, and preserving the integrity of data?

Professor Brown suggested five questions that can help determine individual action in a moral/ethical dilemma.

  1. How great is the need?
  2. What is my capability to act and solve the problem?
  3. What is my proximity?
  4. Am I the only person who can solve this problem?
  5. What are the risks and costs to me?

Other questions/issues that the group raised included the following:

  • What is the sysadmin's liability for destroying evidence as the result of normal business operations, e.g., purging logs or temporary files?
  • What is the standard procedure for destroying back-ups, and is it written down?
  • How does the request for data fit into the University's student judicial processes?
  • How responsible is a sysadmin for educating others as to ethical procedures?

It was noted that the Law School has developed policy statements that are relevant to today's discussion; they may be found on its website at <http://www.law.duke.edu/general/info/s07.html#policy7-8>. To encourage action following the discussion, the group suggested several strategies.

  1. Tap into best practices.
  2. Get information from EDUCAUSE about the sub-committee of that organization working on these issues.
  3. Make it a priority for ITAC to develop and recommend to the CIO a set of broad standards for the University, and possibly a template for schools/departments.
  4. Encourage departments to address these issues internally.
  5. Consult with Duke's legal counsel.
  6. Develop standard operating procedures and a code of ethics for sysadmins.

In conclusion, Professor Brown suggested a book relevant to today's discussion: The Responsible Manager by Michael Rion.

The meeting was adjourned at 5:30pm.