I’m firmly of the opinion that the IT industry should have a licence to practice, or at least a recognised qualification or membership that indicates that you are serious about your conduct within your career. The best body for this as it appears to stand in the UK is the British Computer Society. Unfortunately, the BCS remains an embarrassment and continues to fail to make an impact on employers and professionals in respect of a licence to practice, or even recognition of any ethical standing. Despite their reinvented Chartered IT Professional status, they remain invisible and irrelevant.
IT is an industry that now touches us all and the risk of our data traversing physical, network, jurisdictional and geographic boundaries has come into sharp focus with an increase in the number of data leakages and ‘hacks’ that serve to showcase anything from a security hole to the hubris of an anonymous script kiddie. As an individual working within this profession, one should have to commit to exercising every possible effort in maintaining one’s own ethical position, which would include their role in ensuring the projects within which they work make every possible effort to perform to the same standard. The BCS has their own Code of Conduct which attempts to create a position of professional and ethical performance but this does not offer any real sanctions other than being “struck off” as a member of an entirely irrelevant register.
Had a workable and enforceable code of conduct or ethics existed, would we have seen any of just a few of the recent scandals?
- Volkswagen’s discovery (not admission) that they had used software to cheat in emissions tests for their vehicles under specific test conditions required effort by at least one developer who knew exactly what they were trying to achieve. These developers breached ethical considerations which surely span cultures; thou should not lie. VW’s American CEO Michael Horn claimed in congress that it was two software engineers that came up and implemented the cheat. Of course, we should consider that they may have felt pressured to implement the cheating software, but had there been a substantial professional body behind them they may have felt confident in blowing a whistle.
- Adobe had 153 million accounts exposed in 2013 which revealed usernames, email addresses, encrypted passwords and unencrypted password hints. Unfortunately, the passwords were encrypted weakly meaning it was fairly easy to brute force the encryption based on repeated sequences of data. Coupled with an unencrypted password hint which only serves to undermine the weak encryption and it makes one wonder whether the developers stopped and thought, “are we doing enough?”
- This year saw 780 people “outed” as HIV sufferers by a leading sexual health clinic. The cause was a basic human error of pasting the email addresses into the wrong field. It’s very easily done. This very basic administrative error has major repercussions on lives.
- We have our own case of gross incompetence on the Isle of Man. Earlier this year, hundreds of individuals’ email addresses were shared across email, again as a result of the basic administrative error of using the wrong email field. What happened? The Data Protection Commissioner took no action and all that could be seen were some red faces.
I did miss one recent high-profile hack, that of Ashley Madison. This raises an interesting point. Within an ethical framework, where does one’s professional ethics come into play? Personally, I believe that as long as the programmers were honest in what they were doing, regardless of society’s view on the ultimate effect of their actions which are quite rightly extremely serious, then they should feel confident in their professional conduct. The programmers have apparently gone to great lengths to safeguard the identities and security of their clients. We still don’t know how the hack was performed or whether it was an inside job, but based on the news and discussions, security was seemingly tight. This notwithstanding, their managers’ decision not to delete data from individuals paying to be deleted is blatantly unethical and these individuals should feel the full force of the law as punishment.