CS 231: Computer Security

Ethical analysis of a security-related scenario

Partner or alone.

Hand in to ethics/scenario1.pdf in your CS231 repository.

This assignment involves a computer security scenario with potential ethical implications. Your job is to analyze the ethics of the scenario.

The scenario

You have discovered a bug in the InstaToonz music-sharing app. This bug is a nasty one that would allow an attacker to read the contents of all the private InstaToonz direct messages for anyone who has ever posted a public InstaToonz message. This bug threatens the privacy of hundreds of millions of InstaToonz users.

You want to report this bug to InstaToonz, Inc., but you know that the last time somebody reported a security bug to them privately, InstaToonz sued the bug-reporter in California and also called in the FBI, causing the person significant hassle and expense. The case was briefly a cause célèbre in the tech world, with calls for boycotts and state and Congressional action. Eventually, after a fair amount of sabre-rattling, InstaToonz dropped the suit. But at the same time, they released a statement articulating their belief that all security researchers (which InstaToonz always put inside scare quotes) are engaging in attempted thievery of trade secrets. After a brief investigation upon being first contacted by InstaToonz, the FBI declined to pursue the matter further.

By the way, here's a story from the past couple days that has many similar features to this scenario.

What to hand in

The goal of this assignment is to get you to think seriously about the ethics of a tricky situation. To give some structure to your analysis, I'd like you to organize your report around the following questions.

  A. Identify the main ethical question or questions faced by the main character ("you") in the scenario. This will certainly include "what should you do?", but there may be other interesting questions to consider.
  B. For each stakeholder (or category of stakeholders) in the scenario, identify the stakeholder's relevant rights.
  C. List any information missing from the scenario that you would like to have to help you make better choices.
  D. Describe your possible actions, and discuss the likely consequences of those actions.
  E. Discuss whether the ACM Code of Ethics and Professional Conduct offers any relevant guidance.
  F. Describe and justify your recommended action, as well as your answers to any other questions you presented in part A.

This particular scenario has an interesting legal twist if it happens in the US. So make sure to include in your discussion of items A-F these two possible options: