A note on ethics

To study computer security effectively, you have to observe computer systems in ways that could potentially give you access to information other people do not intend for you to have. You can't be a security expert without knowing the techniques that are used to breach security. Thus, the study of security brings you into frequent and tricky contact with ethical problems.

If computer and communications technology are to bring more benefits than cost to human beings over the long-term, we are going to need a steady supply of security experts. I want you to experiment, investigate, and follow your nose as you learn how the security infrastructure (or lack thereof) of modern computer systems works. But I also want you to learn to think deeply not just about the technology but also about its implications.

Before each new activity in this class, we will take a few minutes in class to talk about the ethical and legal implications of what we're about to do. I want you to have similar conversations with your classmates and yourselves as you explore security theory and practice. Think about what you're doing ahead of time, and make a plan for how to study security without breaching security.

This note can't thoroughly cover the ethical ground we need to cover. However, I want to offer a small number of practical general principles you can use to get started. I will be eager to hear your thoughts on other useful general principles.

• Read and understand Carleton's academic integrity policy, and make sure your security studies adhere to this policy.
• Don't break the law. (We'll do some research on the relevant law so you'll know more about what is and isn't legal.)
• When you think you are getting close to a questionable area or practice, raise the issue on Slack and/or in class, so we can discuss it.
• Plan ahead. It is much better not to get into an ethically compromised situation in the first place than to have to deal with such a situation's consequences. One bit of planning has already been done for you. In this class, we will make extensive use of a pair of specially built virtual machines to act as attacker and target, which will provide you with an ethically safe environment in which to experiment from both perspectives.
• Whenever possible, restrict your observations to your own devices.
• When you observe more than your own devices, make sure that the owners and operators of the other devices you are observing (1) know that you're observing them, and (2) give you permission to do so.
• If you find your observations have led you to possess data owned by another person, (1) do not read it, (2) discard all copies of the data immediately, and (3) inform the person that this observation took place and what you did to fix the problem.
• If your investigations leave you with access to and/or control over a device or account to which you are not entitled to have access or control, (1) logout or otherwise give up your access/control, and (2) inform a relevant responsible party (e.g. the owner of the device or account) of what happened and when, so they can take steps to prevent similar problems in the future.
• Don't hide your actions. Do your study in good faith, and if you end up doing something wrong, tell people about it.