An Ethics-Based Remedy for Clamping Down Data Privacy Breaches

INTRODUCTION

Data privacy breaches matter to lawyers as it is a tripartite concern traversing ethics, information security, and law. Further, it is the most sensational of cyberattacks and the most covered in the media, and reflective of the status quo that data protection must helplessly go on even though hacking continues, a new, effective remedy is badly needed. Taking issue with remedy, an ethics-based framework is perceived, and developed, successively through the symptomatic big spending on data protection and the raging cyberwar that renders the expensive data protection futile, the causal relationship between our indifference and respect to ethics, the muddle of our perception of the basic concepts: risk and privacy, and seeks. This framework, grounded in Ethical Computing and its tools for ethical analysis: Ethical Matrix and Hexa-dimension Metric, has the effect of lessening the incidence of hacking or making hacking exasperate, and should of intrinsic value to lawyers just as much as the IT professionals and the general users.

THE SYMPTOMS

Big Spending refers to the multi-billion dollars that organizations spend on cybersecurity such as the American financial institutions alone spent US$1.5 billion in 2016, UK organizations spent £6.2m in 2016 up from £3m in 2015, worldwide spending was predicted in 2017 to grow to $93 billion in 2018 from $86.4 billion in 2017, Hong Kong’s budget to reach HK$85 million in 2019, mainland China almost 23.9 billion yuan and 27.3 billion yuan, respectively 2018 and 2019. Cyberwar denotes international, inter-organizational, and inter-group cyber-conflicts attacks such as the alleged Russian interference of the US general election in 2016 and the UK allegation of Russia’s tampering of Brexit voting.

THE CAUSES

We spend a lot of money on cybersecurity, yet still get hacked because the policymakers and standards enforcers stay away from the social/ethical aspects of the problem. We do not take ethics seriously because of our indifference to or half-based perception of ethics. Muddled view and fallacious belief are the main culprits. Also, not all of us, especially and more importantly the information technologists, have an intrinsic interest in ethics.

THE MUDDLES

Ethics, privacy, risk are used commonly, subconsciously, intuitively in our daily, casual conversations and writings. Few, and certainly not the majority, admit that ethics is not just about ‘right or wrong’, privacy is not the same as being alone, and risk is more than physical damages, financial losses or legal prosecution, and even fewer have an intrinsic interest in these concepts. Unless these concepts are cleared and well understood will the status quo deteriorate, not improve.

Ethics is more than ‘right or wrong’ else there won’t be any complaint about ethics for being vague or slippery. ‘What is legal is ethical’ is fallacious and such fallacious ethics exacerbates the situation. Ethics can be viewed as a dual mission and a dual function (or an Invisible-Hand that has the function of an attacker and a defender shown in Figure 1 (Lee, 2014-15; Lee, 2015). 

Figure 1 – Conceptual Graph – Double Duality

Ethical principles evolve to cope with ethical dilemmas arising in different contexts, times, cultures, and so on. Some are descriptive, others include normative duty-based and result-based.  Described briefly below are those we commonly come across. [Be beware! Sometimes these principles may be in conflict; self-reflection and self-disciplined helps to make a balanced decision.]

  • Golden Rule states that “Do unto others as you would have them do unto you” or “We should do to others what we would want others to do to us”.
  • Relativism holds that different individuals or groups can have completely opposite views of a certain action and both views can be ‘morally’ right or wrong or both” depending on culture, society, historical context, etc.
  • Deontology asserts that an action is morally right if it is done out of a sense of duty.
  • Kantian Categorical Imperative holds that never treat human beings merely as means to an end; always treat them as ends in themselves.
  • Consequentialism holds that an action is morally right if its consequences are beneficial or morally wrong if its consequences are harmful.
  • Utilitarianism means that an action is morally wrong if its results are more harmful than beneficial.
  • Social Contract Theory says that an action is morally wrong if someone’s rights are being violated or an action is good if it is in accord with a moral rule that rational people would collectively accept as binding because of the resulting benefits to the community.
  • Virtue Ethics advise us to live according to the values we cherish and care.

Privacy is a “zone of inaccessibility” or a “right to be left alone”.  Entering a person’s zone without permission is a violation of that person’s privacy. To be left alone embraces “physically being let alone” or “being free from intrusion into one’s physical proximity”. Infringing that right is violating privacy; violating someone’s privacy is rude and unacceptable as it affronts that person’s dignity, not just that person’s privacy.

Risk transcends the orthodox decision attributes which are measured in terms of damages of a physical, financial and legal nature. However, taking home from work a USB containing corporate data (a company asset) for personal convenience exemplifies a new type of risk, a risk of breaching privacy. In this case, the person who takes home an un-encrypted USB is a threat, taking home a USB is a vulnerability, thus causing loss, damage or destruction to an asset. This violation of data privacy constitutes a risk, a techno-ethical risk or simply ethical risk vis-à-vis financial risk, legal risk and physical risk, 

THE REMEDY

The design is premised coupling ethical doctrines (to persuade against wrong-doings) and ethical actions (to nurture trust), aiming to lessen the incidence of hacking or make hacking exasperate with resultant effect of relaxing or softening the demand on data protection and gradually reducing the information security budget and the cost of cyberattacks. The backbone of the remedy is Ethical Computing, and the other key components are built on a sound understanding of the applicable theories of ethics and a shift of view of risk and ethics.

Ethical Computing is the practice of Computer Ethics (Moor, 1985; Johnson, 2009) that identifies/discovers ethical issues arising from developing and using computer-based application systems, and analyzes these issues to come up with balanced solutions. Its current major issues of interest include privacy, intellectual property, digital-divide, professionalism, trust, anonymity, cyberbullying and netiquette. Its methods and tools for ethical analysis include the Ethical Matrix and Hexa-dimension Metric among others (Lee, 2015)

Ethical Matrix is a tool recently adapted from food and agriculture for ethical analysis (Mepham, et. al, 2006, pp 8, 9 and Lee, 2015). Adapted for ethical analysis in the IT context, the columns of the matrix correspond to values held by stakeholders with respect to ethical principles, and the rows correspond to the stakeholders or interest groups. The number of columns and rows varies as required. The cells contain the concerns of the stakeholders (the main criterion that should be met) with respect to the value held (by the stakeholders) or a particular ethical principle.

Hexa-dimension Metric is a measurement instrument initially conceived as a checklist to aid decision making in technology-driven and information-intensive organizations. It comprises six principles related to efficiency or requirements:

  • Financial viability (a justifiable ROI),
  • Technical effectiveness (optimized utilization),
  • Legal validity,
  • Ethical acceptance,
  • Social acceptability, and
  • Ecological sustainability (environmental protection).

Illustration – The Octopus scandal (South China Morning Post, 2010)

As reported, the company sold cardholders’ personal data and milked $44 mil+; the Privacy Commission investigated and prosecuted; some legislators demanded independent investigation headed up by a judge (a legal investigation); and the CEO eventually resigned. An ethical analysis shows:

  • “She didn’t do anything wrong (nothing illegal)”. But is it ethical?
  • “Everybody is doing it”. This is a circular argument relying on Relativism that doesn’t justify her action.
  • “She had a duty to run a profitable operation”. So, she got the duty to make a profit for the company and the shareholders. This is a deontological (duties-based) argument.
  • “The money from sales goes to company profit, a positive return to shareholders”. So, she has done her job well; she delivers the good; the result is beneficial to the company and shareholders. She has made a consequentialist (results-based) argument. The consequence may be good. But for whom, how many – herself only, the company and shareholders, the majority of the whole population of Hong Kong?
  • The proceeds from selling the data benefit the CEO and perhaps the company and shareholders, certainly not the cardholders, not to mention to rest of the population. This is certainly not consistent with the utilitarian doctrine.
  • The cardholders have been cheated and treated as a means to meet the CEO’s want. This contradicts the categorical imperative.
  • The CEO acts against the Gold Rule as she would like to see her own personal data being collected by a third party without her knowledge and permission, and sold for a profit.
  • Lastly, collecting cardholders’ personal data inconsistent with the purpose and selling them without the data subjects’ consent defies the value cherished and cared for by the majority of people – an action against virtue ethics.

The stakeholders, the ethical principles respected for, and the concerns are depicted in Table 1.

Table 1 – Ethical Matrix - a First-cut Result

Values

 


Stakeholders

Well-being (utilitarian/consequential)

Deontic Ethics

Virtue Ethics

Justice/

Fairness

Golden rule

Categorical imperative

CEO

Job security

Performance as CEO

A clear conscience

Not stepping over the redline

Self-protection

Not appear taking advantage of others

Cardholders

Enjoyment of benefits provided by the scheme

Materialize the benefits promised

Confidentiality of personal data

Fair, prima facie

Self-interest

Ensuring not to be exploited

The Company & shareholders

Profit & ROI

Performance monitoring

Company image and reputation

Meeting the set profit margin

 

 

Regulators

Fair and just way trading

Proof of fair trading

 

Compliance of fair & proper trading

 

 

The Ethical Matrix shows that

  • The CEO’s main concern is obviously her job security, undoubtedly a duty for herself. Finding a way to improve or bring in a profit is fine. However, that way must be consistent with ethical principles. She fulfilled her duty; she did nothing illegally; she may or may had a clear conscience with respect to selling the cardholders’ personal data; she may have infringed the Golden Rule and certainly deviated from the Categorical Imperative.
  • Those cardholders who signed up for the Octopus Rewards were obviously attracted by the benefits. Shouldn’t they bear certain responsibility? Were they in a position to complain of being cheated?
  • And more.

The Hexa-dimension Metric (represented by Table 2) shows that the problem does not involve technology or use of technology even though the use of the card is an application of information technology. Hence the technical and ecology measures can be excluded from the analysis. However, as indicated, the ethical and social dimensions of the action (i.e., collecting and then selling personal data) must be addressed.

Table 2 – Hexa-dimension Metric

The measures

Verdicts

Check

Financial viability

Making that extra income is financially viable for the CEO, the Company and shareholders, though at the expense of the Octopus Rewards participants

Technical effectiveness

Not a technical issue; not applicable

n. a.

Legal validity

No prima facie evidence of illegal action

Ethical acceptability

Data collection and data use ethically questionable; unacceptable

×

Social desirability

Questionable in  utilitarian view

×

Ecological sustainability

Not an ecology issue; air pollution or climate are non-issue; obviously not applicable

n. a.

CONCLUSION

Data privacy breaches are parties to the tripartite issue of ethics, law and information security.  The symptoms of the information security nightmare that we spend a lot on data protection yet still get hacked are the big spending (the multi-billion dollars expenditure on cybersecurity) and the cyberwar.

The cause is that we don’t take ethics seriously, hence missing the social/ethical aspects of the problem in formulating information security policy and setting standards. Why that we neglect ethics attributes to our indifference to or lack of intrinsic interest in ethics, and why the indifference is due to our muddled view of the basic concepts of ethics, risk and privacy.

Ethics is not just about right and wrong but has a dual function: acting ethically brings benefits and acting unethically backfires.

Privacy transcends being alone; it defines a zone of accessibility and is right – infringing that right of someone means affronting that someone’s dignity.

Risk is more than physical, financial or legal damages; violating ethics amounts to a new type of risk – ethical risk

Data protection must helplessly go on as the big spending amounts to little avail because it will at least make data owners and data managers feel more comfortable (perhaps falsely) and because data protection is part of corporate operation routine.

Such is the status quo desperately in need of an effective remedy. An ethics-based framework was perceived and developed in response to that need. This framework is grounded in Ethical Computing, the practice of Computer Ethics. An ethical analysis for illustrating the framework using a case enables the user to have an overview of the ethical concerns that the identified stakeholders have with respect to the ethical principles that the stakeholders value by means of the Ethical Matrix, and to gain a feel of how the action taken measures up against the six efficiency principles with the help of the Hexa-dimension Metric.

The remedy’s design relies on the coupling of ethical doctrines (to persuade against wrong-doings) and ethical actions (to nurture trust), and its aim is to lessen the incidence of hacking or make hacking exasperate so as to relax or soften the demand on data protection and gradually reduce the information security budget and the cost of cyberattacks. It should be helpful to all IT users, and of professional interest to lawyers as well as IT practitioners.

Editorial note: Professor Wanbil W. Lee will be presenting a seminar “Data Privacy and Cybersecurity” at the Hong Kong Academy of Law on 25 June 2019.

References

Fortune (2018) These Were the Worst Data Breaches and Vulnerabilities of 2018. <http://fortune.com/2019/01/04/worst-data-breaches-of-2018/ > (accessed 24 February 2019)

Johnson, D. G. (2009). Computer Ethics (4th Ed.). Upper Saddle River, NJ: Prentice Hall

Lee, W.W. (2014-15). Ethical, Legal & Social Issues. Lecture Notes, Postgraduate Diploma in eHealth Informatics, The University of Hong Kong

Lee, W. W. (2015). Ethical Computing. In Khosrow-Pour, M. (Ed.), Encyclopedia of Information Science and Technology (3rd ed., Ch. 292, pp. 2991-9)

Mepham, B., Kaiser, M., Thorstensen, E., Tomkins, S., & Millar, K. (2006). Ethical Matrix Manual. The Hague: LEI <http://www.ethicaltools.info/content/ET2 Manual EM (Binnenwerk 45p).pdf>

Moor, J. H. (1985). What is Computer Ethics? Metaphilosophy, 16(4), 266–275.

South China Morning Post (2010) <https://www.scmp.com/article/720620/octopus-sold-personal-data-customers-hk44m > (accessed 17 March 2019)

President of the Computer Ethics Society

Professor Wanbil W. Lee is a cyberethics evangelist, Founder and President of The Computer Ethics Society, and Principal of Wanbil & Associates. He is also Co-founder of The Hong Kong Computer Society, Advisory Board Member of the European Centre of eCommerce & Internet Law, and Member of the Nous Global International Experts Network. Professor Lee sits on committees or advisory boards of several professional bodies, government agencies and editorial boards. His experience spans business, government and higher education; his education embraces Mathematics, Computing and Management. He evangelizes through publishing his work on Ethical Computing and Cybersecurity, teaching the subject Computer Ethics at undergraduate and postgraduate levels, consulting, training or speaking to various organizations including the Hong Kong Police Force, the Office of the Government Chief Information Officer, the Hong Kong Jockey Cub, Commonwealth Bank of Australia, the China Light & Power Co. Ltd. (CLP), the University of Vienna Faculty of Law, the University of Newcastle School of Electrical Engineering and Computer Science, Australia, the Institution of Engineering and Technology, the Hong Kong Institution of Engineers, the Hong Kong Computer Society, the Law Society of Hong Kong, and international conferences on Info-security, etc.