The Information Technology
As information technology becomes more and more advanced in this era, many parties tend to keep personal data and information digitally for the sake of convenience. New systems and the latest software, password management software for example, were developed to impress big organizations or even individuals and talk them into storing important personal data.
When the majority of information technology users and the online community adopt advanced technologies in their daily life (online transactions, instant messaging, storage of customers' information and confidential data), hoping to increase productivity and communicate effectively, a serious issue comes into the picture: HOW DO WE SAFEGUARD AND SECURE OUR PERSONAL DATA?
Despite all the advantages we can enjoy from these technologies, we have provided enormous databases for hackers to access. Apparently the security of our personal data cannot depend on technology itself. Our privacy is protected by acts and laws.
The ethical issue here is that laws can only outline the limits of what can and cannot be done. Law provides protection only to what is written in an act. It cannot control human behaviour when it comes to intruding on others' privacy. Technology and laws can each meet only part of the need to secure our personal data.
2.0 Data Security and Privacy
In the Data Protection Act 1998, data is specified as information which:
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
According to the Personal Data Act 1998, personal data means all kinds of information that may directly or indirectly be referable to a natural person who is alive. The Personal Data Act 1999 defined personal data as any information on a person's characteristics or personal circumstances, where these are identifiable as concerning him/her or the members of his/her family or household. Data therefore covers a wide range of information, from personal files and intellectual property to customers' information and trade secrets.
Personal data security, on the other hand, means the ways of protecting data and information from corruption or from being accessed without permission. It is needed mostly to ensure privacy. Privacy invasion has been one of the top reasons some people avoid the internet and communication technology. Databases and personal information are always open to unauthorized access, either by random hackers or by people from the company itself, because security issues can never be wholly resolved.
The right to privacy is one of the basic principles of human rights. Every human being has the right to withhold a certain portion of information to prevent intrusion into his or her personal life or affairs, whether by direct physical means or by publication of information. The same right extends to data protection to prevent data loss, especially of sensitive data. Sensitive data is defined in the Data Protection Act 1988 as personally confidential or commercially confidential data which will cause damage or distress to individuals if lost or stolen, and which is related to racial origin, political opinions, religious beliefs, health, sexual life, commerce and other offences.
The leakage of such data caused by individual actions is sometimes uncontrollable. Apart from security system failures, even when a system is strong, some people are always driven by immoral instincts to break into it. In cases of intentional intrusion, the data usually ends up being used illegally.
The fast pace at which the internet and other technologies advance has made personal data more easily attainable, because of its vulnerability and threats from other users. To safeguard privacy and ensure that access to data is suitably controlled, one must learn the weaknesses of the technologies as well as the acts that protect privacy rights.
3.0 Threats and Vulnerabilities in the Internet and Information Technology
3.1 Local Area Network Security
Organizations from various industries nowadays use their wireless networks for many more purposes than just email and internet access. Productivity is increased and working expenses are reduced because operations are always on-going. This infrastructure will be continuously improved to achieve operational excellence.
In a classic LAN configuration, one computer is assigned as the file server. It basically stores the applications, software and devices that control the network. It can also be shared by all the computers that are attached to the network. These computers are called workstations.
Communication or data transfer across a LAN is at high risk of being captured. If handled improperly, sensitive data might fall into the wrong hands. For example, electronic mail (email), one of the major applications provided by most LANs, has replaced traditional enveloped mail written on paper. However, email fails to give any assurance of confidentiality between sender and receiver. Unlike email, conventional mail makes certain that the message was not altered, by reference to the integrity of the paper envelope. An inadequately protected LAN puts even such a simple file transmission at risk of being read or perhaps even altered. On some LANs, there is not even a guarantee that a mail was genuinely sent by the named sender.
To raise productivity in an organization without having to worry about security problems, sufficient security measures have to be in place. Technical management, user training and awareness, and risk management planning should also be in the picture to handle data loss and other risks.
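The paper envelope comparison in this section can be made concrete. The following is an added example, not part of the original essay: it attaches an HMAC-SHA256 "seal" to a message so the recipient can detect alteration and a falsely named sender (it does not address confidentiality). The addresses, keys and the X-Demo-Seal header are hypothetical, and the keys are assumed to be shared with the recipient out of band.

```python
import hashlib
import hmac
from email.message import EmailMessage

# Constructed demo secrets, one per sender, assumed to be shared with the
# recipient out of band. Names and keys are hypothetical.
SENDER_KEYS = {
    "alice@example.lan": b"constructed-key-for-alice",
    "bob@example.lan": b"constructed-key-for-bob",
}
SEAL_HEADER = "X-Demo-Seal"  # hypothetical header name, not a standard


def build(sender, recipient, subject, body):
    """Create a plain-text message; nothing here protects it yet."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _covered_bytes(msg):
    """Length-prefix each covered field so field boundaries cannot be shifted."""
    fields = [str(msg["From"] or ""), str(msg["To"] or ""),
              str(msg["Subject"] or ""), msg.get_content()]
    out = b""
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def seal(msg, key):
    """Attach an HMAC-SHA256 tag computed with the sender's key."""
    del msg[SEAL_HEADER]  # no-op when the header is absent
    msg[SEAL_HEADER] = hmac.new(key, _covered_bytes(msg), hashlib.sha256).hexdigest()
    return msg


def verify(msg):
    """Return 'ok', 'missing-seal', 'unknown-sender' or 'bad-seal'."""
    tag = msg[SEAL_HEADER]
    if tag is None:
        return "missing-seal"
    key = SENDER_KEYS.get(str(msg["From"] or "").strip().lower())
    if key is None:
        return "unknown-sender"
    expected = hmac.new(key, _covered_bytes(msg), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing
    return "ok" if hmac.compare_digest(expected, str(tag).strip()) else "bad-seal"


def demo():
    alice, bob = SENDER_KEYS["alice@example.lan"], SENDER_KEYS["bob@example.lan"]
    genuine = seal(build("alice@example.lan", "hr@example.lan", "Payroll",
                         "Pay account 1111 the sum of 500."), alice)
    # Altered in transit: the original seal travels with a changed body.
    altered = build("alice@example.lan", "hr@example.lan", "Payroll",
                    "Pay account 9999 the sum of 500.")
    altered[SEAL_HEADER] = str(genuine[SEAL_HEADER])
    # Named sender is Alice, but the seal was made with Bob's key.
    spoofed = seal(build("alice@example.lan", "hr@example.lan", "Payroll",
                         "Pay account 2222 the sum of 500."), bob)
    unsealed = build("alice@example.lan", "hr@example.lan", "Payroll", "hello")
    return [verify(m) for m in (genuine, altered, spoofed, unsealed)]


if __name__ == "__main__":
    print(demo())
```

A shared-key tag proves origin only to parties that hold the key, and anyone holding it can also produce valid seals. Deployed mail systems use public-key signatures such as S/MIME or OpenPGP for this purpose.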
What is spamming?
Spamming is flooding the Internet with many copies of the same message, quickly and beyond its capacity, in an attempt to force the message on people who would not otherwise choose to receive it.
Techniques of Spamming
E-mail spam is the most common spamming technique and one that many users have encountered. It is junk mail that tries to deceive internet users into sharing personal details, or redirects them to a website containing malicious content.
There are many more techniques used for spamming, but they all come down to one purpose: to increase the probability that targeted victims are deceived and end up giving away personal details, leading to identity theft cases. Even before the spamming itself, the victims' personal data has already fallen into the wrong hands, which is why they are spammed.
3.3 Identity Theft
What is identity theft?
Identity theft is intentional deception by someone who pretends to be another person in order to perform a malicious act. As a result, the person whose identity is used is held responsible for the perpetrator's actions and their various consequences.
According to sources from Wikipedia, identity theft can be divided into five categories:
- Business or commercial identity theft which is using another's business name to obtain credit.
- Criminal identity theft which is posing as another when apprehended for a crime.
- Financial identity theft which is using another's identity to obtain goods and services.
- Identity cloning which is using another's information to assume her or his identity in daily life.
- Medical identity theft which is using another's information to obtain medical care or drugs.
Identity theft comes with several techniques and methods to steal information from others. Here are some of the techniques used:
- Dumpster diving
- Information retrieval
- Victim research
- Pick pocketing
- Computer identity theft
- Data breach
- Employment scams
- Social networking
- Remote thievery
Organizations and individuals might be careful in handling data security problems, but the truth is that there will always be somebody trying to deceive a party in order to commit fraud. This is beyond the reach of system security, and users themselves must be aware of these techniques to avoid data loss.
3.4 Data Encryption
In contrast to LAN and other data security problems, data encryption is one of the ways to overcome security problems. Encryption is the activity of converting electronic data or information into code. It can only be read by the intended recipient, who uses an encryption key to recover the message.
Data encryption uses a mathematical algorithm with a unique key to convert a file into a form that cannot be read. Some highly confidential data, like government records and military secrets, have long been secured using this method. Now, data encryption is regarded as a leading-edge protection strategy by a majority of organizations.
Data encryption is almost perfect for data protection, except that it slows the system down because of the complexity of encrypting data. Ironically, it also contributes to data security issues, as it may lead to data corruption. This is one of the reasons some companies hesitate to use data encryption in their work. Data might not be successfully decrypted again, and it will then be unrecoverable.
Therefore there is no absolute solution for data protection. It all depends on how big the organization is, because installing data encryption technology with minimal corruption could cost a fortune. A high level of complexity and maintenance is vital to make sure data encryption does not fail.
4.0 Laws and Ethical issues
What are ethical issues?
A theory of ethics must be included when making a critical evaluation of an action. Privacy violation, misuse of data, and control of and access to others' information are the issues most often associated with electronic information. Each specific problem requires a slightly different kind of ethical decision.
There are many pros and cons to ethical issues in the cyber world; in fact, many IT experts fail to realize that their field of work is closely related to ethics. Programming skills can be applied in an ethical way to contribute to society, or the reverse, depending on the programmer's moral principles. The word "hacker" is associated with "black hats", hackers who use their skills to break into systems and access data and programs without the permission of the owner. However, the term originally described people with great programming skills, and those who use their skills to help companies and individuals protect against the black hats are called "white hat hackers". Hackers can be helpful or destructive. Ethical issues may arise when computing skills are used for different purposes (actions).
Electronic networks are becoming relatively common in the business field, the government sector, and among home users. Recognition of the power and potential of electronic networks has created some ethically contested issues that may eventually touch on laws, political power, control of communications, equality of access and privacy.
Could a computer break-in ever be justified on ethical grounds? Eugene Spafford (2004) believes that in certain cases, breaking into a computer could be the "right thing to do". He also argues, however, that computer break-ins always cause harm, which suggests they are not ethically justified.
Many business sectors and governments view hacking activities in any form as invasive activity, and some see it as a form of trespass. Current legislation against trespass in cyberspace has taken the side of business, government, and law enforcement agencies. Yet for crimes committed in cyberspace, these distinctions have not always been made by judges and juries in determining sentences.
Some international laws have been put in place; for example, the Council of Europe (COE) has considered ways to implement an international legal code. Cybercrime involves multiple law enforcement agencies and multiple ISPs in diverse countries under diverse rules of law. The COE has therefore come up with four types of criminal activity in cyberspace.
- Offences against the confidentiality, availability, and integrity of data and computer systems
- Computer-related offenses (such as fraud)
- Content-related offenses (such as child pornography)
- Copyright-related offenses.
5.0 Personal Data Protection Bill
"In a world where literally everything you do can leave a digital fingerprint, nothing strikes a visceral chord among web users more than the issue of privacy. There is very little that one can do in complete anonymity when it comes to surfing the web. It is only a question of how willing various data collectors are in maintaining the privacy of users. The potential for abuse is enormous."
- MICHAEL RAPPA, founder and director of the Institute for Advanced Analytics and a professor in the Department of Computer Science at North Carolina State University.
Almost 10 years since it was first thought of, the Personal Protection Bill of Malaysia will finally be enforced sometime in 2010. The Bill, which aims to "regulate the collection, processing, storage as well as exploitation of people's personal data", will maintain the government's attention to the importance of international business and trade while at the same time protecting the interests of society as consumers at large.
Here is a short chronology of the events that took place before this monumental bill was tabled in 2009:
- 2001 - The bill was first drafted and disseminated to various parties but was never implemented due to strong opposition.
- 2004 - The bill was again brought into the spotlight but still did not get much recognition because of the uncertainties it might cause to trade in general.
- 2007 - The bill was in its last stages of finalisation and was again thrown out amid concerns about what the regulation could affect.
- 2009 - Yet another finalized Bill was tabled in parliament and is expected to be implemented by 2010.
What exactly is the Personal Data Protection Bill and why is it needed? The proposed bill is Malaysia's version of the Data Protection Act 1998 which has been enforced in the United Kingdom and designates that personal data must be:
- Processed fairly and lawfully;
- Obtained for specified and lawful purposes;
- Adequate, relevant and not excessive;
- Accurate and up-to-date;
- Not kept any longer than necessary;
- Processed in accordance with the "data subject's" (the individual's) rights;
- Securely kept; and
- Not transferred to any other country without adequate protection in situ (in its original place).
So until the proposed Bill is enforced, Malaysia technically does not have any rights of privacy for its citizens. The underlying point of having such a law is to supply enough security and privacy in handling personal data, to create confidence among consumers and users of both networked and non-networked environments, to accelerate the use of electronic transactions, and finally to promote a secure electronic environment in line with the objectives of the Multimedia Super Corridor.
The ethical issue in question here is the misuse of data. For example, have you ever received a text message from someone you do not know who is trying to sell you something? Or an email from a company you don't even know? This is only the tip of the iceberg. If whoever sent you that message has your contact number, he/she might even have your house address, I.C. number or even credit card number, which would allow an even greater abuse of your information to occur.
Social engineering is made even simpler when someone has data about a certain party. Examples of entities who own your data:
a) Public sector, namely the government.
b) Private sector, namely banks, insurance companies, telephone companies and social networking websites like Facebook.
Now what if these bodies were in fact sharing your data among themselves? Since there is no law to limit that, they are not legally doing anything wrong, and we the consumers are all at risk of having our information abused.
We were the first country to have the MSC, and every country that has seen it envies us; yet with all this talk of cyber-terrorism, we still do not have a law that safeguards us against the wrongful manipulation of our information.
More on the Proposed Bill
The bill, when enacted, will cover almost every person or body that collects data relating to people such as employees, customers, clients, members of organizations or societies, patients, citizens, etc.
The ethical issues which arise from such a law are as follows:
- Should the proposed law apply to the government, or strictly restricted to the private sector?
- Who would be responsible for making sure everyone follows the law?
- The relationship between existing laws and the proposed law, for example, should the proposed law prevail over any existing laws or vice versa.
- What exemptions could be provided in matters of national security, public policy, crime and health records, and could these matters be exempted from this law?
- With technology becoming more and more advanced, how would any new technology affect this law?
- The cost and implications that would arise in enforcing such a law. Would it be advantageous or would it affect the flow of investment into this country?
Amidst all the issues, the rationale behind the proposed bill is simply the privacy of individuals, which may be disregarded or abused, and fears of the manipulation of data or the use or storage of outdated, incorrect or misleading information.
It is important to enforce such a Bill. As Lord Hoffmann put it, "...one of the less welcome consequences of the information revolution is the ease with which it has become possible to invade the privacy of the individual. ... Vast amounts of information about everyone are stored on computers, capable of instant transmission anywhere in the world and accessible at the touch of a keyboard. The right to keep oneself to oneself, to tell other people certain things are none of their business, is under technological threat."1
The proposed Bill is significant in that it deals with an aspect of privacy which Amnesty International clearly defines as a fundamental human right. The Bill will protect our information and ensure that it is not abused (for example, plainly disclosed to anyone). At the same time, the law cannot be so stringent that it prevents businesses from carrying on their business or transferring information from one country to another.
As consumers, we should have the confidence in knowing that what we do through the internet is safe and can be trusted. Have we not agreed to this when everybody agreed to the social contract? Or do we have to wait until something tragic really happens for action to be taken?
1 Lord Hoffmann, Reg vs Brown. (1996). The European Court of Human Rights.
With the rapid advancement of information technology and its aggressive implementation in our daily life, the security issues surrounding the protection of our personal data have raised awareness among organizations and individuals of the need to come up with security plans. In addition, programmers have to put in endless effort on detailed testing in order to cut down the probability of system failure or intrusion. However, we all know that these plans can only reduce, not prevent, the unauthorized invasion or corruption of our personal data.
Many laws and acts were created in the hope of drawing a clear line between right and wrong actions. Every term is well defined, and what is protected by the law is accurately stated. Through these laws we gained our fundamental right to forbid the disclosure of our private information. Ironically enough, these rights are ours to claim only once they have been violated. The damage has already been done.
To remove the root of the problem, our group came to an understanding and proposed that:
(a) The profession of computer network and programming should be embraced and be treated with respect so that no one will act in disregard to the principles within the profession and use his/her expertise to access another party's personal data without permission or cause damage to them. Knowledge and skills should be constantly developed to come up with a safer environment for the public to use technology without worries.
(b) Laws should come hand in hand with ethics and morals. Only when ethics are applied in life can knowledge be treated with dignity and used in a way that brings the whole society to another level of life eased by technology.
Hopefully the gradual improvement of information technology can instead awaken the moral sense within society and thus lead us to a better living where ethics and knowledge are held in high regard.
7.0 Bibliography and References
Spinello, Richard A. Case Studies in Information Technology Ethics. New Jersey: Pearson Education, 2003.
Bosworth, Seymour. Computer Security Handbook. New Jersey: Wiley, 2009.
Reynolds, George. Ethics in Information Technology. US: Thomson Course Technology, 2007.
Wright, Craig. The IT Regulatory and Standards Compliance Handbook: How to Survive an Information Systems Audit and Assessments. US: Syngress Publishing, 2008.
Federal Information Processing Standards Publications. (1994). Guideline for the Analysis of Local Area Network Security. http://www.itl.nist.gov/fipspubs/fip191.htm
Information Commissioner's Office. (2007). Data Protection Technical Guidance: Determining What is Personal Data. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf
Khaw, Lake Tee. (2002). Towards a Personal Data Protection Regime in Malaysia. Journal of Malaysian and Comparative Law, 29 (1).
Lee Min Keong. (2009). Malaysia to Enforce Data Protection Law. http://www.zdnetasia.com/malaysia-to-enforce-data-protection-law-62058458.htm
Personal Data Act. (1999). Personal Data Act. http://www.tietosuoja.fi/uploads/hopxtvf.HTM
Spectrum Data. Data Encryption: A Basic Understanding. http://www.spectrumdata.com.au/content.aspx?cid=263
United Kingdom. (1998). Data Protection Act 1998. http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1