A Quality Advisor Book Review by Richard E. Biehl.
Copyright 1991, Data-Oriented Quality Solutions. All rights reserved.

ETHICS IN QUALITY
by August B. Mundel, ASQC Quality Press, 1991

COMPUTER ETHICS
Cautionary Tales and Ethical Dilemmas in Computing
by Tom Forester and Perry Morrison, The MIT Press, 1990

CYBERPUNK
Outlaws and Hackers on the Computer Frontier
by Katie Hafner and John Markoff, Simon & Schuster, 1991


The Professional Code of Ethics for the QAI Certified Quality Analyst requires that those certified will "maintain and improve their professional competency through continuing study, cooperate in the development and interchange of knowledge for mutual professional benefit," and "maintain high personal standards of moral responsibility, character, and business integrity." What does this mean to the practicing quality professional who must put these principles into action?

In Ethics In Quality, August Mundel places great emphasis on professional codes of ethics. "Ethical behavior indicates that there are responsibilities which become necessary parts of the decision-making process of anyone who agrees to be governed by a code of ethics. It is possible that some people will not agree with specific aspects of some codes. It behooves such a person not to agree to the codes." Mundel devotes 20% of his pages to the presentation of standards of ethics from a variety of professional organizations.

Tom Forester and Perry Morrison also place great emphasis upon professional codes in Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. Their purpose is "to describe some of the problems created for society by computers" and "to show how these problems present ethical dilemmas for computer professionals" and users. They point to the various codes of ethics promulgated by organizations like the Institute of Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), and the Data Processing Management Association (DPMA). They lament that "it is fairly true to say that few of these worthy statements have or will have much force behind them, given that membership (in) these organizations is in general not compulsory. Enforcement is therefore difficult to non-existent."

Computer Ethics is organized around specific topics and so is very useful for defining areas of concern to the information systems professional. Forester and Morrison begin with computer crime. They treat "the theft of computer time, usually in the form of the unauthorized use of an employer's computer" as a gray area in computer ethics. "Unauthorized use is technically 'theft' of processing and storage power, yet most employers turn a blind eye to the company's employees using the company's computers in moderation." They cite relatively innocent activities such as preparing income taxes, biorhythms, and mailing lists for the local church. Their concern is that eventually a line is crossed to improper behavior. "Using company computers for financial gain such as private consulting work is clearly unethical."

"The thorny problem of unauthorized use demonstrates how new possibilities opened up by the new technologies can lead otherwise honest and loyal employees down the slippery slope to more serious misconduct and perhaps outright criminal behavior." Clearly personal activities become unethical after a certain line has been crossed. But what are the implications for the quality professional? Obviously CQAs need to be held to the same ethical standards applied to any professional in the field. But are there additional ethical requirements vested in the CQA designation?

Forester and Morrison describe the 'typical' computer criminal "as being a loyal, trusted employee, not necessarily possessing great computer expertise, who has been tempted, for instance, by the discovery of flaws in a computer system or loopholes in the controls monitoring his or her activity. Like most fraud, it is the opportunity more than anything else that seems to generate this kind of aberrant behavior." This places an ethical requirement on the computer professional to try to prevent flaws and control loopholes in systems that might tempt someone into unethical behavior. Does it place additional ethical requirements on the quality analyst? Must we be extra vigilant in creating and monitoring processes that support these prevention requirements?

Even if we do not personally practice unethical activities, what about our direct knowledge of coworkers who do? What are our obligations under our own code of ethics when it comes to matters of such knowledge? Our options include ignoring the behavior, approaching the coworker to attempt to discourage the behavior, or approaching management to report the behavior. Many of us choose to ignore unethical activities because the confrontations required by other options are too uncomfortable to accept. Is our choice of inaction itself unethical?

Forester and Morrison spend the body of Computer Ethics continuing down their "slippery slope." From computer crime they move on to software theft, or piracy. "In commerce, industry, education and even in government departments, there is mounting evidence of the mass copying of software packages, often with the collusion of management." Businesses avoid substantial cash outlays by looking the other way when employees pirate software. Often these practices can be encouraged by instituting excessively bureaucratic in-house procedures for the acquisition of software. It simply becomes much easier to pirate a software package than to obtain a legitimate license. "There are few individuals who can honestly say that they have never used a program for which the developer has not been properly compensated. Software piracy is an endemic social problem which is here to stay."

What can the quality practitioner do about it? We can personally stop using pirated software and encourage our coworkers to do the same. We can work with management to help remove all obstacles to the legitimate acquisition of needed software licenses in the workplace. But software piracy illustrates the difficulty of enhancing ethics in the workplace. Piracy is illegal. Piracy is clearly unethical. The remedy is both obvious and reasonably available. And yet piracy continues. If this problem cannot be solved there is little hope for solving the more intractable ethical dilemmas facing our profession.

Forester and Morrison move on to hacking and viruses, changing their tone dramatically in the process. In earlier chapters, Computer Ethics challenged the reader toward ethical behavior. "Computer crime should not present an ethical dilemma for computer professionals or computer users. Theft is theft and fraud is fraud and both are generally accepted by our society to be morally wrong."

But when the subject turns to hacking, the authors seem desperate to find some justification that will avoid admitting the otherwise obvious lack of ethics involved with breaking into computer environments to which one is not authorized. They reason that "in many instances the breaching of systems can provide more effective security in the future, so that other hackers are prevented from causing real harm." This logic seems a bit self-serving, and gets worse. "Given that more and more information about individuals is now being stored on computers, often without our knowledge and consent, is it not reassuring that some citizens are able to penetrate these databases to find out what is going on?"

Are Forester and Morrison serious? They wish to reassure the reader that not only do large businesses maintain personal information about us on their computer databases, but now an entire culture of hackers has access to this same information to do with as they wish. Come on now! In their own words: "theft is theft and fraud is fraud."

In Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner and John Markoff explore the world of hackers. They have "found harbingers of cyberpunk, young people for whom computers and computer networks are an obsession, and who have carried their obsession beyond what computer professionals consider ethical and lawmakers consider acceptable."

Cyberpunk tells the stories of three hackers. One is Kevin Mitnick, who sees "himself as a brilliant computer renegade" as "he prove(s) to be a formidable adversary for one of the world's leading computer makers." The second is a young German who calls himself Pengo. Pengo's "parents had no understanding of the electronic world he had entered, no one knew that he was doing anything wrong when he spent hours at a time in front of a computer screen." "Kevin and Pengo represent something close to the cyberpunk idea of the computer 'cowboy' who lives outside of the law."

The third story in Cyberpunk is different. A Cornell University graduate student named Robert Morris "became notorious when he wrote a program that brought down a nationwide computer network." His actions had a sudden impact in the Quality Assurance field. "By releasing a program that crippled several thousand computers in a matter of hours, he permanently altered the course of his life and confirmed everyone's worst fears about what hackers could do."

Cyberpunk is a sobering story of what can go wrong when individuals choose to become even benevolent hackers. "In Robert's mind, (his) was a perfectly harmless plan for probing security of the network." At one point a friend, Paul Graham, suggested that the attempt could be used for Robert's dissertation. "It probably didn't occur to Robert that this was the kind of thing saboteurs might generate in order to bring down an entire international computer network."

Forester and Morrison's argument that hackers can be beneficial to the industry is overshadowed by the cases illustrated by Hafner and Markoff. If such innocent hackers can wreak such havoc, the Quality Assurance practitioner must indeed work to assure that systems are built and installed that properly address the issues of security, access, and authorization. One can only imagine the damage that might be caused by a hacker who intended to cause damage.

After providing their own version of the ethics of hacking in Computer Ethics, Forester and Morrison move away from issues of personal ethics to more corporate ethical concerns. They explore the inherent unreliability of computers and the ethical issues involved with building systems responsible for human lives. They explore the ethics of keeping large databases containing personal or financial information about large populations and the inherent loss of privacy associated with these applications by society. Finally they explore the potentially dehumanizing aspects of the computerization of the workplace and the ethics of the use of employee monitoring applications by management.

Computer Ethics offers useful insights into the social issues surrounding the systems that are routinely built and installed by corporate information systems functions. The desirability of having these systems, and the ethics of participating in their development, require continuing debate throughout the industry. For the quality professional, additional ethical issues are raised because we are challenged to aid management in the identification and handling of risks on information systems projects.

What obligations do we place on ourselves through our Professional Code of Ethics? Each of us must answer this question for ourselves. Open debate is needed to explore all of the issues and further education is needed in order to better articulate options. In Computer Ethics, Forester and Morrison define and discuss many of the problems. However, their book is descriptive, not prescriptive. Specialized materials need to be created to assist the quality practitioner.

Unfortunately, Ethics In Quality fails to deliver what its title promises. Mundel betrays his bias in the first paragraph of the book's preface: "The subject of ethics is one which is not regularly discussed in engineering studies or periodicals." His "introduction to ethics, in the context it is treated in this volume, has come about through (his) working with lawyers on incidents in which a product or service was blamed for a loss or injury to a person or corporation." His is a book about product liability and engineering. His reader is presumed to be an engineer. Every example is an engineering example with many oriented to the legal and medical professions.

Mundel devotes a late chapter to the issues of Quality Control in engineering. Other, more general, discussions of quality seem to have been added throughout the text late in the publication process. Each addition includes a reference to the American Society for Quality Control (ASQC), the organization that agreed to publish Mundel's work. Many of these insertions result in a choppy text. In most cases, particularly on pages 147 and 153, the text is easier to read if the inserted paragraph is simply skipped.

Organizations cited by Mundel throughout the book deal exclusively with engineering or product liability matters: IEEE, the American Society of Civil Engineers (ASCE), the Accreditation Board for Engineering and Technology (ABET), and the American Medical Association (AMA). QAI members dealing with embedded software projects involving public safety and product liability issues will benefit from Mundel's work.

Others will have to turn to alternative sources directed at ethics in traditional information systems. One such source is the Computer Professionals for Social Responsibility [CPSR, Box 717, Palo Alto, CA 94302, 415-322-3778]. CPSR, a non-profit member organization, conducts research into many of the general issues raised by Forester and Morrison. Every CQA has an obligation to think about, and act on, these important issues.

As Mundel states, "ethics is seldom a black-and-white situation. An action that might seem ethical in one case may not seem ethical in another, or to another individual." These books help define the issues that we must understand, and be aware of, in order to practice ethical actions in real-time.