Leadership

Corporate ethics versus security ethics

There are direct conflicts of interest between a technology corporation's responsibility to its shareholders and the ethical responsibility to its customers' security. Ignore them at your peril.

There are direct conflicts of interest between a technology corporation's responsibility to its shareholders and the ethical responsibility to its customers' security. Ignore them at your peril.


Corporate responsibility is a term often used to refer to the legal mandates and business priorities of decision makers within public corporations. This particular breed of responsibility, as a domain specific system of ethics, is quite clearly divorced from other ethical systems in the general case. There are both theoretical and practical limitations on the liability that apply to any individual decision maker for, or agent of, a public corporation whenever such liability might interfere with the ability of that decision maker or agent to directly serve corporate responsibility, specifically because of that domain specific system of ethics.

In short, Corporate Responsibility mandates that all decision makers and agents within public corporations must assume as their first priority "the success of the corporation as an investment of the shareholders' resources." Such decision makers and agents have "an ethical mandate to serve that end, and anything that stands in the way of that end is secondary at best. Period."

Contrast this reality of corporate responsibility with what we wish to be true when we make optimistic statements about the honesty of those acting on behalf of corporations that provide us with our software and services. Was the operating system running on the computer you use to read this article developed under the auspices of an organization whose first priority is to serve the interests of its users, or is that organization's first priority the metrics used to convince shareholders that they're getting a good return on their investments?

When it comes to software and service security, this can manifest in manifold ways, of which the following three (not entirely hypothetical) examples comprise just the tip of the iceberg.

A. Privacy

Which do you think is easier to accomplish with an absolute minimum of expense when government law enforcement agencies make requests for customer data on a regular basis?

  1. Check the source of a request, determine the legal requirements for such a request (subpoena, warrant, et cetera), have a lawyer examine the paperwork in detail, enumerate options for legal compliance with minimal exposure of private customer data, and finally proceed in a manner calculated to facilitate legal searches while barring access to any data that is not legally required in satisfaction of the law enforcement request so that the corporation's customers are protected.
  2. Create an automated law enforcement data access portal, then effectively ignore it, simply hoping that if there are any breaches of trust nobody will notice.

B. Testing

Which do you think is more important when testing the security of a piece of software or a service intended to be employed by millions of end-users to manage their finances?

  1. Thoroughly test the software or service. When you are done, conduct in-depth focus group testing. When finished with that, offer closed beta testing. Finally, use open beta testing to work the final bugs out of the system over a period of time substantial enough to minimize as much as reasonably possible the remaining bug count. Only when this is done do you consider the software or service ready for prime time.
  2. Test it enough so that you think any remaining bugs probably won't damage the company's reputation over more than a very short-term period, then conduct any further testing by basically unleashing the bug-laden software on the open market and adopt a secrecy-based vulnerability management policy (see below) to try to cover up the fact that you've foisted essentially unfinished, unsecured software on an unsuspecting customer base.

C. Vulnerability management

Which do you think is more important when a vulnerability is discovered in a desktop application or Web service, and it becomes known that it is being exploited by security crackers in a way that is not obvious to end users?

  1. Ensure that the security vulnerability is fixed quickly, and that users are informed of the vulnerability so that they can protect themselves with work-arounds or suspension of their use of the software or service.
  2. Keep users in the dark and the existence of the vulnerability hushed up as much as possible so that public confidence in the corporation and its products and services will not be damaged.

Harsh reality

It is quite likely that your answers to these questions as an end-user and the answers of the CEO of a public corporation offering software or Web services to customers will not be the same answers. The sad fact is that this is not a matter of a few rotten apples giving the rest of the corporate world a bad name. Rather, it is a matter of conflicting ethical demands -- on one hand, a duty to the customer, and on the other, a duty to the shareholder -- where the legal enforcement of such ethics almost universally punish giving greater care to the customer's benefit. Depending on how you look at it, you might characterize the dilemma as having no correct answer, or no incorrect answer, or even a "more correct" answer that mandates giving the end-user the shaft more often than not.

This is why there's no such thing as a trusted brand. It is also part of the reason why encryption that doesn't trust the user isn't trustworthy. Perhaps most importantly, it is a demonstration of the reason that we should all learn to fish for ourselves.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

16 comments
kama410
kama410

I find your writing to be thought provoking and very clear. I always find articles by reading the abstracts in my Tech Republic newsletters. It is an interesting co-incidence that I seem to read a lot of your articles. Keep up the good work!

golden.kenneth
golden.kenneth

The struggle that most executives are pinned in to is the marriage of how to assuage the security folks? concerns (who are necessary like toilet cleaner, of which I am one, security folk that is?) and the appeasement of the C level. With the C?s watching the bottom line and listening to the board who are concerned about cost, viability, protection of assets, meeting minimum legal requirements etc? The executives are caught with people hanging on both ears and most, IMHO, are not mentally or technically prepared to make the decisions they are forced to in this arena.

Dr_Zinj
Dr_Zinj

In a natural, free market place, customer satisfaction (user security) is subject to the law of diminishing returns. Maximizing security AND profits means you're going to have to provide customers with at least better than average security; otherwise, your customers are going to bail and take your profits away. In example 1, you're giving law enforcement carte blanche to go on a never ending search for irregularities. That's a surefire way to kill corporate profits via lawsuits, because anyone can find irregularities that are of questionable justification in court. And where there is a question, there's blood in the water for legal sharks. Your ethical obligation to the shareholders is to minimize legal entanglements. Your ethical obligation to customers is to minimize exposure. The ideal is to subject law enforcement agencies to run the gauntlet of option 1, and have option 2 available if they succeed. Example 2 is a false dilemma. I remember software built in the 70s and 80s that was developed under option 1, that worked wonderfully, but the company died anyway, ostensibly due to overhead costs; which would support your arguement. However, I've also seen major products take a massive hit because customers were so pissed off over option 2 that they bailed to a competitor's product. The ethical stance to satisfy both parties is to work a compromise between the two, and keep both groups fully informed as to what and why you are doing that. Finally, example 3. Why does Microsoft immediately jump to mind? Probably because they exclusively adhere to the second option. The problem with that is that every time the truth gets out, and it always will, it engenders more dissatisfaction with the company for having the vulnerability in the first place, and for lies of ommission to their customer base in the second place. The end result is an over all net loss; hardly ethical to either the shareholders or to the customers.

santeewelding
santeewelding

Filled with straw, to make use of your favored device. Corporate responsibility can -- is -- cast also as triumvirate, even quadrumvirate, no part "secondary at best" to another, except in your world. All that follows from what you establish at the outset, your proprietary premise, dies.

apotheon
apotheon

I appreciate your compliments, and hope you continue to find my articles interesting enough to spend the time reading them. "Thought provoking" is exactly the sort of compliment I'd hope to deserve for my articles.

jdclyde
jdclyde

is you get the MS fanboys more than willing to make excuses for MS instead of being honest or ethical enough to DEMAND MS be held to a higher standard. Too many have an emotional attachment to their OS instead of just remembering it is just a tool to use the REAL tools, the applications.

apotheon
apotheon

You're acting like massive, government-entangled and -regulated corporations are part of a "free" market. They aren't. They're legal fictions created as a way to manipulate market forces, thus adding a strong element of (mis)management to the economy. Maximizing security AND profits means you're going to have to provide customers with at least better than average security; otherwise, your customers are going to bail and take your profits away. That'd be the case in a free market. A free market is not what we have in the US, so that's not necessarily the case. In example 1, you're giving law enforcement carte blanche to go on a never ending search for irregularities. That's a surefire way to kill corporate profits via lawsuits, because anyone can find irregularities that are of questionable justification in court. Are you saying that, in question A, my answer 1 is the wrong answer and answer 2 is the right answer? I'm confused. What do you mean exactly? Example 2 is a false dilemma. It's not a dilemma at all. It's 1. an ideal and 2. a very real example with which we are probably all familiar. I remember software built in the 70s and 80s that was developed under option 1, that worked wonderfully, but the company died anyway, ostensibly due to overhead costs; which would support your arguement. It only supports my argument in that the public corporate model has created a market in which good software as a commercial enterprise is difficult to sustain. Eliminate the business realities of the public corporation and you'd eliminate the obstacles to paying ethical attention to security that keep quality software from being as profitable as crap software. However, I've also seen major products take a massive hit because customers were so pissed off over option 2 that they bailed to a competitor's product. That's what happens in a market correction, which -- while rare in the current system -- is still possible, and (in large part because of its artificial rarity) can be quite devastating. It's the same kind of effect we're seeing in the wake of the housing bubble's burst: a massive, painful market correction that could have been avoided or at least minimized by simply not screwing with natural market equilibrium in the first place. The ethical stance to satisfy both parties is to work a compromise between the two, and keep both groups fully informed as to what and why you are doing that. When you compromise with evil, evil wins. Choose software produced under a development model whose motivating forces are roughly aligned with your own needs, and you're far more likely to get good software. Choose software that is produced by a public corporation, though, and you play with fire. It's Russian Roulette, and if you play Russian Roulette long enough you will eventually lose. Finally, example 3. Why does Microsoft immediately jump to mind? Probably because they exclusively adhere to the second option. I'm surprised you didn't say the same thing about question B, actually. The problem with that is that every time the truth gets out, and it always will, it engenders more dissatisfaction with the company for having the vulnerability in the first place, and for lies of ommission to their customer base in the second place. The end result is an over all net loss; hardly ethical to either the shareholders or to the customers. Corporate responsibility, as essentially defined by law, is focused on the short-term -- because the shareholders are focused on the short-term. It's kind of inevitable that the shareholders will be focused on the short-term, too, thanks to the way stock markets work. When your organization becomes a publicly traded corporation, many facets of long-term business strategy are screwed.

apotheon
apotheon

I'm going to try a "new" approach to responding to your poppycock, santeewelding. I'm going to treat it as though it's someone's attempt at reasoned discourse, even though it bears almost no relation to reasoned discourse. Colossal Scarecrow, Chad Filled with straw, to make use of your favored device. I'm going to assume you're claiming that I'm employing a straw man fallacy (though I don't know why you couldn't just come out and say it like a normal human being). That being the case, please identify for me whose position I'm misrepresenting to produce a straw man fallacy, since the misrepresentation of some party's position is a necessary component of a straw man fallacy. Corporate responsibility can -- is -- cast also as triumvirate, even quadrumvirate, no part "secondary at best" to another, except in your world. You seem to be claiming that corporate responsibility is in some way a trinity as gestalt, or something to that effect, though you appear notably unwilling to explain that in any way. Okay, whatever. Explain or not -- if you choose to not explain, I guess you'll never make a point. I'm not sure how that turns into refuting the idea that anything that stands in the way of the standard "corporate responsibility" being "secondary at best". Perhaps you could support your apparent non-sequitur with some kind of actual argument for a change. All that follows from what you establish at the outset, your proprietary premise, dies. 1. How is it "proprietary"? I've never claimed any exclusive right to the premise of this article, nor even any originality in it. I just spelled it out for the benefit of those who may not have seen things from that particular perspective before. Please explain how that is "proprietary" in any way. 2. How does everything following from that "die"? You make these proclamations as though you've built valid arguments supporting given conclusions, except that you've said nothing that actually relates to that conclusion. Provide some support for your assertion, please.

AnsuGisalas
AnsuGisalas

So how are the groups of three men and groups of four men connected to this? Are they beating up the straw man too? I must say that the corporate responsibility is very much a "pirate's code" and very little else. It even means that corporations are required to spend money greasing politicians to tweak legislation... it's not just an option, it's the only (corporately) responsible thing to do!

santeewelding
santeewelding

Straw-man fallacy: (mis)representation of position, you being responsible for the (mis), unless you are dealing with necessary truth, which is an affront to God, your readers, and maybe to Baptists. "To respond" is both transitive and an intransitive verb. The transitive version requires -- necessarily -- two or more functional components for the ability to respond (responsibility). You name three components: officers ("decision makers"), shareholders, and customers ("users"). Like the three-leg stool, remove one and there is no corporation -- that "legal fiction" I had in mind when I mentioned "quadrumvirate". That fourth part would be law. Remove law, which refers to the rest of us in relation to the corporation, and there is no corporation. Your [i]non sequitur[/i] is my [i]sine qua non[/i]. I said, "part". I did not say, "gestalt", which is you off doing your thing, again, as with, "poppycock". Rather than these parts and their respective imperatives functioning co-equivalently, you put just the one at the top: success of shareholder investment, then proceed linearly and hierarchically down to the death of your proposition. That proposition, proprietary, by the way, on account of your having needed two whole first paragraphs to set it up (tch-tch). How else could it exist. I take back, "scarecrow". It was an abortion.

santeewelding
santeewelding

I put some time and attention into that. I can (always have) therefore fully appreciate the time and attention that you must likewise put into your efforts. Accounts I think for why you, not I, are circumspect. Like I said, damn. I spent time and attention painting and erecting my sign for you that said between the lines: This way, to the valley of the shadow of death. Thank you for your response, as it was. What else could you do?

apotheon
apotheon

Straw-man fallacy: (mis)representation of position, you being responsible for the (mis), unless you are dealing with necessary truth, which is an affront to God, your readers, and maybe to Baptists. Whose position, and which position in particular, do you think I'm misrepresenting here? "To respond" is both transitive and an intransitive verb. The transitive version requires -- necessarily -- two or more functional components for the ability to respond (responsibility). In this case, the two parties would be the officers/agents of the corporation and its shareholders, for most purposes. You name three components: officers ("decision makers"), shareholders, and customers ("users"). Okay, now that makes more sense. Was that so hard? Like the three-leg stool, remove one and there is no corporation -- that "legal fiction" I had in mind when I mentioned "quadrumvirate". That fourth part would be law. Remove law, which refers to the rest of us in relation to the corporation, and there is no corporation. That makes perfect sense, and I agree. It's easy to agree when you say something well-reasoned, rather than keeping the reasoning to yourself and making vague pronouncements that, without any kind of contextual clarity, mean nothing to anyone who isn't basically living inside your head. Your non sequitur is my sine qua non. Well . . . it certainly seems sometimes like spouting non-sequiturs is your sine qua non. I don't think that's what you meant, in this case. Of course, looking through all this, I still don't see anything that refutes my statement that anything standing in the way of shareholder value is "secondary at best" amongst the corporate officers'/agents' priorities. All you've said up to this point by way of explanation is a bunch of stuff I might have said if the conversation had gone in a slightly different direction, though in different words. I said, "part". I did not say, "gestalt", which is you off doing your thing, again, as with, "poppycock". Cluestick: When you say something that doesn't make much sense as-is, and I try to present an explanation so I can ask if that's what you meant, I have to offer what I think is a paraphrase of what you said. As you should be aware, a paraphrase will, by definition, involve using some words you did not. In this case, one of them is "gestalt". If what you said was not effectively paraphrased by what I said, the correct response would be to say something like "No, I didn't mean that exactly. What I meant was this." That's where you start offering an explanation of what you said. I don't see how saying you never used the word "gestalt" in any way helps improve communication between us. I'm frankly shocked and dismayed that you require an explanation of how conversation works, but given the last several years of you acting like you don't know how to communicate effectively (or don't want to), I guess I shouldn't be surprised. Rather than these parts and their respective imperatives functioning co-equivalently, you put just the one at the top: success of shareholder investment, then proceed linearly and hierarchically down to the death of your proposition. I'm losing you again. Did you say there was some other priority than shareholder investment? I remember you talking about parts of the corporate whole, and insulting me snidely and circumspectly, but I don't recall any other specific priorities being mentioned. Please elaborate on what you've implied here, if I read it right. That proposition, proprietary, by the way, on account of your having needed two whole first paragraphs to set it up (tch-tch). How else could it exist. Are you sure you don't mean some other P-word -- maybe "pedantic"? I wouldn't dispute that. In fact, give the word's roots, I might take a little pride in it. People seem to like my tendency to get into some depth when I'm explaining some strictly technical matter, but for some reason it's not always appreciated quite as much when I'm discoursing about some less clearly defined subject. Go figure. I take back, "scarecrow". It was an abortion. Err . . . okay.

apotheon
apotheon

He actually explained some of what he meant (a minor miracle) in response to me elsewhere in this discussion.

mr_m_sween
mr_m_sween

good sir Santee is simply stating that the different aspects of the corporate model act as table legs supporting the business. Were one leg to fall shorter than the others the table would fail in its purpose. And personally, I dont think 'security ethics' is really what is at question here, rather I'd place it more with quality of product. And in the case where the quality of product is suspect, let the buyer beware.

AnsuGisalas
AnsuGisalas

Tertiary and quaternary I could understand. Ternary too. But for something to be cast as triumvirate ... talk about giving pause. And rewind, play, pause again. I might have to use my workaround for this one.

Editor's Picks