Ethical Obligations in Internet Operations - Survey Results

Ethical Obligations in Internet Operations - Survey Results

October 12th, 2015

A few weeks ago, I started a survey on "Ethical Obligations in Internet Operations" in preparation for my talk with the same title at Velocity NY 2015. Here are the results:

---

This survey was sent around the Twitterverse, the USENIX LISA, LOPSA, and NANOG mailing lists, as well as shared with colleagues and friends. The above distribution of job functions necessarily reflects the communities targeted.

Of course this survey is thus not free of biases and pre-selections: asking members of various professional organizations about their stance on guidelines within professional organizations necessarily misses the vast majority of Internet Operations practitioners who have never heard of any of these.

---

Not surprisingly, many of the people responding to this survey were -- or at least see themselves as -- "senior" level. I probably could have left this question out altogether; I had hoped to see if seniority and membership in professional organizations relate, but there really was no meaningful correlation, at least not within the small pool of respondents.

---

There was a surprising variety of responses in the "Other" category (Education, Biotech, Adtech, Finance, ...), which is great. I probably would have liked to have gotten more respondents from the government sector, but the distribution of the survey was likely not ideal for reaching those communities.

---

No surprises here: as anticipated, the majority of people working in Internet Operations are not members of any professional organization.

Note: except for combinations with "no", multiple answers were possible here. "Other" options included: (ISC)2, ISACA, itSMF, NANOG. Members of one professional organization were frequently also members of others (Usenix, LISA, LOPSA; ACM, IEEE), which also seemed unsurprising.

---

The majority of respondents either believed there is no Code of Ethics for their profession, or if there was, they didn't know. The largest response bracket stated that their profession isn't well defined, which should likely be grouped with the negative responses.

I think it's again worth considering the small sample of respondents to the survey as well as their background: despite being directed towards organizations, the responses suggest that participants in the community do not identify, share, or are aware of a common Code of Ethics.

---

If your profession does have a Code of Ethics, please add a link.

---

What ethical obligations do you believe people working in Internet Operations have?

The following is a selection of the responses I've received. I am not publishing all answers as many are overlapping, some are overly broad, and others may (partially) identify individuals who have responded.

"Respecting privacy of customers and their data..."

"Respect the agency of the end user. Don't lie about or conceal what you're going to do with their data."

"I believe that internet operators are obligated to support US Constitutional principles of free speech."

"Honestly, none to very little."

"We have an obligation to maintain the aspects of the Internet that have made it so powerful - basically the Mozilla manifesto."

"Engineering should benefit society as a whole."

"Don't be an asshole."

"Privacy, Security, Trust. Defend the users and the business."

"Be conservative in what you send, and liberal in what you accept."

"We have an obligation that's higher than merely following the dictates of our company; an ethical obligation to the public."

"To protect the experience of using the Internet for the end-user. That means protecting the medium itself, both in the short term of protecting the network-at-large, and in the longer term of planning and lobbying for things (projects, protocols, companies, ...) that will make it better and fighting things that will make it worse."

"Keeping the internet running. Good citizenship/civility towards other entities on the net."

"None."

"None. They do what they are told. Or moved to other project or fired."

---

Given the capibilities and responsibilities people operating in Internet Operations have, it is not surprising that the majority of respondents have faced an ethical dilemma in their career.

Expand on your previous answer, if you like.

The following are, again, only some of the answers I've received. Here, more than in the previous answer, details provided might conceivably (partially) identify respondents. As you will see, the responses run the gamut from the expected, minor conflicts to severe moral issues.

(Note: the order of responses here does not correlate in any way with the order of responses above.)

"In an educational environment ( university level ) I have teaching staff often asking - or demanding - access to students home directories."

"Managers have asked me to spy on employees."

"Snooping on specific employee's e-mail."

"I've been buiding Skynet for Big Brother since the early 1990's [...]"

"DNS NXDOMAIN hijacking."

"Consulted into gambling companies. Had one occasion were a user obviously had a gambling problem and had hit a bug stopping him. Priority was to fix the bug."

"Faculty member child porn collection."

"have been asked to lie to my direct reports (and candidates) about the future of the company"

"have been told to not report various outages/loss of data situations to customers"

"I say no only because such matters tend to be above my current pay grade."

"I have worked in a government agency where, on occasion, reported code of ethics violations were not acted on due to what I'd term political considerations."

"This is a daily thing."

---

Most people do have a line they are not willing to cross. The more interesting answers are those where people accept legality as a sufficient (not merely necessary) justification for any tasks asked of them. Another interesting aspect is that almost 30% of people appear to accept a "the ends justify the means" morality. Of course it's difficult to judge people's rationale based on these questions, and I believe the question itself could have been phrased differently.

---

Expand on your previous answer, if you like.

Select answers, as above:

"Providing user data to law enforcement without clear legal authority or user notification"

"I would not work on projects / software that would be used in warfare, harm people or organisations."

"Ethics is a large area; I currently support systems for a foreign government, and for companiesy that make (among other things) military hardware."

"It all depends on context. For example, I would support 24/7 all inclusive, no consent, no privacy monitoring for convicted, violent prisoners but I would refuse to support the same monitoring for infatuation/jealousy reasons."

"Installing intrusive taps into a customer's network without customer knowledge or court orders."

"I find it impossible to reject specific tasks. I can advocate against undertaking a particular project or tactic that I find unethical, but in the past the only leverage I had is leaving the company."

"It specifically does not depend on the end goal; the means are ethical or not based on their reasonably predictable consequences."

"Destroying stuff that is obviously evidence."

"Not to say that ends justify means, but sometimes ethics fail to keep up with the technology, and you have to work within the available parameters."

---

I suspect that this question did not turn out to be very useful, as it overlaps significantly with the previous. As before, we see that respondents have specific thresholds or ideas of jobs they consider unethical and are unwilling to perform.

---

Expand on your previous answer, if you like.

There was a large number of references to government agencies, tobacco, porn, and weapons development. This is not surprising, but I believe it also reflect a lack of consideration for more gray-area sort of positions.

Select answers, as above:

"I have turned down job offers at betting and gambling sites on ethical grounds. And at large banks."

"Cigarettes or guns producer, per example."

"would not work for a US company, way to many active three letter agencies"

"Working for the intelligence services."

"Weapons development"

"I have turned down a lucrative job for an online porn company."

"Advertising."

"The only situation I've run across is a friend who used to write drone software for a defense contractor but refused to work weapons or projects that directly caused loss of life."

"I have been offered very attractive positions in the defense research sector that I couldn't bring myself to accept."

"Exploit sales"

---

I found it interesting that the majority of responses suggest that companies do, in fact, present ethical values byeond their immediate mission as important to their self-perception. This does mirror the "we make the world a better place" trope, regardless of whether or not the companies or their employees actually follow through on these 'core values' when they conflict with immediate business objectives.

---

I think this question and the replies are really interesting: companies present certain values (explicitly or implicitly, see above), and most people who responded have experienced ethical dilemmas, but at the same time, questions about personal ethical beliefs are rarely, if ever, asked. At the same time, though, we do not assume they overlap with ours.

I suspect that people choosing "It's inappropriate..." feel that this goes too close to people's religion, which often plays a role in how ethical beliefs are formed. I wonder if a question around one's ethical beliefs as they may relate to the company's business and (presented) values should be made more of a standard aspect of interviewing.

---

Even though most respondents are not a member of a professional organization or do not know whether or not a Code of Ethics exists, they do seem to favor the idea of having one. Not surprisingly, a large number also believes that there cannot be a meaningful Code of Ethics in this ill-defined profession.

---

Multiple answers could be selected. I feel that this question did not provide any useful results, especially since this survey does not include any proposed Code of Ethics. The devil's in the details, so well-thought out answers could not be provided here.

---

Any comments? What questions should I have asked (instead/in addition)?

Sample responses below:

"i think codes of ethics are a complete joke."

"Seems like waste of time. How do you deal with this basic theme? People with ethics don't so much need a code and people without ethics won't so much bother to look at one."

"One code of ethics doesn't do it."

" The idea of licensure to practice my profession, an additional barrier to entry in a specialization which is already IMPOSSIBLE IMPOSSIBLE IMPOSSIBLE to hire for, is a total non-starter."

"University engineering programs do an awful job at teaching ethics to students on a technical path."

"Should there be a "license to practice this profession"? There are many operational concerns here, not the least of which could be how this is handled internationally."

"Don't forget that "The Internet" is usually operating at a global level, but different countries and regions not only have their own governments but also have different cultures, which frequently define "Ethics" differently."

"Randall Schwartz comes to mind...."

---

Well, those are the results. I believe this survey could have been done better, questions expanded or made more precise. However, I also wanted to avoid leading too much with the questions I pose, and keep the survey short enough for people to quickly fill out.

Either way, I found the responses highly interesting, and feel that there is significant interest in this topic across the profession. That alone was very motivating, and I again thank everybody who filled out the survey.

I will add a link here to the slides of my talk after Velocity NY is done, and I will continue to keep the topic of Ethics in Internet Operations on my mind. If you're interested in sharing your thoughts or otherwise engaging in a discussion around this, please don't hesitate to contact me: @jschauma | [email protected]

October 12th, 2015

---

Related: