{"id":360,"date":"2009-01-08T20:12:12","date_gmt":"2009-01-09T04:12:12","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=360"},"modified":"2009-01-08T20:17:09","modified_gmt":"2009-01-09T04:17:09","slug":"security-review-security-and-privacy-code-of-ethics","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/08\/security-review-security-and-privacy-code-of-ethics\/","title":{"rendered":"Security Review:  Security and Privacy Code of Ethics"},"content":{"rendered":"<p>The <a href=\"http:\/\/www.cs.washington.edu\/education\/courses\/cse484\/09wi\/administrivia\/ethics.pdf\">Security and Privacy Code of Ethics<\/a> is a contract that every CSE484 student is required to sign, on penalty of a zero grade in the course.  It places restrictions on the manner in which students may use knowledge gained in the course, and on the transfer of such knowledge.  While it appears to be a good faith attempt by the University to prevent their students from engaging in malicious activities, it has several failings, and raises ethical issues.<\/p>\n<p><!--more--><\/p>\n<p><strong>Assets<\/strong><\/p>\n<ul>\n<li>Security knowledge.  This could be used maliciously, which the contract seeks to prevent.<\/li>\n<li>Vulnerable third-party assets.  The contract seeks to protect these from would-be malicious students.<\/li>\n<li>The University&#8217;s reputation and legal liability.  If a student uses knowledge gained in the course in a malicious manner, the contract allows the University to assert that the student&#8217;s actions were performed against its will.<\/li>\n<\/ul>\n<p><strong>Adversaries \/ Threats<\/strong><\/p>\n<ul>\n<li>Students, who might use their security knowledge for evil.  The University recognizes that such knowledge can be dangerous, and seeks to prevent it from being used in damaging ways.<\/li>\n<li>From the student&#8217;s perspective, the University could be seen as an adversary.  The contract attempts to limit use of student knowledge, and therefore student freedom.  It is in the student&#8217;s best interest to maximize their freedom.<\/li>\n<\/ul>\n<p><strong>Potential Weaknesses \/ Defenses<\/strong><\/p>\n<ul>\n<li>Enforceability.  The document, in its current form, is likely neither legally nor practically enforceable.  This allows a nefarious student to sign, and then act in violation of the contract, with no repercussions.  This might be solved with a &#8220;proper&#8221; contract with specific, enforceable penalties for violations (e.g. expulsion, or revocation of degree).<\/li>\n<li>There exists a sort of race condition, which a student can exploit within the first week of the course.  The contract&#8217;s wording only governs actions after it is signed, allowing a nefarious student to act against the guidelines set in the contract prior to signing it.  This could be solved by ensuring that all students have signed the contract prior to the beginning of the first lecture.<\/li>\n<li>Transfer of security knowledge is unauthenticated.  A student who does not sign the contract (either through non-enrollment, or by intentionally taking a zero in the course) is still free to attend lectures.  This could be solved by checking student identification at the door, allowing only those who have signed the contract into the classroom.<\/li>\n<li>Denial of service.  The terms of the contract are viral &#8211; that is, in order to share security knowledge, students must ensure that the receiving party has also agreed to the terms of the contract.  One can imagine a situation where a student goes on to become a security researcher, but is required to ensure that anybody she interacts with in a meaningful capacity has agreed to the terms of the contract.  Some of these people might find such a request unreasonable, and refuse to agree, hindering the student&#8217;s career success.<\/li>\n<\/ul>\n<p><strong>Risk Evaluation<\/strong><br \/>\nFrom the University&#8217;s perspective, the risk associated with a student violating the contract is small, as the contract seems to protect their reputation and legal liability.  There is, however, a larger risk in the case of a student who uses knowledge gained in the course to attack the University itself.<\/p>\n<p>From the student&#8217;s perspective, the risk associated with signing the contract is large, if the student plans to continue their endeavors in the field of security, as its viral nature hinders their future interactions within the security community.  This risk could most likely be addressed by removing or replacing the clause that makes the contract&#8217;s terms viral.<\/p>\n<p><strong>Conclusion<\/strong><br \/>\nIn the end, the contract only appears to completely protect one of the three assets under consideration:  the University&#8217;s reputation and legal liability.  This might actually be acceptable, as there exist enforceable laws that protect the other two.  At the same time, the contract presents some risk to honest students.  Somewhat ironically, the Security and Privacy Code of Ethics raises an ethical issue:  is it ethical for the University to force the student into such risk?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Security and Privacy Code of Ethics is a contract that every CSE484 student is required to sign, on penalty of a zero grade in the course. It places restrictions on the manner in which students may use knowledge gained &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/08\/security-review-security-and-privacy-code-of-ethics\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":70,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,8,5],"tags":[],"class_list":["post-360","post","type-post","status-publish","format-standard","hentry","category-ethics","category-policy","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/70"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=360"}],"version-history":[{"count":10,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/360\/revisions"}],"predecessor-version":[{"id":1316,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/360\/revisions\/1316"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}