Computer Security and Human Values Interact
Keith W. Miller
Dept. of Computer Science
University of Illinois at Springfield
Springfield, IL 62794
Abstract – Computer security is technically challenging; it
is also an area with ethical, legal, and sociological
implications. When we teach computer security (as well as
other technical content), we should provoke students to
think about the human values involved in making technical
decisions. This paper develops teaching ideas for two issues
in computer security: WWW cookies and public access to
government databases.
INTRODUCTION
As computing saturates our lives, computer security has
become a core concern. The economic, strategic, and
political consequences of security breaches are widely
discussed. A less explored issue is the interaction of
computer security and human values. In this paper we
discuss this interaction, and examine how it can be
presented in an engineering classroom.
Technical decisions influence human lives; human
values influence technical decisions. The fundamental
organization of digital communications reflects both of
these principals. As computer security concerns are
discussed, and as these concerns motivate new policies and
technologies, it is important that we, as computer
professionals, as well as our students, consider the potential
impact on people and what they hold dear. Privacy,
convenience, cost, community, freedom of expression, and
economic factors are only a few of the facets that must be
considered both by our students and by all computer
professionals.
In this paper we examine two computer security issues
in some detail: security concerns about Web "cookies," and
the security of government databases. We will examine
each of these issues from three perspectives: using a
consequentialist criterion: the greatest good for the greatest
number; using a deontological criterion: fulfill the most
important duties; and using a Rawlsian negotiation: arguing
for a just solution, regardless of social position of the
stakeholders. [1]
The presentation of these topics includes examples of
how engineering students can participate in an examination
of the issues. It is convenient to use the Web for
distributing reading materials and encouraging students to
find new sources on the topics. An electronic bulletin board
facilitates discussions among students, faculty, and outside
experts. Valuable (and relatively scarce) classroom time can
be used almost exclusively on group oriented activities.
The author has used case studies in different courses,
some exclusively for computer science majors, others for
more general audiences. Both graduate and undergraduate
students were involved in these classes. The two case
studies presented in this paper were used in a class that
included graduates and undergraduates from many different
majors, some of them computer science.
Although the author is not aware of any formal survey
of teaching methods in computer security ethics, textbooks
on computer ethics often include case studies. (For example,
see [2] and [3].) There are collections of fictional computer
ethics cases (such as [4]) and non-fictional cases (such as
[5]). In addition to these print sources, there are many case
studies available on-line; for an example of engineering
ethics cases, see [6].
For a scholarly discussion of the strengths and
weaknesses of case studies in teaching applied ethics, see
[7]. It is the author’s experience, supported by discussions
with other teachers of computer ethics, that the case study
method is useful in illustrating how ethical theory applies to
questions involving technology. Case studies seem to
engage students in a way that lectures do not. Students
mention class discussions about cases as their favorite part
of the course.
WEB COOKIES CASE
The World Wide Web delivers information from diverse
sources in a medium accessible to people who do not have a
great deal of technical expertise. The point and click
interface and the availability of search engines has made
reading the Web easy for most. Furthermore, making Web
pages is simple enough for school-children (with a little
help from a systems administrator) to share information
electronically with the world.
A Web browser provides reading access to the Web. A
browser is an applications package that executes Web
pages and allows options for users to set colors, send mail,
transfer files, play movies, and more. A browser engages in
a dialog with the server that owns the Web page being
accessed, and this dialog results in what the user perceives.
In the rest of this paper, we'll discuss Web readers
(accessing Web pages or "sites"), Web writers (who author
Web pages and make them available via a server), and
browser developers (who write the applications obtained by
readers to access the Web).
When a browser reads Web pages, it must also write
information to the reader's memory (both ram and
secondary). This writing is essentially invisible to a naive
user, but the technology is well known among computer
professionals. As the browser executes the commands of the
remote Web page, via the remote server, security questions
about the user's machine arise. Might the browser do
something to the reader's machine that the reader doesn't
want? Unwanted actions could be malicious (e.g., planting
a virus) or accidental (e.g., accidentally overwriting one of
the reader's data files). As Web pages become more and
more elaborate, they require more resources of the reader's
machine. Attempts to restrict the browser's access to
machine resources (as a security measure) conflict with the
desire to enhance the browser's capabilities.
The technical issues of Web browser security are
intertwined with human values. Users want their browsers
to be efficient and secure; but they also want them to be
inexpensive and fully-featured. Legitimate Web page
authors want to create with a full palette of effects, and
therefore want the use of reader machine resources; they
also want their Web source documents to be easy to
produce, store, and transmit from their server. These
competing concerns require tradeoffs.
In this paper we will not dwell on technical and
economic issues of Web browser design and
implementation. Instead, we discuss some broad
considerations that will be involved in any discussion of
how competing interests can be reasonably argued. We
identify three major stakeholders in these arguments: Web
authors, Web readers, and browser authors. These groups
overlap (are there any Web authors that aren't Web
readers?), but this naming identifies distinct interests in our
discussion. To illustrate how this grouping can facilitate
discussions about browser security, consider the question of
"cookies."
WEB COOKIES
Web cookies are encoded information that go from an
accessed Web page, through the browser, to the hard drive
of the reader's machine. Each cookie has a limited size, and
the browser mediates the reading and writing of these
cookies by accessed Web sites. Cookies need not be
comprehensible to the human reader. Cookies were
designed to let accessed Web sites store information about a
reader for use in subsequent visits to that site. [8]
The two popular browsers store cookies without
notification to the reader unless the reader specifically
requests notification (and permission). Thus, naive readers
will get cookies and not know it. Cookies were used
routinely by developers before their use was known
generally.
In the next three sections, we describe three approaches
to thinking about cookies. The first section talks about
maximizing the common good, the second discusses duties,
and the third describes a solution that might be a
compromise between the parties.
THE GOODNESS OF COOKIES
Cookies are a Web innovation that lets servers (under the
direction of Web writers) store information about readers on
the reader’s hard drive. This allows writers to tailor their
presentations to individual readers. Browsers enable the
storing and retrieving of the cookies for the servers. When
readers get services they desire because of cookies, and
writers get information they want about readers, mutual
good occurs. The browser developers reap good will from
both readers and writers.
There are costs and vulnerabilities introduced by
cookies: cookies require machine resources of readers, extra
development costs for Web writers and browser developers.
Since the cookies record information about Web sites a
reader visits, there could be privacy concerns for readers.
Finally, the default design of the browsers require that
cookies be either automatically accepted or individually
examined, which requires inconvenience to reject them at
all. (There may be advanced methods for blocking cookies
automatically, but this is not offered as a menu option in
current browsers. [9]
Web writers have the option to use or not use cookies,
and can make individual judgments about the costs and
benefits to their enterprise. Many readers do not know
about cookies at all, or they don’t realize there any options
concerning them. Once faced with the decision to accept or
individually examine each cookie offered, they can make
choices based on their weighing of the concerns of privacy,
convenience, and machine resources. The most responsible
moral agents are the browser producers. Acting as the
interface between readers and writers, the browser
developers gave explicit information to developers, but
chose not to emphasize reader choices. (For example, you
can't check off a box that says "Always reject cookies," and
the default is to silently accept them.) The goodness of
cookies is in benefits of their functionality; but their biggest
cost may be due to how they have been presented (or NOT
presented) to Web readers.
DUTIES OF THE COOKIE BAKERS
Browser developers have two sets of customers: Web
readers who obtain information from the browser, and Web
writers who obtain readers for their information. For the
benefit of both sets of customers the browser developers
should produce software that is reliable, efficient,
convenient, and well documented. Together, the developers
and writers should maintain the integrity of machines that
download Web pages, and should respect the privacy of
Web readers.
In so far as cookies are restricted to well defined local
files, the integrity of the reader machines is not violated
(unless too many cookies fill up a disk). The fundamental
idea of cookies does introduce privacy concerns. Since
machine resources and privacy are both issues some (if not
most) readers care about, it would seem reasonable to give
readers an informed choice about whether or not to have
cookies put onto their machines.
A CONFERENCE ABOUT COOKIES
Imagine a meeting of a Web reader, a Web writer, and a
browser developer. These representatives are meeting to
decide about Web cookies. Imagine this meeting takes
place before cookies are introduced into any browsers.
Using the same arguments in the previous sections,
writers and browser developers want to use cookies to
enhance the capabilities of Web sites and to facilitate the
collection of information about how individuals use the
browser and sites.
The reader acknowledges that some sites (the reader's
favorites) could give improved service with a system of
cookies. But the reader insists that browsers give three
options during the installation of the browser: accept all
cookies without interaction, reject all cookies without
interaction, and ask for permission each time a cookie is
"offered." These choices should be available on the
configuration menu as well. The default option should be to
ask, since this option will demonstrate the extent to which
cookies are used, and will help readers make an informed
choice. The configuration menu should also include
information about the bytes allotted to each cookie and the
maximum number of cookies that the browser can store at
any time. It is possible these desires could be met by
browser developers without doing undue harm to writers or
the developers.
CLASSROOM ACTIVITIES ABOUT COOKIES
The discussions above are examples of how someone might
think through the issue of Web cookies. Here are three to
encourage student participation.
1. Role play the conference described above. The
instructor should recruit advocates from the class.
Someone who thinks cookies are harmless should play
the browser developer; someone who dislikes cookies
should play the reader; someone who likes cookies
should play the writer. After each of these players has
established a position, ask them to keep their bias (for,
against, or neutral) and switch roles, continuing the
discussion. Alternatively, ask them to keep the same
role but switch positions. (For example, a Web writer
might say "I don't want the bother of cookies, but the
competition is using them so I have to; ban the cookies
and simplify my development costs.")
2. Have students research the history of Web cookies.
Then trace the motivations they can discern for each
decision in that process. For example, why are they
called cookies? Who had the idea first? What
percentage of Web sites now offer cookies? Is there a
pattern of which sites offer cookies and which don't?
Have students share discoveries on a web site. Have the
web site offer the students a cookie.
3. Have students imagine an analogy to cookies in other
types of transactions in their lives. Technological
convenience makes Web cookies a real issue, but if it
were convenient to keep track what you "visited" in a
newspaper, would that be a good idea? How about
when you watch television? What would be analogous
to a cookie when you make a phone call? When you
used an automatic teller machine? Have students
discuss their analogies in small groups, and have each
small group report their favorite to the class.
A SECOND EXAMPLE: GOVERNMENT
DATABASES
In the discussion above we described a distributed group of
shareholders with economic and communication ties to each
other: readers (from all over), writers (from all over), and a
few browser developers. In that situation, information gives
power, especially when some know the information and
some do not. In the next issue we look at a different kind of
power distribution: the U.S. government and individual
citizens.
Consider the information available in IRS databases.
We'll examine four stakeholders interested in the security of
this information: the IRS (and the government of which it is
a part), the citizens as a whole, individual citizens, and
people who want to intrude on this information. Again,
these groups may overlap.
LOSSES AND GAINS IN SECURING IRS
INFORMATION
The IRS must expend money to increase the security of its
records, and this money comes from the citizens. Citizens
(both as a whole and as individuals) will pay higher taxes
and perhaps receive slower service when security
procedures are invoked.
The IRS and its citizens could lose money if IRS
records are tampered with. Intruders lose access if security
measures are effective; the IRS database loses integrity if
they are not. Intruders gain information and power when
they can circumvent security. The government retains
control when security succeeds. Citizens and the IRS gain
when they both share in the benefits of confidential records;
citizens could gain if intrusions uncover dubious IRS
practices that would otherwise go undetected.
WHOSE GREATER GOOD?
We focus on the good of citizens, both individually and
collectively, in this analysis. We assume that the
government in general, and the IRS in particular, should
serve the common good of citizens. The integrity of the IRS
information is important to taxpayers. Individually, a
taxpayer does not want an error (or malicious tampering) to
increase her/his share of the tax burden. Collectively,
taxpayers want fairness and sufficient revenues to maintain
services. Furthermore, the benefit of privacy for sensitive
financial information is enhanced by increased security.
If the IRS is perceived as a threat to citizens, intrusion
could benefit citizens. Uncovering wrong-doing could help
correct problems with the IRS that it might be unwilling to
reveal otherwise. Security that defends a powerful agency
may be abused; defeating that security then becomes a good
that supersedes the potential harms of intrusion.
Weighing the goods and harms of IRS database security
depends heavily on one's belief in the relative benevolence
of the IRS and crackers. Another consideration is how to
compare the costs of increased security on all citizens versus
the protection of perhaps a relatively few citizens who
would be affected by intrusions into the database.
RESPONSIBILITIES OF FINDERS AND KEEPERS
The IRS collects information with the presumption that it
will be kept private, and must make a good faith effort to
protect the information. The IRS is pledged to fairness, and
this requires the integrity of the database. These duties
would seem to supersede any responsibilities to be "user
friendly," if convenience would compromise security. If the
IRS as an organization knows or suspects that the data
include irregularities, it should not hide its deficiencies
behind security precautions, but should make public its
problems without compromising individual citizens'
privacy.
Citizens are expected to obey the law unless overriding
moral concerns compel them to do otherwise, and there are
laws against database intrusion. Crackers who claim the
moral high ground as guardians against governmental
wrongdoing can validate that claim only by demonstrating
their dedication to the common good. Recreational
cracking is not justified by governmental excess. Civil
disobedience includes taking the (presumably unjust)
punishment until justice prevails.
When any government agency treats its citizens as
merely means to its organizational goals, it violates its
reason for existence. When individual citizens disregard
the rights of others, they violate their responsibilities to the
community. The intent of the IRS and the intent of hackers
become important in this analysis.
A VERY IMAGINARY NEGOTIATION
It’s hard to imagine crackers, citizens, and the IRS
negotiating a creative common approach to database
security, but the mental exercise may bear fruit. The least
advantaged in this situation seem to be most citizens, who
are vulnerable to both IRS's organizational power, to the
capricious (and perhaps malicious) whims of crackers, and
the vagaries of data corrupted by neglect. Maximizing
protection for the citizens would suggest increased security
and increased monitoring. Even recreational hackers might
welcome this as a greater challenge. Perhaps all parties
could agree that the IRS submit to periodic outside auditing.
STUDENT EXERCISES ABOUT DATABASE
SECURITY
1. Have students find as much information about
themselves (or the professor) using publicly available
information. Have this information printed out with
annotations about its accuracy.
2. Have students interview a data processing manager
who is responsible for data security, and seek out
specific costs incurred. (One such manager is the
systems manager of the campus Internet system, but
students should be encouraged to go outside the campus
as well.) These interviews can be done via email or
talk. They should ask if the manager can be candid
about any intrusions. If not, see if the policy of non-
disclosure is written. If the manager will tell you about
intrusions, ask about their impact. Enter the costs
gathered by the students into a spreadsheet, and
publicize the results on the class Web page.
3. Discuss your own methods of securing the class's
grades during the semester. Have students comment on
 a Web bulletin board possible methods of storing and 8) Cookies. http://www.cookiecentral.com/cookie.html
distributing grades during the semester. Include paper (March 28, 1997).
methods as well as electronic in the discussions.
9) Magic Cookies in Netscape/Internet Explorer.
4. Organize a debate between you and the rest of the class http://www.cookiecentral.com/magic.htm (March 28,
where you take the position the following position: 1997).
"Privacy is dead. All government information should be
public. Security is accomplished by keeping records off- 10) W. R. Collins and K. Miller. A paramedic method for
line, and having mirrored copies available, read only, computing professionals. Journal of Systems and
on the Internet." During the debate, one student at a Software (January, 1992), 47-84.
time stands at a podium, and you stand on another.
Anyone in the class can replace the student debating
against you until they are replaced. If things go well,
eventually students will decide they need to replace you
and argue your side more skillfully.

CONCLUSIONS

Computer science students, like other engineering students,

enjoy solving problems. The application of theoretical
concepts to challenging situations is commonplace to them.
By examining questions about human values in technical
decisions, and approaching these questions in a logical,
ordered fashion, we can help students grow into responsible
professionals. [10]

REFERENCES

1) D. Johnson and K. Miller. Ethical issues for computer

scientists and engineers. In The Computer Science and
Engineering Handbook, A. Tucker, Ed. CRC Press
(1997), 16-26.

2) D. Johnson. Computer Ethics, 2nd Edition. Prentice Hall

(1994).

3) S. Baase. A Gift of Fire: Social, Legal, and Ethical

Issues in Computing. Prentice Hall (1997).

4) R. Epstein. The Case of the Killer Robot. John Wiley

and Sons (1997).

5) K. Schellenberg, Ed. Computers in Society, 6th Edition.

Dushkin Publishing Group (1996).

6) Engineering Ethics Cases Section of the Ethics Center

for Engineering & Science.
http://www.mit.edu/ethics/www/engcases.html (April
1, 1997).

7) The Hastings Center. The Teaching of Ethics in Higher

Education. The Hastings Center (1980).