
IT Act 2000: Legal Framework for E-Commerce

The Information Technology Act 2000 aims to provide legal recognition for electronic transactions, digital signatures, and facilitate electronic communication in India. It includes provisions for cyber crime, penalties for various offenses, and establishes a framework for digital signatures and electronic records. The Act applies extraterritorially and outlines non-applicability to certain documents, while also addressing ethical considerations in information technology.

Uploaded by

navinjack2008
Copyright
© © All Rights Reserved

Information Technology Act 2000

• While the first draft was created by the
Ministry of Commerce, Government of India
as the ECommerce Act, 1998, it was redrafted
as the ‘Information Technology Bill, 1999’, and
passed in May 2000.
Information Technology Act 2000
• The main objective of the Information
Technology Act 2000 is to provide legal
recognition for transactions carried out by
means of electronic data interchange and
other means of electronic communication,
commonly referred to as E-commerce, which
involve the use of alternatives to paper-based
methods of communication
The primary objectives of the IT Act, 2000 are:

• Granting legal recognition to all transactions done
through electronic data exchange, other means of
electronic communication or e-commerce in place
of the earlier paper-based communication.
• Providing legal recognition to digital signatures for
the authentication of any information or matters
requiring authentication.
• Facilitating the electronic filing of documents with
different Government departments and also
agencies.
• Facilitating the electronic storage of data
• Providing legal sanction and also facilitating the
electronic transfer of funds between banks and
financial institutions.
• Granting legal recognition to bankers for keeping
the books of accounts in an electronic form.
Further, this is granted under the Evidence Act,
1891 and the Reserve Bank of India Act, 1934.
Features of the Information Technology Act, 2000

• All electronic contracts made through secure
electronic channels are legally valid.
• Legal recognition for digital signatures.
• Security measures for electronic records and
also digital signatures are in place
• A procedure for the appointment of
adjudicating officers for holding inquiries
under the Act is finalized
• Provision for establishing a Cyber Regulatory Appellate Tribunal
under the Act. Further, this tribunal will handle all appeals made
against the order of the Controller or Adjudicating Officer.
• An appeal against the order of the Cyber Appellate Tribunal is
possible only in the High Court
• Digital Signatures will use an asymmetric cryptosystem and also
a hash function
• Provision for the appointment of the Controller of Certifying
Authorities (CCA) to license and regulate the working of
Certifying Authorities. The Controller to act as a repository of all
digital signatures.
• The Act applies to offences or contraventions
committed outside India
• Senior police officers and other officers can
enter any public place and search and arrest
without warrant
• Provisions for the constitution of a Cyber
Regulations Advisory Committee to advise the
Central Government and Controller.
Applicability

• According to Section 1 (2), the Act extends to the entire country,
which also includes Jammu and Kashmir. In order to include Jammu
and Kashmir, the Act uses Article 253 of the constitution. Further, it
does not take citizenship into account and provides extra-territorial
jurisdiction.
• Section 1 (2), along with Section 75, specifies that the Act is applicable
to any offence or contravention committed outside India as well. If
the conduct of the person constituting the offence involves a computer or
a computerized system or network located in India, then irrespective
of his/her nationality, the person is punishable under the Act.
• Lack of international cooperation is the only limitation of this
provision.
Non-Applicability

• According to Section 1 (4) of the Information
Technology Act, 2000, the Act is not applicable to
the following documents:
• Execution of Negotiable Instrument under
Negotiable Instruments Act, 1881, except
cheques.
• Execution of a Power of Attorney under the
Powers of Attorney Act, 1882.
• Creation of Trust under the Indian Trust Act, 1882.
• Execution of a Will under the Indian Succession Act,
1925 including any other testamentary disposition
by whatever name called.
• Entering into a contract for the sale or conveyance
of immovable property or any interest in such
property.
• Any such class of documents or transactions as may
be notified by the Central Government in the
Gazette.
Cyber Crime
• Cyber Crime is when an individual
intentionally uses information technology to
produce destructive and harmful effects on
the tangible and/or intangible property of
others.
• Marc M Goodman – A computer crime (cybercrime) is classified
into three categories:
• A crime where a computer is a target
• Crimes where a computer is a tool
• Crimes where a computer is instrumental
• Nandan Kamath – Since the internet is composed of computers,
crimes on the internet are computer crimes. Further, he classifies
computer crime into these three categories:
• A computer is the subject of the crime – stolen or damaged
• A computer is the site of the crime – a fraud or copyright
infringement
• Also, a computer used as the instrument of a crime – illegal access
of other machines or hacking.
• Any illegal action where a computer is a tool
or object of a crime.
• Any incident associated with computers where
a perpetrator intentionally tries to gain
• Computer abuse – any illegal, unethical or
unauthorized behaviour pertaining to the
automatic processing and transmission of
data.
Digital signatures
• Digital signatures mean the authentication of
any electronic record using an electronic
method or procedure in accordance with the
provisions of the Information Technology Act,
2000. Also, a handwritten signature scanned
and digitally attached with a document does
not qualify as a Digital Signature.
• According to the Information Technology Act,
2000, digital signatures mean authentication
of any electronic record by a subscriber by
means of an electronic method or procedure
in accordance with the provisions of section 3.
Further, the IT Act, 2000 deals with digital
signatures under Sections 2, 3, and 15.
• Based on the subject of the crime,
cybercrimes are classified into three broad
groups:
Crimes against individuals –
• Crimes against individuals – These are
committed against individuals or their
properties. Some examples are:
– Email harassment
– Cyber-stalking
– Spreading obscene material
– Unauthorized access or control over the computer
system
Crimes against individuals –
– Indecent exposure
– Spoofing via email
– Fraud and also cheating
– Further, crimes against individual property like
computer vandalism and transmitting a virus. Also,
trespassing online and intellectual property-
related crimes. Further, internet time thefts are
also included
Crimes against organizations –
• Crimes against organizations – Some
examples of cyber crimes against
organizations are:
– Possessing unauthorized information
– Cyber terrorism against a government
organization
– Distributing pirated software
Crimes against society –
• Crimes against society – Some examples of crimes
against society are:
– Polluting the youth through indecent exposure
– Trafficking
– Financial crimes
– Selling illegal articles
– Online Gambling
– Forgery
Important provisions under the IT Act, 2000 for cyber crimes.

• A penalty for damage to a computer, computer system,
etc. – Section 43
• Tampering with the computer’s source code documents
– Section 65
• Hacking of a Computer System – Section 66
• Publishing obscene information in an electronic form –
Section 67
• Publication with the intention of fraud – Section 74
• Failure to furnish information, returns, etc. – Section 44
• Residuary Penalty – Section 45
• Misrepresentation – Section 71
• Breach of confidentiality and privacy – Section 72
• Publishing a Digital Certificate with incorrect
details – Section 73
• Publication with a fraudulent purpose – Section 74
• Company Offences – Section 85
Types of Computer Crimes
• Identity theft
• Identity theft occurs when a cyber-criminal impersonates someone
else to commit malpractice. This is usually done by
accessing the personal details of someone else. The details used in such
crimes include social security numbers, dates of birth, credit and
debit card numbers, passport numbers, etc.
• Once the information has been acquired by the cyber-criminal, it can
be used to make purchases online while pretending to be
someone else. One of the ways that cyber-criminals obtain
such personal details is phishing. Phishing involves creating fake
websites or emails that look like those of legitimate businesses.
• Copyright infringement
• Piracy is one of the biggest problems with digital products.
Websites such as the pirate bay are used to distribute
copyrighted materials such as audio, video, software, etc.
Copyright infringement refers to the unauthorized use of
copyrighted materials.
• Fast internet access and reducing costs of storage have also
contributed to the growth of copyright infringement crimes.
• Click fraud
• Advertising companies such as Google
AdSense offer pay-per-click advertising
services. Click fraud occurs when a person
clicks such a link with no intention of learning
more about what is advertised, but only to make more
money. This can also be accomplished by using
automated software that makes the clicks.
• Advance Fee Fraud
• An email is sent to the target victim that promises them a lot
of money in return for helping the sender claim inheritance
money.
• In such cases, the criminal usually pretends to be a close
relative of a very rich well-known person who died. He/she
claims to have inherited the wealth of the late rich person and
needs help to claim the inheritance. He/she will ask for
financial assistance and promise to reward later. If the victim
sends the money to the scammer, the scammer vanishes and
the victim loses the money.
• Hacking
• Hacking is used to bypass security controls to gain unauthorized access
to a system. Once the attacker has gained access to the system, they
can do whatever they want. Some of the common activities carried out when a
system is hacked are:
• Installing programs that allow the attackers to spy on the user or control
their system remotely
• Defacing websites
• Stealing sensitive information. This can be done using techniques such as
SQL injection, exploiting vulnerabilities in the database software to
gain access, social engineering techniques that trick users into
submitting IDs and passwords, etc.
• Computer virus
• Viruses are unauthorized programs that can annoy users, steal sensitive
data or be used to control equipment that is controlled by computers.
• Ethics refers to the principles of right and
wrong that individuals, acting as free moral
agents, use to make choices to guide their
behaviors.
• Information ethics has been defined as "the
branch of ethics that focuses on the relationship
between the creation, organization,
dissemination, and use of information, and the
ethical standards and moral codes governing
human conduct in society".
ETHICS IN AN INFORMATION SOCIETY

Basic Concepts: Responsibility, Accountability, and Liability


• Responsibility: Accepting the potential costs, duties, and
obligations for decisions
• Accountability: Mechanisms for identifying responsible
parties
• Liability: Permits individuals (and firms) to recover
damages done to them
• Due process: Laws are well known and understood, with
an ability to appeal to higher authorities
• Information systems raise new ethical questions for
both individuals and societies because they create
opportunities for intense social change, and thus
threaten existing distributions of power, money,
rights, and obligations.
• Like other technologies, such as steam engines,
electricity, the telephone, and the radio,
information technology can be used to achieve
social progress, but it can also be used to commit
crimes and threaten cherished social values.
What Ethics can be Followed in IT?

• Never Piracy Online…
• Follow Up the Social Reputation…
• Never Harm the Public Websites…
• Closure of Digital Hacking…
• Certify Websites Who Deal with Payments…
• Never Do Fraudulent Activities…
• Never Give Misguided Information…
• Never Steal Information online for
Reproduction…
• Never Create a False Evidence Using IT…
• Utilizing the IT in a Manner to Get Benefits
Only…
• Digital Signature
• A digital signature is a mathematical technique which validates
the authenticity and integrity of a message, software or digital
documents. It allows us to verify the author name, date and
time of signatures, and authenticate the message contents.
The digital signature offers far more inherent security and is
intended to solve the problem of tampering and impersonation
(intentionally copying another person's characteristics) in digital
communications.
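The combination of an asymmetric cryptosystem and a hash function described in these slides, as an added Go example (not part of the original slides): the record is hashed with SHA-256 and the hash is signed with an ECDSA P-256 private key, so verification fails for an altered record, for a signature made with another person's key, and for a scanned signature image. The choice of ECDSA and SHA-256, the function names and the sample record are assumptions; the slides name no algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is an electronic record together with the signature over its hash.
type SignedRecord struct {
	Record    []byte
	Signature []byte // ASN.1 DER-encoded ECDSA signature
}

// Results records which of the four verification attempts succeeded.
type Results struct {
	Genuine      bool // untouched record, subscriber's own key
	Tampered     bool // record altered after signing
	WrongSigner  bool // signed by someone else, checked against the subscriber's key
	ScannedImage bool // image bytes attached in place of a signature
}

// NewKeyPair creates a subscriber's private/public key pair (P-256 is an assumption).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRecord hashes the record and signs the hash with the private key.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) (SignedRecord, error) {
	digest := sha256.Sum256(record)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: append([]byte(nil), record...), Signature: sig}, nil
}

// VerifyRecord recomputes the hash and checks the signature with the public key.
func VerifyRecord(pub *ecdsa.PublicKey, sr SignedRecord) bool {
	digest := sha256.Sum256(sr.Record)
	return ecdsa.VerifyASN1(pub, digest[:], sr.Signature)
}

// RunChecks signs one constructed record and tries four verifications.
func RunChecks() (Results, error) {
	var r Results
	subscriber, err := NewKeyPair()
	if err != nil {
		return r, err
	}
	other, err := NewKeyPair()
	if err != nil {
		return r, err
	}
	record := []byte("Pay INR 10,000 to account 1234 (constructed sample record)")
	signed, err := SignRecord(subscriber, record)
	if err != nil {
		return r, err
	}
	r.Genuine = VerifyRecord(&subscriber.PublicKey, signed)

	// Integrity: any change to the record changes its hash.
	altered := SignedRecord{
		Record:    []byte("Pay INR 90,000 to account 1234 (constructed sample record)"),
		Signature: signed.Signature,
	}
	r.Tampered = VerifyRecord(&subscriber.PublicKey, altered)

	// Authenticity: only the subscriber's private key matches the subscriber's public key.
	bySomeoneElse, err := SignRecord(other, record)
	if err != nil {
		return r, err
	}
	r.WrongSigner = VerifyRecord(&subscriber.PublicKey, bySomeoneElse)

	// A scanned handwritten signature is just image data, not a signature over the hash.
	scanned := SignedRecord{Record: record, Signature: []byte("\x89PNG constructed scan of a handwritten signature")}
	r.ScannedImage = VerifyRecord(&subscriber.PublicKey, scanned)
	return r, nil
}

func main() {
	r, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong-signer=%v scanned-image=%v\n",
		r.Genuine, r.Tampered, r.WrongSigner, r.ScannedImage)
}
```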
• A software audit is an internal or external
review of a software program to check its
quality, progress or adherence to plans,
standards and regulations. Software
audits may be conducted for a number of
reasons, including: Verifying licensing
compliance.
• Why You Need a Software Audit and How to Do It
• Software audits are conducted for the purpose of making sure your business’
software is properly functioning, meeting standard criteria, and legal. If your
company’s software meets standard criteria, this means that it has been verified
that sufficient licenses have been obtained to cover the software that your
business is using. Therefore, there is important information gained by conducting a
software audit. This information can then ultimately make or break your business.
• Why the Audit is Important
• As previously stated, one key reason to perform a software audit is to ensure that
the licenses you have are current. Therefore, you will want to maximize your
current license position and reduce the number of inactive licenses you carry. An
audit will allow you to reduce your licenses under compliance. An audit is also
important because it is a cost-saving method for you to remove software you no
longer use, and it can help you identify which programs you will need to reclaim in
the future.
• How to Perform the Audit
• If you have not conducted a software audit previously, you may want to consult with your IT staff (or an
outside IT company) and explain why you want it performed. There are five steps to follow when you
conduct the audit:
• Determine which applications you want to be audited. Run a report on your current usage with a usage
tool.
• Check the report you’ve created and determine the non-usage software. You then can arrange for the
removal of unused software with the help of an installation team. Document which application you’ve
removed and the machine you’ve taken it from along with the date you performed the removal.
• Determine which users have not used the applications for more than 60 days. Verify whether or not the
application will be needed in the future. If the software isn’t needed, then arrange to have it removed
permanently. Then add any responses you receive to the audit report.
• Determine by the usage report if the correct versions of the applications are being used. Also,
sometimes it may be cheaper to use a smaller version, if only portions of an application are being
utilized.
• Install and run a report from a SCCM tool and establish your updated compliance figures. Determine the
savings you’ve created and present them to your company.
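Steps two, three and five of the audit procedure above, as an added Go example (not from the original slides): it reads a usage report, lists copies that were never used or have been idle for more than 60 days, and compares licences owned with copies in active use. The report layout, machine and application names, licence counts and audit date are constructed assumptions.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed usage report: one row per installed copy.
// An empty last_used field means the copy was never launched.
const usageReport = `machine,user,application,last_used
WS-001,asha,DiagramPro,2024-05-28
WS-002,ravi,DiagramPro,2024-02-10
WS-003,meena,DiagramPro,
WS-004,john,PDFSuite,2024-05-30
WS-005,asha,PDFSuite,2024-03-31
WS-006,ravi,PDFSuite,2024-04-02
`

// Constructed licence counts per application (assumption).
var licencesOwned = map[string]int{"DiagramPro": 3, "PDFSuite": 2}

// The procedure's threshold: no use for more than 60 days.
const staleAfterDays = 60

// AppSummary is the audit result for one application.
type AppSummary struct {
	App             string
	Installs        int
	Active          int
	NeverUsed       []string // machines where the copy was never launched
	Stale           []string // machines idle for more than 60 days
	Owned           int
	ShortfallBefore int // installed copies exceeding licences before clean-up
	SpareAfter      int // licences left over once only active copies remain
}

func nonNegative(n int) int {
	if n < 0 {
		return 0
	}
	return n
}

// Audit classifies every installed copy and computes licence figures per application.
func Audit(report string, owned map[string]int, auditDate time.Time) ([]AppSummary, error) {
	rows, err := csv.NewReader(strings.NewReader(report)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, fmt.Errorf("usage report has no data rows")
	}
	byApp := map[string]*AppSummary{}
	for _, row := range rows[1:] { // skip the header row
		machine, app, lastUsed := row[0], row[2], row[3]
		s, ok := byApp[app]
		if !ok {
			s = &AppSummary{App: app, Owned: owned[app]}
			byApp[app] = s
		}
		s.Installs++
		if lastUsed == "" {
			s.NeverUsed = append(s.NeverUsed, machine)
			continue
		}
		t, err := time.Parse("2006-01-02", lastUsed)
		if err != nil {
			return nil, fmt.Errorf("machine %s: %w", machine, err)
		}
		idleDays := int(auditDate.Sub(t).Hours() / 24)
		if idleDays > staleAfterDays { // exactly 60 days still counts as in use
			s.Stale = append(s.Stale, machine)
		} else {
			s.Active++
		}
	}
	out := make([]AppSummary, 0, len(byApp))
	for _, s := range byApp {
		s.ShortfallBefore = nonNegative(s.Installs - s.Owned)
		s.SpareAfter = nonNegative(s.Owned - s.Active)
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].App < out[j].App })
	return out, nil
}

// SampleAudit runs the audit on the constructed report with a constructed audit date.
func SampleAudit() ([]AppSummary, error) {
	return Audit(usageReport, licencesOwned, time.Date(2024, time.June, 1, 0, 0, 0, 0, time.UTC))
}

func main() {
	apps, err := SampleAudit()
	if err != nil {
		panic(err)
	}
	for _, a := range apps {
		fmt.Printf("%s: installs=%d active=%d never-used=%v stale=%v owned=%d shortfall-before=%d spare-after=%d\n",
			a.App, a.Installs, a.Active, a.NeverUsed, a.Stale, a.Owned, a.ShortfallBefore, a.SpareAfter)
	}
}
```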
Cyber security
• "Cyber security is primarily about people, processes, and technologies working
together to encompass the full range of threat reduction, vulnerability reduction,
deterrence, international engagement, incident response, resiliency, and recovery
policies and activities, including computer network operations, information
assurance, law enforcement, etc."
• Cyber security is the protection of Internet-connected systems, including hardware,
software, and data, from cyber attacks. The term is made up of two words: cyber and
security. Cyber relates to the technology, which comprises systems,
networks, and programs or data, whereas security relates to protection, which
includes systems security, network security, and application and information
security.
• It is the body of technologies, processes, and practices designed to protect
networks, devices, programs, and data from attack, theft, damage, modification or
unauthorized access. It may also be referred to as information technology security.
1. Firewalls
• The firewall is the core of security tools
and one of the most important of them.
Its job is to prevent unauthorized access to or
from a private network. It can be implemented as
hardware, software, or a combination of both.
Firewalls are used to prevent unauthorized internet
users from accessing private networks connected to
the Internet. All messages entering or leaving
the intranet pass through the firewall. The firewall
examines each message and blocks those messages
that do not meet the specified security criteria.
• The firewall is very useful, but it also has
limitations. A skilled hacker knows how to create data and
programs that appear trusted to the firewall, which
means that such a program can pass through the
firewall without any problems. Despite these
limitations, firewalls are still very useful in
protecting our systems against less sophisticated
malicious attacks.
2. Antivirus Software
• Antivirus software is a program designed to
prevent, detect, and remove viruses and other malware
attacks on individual computers, networks, and IT
systems. It also protects our computers and networks
from a variety of threats and viruses such as Trojan
horses, worms, keyloggers, browser hijackers, rootkits,
spyware, botnets, adware, and ransomware.
• Most antivirus programs come with an auto-update
feature that enables the system to check for new viruses
and threats regularly. They provide some additional
services such as scanning emails to ensure that they are
free from malicious attachments and web links.
3. PKI Services
• PKI stands for Public Key Infrastructure. This tool supports
the distribution and identification of public encryption
keys. It enables users and computer systems to securely
exchange data over the internet and verify the identity of
the other party. We can also exchange sensitive
information without PKI, but in that case, there would be
no assurance of the authentication of the other party.
• People associate PKI with SSL or TLS. It is the technology
that encrypts server communication and is
responsible for the HTTPS and padlock that we can see in our
browser address bar. PKI solves a number of cyber
security problems and deserves a place in the organization's
security suite.
• PKI can also be used to:
• Enable Multi-Factor Authentication and access control
• Create compliant, Trusted Digital Signatures.
• Encrypt email communications and authenticate the
sender's identity.
• Digitally sign and protect the code.
• Build identity and trust into IoT ecosystems.
4. Managed Detection and Response Service (MDR)

• Today's cybercriminals and hackers use more advanced
techniques and software to breach organization security. So,
there is a necessity for every business to use more
powerful forms of cyber security defence.
• MDR is an advanced security service that provides threat
hunting, threat intelligence, security monitoring, incident
analysis, and incident response. It is a service that arises from
the need for organizations (that lack resources) to be
more aware of risks and improve their ability to detect and
respond to threats. MDR also uses Artificial Intelligence and
machine learning to investigate, auto-detect threats, and
orchestrate response for faster results.
• The managed detection and response has the following
characteristics:
• Managed detection and response is focused on threat
detection, rather than compliance.
• MDR relies heavily on security event management and
advanced analytics.
• While some automation is used, MDR also involves humans to
monitor our network.
• MDR service providers also perform incident validation and
remote response.
5. Penetration Testing

• Penetration testing, or pen-test, is an important
way to evaluate our business's security systems and the
security of an IT infrastructure by safely trying to
exploit vulnerabilities. These vulnerabilities exist in
operating systems, services and applications,
improper configurations or risky end-user behavior.
In penetration testing, cybersecurity professionals
use the same techniques and processes utilized
by criminal hackers to check for potential threats
and areas of weakness.
• A pen test attempts the kind of attack a business might
face from criminal hackers, such as password cracking,
code injection, and phishing. It involves a simulated real-
world attack on a network or application. These tests can
be performed by using manual or automated
technologies to systematically evaluate servers, web
applications, network devices, endpoints, wireless
networks, mobile devices and other potential points of
vulnerability. Once the pen test has successfully taken
place, the testers will present us with their findings
threats and can help by recommending potential changes
6. Staff Training

• Staff training is not a 'cybersecurity tool', but
ultimately, having knowledgeable employees who
understand cybersecurity is one of the
strongest forms of defence against cyber-attacks.
Today there are many training tools available that can
educate a company's staff about the best
cybersecurity practices. Every business can use
these training tools to educate its employees so that
they understand their role in cybersecurity.
• Because cyber-criminals continue to expand their
techniques and level of sophistication to breach
business security, it has become essential for
organizations to invest in these training tools and
services. Failing to do this can leave the organization
in a position where hackers can easily target its
security system. So, the expense of investing in
these training tools may reward the business
organization with long-term security and protection.
Management

Behavioral Targeting and Your Privacy: You’re the Target

• Problem: Need to efficiently target online ads
• Solutions: Behavioral targeting allows businesses and organizations to more
precisely target desired demographics
• Google monitors user activity on thousands of sites; businesses monitor own
sites to understand customers
• Demonstrates IT’s role in organizing and distributing information
• Illustrates the ethical questions inherent in online information gathering

56 © Prentice Hall 2011



Understanding Ethical and Social Issues Related to Systems

• Recent cases of failed ethical judgment in business
– Lehman Brothers, Minerals Management Service, Pfizer
– In many, information systems used to bury decisions from public
scrutiny
• Ethics
– Principles of right and wrong that individuals, acting as free moral
agents, use to make choices to guide their behaviors


Understanding Ethical and Social Issues Related to Systems

• and ethics
– raise new ethical questions because they
create opportunities for:
• Intense social change, threatening
existing distributions of power, money,
rights, and obligations
• New kinds of crime


Understanding Ethical and Social Issues Related to Systems

• Model for thinking about ethical, social, political
issues:
– Society as a calm pond
– IT as rock dropped in pond, creating ripples of new
situations not covered by old rules
– Social and political institutions cannot respond
overnight to these ripples—it may take years to
develop etiquette, expectations, laws
• Requires understanding of ethics to make choices in
legally gray areas


Understanding Ethical and Social Issues Related to Systems

THE RELATIONSHIP BETWEEN ETHICAL, SOCIAL, AND POLITICAL ISSUES IN AN INFORMATION SOCIETY

The introduction of new information
technology has a ripple effect, raising
new ethical, social, and political issues
that must be dealt with on the
individual, social, and political levels.
These issues have five moral
dimensions: information rights and
obligations, property rights and
obligations, system quality, quality of
life, and accountability and control.


Understanding Ethical and Social Issues Related to Systems

• Five moral dimensions of the
information age
1. Information rights and obligations
2. Property rights and obligations
3. Accountability and control
4. System quality
5. Quality of life


Understanding Ethical and Social Issues Related to Systems

» Key technology trends that raise ethical issues
1. Doubling of computer power
• More organizations depend on computer systems for
critical operations
2. Rapidly declining data storage costs
• Organizations can easily maintain detailed databases on
individuals
3. Networking advances and the Internet
• Copying data from one location to another and
accessing personal data from remote locations is much
easier

Understanding Ethical and Social Issues Related to Systems

• Key technology trends that raise ethical issues (cont.)
4. Advances in data analysis techniques
• Companies can analyze vast quantities of data gathered
on individuals for:
– Profiling
» Combining data from multiple sources to create dossiers
of detailed information on individuals
– Nonobvious relationship awareness (NORA)
» Combining data from multiple sources to find obscure
hidden connections that might help identify criminals or
terrorists


Understanding Ethical and Social Issues Related to Systems

NONOBVIOUS RELATIONSHIP AWARENESS (NORA)

NORA technology can take
information about people from
disparate sources and find
obscure, nonobvious
relationships. It might discover,
for example, that an applicant
for a job at a gold store shares
a telephone number with a
known criminal and issue an
alert to the hiring manager.


Ethics in an Information Society

• Basic concepts for ethical analysis
– Responsibility:
• Accepting the potential costs, duties, and obligations for
decisions
– Accountability:
• Mechanisms for identifying responsible parties
– Liability:
• Permits individuals (and firms) to recover damages done to
them
– Due process:
• Laws are well known and understood, with an ability to
appeal to higher authorities


Ethics in an Information Society

• Ethical analysis: A five-step process
1. Identify and clearly describe the facts
2. Define the conflict or dilemma and identify the
higher-order values involved
3. Identify the stakeholders
4. Identify the options that you can reasonably
take
5. Identify the potential consequences of your
options


Ethics in an Information Society

• Six Candidate Ethical Principles
1. Golden Rule
• Do unto others as you would have them do unto you
2. Immanuel Kant’s Categorical Imperative
• If an action is not right for everyone to take, it is not
right for anyone
3. Descartes’ Rule of Change
• If an action cannot be taken repeatedly, it is not right to
take at all


Ethics in an Information Society

» Six Candidate Ethical Principles (cont.)
4. Utilitarian Principle
• Take the action that achieves the higher or greater
value
5. Risk Aversion Principle
• Take the action that produces the least harm or least
potential cost
6. Ethical “no free lunch” Rule
• Assume that virtually all tangible and intangible objects
are owned by someone unless there is a specific
declaration otherwise

Ethics in an Information Society

• Professional codes of conduct

– Promulgated by associations of professionals
• E.g. IFLA, ARMA, AIIM, ACM
– Promises by professions to regulate themselves in
the general interest of society
• Real-world ethical dilemmas
– One set of interests pitted against another
– E.g. Right of company to maximize productivity of
workers vs. workers’ right to use Internet for short
personal tasks

The Moral Dimensions of

• Privacy:
– Claim of individuals to be left alone, free from
surveillance or interference from other individuals,
organizations, or state. Claim to be able to control
information about yourself


The Moral Dimensions of

• Fair information practices:

– Set of principles governing the collection and use of
information
– Basis of most international and local privacy laws
– Based on mutuality of interest between record holder
and individual
– Restated and extended by FTC in 1998 to provide
guidelines for protecting online privacy
– Used to drive changes in privacy legislation
• COPPA
• Gramm-Leach-Bliley Act
• HIPAA

The Moral Dimensions of

Principles of Information Systems:


1. Notice/awareness (core principle)
2. Choice/consent (core principle)
3. Access/participation
4. Security
5. Enforcement

The Moral Dimensions of

• Internet Challenges to Privacy:


– Cookies
• Tiny files downloaded by Web site to visitor’s hard drive to help
identify visitor’s browser and track visits to site
• Allow Web sites to develop profiles on visitors
– Web beacons/bugs
• Tiny graphics embedded in e-mail and Web pages to monitor who
is reading message
– Spyware
• Surreptitiously installed on user’s computer
• May transmit user’s keystrokes or display unwanted ads
• Google’s collection of private data; behavioral
targeting
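
The web beacon mechanism described above, seen from the recipient's side: an added Python example (not part of the original slides) that flags likely tracking images in an HTML e-mail body. The sample message, its hosts, and the `find_beacons` name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body; every host and path here is made up.
SAMPLE_EMAIL_HTML = """<html><body><p>Your order has shipped.</p>
<img src="https://shop.example/logo.png" width="180" height="60" alt="Shop">
<img src="https://track.mailer.example/o.gif?uid=12345" width="1" height="1">
<img src="https://stats.example.net/p.png?m=abc" style="display:none">
<img src="cid:banner01" width="600" height="120">
</body></html>"""

def _dim(value):
    # Integer pixel size, or None when the attribute is absent or unparsable.
    try:
        return int(str(value or "").lower().replace("px", "").strip())
    except ValueError:
        return None

class BeaconFinder(HTMLParser):
    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, so no remote fetch occurs
        host = (url.hostname or "").lower()
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if not reasons:
            return  # a visible remote image is not flagged
        if url.query:
            reasons.append("URL carries a query string")
        own = host == self.sender_domain or host.endswith("." + self.sender_domain)
        self.findings.append({"host": host, "third_party": not own, "reasons": reasons})

def find_beacons(html, sender_domain):
    parser = BeaconFinder(sender_domain)
    parser.feed(html)
    return parser.findings
```

Blocking remote image loading in the mail client defeats every image this function flags, because the beacon only reports back when the image is fetched.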

The Moral Dimensions of

• U.S. allows businesses to gather transaction
information and use this for other marketing
purposes
• Online industry promotes self-regulation over
privacy legislation
• However, extent of responsibility taken varies
– Statements of information use
– Opt-out selection boxes
– Online “seals” of privacy principles
• Most Web sites do not have any privacy policies

The Moral Dimensions of

• Technical solutions
– The Platform for Privacy Preferences (P3P)
• Allows Web sites to communicate privacy policies
to visitor’s Web browser
• User specifies privacy levels desired in browser
settings
• E.g. “medium” level accepts cookies from first-
party host sites that have opt-in or opt-out policies
but rejects third-party cookies that use personally
identifiable information without an opt-in policy


The Moral Dimensions of

• Property rights: Intellectual property


– Intellectual property: Intangible property of any kind
created by individuals or corporations
– Three main ways that intellectual property is protected
1. Trade secret: Intellectual work or product belonging
to business, not in the public domain
2. Copyright: Statutory grant protecting intellectual
property from being copied for the life of the author,
plus 70 years
3. Patents: Grants creator of invention an exclusive
monopoly on ideas behind invention for 20 years


The Moral Dimensions of

• Challenges to intellectual property rights

– Digital media different from physical media (e.g.
books)
• Ease of replication
• Ease of transmission (networks, Internet)
• Difficulty in classifying software
• Compactness
• Difficulties in establishing uniqueness
• Digital Millennium Copyright Act (DMCA)
– Makes it illegal to circumvent technology-based
protections of copyrighted materials

The Moral Dimensions of

• Accountability, Liability, Control


– Computer-related liability problems
• If software fails, who is responsible?
– If seen as part of machine that injures or harms,
software producer and operator may be liable
– If seen as similar to book, difficult to hold
author/publisher responsible
– What should liability be if software seen as service?
Would this be similar to telephone systems not
being liable for transmitted messages?


The Moral Dimensions of

• System Quality: Data Quality and System Errors


– What is an acceptable, technologically feasible level of
system quality?
• Flawless software is economically unfeasible
– Three principal sources of poor system performance:
• Software bugs, errors
• Hardware or facility failures
• Poor input data quality (most common source of
business system failure)


The Moral Dimensions of

• Quality of life: Equity, access, and boundaries

– Negative social consequences of systems
• Balancing power: Although computing power
decentralizing, key decision-making remains centralized
• Rapidity of change: Businesses may not have enough
time to respond to global competition
• Maintaining boundaries: Computing, Internet use
lengthens work-day, infringes on family, personal time
• Dependence and vulnerability: Public and private
organizations ever more dependent on computer
systems

The Moral Dimensions of

• Computer crime and abuse


– Computer crime: Commission of illegal acts through use
of a computer or against a computer system – computer
may be object or instrument of crime
– Computer abuse: Unethical acts, not illegal
• Spam: High costs for businesses in dealing with spam

• Employment:
– Reengineering work resulting in lost jobs
• Equity and access – the digital divide:
– Certain ethnic and income groups in the United States
less likely to have computers or Internet access
