Ethical Analysis of a Travel-tracking Application

Published on May 2016

Computer Ethics final project


UNIVERSITY OF TWENTE, DEPARTMENT OF ELECTRICAL ENGINEERING, MATHEMATICS AND COMPUTER SCIENCE

ETHICAL ANALYSIS OF A TRAVEL-TRACKING APPLICATION

A COMPUTER ETHICS PROJECT - 2010 19161280
LAURA ILEANA STOILESCU (S1070053), MIRCEA STOICA (S1033158)

10/12/2011

TABLE OF CONTENTS
Abstract
1. Introduction
1.1. Motivation
2. Our product – Travel-tracking application
2.1 Data collected
2.2 The reward system
3. Ethical analysis of the system
3.1. A perfectly plausible scenario
3.2. Violated rules of the ethic code (ACM)
3.3. Identity theft
3.4. Privacy
3.5. Privacy frauds: Data gathering, exchanging, mining, merging, matching
3.6. Embedded values - BIAS
4. Technical measures
5. Conclusion
6. Bibliography

ABSTRACT
This essay describes some of the ethical problems raised by the use of a mobile phone application that tracks a tourist’s accommodation at a hotel and keeps a profile for all travels made in a certain hotel or hotel chain. Our analysis has the purpose of setting a solid design and a clear set of usage rules for this application so that the ethical conflicts are minimal. We explore each problem on the basis of two major ethical theories that attempt to specify and justify moral rules and principles: I. Kant’s Deontological ethics and Consequentialism, or Utilitarianism as a more particular form founded by J. Bentham and J. S. Mill. The analysis draws attention to a series of ethical aspects that can label the application as ineffective for a user who is sensitive about his privacy and data protection.

1. INTRODUCTION
Technology, from its most rudimentary to its current form, has the sole purpose of making, using and understanding tools in order to solve a problem or serve some purpose. Along with technological development, on evolution’s road from the stick and stone to orbital satellites, the ethical issues raised have had an increasingly great impact on the user, sometimes casting doubt even on the global utility of a certain product. Against this background, information has become more than just an abstract concept: it is a value that needs to be protected and preserved, also referred to as the intellectual capital from which human beings craft their lives and secure their dignity (Mason, 1986). Computer ethics needs to be applied in the technological domain at this level because technology in itself, whether a computer, a mobile phone, or a piece of software, has a neutral intrinsic value. The responsibility of using technology therefore lies in the user himself (“Guns don’t kill people, people kill people with guns”). On a more informal but still true note, web wisdom offers another version of this quote: “Guns don’t kill people, people do and monkeys do too, if they have a gun” (E. Izzard), which balances the responsibility between the user and the tool: how neutral is the technology actually? Of course, the decision to commit an immoral, wrong, unethical act lies with the user, but it is also true that without the proper tool the act could be avoided. Collecting, storing, processing and distributing information in this informational era proves to have unique challenges while having great advantages over the previous methods.

We are mainly referring to assuring privacy and confidentiality, assuring the data and the system are modified with proper authorization only, assuring unimpaired service, ensuring data consistency and controlling access to resources (Martin). When centralization can be identified with control, and finding your way with being tracked down, a help turns out to be an abuse, and some boundaries must be set. From another point of view, we cannot expect absolute privacy in an environment with all information within reach, based only on the correct ethical behavior of the other users; therefore there isn’t always a clear line from which we can conclude the existence of an abuse. Users expect freedom from intrusion and surveillance while dealing with computers and giving up personal information that may make them traceable.

In the following sections, we describe a travel tracking system which refers only to the accommodation aspect of the journey and the activities performed in its environment. The system is described in section 2 and analyzed in the following chapters from an ethical perspective, discussing the situations that can lead to misuse of the data collected and the impact on the customer and hotel respectively.

1.1. MOTIVATION

We consider that one of the purposes of mobile phone applications is to give any smart-phone a multi-tasking attribute. Our application combines the already-present functions with a custom-made micro-travel agency that will be able to book the perfect room for each occasion. At each booking, the hotel’s personnel check the profile’s history, make all the necessary arrangements and are able to suggest other similar products and services.

So why not be able to book a hotel room, through a simple icon touch, and know you will find there all the small but effective details that make your stay a pleasant one? Perhaps having a permanent log of your spending during a stay at the hotel will even help you be wiser with your own finances. Of course, there are advantages to using this application, but there are also risks. Is it worth jeopardizing your privacy to spare a few minutes of extra effort compared with the conventional method? The answers differ, of course, for each customer and background.

2. OUR PRODUCT – TRAVEL-TRACKING APPLICATION
The application we have considered is not built-in but available to all contract-based mobile phone users. The contract is a condition and a means to verify the data fed in at registration, since the application’s purpose is to record and edit the user’s activities and preferences during his stay at a hotel. This will require extra security for logging on to the application, as discussed in section 3.4. Several profiles can be kept at once, each one being associated with a travelling “mode”. Each profile will be represented by a quick response code chosen from a pre-set list of codes available at the hotel and will mark a certain combination of factors such as: room type, TV grid, mini bar selection, restaurant preferences, etc.

The code will also be marked on the electronic key card, which will be scanned to grant access to the hotel’s facilities and to update the profile’s state. While the key is placed in the room key slot, several sensors will monitor the usage of the mini bar, TV, phone and Internet, and the data will be automatically sent to the monitoring application. If the key slot is empty, the functioning of all equipment will be interrupted. For other facilities such as vending machines, the hotel’s spa, gym or any facility that is not free and belongs to the hotel or to the associated companies, the key will again act as a switch granting access and monitoring their usage. The costs associated with each recording in the key’s log add up to form the total bill and keep track of all activities. The bill can either be paid at the end of the stay or it can be sent to the billing address of the telephone contract owner. If this is the case, editing a profile will be possible only after the payment is registered. Based on the current choices, the application might suggest similar products or activities which are available in the hotel and the associated companies. This presumes a previous indexing and correlation of all the available products and storing them in a database available online.

2.1 DATA COLLECTED
The system gets some of its data from the mobile phone contract, and the rest, consisting of the details of each stay, is provided by the customer at each room booking. As one would expect, the data stored is generally sensitive data such as:
- name, phone number, address, credit card account; name, phone number, address of next-of-kin;
- usage of mini bar, room service, laundry service, TV channels watched, Internet traffic, phone calls from the hotel room, presence in the hotel room;
- usage of services from taxi companies, bars, clubs, spa, gym and other facilities associated with the hotel;
- a complete log, which will be used to monitor the customer’s behavior in order to decide whether he is awarded a certain type of membership card, and to create the detailed bill at the end of the stay.

2.2 THE REWARD SYSTEM
Based on the amount of money spent, the number of check-ins and the number of rooms booked at once, each customer can be awarded the platinum, golden, or silver membership card, which grants free accommodation at the hotel for a limited period, access to the hotel’s facilities or price reductions for staying at the hotel, according to each type of membership. To be able to award the memberships correctly, each client’s log is kept for a period of two years, after which the data is no longer valid. Therefore, the benefits of any type of account can be used within those two years.

3. ETHICAL ANALYSIS OF THE SYSTEM

Although at first glance the application seems to be somewhat harmless, the problems that can arise are, at least, diverse. From identity theft and privacy loss to robbery, the simple possibility of these issues can make the application unsafe and unappealing. Just as with any virtual account, if an unauthorized person gets possession of the phone, the data already stored can be modified or, in the worst case, the account can be used to book several rooms for which the phone owner will pay. Also, the data will be available not only to the user but also to the hotel personnel, which, for a public person, will not be acceptable. We will also discuss the threats to privacy in section 3.4, to data in section 3.5 and [reference not found], and find the technical solutions for them, if possible.

3.1. A PERFECTLY PLAUSIBLE SCENARIO

We are considering the case when the phone on which our application is running is lost. Since Mr. Smith, the user, didn’t expect to lose his phone, he also didn’t log out of the application, so the finder will not have any difficulty in browsing through the data already stored. Therefore, there will be no obstacle if he decides to book a room on Mr. Smith’s account, in a hotel he otherwise couldn’t afford, and send the bill to the unfortunate Mr. Smith, who will pay it. We won’t go into detail regarding Mr. Smith’s social status: he might simply be an app-enthusiastic student who now has to pay the bill of his lifetime, or he might be a retired CEO whose funds are barely scratched. The financial aspect of the consequences is not the goal of this essay but can be used, if desired, to find mitigating circumstances for each situation and to extend the debate on the act’s moral character. In the next subchapters we will discuss (we hope) all problems that can arise from this scenario, and we will also deviate from the plot to cover other possible application bugs.

3.2. VIOLATED RULES OF THE ETHIC CODE (ACM)

It is not our job, as system developers, to prevent the phone from being lost, but it is our job to make the system as robust as possible against unauthorized usage. The responsibility aspect will be discussed in detail in section [reference not found], but we are taking into account the engineer’s ability to disclose and correct potential problems. Therefore, there is at least a causal and legal responsibility, if not a moral one, that will lie with the developer. Considering the Association for Computing Machinery Code of Ethics and Professional Conduct, several rules would be violated in a scenario such as the one presented.

(1.1) Contribute to society and human well-being: this principle concerning the quality of life of all people affirms an obligation to protect fundamental human rights and to respect the diversity of all cultures. An essential aim of computing professionals is to minimize negative consequences of computing systems, including threats to health and safety, and to assure that the system will be used in socially responsible ways, will meet social needs, and will avoid harmful effects to health and welfare.

We cannot refer to the society level in our case, but at the individual level there is strong evidence that the threats to one’s safety are not minimized, and no assurances regarding the usage of the software are given whatsoever.

(1.2) Avoid harm to others: avoid any injury or negative consequence, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. Well-intended actions, including those that accomplish assigned duties, may lead to harm unexpectedly. In such an event the responsible person or persons are obligated to undo or mitigate the negative consequences as much as possible. One way to avoid unintentional harm is to carefully consider potential impacts on all those affected by decisions made during design and implementation.

Let us consider the case in which the database consisting of all users’ data is accessible to the developer even after the application has been sold to the hotel chain. The reason could be:
- simple negligence, if the engineer or team of engineers working on this project didn’t consider this possibility;
- they realized that there might be a security breach but did not make the required adjustments;
- they left a “way in” to the database on purpose, for future usage of the data stored.

In the work environment, the computing professional has the obligation to report any signs of system dangers that might result in serious personal or social damage. If one's superiors do not act to curtail or mitigate such dangers, it may be necessary to "blow the whistle" to help correct the problem or at least to reduce the risks. However, whistle blowing is a delicate decision to take, and the professional who decides to follow this course should research the situation and the background intensely before acting. Whistle blowing should be a last resort, after exhausting all internal options and concluding that the management and board of directors will not cooperate.

(1.7) Respect the privacy of others: It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies.

The user is indeed permitted to view and edit their data through the mobile phone interface, therefore the accuracy aspect is respected. The unauthorized access issue is a pressing problem and extra security measures must be taken to correct it.

(1.8) Honor confidentiality: The principle of honesty extends to issues of confidentiality of information whenever one has made an explicit promise to honor confidentiality or, implicitly, when private information not directly related to the performance of one's duties becomes available.

This rule actually demands that access be granted only to a clearly determined group of people so that the risks are minimal. Monitoring the customer and his activities should not be a task for just any employee of the hotel; those employees should be chosen through a strict procedure and should even sign a disclosure agreement with the hotel when granted the access. In any case, the entry level employees should not have access to this type of information.

(2.1) Strive to achieve the highest quality, effectiveness and dignity in both the process and products of professional work: Excellence is perhaps the most important obligation of a professional. The computing professional must strive to achieve quality and to be cognizant of the serious negative consequences that may result from poor quality in a system.

We acknowledge that excellence is a subjective level depending on each professional’s set of values and cultural background, but the result should always be a superior quality product. In our case the great number of faults and security breaches take the application out of this select class of products.

(2.4) Accept and provide appropriate professional review: Quality professional work, especially in the computing profession, depends on professional reviewing and critiquing. Whenever appropriate, individual members should seek and utilize peer review as well as provide critical review of the work of others.

(2.5) Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks: Computer professionals must strive to be perceptive, thorough, and objective when evaluating, recommending, and presenting system descriptions and alternatives. Computer professionals are in a position of special trust, and therefore have a special responsibility to provide objective, credible evaluations to employers, clients, users, and the public.

(2.8) Access computing and communication resources only when authorized to do so: Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle. No one should enter or use another's computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time. (Reynolds, 2010)

3.3. IDENTITY THEFT

“But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed”
Shakespeare, Othello, act III, scene 3.

The short definition is that identity theft is a crime. Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. Unlike fingerprints, which are unique and cannot be given to someone else for their use, personal data, especially Social Security number, bank account or credit card number, telephone calling card number, and other valuable identifying data, can be used, if they fall into the wrong hands, to personally profit at the victim’s expense. In the United States and Canada, for example, many people have reported that unauthorized persons have taken funds out of their bank or financial accounts, or, in the worst cases, taken over their identities altogether, running up vast debts and committing crimes while using the victims’ names. In many cases, a victim's losses may include not only out-of-pocket financial losses, but substantial additional financial costs associated with trying to restore his reputation in the community and correcting erroneous information for which the criminal is responsible. (Identity theft and Identity Fraud)

The most common ways to commit identity theft or fraud are a lot less elaborate than breaking into our homes. In public places, criminals may engage in:
- "shoulder surfing": watching you from a nearby location as you punch in your telephone calling card number or credit card number, or listening in on your conversation if you give your credit-card number over the telephone to a hotel or rental car company.
- "dumpster diving": going through your garbage cans or a communal dumpster or trash bin to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number.
- If you receive applications for "preapproved" credit cards in the mail, but discard them without tearing up the enclosed materials, criminals may retrieve them and try to activate the cards for their use without your knowledge.
- In recent years, the Internet has become an appealing place for criminals to obtain identifying data, such as passwords or even banking information. In some cases, criminals reportedly have used computer technology to obtain large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes: for example, false applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards, or obtaining other goods or privileges which the criminal might be denied if he were to use his real name. If the criminal takes steps to ensure that bills for the falsely obtained credit cards, or bank statements showing the unauthorized withdrawals, are sent to an address other than the victim's, the victim may not become aware of what is happening until the criminal has already inflicted substantial damage on the victim's assets, credit, and reputation. (Identity theft and Identity Fraud)

Even from a deontological point of view, when the consequence is not known, a system that wouldn’t meet the security standards needed to prevent identity theft cannot be accepted as suitable. Although the intention of the developer is, indeed, to develop a functional system, by breaking the ACM article 2.1, the “intention’s quality” proves to be less than it should be. In the identity theft problem, the victim’s identity becomes a means, a tool to an end which possibly is a felony. This contradicts Kant’s second categorical imperative. From the utilitarian perspective, identity theft can be, in some extremely special situations, less blameworthy. If the individual whose identity was stolen is a criminal (of any type) and using this method the police would be able to capture him/her, there are perhaps sufficient excuses for using identity theft.

3.4. PRIVACY

“[Privacy is]… the right to be let alone”
Warren and Brandeis (1890)

ACCESSIBILITY, DECISIONAL, INFORMATIONAL

The lack of privacy is easy to identify when experienced but difficult to define in a clear and simple manner. L. Introna splits the concept into three subcategories: privacy as no access to the person or the personal realm, privacy as control over personal information and privacy as freedom from judgment or scrutiny by others. The notion of control is due to the dynamic environment in which the concept is defined, which varies socially and culturally. This idea of control over personal information is very powerful in situations where it is important to determine whether or not an individual’s right to privacy has been violated. Although at first glance access to private data cannot do serious damage to an individual (“If you have nothing to hide…”), even from a relationship point of view, and so without taking into account the economic or social aspect, the behavior of an individual can be dramatically changed when “supervised”. J. Bentham described the famous Panopticon architecture as “a new mode of obtaining power of mind over mind, in a quantity hitherto without example”. Following this path, we can suspect a behavioral change in the user of our product, and therefore an influence on the decisions the client makes during his stay at the hotel. The more accessible the data is to a third party, the greater the tendency to make decisions closer to what is socially appropriate. Also, the control over the transfer of the user’s personal data can be the object of privacy threats such as data gathering, data exchanging, data mining, data merging and data matching. These aspects will be discussed in subchapter 3.5, with further discussion of the system’s embedded values in subchapter 3.6.

The developer’s intention of having easily accessible data cannot be classified with certainty in any way. It is indeed useful and appealing to have all data available through a simple touch of the screen, but this provides very little protection of the actual data. Provided the exact details of the system are correctly presented in an agreement signed by both parties, the developer will not have to account for any legal responsibility. In this matter both theories, deontological ethics and utilitarianism, are equally unable to determine the moral character of the accessibility, decisional and informational privacy.

3.5. PRIVACY FRAUDS

DATA GATHERING, EXCHANGING, MINING, MERGING, MATCHING
The ways in which available data on a certain individual can be exploited and misused are limited only by the criminal imagination, therefore we will not be able to cover all possible scenarios.
- Data gathering: if, besides the data mentioned in the signed agreement, any other type of data is stored without the user’s consent, we are talking about data gathering techniques.
- Data exchanging: when existing databases are exchanged with third parties without the consent of the user, the data exchanging can affect the security, integrity and social image of a certain individual. By tracking the user’s activity during his stay, a “consumer’s profile” can be built, and this profile can be exchanged with advertising companies that will spam the client with offers similar to his taste.
- Data mining: taking the previous example to a new level, let us consider a large database consisting of all the clients who use our application. In this case we have to be aware of data mining – the process of discovering new patterns from large data sets, involving methods from statistics and artificial intelligence but also database management. The result is a set of associations that aren’t obvious, and the way this new data is used determines, in the end, the implicit value of the process. It can be simply a means to help the hotel stock up with the right products and run an efficient business. When the data is fed to an automatic system that takes adverse decisions affecting your wellbeing, safety, health, rights to certain services etc., we can no longer talk about neutral-value data. Decisions that would previously have been regarded as prejudiced and biased can now be justified by ascribing causal responsibility to the computer, which represents an advantage for companies who want to use these non-transparent techniques.
- Data merging: a data-exchanging process in which personal data from two or more sources is combined to create a "mosaic" of individuals that would not be discernible from the individual pieces of data alone.
- Data matching: a technique in which two or more unrelated pieces of personal information are cross-referenced and compared to generate a match or "hit" that suggests a person's connection with two or more groups.

In the last two situations we are considering new data obtained by processing the information available in our database. This new data might result in a piece of information the user isn’t willing to share and which is not mentioned in the initial contract. We can consider these cases a more particular case of data gathering.

3.6. EMBEDDED VALUES - BIAS

B. Latour argued that technological artifacts issue constraints on the world surrounding them, and Winner has argued that they can harbor political consequences. The idea of embedded values is best understood as a claim that technological artifacts, especially in our case in which we are talking about a software application, have built-in tendencies to promote or demote the realization of particular values, a “built-in consequence”. Technological artifacts therefore have consequences that tend to manifest themselves in all central uses of the artifact. Also, technological artifacts have built-in values and built-in norms, so that we can reach the conclusion that technology is not morally neutral.

4. TECHNICAL MEASURES
Since we are discussing a smart-phone application, we can afford to be a little creative with the technical measures that can be taken to avoid or, at least, minimize the consequences of application misuse. Regarding the security aspect, several improvements can be made. For instance, the user can log in using an iris recognition function, which can be easily implemented in any smart-phone considering the characteristics of their incorporated cameras nowadays. This method is not as fast and smooth as the regular login, but for gadget enthusiasts it can be a reason to enjoy the application even more. If this is not the case, we can add an automatic log-off procedure that will be enabled after 5 minutes of inactivity in the application’s window. Logging back on will be done either through iris recognition or through the input of a complex key. The key must be formed of different types of characters: case-sensitive letters, numerical and special characters (%, $, *, etc.), eliminating the risk of having weak keys such as the user’s name or obvious character combinations.

To prevent unauthorized data access, the data can be kept on local storage (namely, the phone’s memory) and the hotel’s actions will be reduced to a minimum:
- the client will present the already computed bill at the hotel’s reception (the data cannot be modified before the payment, so there are no risks at this moment);
- the bill will not be a detailed one, just the total sum;
- at a future reservation the hotel will ask if there are any preferences and, if so, the user can decide to grant access to his database.

The membership will not be automatically granted; the client must request it when he meets the given criteria. If the client decides to grant access to his data, the hotel personnel must present a rank code, which will allow them to see the data only if they are above a certain level of security. As discussed before, entry level personnel will not be able to access the database.
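The following Python model is an added example, not part of the original essay or of any real product; it puts the measures of this section together: the complex-key rule, the automatic log-off after 5 minutes, the total-only bill, and the consent and rank-code checks for hotel staff. The minimum key length, the rank threshold, the sample rank codes and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import time

IDLE_LIMIT_SECONDS = 5 * 60   # from the text: log off after 5 minutes of inactivity
MIN_KEY_LENGTH = 12           # assumption: the essay sets no minimum length
RANK_THRESHOLD = 2            # assumption: the essay only says "above a certain level"
# Constructed sample rank codes mapped to staff security levels (hypothetical).
RANK_CODES = {"RC-FRONTDESK": 1, "RC-SHIFTLEAD": 2, "RC-MANAGER": 3}


def key_problems(key, user_name):
    """Return the reasons a key fails the policy; an empty list means it passes."""
    problems = []
    if len(key) < MIN_KEY_LENGTH:
        problems.append("too short")
    required = {
        "lower-case letter": r"[a-z]",
        "upper-case letter": r"[A-Z]",
        "digit": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for label, pattern in required.items():
        if not re.search(pattern, key):
            problems.append("missing " + label)
    # Reject keys built around the user's own name.
    for part in user_name.lower().split():
        if len(part) >= 3 and part in key.lower():
            problems.append("contains the user's name")
            break
    return problems


class ProfileVault:
    """Profile data kept on the phone, behind a key and an idle timer."""

    def __init__(self, user_name, key, clock=time.monotonic):
        problems = key_problems(key, user_name)
        if problems:
            raise ValueError("weak key: " + ", ".join(problems))
        self._salt = os.urandom(16)
        self._key_hash = self._derive(key)   # only a salted hash is stored
        self._clock = clock
        self._last_activity = None           # None means logged off
        self._charges = []                   # (description, amount in cents)
        self.hotel_access_granted = False    # the user's consent, off by default

    def _derive(self, key):
        return hashlib.pbkdf2_hmac("sha256", key.encode(), self._salt, 200_000)

    def log_in(self, key):
        if hmac.compare_digest(self._derive(key), self._key_hash):
            self._last_activity = self._clock()
            return True
        return False

    def _require_session(self):
        now = self._clock()
        idle = None if self._last_activity is None else now - self._last_activity
        if idle is None or idle >= IDLE_LIMIT_SECONDS:
            self._last_activity = None       # automatic log-off
            raise PermissionError("logged off: enter the key again")
        self._last_activity = now            # any use of the app resets the timer

    def add_charge(self, description, cents):
        self._require_session()
        self._charges.append((description, cents))

    def bill_total(self):
        """What reception sees: the total only, never the itemised log."""
        self._require_session()
        return sum(cents for _, cents in self._charges)

    def set_hotel_access(self, granted):
        self._require_session()
        self.hotel_access_granted = granted

    def read_for_hotel(self, rank_code):
        """Staff view: needs the user's consent and a rank above the threshold."""
        if not self.hotel_access_granted:
            raise PermissionError("user has not granted access")
        if RANK_CODES.get(rank_code, 0) <= RANK_THRESHOLD:
            raise PermissionError("rank too low")
        return list(self._charges)
```

Passing a fake `clock` function makes the idle timer testable without waiting; unknown rank codes map to level 0 and are refused like entry level staff.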

5. CONCLUSION
In this paper we discussed some of the ethical conflicts that may arise when misusing the application or the data stored by it. As expected, we did not find a generally valid formula on the basis of which we could say precisely which case is ethically correct or not. The true nature of an action can only be determined in its own conjuncture. In our case, the hotel’s hospitality and efficient management have to balance out the risks to which the user is exposed while using this application. The application should be rigorously tested before being put on the market, since it handles delicate data and can raise great problems for the user. By following the ethical rules even remotely, many unpleasant situations can be avoided and just as many can be justified, resulting in a useful, appealing experience for all parties involved.

6. BIBLIOGRAPHY
Identity theft and Identity Fraud. (n.d.). Retrieved October 08, 2011, from The United States Department of Justice: http://www.justice.gov/criminal/fraud/websites/idtheft.html

Martin, C. A Brief Introduction to Morality. Kansas.

Mason, R. O. (1986). Four Ethical Issues of the Information Age. Management Information Systems Research Center, University of Minnesota.

Reynolds, G. W. (2010). Ethics in Information Technology. Cengage Learning Inc.: Boston.
