Case Analyses

I have two case studies due in my computer ethics class tomorrow.  I don’t really know what format he wanted, but I think I fulfilled the stated requirements.  I’m going to post what I have in full for you to enjoy if you want.  You have until tomorrow at around 3 to inform me of grammar and spelling mistakes.

For the first case the scenario is as follows.  I work for a company, SciTech, that gets contracts to install software for other companies.  I am working on a contract for Lakeside installing software written by ChiFi.  I find out half way through the contract that Lakeside does not have licenses to use the software, and my contact with Lakeside ignores my questions on the subject.

Software Licensing Case: Stuck in the Middle

Stakeholders: In this case the stakeholders are fairly clear and easily defined. The primary stakeholders are the company one is contracted to install for, Lakeside, and the company that developed the software to be installed, ChiFi, and one and one’s company, in this scenario, SciTech. There aren’t any secondary stakeholders important enough to warrant consideration.

Potential Actions: For organizational purposes I will make a simple list of the potential actions one could take in the situation described by this case. I will discuss the ethical merits and demerits of each later.

1. Say nothing – fulfill contract

2. Say nothing – leave job unfinished

3. Inform one’s superiors

4. Inform the superiors of one’s Lakeside contact

5. Inform ChiFi – aka whistle blow

Impact of Actions: Above I have listed the five major actions available to take in the scenario. I’ll discuss the ramifications of each, in turn, now.

The first, and perhaps the simplest, option is to just install the software and pretend everything is normal. By choosing this option one makes oneself and one’s company a knowing accessory to theft, but you complete the contract and maybe nothing ever comes of it.

The second option to consider is leaving the contract. This would result in loss of the contract, and likely Lakeside will find another contractor to do what you were being paid to do, so the theft continues.

Now we come to the more complicated options. Action three, one informs ones boss of the situation. It should be understood that this action must be followed up with some other action, and that the ethicality of those actions still stand. So ultimately, this action cannot solve the ethical dilemma. It can be a useful action to take, if ones bosses are ethical people, as they will assist in doing the right thing. However, if they are not, it will make things more difficult. One could be fired, or taken of the contract, both of which greatly decrease one’s ability to affect change.

Action four is to go over one’s contact’s head, since the contact is ignoring one’s warnings. There are a few possible outcomes from this. They could ignore you as well. They could rectify the situation, and purchase the licenses. In doing this they might punish your contact with Lakeside. They might start a dialog with your supervisors, which would have all the impact of those discussed for action three, if one has not already performed action three.

Finally, one could inform the victims of the theft, ChiFi. This action has three likely outcomes. The best is that ChiFi works out a deal with Lakeside, and everything is resolved to the satisfaction of all the stakeholders. Another is that ChiFi takes legal action to punish Lakeside, which could potentially ruin Lakeside. The final is that ChiFi does nothing.

Responsibilities and Rights: In this section I will discuss the rights and responsibilities of each stakeholder. I will not spell out the actions I believe to be best, however, it should be clear from the content here which actions are ethical, and which are not.

I’ll start with the individual employee at the center of the case. He has a responsibility not to steal, or assist in stealing. He has a responsibility to inform the groups involved, SciTech and Lakeside to see if a solution can be found. If not, he has a responsibility to inform the other involved party, ChiFi. He has the right to not perform work on the contract as long as the ethical issue is unresolved. He also has the right to seek compensation for any damages he takes from acting on those responsibilities.

SciTech has the right to be informed when there are ethical violations they are involved in. They have a responsibility to support their employs that act according to the responsibilities of the individual discussed above. They also have the same rights and responsibilities as the individual.

Lakeside has the same rights and responsibilities as SciTech. They additionally have a responsibility to appropriately punish any unethical behavior.

ChiFi has the same rights and responsibilities as the other companies, but in this scenario their role is unique, so they have additions. ChiFi has a right to own and distribute its product. It has a right to compensation for acts against that right, including theft of the property, assistance in the theft of the property, and silence about knowledge of such acts. ChiFi has the additional responsibility to act on its right to own its product. If ChiFi is informed of theft, and doesn’t take any action to prevent it, ChiFi tacitly waves the ownership rights discussed here.

Additional Considerations: In informing either Lakeside or ChiFi of the situation it is best to inform departments in charge of sales and accounts, or the central management chain. This decreases the chances of a legal battle by giving the parties a chance to settle things without lawyers. Legal departments will be brought into the discussion if necessary.

Also, in such a case that Lakeside’s internal policy strictly and explicitly forbids installation of unlicensed software, the considerations above are not changed. Such a policy strengthens one’s position when acting responsibly, but policies do no affect the ethics of a situation.

The second scenario has me as the head of IT for a company at which an administrator has had an accident.  The prognosis is that the administrator will be completely unavailable for a month, and mostly unavailable for three months thereafter.  Does the company have the right to look at the administrators e-mail account, which is a company account, to determine things about the work he was doing while he is incapacitated?

Administrator Accident Case

Stakeholders: The primary stakeholders of this case are the injured administrator, oneself, and one’s company. The secondary stakeholders of note are all the people in the injured administrator’s correspondence.

Potential Actions: As before, I will make a simple list of the potential actions one could take in the situation described by this case. I will discuss the ethical merits and demerits of each later.

  1. Keep the administrator’s e-mail private.
  2. Give access to the administrator’s e-mail to any authority at the company.
  3. Let a chosen individual look at the administrator’s e-mail to facilitate work in his absence.
  4. Let a committee look at the administrator’s e-mail to facilitate work in his absence.
  5. Automatically compile a list of those recently in contact with the administrator, and inform them to take some appropriate action.

Impact of Actions: I will now consider the mostly likely impacts the above listed actions could elicit. It is my intention to give a simple, objective analysis of what might happen, and not comment beyond that, for now.

The first action listed, keeping the injured administrator’s e-mail private. This is of varying difficulty depending on the degree to which the company wants access to the e-mail. The results of refusing include the range of corporate punishment, including firing. Also, work the injured administrator was managing may cease, or slow.

Second on the list is to acquiesce to the will of the company. This action is easy, and will have no impact on oneself. However, it will result in a loss of privacy for the injured administrator, and those who have contacted him via e-mail.

The third option is a compromise. It allows access to the account, but on the stipulation that only one person is allowed to look. The person would be selected to neutral and discrete as possible, and would be allowed access only for the purposes of allowing the work the administrator was supervising to continue. This compromise means that privacy of the administrator and his contacts is lost, although to a lesser degree than possible. The individual charged with searching the account might be placed in an uncomfortable position, depending on what he finds in the account. The contents of the e-mail could still be leaked to everyone, as well. However, likely the important work related information would be retrieved. For oneself, negotiating the compromise might anger the company, and could incur some punishment.

The fourth option is similar to the third; except for instead of allowing only one individual access, a committee will be allowed access. The committee would be formed to insure that access to the e-mail account of the injured administrator was used only the proper use of maintaining work on the administrators projects. All the possible outcomes for this option are the same as option three. The issue of placing those charged with looking at the account in an uncomfortable situation is mitigated by a committee, however, the likelihood of information from the account leaking out increases.

Action five, using some automated technology to determine those in contact with the injured administrator and contacting them, is similar to options three and four, in that information is retrieved from the account, but different in the important fact that no human has to look at the private data in the account. As such, nobody risks being placed in an uncomfortable situation from knowing the contents of the account, and the likelihood of any sort of leak is greatly reduced. This chance can never be zero since no such technology can be perfect, and human action will be required at some point. The risks to oneself, as one arguing for the compromise, are the same as for actions four and five.

Responsibilities and Rights: In the following paragraphs I will lay out the rights and responsibilities of the stakeholders involved in this case, as I see them. From these it should be possible to determine the ethical standing of the above actions, and variants.

The injured administrator has a right to privacy. He also has a responsibility to his company to allow them to continue the work he was doing in his absence. In a case involving company accounts, such as this one, the responsibility to the work takes precedent in a conflict between these two considerations. However, the breach to the individual’s right to privacy should be minimized.

As IT director of a company, one has a responsibility to maintain the privacy of the individuals whose data you work with, but also a responsibility to the company one works for, to allow them access to the data they require to do business. One has a right to refuse to comply with any action that one deems to favor either responsibility too greatly in a conflict between them.

The company employing the injured administrator and the IT director has a right to continue the work of their employee’s if they are unable to, and they have a right to access data in their accounts. They also have a responsibility to maintain the privacy of their employee’s, as well as the public.

The secondary stakeholders, the people in the injured administrators e-mail account, have a right to privacy, and no responsibilities applicable to this case.

Additional Considerations: When conflicts arise between the rights and responsibilities of various entities, a hierarchy of precedence must be established. Further, in fulfilling the responsibilities dictated by the hierarchy, breaches of rights should be minimized.

There are many miscellaneous details to a case such as the one discussed above that can be dismissed as having no importance. These include policies of a company declaring ownership of data in their accounts, or declaring that their accounts are to be used for business only. Also not of importance are laws regarding ownership of data.