
Topic/Themes: Employee IT Acceptable Use Policy

Description: Prepare an employee usage policy for your organization's information systems and assets. Your policy should include, but not necessarily be limited to, email and web usage. Please include a basic description of the organization as an attachment. This description (less than 10 sentences) should identify the mission or business of the organization, approximate numbers and types of employees, the role of information technology, and any other descriptive information that relates to "acceptable use." If your organization, for any reason, would object to your preparing such a paper for the organization, you may substitute the University or another organization. (I do not verify the facts you provide. Therefore, you may utilize and describe a fictitious organization.)

The body of your paper should be in two parts. In Part I, present the policy itself. In Part II, discuss the ethical, moral and legal implications of your policy and the choices you made in preparing the policy. Be sure to include and identify each type (ethical, moral and legal). There is no page limit on your submission. In this paper you must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, 5th Edition. Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. It is expected that all course work will be presented on time and error free. Be sure to include the certification statement. "This is my own work; any assistance I received acknowledged within the paper or presentation within the University of Maryland practice.

"This paper or presentation is my own work. Any assistance I received in its preparation is acknowledged within the paper or presentation, in accordance with academic practice. If I used data, ideas, words, diagrams, pictures, or other information from any source, I have cited the sources fully and completely in footnotes and bibliography entries. This includes sources which I have quoted or paraphrased. Furthermore, I certify that this paper or presentation was prepared by me specifically for this class and has not been submitted, in whole or in part, to any other class in this University or elsewhere, or used for any purpose other than satisfying the requirements of this class, except that I am allowed to submit the paper or presentation to a professional publication, peer reviewed journal, or professional conference. In adding my name following the word 'Signature', I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature. Signature _____________________________"

Project 2 (20% of the grade)

Prepare an employee usage policy of whatever length you think will work for your organization's information systems and assets. (Paper should be about 10 typed pages, but can be greater if the issues require it.) Your putative policy should include but not necessarily be limited to e-mail and web usage. Please describe your organization in an attachment to the paper of about 10 sentences. You should identify the mission of the business or organization, the approximate number and types of employees, the role of technology in the organization and any overarching policy in place which refers to "acceptable use". If this poses difficulties, you may substitute a fictitious organization or use the University of Maryland or another organization of your choosing. There must be a bibliography of at least 10 sources in addition to the textbooks.

QWEST Example: Acceptable Use Policy

Qwest has formulated this Acceptable Use Policy ("AUP") in order to encourage the responsible use of Qwest's networks, systems, services, web sites and products (collectively, the "Qwest Network and Services") by our customers and other users of the Qwest Network and Services (collectively, "Users"), and to enable us to provide Users with secure, reliable and productive services. By using the Qwest Network and Services, Users consent to be bound by the terms of this AUP. Qwest reserves the right to modify this AUP in its discretion at any time. Such modifications will be effective when posted. Any use of the Qwest Network and Services after such modification shall constitute acceptance of such modification.

Suspension; Termination. Any User which Qwest determines to have violated any element of this AUP may be subject to a suspension or termination of service. Qwest will suspend service for violation of the AUP on the most limited basis as Qwest determines is reasonably practical under the circumstances to address the underlying violation. Qwest will attempt to notify Customer prior to suspending service for violation of the AUP (which may be via email or any other notification); provided, however, Qwest may suspend service without notice if Qwest becomes aware of a violation of any applicable law or regulation or activity, including but not limited to a violation of the AUP, that exposes Qwest to criminal or civil liability or that exposes the Qwest network or Qwest customers' network or property to harm. Such harm to a network may include, but is not limited to, risk of having an IP address placed on blacklists. Qwest may take such further action as Qwest determines to be appropriate under the circumstances to eliminate or preclude repeat violations, and Qwest shall not be liable for any damages of any nature suffered by any Customer, User, or any third party resulting in whole or in part from Qwest's exercise of its rights under this AUP.

Prohibited Conduct. In General. The Qwest Network and Services must be used in a manner that is consistent with the intended purpose of the Qwest Network and Services and may be used only for lawful purposes. Users shall not use the Qwest Network and Services in order to transmit, distribute or store material: (a) in violation of any applicable law or regulation, including export or encryption laws or regulations; (b) that may adversely affect the Qwest Network and Services or other Qwest customers; or (c) that may expose Qwest to criminal or civil liability. Users are prohibited from facilitating the violation of any part of this AUP or another provider's AUP, including, but not limited to transmitting, distributing, or otherwise making available any product or service that violates this AUP or another provider's AUP.

Inappropriate Content. Users shall not use the Qwest Network and Services to transmit, distribute or store material that is inappropriate, as reasonably determined by Qwest, or material that is obscene (including child pornography), defamatory, libelous, threatening, abusive, hateful, or excessively violent.

Intellectual Property. Material accessible through the Qwest Network and Services may be subject to protection under privacy, publicity, or other personal rights and Intellectual Property rights, including but not limited to, copyrights and laws protecting patents, trademarks, trade secrets or other proprietary information. Users shall not use the Qwest Network and Services in any manner that would infringe, dilute, misappropriate, or otherwise violate any such rights. If you use a domain name in connection with any of the Qwest Network and Services, you must not use that domain name in violation of the trademark, service mark, or other rights of any third party.

Harmful Content. Users shall not use the Qwest Network and Services to transmit, distribute or store material that may be harmful to or interfere with the Qwest Network and Services or any third party's networks, systems, services, or web sites. Such prohibited harmful content includes, but is not limited to, viruses, worms, or Trojan horses.

Fraudulent/Misleading Content. Users shall not use the Qwest Network and Services to transmit or distribute material containing fraudulent offers for goods or services, or any advertising or promotional materials that contain false, deceptive, or misleading statements, claims, or representations. In addition, Users are prohibited from submitting any false or inaccurate data on any order form, contract or online application, including the fraudulent use of credit cards.

Email and Unsolicited Messages. Users shall not use the Qwest Network and Services to transmit unsolicited e-mail messages, including, without limitation, unsolicited bulk email, where such emails could reasonably be expected to provoke complaints ("spam"). Further, Users are prohibited from using the service of another provider to send spam to promote a site hosted on or connected to the Qwest Network and Services. In addition, Users shall not use the Qwest Network and Services in order to (a) send e-mail messages which are excessive and/or intended to harass or annoy others, (b) continue to send e-mail messages to a recipient that has indicated that he/she does not wish to receive them, (c) send email with forged TCP/IP packet header information, (d) send malicious e-mail, including, without limitation, "mail-bombing", (e) send or receive e-mail messages in a manner that violates the use policies of any other Internet service provider, or (f) use an e-mail box exclusively as a storage space for data.

Third Party Rules; Usenet. Users may have access through the Qwest Network and Services to search engines, subscription Web services, chat areas, bulletin boards, Web pages, USENET, or other services that promulgate rules, guidelines or agreements to govern their use. Users must adhere to any such rules, guidelines, or agreements.

Inappropriate Actions. Users shall not use the Qwest Network and Services to conduct activities that may be harmful to or interfere with the Qwest Network and Services or any third party's networks, systems, services, or Web sites, including, but not limited to, flooding, mail bombing, or denial of service attacks. Users are prohibited from violating or attempting to violate the security of the Qwest Network and Services or the computers, accounts, or networks of another party. Users are also prohibited from any activity considered a precursor to attempted security violations, including, but not limited to, any form of scanning, probing, or other testing or information gathering activity. Inappropriate activity may result in civil or criminal liability. Qwest will investigate such activity, and may involve and cooperate with law enforcement authorities in prosecuting Users involved in such activity.

Responsibility for Content. Qwest takes no responsibility for any material created or accessible on or through the Qwest Network and Services. Qwest is not obligated to monitor such material, but reserves the right to do so. Qwest will not exercise any editorial control over such material. In the event that Qwest becomes aware that any such material may violate this AUP and/or expose Qwest to civil or criminal liability, Qwest reserves the right to block access to such material and suspend or terminate any User creating, storing or disseminating such material. Qwest further reserves the right to cooperate with legal authorities and third parties in the investigation of alleged wrongdoing, including disclosing the identity of the User that Qwest deems responsible for the wrongdoing.

Violations of this AUP may be reported at the following link: abuse@qwest.net.

PAYPAL EXAMPLE:
You are independently responsible for complying with all applicable laws in all of your actions related to your use of PayPal's services, regardless of the purpose of the use. In addition, you must adhere to the terms of this Acceptable Use Policy.

Prohibited Activities
You may not use the PayPal service for activities that:

1. violate any law, statute, ordinance or regulation
2. relate to sales of (a) narcotics, steroids, certain controlled substances or other products that present a risk to consumer safety, (b) drug paraphernalia, (c) items that encourage, promote, facilitate or instruct others to engage in illegal activity, (d) items that promote hate, violence, racial intolerance, or the financial exploitation of a crime, (e) items that are considered obscene, (f) items that infringe or violate any copyright, trademark, right of publicity or privacy or any other proprietary right under the laws of any jurisdiction, (g) certain sexually oriented materials or services, or (h) ammunition, firearms, or certain firearm parts or accessories, or (i) certain weapons or knives regulated under applicable law
3. relate to transactions that (a) show the personal information of third parties in violation of applicable law, (b) support pyramid or ponzi schemes, matrix programs, other get rich quick schemes or certain multi-level marketing programs, (c) are associated with purchases of real property, annuities or lottery contracts, lay-away systems, off-shore banking or transactions to finance or refinance debts funded by a credit card, (d) are for the sale of certain items before the seller has control or possession of the item, (e) are by payment processors to collect payments on behalf of merchants, (f) are associated with the following Money Service Business activities: the sale of travelers checks or money orders, currency exchanges or check cashing, or (g) provide certain credit repair or debt settlement services
4. involve the sales of products or services identified by government agencies to have a high likelihood of being fraudulent
5. violate applicable laws or industry regulations regarding the sale of (a) tobacco products, or (b) prescription drugs and devices
6. involve gambling, gaming and/or any other activity with an entry fee and a prize, including, but not limited to casino games, sports betting, horse or greyhound racing, lottery tickets, other ventures that facilitate gambling, games of skill (whether or not it is legally defined as a lottery) and sweepstakes unless the operator has obtained prior approval from PayPal and the operator and customers are located exclusively in jurisdictions where such activities are permitted by law.

Activities Requiring Approval


PayPal requires pre-approval to accept payments for certain services as set out in 6 above and detailed in the chart below.

Service Requiring Pre-Approval: Airlines and scheduled or non-scheduled charters/jets/air taxi operators; collecting donations as a charity or non-profit organization; dealing in jewels, precious metals and stones; acting as a money transmitter or selling stored value cards; selling stocks, bonds, securities, options, futures (forex) or an investment interest in any entity or property; or providing escrow services.
Contact Information: Please send contact information, business website URL and a brief business summary to compliance@paypal.com

Service Requiring Pre-Approval: Offering online dating services; providing file sharing services or access to newsgroups; or selling alcoholic beverages.
Contact Information: Please send contact information, business website URL and brief business summary to aup@paypal.com

More Information
To learn more about the Acceptable Use Policy, please refer to our Help Center.

Transactions on eBay
When using PayPal's services in support of eBay transactions, you must comply with all of these guidelines and eBay's Prohibited and Restricted Items rules found here - http://pages.ebay.com/help/policies/itemsov.html.

Violations of the Acceptable Use Policy

We encourage you to report violations of this Acceptable Use Policy to PayPal immediately. If you have a question about whether a type of transaction may violate the Acceptable Use Policy, you can email PayPal's AUP Compliance Department at: aupviolations@paypal.com.

PENTON DIGITAL ADVERTISING EXAMPLE:


This AUP is a guideline and is not an all-inclusive listing of prohibited conduct. Penton reserves the right, in its discretion, to change or modify all or any part of this AUP at any time, effective immediately upon publication of this AUP.

A third party posting may not contain or be linked to any Objectionable Content. Objectionable Content means any content that: infringes upon any copyright, trademark, trade secret or patent of any third party; violates any obligation of confidentiality; violates the privacy, publicity, moral or any other right of any third party; is hateful or obscene; is being used to harass, stalk or otherwise threaten a person; is libelous, defamatory, knowingly false or misrepresents another person; or is threatening, promotes violence, promotes discrimination (whether based on sex, religion, race, ethnicity, nationality, disability or age), promotes illegal activities or otherwise contains materials that Penton informs the user that it considers objectionable. Penton, in its sole discretion, will determine what constitutes "Objectionable Content" under this AUP.

When posting or uploading (to, by way of example but not limitation, a blog, forum, forum profile, registration page, survey, or video uploading), a user must also:

1. Continue the general topic that is the focus of the blog;
2. Ensure that all postings made by the user are original materials created by the user, unless proper attribution is given to a third party;
3. Not post any advertising or promotional content for themselves or any third party;
4. Not accept any compensation from a third party for placing any content in a posting;
5. Disclose all affiliations or relations necessary so that postings are not deceptive or misleading (i.e., if you are commenting upon a company and work for that company, then this should be disclosed);
6. Not knowingly link to any downloadable applications or other content which may be harmful to another user's computer;
7. Ensure that all opinions and statements are representative of the user's honest views; and
9. Not offer legal, financial or medical advice.

Any violations of this Acceptable Use Policy should be sent to commentingabuse@penton.com

DOD EXAMPLE:

DoD U.S. Government Policy on Acceptable Use of Government Information Systems (IS)

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.

http://www.oit.edu/libraries/project_lead_the_way/code_of_ethics_acceptable_use_policy.pdf Code of Ethics and Acceptable Use Policy

Computing and Information Resources

The ethical principles that apply to everyday community life also apply to computing. Every member of the OIT community has two basic rights, privacy and a fair share of resources. It is unethical for any person to violate these rights. Along with these rights comes a responsibility to respect the intellectual work and property of others. Without this respect, academic discourse and enterprise cannot flourish.

Privacy

1. All data belongs to someone. Data shall be assumed to be private and confidential unless the owner has explicitly made it available to others.
2. Network traffic shall be considered private.
3. Messages transmitted to other users shall always identify the sender.
4. Obscenities or threatening material shall not be transmitted.

Resources


Entry into any computer system or network by individuals not specifically authorized (by group or personally), or attempts to circumvent protective mechanisms shall be viewed as trespassing. Computing equipment owned by departments or individuals shall be used only with the owner's permission. No one shall deliberately attempt to degrade or disrupt system performance or to interfere with the work of others. College resources are provided for college purposes only. Commercial activity or unsolicited advertising is prohibited. Be cognizant of and observe the acceptable use policies of other networks outside OIT's domain. It is your responsibility to learn how to use the network and computer systems. Please do not share your login/password with anyone else, as you are held personally responsible for all activity on your account. Do not remove or tamper with your .sh_history or .bash_history file in any way. No one shall alter the form or content of any computer software, or copy software, including programs, applications, databases and codes, without a license or express permission from the author or publisher. Plagiarism of software, as with any other media, is a violation of the rights of the author to have his/her work acknowledged. Violation of copyright laws will result in a termination of computer privileges and may result in prosecution.

Intellectual Rights and Responsibilities


Computing and information resources are community resources. Theft, mutilation or abuse of these resources violates the nature and spirit of community and intellectual inquiry.

Ethical Conduct for use of IT Resources


http://www.villanova.edu/unit/policies/ethicalconduct.htm Student Acceptable Use Policy

Villanova University reserves the right to change this policy with sufficient notice and it is the student's responsibility to know and understand the current policy. By using the University network you agree to the following:

1. Sharing of passwords is strictly prohibited. Each individual is responsible for his/her account(s), including the safeguarding of access to the account(s).
2. All anti-virus and anti-malware software on your computer must be kept up to date and enabled. If your software is not up to date or disabled it may lead to an infection which may result in your network access being disabled.
3. You are responsible for keeping your computer updated with security patches/fixes from the appropriate software update services (Windows Update on Windows computers, Software Update on Apple computers). This includes updating applications, such as MS Office, Adobe, iTunes, or Firefox. If your computer is not up to date it may lead to virus infection which may result in your network access being disabled.
4. Students are fully responsible for their computer, including its hardware, software, and any network traffic transmitted by it, regardless if this traffic was authorized by you or not. Please contact UNIT's Technology Support Services group if you have any questions about whether or not certain software/hardware might conflict with this acceptable use policy.
5. Your network access may be disabled if you:
   1. consume a disproportionate amount of bandwidth
   2. attempt denial-of-service attack(s)
   3. probe and/or exploit security holes in other systems
   4. use unauthorized IP addresses
   5. attempt "hacking" or "cracking"
   6. otherwise degrade or restrict network access for others (either on or off campus)
   In addition, your network access may be disabled if Villanova University receives complaints about or otherwise detects inappropriate behavior. One example is the illegal downloading of copyrighted material. You may also be subject to university disciplinary action and civil or criminal liability.
6. The use of personal routers (wireless or wired), bridges, and/or DHCP (Dynamic Host Configuration Protocol) servers is prohibited.
7. Using the university network to provide any service that is visible off campus is prohibited. This applies to services such as, but not limited to, HTTP (Web), telnet, FTP, IRC, peer-to-peer (p2p) multimedia sharing, game servers and email.
8. Configuring your computer to provide internet or Villanova University network system access to anyone who is not a Villanova University faculty, staff member or student is prohibited.

Acceptable Use Policy Violation Penalties


Penalties for Acceptable Use Policy violations:

1. 1st offense: Student will be contacted by UNIT Technical Support Services to notify the user about the violation. The user's Internet/network access may be disabled until issue is resolved, depending on the nature of the violation.
2. 2nd offense: The user's Internet/network access will be disabled until issue is resolved.
3. 3rd offense: Student's Internet/network access will be disabled until the student has met with the Dean of Students.
4. 4th offense: Student's Internet/network access will be disabled until the student has met with the Judicial Affairs office for potential disciplinary action.

CommonSense. Understand Your Acceptable Use Policy http://cybersmartcurriculum.org/mannersbullyingethics/lessons/45/understand_your_acceptable_use_policy/

Overview

Acceptable Use Policy (AUP) contracts encourage responsible behavior by students and staff and give administrators enforceable rules for acceptable use of school computers. Students will interpret and make inferences about their school's AUP.
Objectives

Describe school district's Acceptable Use Policy (AUP)
Describe consequences of misusing school computers/network
Identify need for Acceptable Use Policies

National Educational Technology Standards for Students 2007

Source: International Society for Technology in Education 1. Digital Citizenship a. advocate and practice safe, legal, and responsible use of information and technology. a. exhibit a positive attitude toward using technology that supports collaboration, learning, and productivity. a. exhibit leadership for digital citizenship.
Administration of Computing Resources

User activity will not normally be monitored; however, ITS reserves the right to monitor and record all usage of College facilities, especially if threatening, abusive or illegal behavior has been reported. The College has the right to use information gained in this way in disciplinary proceedings. If a failure is found in the security of any computer system or network, it should be reported to the ITS Director. This code of ethics and acceptable use policy establishes general guidelines for the use of computing and information resources. Failure to observe the code may lead to disciplinary action. Offenses that involve academic dishonesty will be dealt with through college disciplinary procedures.

Name ____________________________________________________ Date _______________

Understand Your Acceptable Use Policy


Think About This
Using a computer to talk to your friends is cool. Exploring Web sites makes schoolwork more fun. Just as there are rules for crossing the street safely, there are rules for going into cyberspace. You may have heard a teacher explain what kinds of behavior are acceptable in her class. Acceptable means "permitted." Your school has acceptable use rules for using its computers. These rules may be in the form of a contract that you and your parent signed.

Read the Fine Print


Find out what your school's Acceptable Use Policy says. Then answer each question below in your own words.

1. What are your school's rules about using computer equipment?
2. About using E-mail?
Manners: Cyber Citizenship 15 Understand Your Acceptable Use Policy The CyberSmart! School Program Co-published by Macmillan/McGraw-Hill Activity Sheet 1 of 3

3. What are your school's rules about searching on the Internet?
4. About breaking the law?
5. What happens to students who break the rules?
6. What should you do if you find out that someone is breaking the rules?
7. Why are these rules important to have in school?

Tell It Your Way


Write a letter or E-mail message to your principal.

Tell how you got ready to go into cyberspace. List three rules that you think are very important to follow. Explain why. Show your letter or E-mail message to your teacher.
When you get permission, send it.
Manners: Cyber Citizenship Understand Your Acceptable Use Policy The CyberSmart! Education Company Activity Sheet 3 of 3

Sawu Bona
http://luizfirmino.blogspot.com/2011/05/acceptable-use-policy-vs-code-of-ethics.html

Acceptable Use Policy Vs Code of Ethics

AUP serves to protect company resources.
Code of ethics serves to protect and promote the reputation of the company.

philosophy.lander.edu

http://philosophy.lander.edu/ethics/types.html

MORALS vs ETHICS Morals, Ethics, and Metaethics


Abstract: Prescriptive ethics is distinguished from descriptive ethics, and metaethics is characterized.

I. Although different writers use the words "ethics" and "morals" in different senses, in this course we will make the following distinctions in order to help avoid equivocation of these terms in ethical arguments.

  A. Descriptive Ethics or Morals: a study of human behavior as a consequence of beliefs about what is right or wrong, or good or bad, insofar as that behavior is useful or effective. In a sense, morals is the study of what is thought to be right and what is generally done by a group, society, or a culture. In general, morals correspond to what actually is done in a society.
    1. Morals is best studied as psychology, sociology, or anthropology. Different societies have different moral codes.
    2. Morals is a descriptive science; it seeks to establish "what is true" in a society or group.
    3. Often morals are considered to be the shared ideals of a group, irrespective of whether they are practiced.
    4. In the sense of descriptive ethics or morals, different persons, groups, and societies have different moral standards. This observation is seen as true by all sides.
      a. We would commit the fallacy of equivocation to conclude from this observation that there is no universal ethical (q.v., below under I, B) standard.
      b. We can only conclude by observation that there appears to be, or is, no universal moral standard. For more on this distinction see the notes on the Case Study: Moral Rules and Ethical Standards.
      c. This confusion between descriptive and prescriptive ethics occurs quite often by persons untrained in philosophical analysis. Isaac Asimov got it right when he wrote, "Never let your sense of morals get in the way of doing what's right."
  B. Normative Ethics or Prescriptive Ethics: the study of moral problems which seeks to discover how one ought to act, not how one does in fact act or how one thinks one should act.
    1. More specifically, (normative) ethics is the discipline concerned with judgments of setting up norms for ...
      a. When an act is right or wrong--e.g., is it wrong to litter on campus when we pay someone to pick up the litter.
      b. What kinds of things are good or desirable--i.e., is knowledge to be sought for its own sake or is it to be sought for money? Is money to be sought for its own sake or is it to be sought for power? And so on.
      c. When a person deserves blame, reward, or neither--e.g., a person who stole your wallet returns it intact two weeks later, how do you judge his actions? What would be appropriate to say or do?
    2. From the terms introduced so far, you can see that different things can be meant by the terms: ethical, unethical, moral, immoral, nonmoral, amoral, and nonethical. E.g., how would you describe the action of a mechanic who throws a tire iron over in a corner after changing a tire? Think about probable consequences both mental and physical.
  C. Metaethics or Analytical Ethics: the discipline concerned with elucidating the meaning of ethical terms or the discipline concerned with the comparison of ethical theories.
    1. Metaethics is an analytical inquiry. Metaethics asks, "What is _____?" e.g., goodness, excellence, right, amoral, and so on.
    2. That we ordinarily do not agree on the meaning of common ethical terms can be easily seen by the following quiz.
      a. Is the meaning of "ethical concern" clear? Let us define "ethical concern" as describing "an action which can help or harm persons (including ourselves)."
      b. Which of the following situations would you look upon as a matter of ethical concern?
        1. Slipping an ace from the bottom of the deck in order to win an informal game of cards.
        2. Arriving late for ethics class.
        3. Jaywalking after looking both ways to make sure it's clear.
        4. Keeping your car washed.
        5. Keeping your car in good running condition.
        6. Drinking a coke between classes.
        7. Doing two hours work for eight hours pay.
        8. Attending a boring ethics class.
        9. Drinking a beer after a difficult test, if you are over 21 years old.
        10. "Borrowing" a pencil or paper in order to take a test.
      c. With some thought, it can be easily seen that all these situations have the possibility to help or harm others (including ourselves) and so on this definition would be of ethical concern.

II. Let's briefly look at a particular example of metaethics: G. E. Moore's analysis of "good" in Principia Ethica
  A. If one can develop a set of principles for distinguishing between good and bad conduct, we must be able to understand what "good" means. Consider the ten situations above. If we cannot agree on what situations are of ethical concern, then our ethical theory would be worthless.
  B. One way to begin the inquiry is to ask what all good things have in common.
    1. Moore answers the term "good" cannot be defined in any other terms as, for example, "brother" can be defined as "male sibling."
    2. Moore concludes good is a simple quality, like the color yellow; it cannot be defined in any other terms. If you don't already know what it means, you cannot explain it to anyone.
    3. The Naturalistic Fallacy is, according to Moore, defining an ethical term (prescriptive) in terms of a descriptive equivalent. Compare, for example, the definition of "yellow" with respect to a certain frequency of light. We know what yellow is even though we do not know that it has a frequency, and even if we did know the frequency, it would not be an adequate definition of the color.

Everyday Ethics
Ethics for Real People and Real Issues

http://everyday-ethics.org/2008/11/ethics-vs-morals-not-as-easy-as-it-seems/

Ethics vs. Morals: Not As Easy As It Seems


November 15th, 2008 by Elijah Weber

It's always fun to go back and read your own work. I often look back at articles that I have written and wonder "why did I say that?" or "that doesn't even make sense." Occasionally, I impress myself, which is fun. And sometimes, I am forced to admit a deficiency in my own writing, in this case the fact that I tend to use the terms "ethics" and "morals" interchangeably, when they are not the same thing. One evening, seeking a deeper level of personal clarity, I dove into the shallow pond of the internet to attempt to solidify this subtle but important distinction in my own mind. The results, presented here, were rather surprising.

According to Dictionary.com, ethics is "a system of moral principles," while morals are "principles of right and wrong conduct." This seems simple enough. Ethics is a framework, a systemic and reasoned basis for making statements about morality. Morals are simply what we believe to be right and wrong. There appears to be a clear distinction here that ethics are more sophisticated than morals. Morally, one can support almost anything, while ethically we require reason and justification for what we believe.

When a doctor violates a certain behavioral standard, this is an ethics violation rather than a moral one. This individual has violated a reason-based, systemic code of conduct that is held in mutually high esteem by all physicians. If we were to call this individual's actions unethical, we are making a statement about his or her conduct relative to the standards of his profession. If we were to call such actions immoral, we are simply saying that we consider this behavior to be wrong.

I thought I had this figured out until I tried to explain it to my wife, who promptly crushed my argument by pointing out that in describing ethics, I was using the word "moral" and continuing to interchange these terms with no regard for specifics. I was frustrated, upset even. I'm a philosopher by trade, for crying out loud. I should know this, this is easy! In fact it is not so easy and is made more complicated by the context in which the terms are used.

But wait, there is more. As my confusion continued, I dived back into the electronic abyss and typed "morality" and "ethics" into Thesaurus.com. According to this site, morality is "beliefs regarding appropriate behavior," while ethics is "the formal study of morality." This seemed okay, until I realized that using this definition, unethical would mean "un-formal study of morality." Sorry, what? Clearly that won't work either. I decided to play with this inversion concept, and deduced that when something is unethical, it goes against a system of morality, such as utilitarianism. If something is immoral, it is morally objectionable or simply wrong.

It seems that this distinction is actually made more complicated by referring to linguistics-based references. Both of the above sites, as well as Merriam-Webster.com, listed morals and ethics as synonyms for one another, even though their definitions make it clear that they are not the same thing. Further research showed an even greater variety of opinion, often with the consistent theme that ethics are systemic, while morals are simply beliefs about right and wrong. One site went so far as to suggest that morals are subjective while ethics are objective and come from the Christian God. The things we find on Google. In any event, my hope is to find a way to clearly and distinctly designate between ethics and morals without finding myself perched atop a high balcony and considering my own mortality. Here goes nothing.

Morals, quite simply, are beliefs about right and wrong conduct. They are often based on sociological conditions and learned behavior, but not always. They do not require reason, consistency, or thorough analysis in their initial shaping or practical application. One can make a statement about morals without making a statement about ethics. If something is immoral, it may or may not be appropriate to call it unethical. I can believe that lying is wrong because my grandmother told me it was, and that is what I believe. No further justification is required.

Ethics, on the other hand, is a reason-based, cumulative system of moral decision making. It is built upon one or a few basic principles and requires that we be thorough, honest, and comprehensive in making statements about right and wrong. Ethics is about building the kind of world we want to live in, and developing a consistent process by which to achieve this. Ethics is an advanced expression of morality.

For example, let us say that I believe abortion is wrong because all human life is valuable, but I also believe that we should punish murderers by putting them to death. These points of view could be held simultaneously from a position of simple moral belief, but would at a minimum require additional justification before being accepted as a reasonable ethical position. Morality is simply a statement about right and wrong. Abortion is wrong, the death penalty is right. (This is just an example, I do not really think this.) Moral belief does not require that we are reasonable or justified, but ethics does. An ethicist would have to deal with the contradiction regarding value of human life that is created by holding these positions simultaneously.

Still confused? Join the club.

The Philosopher's Beard


Mini-essays in philosophy, politics and economics

http://thephilosophersbeard.blogspot.com/2010/10/morality-vs-ethics.html

Monday, 13 December 2010


Morality vs Ethics: The Trolley Problem

"Aha" says the Moral Philosopher, ferociously polishing his monocle with a large handkerchief. "You have contradicted yourself! If you say yes to the first case you should say yes to the second, for you have already revealed your acceptance of the principle that one person can be sacrificed for the many."

Many people - even many philosophers - think that morality and ethics are the same thing, but they are not. Morality is primarily about making the correct choices, while ethics is about proper reasoning. Take the so-called 'trolley problem', a thought experiment about runaway trains invented by the late Philippa Foot and very popular with moral philosophers of a certain whimsical bent. A train is hurtling down the track and you see that it is going to hit a group of 5 people and will certainly kill them all. However you happen to be standing next to a switch that can divert the train down another track where only a single person would be killed. Most people say they would pull the switch and kill 1 rather than 5. (Visit www.philosophyexperiments.com to read the full outline, try out your own intuitions against various iterations of the situation, and find out what other people decided).

Should you kill the fat man?

But if the terms of the situation are slightly changed people tend to give quite a different answer. Suppose you are standing on a bridge over the line next to a fat man and you are informed that if you pushed him onto the line his bulk (but not yours) would be sufficient to stop the train before it hit the group of people. What do you think? Should you kill the fat man? Most people say no. But if you do, many moral philosophers would say you have made a mistake, not because you are wrong about whether or not to kill people to save others, but because you are being inconsistent about your killing decisions.

This reveals much about the character of contemporary moral philosophy and its relationship with individual rationality and the associated formal virtues of consistency, transitivity, and menu independence.

"Morality" derives originally from the Latin, mores (norms), and is concerned with the correct derivation and application of moral rules. It is legalistic in the sense that it thinks that laws should determine everything. Morality therefore has two concerns: i) the content - 'what are the moral laws?' (whether the 10 commandments or Kant's categorical imperative); and ii) their application - 'which moral law does this case fall under?' It is supposed that the hard part of morality is coming up with good rules, while their application will be more or less formulaic. Hence, the moral philosopher in the trolley case does not criticise your choice of principle (the formula: sacrifice one for five) but does feel more than qualified to criticise your inconsistent application of it.

Is this a realistic model of morality? Does it characterise how you think about moral problems, or think you should? Fortunately there is an alternative. Ethics.

Ethics comes from the Greek tradition that emphasises ethos (character), though it remained important right up until the enlightenment and is still popular today in our ordinary talk and thinking. It asks 'what kind of person is good?' This is personalised as 'What kind of person should I be?' It is particularised as 'how should a good person behave in this case?' Ethics emphasises the responsibility and capability of the individual (hence character) to come to her own conclusions through reasoning, to be the judge of which principles are relevant in a particular case and how they should be considered in combination. The ethicist does not think that moral laws interpret themselves and sees that view as deeply naive about the importance of moral reasoning, in the same sense that believing supreme court justices merely read the constitution and do what it says is naive.

The important thing about judges is that they are themselves responsible for making their decisions - not some independent formula - but their reasoning itself has a universal aspect. No judge, whether of the quality of an artwork, a gymnastics competition, or a murder trial, is allowed to simply announce their conclusion and leave it at that as if it were only a personal opinion. Unlike opinions, which one may have about one's favourite ice cream flavour or the morality of capital punishment in general, judgements must be justified by the particularities of the case in hand and expressed in a way that seeks inter-subjective agreement from others with an interest in the matter. Judges must be able to show by explaining their reasoning that anyone else in their position should come to their conclusion, e.g. that this and this are the salient features of this case and should be understood in this way. They must be prepared to persuade others, and to modify their reasoning and conclusions in the light of relevant contrary evidence and arguments.

So, turning back to the trolley problem, the problem I see with the straightforward moral philosophy approach is that it fails to distinguish between reasoning and choices, and thus interprets any inconsistency of choice as evidence of inconsistency of reasoning. But from the ethical perspective people are seen as reasoning about which principles are relevant and how much they should count in these two different cases in order to come to an overarching judgement about what one should do. There is no point in trying to identify the formula the participant is using to decide what to do because there isn't one, and thus the moral philosopher's charge of contradiction - the inconsistent application of a formula - is misguided (a case of petitio principii - arguing for a conclusion already assumed in the premise). All this is not to say that these thought experiments aren't interesting and useful, but we should be more concerned with evaluating - and challenging - the reasoning behind the participant's conclusion, where the real ethical action is, rather than studying matrices of choices to detect patterns and 'mistakes'.

http://researchport.umd.edu/V/UTVYS4JUC7EII52QNI76C97U1ADSX6DUDU2Y419B BPNUR7K4XX-09548?func=quick-3&shortformat=002&set_number=000110&set_entry=000009&format=999

Author: Gaskin, James E.
Citation: Information Systems Management Spring98, Vol. 15 Issue 2, p20
Year: 1998
Abstract: Describes how internet acceptable usage policies are written, what they cover and how they are most effectively activated. Scope and overview of the policy; Positions and expected contribution of an Acceptable Use Policy Committee; Conclusion.
Subject: INTERNET; POLICY sciences
ISSN: 1058-0530
Source: Information Systems Management, Spring98
Section: NETWORKING ISSUES

INTERNET ACCEPTABLE USAGE POLICIES
Writing and Implementation

The job of an acceptable use policy is to explain what the organization considers acceptable Internet and computer use and to protect both employees and the organization from the ramifications of illegal actions. This article describes how such policies are written, what they should cover, and how they are most effectively activated.

Now that Internet connection is a requirement, IS executives are responsible for more work than ever before. One vital area on the to-do list is to write, update, or implement the company's acceptable usage policy for Internet use. The company may refer to this as an Internet use policy, the networking portion of the computer use policy, or the Internet addition to the personnel manual. No matter the name, the role of such a policy is the same: It lists the rules and standards the company believes are important for employees using computers, networks, and, particularly, the Internet. Although the acceptable use policy can be incorporated into other existing documents, it is generally taken more seriously and provides more company protection if it is a separate document.

Why is the acceptable use policy so important today? Legal liability for Internet actions can quickly shift from the employee to the employer. After all, if the Internet is filled with obscenity and other illegal temptations, the company should provide protections for the employees. If management knowingly allows access to inappropriate Internet sites without either warning the users or blocking that access, management climbs on the liability hook with the actual employee performing illegal actions.

WRITING AN ACCEPTABLE USE POLICY

The department manager, or someone in his or her department, must write the acceptable use policy. It is better to have the fewest number of people possible involved in writing the acceptable use policy. The best number of authors is one. This practice may grate against corporate culture, where technical documents often see more hands than a public washroom sink. Although there are few excuses for the amount of tampering and changing that goes on with technical documents, the acceptable use policy goes beyond a product manual or marketing white paper.

Management must consider the acceptable use policy a legal document that binds the behavior of employees within certain boundaries explained within the document. Limiting the number of authors limits the number of viewpoints within the acceptable use policy. Employees must have no doubt about why they were given the acceptable use policy, what their responsibilities are in regard to Internet and computer use, and what the penalties are for misuse of company resources, including time. More authors, or up-the-line editorial changes, muddy the acceptable use policy. Internal contradictions within the acceptable use policy leave loopholes for an employee's lawyers to exploit.

After the acceptable use policy is written, the committee to oversee employee compliance with the terms of the agreement should be created. The committee should meet and approve the acceptable use policy before distributing the document. This is the time for any comments, suggestions, additions, or deletions to the acceptable use policy. All on the committee should be welcome to offer changes to the document, but only the author should implement those changes. Again, the consistency of viewpoint is important.

Legal review comes after the committee approves the acceptable use policy contents and related documents. This step brings us to a philosophical decision: Lawyers want long, complicated documents that spell out every possible infraction and associated punishment, whereas business managers want short documents that can be interpreted in the company's favor. The decision on the acceptable use policy's length and completeness reflects the corporate culture and the wishes of upper management.

The acceptable use policy is considered part of the employee handbook. Some states regard these handbooks as a legal contract; others do not. Corporate counsel will be able to answer that question for the states in which a company has operations. If it matters, managers should be aware that the number of employees who read the acceptable use policy approaches zero as the document lengthens. Simply put, the longer the document, the fewer readers.

In most states, employees are bound by the conditions of the acceptable use policy regardless of whether they read and signed the document. However, holding employees liable for a document they have not read will be seen as a cold, heartless corporate maneuver. Employees who feel betrayed contact lawyers far more often than those who feel they were treated fairly. Although it is legal in some states for companies to ignore the promises they make in employee handbooks, the antagonism generated within the employee ranks by that mode of operation guarantees more lawsuits than following the company's own written guidelines.

SCOPE AND OVERVIEW OF THE POLICY

Does the company already have policies concerning computer use? How about company telephone, facsimile, and U.S. mail use? Is there a security policy in place? Some companies, remiss in providing policies in the past, try to cram everything into the acceptable use policy. This is legal but confusing to the employees. The acceptable use policy will be more valuable if it is targeted strictly to Internet and other computer networking concerns.

E-Mail

Because E-mail is the most popular Internet application, E-mail control is important. The good part of E-mail is that there is a strong analogy to something all users are familiar with, namely physical mail. One company includes the following excellent statement:

   Remember that E-mail sent from the company travels on the company's electronic stationery. Your E-mail appears to the recipient as if it were sent on company letterhead.

A company's security policy, if separate, should cover information about E-mail accounts, such as forging identities (not good). If it does not, or if the company wishes to put all E-mail information in its acceptable use policy, it should feel free to do so. A company can easily make the argument that E-mail information belongs in its Internet usage document.

Following are a few more warnings different schools and companies provide clients about E-mail use:

- Sending harassing, obscene, and/or other threatening E-mail is illegal.
- Sending junk mail, for-profit messages, or chain letters is prohibited.
- Take all precautions against importation of computer viruses.
- Do not send or receive sexually oriented messages or images.
- Do not transmit confidential company information.
- Employee medical, personal, or financial information must never be divulged.
- Personal messages are prohibited (or limited, or freely allowed, depending on the company's policy).

Also important, users should be told that their supervisor will, definitely, read E-mail messages at times. Whether an employee must be told when the company monitors communications is advisable according to some lawyers but not according to others. Either way, if all employees sign the acceptable use policy that says they will be monitored on a random basis, there will be little wiggle room if they complain later. Employees will also pay more attention to following the rules when they know someone will be monitoring their messages.

Following is one more bullet for the list appearing earlier:

- E-mail messages will be kept and periodically reviewed before being deleted.

This should leave no doubt that messages from users will be reviewed. Employee users should have no expectation that their E-mail messages are private and protected by any type of privacy law. Managers should make sure each user understands that some messages will be read, even if messages are only spot-checked. Employees must understand that every message they send or receive may be read by management.

However, a company or department should not keep E-mail messages for longer than 90 days, if that long. Why? Lawyers are now routinely demanding E-mail archives during lawsuit discovery. If a company is sued for any reason, the opposing lawyers will try to read all internal and external E-mail messages for the period in question. No E-mail archives means no embarrassing quotes and off-the-cuff remarks that will cost the company in court. Some large companies refuse to back up E-mail files for this reason.

World Wide Web Resources and Newsgroups

The Web takes the brunt of criticism when the Internet is blasted as a giant productivity sink hole. Corporate managers rank employee time wasted, frittering away hours at a time perusing the Web on company time and using company equipment, as their number two concern about Internet access, right behind security.

Newsgroups have somewhat the same reputation, because there are more than 20,000 newsgroups, only a few of which pertain to any one business. Although newsgroups full of equivalent professionals in other companies provide great benefit to a company's employees, the nontechnical press focuses on the "alt.sex.*" hierarchy of newsgroups. Someone in management is likely to be determined to limit access to all newsgroups just to keep the alt.sex.* groups out of the company.

A company does not lie to management or employees in the acceptable use policy. Yes, there are inappropriate Web servers and newsgroups. Yes, some Web servers and newsgroups are valuable. Yes, the company can monitor and track each user of any network resource by name, date, time online, and amount of material downloaded from any inappropriate network source. In other words, the company can log the actions of each and every corporate user during each and every network communication.

If a company does not have the proper firewall or proxy server in place yet to monitor its users, it should get one. The company can, however, get one after the Internet connection is available. Better late than never. After all, employees will be told what the company considers inappropriate in the acceptable use policy.

Management must realize that some time will be wasted on the Web, just as time is wasted reading through trade magazines looking for articles that apply to the company. Every profession has trade magazines that offer articles and information in exchange for presenting advertising to the reader. The Web, to some people, is becoming nothing more than a huge trade magazine, offering helpful information interspersed with advertising. In a sense, the Web is not new; it is just advertising delivered by computer rather than by magazine. Management should treat it similarly. As some employees research information more than others, they will use their Web client more than others.

Information-dependent employees will surf quite a bit; clerks and production employees should not.

Management may mention the company's guidelines for the Web in the acceptable use policy, or management may prefer to ignore the Web. Some sample restrictions may include the following:

- Viewing, downloading, displaying, and/or distributing obscene images is illegal.
- Although the Web encourages wandering, employees should remember that their focus during work hours remains business.

The first bullet point is not optional; managers should remind their employees regularly that obscenity in the workplace will not be allowed. The second bullet point is optional and should be modified to match management's comfort level regarding employee use of the Web.

Following are some of the restrictions other acceptable use policies have listed for newsgroup activity, plus a few I have added:

- Downloading or uploading nonbusiness images or files is prohibited and possibly illegal.
- Sending harassing, obscene and/or other threatening posts is illegal.
- Sending junk posts or "for-profit" messages is prohibited.
- Post articles only to groups supporting that subject matter.
- Do not post company advertisements of any kind in any newsgroup.
- Posting messages without the user's real name attached is prohibited.
- Copying newsgroup information to any other forum is illegal (copyright infringement).

The majority of defamation happens in newsgroups; flame wars encourage angry responses rather than clear thinking. Often, other readers of the newsgroup send copies of messages to the postmasters of the flame war participants. Whether the messages indicate a flame war that is getting out of hand or just unprofessional statements, it is best to visit the involved employee and counsel restraint. If kind words do not settle the employee, unplug him or her from the newsgroup access list. It makes no sense for the company to risk a lawsuit when management knows there is a good chance of things being said that have no positive value to the company.

Several acceptable use policies address defamation somewhat obliquely. Here are some examples of the language included in those policies:

- ... including comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs.
- ... inappropriate uses ... to send/receive messages that are racist, inflammatory, sexist, or contain obscenities.

Whether these statements are politically correct or good business sense depends on the individual company. However, reading, "you can't understand, because you're a [blank]," in a global forum such as an Internet newsgroup will not endear anyone to the employee making that statement. The company will suffer loss of customer goodwill at the least and may be sued for defamation. These same courtesy restrictions apply to E-mail, but E-mail lacks that extra edge brought when thousands of readers see the company name attached to the ranting of one overwrought employee.

Internet relay chat and Multiuser domain are not mentioned here because they have no redeeming professional use. No employee use of such activity should be tolerated.

In case employees are confused about whether the company's rights to monitor employee activity extend to the computers, include a line such as the following:

   All computer communications are logged and randomly reviewed to verify appropriate use.

Notice the words are "appropriate use." If the acceptable use policy says the words "dirty pictures" or "indecent," the employees (and their lawyers) will argue about that wording. Dirty is in the eye of the beholder, as is indecent. "Obscene," however, is a legal term that applies just as well to computers as to magazines, books, and videos. It is better to stick with "inappropriate," if possible, because that covers more activities than any other term.

Penalty for misuse should range up to and include termination. If an employee must be terminated, management should do so for work-related causes rather than mention the word "Internet."
Free speech advocates get involved when an employee is fired for inappropriate use of the Internet but not when an employee is terminated for wasting too much time on the job and disobeying orders.

Netiquette Addendum

Some companies spell out appropriate E-mail, newsgroup, and Web communication guidelines within their acceptable use policy. This is a noble endeavor but slightly misguided. A company's guidelines toward Internet communications are likely to change more often than its restrictions on inappropriate Internet use and discipline for infractions. Because the acceptable use policy should be signed by each employee if possible, any changes to netiquette embedded in the acceptable use policy require a new signature. The logistics of this process quickly become overwhelming.

The company should put the rules of Internet behavior in a separate "netiquette addendum," attached to the acceptable use policy. In this way, changes to E-mail rules, for instance, will not negate the acceptable use policy in any way, nor will anyone believe a new signature is necessary.

ACTIVATING THE POLICY

As briefly mentioned in the preceding section, getting signatures on the acceptable use policy can be tricky. Small- to medium-size companies can handle the logistics of gathering signed copies of the acceptable use policy, although considerable time will still be expended on that effort. Large companies may find it impossible to ship paper policies all over the world for signatures and get them back signed, no matter how much time and effort they devote.

The best answer is to get a signed acceptable use policy from each employee before that person is connected to the Internet. Training classes offer an excellent chance to gather signatures. If software must be installed on client computers, management should present the acceptable use policy, explain it, and have it signed during software loading.

Reality intrudes, however, and ruins our best-case scenario. Many companies already have granted Internet access before developing their acceptable use policy. This is not the wisest course, but it is common. Other companies do not offer training or cannot physically gather signed copies.
It is important to send copies of the acceptable use policy to each employee with Internet access. Copies should also be posted in public places, such as break rooms and department bulletin boards. Management should add the policy to the existing personnel manual or employee handbook. Management should send an E-mail to users every quarter reminding them of the acceptable use policy and where they can read a copy if they have misplaced theirs. Public attempts blunt any disgruntled employee's contentions that he or she did not know about Internet restrictions.

THE ACCEPTABLE USE POLICY COMMITTEE

An Acceptable Use Policy Committee should be carefully formed. Department managers should participate in the selection process for employees in their group so as not to ruffle feathers or step into the middle of some other disagreement. Each member should be given plenty of warning before the first meeting and provided background information quickly.

Who should be included? The following list contains the requisite positions and their expected contribution:

- Computer systems manager. Supplies technical details of Internet access and monitoring.
- Company lawyer or human resources official. Monitors legal aspects of workplace rules.
- Executive management representative. Guarantees that the committee will not be ignored.
- Union representative. Laws for union workers vary from those covering other employees.
- The "One Who Knows All," or a general power user. Provides employee concerns and input.

What is the committee responsible for, and to whom? Everything concerning the Internet, and everyone. How often should the committee meet? At the beginning, every two weeks. Once the Internet connection is old news, once a month may be enough. The interval is dictated by the number of security incidents and employee discipline actions to be resolved. In extreme cases, such as an employee action that could result in company liability or criminal prosecution for someone, the committee must meet immediately.

The grievance policy in cases of Internet abuse should be clear and well-known to all employees who care to ask. It is important that all employees know who sits on the Acceptable Use Policy Committee. Secret committees are repressive, but open committees can encourage goodwill within the company.
Management should strongly consider setting up an internal E-mail address for the committee and using it for questions and as an electronic suggestion box. The most effective deterrent to misdeed is not the severity of discipline but the inevitability of discovery. The goal is to

make the Internet serve the company, not to find excuses to discipline or fire employees. After the first committee meeting, the following questions should be answered: Will employees be fired for Internet misuse? What is the penalty for the first offense? The third? The fifth? Will the police be called for stolen software or obviously obscene images? Where must other employee policies be modified to support the company's Internet connection? Are any insurance policies in place to protect against hackers or employee misdeed? Should some be added? How often will employees be reminded of company Internet guidelines? How will this be done? Discipline is particularly tough when discussing the Internet. After all, if an employee is wasting hours per day on the Internet, the department manager should be disciplined for improper management. Waste of time on the Internet is not a technology issue but a management issue. Even though the department manager should be disciplined, that same manager should be the one to discipline the employee. Outsiders with an executive mandate to punish miscreants are never popular and often are sabotaged by the very employees they should oversee. Keep the department managers in the loop as long as possible. Exceptions to this approach include security violations and illegal acts. In those cases, the department manager must be informed, but company security or the local police must handle the situation. These cases are never pleasant, but managers should not be naive. If they believe none of their employees could act illegally, they must be new to management. CONCLUSION The job of the acceptable use policy is to explain what the company considers acceptable Internet and/or computer use and behavior. The committee dedicated to enforcing the provisions of the policy must publicize the acceptable use policy and monitor employee compliance. 
Infractions must be handled quickly, or the employees will assume nothing in the acceptable use policy is really important, and compliance levels will shrink. Proactive Internet management will drastically lower the chances of Internetrelated lawsuits, arguments, and misunderstandings.

By James E. Gaskin

JAMES E. GASKIN is an author and consultant specializing in technical subjects and technical policy issues, such as corporate politics and the Internet. He can be reached at james@gaskin.com.

Copyright of Information Systems Management is the property of Taylor & Francis Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

Source: Information Systems Management
Accession Number: 740402

http://www.edri.org/edrigram/number5.7/echr-monitor-internet

EDRI-gram - Number 5.7, 12 April 2007

Monitoring employee's Internet breaches human rights, says ECHR


12 April, 2007


The Welsh Government, through Carmarthenshire College, was found in breach of human rights by the European Court of Human Rights (ECHR) for having monitored the emails, internet traffic and telephone calls of one of the college's employees.

As the College is publicly funded, Lynette Copland sued the government for infringing Art.8 of the European Convention on Human Rights that says "everyone has the right to respect for his private and family life, his home and his correspondence".

The government argued that the monitoring was carried out in order to establish whether Copland had extensively used college resources for personal communication, but the court ruled that: "The court is not convinced by the government's submission that the college was authorised under its statutory powers to do 'anything necessary or expedient' for the purposes of providing higher and further education, and finds the argument unpersuasive".

Copland claimed that her correspondence had been monitored for about 18 months by the headmaster of the college who even contacted some of the people with whom she had communicated to ask for the nature of their communications. The government admitted the monitoring but stated it had lasted only a few months.

The Court ruling was that "According to the court's case-law, telephone calls from business premises are prima facie covered by the notions of 'private life' and 'correspondence'" and that "It follows logically that emails sent from work should be similarly protected under article eight, as should information derived from the monitoring of personal internet usage."

"The applicant in the present case had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation should apply in relation to the applicant's e-mail and internet usage."

The college had no policy to inform employees they might be monitored and Copland had received no warning on this.

"The ruling is important in that it reinforces the need for a statutory basis for any interference with respect to private use of a telecommunications system by an employee... The lawful business practice regulations (part of RIPA) allow an employer to monitor and intercept business communications, so the Court is implying that private use of a telecommunications system, assuming it is authorised via an acceptable use policy, can be protected," said Dr Chris Pounder, a privacy specialist at Pinsent Masons.

The Court awarded Copland 3,000 Euros in damages and 6,000 Euros in costs and expenses.

European Court of Human Rights - Copland vs. The United Kingdom (3.04.2007)

http://www.bailii.org/eu/cases/ECHR/2007/253.html
EU court rules monitoring of employee breached human rights (5.04.2007)

http://www.theregister.co.uk/2007/04/05/monitoring_breached_human_righ...
Court of Human Rights protects the private use of the Internet (4.04.2007)

http://www.heise.de/english/newsticker/news/87867
Monitoring of employee breached human rights, says European court (4.04.2007)

http://www.out-law.com/page-7936

NOVELL http://support.novell.com/techcenter/articles/ana20030402.html

Creating and Enforcing an Internet Acceptable Use Policy



Tony Merritt
Global Solutions Architect
Novell, Inc.
tmerritt@novell.com

01 Apr 2003

This AppNote is for those individuals who are responsible for implementing, maintaining, and enforcing corporate Internet usage policies. The content is also relevant to those who allocate and pay for Internet bandwidth and are responsible for its usage, especially in these times when the boundary lines are blurring between corporate and personal liability.

Introduction
The Business Problems of Internet Access
Internet Acceptable Use Policies
Architecting an Automated Policy Solution
Conclusion

Topics: Internet acceptable use policies, Secure Identity Management (SIM), security, access control
Products: eDirectory, BorderManager, iChain, DirXML
Audience: network designers, administrators
Level: beginning
Prerequisite Skills: familiarity with basic network security concepts
Operating System: n/a
Tools: none
Sample Code: no

Introduction

The ubiquity of Internet access in today's business world has opened up powerful new channels of communication, both within a single organization and between separate organizations. However, it has also given rise to a host of problems related to security and legal liability for Internet misuse. This AppNote discusses some of the key business problems regarding Internet access and presents a sound methodology for devising an Internet Acceptable Use Policy (iAUP) for any organization. It then presents a sample solution for automating and enforcing such a policy. This information will be of particular interest to those involved with the creation and maintenance of corporate Internet usage policies, including Internet content policy administrators, firewall policy administrators, human resources administrators, and corporate security administrators.

The Business Problems of Internet Access


Business requirements are the key framework within which to design a solution. Across different businesses, there tend to be major differences in policy, especially with regard to Internet access and usage. As a result, a consistent methodology is critical to formulating an effective Internet Acceptable Use Policy. Business requirements are not typically bound by the "inside" or "outside" of a corporation. The security of corporate data is important regardless of the access location. Because of this, the technology, policies, and procedures must support internal corporate users interacting externally through the Internet, as well as users interacting from the Internet into the organization. This section discusses some of the key issues driving the importance of an iAUP.

Security of Corporate Assets


Any company today can be severely handicapped or put out of business by the disclosure of confidential or proprietary information. The release of confidential processes, the distribution of customer information and pricing, or the publication of private medical records for virus screenings are examples of situations that can lead to loss of revenue, loss of customers, and legal damages that could prove insurmountable. Here are some revealing statistics from a recent FBI/CSI Computer Crime & Security Survey:

Network penetration by outsiders increased for the third year in a row; 30% of those surveyed reported specific intrusions.
57% of the respondents reported the Internet as a frequent point of attack.
Internal abuse of Internet access privileges by employees was reported by 97% of the respondents.
26% of the respondents reported actual theft of proprietary and classified company information.
45% reported unauthorized access by insiders.

Another indication of security risk is the rash of Internet theft of credit card numbers. The following is just a small listing of recent articles on CNN covering these types of activities:

"Root of massive credit card theft found" (CNN 02/20/2003) - A hacker who gained access to millions of credit card numbers apparently did it by breaking into a computer system at a company that handles transactions for catalog companies and other direct marketers.
"Rebuffed Internet extortionist posts stolen credit card data" (CNN 01/10/2000) - An anonymous computer hacker stole credit card numbers from an Internet music retailer and posted them on a Web site after an attempt to extort money from the company failed.
"Hackers access Playboy.com's credit card data" (CNN 11/20/2001) - Computer hackers broke into the Playboy Enterprises' Web site, playboy.com, gaining access to the credit card numbers of customers.

Regulatory Compliance
One has only to look through the daily news to read about companies failing due to illegal activity, personal information exposed for public view, and consumer credit information illegally distributed. As a result of such activities, many countries have enacted laws requiring companies to comply with privacy policies and be held accountable for the security and privacy of the information covered by those policies. Here are examples of a few of these regulations:

Sarbanes-Oxley Act (2002). This U.S. legislation affects financial services, accounting, auditing, financial reporting and professional services firms. The act declares its purpose as follows: "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." Penalties for failure to comply include the possibility of the removal of publicly traded stocks from the market and incarceration for corporate officers responsible.

Gramm-Leach-Bliley Act (1999). The primary goal of this U.S. legislation is the facilitating of affiliation among banks, securities firms, and insurance companies. The section relevant to iAUP and security is "Title V - Privacy," which states: "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."

Health Insurance Portability and Privacy Act (1996). This U.S. act, commonly referred to as HIPAA, includes important new protections for millions of working Americans and their families who have preexisting medical conditions or might suffer discrimination in health coverage based on a factor that relates to an individual's health. The section relevant to iAUP and security is the Administrative Simplification Provisions including National Standards for Transactions, Security, and Privacy.

UK Data Protection Act (1998). This British act makes a new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use, or disclosure of such information. It is designed to protect personal information and establish security and privacy regarding that information.

Poland Data Protection Law (1997). This Polish law states: "Any person has a right to have his personal data protected. The Act shall determine the code of conduct for the processing of personal data and the rights of natural persons whose personal data is or can be processed as a part of a filing system."

Personal Data Protection Act (2000). The purpose of this Argentine act, also known as the Habeas Data Law, is the full protection of personal information recorded in data files, registers, banks, or other technical means of data-treatment, either public or private for purposes of providing reports, in order to guarantee the honor and intimacy of persons, as well as the access to the information that may be recorded about such persons.

Data Protection Directive (2002). This European directive applies whenever personal data is processed wholly or partly by automatic means and also to certain forms of manual systems. In this latter situation, the legislation will apply only where the data is held as part of a structured filing system. Although an extensive transitional period of 12 years is made available to those Member States whose legislation presently excludes manual systems, this will apply only in respect of data held in systems at the date of the Directive's adoption (24 October 1995).

Liability for Offensive Content


In the last decade, harassment in many forms has driven corporate workplace litigation, resulting in fines, settlements, and policy changes. Typically, rulings on these cases have been based not only on the incident, but also on the corporate cultures that support the specific behavior. As a direct result, corporations which do not actively control the Web-based content employees are exposed to at work are at risk for "passive approval" of such material. These actions tend to widen the litigations from personal liability to corporate liability.

As an example, federal law now requires companies in the United States with 25 or more employees to provide a work environment free of gender, ethnic, and racial harassment or discrimination. That requires taking reasonable steps to eliminate harassing materials from the workplace. Illegal or offensive content may include:

Pornographic images downloaded off the Web
Pornographic or racially offensive e-mail attachments
Offensive language or words

It may not matter whether the company knew employees were downloading pornographic images. The test at trial is whether well-known remedies were available to prevent abuses, whether a policy existed to apply those remedies, and whether the policy was actually enforced. Here are two examples of such situations.

United States Example. R.R. Donnelly is facing a $500 million discrimination suit involving allegedly racist e-mails. Employees claim they were discriminated against when the company arranged transfers after a 1993 plant closing. Presented as evidence were e-mail documents listing 165 racial, ethnic, and sexual jokes said to be created at the Lancaster, Pennsylvania plant.

Australia Example. In the court case of "Thompson v Australian Capital Television," Channel 7 was found liable for relaying a Channel 9 television show that contained defamatory material. The court considered that Channel 7 had the ability to control and supervise the telecast. Even though the program was "live," the legal argument was that Channel 7 knew from experience that the program carried a high risk of defamatory statements and therefore was still liable.

Loss of Productivity/"Non Work-Related" Activity


Typically, the Internet has been touted as a mechanism for improving productivity in the workplace by allowing employees to become "knowledge workers." Employees empowered by the Internet are able to research information more easily, communicate with customers and vendors more efficiently, publish product information instantly, and so on. However, with the ubiquity of the Internet and the information published through it, there exists the temptation to view "non work-related" information. Further, depending on the particular "non work-related" information downloaded (for example, pictures with huge file sizes, bandwidth-gobbling multi-player games, and the like), such activity can impact the bandwidth available for legitimate work-related activities.

Internet Gaming Example. A soft manufacturing outsource company headquartered in Clearwater, Florida, was having tremendous problems with the wide area network connectivity between its U.S. headquarters and a Singapore office. Operations based on exchange of data had all but halted, and the IT personnel were called in to determine the cause. The conclusion of the investigation led to the discovery that a network-enabled game called Doom had been played between several members of the headquarters staff and staff from around the world (including Singapore). Since the Singapore office already had bandwidth constraints on their wide area network connectivity, that site was the first location to be affected.

Internet Acceptable Use Policies


The cases and examples cited above tend to support the following conclusions about the iAUP in today's corporate environments:

Documentation regarding the iAUP is inconsistent or non-existent.
There is little or no enforcement of the iAUP.
There is little or no maintenance of the iAUP.
There is little or no alignment of the iAUP with compliance or regulatory requirements.

Only within the last few years has the technology become common that is required to support an enterprise implementation to address these issues. As more and more companies adopt a "remote workforce" approach, there is a stronger need to create, implement, enforce, and maintain an enterprise-wide set of Internet acceptable use policies.

Policy Best Practices


To create an auditable and verifiable match of enterprise policies to specific business drivers, including the ones mentioned previously, a functional matrix approach is recommended. This approach allows a mapping of policies across various classifications, personnel groups, and locational dependencies.

Typical iAUP Policy Classifications. The first step in creating the functional matrix is to identify the appropriate classification from a list such as the following:

Regulatory Compliance
Security Risk
Offensive Content
Productivity
General Departmental
General Corporate

These classifications answer the question, What is driving the policy? Ideally, only one of the items is checked in the above list of matrix categories. This allows for easier classification and management.

Typical Application of iAUP Policies. The next step in completing the matrix is to do a similar mapping of the corporate personnel:

Everyone/Global (employees, customers, vendors, and so on)
Specific Company Relationships (customers only, partners only, and so on)
Employees
Departmental Personnel
Corporate Roles (CIO, CSO, vice presidents, and so on)

This step answers the question, Who is affected by the policy? Again, ideally only one of the items is checked in the above list. When two or more of the areas seem applicable, choose from the top down to ensure a wider scope of compliance.

Finally, the matrix resulting from the prior two classifications is combined with a matrix regarding locational dependencies/security exposure dependencies:

All Locations (both internal and external)
Public Shared Access Locations (shared workstations, Internet cafes, nursing stations, airport kiosks, and so on)
External Locations (external wireless, company laptop in hotel, company laptop at customer site, home office, and so on)
DMZ (De-Militarized Zone, referring to devices that are Internet facing and outside the internal company firewalls, making them particularly vulnerable to attack from the Internet)
Company Private LAN
Company Secure Location (machines protected by hardened physical security, biometric authentication devices, and so on)
Company Data Center

Using this matrix approach, you can readily map policy creation, management, and maintenance to technical capabilities. Population of the matrix for a particular company is typically a combination of input from the CSO (Chief Security Officer), the IT Director, the HR Director, Corporate Legal Counsel, external auditors and consultants, and so on.

Matrix Formulation Example


As an example, here is how a company might go about creating a functional matrix if they want to protect employees from "controversial material" and reduce the company's harassment liability. First, they determine that "controversial material" falls under the classification of Offensive Content. As far as interpreting where the policy should apply, they check the "Employees" box. One of the assumptions of reducing the liability associated with "controversial material" is that the company is only responsible for material viewed within its walls. Based on that interpretation, the company then determines the following locations to apply the policy against:

Corporate Campus Wireless Location
DMZ
Company Private LAN
Company Secure Location
Company Data Center

The resulting iAUP matrix is as follows:

Type: Offensive Content
How: Block All where policy appears

Columns (locations): All | Public Shared Access | External | DMZ | Campus Wireless | Private LAN | Secure LAN | Data Center
Rows (personnel): Everyone/Global | Specific Company Relationships | Employees | Department Personnel | Corporate Roles

By working through the matrix from a top-down perspective, general corporate policies will consist only of policies that are not from compliance, offensive data protection, and productivity policies. By using the matrix in this fashion, when compliance or other policies are changed, they can easily be updated and matched to the technology changes that are required to maintain compliance. Also, an auditor or other non-technical person can review the enterprise policies and ensure due diligence within the company.

Note: Keep in mind that there is no specific "correct" answer; each company may have a different interpretation and desired risk exposure. The point isn't necessarily to arrive at the "correct" answer, but to come up with a consistent and auditable application of the answer the company has chosen and supporting documentation to prove due diligence.

Now that you are armed with an iAUP matrix, let's discuss how to create a technology mirror of this abstract policy that provides automated enforcement.

Architecting an Automated Policy Solution

http://www.nlrg.com/employment-law-legal-research/bid/53993/EMPLOYMENT-LAWWorkplace-Computers-and-the-Internet

Employment Law Legal Research


EMPLOYMENT LAW: Workplace Computers and the Internet

Posted by Gale Burns on Wed, Feb 09, 2011 @ 02:04 PM

The Lawletter Vol 34 No 3, June 4, 2010

John Buckley, Senior Attorney, National Legal Research Group

As many employers have discovered too late, unrestricted use of the Internet and e-mail not only has the potential to drain productivity but also may subject an employer to liability for the improper use. These consequences were recently illustrated by employees of the SEC who spent up to eight hours a day surfing the Internet for pornography. Employers can protect themselves from liability, however, by implementing and enforcing a policy outlining the permissible parameters of employee Internet use, or an Internet acceptable-use policy ("IAUP").

The need for a well-drafted and properly enforced IAUP is illustrated by several recent cases. In one case, Taxel Creative, Inc. v. Kelly, No. 93378, 2010-Ohio-263, 2010 WL 323430 (Ct. App. Jan. 28, 2010), the court held that an employee's termination was without just cause, despite the employee's purported violation of the employer's Internet use policy, and that, therefore, the termination did not render the employee ineligible for unemployment benefits. The employee had been terminated for excessive personal use of the Internet, but the employer's policy did not define what level of personal use was permissible, although it indicated that some amount of personal Internet use during business hours was expected. However, in another case, In re Pesant, 63 A.D.3d 1411, 881 N.Y.S.2d 227 (2009), the court held that a claimant was disqualified from receiving unemployment insurance benefits, because his employment had been terminated due to misconduct; the evidence established that the claimant had continued to violate his employer's Internet policy by downloading inappropriate materials to his assigned computer even though he had been previously warned about the consequences of such behavior.

A recent case from a New Jersey state court held that in order for an Internet policy to be effective in converting an employee's personal emails into company property, the policy must further a legitimate business interest of the employer's. Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54, 973 A.2d 390 (App. Div. 2009). Thus, the employer could not use the employee's personal e-mails to her attorney in her discrimination lawsuit brought against the employer. Significantly, the fact that the e-mails were directed to the employee's attorney was a deciding factor in the Stengart court's decision. In addition, the employee had been using a personal, Web-based, password-protected Yahoo e-mail account.

For the most part, the promulgation and enforcement of an IAUP has been recognized as a legitimate business decision. Pacenza v. IBM Corp., No. 04 Civ. 5831(PGG), 2009 WL 890060, at *8 (S.D.N.Y. Apr. 2, 2009) (slip copy) (granting summary judgment in favor of employer in employee's discrimination suit, stating: "IBM's policies prohibited the internet use that Pacenza engaged in and that prompted his termination."); Johnson v. Midcoast Aviation, No. 4:06-CV-1805(CEJ), 2008 WL 3200801 (E.D. Mo. Aug. 6, 2008) (unreported) (granting summary judgment to employer on issue of damages, because the court found that the employer would have terminated the plaintiff's employment when it discovered the plaintiff's violation of its Internet usage policy).

In re Claim of Pesant
State of New York Supreme Court, Appellate Division, Third Judicial Department

June 18, 2009

IN THE MATTER OF THE CLAIM OF ALBERT F. PESANT, APPELLANT. BRINKMANN INSTRUMENTS, INC., RESPONDENT. COMMISSIONER OF LABOR, RESPONDENT.

MEMORANDUM AND ORDER

Calendar Date: May 13, 2009

Before: Spain, J.P., Lahtinen, Malone Jr., Stein and Garry, JJ.

Appeal from a decision of the Unemployment Insurance Appeal Board, filed October 16, 2008, which ruled that claimant was disqualified from receiving unemployment insurance benefits because his employment was terminated due to misconduct.

From November 2006 until February 2008, claimant worked for the employer as a technology specialist in its customer support department. In September 2007, after it was discovered that claimant had downloaded images containing nudity and violence to his assigned computer, he received a warning concerning his violation of the employer's Internet policy. He received a second warning regarding the same type of activity in January 2008. A subsequent investigation revealed that claimant had downloaded a number of sexually explicit images to his assigned computer. He was discharged as a result. The Unemployment Insurance Appeal Board ruled that claimant was disqualified from receiving unemployment insurance benefits because his employment was terminated due to misconduct. Claimant appeals.

We affirm. An employee's knowing violation of an employer's reasonable rules and policies has been held to constitute disqualifying misconduct (see Matter of Graham [Commissioner of Labor], 305 AD2d 922, 922 [2003]), particularly where the employee has received repeated warnings (see Matter of Baker [Eastern Connection -Commissioner of Labor], 10 AD3d 763, 764 [2004]; Matter of Limarzi [Sweeney], 244 AD2d 750, 751 [1997]). Here, the evidence established that claimant continued to violate the employer's Internet policy by downloading inappropriate materials even though he had been previously warned about the consequences of such behavior. Although claimant denied downloading the subject materials and postulated that it may have been done by a member of the cleaning staff, this presented a credibility issue for the Hearing Officer to resolve (see Matter of Barcene [Commissioner of Labor], 6 AD3d 855, 855 [2004]; Matter of Limarzi [Sweeney], 244 AD2d at 751).

Spain, J.P., Lahtinen, Malone Jr., Stein and Garry, JJ., concur.

ORDERED that the decision is affirmed, without costs.
