Unless you live under a rock, it will come as no shock that the US Government has the capability of tapping into the databases of the biggest, most widely used internet sites around: Google, Microsoft, Yahoo, Skype, Apple, etc. The entire list probably isn’t even known.

Anyway, it’s been no secret that the government can obtain information from these sites (and more!) — the Patriot Act in 2001 guaranteed that. What has come to light recently is a program called PRISM. As that Washington Post article says, this top-secret program was authorized by federal judges under FISA, the Foreign Intelligence Surveillance Act.

What PRISM does is apparently allow the National Security Agency (NSA) access to the providers’ databases (probably through an API of some kind). Strangely enough, all of the providers have been claiming not to take part while the government has spent its time claiming that PRISM is legal. That’s an uncomfortable disconnect.

But as I said, all of this is top-secret. You and I wouldn’t even know of its existence if it weren’t for Edward Snowden.

http://embedded-video.guardianapps.co.uk/?a=false&u=/world/video/2013/jun/09/nsa-whistleblower-edward-snowden-interview-video

Edward Snowden was an Infrastructure Analyst working on NSA systems, employed by the contractor Booz Allen Hamilton. In other words, Ed Snowden is a sysadmin.

There’s already a cultural issue with IT in a lot of organizations. We don’t speak the same language as the rest of the business (which, by the way, is our bad — we need to work on fixing that in our culture). But this is a very, very high profile case, and a lot of companies have to be re-evaluating their inherent trust of the people in their IT departments.

What do we tell them? What can we tell them? In most cases, we do have the keys to the kingdom, and they have to trust us. Certainly, strong cryptography plays a part in protecting data from external (and in many cases, even internal) entities, but the keys have to be stored somewhere, and someone has to administer wherever they are stored. Someone has to do backups of data, perform file transfers, read logs, fix email, and so on. We deal with extremely sensitive data every day in our profession.

There’s very little that we can do to assure people that we’re not going to steal or leak their data other than by being trustworthy and working according to an ethical professional standard of practice. I abide by the LOPSA and USENIX Code of Ethics, and if you practice in this profession, you probably should, too.

The question has come up as to whether Ed Snowden should have done what he did, whether it was wrong or not. It’s such a simple question with so many different answers, and we’re all scratching our heads and rubbing our chins. LOPSA has issued a statement and made reference to the Code of Ethics, but they didn’t take a stance (which, given the many, many ways this could play out in the long term, might not be a bad thing).

Here’s how I see it.

Professionally, I believe that Ed was in the wrong. Our code of ethics allows for promptly disclosing factors that might pose unexamined risks or dangers. It seems very clear to me that the NSA and the participating companies knew exactly what they were doing, and what the ramifications of it were. The clause that I just referenced begins with, “I will do my best to make decisions consistent with the safety, privacy, and well-being of my community and the public”. I’m certain that Ed would argue that he was doing just that, but neither he nor we know the full ramifications of making this program public.

If, and this is purely theoretical, PRISM was actually keeping “us” safe from people who wanted to harm us, then the exposure of it caused damage to those efforts. I am every bit as cynical as you are, and we both suspect that it wasn’t doing as much as they want us to believe it was doing. But we don’t know what the ramifications will be, and neither did he. He had incomplete visibility into the workings of the program, and didn’t know the ramifications of his actions. And that’s why he was wrong to do it, from a professional standpoint.

Now, speaking personally…I’m an American. I suspected, as have most of us, that the US government was able to spy on us, and that if they wanted to, they could tap our phones (legally or illegally — it’s all the same if you don’t get caught, right?) and I suspected that, given the aforementioned Patriot Act, this was happening on a wide scale. But I had no idea that so many companies were involved, and I didn’t realize that they had been so intrusive into our lives. As I write this, the ACLU is suing to stop PRISM, and I support them in that. I’ll probably support whatever the EFF does, too, honestly.

So how do I reconcile these two views? I don’t think I can. I think that they’re inherently irreconcilable, and that they have to exist concurrently, independently, in my mind. We’re far from the only profession to deal with ethical dilemmas — we’re just the latest.

If you look at that last example, Engineering Ethics, you’ll see a subheading for whistleblowing, mentioning that courts typically find in favor of the whistleblower. If you check the references, you’ll find a link to the story of Shawn Carpenter, who worked in IT security at Sandia National Labs. Shawn reported intrusions that he found across a swath of government computers, inside Sandia as well as outside it. He was fired (wrongfully, it was later determined).

Whether this case turns out in a similar vein, and whether Ed is found by the legal system to be within his bounds as an IT professional or not, time will tell. In the meantime, now would be a great time to hang up the System Administrators’ Code of Ethics so that you can point to it and say, “I’m not going to steal your data because I follow this”. There’s even a poster version you can print out.