Security Review: Security and Privacy Code of Ethics

By Kevin Wallace at 8:12 pm on January 8, 2009 | 2 Comments

The Security and Privacy Code of Ethics is a contract that every CSE484 student is required to sign, on penalty of a zero grade in the course. It places restrictions on the manner in which students may use knowledge gained in the course, and on the transfer of such knowledge. While it appears to be a good faith attempt by the University to prevent their students from engaging in malicious activities, it has several failings, and raises ethical issues.

Assets

  • Security knowledge. This could be used maliciously, which the contract seeks to prevent.
  • Vulnerable third-party assets. The contract seeks to protect these from would-be malicious students.
  • The University’s reputation and legal liability. If a student uses knowledge gained in the course in a malicious manner, the contract allows the University to assert that the student’s actions were performed against its will.

Adversaries / Threats

  • Students, who might use their security knowledge for evil. The University recognizes that such knowledge can be dangerous, and seeks to prevent it from being used in damaging ways.
  • From the student’s perspective, the University could be seen as an adversary. The contract attempts to limit use of student knowledge, and therefore student freedom. It is in the student’s best interest to maximize their freedom.

Potential Weaknesses / Defenses

  • Enforceability. The document, in its current form, is likely neither legally nor practically enforceable. This allows a nefarious student to sign, and then act in violation of the contract, with no repercussions. This might be solved with a “proper” contract with specific, enforceable penalties for violations (e.g. expulsion, or revocation of degree).
  • There exists a sort of race condition, which a student can exploit within the first week of the course. The contract’s wording only governs actions after it is signed, allowing a nefarious student to act against the guidelines set in the contract prior to signing it. This could be solved by ensuring that all students have signed the contract prior to the beginning of the first lecture.
  • Transfer of security knowledge is unauthenticated. A student who does not sign the contract (either through non-enrollment, or by intentionally taking a zero in the course) is still free to attend lectures. This could be solved by checking student identification at the door, allowing only those who have signed the contract into the classroom.
  • Denial of service. The terms of the contract are viral – that is, in order to share security knowledge, students must ensure that the receiving party has also agreed to the terms of the contract. One can imagine a situation where a student goes on to become a security researcher, but is required to ensure that anybody she interacts with in a meaningful capacity has agreed to the terms of the contract. Some of these people might find such a request unreasonable, and refuse to agree, hindering the student’s career success.

Risk Evaluation

From the University’s perspective, the risk associated with a student violating the contract is small, as the contract seems to protect their reputation and legal liability. There is, however, a larger risk in the case of a student who uses knowledge gained in the course to attack the University itself.

From the student’s perspective, the risk associated with signing the contract is large, if the student plans to continue their endeavors in the field of security, as its viral nature hinders their future interactions within the security community. This risk could most likely be addressed by removing or replacing the clause that makes the contract’s terms viral.

Conclusion

In the end, the contract only appears to completely protect one of the three assets under consideration: the University’s reputation and legal liability. This might actually be acceptable, as there exist enforceable laws that protect the other two. At the same time, the contract presents some risk to honest students. Somewhat ironically, the Security and Privacy Code of Ethics raises an ethical issue: is it ethical for the University to force the student into such risk?

Filed under: Ethics, Policy, Security Reviews

2 Comments

  • 1

    Comment by Salikh Bagaveyev

    January 9, 2009 @ 2:01 am

    Interesting post. I agree that if it comes to consideration in court, the non-sharing clause will not stand (as unreasonable or unconscionable, somewhat like many courts finding non-compete clauses in the employment contracts to be unreasonable). But I don’t think it is worth rewriting it for one important reason – it is not worth it. Tautology, I know.
    There is almost no risk to a student (you mention the risk of jeopardizing your career for being so paranoid as to cite a disclaimer before every related conversation, or, maybe the risk of being the main party in the lawsuit as opposed to the University if he/one commits security attacks?). Too far-fetched, in my opinion.
    Despite the contract being, likely, unconscionable, the University has little to worry about, as I don’t think there is a lawyer born who could transfer responsibility that way. (Let’s ask to sign a contract when buying any security book then). We can’t have a nicely written contract for every step we make in our lives.
    So, this contract, as it is, serves a good purpose of making a spontaneous student think a bit before he decides to break something, plus, it creates a feeling (for me, at least) of curiosity and exciting anticipation of what is to come next in the class.

  • 2

    Comment by vincez

    January 9, 2009 @ 10:06 pm

    To piggyback off of Salikh, your angle on the Security and Privacy Code of Ethics is certainly interesting, but not necessarily a compelling vulnerability. Without restating Salikh’s thoughts on the matter (which were nearly identical to mine as I was reading), I have trouble buying into the value of the assets and the severity of the vulnerability. What I’m most interested in are your thoughts on what the correct approach should be.

    By that, I mean to ask, how would you ‘patch’ this security threat? What should the University’s/Instructor’s policy be? Clearly, to learn how to protect systems, one must learn how they are attacked. The current contract makes the University’s position clear on how the knowledge should be used. Is it really in the University’s best interest to invest in the defenses you proposed? I feel like the risk of students taking the course and not signing the sheet and intentionally failing it or trying to mount attacks with knowledge gained in the first two lectures is quite low.
