Joe O'Reilly

Professional Issues - Blog entry 3

11 Nov 2013 — How legal issues in IT will affect my future practice in relation to the BCS Code of Conduct

I found item 3.d of The Chartered Institute for IT’s (2013) Code of Conduct interesting. It states that you should “NOT disclose or authorise to be disclosed, or use for personal gain or to benefit a third party, confidential information except with the permission of your Relevant Authority, or as required by Legislation”. Reading this in the light of recent stories surrounding the NSA, in the USA, and GCHQ, here in the UK, makes me wonder whether a company complying with a request from either agency would be contravening The Chartered Institute for IT’s (2013) Code of Conduct. I say this, as arguably both GCHQ and the NSA are third parties, and the former doesn’t necessarily rely on legislation to operate and the latter almost certainly does not. I am almost certain there’s no legal precedent for many of these scenarios, so it’s hard to make a judgment call; however, I would like to think I’d not only do my best to challenge these kinds of requests but also make them harder to carry out.

Maintaining the surveillance theme, item 3.a of the Code of Conduct talks about “carrying out your professional responsibilities with due care and diligence” and “exercising your professional judgement at all times”. The infosec community is alive with discussion of ways to fix or replace security holes left in systems we had previously thought to be secure, for example the National Institute of Standards and Technology’s SP 800-90 standard that covers pseudo random number generators, which is now under review. Not protecting systems, and data, from the type of access these backdoors provide will likely leave companies and individuals at significant legal risk. This legal threat could come in the form of a disgruntled customer, an industry regulator, or even the government. In the future, making sure the work I do is carried out “with due care and diligence” will play a key role in protecting myself or my employer.


References

BCS, The Chartered Institute for IT (2013) BCS Code of Conduct. Available at: http://www.bcs.org/category/6030 [Accessed 23 October 2013].
