Let me preface this post:
When I worked undercover, I was one of the most paranoid extremists in trying to be as unrecognizable as possible. I worked cases involving dangerous individuals, career criminals, street gangs, and organized crime groups that operated not only locally, but internationally. While undercover, I was searched, followed, interrogated, and threatened by those I was investigating both inside and outside the US. One night, I had a gun stuck in my belly and quickly learned that the brain is the most important security feature that we have.
Let’s get to the point of where the ethics and morals fit in
So, while on Twitter the other day, I saw a “live event” that a plane passenger was tweeting. The passenger and her boyfriend were taking photos and videos of two unidentified passengers and creating a ‘love story’ between them, even to the point of following them to the baggage claim. The two unidentified passengers were unaware of the online event they were the focus of. Even their private comments were being tweeted. The spectator comments only encouraged more of the same, even with T-Mobile CEO John Legere stepping into the tweet stream to offer free WiFi to keep the story going. Voyeurism at its finest, security at its worst. The female victim (I say victim as she had no choice in being the target of online voyeurism) has since been doxed, stalked, insulted, and harassed, leaving her to delete her social media accounts and hire an attorney to speak for her.
The point is that we in the cyber/information security community should take stories like this as ethical and moral reminders. Although personal privacy has been eroded due to haphazard use of the Internet, let’s not be part of that problem. Just as important, educate others to not do this sort of thing either. Any person who touches the electronic data about any other person surely assumes the awesome responsibility of securing that data against inadvertent and intentional release into the public space. Also, creating data where other persons can be negatively affected should be treated no differently.
Some of this is easy. We sign NDAs with clients that legally bind us to protections of client data. We see things in the data that are sometimes embarrassing for clients, yet it never crosses our mind to publicly out the information. We are professionals, both at work and in our private lives.
Some of this may not be as easy. If you are hunting for, or inadvertently find, publicly accessible data (which should not be publicly accessible) on the Internet, and you have no legal obligation to safeguard the data you find, fall back on ethics and morals. For those who don’t care (i.e., no morals or ethics, or just plain evil people), finding and publicly outing embarrassing data causes no dilemma to them; in effect, the hell if someone gets harmed (or even killed) because of it.
For those who do find this data and care about security, do what you ethically are obligated to do, based on what you found, how you found it, and what should legally be done about it. Different situations are different, and if you are ‘ethical’, then you know what you should do.
We live in an amazing technological age that bears so little relation to the pre-Internet days that it is as if we live on a completely different planet. Take bullying as an example. Traditional bullying and cyberbullying are so far apart that we should have a different word for bullying, because of the dramatically more harmful effects ‘cyberbullying’ has compared to bullying of days before the Internet. Today, bullying lasts forever, because the Internet is forever.
When we can tweet a thought faster than we can actually think about what we are doing, we risk harming ourselves and others out of sheer carelessness. Consider Twitter like an arrow flown. Any person tweeting about another person can directly impact that person's life either positively or negatively. The range of effect can also run from a small embarrassment to suicide. Wielding the Internet is an awesome power that we treat as seriously as putting on our socks.
Even when taking photos in public, where bystanders are unknowingly included in the photos (legal, as they are in public, right?), photos posted online can have harmful ramifications. Imagine a photo of someone in witness protection, or a victim of domestic violence, or even an undercover officer who is off duty with family. They may not want images of them on the Internet for good reason. Be judicious in your photos in public places, as the last thing you'd want is to hear about a murder victim who was identified by the suspect through your Facebook photo at Disneyland.
So, I propose that in addition to our moral, ethical, and legal obligations of personal security and client data security, we take into consideration the security of others who are doing nothing more than going about their business in public. You might never comprehend the damage done to another person with a photo, a tweet, or social media post that you made. But now that you know, you should make others aware as well. Be the security pro that can also talk about security outside the CPU. And certainly don't be that person who harms someone else just because you can or because you have no idea that you are doing it in the first place.
I'm not referring to being snarky, sarcastic, self-deprecating, or legitimately humorous online. I’m talking about being intentionally mean or ignorant as to the harm done to others through comments and memes. I know that 2019 is already approaching, but the Golden Rule still applies regardless of what year it is.