As our technological acumen increases, so too does our capacity to help others and increase the quality of life for all. While true, this ignores the fact that computers are simply a tool and are thus inherently neither good nor evil. Because we tend to view new technology as being always good, we, as a society, overlook the numerous ways it has opened the door for more sinister uses. Workplace deviance has gained a new platform in the form of smartphones and social media, and the borderline monopolization of industry standard programs and operating systems leave a large backdoor for bad actors to take advantage of unsuspecting users. I believe that due to the increasing speed of technological advances we must create flexible legislation that protects citizens from possible discrimination based on data taken from records or censuses, while leaving enough flexibility to adapt to whatever future advances may occur. In this paper, I’ll put forth some examples of workplace deviance and how they can be avoided, what I believe to be the most egregious overstep of personal privacy aided by technology today when it comes to the Chinese social credit system, as well as possible solutions to the legislative dilemma of creating laws that can stay relevant and effective in the face of technological progress.
Microsoft, Norton, Malwarebytes, Intel, HP, all of these major computer companies are based out of the United States, meaning that every other country using these products has to purchase them from us. While I like to believe these companies are ethical, the argument must be made that they could easily create a security vulnerability within their own products that they could access or exploit at a later date and as long as these companies remain dominant in the industry, this risk will continue. With the exception of Huawei in China seeking to export it’s phones and 5G technology to other countries, most large companies within China ( Didi, the Chinese version of Uber, and JD.com, the Amazon competitor) aren’t seeking to market to anywhere outside of China.
Workplace deviance is defined as “voluntary behavior that violates significant organizational norms and in so doing threatens the well-being of an organization, its members, or both” (Bennett, Marasi, & Locklear, 2018). The most obvious way that technology can contribute to workplace deviance is through simple slacking off. How many times have you walked into an office and seen someone on their personal Facebook or Instagram account or texting on their cell phone? These seemingly harmless activities can easily be defined as workplace deviance because, by sacrificing their productivity, this employee is threatening the well-being of the organization. While it’s unlikely that a single employee slacking off is going to take down an institution, the impact of an act is not what determines its deviance.
A more meaningful example that can easily be used to hurt a company is the improper use of company computers. Any employee with a thumb drive and a grudge can upload malware to a company computer, and depending on how tight the cyber security implementation is at that company, it could very well infect the network as well as the individual computer. One way to stop this would be to ensure constant monitoring of data being uploaded to or downloaded from every computer on the network to detect any suspicious spikes of activity. This becomes increasingly difficult to do with the BYOD policies being adopted by more and more companies. Yes, being on devices that the employee is familiar with can increase both mood and productivity, but is it worth the security risk of having your personal device able to access company servers from anywhere? I would argue not. Phones are lost or stolen all the time, and all it would take was a single stolen phone with weak login credentials to put the company at risk for exposure.
On the other end of the spectrum, that same employee with the thumb drive could potentially download files from the computer that are classified, maybe not to the employee, but to the public. Typically, in-house correspondence has levels of classification, and only the lowest levels are information suitable for release to the public. Other information could be future sales plans, employee evaluations, or store/company sales figures. Any of these being released to people outside the company could be potentially harmful to the company at large, and now that most office correspondence is passed digitally, it’s infinitely easier to obtain on the down low and distribute it to entities it was not meant for.
In what I would call the most Orwellian move of our time, China has begun implementing what is commonly referred to as the social credit system. Broadly speaking, the program takes multitudes of data on each individual ranging from their credit score, loan payment history, social media posts, to whether not not you smoke or litter. All of this data is run through big data software specifically designed to sift through and analyze datasets too large for normal data processing to handle, and at the end a final score is determined. While this may not sound as sinister as being hacked or having compromising information released where you’d prefer it not, the fact that the government is planning on (and has begun, as of early 2018) using these scores to restrict certain freedoms (internet access, train and plane transportation) is troubling to me. This could be used to essentially control the lives of people the government defines as dissidents, and could be used to prevent them from fleeing the country if their safety came into question. This sort of mass surveillance could never be possible without new facial-recognition software and software designed to analyze these massive amounts of data put into the system, and showcases the need to store data pertaining to individuals in a way that can guarantee anonymity and keep the information restricted to only those who truly need access to it.
In the past, our actions had predictable consequences. In doctor’s offices or hospitals, patient records were just pieces of paper stored in filing cabinets that could be copied and sent to another office if needed. Enter the computer; now those records are digital, infinitely accessible to anyone with the clearance to see them. What are the ramifications of this? Those records will exist long after the patient is gone and those records, even with the creation of HIPAA, contain enough information to create a distinctions that can be used to group people by various demographics. It would not be feasible before the digitization of records to group patients, or just people in general in non-medical terms, by things like income, medical history, etc. on a grand scale. Because of this new ease of grouping on a large scale, it becomes our duty to create the infrastructure and laws that can protect these records and any other information that can be used to group people, if not to avoid privacy violations than to prevent discrimination as is already beginning in China.
Admittedly, this will be difficult. We won’t know all of the advances in technology that will come to pass, and because of this, we need to create an infrastructure and laws that are flexible; they need to be able to be easily adapted to fit whatever changes come, because otherwise, we’ll just be making Band-Aid solutions every few years. Much like the NIST has a Framework that’s a jumping off point for how a company should conduct their security, we need a framework for future legislation that is flexible enough to be changed to fit new developments in tech, but structured enough that the laws can practically be applied and enforced to the current landscape. To do this, I believe we need to use broad strokes to define things that exist now – hacking, denial of service, disseminating malware, etc – and create categories that they would fall under and create steps to determine appropriate punishment for these acts, but then continue to monitor the cyber landscape for new threats – new ways to attack, new methods of breaching security, new crimes assisted by technology – to ensure that as the new threats arise, they can be either filed under an existing category of crime or, if need be, a new category can be created to encompass it and new penalties can be assessed.
It’s important to remember that despite the negative uses of technology I’ve highlighted in this report, technology is a tool that can — and is often — used for the betterment of all. China’s mass surveillance program and the ease with which any other major country could implement a similar system shows the potential for government overreach into the lives of those they govern and demonstrates the need for additional privacy requirements in records. HIPAA is a great start as it stands yet it only pertains to healthcare information. What we should do is build upon things like HIPAA and the NIST Framework; use the roadmap like layout of the Framework, combined with the implicit beliefs of privacy behind the creation of HIPAA. Some would argue that the relative broadness of a law designed to adapt as outlined above would lead to a difficulty nailing down exactly what the crime committed was, but I would say that so long as the categories of offense are clearly defined in terms of intended target and result along with motivation, any crime utilizing technology can be adapted to fit, even if based on a new method. It is vital that we take these steps to create legislation on protecting privacy as well as prosecuting malicious attacks now so that we can be prepared to tackle any and all crimes when they occur, rather than having to play catch-up or struggling to find a legal standard for a crime that can be used to describe the offense.
References:
Bennett, R. J., Marasi, S., & Locklear, L. (2018, June 15). Workplace Deviance. Retrieved March 30, 2019, from http://oxfordre.com/business/view/10.1093/acrefore/9780190224851.001.0001/acrefore9780190 224851-e-11
Hiner, J. (2016, May 22). 7 Chinese companies that will shape the future of the tech industry: My week in Beijing. Retrieved March 9, 2019, from https://www.zdnet.com/article/7-chinese-companies-that-will-shape-the-future-of-the-tec h-indust ry-my-week-in-beijing/