"Fingering" Ethical Problem

© Copyright 1996 by John Halleck


Background

Most systems have a "finger" command of some sort. This tells you whether a given user is on the system, when they were last on, and often where they logged in from.

The command our systems came with also says whether or not they have new mail (and when they last read it).

Some finger commands even tell you who they last got mail from if they have new mail (although this "feature" has generally been disabled on machines on this campus).

Almost everybody here generally agrees that this information is more or less "public" information.

Problem

We found that one of our student machines was severely bogged down, in a manner that made it painful for the average student to use. We tracked down what was taking the system's time. A student's script was eating all the available resources of the machine. Contrary to stated policy, it was a background script (which we don't allow) that continued running 24 hours a day, whether or not the student was logged in. This script used large amounts of network bandwidth communicating with other machines, and large amounts of CPU time.

Since this was a student we had had some prior problems with, we were very curious as to what the student was doing. We were afraid they were trying to crack other systems using our system.

We discovered that the student was running the finger command on his ex-girlfriend on every machine she had access to, several times a second. The results of these fingers were being compiled by the script to form a profile of when and where she was logging in, reading mail, etc. It was gathering statistics of which labs she used, and how often. He had statistics of which labs she read mail from, and what hours she kept. At the time this incident happened, the system mail logs were readable by users (the system is shipped that way), and he was also searching the mail logs regularly (every 60 seconds) to see what mail had been delivered to her. He was collecting lists of which people she corresponded with, and how often she corresponded with them.

We terminated his account on grounds of violating the policy against background processes. We also informed the person being fingered what was going on.

There are a number of very serious ethical issues here concerning what our limits should be in investigating the student, what the student was doing, and what our response should be.

The student argued that the information was "public" and there was nothing wrong with what he was doing (except for the background process issue). By the student's argument, what he was doing would be OK if he was actually at the terminal doing it. The student also argued that we went too far in investigating what he was doing, and that we should have just terminated the account when we tracked the problem back to him. He argued that anything further we did was just prying into his private life. The student argued that we violated his privacy by informing his ex-girlfriend of what he had been doing.

We argued that what he was doing was an invasion of his ex-girlfriend's privacy.

We argued that what he was doing was an excessive waste of computer resources.

We argued that his history with us meant we didn't give him the benefit of the doubt on anything he was up to, and meant we would investigate more than we would with other students. We argued that his behavior was such that his ex-girlfriend had a right to know what he had done.

Any of these points could, in good faith, be argued either way. The issues here are serious, involving policy, ethics, social norms, and even the responsibilities of administrators who go beyond the written rules.


Follow up:

The ex-girlfriend found his actions frightening, and they were added to the stalking complaint she had already filed with the local police.

Whether or not this fact changes the issues listed above depends on what one's ethical views are...


Bringing this up to date

This problem was posed a number of years ago, and some things have changed. There are still vendors that have "finger" give out full information, but it is now rare for administrators to allow that. Having the system logs readable (so that one can see what mail went through) is also less common. However, many vendors still set that up as the default.




This page is http://www.cc.utah.edu/~nahaj/ethics/fingering.html
This page was last modified on April 8th, 2000