Thursday, December 15, 2011

Hackers and Moral Desert (not a sweet treat)

The concept of moral desert is a complicated one. Moral Desert states that a person is obligated to something because of something else (the dog gets a biscuit because he's been good), and that result can be either good or bad; the person must accept all consequences be they positive or negative. The actual theory is more complex and the Stanford Encyclopedia of Philosophy gives a much more in-depth explanation (trying to explain it fully here would go way over the maximum word count, so I'll just mention the site).

This theory was famously rejected by the philosopher John Rawls. Rawls claimed that a person's talents were simply the result of 'natural lottery' and so a given individual could not claim credit for and does not morally deserve the results of said talents (better job/salary, award, etc.); he does clarify that while he does not accept the underlying concept of moral desert, people can and should expect to receive positive (and only positive) benefits from talent (he calls this 'Legitimate Expectation'). Where the legitimate expectation argument seems to fail is that it states that one only deserves to take credit for results if the individual or group expected them to happen, and the only results that count are positive.

In applying this concept to hacking, a person may not expect the results of an action but it happens anyway. Is it then moral to claim credit for those results? According to the basic moral desert framework, yes. In today's world, where exploits can be found with a Google search and skill isn't necessarily required to make use of some powerful tools, the answer is no, unless the person personalized the results in some way (tweaking source code and adding in a signature, adding a message to a defaced site, etc.) so that everyone would know it was them. Hacking results are only claimed by an individual or group if the results are positive (when was the last time you heard of Anon, LulzSec or the like taking credit for a failure?).

When I was in high school, the 'IT department' (one librarian who believed anything on a computer worked exactly the way it was supposed to) used a fairly simple keyword filter with a bad bit of code. It blocked sites based on keywords with no context, resulting in students unable to do research assignments because the filter was blocking a lot of stuff it shouldn't.

I was able to get the password through simple shoulder-surfing (I was just curious and did not expect to be able to actually get the master password). So I disabled the filter when I had an in-class project that otherwise would have been impossible. One teacher saw me doing this and assumed IT had trusted me with the password; I later told her that was not the case. She asked how I got it; I told her, gave her the password, she gave it to a couple other teachers and students were happy. Everyone behaved (the students didn't directly have the password, only teachers) and there were no logs to check. This fails the 'legitimate expectation' argument that Rawls gives, as I used knowledge (not 'natural lottery') to gain these results, but I had no real expectation of being able to circumvent the filter. Nor did I expect or even want credit; I figured that the librarians would probably find some reason to ban me from the computer lab altogether if they found out.

Another possible example of the moral desert theory is the Harvard admissions hack. Prospective students replaced a character string in a URL, and thus were able to view their admissions status in advance. Could it be considered an 'immoral' advantage? Not knowing the whole story, I would think that it depends. If an applicant viewed only their own information while waiting for the letter to arrive in the mail, I would not see that as an unfair advantage as the outcome was already certain. Some might.

You could argue that the person who discovered this flaw in the system did not expect to gain access (the expectation is that databases like that with sensitive information are protected by a password or other barrier to entry from the outside), but we don't know if that is in fact the case. Once the info was published, everyone expected to get in, so that might fall under 'legitimate expectation' (however wrong it may be). However, anyone using the hack must be prepared for the negative consequences as well as the possible positives (moral desert).
