Code of Conduct

From IDESG Wiki

Full Title or Meme

For the purposes of Identity Management, Code of Conduct applies to the actors in the identification of users and the protection of user data supplied during the process of Authentication or Authorization.

Actors

A typical list of actors in Identity Management (the roles overlap somewhat):

  1. User Agent
  2. Resource Server
  3. Identifier or Attribute Provider
  4. Authorization Server
  5. Credential Service Provider

Context

Existing examples

Problems

The scope of a Code of Conduct is not always clear. In particular, it can address (1) the intent of the actor, (2) the actions of the actor, or (3) the result of the action.

  1. High technology groups have created codes that address the intent of the person in creating their work product. These often proclaim to be professional, but lack any enforcement whatsoever. For example, consider this extract from the ACM Code of Ethics and Professional Conduct:

    Computing professionals are in a position of trust, and therefore have a special responsibility to provide objective, credible evaluations and testimony to employers, employees, clients, users, and the public. Computing professionals should strive to be perceptive, thorough, and objective when evaluating, recommending, and presenting system descriptions and alternatives. Extraordinary care should be taken to identify and mitigate potential risks in machine learning systems. A system for which future risks cannot be reliably predicted requires frequent reassessment of risk as the system evolves in use, or it should not be deployed. Any issues that might result in major risk must be reported to appropriate parties.

  2. Professions like Engineering focus on the actions of the engineers in creating the design. These codes are typically mandatory, and violations can result in significant liability actions. A Comparison of Engineering Society Codes of Conduct was created by the ASCE:

    It is perhaps not surprising that the two areas of greatest consistency among AAES member codes have to do with competence and objectivity, two areas that, it can be argued, have a pronounced effect on the reputation and integrity of the profession. Each of the society codes requires members to perform services only in their areas of competence, and each requires members to be truthful, objective, and honest in all public reports or statements. Several codes, ASCE's among them, provide express guidelines for engineers serving as expert witnesses. The American Society of Mechanical Engineers, for example, requires that "engineers...serving as expert or technical witnesses...shall express an engineering opinion only when it is founded on their adequate knowledge of the facts in issue, their background of technical competence in the subject matter, and their belief in the accuracy and propriety of their testimony."

  3. The Code of Hammurabi was thoroughly results oriented. The penalties are notoriously strict, often slavery or death:

    Law #53: "If any one be too apathetic to keep his dam in primly condition, and does not so keep it; if then the dam break and all the fields be flooded, then shall he in whose dam the break occurred be sold for money, and the money shall replace the crops which he has caused to be ruined."

It is instructive to review the consequences of the Hyatt Regency walkway collapse, in which 114 people died. Nothing like this has ever been levied against the creators of defective computer or communications products.

The Missouri Board of Architects, Professional Engineers, and Land Surveyors found the engineers at Jack D. Gillum and Associates who had approved the final drawings to be culpable of gross negligence, misconduct, and unprofessional conduct in the practice of engineering. They were acquitted of all the crimes with which they were initially charged, but the company lost its engineering licenses in the states of Missouri, Kansas, and Texas, as well as its membership with the American Society of Civil Engineers (ASCE).

Solutions

This is a list of some of the codes, grouped by their intended audience.

Healthcare

The CARIN Alliance Code of Conduct was constructed specifically to address the Native App in Healthcare. As written it is wholly voluntary, with no penalty for failure to abide by its terms. Any enforcement is directed to the FTC, which enforces a variety of consumer privacy and notification requirements.

The CARIN Alliance believes that when an individual makes a request for their data to be sent to an application of their choice it should be treated as an individual “right of access” request pursuant to the HIPAA Privacy Rule. We also believe that when an application makes a request for a consumer’s data at the direction of, and on behalf of, an individual, it should also be treated as an individual “right of access” request when it does the [list of items including directed to a HIPAA EHR, the subject is IAL2 and AAL2 proofed and the destination of the data is well known].

The following sections are addressed (Notice is not mentioned other than via the ONC’s Model Privacy Notice (MPN)):

  1. Transparency
  2. Consent (includes advance notice of privacy policy changes)
  3. Use and Disclosure
  4. Individual Access
  5. Security
  6. Provenance
  7. Accountability
  8. Education
  9. Advocacy

It is not clear how this intersects with the ONC rule, under which the app developer is "certified" but otherwise no limitations are placed on the app.

Aerospace and Defense

Like the CA|B rules for Certificate Authorities, the Code of Conduct, or common operating rules, of the TSCP (Transglobal Secure Collaboration Program) has been very successful in creating federated single sign-on for employees of large A&D enterprises. Since employees sign away their rights in this setting, there has been no interest in any PKI federation focusing on user rights. Still, their common operating rules document does give security guidance that is valuable for any site holding valuable user information.

References