Ethics and the Citizen Clinic Code of Conduct



Module 2 introduces ethical considerations for clinical security work. Our look at ethics builds on the work of the Markkula Center for Applied Ethics at Santa Clara University and introduces a set of ethical considerations and norms specific to the work of Citizen Clinic. (For more information, see Citizen Clinic Code of Conduct.)

Learning Objectives

  • Identify ethically significant harms in cybersecurity (and the Clinic)
  • Identify ethical challenges in cybersecurity (and the Clinic)
  • Understand best practices for cybersecurity ethics, including the three components of informed consent
  • Understand one’s mandate to regularly consider the ethics of their position and work


  • See Course Readings for “Ethics and the Citizen Clinic Code of Conduct”



Read pages 7-21 & 48-52 of “An Introduction to Cybersecurity Ethics” (Shannon Vallor, The Markkula Center for Applied Ethics). Prepare answers to questions on pages 13-15 and page 53 for discussion.
Question 1.1: What risks of ethically significant harm, as defined in Part One, are involved in this case? Who could be harmed if Leslie makes poor choices in this situation, and how? What potential benefits to others should she consider in thinking about BioHack’s proposal?
Question 1.2: Beyond the specific harms noted in your answer to 1.1, what are some ethical concerns that Leslie should have about the proposed arrangement with BioHack? Are there any ethical ‘red flags’ she should notice?
Question 5.1: Of these 12 best practices for cybersecurity ethics, which two do you think are the most challenging to carry out? What do you think could be done (by an individual, team, or organization) to make those practices easier?


What ethically significant harms should we consider?
What ethical challenges (Vallor pg 15-20) might we encounter?


Consider “First, do no harm”…
…but discuss the limitations of that guiding principle.
We should be intentional about the decisions we make and intervene in ways that will not make the situation worse. Ultimately, the organization and its well-being should be your primary concern. However, you also have a duty to yourself, your family, and your team members. Sometimes it may seem like there are no good answers (for instance, doing nothing because there might be risk is not a resolution). If we view our interventions as already raising the risks for our partners and ourselves, what can we actively do to mitigate that?
Informed Consent
    • Discuss and define disclosure, comprehension, and voluntary participation.
    • Understand the effect of your institutional affiliation and positioning.
Tools and methods intended for good (ethical) purposes can also be used for bad (unethical) ones.
Important questions to regularly ask:
  • Are you, your team, or your partner able to do this?
  • Are you, your team, or your partner willing to do this?
  • Do you, your team, or your partner have any conflicts of interest?


What should our Code of Ethics look like? (Vallor pg 48)


Review the Citizen Clinic Code of Conduct. Highlights:
  • Harassment and Discrimination
  • Operational Security
  • Confidentiality
  • Professionalism
  • Reporting


Review and submit signed Code of Conduct.