There really are two uses of power in this case that require some ethical inquiry, though both of them might be obscured by other issues at first. They both have to do with the use of power, in one case by computer professionals and in the other by users. We can think of the duties of computer professionals in this case under two categories: their duties as employees and their duties as computer professionals.

One way of analyzing the issues at stake is simply to think of Dana Rood and Allen Schiano in their roles of employees of the University of California, Irvine. They are hired by the university to maintain a computer system for the use of students, faculty, and staff at the university. If we use the analysis approach proposed by Collins and Miller [3] we should ask "to whom do these people owe duties?" For the sake of simplicity, let's talk about two of these sets of duties:

• Duties to their employer. Certainly they owe it to their employers to implement and configure an efficient, reliable, and current computing system, within the limits of their budget and time. In addition, they have a duty to their employer to keep them safe from losses due to lawsuits, harmful software, and other harmful actions that might be foreseeable by the computer professional.
• Duties to their users. They have some similar duties to users, in that users expect a reliable and reasonably current computer system. But users also expect a safe computer system (an environment in which they feel safe) and they have at least an expectation of reasonable privacy.

The privacy of electronic mail is a tangled topic, and you should see the discussion on privacy for an initial discussion of it. However, considering the duties of Dana Rood and Allen Schiano simply as employees presents an interesting difficulty: There may be situations in which one’s duties to the employer conflict with one’s duties to the users (the Therac-25 case may have been one of these). In some companies, computer professionals have been asked to implement detailed employee performance tracking and surveillance systems. In these cases, some individuals have felt their duties to be in conflict.

But are Rood & Schiano’s duties really in conflict here? In fact, their duties to their employer and their duties to their users (particularly the Asian students who were targeted) converge. So, simply as employees of the college and as service providers to the students, Rood and Schiano have a duty to protect students from harassment and from invasions of their privacy.

It would be rash to assume, however, that these duties will always agree so easily. It would be equally rash to assume that, in the case of a conflict, one set of duties always trumps the other.

In addition to being employees, Rood and Schiano are also computer professionals. They have special expertise in computing that qualifies them to make decisions about computer systems. The question about whether computing is a profession is a complex one. Deborah Johnson [7] provides an initial discussion motivated by the ethical implications of professional status, and Pavalko [1] provides a more sociological look at the issue.

But for the sake of this discussion, let’s assume that the special expertise that Rood and Schiano have comes with some additional responsibility. Why would this be? To the extent that special expertise allows a person to foresee the results of an action better (e.g. a meteorologist and the weather, a doctor and a prescription) that special expertise imposes an additional responsibility to avoid harm given that it is (or should have been) foreseen.

As an example, review the discussion in the socio-technical system section on the finger command. This command makes available personal information about users to those who invoke the command. Early RFCs for implementation of this command, even on networked systems, made no mention of the privacy or safety issues that might be associated with the widespread availability of this capability. Is there anything inherently wrong with providing this capability? Well, we can certainly think of cases where this capability would be nice to have, and even an addition to the quality of life of individuals who had access to the command. So, there is probably nothing inherently wrong with the idea. But later RFCs for finger protocols do contain clear discussion about the privacy implications of the command.

Decisions about whether or not to implement and how to configure a finger server are usually made by computer professionals. These computer professionals have this responsibility because of their technical expertise and because of the role they occupy in an organization, usually that of director or manager of systems.

In our case, we may have a situation where the harm from implementing the finger command was not foreseeable until the potential for harm was pointed out by our culprit, Mr. Machado. At a more general level, computer professionals who design or implement systems may find those systems being used in ways they could not have foreseen, and may not agree with. But their design or implementation may still contribute to the problem.

Huff [5] calls this ability of computer professionals to affect others by the systems they design or implement, unintentional power. In these cases, the question is whether a reasonable person with that expertise should have foreseen the harm. Some RFCs occurrences prior to the Machado case did point out the possibility of privacy violations. But it was still standard practice at that time to implement a finger server on university computing systems. It is still standard practice to do so today, at least for queries done on the campus.

Machado clearly used the added power that computing gave him to harass and intimidate Asian students at the university. Given Machado’s defense in court (and his failing grades, expulsion, etc.), he probably felt like he had very little power on campus. But the computer gave him power to speak to people he did not know, and whom he held indirectly responsible for his plight: Asian students.

Again, the issue of the foreseeability of the consequences comes into play here. And the question is not whether Machado could foresee the harm his email might do (he said he did not think it would do harm). The issue is whether a reasonable person would foresee the harm. Determining what we mean by "reasonable person" in this case is one of the things at issue. Comments made at trial by the defense suggested that people on a networked system reading email might expect "flames" and that, given that assumption about the nature of electronic communication, any harm that did occur was not foreseeable by someone familiar with that online culture. In the end, the jury did not agree with this analysis. But whether the jury was right or not is still open to discussion. To begin thinking about this issue, you might read the section on socio-technical analysis for this case.

So, the use of power in the ImpactCS framework is not just about the use of power that comes with special expertise in computing, but also encompasses the use of the power that computing technology gives individuals.