Dumpster Diving and Information Responsibility: Research Projects as Change Agents Elia V. Chepaitis Fairfield University Dolan School of Business N. Benson Road Fairfield, CT 06430 Abstract This paper describes student projects that encourage “thinking out of the box.” These projects address changing business information needs, socio-economic impacts, and professional challenges in information systems (IS). A number of action-based projects are presented, ranging from student-authored textbook proposals to board games. One non-traditional project from 2002-2003 is discussed at length--the author and her class examined computers discarded in dumpsters, city curbside collections, and second-hand shops to ascertain if the information on the hard disks has been erased. On 42% of the retrieved disks, data had not been erased. “Dumpster diving” illuminated much more than another security problem—it showed how computers have become throw-away commodities in popular culture. Classes examined internal and external factors and consequences of this careless habit. In conclusion, the paper considers how this project advances information literacy, specifically within Standard Five of the Information Literacy Competency Standards of the Association of College and Research Libraries (ACRL) for Higher Education. This emergent topic, information responsibility, supports a transdisciplinary and flexible approach to IS. Keywords: disk sanitation, information ethics, CSO (Chief Security Officer), privacy, environmental waste, legacy projects, information literacy, information responsibility 1. Introduction Information systems projects can achieve three objectives: to engage students in pioneering discovery, to convey professionalism and responsibility, and to ask needs-based, creative solutions from students. Ongoing research projects not only challenge the analytical mind, but also allow students to construct multi-faceted, stakeholder-based solutions to problems that have been buried in the discipline. The best projects, like archeological discoveries, are arresting and creative. This is especially valid if projects are replete with missing gaps, interrupted research trails, and rich clues not only about their content, but also about the context in which they evolved. One archeological exercise, “dumpster diving” captures the imagination and invited students to supply many missing gaps not only about the content but also the context of Information Systems (IS). The content and context of not only IS but also the IS curriculum are changing. The computer has emerged as a communication device, an information appliance, and an entertainment medium, and monumental changes will occur in the next decade. Students must study and assess the impacts of confluent changes in IS: the circle of players, e-business, the evolution of information economies and virtual societies, and critical questions in security, ethics and equity. The stakes have become huge, ranging from identity theft to cyberterrorism, and IS is both an intellectual and also an operational frontier across many disciplines. In addition, different stakeholders identify different challenges as critical. In “dumpster diving,” an interesting pattern emerges: a broad range of stakeholders do not identify discarded storage media as critical at all. 2. Perpetual Projects Convey Change and Complexity To convey the gravity and depth of seminal changes in Information Systems and Operations Management (ISOM), the author rotates a number of action-based projects across the ISOM curriculum. Since the curriculum included a required introductory course for all School of Business students as well as advanced courses for majors and minors, research exercises vary significantly in duration and method but they all have one feature in common—ongoing, real-time, “live” IS scenarios. Most projects identify important questions and are not intended to supply all answers; they are developed by students and passed to other classes, future classes, and classes that the author teaches abroad. Some projects are refined, corrected, and enriched as they pass from class to class. In IS, perpetual projects are especially appropriate. Not only is the field dynamic, but information and communication systems themselves are seldom finalized: ongoing maintenance, feedback, control, upgrades and training are the rule rather than the exception. Furthermore, the donation of an unfinished project to next semester’s class or to a class in a university abroad is thematically appropriate, projects are constructed as modules, to be assembled, reassembled in different configurations depending on the organization’s changing needs, and enhanced by different skills and perspectives of distributed teams. In the past six years, students shared case research and shaped pedagogy in a number of ongoing projects. These included: textbook proposals, alternative designs for flawed systems (in areas such as health care intranets), board game development, catalog course descriptions, mission statements for ISOM (information systems and operations management) professionals, and presentations for ISOM students abroad (in Russia, Morocco, and Ecuador, to date). Textbook proposals have been sent to publishers, board games have been passed on to the next class for refinement, and Fairfield students’ PowerPoint projects in systems analysis and design, international information systems, information systems and organizations, and quality and information management have been shown to students abroad. These internationals in turn send their projects back to Fairfield, for their peers in the United States to evaluate and learn from. A list of action-based projects is compiled in Table 1. At the top of the list is the latest project—Dumpster Diving—a novel approach to research and case development that spiked student curiosity not only in advanced courses, but also in introductory courses. Dumpster Diving is a dynamic investigation of the garbage heap of information technology, quite literally. Students purposefully analyze the discarded components of information systems unearthed that week. The instructor regularly collects discarded computers, primarily from a landfill, and alters the data but not the field names. Naturally, names and confidential data are deleted or changed in the interest of privacy. Structured data can be easily altered, particularly if it already resides in a spreadsheet or database. Unstructured data is more labor-intensive for the instructor to alter, although, of course, the number of records in all cases can be shortened significantly since it is the fields that are most germane. Once dummy data is created, it can be used repeatedly. Class lists work well in some files. At no time do students themselves enter a landfill or work with the original data. Hardware, software, and data are examined for evidence of issues and trends in three areas: security, privacy, and environmental waste. The students initially regard the retrieved detritus, gathered at an actual rural landfill, with a mixture of bewilderment and skepticism, but the proof is on the disk. This is a provocative project and evaluations consistently identify the exercise as memorable. Dumpster Diving: Threats to Security, Privacy, and the Environment Composing an IS Profession Mission Statement A Novel Approach to Systems Analysis and Design Team Composed: The Most Important Questions At the End of Each Week Student-Designed Questionnaires Student-Authored Catalog Descriptions Student-Authored Textbook Proposals Student-Authored Proposals for Quizzes and Exams Student Proposals for Syllabi Foreign Exchanges of Student Projects with Feedback and Reciprocity Student Textbook Selection for Introductory Courses Student-Invented Board Games Students Actors Posing as Guest Lecturers: the class as Dramatis Personae Students As Editors, Discussants, Graders Table 1: Action-Based Projects in Information Systems The amount of time devoted to projects varies, especially in the introductory course. Various inherited projects and projects in progress are demonstrated from the second to the fifteenth week of the semester, to reinforce information literacy concepts and to stimulate discussion. Other projects are used more intensively and actively. For example, students select a textbook for the next year in the first week after the midterm examination, from a large pile of “candidates.” It takes half a class period to evaluate these according to content, organization, style. Teams isolate two or three finalists, and then contrast only these in a final round of analysis, for a final recommendation. Other inherited projects such as mission statements or board games are demonstrated one half hour within the three-hour weekly class sessions. 3. Methods: Stage One Discarded hard disk drives and hardcopy are extracted from four areas: thrift and consignment shops, city trash collection, and, most of all, from two areas in a rural landfill. In this location, both an open trash heap, for hardcopy and also, a massive dumpster set aside for metal, for hardware, software, and electronic data are the sites in which disks and other research materials are extracted. When the landfill runs out of space, the research will terminate, so there is a need for haste. The project has an archeological flavor to it. All material is quietly and legally salvaged from a town dump in a bucolic New England town along the Connecticut River. Although students are incredulous, no laws prohibit this retrieval; discarded hardware with a value less than two hundred dollars is free for the taking, nor do any laws prohibit the possession of discarded information per se. The two most popular applications were, first, the “Buy A Shredder Affair,” based on an astonishing compilation of hardcopy gathered in the fall of 2002 from piles of personal and business records. The subjects, as noted above, remained anonymous. In the first stage, the classes addressed four areas: data content, the data’s utility for hard and soft profiles of subjects, the utility of the information for information brokers and other parties, and the range and depth of the threats to privacy. We sought to establish what proportion of hard disks had been erased and what proportion had not. A major research challenge was to extract the material before “sniffers” and “snoopers” took it—often as soon as it was discarded, sometimes right from the backs of trucks before it was discarded. The material had to be taken also, of course, before it was compacted and removed. Small case studies were developed featuring businesses that had not deleted information: the type of software discarded, the characteristics and robustness of enterprise and personal information that was can be pilfered, and the areas of vulnerability and risk for the original owners. Data mining took on a decidedly unconventional meaning in these exercises, and students appreciated the extreme cultural as well as procedural changes necessary to prevent the problem of “Garbage In, Critical Information Out.” 4. Methods: Stage Two In the second stage a natural migration of interest and curiosity occurred. Students expanded their investigations: to quantify the amount of discarded hardware, including peripherals; to examine the environmental and economic implications; and to interview the strippers who raid the bin to ascertain what they take and why. The students also read industry brochures and a study by two MIT graduated students about the problem, and considered the problem of foreign business espionage. The implications of the dumpster diving case unfolded and surprised the participants in several areas. The investigations raised a number of ethical, cultural, technical, and economic issues. The study created not only a dynamic educational experience, but also illustrated the intersection of professional responsibility and moral conduct for many stakeholders. The student-authored reports on dumpster research created several learning synergies and, hopefully, promoted a habit of independent inquiry. 5. Student-Driven Pedagogy and Research The origins and expansion of this project are significant both in the classroom and for ongoing research. Students drove this project and subsequent research. The author discovered the problem when retrieving discarded computers and peripherals for retrofitting for Goodwill donations. When the contents of many hard disks were found replete with business and personal data, the instructor mentioned her week-end “finds” in modules on data security last fall. In response to unanswerable student questions, she expanded the investigations in the spring. Student teams analyzed the potential consequences of discarded, uncleansed hard drives. Spurred on by student demands, classes examined discarded data in earnest, and searched for background on the topic. Thus, we discovered an under-reported and ubiquitous problem. Little scholarly research has been conducted in this area, and that fact in itself attracted student attention. Related problems in security and privacy, and also the environmental impacts of discarded computers and peripherals, have been investigated in many fields, but not from a “dumpster perspective.” The irony is inescapable. From the mid-1980s to 2003, information systems security was “hot.” Research stretched across a broad range of topics in computer security: piracy, hacking, industrial espionage, blackmail, back-up systems, encryption, firewalls and other preventative and remedial measures. Related research on privacy burgeoned and spilled into the popular press in numerous areas: identity theft, fraud, credit card number “sniffers,” IPS cookies, “snooping,” employer snooping, government eavesdropping, “spooking,” data brokers and miners, and sales of hospital, financial, credit, insurance, and tax records. Research centers also on emergent impacts of legitimate information sharing between employers, credit agencies, insurance carriers, bankers, and a growing list of stakeholders. Student teams verified that these topics in security and privacy are covered exhaustively, in journals, textbooks, industry literature, and television. Similarly, these problems are covered in the IS curriculum from systems analysis and design courses to e-business. The failure to unearth the careless disposal of unpurged hard disks is an anomaly. Why, until recently, was there not research into the widespread practice of discarding hard disks intact? The problem is more ubiquitous than dumps: unsanitized computers are accessible at the side of the streets during municipal bulk trash collection, in the halls of office buildings after upgrades, at thrift stores, at transfer stations, and in private dumpsters. 6. Literature Review Few studies have been conducted on the problem of discarded disks, and those are quite recent. This search of the literature deepened the mystery of unsanitized disks. Why has so little research been conducted, why is there so little interest in this problem? A 2003 article, “Building Confidence in a Networked World “(Garfinkel and Shelat) dominates the pertinent scholarly literature. The authors purchased one hundred and twenty-nine used drives via eBay, and found that forty-nine had recoverable information. In an interview with The Chronicle of Higher Education; Garfinkel noted that this is a huge problem and that almost no one is aware of it. Outside academia, industry periodicals such Federal Computer Week, CIO, and Waste News contain a few short articles on recoverable data. Promotional literature from firms such as Redemtech, Computer Forensics, and PCDisposal also describes the severity of the problem, and offer their services as a remedy. The New York Times and The Boston Globe have had short pieces on individual cases, primarily on privacy issues when personal data is found on resold computers. 7. An Investigation in Progress This problem was an ideal case for undergraduates since the problem was dramatic and of the utmost significance for data security. Three outcomes of student research into this problem included first, lively debates on responsibility, liability, and accountability for security and privacy risk. Second, students achieved a rough and alarming quantification of bulk and toxic waste from discarded computers in 2003. Third, the class, with the help of secondary sources including the Massachusetts Institute of Technology study, appreciated the massive extent bulk of this buried problem. They also examined and analyzes (with company and client names removed) sample lists of files, reports, and fields left on salvaged disks (with all company and discussed the possible consequences. The instructor tried to supplement the students’ investigations. First, the instructor floated soft factors that must be weighed in the design of improved technology and best IT practices for disk sanitation and hardware disposition. Viable solutions must consider socio-cultural, economic, legal, and political influences on disk disposition. Second, the critical importance of seamless data security through the organization was traced: where was data collected, shared, erased or discarded, and shared—from data mines to extranets and wastebaskets. Finally, we asked: what technologies and strategies can best correct this problem, and which stakeholders will be affected? Improved tools and procedures for purging disks were proposed. We were helped by the studies that have been conducted on unpurged disks a little, but more by information provided by companies that specialize in cleansing and disposal, admitting the self-interest inherent in their claims. Next year we will search for significant variations in disk sanitation: the method of disposal, the most careless user classes, regulatory environments, and costs. 8. Research Questions This project raises a number of interesting questions for students. One of the primary purposes of this project was to illustrate that IS professionals not only don’t know the answer to pressing questions, but also occasionally do not realize that a problem exists. “How can security be considered salient in so many areas, and disk dumping be widespread and largely unnoticed?” “What else may researchers be missing?” How can the industry or stakeholders decide: 1. Who is responsible—for poor security design, for example; 2. Who is accountable—for security lapses, for example; 3. Who is liable, for damages due to procedural gaps or violations? In addition to poor technology design and inferior practices, other interesting trends increase careless disposals: the view of computers as a disposable appliance, declining prices, multiple dumping opportunities, dynamic definitions of obsolescence, the lack of purging utilities, and the lack of user awareness of where data resides and can be accessed by intruders. It was cogent to compare and contrast this with other IS issues, and to formulate open-ended questions about careless computer disposals. Research on other economic, environmental, health, and waste management aspects of this mountainous (literally) problem is especially interesting if a more complete “cast of characters” (stakeholders) is assembled. The players in this problem include the original owners, their clients, business partners, employees, IT personnel, hardware resellers, trash haulers, metal collectors, waste managers, and others. Are accountability, responsibility, and liability ill defined and confused because there are so many stakeholders? Finally, an emerging trend in corporate governance, the office of CSO (Chief Security Officer), is emerging. Are these security lapses an additional justification for the CSOs who may infringe on the power of CIOs (Chief Information Officers)? Is information security too critical to be left to information technology professionals? Are seismic changes necessary as a remedy? 9. Conclusion: I S Archeology and Information Literacy Projects such as information systems archeology move ISOM away from computer literacy towards true information literacy, with less focus on technology skills and more cogent inclusion of the changing context and responsibilities within ISOM. The Association of College and Research Libraries’ (ACRL) Information Literacy Competency Standards, published by the American Library Association, for example, note that increasingly information technology skills must be interwoven with broader information literacy abilities. Students’ self-learning is critical in the development of habits of independent investigation, through problem-based, evidence-based, and inquiry-based learning. The dynamics of the networked economy demand not only self-actualization, but also broad stakeholder acceptance of responsibility and accountability. The project fits neatly into the ACRL’s Standard Number Five, since students investigate economic, legal, and social issues surrounding the ethical use of information, including its disposal, security, and privacy. Dumpster diving is an appropriate investigative method for observing phenomena first hand, as recommended. The outcomes require “higher order” thinking skills as defined by the ACRL, and, hopefully, can contribute to enhanced professionalism and ethical conduct by all stakeholders. Finally, arguments about legitimacy, identity, and dominant research paradigms in IS have appeared recently in MIS Quarterly (Benbaset and Zmud ,2003) and The Journal of the Association for Information Systems (Robey, 2003; Galliers, 2003). Information responsibility, a topic that surfaced from dumpster diving research, supports a transdisciplinary and flexible approach to IS, and informs students that IS inquiry must be creative, open-ended, and needs-based. 10. References Association of College and Research Libraries (2003). “Information Literacy Competency Standards for Higher Education,” American Library Association. Berinato, S. (2002). “Good Stuff Cheap,” CIO, October 15, pp. 53-59. Benbaset, I and R.W. Zmud (2003). “Identity Crisis Within the IS Discipline: Defining and Communicating the Discipline’s Core Properties,” MIS Quarterly, 27(2), pp. 183-194. Bray, H. (2003). “Discarded Hard Drives Found Full of Personal Data.” Boston Globe (January 16). Carlson, Scott (2003). “Technology’s Trash: Old Computers Never Die—They Just Cost Colleges Money in New Ways.” The Chronicle of Higher Education, XLIX (23), February 14. A33-A35. ___. “MIT Researchers Often Say Hard Drives Reveal Secrets.” (2003). The Chronicle of Higher Education, XLIX (23), February 14. A34. Chepaitis, E. (1999). “Ethics Across Information Cultures.” Ethics in Contemporary Society. University of Notre Dame Press. ___. (2003) “Dumpster Diving and IT Management.” Proceedings WACRA (World Association of Case Research). Bordeaux School of Business, Bordeaux, France. “Do You Know What’s Left on Your Disk?” Computer Forensics and Evidence Brochure. Gallers, R.D. (2003). “Change as Crisis or Growth? Toward a Transdisciplinary View of IS as a Field of Study; A Response to Benbaset and Zmud’s Call for Returning to the IT Artifact,” The Journal of the Association for Information Systems, 4(6), pp. 337-351. Garfinklel, S.L. and A. Shelat (2003). “Remembrance of Data Passed.” IEEE Security and Privacy: Building Confidence in a Networked World. v1(1)., 31-37. “Hard Drive Recycling Holds Risks,” (2003). Waste News. v8 (21), January 20, p. 1. Hasson, J. (2002). “VA Toughens Security after PC Disposal Blunders.” Federal Computer Week. August 26. “Is a Computer Junkyard Growing in Your Company?” (2003). PCdisposal.Com Newsletter, February 10. 1-4. Knowles, R. (2002). “The Dark Side of the Technology Boom: The Dangers and Liabilities of Improper Computer Disposal,” C-WIT Meeting Notes (June 24). Markoff, J. (1997). “Patient Files Turn Up in Used Computer,” New York Times, April 4. “Security Flaws Exposes Confidential Consumer and Corporate Information” (2002). Redemtech Data Security Whitepaper. April 24). Robey, D. (2003). “Identity, Legitimacy and the Dominant Research Paradigm: An Alternate Prescription for the IS Discipline: A Response to Benbaset and Zmud,” The Journal of the Association for Information Systems, 4(6), pp. 352-359. Thibodeau, P. (2002). “Handling E-Waste: The Challenges of Computer Disposal. ComputerWorld. (November 18). Villano, M.. (2002). “Hard Drive Magic: Making Data Disappear Forever.” New York Times. May 2.