It depends. If the purpose is to prevent access to customer data not authorized by the customer then it's ok. If you do it to further the interests of anyone other than your customer it's unethical.