
This is tough to read. I've railed and yelled in meetings about ethics and have ultimately discovered that in nearly every case the money talks louder. I remember this company I worked with that had a sign up with an "add me to the newsletter" check box. When leading a UX review it was decided to switch it off by default. One day a friend of mine buzzed me to say she was annoyed at receiving mail even though she specifically made sure that that box was unchecked when signing up. I assumed it was a dev error and checked with the dev team and was told to go check with the CTO. When I did, the CTO said that it was exactly how he wanted it. I wasn't even manager level but I lost it and yelled at the CTO. I was simply told "we need our email signups and don't dare tell me how to do my job". I tried to look for support elsewhere in the company and all I discovered were at best some hushed mutterings in corners. Even laughs of me being on some kind of moral high horse. It hurt to know that the same people I know who did these things are now working on startups that scoop up massive amounts of people's location data. The same people who wrote tiny scripts to collate customer data to give to the sales teams who would give it to clients as part of a sales package even though the terms specifically said we don't share personal info. It bothers me that I don't even know how to fight it since all it takes is the next dev to come along and say yes to end months of protests against something unethical. I don't want regulation and lobbyists pushing their tech onto me as a solution. If anyone has advice, I think this is a great thread to share thoughts.



> in nearly every case the money talks louder

This is one of the reasons some industries create professional associations or trade unions. It is hard to argue against pressure from your boss, so when ethics issues start to become common, you need a reasonably reliable way to apply opposing pressure.

A professional association with a code of ethics offers a standard excuse that you swore an oath against e.g. knowingly creating software that is designed to be fraudulent.

Alternatively, a minimal trade union that was chartered to only address ethics problems can create an incentive (under threat of collective action by the union) to not even ask for anything unethical. I know that it's popular to have a low opinion of unions, but it's important to remember that they are just a tool. If all you need is pressure against unethical requests, that should only need a tiny, mostly hands-off union.

> all it takes is the next dev to come along and say yes

Sure, but at least it wouldn't be your ethical problem anymore. Even if a more willing replacement is found, that takes at least some time and resources, and it sends a clear message that some behavior isn't appropriate. If you don't send that message, you're just conditioning the responsible people to ask for more unethical things in the future.

> I don't want regulation and lobbyists pushing their tech onto me as a solution.

If regulation could work well as a solution to a specific type of problem, it might be a good idea to get there first. Get to the politicians before the lobbyists carrying cash, a clear and brief explanation of the problem, and your proposed regulation.

However, this may not be a useful approach in some situations. I think some sort of collective organization is usually a better approach, but it's worth at least considering the regulatory approach.


These are very good, very well-stated points.

I've been thinking about this recently. Less on the trade union (even if that might make more sense, in the vein of actual leverage), and more on the professional association side. I've been long-enamoured with the Canadian Engineering 'Iron Ring' ceremony. I don't know how much actual leverage that bestows, but something similar in such an infrastructural discipline as software development seems appropriate.


I'm currently an undergrad studying software engineering at a Canadian university, and I'm going to go through the whole Iron Ring ceremony when I graduate. The program here does seem to focus more on ethics, albeit in a somewhat generalized 'engineering' be-careful-when-you-build-a-bridge way, but I've still had some good takeaways that apply to building software.


The Iron Ring ceremony was one I didn't realize existed until our graduating class of nuclear engineers were told "Oh, by the way, you're all going." This was in The South in the USA.

I love it. I have yet to take the ring off. It's a great way to initiate conversations about ethics and a great way to tangibly emphasize my personal pursuit in being ethical.


Where was this done? I wouldn't mind doing so in Texas as a software engineer since we don't have PE's.


The ceremony is symbolic, the Iron Ring committee has no real power. There are professional engineering associations with actual power, unrelated to the ring, but software engineers are not usually part of them.

I'm a software dev. with a background in a different engineering discipline and there isn't much reason for me to join an engineering professional association in Canada. Unlike, say, civil, where you have to be licensed to perform some of the duties, nothing in a software engineer position actually requires a license.


Just wanted to chime in and say that I am in a position similar to yours, and agree with everything you have said, but would add that I believe the iron ring is a very good 'nudge' towards ethical decision-making.


>I've been long-enamoured with the Canadian Engineering 'Iron Ring' ceremony.

They have it in the US too:

https://en.wikipedia.org/wiki/Order_of_the_Engineer


Canadian engineering unions are basically a mafia. Their sole purpose is basically ensuring that their members pay dividends and preventing them from doing any job if they don't.


Wouldn't the union only be composed of the same colleagues who were resigned to 'hushed mutterings in corners' and laughed at the grandparent poster for 'being on some kind of moral high horse'?

A better approach might be to have a consumer advocacy organization/site that allows devs to anonymously leak and publicly shame the bad practices of their employers. Somewhat like the proliferate Business Software Alliance ads that used to say, "If your employer is using pirated software, report them in confidence at ~place. If we catch them, you'll get a reward".


> Wouldn't the union only be composed of the same colleagues who were resigned to 'hushed mutterings in corners' and laughed at the grandparent poster for 'being on some kind of moral high horse'?

The answer is "yes". There is no reason to assume that a union representing employees would be any more motivated by customers' interests than the employers themselves would be. (And there are plenty of actions by real-life unions in other industries suggesting otherwise.)


Many European countries have IT trade unions and you are only legally allowed to have an Engineer title when the university is certified by the Engineering Association, which is also another door to knock to disclose such behaviors.


So they add email addresses to a newsletter mailing address even when the user specifically opted out of the newsletter?

If that's true, then they're almost certainly violating federal law. Instead of ranting about ethics, you should calmly explain to the CTO that what they are doing might be in violation of federal laws and regulations. Possibly laws related to spam. But if this practice contradicts the company's privacy policy (or if the privacy policy is vague enough and the user's intention and expectation of an opt-out is clear enough), then the company you worked for is almost certainly in violation of its contractual obligations to its users. The FTC is starting to take this sort of thing more seriously -- see https://www.ftc.gov/news-events/media-resources/protecting-c... for examples of enforcement actions.

If I ever find myself in a situation where I'm tasked with making the commit on a "feature" like this, I would explain that I can provide technical assistance (up to and including writing/testing the code), but due to my professional ethical responsibilities, management will have to find another engineer to actually make the commit, deploy the code, and close the ticket. And I would also print out an email that proves I expressed my dissent and management dismissed my concerns.

IANAL.


Companies violate federal or state (or country, in my case) laws all the time.

I've read about Y Combinator actually encouraging some of its startups to violate laws (in the "hack the system" sense, not in criminal violations sense).

If you think about it, many of the top startups do: Uber, AirBnB (and others that are losing like Zenefits, FanDuel or DraftKings).

See: https://blog.placeit.net/startups-ignored-law-won/

It's, sadly, one of the only effective ways to get them to be discussed or modified, laws have a lot of inertia going for them.

I'm definitely not happy about the ethics in the above case, though.

Another thing I was going to add is that some CEOs knowingly violate the laws and incorporate that into their risk models (cost of fine + lawyers weighted by chance of it happening), it's usually a lot more cost effective to violate them (The CTO in the above example might have done such cost/benefit calculation).


I presume it said "check the box to opt-out of the newsletter", instead of being "check the box to opt-in to the newsletter".


Note that this would be... Well, stupid. People sometimes opt in for newsletters they care about and with this scheme they would opt out. Not only that, you would get tons of "subscribers" who explicitly don't care for your mails.

I am not arguing that dark patterns don't work in general, I just don't think this is a good example.


My interpretation was that the box just doesn't do anything; i.e., you can click it or not click it, but either way, welcome to the newsletter mailing list.

Maybe I was wrong.


IANAL also, so my reading of it may be incorrect, but I'm pretty sure it violates the CAN SPAM act.


So many anecdotes we could share. Mine is, I contracted out to do work on an 802.11 radio. The company wanted quicker connections on bands reserved for emergency communications in many countries. The FCC rule was, listen before you talk. But it's quicker to ping the access point immediately. Quicker but illegal, and obstructive to emergency communications.

I refused flatly. Phrased it as 'as a contractor I'd be liable. I don't have deep pockets'. So they just got an employee to do it, who had absolutely no compunctions about it.

It's not so much that a company wants to do wrong things. It's that there's always an engineer willing to do them.


>Under the 2010 Dodd-Frank Act, whistleblowers who provide the FCC with original information that leads to a successful enforcement action in which monetary sanctions exceed $1 million will receive an award of not less than 10% and not more than 30% of the monetary sanction. In August 2012, the FCC issued its first award under the Whistleblower Bounty Program. The award was $50,000, or 30% of the amount collected by the FCC, the maximum allowed. [0]

Even if you're not interested in the financial reward you should still report it because you could be literally saving someone's life (possibly even that of your own) down the road.

[0] http://johnsonandbell.com/alerts-blog/employment/statutory-a...


Completely agree. While I like the idea that we all share some responsibility about the decisions we make, and I applaud you for yours, it shouldn't be on the implementor to fix. The companies/heads demanding this should be the ones liable, and heavily so.

To make a crude and polarizing comparison, especially since I happen to land somewhat on the other side of that argument:

You can't blame a tool (bat/knife/gun) for what its agent does with it. If one tool doesn't work for them, they'll get it done with something else.


Sadly I suspect corporate decisions get made in a microcosm. Whatever is good for the next quarter or next product. A middle manager would be fired for doing anything else. Or at least reviewed badly. "Sure you did the right thing; but your numbers were down. Sorry no raise/promotion"

So there is no particular person in a corporation that has direct incentive to be responsible.


So we need to change that. We need to make sure there is a heavy stick being used against those that decide to make these unethical decisions.


After all, I was just following orders ...


Yes, I understand that this is the logical followup, but there were individuals standing up to orders and being executed, and it didn't make a lick of difference when the problem was systemic.

As I opened with, yes, to some extent we all share the blame, but appealing to everyone to individually make the difference will never work, because it only takes a few to still get the (dirty) job done. If everyone played nice we wouldn't need any laws.


Still, if there's nobody at the 'top' making decisions (and unless the CEO micromanages there isn't) then we've just moved the problem from Engineers to Middle Managers.

Somebody has to take a stand. In Canada they have an Engineering oath and code of ethics. We should all aspire to be our better selves. After all, we're not being executed; we'll just have to find another contract.


Sure, but I as an engineer can't control a middle manager, but a CEO most definitely can. If you make the CEO liable, he/she sure as hell will move the incentives towards better practices.

Ideally I absolutely agree with you, and we should all strive for the best and make a stand wherever possible, but the cynic in me believes that it can never completely solve the issues, just shift the burden to someone else down the line.


> It's not so much that a company wants to do wrong things.

Not to be nit-picky but in this situation the company specifically asked you to do the wrong thing it wanted done.


Right, conceded. But it won't happen unless someone is willing; that's my point.


Yeah, you're right, and with one company and 100s of employees with families to feed, there is always someone willing to do it.


I highly encourage whistleblowing in situations like this.


> I don't want regulation and lobbyists pushing their tech onto me as a solution. If anyone has advice, I think this is a great thread to share thoughts.

This is a prime example of how free capitalism will never regulate itself. Sure, you can vote with your dollar from what you know, but odds are you'll never find out about most of the crap a company pulls.

Too much regulation is obviously stifling to innovation as well. I don't have an answer, but I believe the solution lies somewhere in the middle, as with most things.


That regulation is stifling innovation is in no way obvious. It is a commonly repeated talking point but I am unaware of any factual arguments that back this assertion up.


Well, it can at least be in situations where incumbents lobby for needlessly complex regulation to stifle competition. See: for example tax code and FDA process for EpiPen alternatives.

And just for an, albeit small, recent example [1], where there could easily exist better solutions, and the regulation could be worded more generally instead of giving specific mandates.

I'm sure there are more and much better examples, but as with everything we humans do, there are good practices and bad practices.

[1] http://www.npr.org/sections/thetwo-way/2016/11/14/502082110/...


Really?!

Just to give you one example that hits very close to home: the EU parliament recently started this push for companies that provide OTT communication services (Whatsapp, Skype, Viber, etc...) to comply with phone companies' regulations.

Among other things, this would mean that all of the companies that provide end-to-end encryption would simply have to stop doing it, given that phone companies need to be able to provide "Lawful Interception".


The issue with that is not that innovation is being stifled though, it's rather an issue of privacy.

For instance, there's nothing in that sort of regulation that prohibits any innovation on encryption that would reconcile the user's reasonable expectation of privacy with the authorities' wish to have access to the user's communications.

And the issue of appropriate and adequate safeguards of such innovation so that the authorities themselves don't misuse it, is yet another issue altogether.


> The issue with that is not that innovation is being stifled though, it's rather an issue of privacy.

Encryption was an innovation. Communication that's private as a matter of technology rather than as a matter of legislation is an innovation.

Along the same lines: recording and time-shifting video and audio was an innovation. Enshrining the state of copyright law at the time would have prohibited it.

Innovation often does things that existing developers, users, and regulators didn't anticipate.

> For instance, there's nothing in that sort of regulation that prohibits any innovation on encryption that would reconcile the user's reasonable expectation of privacy with the authorities' wish to have access to the user's communications.

There's nothing in that sort of regulation that prohibits perpetual motion machines or time travel, either. The resolution of those two expectations is that one side loses and the other wins; the only question is which.


IP law including copyrights and patents, as currently implemented, undoubtedly stifles innovation.


Try working at a startup in a heavily regulated industry, such as finance or telecommunications. It becomes obvious very quickly why those industries converge around large players, and that reason is a huge regulatory hurdle to even get started.


How about the Uber cases where cities or countries are banning the company because the taxi companies are mad they are evading the transport regulations? http://www.businessinsider.com/heres-everywhere-uber-is-bann...


Your claim that Uber is being banned because "taxi companies are mad" ignores several documented issues around driver safety, background checks, and driver pay (to name a few) that have been cited as cause for bans.


"Too much regulation is obviously stifling to innovation as well."

I don't believe that for a second. Innovation is constantly happening.


The best way to encourage innovation is to "stifle" it by producing unusual and complex situations that require creativity to circumvent. Regulation, because it is at least theoretically a codification of the desires of a large population, forces whatever innovation happens into a set of forms that are expected to be in line with the good of the people, while simultaneously making anything achieved more innovative in proportion with how much more intellectual and creative effort was required to achieve it.


That's encouraging innovation, but it's innovation specifically related to the regulation. It's a bit like saying, the best way to help people climb to higher ground is to first drop them into a pit.


We really need some way for whistleblowers to reveal all the dysfunctions within their company, and a way for consumers to easily get access to this information while they are surfing the web. Some combination of wikileaks + Glassdoor + yelp, in a fraud-resistant manner, that's easily accessible on-the-fly without too much effort. If companies knew they would be held accountable for breaking user trust, they would really think twice.


The problem is that the general public doesn't care as much as you'd care about these things. If one were to call oneself a whistleblower by announcing that a company made the email signup 'opt-out' instead of 'opt-in', in all likeliness, no one will take it seriously.

And as long as people are willing to give attention, time, money or a combination in exchange of something, it's highly likely that this 'something' will remain profitable and there lies the incentive to keep doing it.

For instance, if one were to work on a browser, who do you think has a greater incentive to allow adblocking: Firefox or Chrome?


> by announcing that a company made the email signup 'opt-out' instead of 'opt-in', in all likeliness, no one will take it seriously.

Nitpick, but what the first comment said was that the signup happens regardless of whether you check/uncheck the box.

On the other hand, whistleblowing for misuse of customer data (which I'm sure is rampant) might be more effective.


> The problem is that the general public doesn't care as much as you'd care about these things.

The general public doesn't know how pervasive the problem is. They'd care more if they did.


Under our old management I had to fight tooth and nail to get security problems in production prioritised over things that might make money, and I caved in far more times than I care to admit (too many times I threatened to hand in my notice over it, and backed down due to promises of change and/or guilt trips about leaving my colleagues in the lurch).

Luckily the current regime seems to take a view far closer to mine, hopefully that will last beyond the current honeymoon period.

> If anyone has advice, I think this is a great thread to share thoughts.

The problem seems to be more-or-less endemic. Often the only solution is to break ranks and do the right thing against orders, or up sticks and go elsewhere, but these are very high risk strategies that most people wouldn't be able to justify when there is a mortgage to pay, especially as there is little chance the next place is much better.


I think a lot of us faced these kinds of situations. When I was just starting out I was writing drivers, and asked to write code to detect that a driver benchmark program was running (as opposed to an end-user's application), and if so, route the benchmark to a special code path whose sole purpose was to perform well in the benchmark. I didn't think that was right and expressed my concerns to management. The result was I could just move on to fixing other bugs and they got one of the contractors to do the benchmark detection instead. This echoes what others have said in this thread: for any ethical issue you feel uncomfortable with, there are plenty of other programmers lined up to do it if you won't.


When I'm a customer on the receiving end of spam like this I often write a reply to the company in question congratulating them on losing my business permanently, and that of anyone who I happen to talk to about their business arena.

Probably doesn't achieve much but it makes me feel better.


Name and shame them? Make very sure your anonymity is preserved lest they try to sue you, but exposing these practices on here might be a start to get the word out on it.


Just a casual naming online stating that these practices are on purpose and not a bug, so when I search for the company and the issue on google, I'll know to not give them the benefit of the doubt.


The sentiment is ok, but not sure how to make that work in a practical sense.

It would need to avoid allowing the unscrupulous to (falsely) badmouth competitors.


Ethical violations are an endemic problem. If everybody named and shamed companies for every ethical violation they encounter, every company would end up named and shamed. And the really bad stuff would get buried in an avalanche of comparatively trivial violations.


Well, if they don't provide a way to unsubscribe it is actually illegal to do what they did, and could be fined per email sent. Given the situation you described I kind of doubt they did.

As for the terms and conditions violations, aka selling / using information - you're not going to get them. People stopped expecting privacy a while ago, and every conversation I've had on the subject the past three years always goes something along the lines of: "I always expect all my data to be given out and used"

If you don't want that to occur don't use the internet or use a company you trust. For example, I trust a university to keep my data secure because it's legally obligated to. Similarly, I trust most products I pay for, I don't trust pretty much any other app.


It's a numbers game once they subscribe, even if the link is there. Some people, myself included, won't hit that unsubscribe button. I'll just forever mark it as spam until it no longer shows up in my inbox.


Isn't this better? I know at my company we'd rather a person unsubscribe rather than delete without reading or god-forbid mark it as spam. Saves us money.


Clicking an "unsubscribe" link just confirms the email was received. So, don't ever do that.

Instead, just add filters to drop everything from the email sender.

Or if you're like me, make an auto-responder that directs to their CEO's inbox telling them to "Fuck Off Spammer". (I actually do this)


Or be a bigger bitch and find an internal mailing list that contains the top level / tech department. One email becomes a company-wide email :)


They'd have to really piss me off, but it's a useful idea. :D


> It bothers me that I don't even know how to fight it since all it takes is the next dev to come along and say yes to end months of protests against something unethical. [...] If anyone has advice, I think this is a great thread to share thoughts.

Leak it to the press.


Also, it's worth remembering that whether something is the right thing to do or not does not depend on whether you can prevent it from happening or from being carried out by someone else (you can note similar vile sentiments when people say things like "if I don't do it, someone else will" ). In other words, you should refuse to do something you know is wrong because it's wrong, end of story. The fact that someone willing can or will take your place is irrelevant. Concerns over prevention are distinct from concerns over where you should act in some manner. Where prevention is concerned, kareemsabri's suggestion is a viable option.


Sending unwanted emails - this is a great way to get added to spam filters... Do it to too many gmail users and no one will receive any of your emails.


"...receiving mail even though she specifically made sure that that box was unchecked..."

One would hope laws about fraud would cover this situation.


It's not fraud. At best, it's a violation of CAN-SPAM, but I doubt it.

Don't get me wrong: it's unethical. But I don't think, "I didn't check the box that said 'add me to the newsletter' and they sent me a newsletter anyway" is particularly powerful.


> 'I wasn't even manager level but I lost it and yelled at the CTO.'

Bold strategy.


> I've railed and yelled

> the money talks louder.

> If anyone has advice,

You might want to look at your communication style. Railing and yelling doesn't work if you want to persuade people.



