This is one of the reasons some industries create professional associations or trade unions. It is hard to argue against pressure from your boss, so when ethics issues start to become common, you need a reasonably reliable way to apply opposing pressure.
A professional association with a code of ethics offers a standard excuse that you swore an oath against e.g. knowingly creating software that is designed to be fraudulent.
Alternatively, a minimal trade union that was chartered to only address ethics problems can create an incentive (under threat of collective action by the union) to not even ask for anything unethical. I know that it's popular to have a low opinion of unions, but it's important to remember that they are just a tool. If all you need is pressure against unethical requests, that should only need a tiny, mostly hands-off union.
> all it takes is the next dev to come along and say yes
Sure, but at least it wouldn't be your ethical problem anymore. Even if a more willing replacement is found, that takes at least some time and resources, and it sends a clear message that some behavior isn't appropriate. If you don't send that message, you're just conditioning the responsible people to ask for more unethical things in the future.
> I don't want regulation and lobbyists pushing their tech onto me as a solution.
If regulation could work well as a solution to a specific type of problem, it might be a good idea to get there first. Get to the politicians before the lobbyists carrying cash, a clear and brief explanation of the problem, and your proposed regulation.
However, this may not be a useful approach in some situations. I think some sort of collective organization is usually a better approach, but it's worth at least considering the regulatory approach.
I've been thinking about this recently. Less on the trade union (even if that might make more sense, in the vein of actual leverage), and more on the professional association side. I've been long-enamoured with the Canadian Engineering 'Iron Ring' ceremony. I don't know how much actual leverage that bestows, but something similar in such an infrastructural discipline as software development seems appropriate.
I love it. I have yet to take the ring off. It's a great way to initiate conversations about ethics and a great way to tangibly emphasize my personal pursuit in being ethical.
I'm a software dev. with a background in a different engineering discipline and there isn't much reason for me to join an engineering professional association in Canada. Unlike, say, civil, where you have to be licensed to perform some of the duties, nothing in a software engineer position actually requires a license.
They have it in the US too:
A better approach might be to have a consumer advocacy organization/site that allows devs to anonymously leak and publicly shame the bad practices of their employers. Somewhat like the proliferate Business Software Alliance ads that used to say, "If your employer is using pirated software, report them in confidence at ~place. If we catch them, you'll get a reward".
The answer is "yes". There is no reason to assume that a union representing employees would be any more motivated by customers' interests than the employers themselves would be. (And there are plenty of actions by real-life unions in other industries suggesting otherwise.)
If I ever find myself in a situation where I'm tasked with making the commit on a "feature" like this, I would explain that I can provide technical assistance (up to and including writing/testing the code), but due to my professional ethical responsibilities, management will have to find another engineer to actually make the commit, deploy the code, and close the ticket. And I would also print out an email that proves I expressed my dissent and management dismissed my concerns.
I've read about Y Combinator actually encouraging some of its startups to violate laws (in the "hack the system" sense, not in criminal violations sense).
If you think about it, many of the top startups do: Uber, AirBnB (and others that are losing like Zenefits, FanDuel or DraftKings).
It's, sadly, one of the only effective ways to get them to be discussed or modified; laws have a lot of inertia going for them.
I'm definitely not happy about the ethics in the above case, though.
Another thing I was going to add is that some CEOs knowingly violate the laws and incorporate that into their risk models (cost of fine + lawyers weighted by chance of it happening); it's usually a lot more cost-effective to violate them. (The CTO in the above example might have done such a cost/benefit calculation.)
I am not arguing that dark patterns don't work in general, I just don't think this is a good example.
Maybe I was wrong.
I refused flatly. Phrased it as 'as a contractor I'd be liable. I don't have deep pockets'. So they just got an employee to do it, who had absolutely no compunctions about it.
It's not so much that a company wants to do wrong things. It's that there's always an engineer willing to do them.
Even if you're not interested in the financial reward you should still report it because you could be literally saving someone's life (possibly even that of your own) down the road.
To make a crude and polarizing comparison, especially since I happen to land somewhat on the other side of that argument:
You can't blame a tool (bat/knife/gun) for what its agent does with it. If one tool doesn't work for them, they'll get it done with something else.
So there is no particular person in a corporation that has direct incentive to be responsible.
As I opened with, yes, to some extent we all share the blame, but appealing to everyone to individually make the difference will never work, because it only takes a few to still get the (dirty) job done. If everyone played nice we wouldn't need any laws.
Somebody has to take a stand. In Canada they have an Engineering oath and code of ethics. We should all aspire to be our better selves. After all, we're not being executed; we'll just have to find another contract.
Ideally I absolutely agree with you, and we should all strive for the best and make a stand wherever possible, but the cynic in me believes that it can never completely solve the issues, just shift the burden to someone else down the line.
Not to be nit-picky but in this situation the company specifically asked you to do the wrong thing it wanted done.
This is a prime example of how free capitalism will never regulate itself. Sure, you can vote with your dollar from what you know, but odds are you'll never find out about most of the crap a company pulls.
Too much regulation is obviously stifling to innovation as well. I don't have an answer, but I believe the solution lies somewhere in the middle, as with most things.
And just for an, albeit small, recent example, where there could easily exist better solutions, and the regulation could be worded more generally instead of giving specific mandates.
I'm sure there are more and much better examples, but as with everything we humans do, there are good practices and bad practices.
Just to give you one example that hits very close to home: the EU parliament recently started this push for companies that provide OTT communication services (Whatsapp, Skype, Viber, etc.) to comply with phone companies' regulations.
Among other things, this would mean that all of the companies that provide end-to-end encryption would simply have to stop doing it, given that phone companies need to be able to provide "Lawful Interception".
For instance, there's nothing in that sort of regulation that prohibits any innovation on encryption that would reconcile the user's reasonable expectation of privacy with the authorities' wish to have access to the user's communications.
And the issue of appropriate and adequate safeguards of such innovation so that the authorities themselves don't misuse it, is yet another issue altogether.
Encryption was an innovation. Communication that's private as a matter of technology rather than as a matter of legislation is an innovation.
Along the same lines: recording and time-shifting video and audio was an innovation. Enshrining the state of copyright law at the time would have prohibited it.
Innovation often does things that existing developers, users, and regulators didn't anticipate.
> For instance, there's nothing in that sort of regulation that prohibits any innovation on encryption that would reconcile the user's reasonable expectation of privacy with the authorities' wish to have access to the user's communications.
There's nothing in that sort of regulation that prohibits perpetual motion machines or time travel, either. The resolution of those two expectations is that one side loses and the other wins; the only question is which.
I don't believe that for a second. Innovation is constantly happening.
And as long as people are willing to give attention, time, money or a combination in exchange for something, it's highly likely that this 'something' will remain profitable and there lies the incentive to keep doing it.
For instance, if one were to work on a browser, who do you think has a greater incentive to allow adblocking: Firefox or Chrome?
Nitpick, but what the first comment said was that the signup happens regardless of whether you check/uncheck the box.
On the other hand, whistleblowing for misuse of customer data (which I'm sure is rampant) might be more effective.
The general public doesn't know how pervasive the problem is. They'd care more if they did.
Luckily the current regime seems to take a view far closer to mine, hopefully that will last beyond the current honeymoon period.
> If anyone has advice, I think this is a great thread to share thoughts.
The problem seems to be more-or-less endemic. Often the only solution is to break ranks and do the right thing against orders, or up sticks and go elsewhere, but these are very high risk strategies that most people wouldn't be able to justify when there is a mortgage to pay, especially as there is little chance the next place is much better.
Probably doesn't achieve much but it makes me feel better.
It would need to avoid allowing the unscrupulous to (falsely) badmouth competitors.
As for the terms and conditions violations, aka selling / using information - you're not going to get them. People stopped expecting privacy a while ago, and every conversation I've had on the subject the past three years always goes something along the lines of: "I always expect all my data to be given out and used".
If you don't want that to occur don't use the internet or use a company you trust. For example, I trust a university to keep my data secure because it's legally obligated to. Similarly, I trust most products I pay for, I don't trust pretty much any other app.
Instead, just add filters to drop everything from the email sender.
Or if you're like me, make an auto-responder that directs to their CEO's inbox telling them to "Fuck Off Spammer". (I actually do this)
Leak it to the press.
One would hope laws about fraud would cover this situation.
Don't get me wrong: it's unethical. But I don't think, "I didn't check the box that said 'add me to the newsletter' and they sent me a newsletter anyway" is particularly powerful.
> the money talks louder.
> If anyone has advice,
You might want to look at your communication style. Railing and yelling doesn't work if you want to persuade people.