Just Say No (jacquesmattheij.com)
563 points by janvdberg on April 28, 2017 | 353 comments

It's not just crime that you shouldn't use your skills for, it's all immoral or unethical activity.

It's a surprisingly urgent problem in a field that enables mass government surveillance, dark patterns, big data aggregation, and cyber warfare.

As an attorney, I wonder if software engineers should consider implementing some kind of rules for professional conduct and an organization to enforce it like the lawyers have.

You're right in that you shouldn't use your skills for unethical activity. However, since you mentioned you're an attorney I'm wondering if an official professional code of conduct does really help with that. There are plenty of lawyers engaging in unethical behaviour and the Bar often doesn't bar them from doing so.

Case in point: The way Aaron Swartz was treated. The prosecution seriously overstepped the boundaries of what can be considered ethical behaviour. Even worse, they did it for shady political reasons and personal career considerations.

Software has a professional code of ethics, it isn't universally read/adhered to though: http://www.acm.org/about/se-code

A professional code of ethics with no weight behind it is about as effective as a code of ethics I upload on a random blog tomorrow. That's what ACM's might as well be, since it's not even universally known by professionals, let alone adhered to.

Depends on where you are, in some US states you can get licensed to call yourself a software engineer. This holds you legally liable to the code of ethics. It often influences court cases involving companies too: http://ethics.acm.org/code-of-ethics/using-the-code/

If you're a licensed engineer and you break ethics rules, be prepared to pay fines.

That would satisfy "weight." It's conspicuously lacking in the ACM code of ethics (and basically every other code of ethics someone puts online with no industry buy-in).

That is awesome. I didn't know it existed but I do love it.

Thank you for sharing this!

It clearly doesn't help.

Who are the most successful lawyers? Politicians. Try and think of an unethical one...too many to choose from. Hell, if religious laws don't prevent people from doing horrible things and then justifying it (and they don't), why would a code of conduct help anything?

If the heart of a profession is greed (and tech is or is getting there), then your code of conduct means nothing. You just gotta justify your actions, and tech companies already do that.

"We're changing the world for the better! (But don't mind us if we track, spy, manipulate, and price-gouge you along the way)."

Is that unfair? It feels unfair, but the actions of too many tech companies are deplorable and yet we've got tens of thousands of people working for them. Where do you draw the line? When do you become complicit (someone abuses data because you've built systems which allow and encourage it)?

It's really an argument of social norms, and how do you change those, especially (if like law was at one point), you are the industry to get into to make money? If that is the main reason lots of people get involved (from management on down), how do you build and maintain norms that say that quality and concern for the user comes before all else?

You think the most successful lawyers are politicians? It's usually the other way around: the most successful politicians are lawyers.

Obama, Clinton(s), Ghandi, Lincoln...none of whom were "successful" lawyers, but they all did just fine in politics.

As to your point about laws/code not preventing horrible things...they oftentimes do. But no one is claiming laws always eradicate behavior (they can and have); that's why we put people on notice and create penalties, because we know people violate the laws/rules anyway. Say Bill Clinton lying under oath, he was caught and the only one who disciplined him was the Bar of his home state: totally disbarred him. In other cases, the law itself might be immoral - take the British colonial law against Indians making salt, and Ghandi violating it and being arrested, even after, as a politician he was able to change the law and the norms.

> none of whom were successful lawyers

I think your main point is likely right, but your supporting examples are not. Wikipedia (at https://en.wikipedia.org/wiki/Abraham_Lincoln#Early_career_a...) says:

> Lincoln became an able and successful lawyer with a reputation as a formidable adversary during cross-examinations and closing arguments

Likewise, we have https://en.wikipedia.org/wiki/Hillary_Clinton#Later_Arkansas...

> She was twice named by The National Law Journal as one of the 100 most influential lawyers in America: in 1988 and in 1991.[123] When Bill Clinton thought about not running again for governor in 1990, Hillary Clinton considered running, but private polls were unfavorable and, in the end, he ran and was re-elected for the final time.[124]

I'll stand by my statement, I didn't say they were failures as lawyers they just simply are not what legal professionals would call the most successful lawyers.

A compliment on Lincoln's cross examination skills does not make a successful lawyer, though he did practice and litigate and unlike the others (that I know about) established case law. As far as Hillary, I wouldn't put too much stock in The National Law Journal - it's like the national dean's list, rising star lawyers, AV rating. What do you really know of her career? Did she take cases of first impression; set case law; argue before SCOTUS; set a record on a monetary judgment/damages; become partner at an AM100 firm or white shoe firm; hold a meaningful judicial clerkship; become a federal judge?

These are all smart people, successful politicians, but as lawyers I'm not sure anything ranks them in the upper echelons ...that certainly doesn't mean they were failures, which is being read into my statement, I think. Despite the thread opposing me, I don't see any merit based support they were the most successful lawyers.

> most successful lawyers

You added the word "most" :) Your revised statement is probably right

The word "most" was in OP and my original comment

my bad, can't read

"Gandhi" is the correct spelling.

Just FYI, Obama taught at University of Chicago Law School. And he was pretty successful as a lawyer. Looks like he chose to do less corporate work (not judging), which may have resulted in him earning less, but U of C profs definitely do OK. https://en.wikipedia.org/wiki/Barack_Obama#Law_career

Obama's non-academic legal work was fairly brief and secondary to (and overtly a stepping stone for) his public advocacy and political work, but AFAICT he was plenty successful at it.

Well, if you consider that the most successful one can be as a lawyer could be to write or interpret the law then the most successful lawyers would be either politicians or judges. It really depends on your criteria for success.

It's difficult to argue against Balzac's "behind every great fortune is a great crime". There's a lot of exploitation of edge cases, which are quickly patched in order to shut the door behind them. Similarly, people get famous by speaking outrageously, and then lambaste anyone who does the same once they're famous. There doesn't seem to be a lot of exceptions to this when you're talking about the upper-echelon.

Proper quote (from https://en.wikiquote.org/wiki/Honor%C3%A9_de_Balzac#Le_P.C3....)

> The secret of great fortunes without apparent cause is a crime forgotten, for it was properly done

The key part that people keep omitting is "without apparent cause". If the cause is apparent, there is no need to speculate about possible crimes: just look at the cause and decide if it's criminal or not.

"Who are the most successful lawyers? Politicians"

The most public ones, sure. But not necessarily the most successful.

> It clearly doesn't help.

I don't know about that. Judging by OliverJones' post, corrupt lawyers could well be even worse without the formal code of ethics.

A lot of people think that laws and ethics are interchangeable. If something's illegal, it must be wrong; otherwise, it must be right.

Laws don't define ethics. They're only an implementation of justice. It's up to us to decide what's right and what's wrong.

I once had a very senior manager tell me "No, it's fine, we consulted with legal and they said it was technically legal. And PR has a plan for if it comes out!" or something along those lines. I argued that it wasn't about whether it was legal, it was about whether it was moral. He just... didn't understand what I meant.

I soon found other employment. It pays less, but I sleep a lot better at night.

"Technically legal" is a pretty poor form of legal protection, anyway. Judges aren't computers; they are human beings who are free to interpret (within reason). Lots of people have wound up on the wrong side of the law because they convinced themselves that what they were doing was OK because of some technicality.

I basically said that I won't be the "rogue engineer" like at Volkswagen. If the management are willing to demonstrate that ethics aren't important, why would I imagine they wouldn't use me as a scapegoat?

That is a very good point.

At my work if you work more than 8 hours in a day, they just won't pay you for the extra. It looks bad on reports, and doesn't matter if the job must be completed by midnight you still can't work 12 hours on paper. What you have to do is split off anything you work in overtime, and put it on the next day's time sheet.

Legally, if your time sheets are inaccurate, you open yourself up for all sorts of legal action including significant fines and imprisonment, so what they've done to cover themselves here is require you to sign it as a true and accurate record of your hours worked. (They refuse to pay you if you don't, which in turn is illegal.)

I think I will follow your example, and find myself another job in a business that follows a basic code of ethics.

>sign it as a true and accurate record of your hours worked.

This is small print on timesheets anywhere I have worked. The point is that they have something that department of labor can see where employees asserted that the hours reported are correct. That's all DOL cares about if they check. If they are coercing employees to falsify time sheets DOL will have strong feelings. Record your hours independently and have those records ready for side by side comparison. After you leave for a better job, consider reporting their illegal practices so that hopefully others will no longer have to put up with it either. It does not help anybody to have a long history of lying on timesheets. ... Is this timesheet rule in writing anywhere? This would also help a lot. Sorry I'm really interested in this. I'm a manager and I make sure my team records everything they are possibly entitled to be paid for because I'm a reasonable human being. End of rant ;)

Some people literally never develop a postconventional morality. I remember developing to that stage no later than 14 years old. It's pretty strange.

I have also noticed, disappointingly, that some people never seem to ask themselves moral questions. I think a room full of people in suits serves as a heuristic that tells them that someone else has already asked the requisite moral questions. This is partly how you end up with a city of 100,000 expats working for the government of Saudi Arabia, etc. Imagine living there. You could probably go years without anyone ever having a discussion about morality.

In my ethics and values class, I was told that law is the lowest form of morality.

It's interesting...my father-in-law is a lawyer, and while he's a very nice guy, he has a certain mindset to look at things from the perspective of legality, rather than what's morally right or wrong.

For example, he had a hip replacement a couple of years ago and received a handicap placard so he could park in the handicapped designated parking spots. He's much better now and doesn't really need it anymore, but he keeps getting it renewed (I guess they don't really check to make sure you're still "handicapped"). Sure, it's technically legal, but there are probably truly handicapped people (in wheelchairs etc.) that could use those spots much more.

I suspect that it is actually illegal (obtaining or rather renewing the permit under false pretenses or some such), but it has a very low probability of getting caught or any consequences beyond losing the permit if he is caught.

The law can also be totally immoral.

(E.g. following a bad law like Jim Crow laws used to make profit or to exploit people etc).

The law is the implementation, it's not morality at all. Absolutely immoral things can be legal and absolutely moral things can be illegal.

What does it mean for something to be "absolutely moral" or "absolutely immoral"? What test can I perform to find out which bucket something falls into?

Depends on your value system, but something that comes to mind is Deontology. You should read about the categorical imperative. To give you a taste, “Act only according to that maxim whereby you can at the same time will that it should become a universal law without contradiction.” – Immanuel Kant, Groundwork of Metaphysic of Morals

This, for example, suggests that lying is absolutely immoral, because if lying were universally accepted as good, we would not be able to trust each other.

> Depends on your value system

It seems odd that an absolute would depend on something subjective, doesn't it?

> we would not be able to trust each other.

That sounds like a pretty utilitarian concern to me, rather than a contradiction.

>It seems odd that an absolute would depend on something subjective, doesn't it?

Go deep enough and eventually everything is subjective. Even things like fundamental axioms.


That there exists more than one explanation for a phenomenon, like ethics and moral values, doesn't mean that choosing any of those at random yields a good explanation. It also doesn't mean that there is no valid explanation at all.

That's just lazy not-100%-sure-therefore-I-substitute-my-own-reality-ism.

It does seem odd that an absolute would depend on something subjective... existential crisis ensues

Sure, if 95% (or any percentage you wish to set) agree on something, then it's probably not a moral gray area. It can't be 100% because you will always find one person to disagree, but it can be close.

For example, I would say that crossing the street on a red light when you can see that there are no cars for miles is going to be considered moral by a huge percentage of people. It will also be considered illegal in most places.

It seems odd that something can be absolutely moral one polling cycle and not absolutely moral the next polling cycle, if a whole bunch of subjective opinions change, as they have a tendency to do.

What we consider pedophilia now was considered okay in Ancient Greece. Subjective opinions do influence morality.

What you're talking about doesn't sound very absolute to me then, but relative.

Everything is relative. You might say "But murder is not allowed in any society!" but definitions of murder may vary. So in one society euthanasia might be allowed, but not in another. In one society abortion is murder, and allowed in another.

What is truly ethically absolute?

> What is truly ethically absolute?

Nothing, as far as I know.

That's like saying light worked differently in the time of the Greeks because they thought our eyes shoot beams. Face palm

Their understanding of the thing was different, and wrong; the thing in and of itself wasn't.

I agree, the suggested test for determining if something is absolutely moral would lead to that kind of off result.

Let me ask you this: we can test theories about how light works by making predictions about how light will behave in some circumstance and then by running an experiment and checking if the prediction was correct.

If instead I have a moral theory which suggests something is absolutely moral, what prediction can I make based on that theory?

You're so sure Ancient Greeks were categorically wrong, in their behavior towards individuals modern society would consider underage?

Hmmm, something tells me that their era was profoundly different in serious ways that aren't captured in recorded evidence that is available to us.

Before you even get to social interaction among peers, simply weather, disease, medicine, wild animals and poverty were all probably profound dangers to everyone across the face of the earth.

Never mind literacy, and writing, just imagine how many normal human beings were completely feral, or mute, or incapable of communicating verbally, for a wide range of reasons, including growing up in isolated wilderness and simply never learning organized speech, as part of a formal language.

Anyone who might help another person by sharing food and staying warm was probably of marginal practical use, until the next period of hard times, either because of the random of marauders or nature taking its course.

I'm pretty sure healthy people who you could hold a conversation with were in short enough supply that once familiar, everyone made quick use of any luxuries available. No books or formal education, meant bootstrapping these things as new ideas which had no generational inertia, which means probably very nearly everything for most societies was very comfortably (or not comfortably at all) based on oral traditions.

Also people fucking died. Early. Lots of people's teeth were probably gone by 25. Blindness in an eye or both was probably kind of a little bit normal by 30 for many.

So, age was probably a different thing back then. In places where misery is coming from all directions, I'll allow for degrees of moral relativism. Especially for any period pre-dating the emergent modernity of ancient Rome. Any nomadic society that can't exactly distinguish diseases from curses and witchcraft, or even weather and plagues from punishing deities, kind of gets a hall pass.

I'd say that if 95% or any majority of population agree on something, it can make something LEGAL. There are some ethical systems that prescribe universal morals regardless of however many people agree. For example, in utilitarianism, killing someone who is about to poison a water supply (thus probably killing many others) would be morally good. Deontology or absolutist moral theories prescribe that killing is always immoral.

> For example, in utilitarianism, killing someone who is about to poison a water supply (thus probably killing many others) would be morally good.

Maybe, depending on other alternatives available.

> Deontology or absolutist moral theories prescribe that killing is always immoral.

Most real deontological systems prescribe situations in which murder is justified, and self-defense and defense of others are common examples, and the broad outline ends up looking a lot like what common utilitarian approaches would yield. (There's a good argument to be made that most moral systems are rationalizations from preferred treatments of common situations and that people don't really tend to reason forward from principles, anyway, so it's not that surprising that the radically different root principles of utilitarian and deontological approaches end up with similar results, because they are mostly alternate rationalizations for those results.)

And in fact, jury nullification is the ability of a jurist to find a defendant innocent when they believe the law is wrong, even if they've determined the defendant to have violated the law.

I'm married to an attorney. I like to think she's generally honest. She has put together some form contracts for software businesses I've been in, and they have the nice attribute that everybody says "this is a fair deal" and signs them.

I can say that the legal code of ethics has some bright lines in it.

If a client gives you funds to hold for some reason, and you put them into your own account, and you get caught doing that, you get disbarred: you lose the right to call yourself a lawyer and/or appear in court for your clients.

If you give another lawyer money to induce him to tell his client to sue your client so you both get fees, you get hauled up before the bar overseers on charges.

If you talk about your clients' business without their permission, you get hauled up on charges.

To say "lawyers are unethical" is to fall prey to the availability heuristic. We all know about scumbag pols who happen to be lawyers.

I think gregwtmnto has a point. If we software people had something like Professional Engineer (PE) registration (civil engineers have that), it would help. Companies gathering sensitive information could ask for a PE to sign off on the security measures. That would serve them as a defense should somebody sue them for damages after a leak.

The same is true for bridge designers. PEs sign off on the designs, after making sure the bolts are strong enough and the pilings are deep enough and all that stuff.

This cyber security subject is near to me; my present (small) company finished our PCI (payment card industry) audit yesterday. We've worked hard to avoid the stupid webdev tricks in Troy's article, and even some not-so-stupid vulnerabilities. These stupid tricks erode confidence in all of us.

Hold my beer. Watch this!

Security is near and dear to me too, so I'll use that example for my rebuttal.

Would you like to know how many companies I have found serious vulnerabilities in which had previous audits for things like PCI and ISO 27001? Their CISOs had cute certifications, too. They could talk all day about what XSS is, what a good business continuity plan looks like, all the different types of "risk treatment"...

I've sat on the other side of an audit, as an internal security engineer for a bank. Our QSA literally said to my team one day, "That sounds great, now can we switch gears and talk about your cyber program?" I like to think we honestly did well on those PCI audits, but I also know that we didn't have to do well. We could bullshit our way through it. And even if you try hard, it has little to no signal. Requiring engineers to know OWASP, or to memorize organizational risk facts doesn't work. Requiring your company to get a third party audit sort of works, if you know what a reputable firm actually looks like. Requiring your company to get third party "network segmentation scans" is a waste of time that will leave you wondering how a company stays in business that reports false positives all over your infra.

The security industry is a rabbit hole of oblivion. Vendors don't know what they're doing. Consulting firms barely know what they're doing. What you suggest will not meaningfully change that. As I repeat time and time again, the most talented and effective individuals I've known in the security industry have no certifications, or reluctantly get them to shut HR up. Some of them never even went to college. You would need to dramatically rethink what an enforcing agency looks like to have effective certifications without allowing them to be the rent-collecting they currently are.

I would be genuinely interested in hearing a concrete proposal for what an effective certification or licensing body would look like and how it would fairly enforce its requirements. If it's a model that could work, then fine; hit reset on the current organizations or dramatically improve their processes. But comparisons to other industries aren't good enough, and thus far the evidence is stacked against it.

You are right about the porousness of certifications.

I guess part of the problem is the legalistic approach we take to security, in practice. A crude example: to be secure, passwords have to be changed every 90 days. Check.

If the QSA firm finds we're following all the rules, we get certified.

But rules lull us into complacency. Rules give cybercreeps an accurate roadmap of our cyberdefenses. If they know ways around our defenses, we're pwned. So, adhering to the letter of the security regulations, while not actually bad, isn't enough.

Dealing with the OWASP top ten is good. But, if I were a cybercreep, I'd be working on the down-chart problems, OWASP 13, 14, 15 etc.

A related question: How do we frame laws to outlaw corruption among politicians? Laws create loopholes.

As you point out, lots of charlatans and idiots hold themselves out as cybersecurity experts. How do we deal with the problem? My immediate objective is to keep cybercreeps outside my firewall and away from my customers. And if they get in, my objective is to expel them quickly.

I argue that transparency is key. We can only defend against what we can see. The open source movement helps. I argue that a registered professional engineer certification provides at least some transparency about qualifications and ethical motivation, a transparency our industry now lacks.

Can you please link to Troy's article? I'm interested in reading it.

Agreed, but it also goes even farther than just avoiding doing things that are immoral. We should be breaking laws that prevent us from doing the right thing.

Snowden probably broke some laws, but we're all better off for it.

Fortunately, most people in tech understand this!

That's the grey area in a global network. You're probably breaking someone's rules. You need a good foundation of what you believe and to take responsibility and stand up for that.

The problem isn't really rules so much as a lack of substance in the industry. Even in this case where the author takes a stand and says to "just say no" the top right menu says "domains for sale". Even if you don't consider the domain industry itself shitty there's a huge overlap between that industry and things that are ethically questionable online. If one wants to change things, the system has to change first.

> If one wants to change things, the system has to change first.

Isn't that a bit of a chicken and egg problem there? The way I see it, the system won't change if those who want change are waiting for the system to change first.

> If one wants to change things, the system has to change first.

Ha! Show me your mettle.

In my 20 years of IT, I've worked for a health insurance company (during the height of the 2008 debates), a defense contractor (I only made software licensing servers for them, but we still got e-mails about what bills we should support), multiple telecom companies, two governments, a news agency, a debt collection firm, a shoe shop, a University, etc.

I don't think I've ever been asked to do anything illegal (to my knowledge) but I've seen tons of things that have been very unethical. No matter what field you are in, if you open your eyes, you'll see what your company does to stay on top, how their lawyers will stretch things and often settle out of court, and how your industry will lobby for laws that do not protect consumers. I've only written about health care because I think that was the most blatant and currently affects the most people:


You should always leave if you're asked to do something illegal (and luckily that's never happened to me), but even if your company isn't an Uber or Wal-Mart, they're probably still doing something questionable, even if it's just to compete with the bigger players. It is a reality we have to deal with.

I'll say my favourite position was probably the University. I enjoyed working for a place that, although paid a lot less, was less about a product and more about supporting the staff, faculty and students. Don't get me wrong, I still saw a lot of problems and money wasted on stupid stuff, but overall it was a good, non-morally objectionable work environment.

I work at university now and agree. I worked as an IT person and a compliance person at a bank as well. Was never asked to do anything illegal or unethical.

I have known people that do bookkeeping who see transactions that give them pause. Family trips written off as business trips and things like that.

>some kind of rules for professional conduct and an organization to enforce it like the lawyers have.

... how's that working out for you guys?

I mean, no offense, but the two professions require roughly the same mental acumen and amount of investment in learning materials (though lawyers go down a more academic path and must pass a bar exam, strictly there is more they "must" master) -- but out of "sleazy lawyer" and "sleazy programmer" which do you hear?

Likely because lawyers must represent their clients - some of whom are sleazy.

But I wouldn't take the ethical standard set by the legal profession as a paragon for other professions to emulate. Obviously it has severe limits.

I don't know why we don't hear "sleazy programmer" more often. It's pretty apt. If you're going to write stuff to track people online, that's pretty sleazy. If you're writing stuff for governments to surveil mass populations, that's pretty sleazy. If you're writing a lot of those mobile "freemium" games whose goal is to hook whales, that's pretty sleazy.

I wouldn't call those faults. What you call sleazy lawyers the software profession call those cowboy coders working in advertising, finance, or comp sec.

They are just those outside the mainstream. The fact that those sleazy lawyers win cases should show they perform a valuable service from the ambulance chasers to the corporate defenders.

How many TV shows are there about lawyers compared to how many TV shows are there about programmers?

The general public doesn't hear enough about programmers to have much of an opinion on whether some of them are sleazy or not.

> same investment in learning materials

Don't you need to go to law school to become a lawyer in most places? That's a lot of money. You can learn to be a programmer using a cheap laptop and public library WiFi.

I meant time investment - both need to master an objectively large body of knowledge. (By the way it is also possible to "read the law"[1] though not common.)

[1] https://en.m.wikipedia.org/wiki/Reading_law

There are a lot of places where you can't take the bar exam through just reading the law, you need a degree.

There is such a code, jointly published by the ACM and IEEE CS[0]. It's simple and sound. In many ways anyone of ordinary decency can intuit the principles.

It has no teeth and I expect it never will, despite numerous attempts by national bodies to entrench an accounting/legal/medical style of enforceable professional standards.

[0] http://www.acm.org/about/se-code

For those of us who got degrees in college with the word "Engineering" in the name, there's also the Order of the Engineer, which is entirely about professional responsibility and ethics.


In Canada it's known as the Ritual of the Calling of an Engineer.


This is something of a tangent, but I have started to wonder if the push to teach "everyone" to learn to code has resulted in a growing population of software developers who are not acquainted with professional ethics. Does anyone know, does the typical coding bootcamp or hacker school curriculum cover ethics? IIRC, ethics education is part of the accreditation requirements for both computer science and computer engineering programs.

The Engineers Order was established after a very public bridge failure with loss of life, where engineers signed off plans that should never have been approved.

Things got better, in the Western world bridge and building collapses are rare. But software on the other hand - data breaches are a common occurrence, and those who signed off on the weak security are never held accountable.

This was entirely moderate, reasonable, and well thought-out! To be honest, I was expecting vague committee-written platitudes. I was wrong. This is well worth a read.

You'd need some insane malpractice insurance if you agreed to some of the things in there. The first rule alone is way too broad "Accept full responsibility for their own work."

That's an interesting point. I wasn't reading this as a binding legal framework. That would be a recipe for disaster. This document is full of sound ethical advice. It's not unreasonable to say that you're morally responsible for the code you write. If you work for a bad company that does bad things, I'm going to judge you for that, just as I expect to be judged. And this document sets up a reasonable standard by which we can judge software developers.

But legally? That's a whole other can of worms. Giving this document the force of law would just make it easier to shift the blame in a crooked organization onto the people writing its software. At most, I could see affirmation of this document and an oath to abide by it as the basis for membership in a voluntary professional organization.

Yes, but who is doing the judging, and how? What does taking "moral responsibility" mean?

Laws are not perfectly correlated with morality (regardless of your ideology), but they at least provide a methodology of implementation and disciplinary action.

If I stand to gain from unethical software, and the worst thing that happens to me is some vague entity with no power holds me in disrepute, why do I care? It's not an effective code at all, it just feels good for its proponents.

> Yes, but who is doing the judging, and how? What does taking "moral responsibility" mean?

Hasn't this already been solved? Take a leaf out of Engineering or Medical licensing.

A little broad and opinionated at points I thought.

> diminish quality of life, diminish privacy or harm the environment.

Could you work at a targeted advertising company or at resource extraction (eg mining)?

> Consider issues of physical disabilities, allocation of resources, economic disadvantage and other factors that can diminish access to the benefits of software.

Seems like some economic SJW stuff, and would you break your oath if you didn't add blind accessibility to your GUI?

> 3.03. Identify, define and address ethical, economic, cultural, legal and environmental issues related to work projects.

This seems way outside the scope of a developer, especially if we are speaking of technical and deep fields like health care or finance.

The rest isn't too bad. I often fear things like this would just be used to beat people over the head that disagree with "best practices" in the industry or work in unfavored industries.

> Could you work at a targeted advertising company or at resource extraction (eg mining)?

You're on the right track. These moral codes are supposed to get people thinking whether their acts are really ethical, or just rationalized as such.

I work in high frequency trading - I'm sure many would try to disbar me if we had a bar.

Since lawyers deal in argument, I think they are better at knowing where to draw lines like this. Reading HN or worse /. I don't think developers can do this well. I used to poke around legal forums a lot and their discussions were much better and well argued compared to dev forums.

>> Consider issues of physical disabilities, allocation of resources, economic disadvantage and other factors that can diminish access to the benefits of software.

> Seems like some economic SJW stuff, and would you break your oath if you didn't add blind accessibility to your GUI?

If you forgot about maybe ensuring blind accessibility, then you goofed. If you were informed of this issue, and refused to seriously consider the matter, then you broke the code of conduct. If you seriously consider the matter, and decide not to implement blind accessibility after estimating the cost/time for doing so, then you are in agreement with the code.

>> diminish quality of life, diminish privacy or harm the environment.

> Could you work at a targeted advertising company or at resource extraction (eg mining)?

Environmental: I would guess the typical example of unethical software engineering is the big VW diesel scandal. As far as I understood, the Bosch engineers who wrote the offending code clearly documented that it is for debug purposes only, and use in production would be unethical and probably illegal. Were these engineers in breach of the code-of-conduct? In my view this depends on whether there is a good debug justification for the code; if not, then they acted unethically by even writing it and should have refused. The code-of-conduct requires them to think about whether such a feature is justified for debug purposes.

Did the VW people who put this into production break the code-of-conduct? Absolutely.

>> 3.03. Identify, define and address ethical, economic, cultural, legal and environmental issues related to work projects.

> This seems way outside the scope of a developer, especially if we are speaking of technical and deep fields like health care or finance.

I think that the code-of-conduct just requires that you carefully think about these matters, and accept that your personal ethical responsibility cannot be discharged by "my boss/customer told me to do this".

> Seems like some economic SJW stuff

I love how the existence of whiny college students becomes a shorthand excuse to write off anyone who wouldn't be chosen to appear in a Mentos commercial.

Like the ACM/IEEE Software Engineering Code of Ethics and Professional Practice [1]? The tricky part is enforcement because Professional Licensure in Software Engineering is relatively new and I suspect won't become widespread.

We had to study this code in my Computer Science program's ethics course.

[1] http://www.acm.org/about/se-code

Any suggestions as to how those rules for professional conduct would be enforced?

A lawyer can be disbarred, and this is easy to enforce because they can't go into a courtroom and defend or prosecute afterwards.

Developers have no equivalent. There is no way to dictate who can and can't work as a developer. Perhaps you could create some sort of agency that every developer needs to be a part of to work, but I don't ever see developers all agreeing to give an organization that much power.

Sorry, I have trouble seeing lawyers as example for professional conduct. In my view it's often lawyers that push the limits of ethical behavior to the absolute limits.

Exactly. Plenty of people complain about the state of our privacy right now. But when Google offered a job interview to me, I refused and my entourage thought it was a bad move. Well, you live in the world you create.

I don't see how such a system could be implemented in a meaningful way. If any system would have a chance of being supported by the US government, then it probably wouldn't rule out the bad behaviour examples you give. If by some chance it did anyway, it still wouldn't be likely to apply to many parts of the world (or at least would be unenforced).

Also, since you mention doctors and lawyers, it is my feeling that many bar associations and state medical boards are more interested in protecting the finances of their senior professionals as well as their own organization than the public that they should be serving. That is not to say that I feel we would be better off without those organizations (certainly not in the short term), but it makes me hesitant to want to see such organizations brought to any more fields.

But then what, no one is allowed to own a compiler or interpreter until they get a degree?

I don't know, currently they don't make pencils and paper illegal to own unless you have an engineering or architecture degree. And you can even legally use those tools to draw buildings and work out math formulas. You just can't represent the final work as an engineer in specific contexts.

The software equivalent would be that you can't sign off on code for a safety critical system without proper credentials. Now that doesn't mean you can't write such code, just like the guy swinging the hammer and striking a nail doesn't need to be an engineer.

I think that would be one of the major issues.

Here's how that situation is handled on the legal side in the US. Anyone is permitted to practice law for themselves, but to practice law on someone's behalf, you need to be admitted to the bar.

I'm not endorsing it, but I can imagine a situation where anyone can write code on their own, but to get paid to do it, you need a license (subject to ethics rules). Again, I'm not supporting the idea, but it could work that way.

>Here's how that situation is handled on the legal side in the US. Anyone is permitted to practice law for themselves, but to practice law on someone's behalf, you need to be admitted to the bar.

Important caveat: companies must be represented by a licensed attorney. A non-attorney startup founder cannot represent his/her own company in court. This is technically legally compliant with "someone else" since the corporation is a distinct legal entity, but it means that if you can't afford a lawyer (and which of us working slobs can these days?) and someone sues your company you are SOL.

Courts are seeing a massive rise in pro se litigants over the last 15 years, entirely because legal services are stretching to costs that put them outside the reach of non-millionaires.

Law is a great example of the nightmare that software can become if we go overboard on regulation. There was once a time where becoming a self-taught lawyer was not all that different than becoming a self-taught programmer. You could learn just by "reading the law" and shadowing professionals, much like you can learn just by reading (and writing) code today. It was at least partially merit based and some of the best legal minds of the last generation came up this way.

Now, you have to sacrifice 6 years of your life and easily half a million dollars to be allowed to even try to sell legal services, and the market is so flooded with low-end graduates who are stuck in this desperate situation that many of them can't even sell their services anyway, due to the extreme competition in the lower rungs (driven by student desperation to find work to pay down that massive debt and the artificially constrained supply by the ABA's excessive licensing requirements).

This is the worst possible idea ever. Get government out of our lives!

More likely a license, granted by some developer's guild (or worse, a government body) that allows you legal access to SWE tools and the ability to be a paid developer. Lose your license and the few proprietary tools around can reject your code signature or the guild can sue you. This sounded like fiction when RMS proposed this dystopia in the 90s but consider a future where complexity is so large only a handful of tools exist that can manipulate said complexity, or medical programming where access to 'bio IDEs' is licensed like dentists/nurses are because of insurance requirements.

That sounds horrific.

No, you just wouldn't be able to practice professionally until licensed, the same way medicine, law and "real" engineering work.

Lots of engineers work professionally without a PE.


Most engineers work professionally without a PE. I think it's something like 80% of engineers never get a PE.

This idea that all other engineers have a PE is rampant in the software field, but it's just not true.

Most engineers don't offer services to the public. Every public building, bridge and road you've ever used were all overseen and signed off by a PE. Same with the infrastructure for your local utility companies.

Most software engineers don't provide services directly to the public either, but licensure would be a necessary first step to regulating the field.

Having PEs sign off and oversee projects is not the same as all "real" engineers being licensed. If you believe that "real" engineering is the model for software engineering, then only a small fraction of software engineers would have a PE.

That's not necessarily a bad thing. At the very least, I think it's reasonable to require that certain software engineering projects have some professional oversight, but that doesn't mean that the intern needs to be licensed, just that the important architectural bits of a project are approved by a competent professional.

That's a stupid attempt at solving this though. It would drive every capable but un-licensed programmer right in the arms of organized crime who would be more than happy to employ them.

Just like all the unlicensed doctors?

I don't think it's a good idea to require licensing for most software engineers, but I think this specific concern is not actually a significant issue.

I think it could be a significant issue.

1) Quite simply, software is much easier to learn than medicine, so you have a larger supply of capable software engineers than doctors. If the market for their services is being artificially suppressed, they will gravitate to wherever their services can make money.

2) There is a black market for medical services. Ever heard of a back-alley abortion?

> Quite simply, software is much easier to learn than medicine, so you have a larger supply of capable software engineers than doctors. If the market for their services is being artificially suppressed, they will gravitate to wherever their services can make money.

The black market for exploits is already very lucrative. Devs willing to take that money are probably doing so already.

> There is a black market for medical services. Ever heard of a back-alley abortion?

Back alley abortions exist mostly because of restrictions on legal abortions, not because doctors aren't allowed to practice without license.

So if a teenager who is getting into programming has an aunt who is selling quilts on the side, he can't help her set up a custom website?

Or he can, as long as he only writes static HTML and not a line of javascript, or he can do that as long as she doesn't pay him even a nickel or a free quilt?

He can't represent her in court or officially do her taxes, why should he be allowed to officially render other professional services to her?

Because the alternative is rent collecting. What you're proposing would make it illegal to upload HTML you wrote yourself to a domain you own and collect money for it. It's one thing to require credentials for specific specializations within the industry that have critical safety impact (like aviation); it's another thing entirely to require my nephew to be licensed before he can upload code to the internet.

It's mind boggling to me that you'd even make this argument...taxes aren't even a good example. I can officially do my own taxes and I'm not an accountant. So would the aunt have to "unofficially" have her nephew write the code, then pretend to have written it herself and everything is fine? That's currently legal with taxes - I help my own family with them.

Furthermore, ask me how often I've seen a company get hacked that had ISO 27001 certification from a security firm with more letters after their names than employees.

Define "professional services." Forget programming, can she pay him to help her build a shed in her backyard?

It makes sense to require some sort of accreditation for systems that must be failsafe against significant financial, legal, or physical harm. But it doesn't make sense to require it for the digital equivalent of a backyard shed.

And even safety-critical systems don't require the force of law.

I develop embedded software for safety-critical systems. There is no force of law governing that in the US, but there are industry-recognized service providers that will evaluate your design and provide a certificate affirming that it adheres to specific standards such as ISO13849 and IEC61508. No-one in this industry will buy an uncertified product, despite no law telling them they have to. There is no need to create a law that will have massive unintended consequences.

I'd see it more like the Writer's Guild, Director's Guild, or Screen Actor's Guild. They don't stop you from entering the field, or from doing smaller work, but once you start doing professional work, you would need to join the guild. (I don't know where that line would be drawn, and right now, it's not important to me.) The existence of such guilds does not mean that non-members can't buy paper, director's chairs, or cameras.

That reminds me of the HTML Writer's Guild, which used to be a thing in the 90's: http://hwg.org

The laws, ethics, morality were all constructed by people who disregarded them and were able to build massive fortunes and influence before they invented the gun with force.

Except we don't have kings anymore but hundreds of thousands of corporations writing the rules to benefit their shareholders who collectively act as the brain.

We are nowhere close to understanding our field well enough to define it as carefully as that. There have been lawyers since the Roman Empire. We've had software development for a few decades. Check back in 50 years or so.

> We are nowhere close to understanding our field well enough to define it as carefully as that. There have been lawyers since the Roman Empire. We've had software development for a few decades.

That's an important point, but even so, not knowing a lot doesn't mean we know nothing. We certainly know that using source control is important, we know some languages, some APIs and some practices are inherently unsafe, and projects using those should implement stringent security audits in particularly vulnerable deployments. They largely don't, and it's hard to argue that this isn't unethical.

I guess I sort of agree with this, but you just "knew" virtually every mainstream OS, database, and web server into "unethically unsafe", and if you believe that: are you going to stop using them right now? Keeping up with the competition isn't a license to surrender your ethics.

I'm just saying it's complicated, and part of that is because we don't really have a good grip on the problem.

It's unethical if there are any safer, viable alternatives. In systems programming, there is little reason not to use Ada for instance (hopefully Rust soon).

Finally, classifying the creation of something as unethical doesn't necessarily entail its use is unethical. An unethically developed cure for cancer would certainly be widely prescribed and used, despite the long history of medical ethics.

Engineer is a title in France, you sign an oath. In my eng. school, not following this oath later in your career condemns you to prison, loss of title and interdiction of practicing the job ever again. Does work pretty well.

The problem is that software engineers have a lot of "power" and not a lot of "management that goes to bat for them".

I had this issue at a previous job, someone above me wanted access to some info they didn't need for their job and I ended up sending an email saying "As the Jr Developer, I have the authority to tell you to go through HR and prove your business need for this". The problem is that developers are put under IT and that's not exactly perfect.

You forgot the smiley at the end of your last sentence.

As an attorney myself, I wonder if you are insinuating that participating in lawful government programs conducted by DoD or the IC, like SIGINT or cyber warfare operations amounts to professional misconduct (edit)?

By that logic, providing legal counsel to any number of federal government departments or agencies is a violation of professional conduct. Which, of course, it is not.

A lawful program can be immoral and participating in it probably is going to inherit that problem.

You seem not to admit that possibility in your phrasing.

No. I'm speaking to professional misconduct. Touching on their point, that a professional conduct regulatory body would not preclude participating in the precise activities they reference as unethical.

Your edited comment is harder to misread.

All professional engineers (including software engineers) do have such a code of ethics. Which isn't to say they necessarily adhere to it any better or worse than most software developers.

I would consider it immoral to be a member of such an organization.

> enables mass government surveillance, dark patterns, big data aggregation, and cyber warfare.

It's far from obvious that these things are unethical or immoral.

Sure, that's the consensus among a vocal segment of the readership of HN, but I imagine that the security services have no problem finding people who think surveillance and cyber warfare are necessary and patriotic duties, or that adtech companies can find people who think targeted advertising is a glorious expression of efficient free market entrepreneurship.

You will find plenty of lawyers working for the Justice and Defense departments, and also defending tech companies against privacy-related lawsuits.

In Canada, software engineers are bound by a code of ethics that is shared by all engineers, and you can't use the label engineer without it.

Like the Bush lawyers and the torture enabling memos?

Or the DoJ lawyers filing uncontested FISA warrants for inappropriate things?

I know! You must mean the federal prosecutors who overcharge as a matter of course to have negotiating leverage for plea deals.

Or maybe the patent trolls? Upstanding folks those are!

Lawyers definitely don't (categorically) do anything besides what their client wants, externalities and ethics be damned.

It is true that some lawyers do bad things. But what you're ignoring is the great number of bad things that lawyers don't do because either a) they are afraid of the professional consequences, b) they can get their clients to easily back off because they say, "professional ethics!" and people know it's a real thing, or c) they get disbarred and can't act as a lawyer any more.

As an example, look at the Prenda Law guy, who was basically using his status as a lawyer to run a high-tech extortion scam. He's had his license suspended, and will surely be disbarred:


Or look at Jack Thompson, famous hater of video games, who got disbarred for making "defamatory, false statements and attempted to humiliate, embarrass, harass or intimidate" people:


And of course there are plenty of people who have been disbarred for cheating and abusing clients.

I too would like the legal ethics to be stronger on the "do no harm to society" side. But there's no denying that legal ethics have real teeth. Our industry could learn something from them.

Sure, lawyer rules have a great deal of influence as to obligations of a contractor and the decorum they're supposed to operate with. Programmers could do better there.

That's not what the post I was responding to was talking about. It was talking about "all immoral or unethical activity", and specifically about surveillance, dark patterns, data aggregation, and cyber warfare.

Lawyers have signed off on all of those behaviors at their organizations (particularly the surveillance and cyber warfare ones). They've done contortions to get them "approved" in contracts. If the lawyers at those organizations okayed it, it's fascicle to pretend engineering ethics would've stopped it.

Further, when talking about "all immoral or unethical activity" it's entirely germane to point out lawyers routinely engage in both without consequence.

tl;dr: Lawyer rules are about professional standards, not conduct. You can represent the devil in his suit to rule the world, you just need to be polite and bill fairly.

> But what you're ignoring is the great number of bad things that lawyers don't do because either a) they are afraid of the professional consequences, b) they can get their clients to easily back off because they say, "professional ethics!" and people know it's a real thing, or c) they get disbarred and can't act as a lawyer any more.

Most lawyers don't do bad things because they're decent people. Ethics codes don't stop unethical behavior any more than laws stop crimes. There is some small percentage of the population who will shy away from a crime specifically because of the potential punishment, but most people wouldn't steal or murder regardless of the law. Ditto for lawyers.

Not at all. Codes of ethics are very helpful in preventing unethical behavior because they summarize a large amount of careful thought about ethics. That's one of the reasons so much of religious thought and literature, theistic and non-, is about the finer details of good behavior.

Being a decent person is a good start, but that's just not enough. It's a complicated world, and the obvious thing isn't always the right thing. Especially when people are embedded in an economic system that strongly rewards behavior that could easily be ethically dubious.

And unethical people tend to follow ethical guidelines?

Ethical guidelines can be useful for times when the person wants to do the right thing and the area is gray (e.g. should I represent a client I believe is guilty), but people who are content with unethical behavior will not be swayed by a code they promised to follow. An imperative to honor a promise implies intrinsic ethics.

Most of the actions that would actually get you disbarred are pretty flagrant.

> And unethical people tend to follow ethical guidelines?

This is a false dichotomy. Some people are deeply unethical. Some people are deeply ethical. Most people are just getting along in their lives and can be pushed in either direction by the practical and social context. Codes of ethics are helpful for everybody except the ardently unethical.

It's not a false dichotomy. You started by saying that ethical codes were responsible for stopping most/much of the bad things lawyers could do. I'm saying that's patently untrue. Most of the bad things lawyers could do don't happen because most lawyers are decent people.

Codes of ethics are helpful precisely when things are not clearly "bad", but in the gray areas.

> You started by saying that ethical codes were responsible for stopping most/much of the bad things lawyers could do.

Would you care to tell me where I said that? Because I don't see that at all.

Reviewing the bidding, gregwtmtno, a lawyer, said maybe we could use a professional code of ethics like his profession had. SomeStupidPoint suggested that ethics didn't matter to lawyers, and his proof was naming some things lawyers did that he thought were bad.

My point was that one can't say that legal professional ethics is totally worthless just because of when they've failed (or at least failed to prevent things you dislike). You have to look at its successes as well as its failures.

> Would you care to tell me where I said that? Because I don't see that at all.

That's how I read this: But what you're ignoring is the great number of bad things that lawyers don't do because either a) they are afraid of the professional consequences, b) they can get their clients to easily back off because they say, "professional ethics!" and people know it's a real thing, or c) they get disbarred and can't act as a lawyer any more.

> My point was that one can't say that legal professional ethics is totally worthless just because of when they've failed (or at least failed to prevent things you dislike). You have to look at its successes as well as its failures.

That's fair enough. I don't think codes of ethics are worthless either.

It seems like you disagree with me. Can you please state your argument without the sarcasm?

> implementing some kind of rules for professional conduct and an organization to enforce it like the lawyers have.

The rules for professional conduct, and the organization to enforce it for lawyers, did not prevent the NSA/DOJ lawyers from determining that mass surveillance was legal, and could be implemented legally.

In the face of that, what rules for professional conduct and an organization to enforce it like lawyers have, could engineers have implemented that would have prevented those engineers from building that system?

I'm not convinced that what the NSA/DOJ lawyers did here was unethical. One of a lawyer's roles is to answer the question: "Is what I'm about to do legal? On what grounds?" Here, they analyzed existing laws and determined an approach to doing mass surveillance that, they believed, would be legal.

They didn't build the surveillance system, nor did they pass the laws in the first place that would allow for such a system to be legally built.

Regarding the engineers here, it's not black and white. Looking at the ACM code of ethics, #1 is "Software engineers shall act consistently with the public interest." Is building a mass surveillance system "in the public interest?" That's grey. My personal opinion is "no", but I can see the point of view of "Protecting my country from terrorists is in the public interest."

If we're going to look at the NSA surveillance systems, the first place to look is at the legislators. If we want to prevent the government from building such systems, step 0 is to make these systems illegal. That ripples down all the way through this: the lawyers' analysis would have come up negative instead of positive, and it's clearly not in the public interest to build systems that have been democratically-determined to be negative.

Yes, having legislators not make laws that are against the public interest should be step 0, but that isn't really relative to a professional code of conduct for software engineers.

Note that I specifically mentioned mass surveillance because the original poster pointed it out as "field that enables mass government surveillance", then wonders about the implementation of a "rules of conduct". The natural implication being that those rules of conduct would have helped stop the enabling of mass government surveillance.

> I'm not convinced that what the NSA/DOJ lawyers did here was unethical. One of a lawyer's roles is to answer the question: "Is what I'm about to do legal? On what grounds?"

The lawyer says, "This is legal, here are the grounds for believing it is so. I'll go into court and defend it". The engineer says, "This is technically possible, there are the grounds for believing it is so. I'll build it and maintain it". What is the reasoning for saying then that a lawyer has acted ethically (even though mass surveillance is not in the public interest), but the engineer has acted unethically (because mass surveillance is not in the public interest)? What is the quintessential concept that allows lawyers to ignore the public interest, but precludes the engineer from doing so?

And if there is nothing that we can point to that differentiates lawyers and engineers in this manner, then how would a professional code of conduct (like lawyers have) prevent the actions that the original poster specifically highlights.

Hopefully this isn't seen as splitting hairs, but I'm going to take your statement from the engineer and divide it up:

> This is technically possible, there are the grounds for believing it is so.

I don't see an ethical conundrum here. Determining whether a system could be built is amoral at worst, or in the public interest at best. If an engineer says "this could be built" and a lawyer says "this could legally be built", that's when you get into a spot where you can have real societal discussions about whether or not it should be built.

If something is legal to build, but impossible to build (given current technology), then it's mostly an idle curiosity. If something's illegal to build, but technically possible, then there's reasonably compelling evidence that you probably shouldn't build it (save for, e.g. civil disobedience).

> I'll build it and maintain it.

That's where the ethics comes into play, and the grey area. If something is both legal and feasible, then it's up to you to decide whether or not it's something you want to be part of. I can look at the folks who built the mass surveillance system and say "I don't believe that was ethical", and others can look at it and say "I'm so proud of these people for defending my country".

An opposing piece of technology would be end-to-end encrypted messaging. In my world view, end-to-end encrypted messaging is perfectly moral. I believe that people should be able to communicate without having their conversations eavesdropped. But I also recognize that this does enable immoral/unethical activity as well; it's just that, to me, the balance leans towards private communication. Others may (and do!) disagree.

Nor should it. That is the point of courts. If the courts uphold the decision, then it is by definition within the code of conduct.

Maybe I can help.

Among the various professions that do have an ethical code of conduct, generally speaking lawyers/solicitors are not seen by a large amount of people as being particularly compliant with it.

Now of course it is very possible that it is a wrong perception by the masses, but it is in my opinion quite unlikely that at the moment the argument "engineers lack a code of conduct, they should take lawyers as an example" will gain much popularity.

Maybe you ought to respond. Sarcasm or not their point was crystal clear, it seems like you're deliberately avoiding an answer.

Your proposed solution doesn't address the stated problem in the field you're discussing (law), why would it solve it in a different field (tech/software)?

It just so transparently doesn't work in that field it's hard to even take the proposal as in good faith, since it has to ignore newsmaking and routine behavior. Rather, it comes across as a self-righteous comment: we have ethical standards (even if we routinely don't adhere to them and do terrible things as a matter of course) so clearly those engineers would be better if they were more like us!

The sarcasm likely wasn't constructive, so I'll apologize for that.

I'll certainly agree that the rules of professional conduct in the legal profession don't prevent all unethical conduct, but that doesn't mean that they are completely ineffective.

Having enforceable rules may improve ethical standards in the field without solving the problem entirely.

I'd also like to point out that I did not propose a solution. I think it should be considered, but I'm a long way from supporting the idea fully. There are a lot of negatives that come with license requirements that attorneys have.

They're so ineffective that they might as well not exist.

The only rules I've seen applied to lawyers with any regularity are those governing decorum (eg, don't be an ass in court) or client obligations (ie, don't be a shitty contractor) or those that are also criminal (eg, if you commit fraud, we'll yank your license too). Technology could do better there.

But to call out government surveillance or cyber warfare, which are both overseen by legal departments that work diligently to inventively authorize the activity? Or dark patterns and data collection, where lawyers go through contortions to authorize it in "agreements"?

I would say all four of your chosen examples are more failings of lawyers than engineers. (Though both bear some responsibility.)

It just seems strange to suggest professional rules for engineers would've stopped something that clearly professional rules for lawyers did not.

Their argument is pretty clear.

As you might expect, lawyers have a fairly crisply defined set of rules about what their ethical (sorry, "professional") responsibilities are [1]. On the Multi-state Professional Responsibility Exam (part of the bar exam required to practice law), there are questions where you are penalized for selecting an answer that is too ethical (i.e., where you may believe it to be the right thing to do, but where the Code of Professional Responsibility imposes no such duty on you).

[1] https://www.law.cornell.edu/ethics/ny/code/NY_CODE.HTM

My constitutional law professor Ron Rotunda got himself entwined in those torture memos, at least as far as being mentioned in connection with their authoring. What exactly his role is remains unclear but that shook me pretty deeply:


> If you’re reading this as a technical person: there will always be technically clueless people who will attempt to use you and your skills as tools to commit some crime.

You may be overstating that a bit. I've been doing tech for a while, and I can't recall anyone ever asking me to abuse my skills for ill-gotten gain.

I didn't read that as "this will definitely happen to you", it's more like "these people will always exist, so don't be surprised if it does happen".

That sounds pretty bleak. You SHOULD be surprised if this happens to you.

How exactly does whether or not you are surprised make a difference in anything?

Why should I be surprised? Questionable people exist. People in general are going to ask for questionable activities to be performed regardless of if they realize what they are really asking for.

>You may be overstating that a bit. I've been doing tech for a while, and I can't recall anyone ever asking me to abuse my skills for ill-gotten gain.

A few years ago, a guy contacted me from HN, asking if I wanted to team up on some stuff. He sounded pretty convincing, and like an all-round decent guy.

For some reason, despite his likability, something seemed not quite right. I searched for a few variations on his name and email, and eventually stumbled across various reports of low-level frauds directly attributable to him. Really a very unpleasant individual, targeting the self-employed and taking them for ~$5,000 each.

If I'd spent less time researching, I'm certain two things would have happened:

1. He would've screwed me out of whatever agreement he and I came up with.

2. Whatever I worked on would have been used to defraud people one way or another.

When someone approaches you, it's not always immediately obvious that they're trying to do bad stuff.

EDIT: I'd nearly forgotten, a good few years ago, someone tried outright recruiting me for illegal work after seeing a LOOKING FOR WORK post I'd written here on HN.

Of all things, they asked me to hack some local authority's death records. Bless them, they'd taken the "hacker" part of Hacker News to be a literal news site for illegal hackers.

I have left a senior role when I found out that what they were doing could conceivably be treated as criminal - deciding factor was pretty much speaking to a lawyer and they said "leave now" (NB the lawyer in question being my wife).

They went on to have a decent exit so that decision cost me roughly £1 million - I've never regretted it, I don't really have the temperament for a life of crime.... :-)

Maybe you don't hang out with the kind of crowd that thinks like that, but the number of times I've been requested to commit crimes - from classic fraud and insider trading all the way to straight up hacking - is insane.

Funny enough, even the semi-technical ones are guilty of such requests too.

Over the course, I've learnt the hard way that saying no upfront is better than dealing with the fallout later.

Probably, but you didn't realise.

There are a lot of people interested that simply lack the technical insight to know exactly how to approach you or if what they want is even possible. If you are not the kind to boast about work at the pub, they will simply fail to find an opening that lets them know: that their scheme is possible, that you can do it, and that you would do it.

Of course, I come from a relatively bad area too. It is filled with people that share the spirit of Valley Startup Founders: nothing is ever really idle chat, every conversation is an opportunity and every minute must be productive. Their business model and area of expertise are a lot more shady though.

On that last line you're referring to MLMs, right?

A company I worked for basically told me to make the "opt-out of emails" checkbox not work. Which means whether you opt in to our emails or you don't, you get emails anyway. Most people would just assume they left it checked (even if they did uncheck it). Being the lazy person that I am, I just said "oh, that's just less work for me implementing that functionality"

but I'm sure that's technically breaking some anti-spam law

Deceptive subscription of email addresses to a mailing list will lead to a larger percentage of emails reported as spam. This will in turn increase the chance that Gmail / etc. mailbox provider will take actions to prevent you from contacting users in the future. If the newsletter is an important part of your business, losing it could be devastating.

Sometimes a matter of ethics can be reframed in the context of long-term reputational risk. "X bad incident related to our reputation" can be a lot easier to attach a dollar value to than "being unethical", and that is (in the end) what many engineer-employing companies care most about.

I definitely think that's a more realistic example of the things that might happen. It won't be the shady guy on the street corner, it'll be your boss asking you to do just one little thing.

While working in billing IT at a CLEC, I was asked to produce a phone bill for the CEO, with a printed physical address that didn't correspond to where he actually lived. I assumed (and still do) that it had something to do with a school district scam: he wanted his kids to attend a good school, without paying extra tuition. It was easy enough to do, and I don't feel there's much about the funding of USA public education that's worth defending anyway, but I can see how it could possibly have led to a series of increasingly immoral/illegal escalations.

Same here. The only thing I can think of is that I've been contacted by a client to log in to a locked machine. He knew that I could theoretically log in to the machine with an account of a former employer. The intent wasn't criminal or illegal, but it didn't feel right, so I didn't do it.

I've been asked to do something unethical twice. Both times I was able to talk the boss into something ethical instead. In one case, the alternative was better, so I can't really be sure I convinced them on the ethical merits, but the other one definitely revolved around ethics.

I've also told every company that has hired me, during the interview, that I refuse to do anything unethical. Of course they didn't bat an eye at it, but I wonder how many would have been surprised that I actually meant it and would stand up for it.

I remember it happening as a kid, but mostly being asked by other kids who want me to hack into an ex's email account - nothing (so far!) of the sort of thing that would get me dragged into a shadowy underworld.

Except that the law is so complicated, the company might have itself asked you unlawful things unknowingly.

I agree, but I don't think the OP was trying to include (practically) unknowable laws in his main point.

Try living in Miami for a while.

You do live on planet Earth don't you? human=corruption

When I was a teen I was offered cash to turn back speedometers many times, and always refused. This started after I set the speedo on my own car back to zero, but I was customizing it for myself, not flipping it for a fast buck, and it was already 25 years old anyway.

Back around the turn of the century I was offered a bit of cash to build a "Revenge Porn" site. The guy who called me sounded very mild and calm, even nice. He did say he'd been turned down a few times but he also seemed determined to make the site.

I had never heard of this idea at the time and was pretty surprised with the concept. I turned him down, of course, but what surprised me most was how many friends and acquaintances told me I should've taken the cash when I told them the story.

I'm 58 years old now and the number of people who've asked me to help with their scams, and have tried to scam me, is far more than I can remember. With all that experience I can spot them easily now but it never ceases to amaze me how willing some people are to do that.

The only scam I've ever been asked about was at an SEO conference. I was talking about how awesome selenium and browser automation was. Someone asked if I could make selenium log into gmail and click "not spam".

What are the odds, that a potential scam would be proposed at an SEO conference?

That is hilarious. I would've been speechless, and at the same time resisting the urge to punch them in the nose :D

> what surprised me most was how many friends and acquaintances told me I should've taken the cash when I told them the story.

This has been my experience as well. It doesn't inspire confidence in people.

I don't wish for the feeling of desperation on anybody. Even for someone who has morals, desperation can warp your sense of reality. Back when I was a truck driver, I had a substantial offer from someone to transport a duffle bag in my utility lock box across state lines. I was desperate, and it was a lot of money. I rationalized, told myself it was just gonna be some drugs, and I never get pulled over anyway. No big deal, I told myself. Until I grabbed the bag, and realized it wasn't drugs. Took a peek once I was out of sight, and it was definitely submachine guns. I started panicking and about 10 miles down the road came up with my plan. I pulled over, punctured a cooling hose, ran my engine til I overheated, and then called my contact and told him I had overheated and steamed out all my coolant and wasn't going to make it. That interaction was probably the most terrifying experience of my life. Never again.

That plan could have backfired horribly. The police would have stopped to help you. Or your contact could have refused to pick up the phone, or could have just said "you made a deal. Now deliver the bag, no matter what it takes."

Depends on the drugs. A duffel bag of weed isn't going to hurt anyone. A duffel bag of meth or oxy will most likely kill many more people than a bag of machine guns. Unless your country was in a civil war at the time, I imagine those weapons never saw use. Hard drugs, on the other hand, get consumed and regularly kill people and destroy lives.

Don't be naive. I heard guns like these from my bedroom window growing up, and that was in Stockton CA. And the Central Valley, along with AZ, NM, and TX have a huge problem with transporting guns to Mexico where they are in a civil war.

Those guns were probably going to the drug cartels in Mexico.

So what happened to the submachine guns?

> Took a peek once I was out of sight, and it was definitely submachine guns

Can't you order that stuff over the mail in the US?

No. An example of a submachine gun is the ubiquitous H&K MP5 [0]. It cannot be easily purchased (legally) because it is a fully automatic weapon, meaning that it has a setting where pulling the trigger once can fire > 1 bullets, and it's less than 26 inches in length, classifying it as a short barreled rifle (SBR).

An MP5 can be legally owned, with a few caveats:

* It must have been manufactured and registered with the ATF as a machine gun prior to 1986. Guns meeting these criteria are fairly rare and very expensive. I don't know the price for a registered MP5, but I would guess > $20000.

* You must apply for and receive a special approval to purchase a machine gun.

* You must apply for and receive a special approval to purchase a SBR.

However, a variety of companies make semi-auto (one trigger pull = one bullet) MP5 clones that can be purchased more easily. Clones are sometimes built with an extended barrel so they are not considered a SBR and can be treated like any normal rifle. A common strategy is to hide the extra barrel beneath a fake non-functional suppressor [1]. Alternatively some are made as SBRs for people who are willing to get the SBR approval.

[0]: http://discovermilitary.com/wp-content/uploads/2010/02/mp5.j...

[1]: http://mfiap.com/images/F30028878.jpg

This kind of information is very useful to know - even if you firmly believe regulation of automatic firearms is a good idea. I'm not a gun enthusiast, but this summary helps shed some light on a debate many folks are badly informed on. Thanks.

Thanks for the thorough answer! My impression was largely based on Gus van Sant's movie "Elephant", where the boys bought some real badass looking rifles over the mail.

Interesting. Well, I don't know what the movie portrays, but there are two ways that I know of to legally order a gun and have it delivered to your door (though I doubt either is exciting enough for a movie).

* You can get a Curio & Relic (C&R) license from the ATF which is basically a collector's license. It applies to eligible guns (i.e. not machine guns or SBRs) > 50 years old such as [0]. When you do an online/mail order the seller will require you to send a copy of your C&R license before shipping.

* Some guns aren't legally considered to be firearms by the ATF. This primarily (only?) applies to replicas of black powder guns [1][2].

Any other purchase must be sent to a licensed dealer, and when you pick it up from them you'll do the same paperwork as when purchased directly off their shelves.

[0]: https://www.classicfirearms.com/m9130-hex-receiver-russian-m...

[1]: http://www.cabelas.com/product/shooting/black-powder/traditi...

[2]: http://www.cabelas.com/product/shooting/black-powder/black-p...

For a firearm purchased by mail from another state they have to be shipped to a federally licensed dealer and the transaction has all the same requirements as if you were just buying from the dealer in person.

There's lots more details than that, but it isn't a free for all.

You can buy functional relics that are well over 30 years old if they were registered before they were banned, and you're gonna need to be federally licensed to possess them, and you're gonna be paying in the 5 digit range for the privilege. Needless to say, these weren't those.

You can definitely order a black powder pistol (and the caps and balls and powder) through the mail, no background check required (I guess some states do have restrictions, mine apparently did not).

I ordered one years ago and the delivery service left it with my neighbor whose ID they did not check.


Granted it's not a sub-machine gun and takes a bit to load but it is a repeating firearm every bit as deadly as one that uses conventional shells.

Semi-automatic firearms are perfectly legal in all 50 states. (With some restrictions on barrel length, magazine size, accessories, etc)

Fully automatic weapons are more heavily regulated. Large taxes, permits, etc.

I believe the author’s post is a little condescending and ignores the nuances of such situations. Sure, it's easy enough to "just say no" if you're already pretty successful and have a lot to lose by engaging in illegal activity. But what about the talented hacker who has failed career wise and is going through a really tough phase financially. It might seem that there's everything to gain and nothing to lose.

If you have a choice of being able to feed your family or “just say no” to modifying an odometer, what would you choose?

Practical ethical behavior isn't just about decisions in the moment. It's about making good long-term decisions so you are in a position to make good short-term decisions.

You can always create some hypothetical narrow situation that will justify a bad action. But so what? If you do the bad action, you are still morally responsible for the bad action. And you have still fucked up enough in your life that you let bad people put you in a position of having to choose between one bad action or another.

In the early days of the consumer Internet, I'd often call up spammers and talk with them. A lot of the time I heard this blame-shifting, self-justifying nonsense. They had bills to pay! Families to feed! They were just going through a bad patch! They were good people, it wasn't their fault, they had to spam!

Circa 2009 there were a lot of people who were losing their suburban homes because they took out loans to cover "bills". And in the sympathetic articles about them, you'd see the house with the picture of two nice cars and a boat and they'd be wearing nice, name-brand clothes. Ah, those bills. And sure, I get that consumer capitalism ruthlessly exploits the primate status drive. But c'mon, people: you have no good choices now because you made some pretty bad choices before. Own your shit.

You see the same exact moral vacuity in startup founders who get in over their heads. "I'm a good person! But we just had to sell your personal data to the highest bidder! But I'm a good person!" Well sure, but you also took millions of OPM to start a tech company with no clear revenue model while simultaneously telling your users that you were the most ethical company ever. Water runs downhill, genius.

TL;DR: Ethics aren't cheap. If you really want to have them, you have to prepare.

I'm not sure that's a great example, if you're in the position to sell data to the highest bidder that means people were stupid enough to give you that data and you're free to do what you like with it.

Then again, maybe this is just an ethical divide.

If your theory of ethics is "when people trust me I can do anything I want to them", then we are at best on opposite sides of an ethical chasm. But I'm not sure that "I will take advantage of anybody I can" qualifies as ethics at all.

It's not really taking advantage if they gave it to you consensually. You're not taking anything from them, they're not losing anything, they gave you info voluntarily, you're just selling it.

That's just ridiculous. So much of taking advantage is in the context of apparent consent. Confidence games, for example. Abusive relationships are by and large consensual. Shitty bosses take advantage of workers all the time, even though those workers are there voluntarily.

Comparing a very common business practice today to an abusive relationship? Really? Merely to call it "taking advantage of" is highly questionable - often it's just part of the deal - you get a free service, that's how you pay. No one is taken advantage of, it's mutually advantageous.

There is no substance to this reply. You just dismiss my points without addressing them and assert as true things that are disputed. You conflate is with ought, and normal with moral.

I can't tell if you're trolling or not, but at this point I'm not sure it matters.

So let's just clarify quick here, you're on a tech focused startup oriented site, making comments saying that you genuinely think that one of the most common tech startup business models is immoral in its entirety and that people don't have the free will to choose it, because it's inherently that abusive?

How would you apply that thought if a friend gave you their credit card and asked you to buy something for them?

What about if you ran an online store that held credit card numbers, or any other sensitive data?

Both situations are different - they're losing something that they didn't give you - their money.

I disagree - in both situations, they gave you something for one purpose, and you used it for a different purpose that they didn't consent to. They didn't give you their info so that you could sell it.

What's the difference between someone being 'stupid' enough to accidentally give you access to their money and someone being 'stupid' enough to give you their private information?

It's not private information, it's information they gave me in exchange for a service.

Are you kidding me? I would just say no.

It's much more to lose your family and life by going to jail than it is to use public services to get assistance for food and shelter. Even if you don't go to jail, the amount lost in legal expenses is going to far outweigh the money brought in from said activities. Moreover, it's going to seriously impair your ability to get a job in the future, in the particular field that you've currently been experiencing failure in.

>It's much more to lose your family

That's exactly the point. If you didn't have a family, didn't have a career, if you were already broke and don't have money for rent, maybe you have a drug habit or some other personal demons, what's to stop you? What other opportunities do you have? What do you have to lose? The calculus is completely different.

That assumes you live in a country where "public services to get assistance for food and shelter" exist. Not everybody is so lucky.

It certainly isn't always _just_ say no.

Yes, it is. If you are willing to do bad things, it doesn't matter the reason. Those people in 3rd world countries calling with tax scams or calling "from Windows" about a virus are bad people, straight up.

I don't think there's all that much nuance there.

> It might seem that there's everything to gain and nothing to lose.

There's almost always more to lose, it just might take time. If you think providing for your family is hard today, how much more difficult would it be for them if you were in prison, or were paying restitution, or were unable to find work due to a past conviction?

No. The truth is the desperation you describe is faced every day by many and they still don't commit crimes. What you do is choose to keep working at what's right.

We can certainly justify stealing a loaf of bread during hard times to keep your child from starving after you've tried everything else you could, but not making a career out of turning back speedos. One speedometer, maybe, but not one a week. That's a racket.

> If you have a choice of being able to feed your family or “just say no” to modifying an odometer, what would you choose?

Let me generalize that for you: If you have a choice of being able to feed your family or "just say no" to commit a crime, what would you choose?


If it's a Robin Hood scenario it can be morally justifiable.

If the crime is stealing from anyone, rich or poor, so I can live easier, then no.

The circumstances don't matter. If it's unethical when you're rolling in dough, it's unethical when you're poor. You say no, period.

Great advice. I once let a company license legitimate software (a history cleaner before browsers offered this functionality) I wrote and they wrapped it in adware and caused a lot of people headaches. It felt gross. They didn't make it clear what they were going to do with it beforehand, but there were signs I should have noticed--their business model description sounded too good to be true. You can't just wash your hands of these things and have a clear conscience because you didn't do it personally.

The low point was finding their adware on my mom's computer.

Personally, I made it a rule after that to avoid business relations with the morally questionable. They drag you down.

My first co-founder was a brilliant engineer. One day I borrowed his car (a fancy late model sports car) for an errand because mine was blocked in. But the speedometer didn't work which made for some strange driving. When I asked him about it, he said, "Oh I disconnected it to improve its resale value."

We didn't remain together much longer.

To this day, the value of a relationship with another businessperson = sum(assets) * EthicsFactor. EthicsFactor is 1 or 0. There is no in-between.

Nice post, Jacques. It sure feels nice to comment in one of your threads again.

That's a nice formula, but how do you quantify ethics? You've committed the Wittgensteinian sin of attempting to quantify something without first defining it. You'd have a difficult time just qualifying ethical behavior with any substantive agreement, based on this thread.

It also sounds like you'd need to be inconsistent in your value judgement or accept being lonely with your ideology. You cut off someone you trusted enough to be a cofounder, who you considered brilliant, because he disconnected the speedometer? It doesn't sound like a pattern of behavior here so...what do you do if your closest friend shoplifts but is otherwise okay? What if your significant other doesn't do the dishes? Do you ask people why they do things you consider reprehensible, or give them a chance to explain themselves and understand the chain of events that led to their decisions? I'm assuming not if you really do mean "binary"...

Think of the most minor unethical thing you can. Would you cut ties with your parents because they did that? If not, your ethical system is not actually binary. The real world is messy, and your philosophy frankly doesn't seem to work.

I think your point is well taken, but, on the other hand, I think that a willingness to screw other people over really is a pretty major red flag for business partnerships.

Yeah, good point. I'd agree.

"EthicsFactor is 1 or 0. There is no in-between."

I can't wrap my head around how naive this sounds. You've never come across morally-grey situations?

I'm trying - but for the life of me I can't figure out how a disconnected speedometer would improve the resale value of the car. Did you mean he disconnected the odometer - or is there something I'm not picking up on here?

In vehicles I am familiar with, the speedometer and odometer are both on the same circuit. Removing the fuse will cut functionality to both devices.

The odometer is driven by the speedometer in many vehicles.

Ah - I wasn't aware of that fact. Thank you!

So naive it's funny. He could have lied ("Oh, a wire came loose, but I have a service appointment booked later this week") and you would have been none the wiser. So does him telling you the truth raise or lower his EthicsFactor?

All a binary EthicsFactor does is reward pure goodness (doesn't exist) or pure evil (hopefully doesn't exist). That's also why video games with Karma meters don't work. If you can't achieve an EthicsFactor of 1 (spoiler alert: you can't), then you might as well go for 0 and try and benefit from that as much as possible. So your binary EthicsFactor thinking incentivises people towards bad behaviour. Fail.

Luckily, most people and the law are more nuanced than that.

If I adhered to the same system of morality as you do... I'd have most likely ended up working as a counterintelligence operative.

I'd like to hear your opinion on the following:

1) Is capital punishment 1 or 0?

2) Is euthanasia 1 or 0?

3) Is abortion 1 or 0?

I love the formula you pose for thinking about this, and it's so true. Ethical behavior is binary, and a lack of ethical behavior isn't compartmentalized into one small area.

My moral system is so incredibly far away from viewing ethical behavior as binary that I can not relate to how someone would think that way. How do you place the line, where an instance of behavior you don't agree with makes you view someone as not ethical?

When you come from a place of privilege, it's easy to think human behavior is binary.

For example, I would never steal a car! I can afford one, and to be quite honest, I don't need one.

If I was deep into poverty, and needed a car for a job or to be able to provide some function to my family, that temptation might be there. It might be so great that it distorts the ethics of the person so much so they don't see it as unethical.

Instead of stealing a car, they're borrowing it or the other person can just get another one. They would legitimately not see wrong because they feel like they have been wronged when they do not have the ability to get a car.

TL;DR: Ethics are not binary. To even suggest that undermines the entirety of the philosophy dedicated to studying it.

What you described is rationalization. That doesn't make the act of stealing a car any more moral. It's still incredibly immoral.

Not if you don't believe in the concept of property; then stealing has no meaning.

Except you're still acting immorally by forcing your belief system onto others who don't share that belief system. It doesn't matter if you don't believe in property; the person who owned that car does.

Inversely, the other person in your example is forcing their concept of property on others.

When you grow up in an ivory tower so you never have to make hard choices, you have no frame of reference as to the chain of decisions that lets someone commit an "immoral" act.

I put it in quotes, because in the real world morality is subjective, despite what the privileged hackers in this thread will tell you with formulas.

It's easy to make ethics binary when you just stop at what is legal and isn't. If you're the kind to jaywalk because you know there's no car so it doesn't matter, your ethics are probably a lot more nuanced though.

I'm not sure whether you're being sarcastic. In any case, your comment is the perfect n-gate.com fodder.

Is your name Javert?

I have a story of temptation and pressure---not as good as Jacques's but maybe interesting anyway. I was leaving grad school (not for tech) and getting back into programming. I had two new kids, and I was really ready to stop living on $21k/yr (my student stipend), but I didn't have a lot of work yet, and I wasn't sure how my 5-year hiatus would look.

I had done a few projects for a small agency, and the owner was having me spec & quote work for potential new customers. One of these customers wanted us to build a "dashboard" to control a fleet of machines that would generate fake reviews for sites like Yelp or Amazon. I'm not even sure if that is illegal, but it didn't seem good. I told him it didn't sound like work we could do. If he had been just my customer, it would have been easy, but it raised my anxiety to say it to my customer's customer.

I think Jacques's conclusion about "a bad beginning" is very wise, and I'm glad he had the foresight to see all that. I hope his story helps keep other people out of trouble. His writing it up is really a gift to them.

I am curious how much this extends to: A) Facebook and Google mining people's data B) Cisco building extensive surveillance systems C) Microsoft was blatantly abusing its monopoly

I could go on but all these had many many engineers involved. And best of it all, most of it was .. legal. When something is outright illegal, it's easy to say no.

If you're offered a job from Facebook should you say "no"?

If you believe that Facebook is unethical, yes. Stand up to what you believe. It's harder in the short run, but it's much easier to sleep at night in the long run.

I suspect lots of people would like to go back and change things they did.

I certainly would. Strip-mining social graphs might have some interesting technical challenges, but I'd go back to factory work before doing that.

Up to you. Follow your heart.

Yes, same goes for Amazon.


I've had people try to get me to do illegal things for 25 years. It was much more aggressive and enticing when I was young. It's easier for adult me to recognize and reject these advances than it was for teenage me. It wasn't always even money that was on the table, but recognition and acceptance which can make you do crazy things.
