First, Do No Harm - A Hippocratic Oath for Coders?

rhysweatherley asks: "With the increase in spyware, spam, etc, is it time for a Hippocratic Oath for Programmers? Should programmers be able to refuse to write code that harms the public more than it helps? Should they code defensively to prevent software and information being misused for unintended purposes? And how do we protect such programmers from being dismissed unfairly for standing on principle?"

Abigail's Oath is my favourite

[judd]

"I am hired because I know what I am doing, not because I will do whatever I am told is a good idea. This might cost me bonuses, raises, promotions, and may even label me as "undesirable" by places I don't want to work at anyway, but I don't care. I will not compromise my own principles and judgement without putting up a fight. Of course, I won't always win, and I will sometimes be forced to do things I don't agree with, but if I am my objections will be known, and if I am shown to be right and problems later develop, I will shout "I told you so!" repeatedly, laugh hysterically, and do a small dance or jig as appropriate to my heritage."
-- Abigail, as reworked by Mike Sphar

Re:Don't blame the programmers

[Lemmy+Caution]

"I was just following orders." Frankly, I'll blame both. And the fact that programming has the least sense of professional responsibility of any profession I can think of, even less than lawyers. (Gasp! But it's generally true.)

Huh? Of course, anyone can refuse to do wrong!

[markwelch]

> Should programmers be able to refuse to write code that harms the public ?

Of course. In the USA and most western countries, nobody is required to engage in conduct they believe is illegal, unethical, unsafe, or unpleasant -- with the exception of certain positions in the military, who are required to follow the chain of command in most circumstances.

Of course, there are economic pressures: if the only living-wage job in your community for which you are qualified is to work in a coal mine, or in a prison, or writing virus code, then you must make an economic decision: Balancing.

Nobody has to write bad code. If you believe that your shop should never release code unless it includes sixteen types of "defensive code" (resisting viruses and privacy-invading applets and so on), then you tell your employer those terms, and your employer will decide which action to pursue: ending your employment, or changing its practices.

We have all had those "moments" in our lives where we had to make a decision about Right and Wrong. If I do this, is it Right or is it Wrong? If I do this, can I accept the consequences? If I do this, will I be able to respect myself as a person? If I do this, how can I explain myself later to my child?

Sometimes, the decisions are easy: your employer assigns you to load toxic waste into drums and to pour it into a river. Sometimes, the decisions are really hard: your team has spent 1,000 hours testing your code and you are pretty sure that it's good, but you really wish that you had more time for testing, or a different regimen for testing, and now your team leader announces that he's going to release the code -- it certainly makes a difference if the code we are talking about is Doom III or the operating program for a nuclear reactor.

Everybody has a different benchmark. I've heard lots of stories, all of them quite respectable:

• I can't do this because if I ever run for public office, this would ruin my chances
• My religion prohibits this
• This violates the "golden rule" (do unto others...)
• My professional ethics prohibit this
• I cannot do this and still be a role model for my child
• This violates my personal beliefs
• This is just, plain wrong, and I won't do it.

In my opinion, you should use whatever test makes you pause and refuse as often as possible. When someone suggests that the problem is that "we might get caught," I lose all respect for that person: that statement already accepts that the action is wrong (nobody ever says "I'd love to help you rescue that child from the burning building, but I'm afraid I might get caught").

Sure, there are things we do that we wouldn't want to discuss with our kids -- not because they are "wrong" but because they are personal or unpleasant or simply not appropriate to discuss with a child.

Life is full of hard choices. I think that 99% of the time, we know what is the "right" thing to do. We often recognize that we are doing something 'wrong' and we have lots of excuses, and some of them feel quite tolerable (I need this job, my kids need health insurance, little harm will come, or harm is quite unlikely).

A long time ago, I found that when I was in certain kinds of situations, I found it "necessary" to do certain things. It was my job, it was legal, it was appropriate -- but it was unpleasant and people disliked me because of it. I had to decide whether I wanted to be the kind of person who did those things. I decided that I did not want to be that kind of person, and I recognized that I could not do my job competently without being that kind of person. I quit my job and changed my profession.

And now, to the question at hand:

> "Should [programmers] code defensively to prevent software and information being misused for unintended purposes? And how do we protect such programmers from being dismissed unfairly for standing on principle?"

Okay, now we are looking at something much less clear. What kind of application are we talking about, and what kind of abuse or misuse are we worried about?

There are various issues to balance, including potential legal liability, potential adverse publicity and adverse market response, and of course potential harm to the public.

Legal liability is a good starting point. If I am writing the code for a new version of a Microsoft operating system, and I already know that there are 1,000 viruses that attack Windows systems, I probably would be legally liable for releasing a product that is vulnerable to one of those existing viruses, if I could easily and inexpensively block them. An internet-ready operating system with no protection against known viruses, would be a defective product, and I'd probably be legally responsible for the damages, at least to consumers. Even if legal liability were avoided (for example, through enforceable contracts), the adverse publicity and of course the complete failure of the operating system to work, would result in complete market failure: people would not buy this product or my other products.

Now, let's look to the harder case. Suppose I am responsible for the coding for Doom III, a complex computer game that (I assume) includes internet-play. I know there are viruses out there, and I know that there are malicious people out there. I also suspect that someone could write a virus that would target my widely software, attaching itself and perhaps even trying to propegate to other users or distribute private data or system-access information by modifying the code that allows internet play. Must I write code to resist that potential virus? No matter what I do, a clever cracker will find a way to circumvent my efforts -- but what must I do? How much time, what portion of my budget, should be spent to fighting crime?

Basically, it's a balancing act.

Try another example: your employer asks you to write a database or accounting program. You know that it is quite likely that your program will be purchased and used by drug traffickers to track their shipments and profits. What duty do you have to prevent such uses, or to detect such uses and report them to law enforcement?

Try another example: your employer asks you to write a Napster-like computer program that will allow people to share files. You know that some people will misuse the program (sharing copyrighted materials), but you also know that many people will use the program lawfully.

Now, suppose you work for one of these latter two companies, and you decide that your employer is not doing enough to prevent misuse, and you refuse to write certain code, but you also refuse to resign. Maybe your employer's attorneys present you with a "severance agreement" that includes a generous cash severance and a confidentiality clause. Or maybe you already signed a confidentiality agreement, and your employer fires you with no severance.

Damn, I have to side with the employer. There's nothing illegal going on, and you aren't being asked to do something unsafe or improper -- you simply have chosen a set of personal ethical standards that conflict with your employer. So I'd probably agree that your employer could fire you, but I might be uncomfortable enforcing the confidentiality agreement, at least insofar as it might seek to prevent you from talking to appropriate law-enforcement agencies.

It will never happen

[rossz]

There are far too many people who will do just about anything for money. Hell, under the right circumstances, I would write spamming software, even though the very idea makes me sick. I am a family man. I have a wife and daughter to take care of. My first responsibility is to them. "Social responsibility" doesn't even come close. If I had to choose between buying food and paying rent for my family or being socially responsible - fuck society.