Slashdot Mirror


First, Do No Harm - A Hippocratic Oath for Coders?

rhysweatherley asks: "With the increase in spyware, spam, etc, is it time for a Hippocratic Oath for Programmers? Should programmers be able to refuse to write code that harms the public more than it helps? Should they code defensively to prevent software and information being misused for unintended purposes? And how do we protect such programmers from being dismissed unfairly for standing on principle?"

7 of 538 comments

  1. Can be used for good or evil by BusterB · · Score: 3, Interesting

    This is the classic dilemma with all technology, which can be used equally to promote good as well as evil. Encryption software enables privacy for bad guys as well as good, just like guns protect people indiscriminately. While it's a good idea in a perfect world, it can't be done. It's a variant of the old 'guns don't kill, people do'.

  2. Re:when you wont do it.... by Publicus · · Score: 5, Interesting

    they'd just fire you and hire someone else. If you are unwilling especially now there will be 10 other people willing to do it and take your job if you aren't.

    You're missing the point. First of all, I don't think there's 91% unemployment among software developers. Secondly, if there was any kind of organization among programmers independent of the employer then the employer would have a hard time bringing down this type of action.

    I don't think a "union" would occur, but I wouldn't be surprised if a professional organization of ethical programmers would arise. I would imagine members could fetch a better salary, especially if there was some competency requirement, as doctors have the Medical Board exams.

    It would hurt the self-made programmer, but I would certainly rather see that type of accreditation than what we have today: MCSE, MCSA, etc...

    --

    My Karma was at 49, then they switched to words. All that work for nothing!

  3. Re:Even doctors are abandoning the Hippocratic Oat by btempleton · · Score: 4, Interesting

    True enough, so let's get to the real meat of the issue.

    Doctors take this oath, and follow other rules, as part of being a *certified* profession. To be a certified profession means there is a governing body, and often the government, which defines whether you are a doctor or not, and defines whether you can practice medicine.

    Certification makes sense in a very limited set of professions where the practitioner will be doing something life-critical like cutting you open, or defending your freedom in court, or designing a bridge for you -- and just as importantly, in cases where you have a consulting relationship with the professional rather than an employment one.

    If you're going to trust somebody you barely know with your life for a short-term contract, you bet you want some external means of certifying that they are capable of the job.

    But with a very few exceptions, programming and sysadmin are not like this. There are of course many consultants, but most are actually employees. Instead of the government defining who is a programmer, the employer decides who they want to hire.

    What would an oath for programmers mean? Would there be a certifying body checking things? Would it get to define who was a programmer? Would somebody not be allowed to be a programmer if they didn't take the oath?

    That's not what we want.

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation

  4. What exactly is disallowed? by tapin · · Score: 4, Interesting

    The Hippocratic Oath, as I understand it (IANAD), didn't exactly have too many gray areas. "No harm" meant, among other things, "don't cut someone open" even if it meant, say, removing cancerous tissue.

    The Geek Oath would be even worse off when it comes to gray areas. For example:

    I used to work at a (now defunct, like the rest of 'em) dot-com. Our software was, by most definitions, spyware: If you downloaded and installed our software, it would keep track of what you listened to (via pretty much any media player -- we had the top twelve or so covered by the end) and send that info to our servers, which would respond with a wealth of information -- current news, tour dates in your area if you so chose, new releases, etc. The longer you listened, the more information you would get -- "Oh, I realize you're not listening to Radiohead right now, but by the way they've got an album coming out..."

    Now: a) We never attempted to sneak onto someone's system; b) We made the uninstall as painless and obvious as possible; c) We never hid the fact that we were sending back listening statistics. But still, we *were* monitoring what you were listening to.

    So would I have been in violation of this theoretical Geek Oath?

    (Save your flames and your "I'd never!"s -- fact is, a lot of people did, myself included. It just Didn't Work Out, but our management handled the end -- once it was obvious that it was inevitable -- very well.)

  5. Philosophy of the ACM Code of Ethics by jesterzog · · Score: 4, Interesting

    The basic idea behind the ACM code of ethics, which was first developed in the 1960's (but has been amended many times since) is to avoid being specific or definitive in any way. There are good reasons for this that were published in an ACM paper titled "Rules for Ethics in Information Processing", by Donn B. Parker in the ACM journal for March, 1968, describing the reasons that the code of ethics was designed how it is.

    If you look at the code of ethics carefully, there are virtually no declarations in the entire thing that state "thou shalt not" or "thou shalt". If there's anything that says that, it puts the judgement of what it means on the member themselves.

    When it comes down to it, the code of ethics is more of a requirement that ACM members use their common sense and do what they truly believe is right and ethical in a way that is within reason acceptable to society. Every single person has their own idea of what is ethical, and the boundaries are very fuzzy. As soon as you start drawing lines, you create as many problems as you solve.

    It has been used in the past to kick people out of the organisation. I think one of the first times it was used was to dismiss a member who'd put workarounds in some banking software so that his own account had certain financial advantages over everyone else's... or something similar. He was put before a committee representing ACM, he couldn't ethically justify what he'd done in a way that satisfied the committee, and so he was thrown out.

    The ACM paper above is a good read about why it isn't a good idea to have a strict code of ethics. Personally I think the ACM approach is a good way to do it.

  6. Giving a code of ethics teeth by Animats · · Score: 5, Interesting

    The National Society of Professional Engineers has a code of ethics that means something:

    • 1. Engineers shall hold paramount the safety, health, and welfare of the public.
      • a. If engineers' judgment is overruled under circumstances that endanger life or property, they shall notify their employer or client and such other authority as may be appropriate.
      • b. Engineers shall approve only those engineering documents that are in conformity with applicable standards. ...
      • e. Engineers having knowledge of any alleged violation of this Code shall report thereon to appropriate professional bodies and, when relevant, also to public authorities, and cooperate with the proper authorities in furnishing such information or assistance as may be required.

    This works. Very few structures fall down in the developed world because of engineering errors.

    One way would be to require that programs whose malfunction can cause nontrivial harm be signed and sealed by a registered professional engineer, the way building plans are signed. To give this teeth, certificates for code-signing would be issued only through registered professional engineers.

    Someday, programming may grow up and go this route.

  7. Programming requires at least 5 years university by ciurana · · Score: 3, Interesting

    I don't know what kind of programmer you're referring to. It took me five years to get my degree in Computer Engineering, plus a lot more time of ongoing education since I graduated in 1990. That was an extra five years after getting my associate degree.

    I actually have very little respect for doctors' attitude that 'we save lives'. So do I when I design control systems running heavy machinery, or avionics, or run an industrial plant, or whatever. Like any other profession, medicine is full of people who aren't as capable as others. The problem I see with doctors is that they all want us to believe that they're 'holier than thou'. I don't accept that. If a doctor fucks up, a patient dies. If an avionics software engineer fucks up, a couple of hundred people die.

    If the state of the medical profession, HMOs, drug manufacturers, and other health services in the United States is any indication, I'd much rather be an unlicensed software engineer than an "ethical" doctor. Why is it that medicines and medical attention cost as much as ten times as what they cost in other countries?

    As for the cool technologies OSS has today, keep in mind that a great majority of them are re-implementations of software developed privately or under a university grant. Somebody did the research and h4x0rs re-implemented it. I support OSS (and not GPL'd, by the way; other licences like BSD are more to my liking but that's me), so don't go flaming me for this comment. A h4x0r != software engineer, though often a software engineer is also a h4x0r. People forget (even on /.) that coding is only the smallest part of the profession. System design, knowing how to analyze and apply the correct algorithms, understanding the OS (or how to build one), the compilers (or how to build them), and so on are as valuable as coding. I met many h4x0rs, even employed software "professionals" who don't have a clue of how to code something as simple as a Quick Sort.

    Last time I checked, there are all kinds of charlatans developing 'miracle cures' and diets and what have you that, in the end, try to pass for members of the health industry. Turn midnight TV on and see for yourself.

    Cheers!

    E
    --
    http://eugeneciurana.com | http://ciurana.eu