Slashdot Mirror
First, Do No Harm - A Hippocratic Oath for Coders?
rhysweatherley asks: "With the increase in spyware, spam, etc, is it time for a Hippocratic Oath for Programmers? Should programmers be able to refuse to write code that harms the public more than it helps? Should they code defensively to prevent software and information being misused for unintended purposes? And how do we protect such programmers from being dismissed unfairly for standing on principle?"
Coders are human, and therefore assholes. Exactly how much spamware do you think is written by enslaved hackers, bewailing the evil they're forced to write? And how much of it is written by people who don't give a shit?
An hippocratic oath is all very well, but it's not going to accomplish anything. Conscientious programmers will refuse to write stuff to which they object, other programmers won't. That'll always be the case, irrespective of any resolution.
I believe teh British Computer Society has a clause in its members' charter which is akin to this sort of thing; it says something along the lines of programmers having to bear in mind the social impact of their work, but I don't know whether they've every kicked any spamware programmers out. I kinda doubt it.
Software Engineering Code of Ethics and Professional Practice
ACM/IEEE-CS Joint Task Force on Software Engineering Ethics and Professional Practices
Short Version
PREAMBLE
The short version of the code summarizes aspirations at a high level of the abstraction; the clauses that are included in the full version give examples and details of how these aspirations change the way we act as software engineering professionals. Without the aspirations, the details can become legalistic and tedious; without the details, the aspirations can become high sounding but empty; together, the aspirations and the details form a cohesive code.
Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:
1. PUBLIC - Software engineers shall act consistently with the public interest.
2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.
they'd just fire you and hire someone else. If you are unwilling especialy now there will be 10 other people willing to do it and take your job if you aren't.
You're missing the point. First of all, I don't think there's 91% unemployment among software developers. Secondly, if there was any kind of organization among programmers independent of the employer then the employer would have a hard time bringing down this type of action.
I don't think a "union" would occur, but I wouldn't be surprised if a professional organization of ethical programmers would arise. I would imagine members could fetch a better salary, especially if there was some competency requirement, as doctors have the Medical Board exams.
It would hurt the self made programmer, but I would certainly rather see that type of accreditation than what we have today: MCSE, MCSA, etc...
My Karma was at 49, then they switched to words. All that work for nothing!
To all companies:
If any of you programmers turns down work on principle, please send it to me. Since I'm a whor^H^H^H^Hconsultant, I'm in business to make money. And I'm willing to write whatever you ask for without giving a single thought to youthful idealism.
Sincerely,
infinite9
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
"I am hired because I know what I am doing, not because I will do whatever I am told is a good idea. This might cost me bonuses, raises, promotions, and may even label me as "undesirable" by places I don't want to work at anyway, but I don't care. I will not compromise my own principles and judgement without putting up a fight. Of course, I won't always win, and I will sometimes be forced to do things I don't agree with, but if I am my objections will be known, and if I am shown to be right and problems later develop, I will shout "I told you so!" repeatedly, laugh hysterically, and do a small dance or jig as appropriate to my heritage."
-- Abigail, as reworked by Mike Sphar
True enough, so let's get to the real meat of the issue.
<P>
Doctors take this oath, and follow other rules, as part of being a <b>certified</b> profession. To be a certified profession means there is a governing body, and often the government, which defines whether you are a doctor or not, and defines whether you can practice medicine.
<P>
Certification makes sense in a very limited set of professions where the practicioner will be doing something life-critical like cutting you open, or defending your freedom in court, or designing a bridge for you -- and just as importantly, in cases where you have a consulting relationship with the professional rather than an employment one.
<P>
If you're going to trust somebody you barely know with your life for a short-term contract, you bet you want some external means of certifying that they are capable of the job.
<P>
But with a very few exceptions, programming and sysadmin are not like this. THere are of course many consultants, but most are actually employees. Instead of the government defining who is a programmer, the employer decides who they want to hire.
<P>
What would an oath for programmers mean? Would there be a certifying body checking things? Would it get to define who was a programmer? Would somebody not be allowed to be a programmer if they didn't take the oath?
<P>
That's not what we want.
Has it been over a year since you last donated to the Electronic Frontier Foundation
The Geek Oath would be even worse off when it comes to gray areas. For example:
I used to work at a (now defunct, like the rest of 'em) dot-com. Our software was, by most definitions, spyware: If you downloaded and installed our software, it would keep track of what you listened to (via pretty much any media player -- we had the top twelve or so covered by the end) and send that info to our servers, which would respond with a wealth of information -- current news, tour dates in your area if you so chose, new releases, etc. The longer you listened, the more information you would get -- "Oh, I realize you're not listening to Radiohead right now, but by the way they've got an album coming out..."
Now: a) We never attempted to sneak onto someone's system; b) We made the uninstall as painless and obvious as possible; c) We never hid the fact that we were sending back listening statistics. But still, we *were* monitoring what you were listening to.
So would I have been in violation of this theoretical Geek Oath?
(Save your flames and your "I'd never!"s -- fact is, a lot of people did, myself included. It just Didn't Work Out, but our management handled the end -- once it was obvious that it was inevitable -- very well.)
To that end, I volunteer to put together the first annual Who's Who in Computer Programming. This book will chronicle the most important, ethical people in the industry and will be invaluable to prospective employers who are looking for the creme de la creme of morally introspective code artisans.
If you feel you should be in this book, please send me your name, e-mail address, and the most complicated typedef or template instantiation you have ever written or even tried to read. Only the top programmers will be selected for publication but for $35 I can see to it that you are given priority consideration, your own half-page, a leather-bound edition of the 2003 Who's Who as well as a certificate (suitable for framing) with your name in large-point gothic letters.
"I was just following orders." Frankly, I'll blame both. And the fact that programming has the least sense of professional responsibility of any profession I can think of, even less than lawyers. (Gasp! But it's generally true.)
Of course. In the USA and most western countries, nobody is required to engage in conduct they believe is illegal, unethical, unsafe, or unpleasant -- with the exception of certain positions in the military, who are required to follow the chain of command in most circumstances.
Of course, there are economic pressures: if the only living-wage job in your community for which you are qualified is to work in a coal mine, or in a prison, or writing virus code, then you must make an economic decision: Balancing.
Nobody has to write bad code. If you believe that your shop should never release code unless it includes sixteen types of "defensive code" (resisting viruses and privacy-invading applets and so on), then you tell your employer those terms, and your employer will decide which action to pursue: ending your employment, or changing its practices.
We have all had those "moments" in our lives where we had to make a decision about Right and Wrong. If I do this, is it Right or is it Wrong? If I do this, can I accept the consequences? If I do this, will I be able to respect myself as a person? If I do this, how can I explain myself later to my child?
Sometimes, the decisions are easy: your employer assigns you to load toxic waste into drums and to pour it into a river. Sometimes, the decisions are really hard: your team has spent 1,000 hours testing your code and you are pretty sure that it's good, but you really wish that you had more time for testing, or a different regimen for testing, and now your team leader announces that he's going to release the code -- it certainly makes a difference if the code we are talking about is Doom III or the operating program for a nuclear reactor.
Everybody has a different benchmark. I've heard lots of stories, all of them quite respectable:
- I can't do this because if I ever run for public office, this would ruin my chances
- My religion prohibits this
- This violates the "golden rule" (do unto others...)
- My professional ethics prohibit this
- I cannot do this and still be a role model for my child
- This violates my personal beliefs
- This is just, plain wrong, and I won't do it.
In my opinion, you should use whatever test makes you pause and refuse as often as possible. When someone suggests that the problem is that "we might get caught," I lose all respect for that person: that statement already accepts that the action is wrong (nobody ever says "I'd love to help you rescue that child from the burning building, but I'm afraid I might get caught").Sure, there are things we do that we wouldn't want to discuss with our kids -- not because they are "wrong" but because they are personal or unpleasant or simply not appropriate to discuss with a child.
Life is full of hard choices. I think that 99% of the time, we know what is the "right" thing to do. We often recognize that we are doing something 'wrong' and we have lots of excuses, and some of them feel quite tolerable (I need this job, my kids need health insurance, little harm will come, or harm is quite unlikely).
A long time ago, I found that when I was in certain kinds of situations, I found it "necessary" to do certain things. It was my job, it was legal, it was appropriate -- but it was unpleasant and people disliked me because of it. I had to decide whether I wanted to be the kind of person who did those things. I decided that I did not want to be that kind of person, and I recognized that I could not do my job competently without being that kind of person. I quit my job and changed my profession.
And now, to the question at hand:
> "Should [programmers] code defensively to prevent software and information being misused for unintended purposes? And how do we protect such programmers from being dismissed unfairly for standing on principle?"
Okay, now we are looking at something much less clear. What kind of application are we talking about, and what kind of abuse or misuse are we worried about?
There are various issues to balance, including potential legal liability, potential adverse publicity and adverse market response, and of course potential harm to the public.
Legal liability is a good starting point. If I am writing the code for a new version of a Microsoft operating system, and I already know that there are 1,000 viruses that attack Windows systems, I probably would be legally liable for releasing a product that is vulnerable to one of those existing viruses, if I could easily and inexpensively block them. An internet-ready operating system with no protection against known viruses, would be a defective product, and I'd probably be legally responsible for the damages, at least to consumers. Even if legal liability were avoided (for example, through enforceable contracts), the adverse publicity and of course the complete failure of the operating system to work, would result in complete market failure: people would not buy this product or my other products.
Now, let's look to the harder case. Suppose I am responsible for the coding for Doom III, a complex computer game that (I assume) includes internet-play. I know there are viruses out there, and I know that there are malicious people out there. I also suspect that someone could write a virus that would target my widely software, attaching itself and perhaps even trying to propegate to other users or distribute private data or system-access information by modifying the code that allows internet play. Must I write code to resist that potential virus? No matter what I do, a clever cracker will find a way to circumvent my efforts -- but what must I do? How much time, what portion of my budget, should be spent to fighting crime?
Basically, it's a balancing act.
Try another example: your employer asks you to write a database or accounting program. You know that it is quite likely that your program will be purchased and used by drug traffickers to track their shipments and profits. What duty do you have to prevent such uses, or to detect such uses and report them to law enforcement?
Try another example: your employer asks you to write a Napster-like computer program that will allow people to share files. You know that some people will misuse the program (sharing copyrighted materials), but you also know that many people will use the program lawfully.
Now, suppose you work for one of these latter two companies, and you decide that your employer is not doing enough to prevent misuse, and you refuse to write certain code, but you also refuse to resign. Maybe your employer's attorneys present you with a "severance agreement" that includes a generous cash severance and a confidentiality clause. Or maybe you already signed a confidentiality agreement, and your employer fires you with no severance.
Damn, I have to side with the employer. There's nothing illegal going on, and you aren't being asked to do something unsafe or improper -- you simply have chosen a set of personal ethical standards that conflict with your employer. So I'd probably agree that your employer could fire you, but I might be uncomfortable enforcing the confidentiality agreement, at least insofar as it might seek to prevent you from talking to appropriate law-enforcement agencies.
-- http://www.MarkWelch.com/ Pleasanton California
The basic idea behind the ACM code of ethics, which was first developed in the 1960's (but has been amended many times since) is to avoid being specific or definitive in any way. There are good reasons for this that were published in an ACM paper titled "Rules for Ethics in Information Processing", by Donn B. Parker in the ACM journal for March, 1968, describing the reasons that the code of ethics was designed how it is.
If you look at the code of ethics carefully, there are virtually no declarations in the entire thing that state "thou shalt not" or "thou shalt". If there's anything that says that, it puts the judgement of what it means on the member themselves.
When it comes down to it, the code of ethics is more of a requirement that ACM members use their common sense and do what they truly believe is right and ethical in a way that is within reason acceptable to society. Every single person has their own idea of what is ethical, and the boundaries are very fuzzy. As soon as you start drawing lines, you create as many problems as you solve.
It has been used in the past to kick people out of the organisation. I think one of the first times it was used was to dismiss a member who'd put workarounds in some banking software so that his own account had certain financial advantages over everyone else's... or something similar. He was put before a committee representing ACM, he couldn't ethicly justify what he'd done in a way that satisfied the committee, and so he was thrown out.
The ACM paper above is a good read about why it isn't a good idea to have a strict code of ethics. Personally I think the ACM approach is a good way to do it.
Seriously. How would your boss like it if he found out that you wouldn't add a feature like banner ads on an ICQ window because you took some kind of oath? I realize that the question asked in the submission, probably doesn't include things like this, but still.
This is why we need some sort of association (I don't think the term "union" is really applicable) to point out breaches of the ethics code, and if nothing else publicly shame companies which fire employees for refusing to violate it.
Writing up a standard employment-contract term that obligated companies to not allow/coerce their employees to break the code, and urging programmers to demand it, would help a lot, too.
--
Benjamin Coates
There are far too many people who will do just about anything for money. Hell, under the right circumstances, I would write spamming software, even though the very idea makes me sick. I am a family man. I have a wife and daughter to take care of. My first responsibility is to them. "Social responsibility" doesn't even come close. If I had to choose between buying food and paying rent for my family or being socially responsible - fuck society.
-- Will program for bandwidth
This works. Very few structures fall down in the developed world because of engineering errors.
One way would be to require that programs whose malfunction can cause nontrivial harm be signed and sealed by a registered professional engineer, the way building plans are signed. To give this teeth, certificates for code-signing would be issued only through registered professional engineers.
Someday, programming may grow up and go this route.
OK.. I'm gonna rant now.
Coders.. your not holy men.. your not preachers.. you write code.. you a job like anyone else does a job.. why should you need or take a an oath? thats just plain dumb and silly.. if someone doesn't take this oath would that mean they can't get access to development tools? Would'nt that go against the very spirit of open source and the GNU license and the whole spirit of sharing..
sure most people hate adware and spyware stuff as much as i do(a ton). but fact of the matter is thats the current support(MONEY) system for some "free" software out there.. perhaps if people paid for the software there would'nt be all that crap added on..
Its up to you to use that software or ad laden website.. free choice.. stop whining about extras on free software.. its free for a reason, especially the companies that aren't in it for a "greater good" they're in it for making money.. we live in a capitalist society.. get used to it.
end rant