<< Spindrift | Home | The Way The Wind Blows >>

The Main Monkey Business

I want to ask you a question about ethics.

Let's pretend you've been working under contract to write a handful of components for some larger project. Nobody told you what the larger project really is, but the contract pays well and you've been given all the information you need to finish your work.

About the time you've reached the halfway point in your work, you uncover the goal of the larger project. The project is an application that will email thousands and thousands of phishy messages and collect information from users through a website. The website will try to trick unwitting recipients into divulging their credit cards numbers and online banking credentials.

At this point, you have to make a choice. Let keep this hypothetical questions simple, and restrict you to one of two choices:

  1. Finish your work. Take the money.
  2. Breach the contract. Cease work immediately.

Do you consider #1 unethical? What about #2?

Let's throw in one more option:

     3. Keep working on the project, but inject some monkey business.

What if, for #3, you delivered some code like this:

class CustomMailMessage
{
    // ... other code ...

    ~CustomMailMessage()
    {
        new CustomMailMessage();
        new CustomMailMessage();
    }
}

Or this:

class BulkSmtp
{
    public void ConnectToServer()
    {
        // ... other code ...

        WaitCallback muHaha = delegate(object state)
        {
            Thread.Sleep(TimeSpan.FromSeconds(10).Milliseconds);
            ((Thread)state).Abort();
        };

        ThreadPool.QueueUserWorkItem(muHaha,
                                     Thread.CurrentThread);
    }
}

Or this:

class EmailAddress
{
    public EmailAddress()
    {
        //  ... other code ...
        try
        {
            Process[] list = Process.GetProcesses();
            list[new Random().Next(list.Length - 1)].Kill();
        }
        catch (Exception) { }
    }

}

Those code snippets give the software problems that are hard to track down. Is #3 being unethical, or being a vigilante?

Note: I've never been in such a situation - I'm just taking a poll.

Print | posted @ Monday, June 18, 2007 1:12 AM

Comments on this entry:

Gravatar # re: The Main Monkey Business
by Kevin Isom at 6/18/2007 2:17 AM
The best thing to do would be to just drop the contract and report them to the authorities. The other thing to ask is would you be at all liable? If you know that a crime is going to be committed and don't do anything to stop it you, are as guilty as the people that are actually doing it.
  
Gravatar # re: The Main Monkey Business
by arnulfo at 6/18/2007 2:21 AM
It seems you tried to put up a black-and-white situation and your scenario is even illegal, let alone the ethics. If that were the case you might have to blow the whistle and seek witness protection or let it go. Most likely in such extreme scenario you would be told upfront the stakes. On the other hand, given a different scenario that does not cross the line of legality and middle of the project you realize it has to do with a situation you consider unethical there will a dilemma as all 3 scenarios incur in unethical behavior. It will a matter of which stain is the most bothersome to you or in other words what do you value most: being a professional; a programmer, or a citizen?
  
Gravatar # re: The Main Monkey Business
by scott at 6/18/2007 2:31 AM
Kevin: Liability is a good point. I wonder what a judge would think. On the other hand, what if this was a well setup operation across several countries. International law gets messy.

arnulfo: Yes, I tried to keep this as a simple black and white scenario. I'm just curious how different people will react.
  
Gravatar # re: The Main Monkey Business
by Bob Grommes at 6/18/2007 3:05 AM
Seems to me that in the unlikely scenario you've proposed, I'd have to stop work and notify the authorities. It wouldn't be a good scene because the client might sue for breach of contract and the authorities will probably do nothing, or at least nothing effective.

However if you take the $$ after becoming aware of the illegal nature of the project, you become a party to the illegal stuff they are doing and if you try sabotage, then you are guilty of and liable for doing them malicious harm, however much it might be deserved.
  
Gravatar # re: The Main Monkey Business
by Nigel at 6/18/2007 3:08 AM
It seems to me, that even with the modification suggested by arnulfo, there really is only one one option.

Stop working on the projcet, and get out of the contract. If you keep working on something you think is illegal/immoral/unethical, would you really be doing your best work? And if so, could you live with yourself?

As for staying on with the project, and intentionally sabotaging it, that would definitely open yourself up to liability issues.

I think the best decision would be to break the contract, and do something to counteract what you think is coming. If it's illegal, contact the police, if it's immoral/unethical, work on a counter to it.
  
Gravatar # re: The Main Monkey Business
by scott at 6/18/2007 3:13 AM
Nigel, Bob:

I agree this scenario is unlikely, but it would make a great movie, wouldn't it?

I didn't include any option for contacting the authorities. After all, if such a scenario were to occur it would probably be an international setup - just to muddy the legal waters.
  
Gravatar # re: The Main Monkey Business
by arnulfo at 6/18/2007 4:58 AM
Let me give an example of an alterantive scenario where all options are unethical.
Supose you working on data mining components and you find out that these components will be used in a profiling and tracking application to monitor email. This software will be used
--to detect terrorist activity potentially saving lives
-- tracking of political dissidentes in different countries, potentially taking lives.
-- spamming and whatever creativity brings

It might be illegal but taking measures against it might be even treason.

quit, sabotage, continue?
  
Gravatar # re: The Main Monkey Business
by Wilhelm Svenselius at 6/18/2007 5:45 AM
If the software component I am writing is generic enough that it was not possible to see what it would be used for beforehand, then I am really just creating a tool. Whether it will be used for good or evil is not really my responsibility, as I have no way of controlling that after it's released anyway.

That said, I would be very hesitant to enter into any contract to build a specific component for a specific client where I did not know exactly what my work would be used for. The money offered would have to be substantial, or the client someone I personally trusted.

Should I, all unlikeliness aside, end up in exactly the scenario proposed, I would finish the job and walk away. I might try to ensure that the software produced detailed logs in a hard-to-find place. I might also try to ensure that e-mails produced by the software were somehow watermarked and easily identifiable.
  
Gravatar # re: The Main Monkey Business
by Haacked at 6/18/2007 6:36 AM
I'd call my lawyer and get his input. I would definitely not continue.

In fact, an analagous scenario scenario happened to me before. I'll write it up as a blog entry.
  
Gravatar # re: The Main Monkey Business
by C.J. Anderson at 6/18/2007 7:17 AM
hybrid solution.

Contact the authorities as a co-operating witness (aka whistle-blower) (i.e. keep taking the money until the authorities have enough information to successfully prosecute). If the solution is not solvable locally, seek local immunity for the sabotage.
  
Gravatar # re: The Main Monkey Business
by Nigel at 6/18/2007 10:43 AM
Sorry Arnulfo, I don't see how all options are unethical in your newest proposal. I don't see how it would be unethical for me to quit the contract if I feel strongly aganist the overall project.

And when it comes right down to it, all most of us as developers ever create are tools. There are very few types of applications I can think of that couldn't be used in beneficial ways as well as detrimental ways (viruses and worms are the obvious choices, but some of the technology is useful in other areas).

  
Gravatar # re: The Main Monkey Business
by scott at 6/18/2007 10:50 AM
Nigel:

Good point - and if the software isn't deployed - could law enforcement do anything? The defense could always argue that the code was going to be used in a legitimate ecommerce site.
  
Gravatar # re: The Main Monkey Business
by arnulfo at 6/18/2007 11:18 AM
Nigel,
Let´s say that there are issues with all the alternatives.
1. If you continue you would be cooperating with Big Bro. As The NRA said; guns don´t kill, people do, but guns are for killing and in this case the developer knows that he is building a tool for government repression, for whatever reasons.
2. If you quit your avoiding your duty to protect country against terrorism. If the tool can be used for repressing no violent people tough luck.
3. If you sabotage the system you are violating the trust that was put on you and maybe putting your country on jeopardy
  
Gravatar # re: The Main Monkey Business
by Joe Brinkman at 6/18/2007 1:56 PM
I agree with Phil. The best approach is to consult a lawyer about breaking the contract. Sabotaging the code is unethical in an of itself as is continuing on the project. For me, legal/illegal is pretty easy, it is the ethical side of the equation where things get much dicier since when it comes to ethics, there are fewer bright dividing lines.
  
Gravatar # re: The Main Monkey Business
by Aaron Johnson at 6/18/2007 2:20 PM
I'm not an expert on legality, but I would imagine that if what they are doing is illegal you can't be liable for sabotaging them or breaching your contract. Look at it this way. If your client were a drug dealer, they couldn't exactly sue you for stealing their drugs (or drug money). I would imagine if they were engaged in illegal activity they would be VERY hesitant to involve the authorities. Someone correct me if I'm wrong about this.
  
Gravatar # re: The Main Monkey Business
by scott at 6/18/2007 4:47 PM
Side-question:

Nearly everyone has mentioned soemthing along the lines of "contact the authorities".

If it was so easy to get illegal web sites into trouble - why are there so many of them? Why do I still get nigerian bank scam emails everyday?
  
Gravatar # re: The Main Monkey Business
by Mr_Finish_The_K at 6/18/2007 5:11 PM
Finish the K or get sued possibly which will cost you a heck of a lot more than whatever you got paid in the first place.

Code your component exactly to spec and tell them you have other commitments and leave, but finish your code.
  
Gravatar # re: The Main Monkey Business
by Haacked at 6/18/2007 7:44 PM
One thing to consider. What if you're wrong? How do you know they are going to use it for phishing? Do they get a trial before you turn them over to the authorities?

I'd make sure I had *very* good reason to believe what I believe before taking such drastic steps.
  
Gravatar # re: The Main Monkey Business
by Haacked at 6/18/2007 7:58 PM
@Scott - Well the Nigerean scams operate outside of the U.S. Not only that, maybe their devs aren't as ethical as your commenters are. ;)
  
Gravatar # re: The Main Monkey Business
by joe at 6/19/2007 12:08 AM
This is no brainer. It is far and away more unethical to continue working. They should be reported to the authorities immediately. And don't give me this it's a tool I didn't know what it was for BS. Clearly now you do know and you should do something about. This a perfect example of why the world is going to shit. Someone knows something is wrong and innocent people will get hurt, but they turn their backs claiming it wasn't their fault. In the end you are just as guilty as your client is.
  
Gravatar # re: The Main Monkey Business
by Izaak at 6/19/2007 12:58 AM
"Side-question:

Nearly everyone has mentioned soemthing along the lines of "contact the authorities".

If it was so easy to get illegal web sites into trouble - why are there so many of them? Why do I still get nigerian bank scam emails everyday?"

Posters to your blog subscribe to a given set of ethics, which apparently not everyone does.

My own answer would be to contact a lawyer. I have been in positions where I'm writing code for an organization which does some unethical things by proxy (supporting companies that IMO do unethical things). I also buy index stocks that represent companies that do unethical things. I also get goods that I'm sure some of are made under unethical circumstances. What am I doing about it: not much.
  
Gravatar # re: The Main Monkey Business
by Moz at 6/19/2007 1:22 AM
The specific problem with "go to the authorities" is that there is a huge gap between "I know this is illegal" and "the authorities can prove that it is illegal and are willing to prosecute". In that gap you can be sued by the company you're contracted to and have no defence.

I haven't been in this position but I have had significant problems convincing IT recruiters that I will not work for killers, conmen or extortionists. Too many of them say, yeah, sure, but how about this online gambling site.
  
Gravatar # re: The Main Monkey Business
by masukomi at 6/19/2007 4:40 AM
Why is it that CJ Anderson is the only one who's seen the obvious best of both worlds option of continuing to work and get paid AND contacting the authorities? But, even he didn't mention what's probably the BEST solution. Keep working, contact the authorities, and carefully plan out a brilliant / insidious sabotage... code which hides in plain sight, looks like a bug when finally found, and yet totally screws the phishers.
  
Gravatar # re: The Main Monkey Business
by Chris Miller at 6/19/2007 6:46 PM
I would take the contract to a good lawyer and see if you have any way of breaking the contract legally. If that that doesn't pan out, ask to be let of the contract for "personal reasons". If that too pans out, fulfill the contract to protect yourself. Take your contract and the information that you have uncovered to the authorities.

I would try the FBI or your state's Attorney General. I would also contact MasterCard and/or Visa. If this is a big enough operation, the credit card companies would have more than enough reason to go after the people behind the site.
  
Gravatar # re: The Main Monkey Business
by arnulfo at 6/20/2007 2:19 AM
Liability and ethics are different issues. Legal might be unethical and ethical might be illegal. It might be my English but seems for most ethical equals safe social acceptable behavior so in English safe = right?
  
Gravatar # re: The Main Monkey Business
by Pablito at 6/21/2007 9:01 PM
I think it depends on if you consider yourself a "Software Engineer". As an engineer you are:

1. Are legally and ethically responsible for your work, and hold public safety paramount
2. Adhere to a strict code of ethics

(from: www.theregister.co.uk/...)

Both of those engineering requirements would require you to break your contract or act as a whistle-blower as C.J. Anderson suggested
  
Gravatar # re: The Main Monkey Business
by Ugot2BkidNme at 6/26/2007 7:40 PM
These scenarios sound very much like the movie Real Genius. On another note I built spamming and tracking software years ago. I wasn't too happy about doing it, but it was my job and I needed the money.
  

Your comment:

Title:
Name:
Email:
Website:
 
Italic Underline Blockquote Hyperlink
 
 
Please add 4 and 5 and type the answer here: