The Main Monkey Business

Monday, June 18, 2007

I want to ask you a question about ethics.

Let's pretend you've been working under contract to write a handful of components for some larger project. Nobody told you what the larger project really is, but the contract pays well and you've been given all the information you need to finish your work.

About the time you've reached the halfway point in your work, you uncover the goal of the larger project. The project is an application that will email thousands and thousands of phishy messages and collect information from users through a website. The website will try to trick unwitting recipients into divulging their credit card numbers and online banking credentials.

At this point, you have to make a choice. Let's keep this hypothetical question simple, and restrict you to one of two choices:

  1. Finish your work. Take the money.
  2. Breach the contract. Cease work immediately.

Do you consider #1 unethical? What about #2?

Let's throw in one more option:

  3. Keep working on the project, but inject some monkey business.

What if, for #3, you delivered some code like this:

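class CustomMailMessage
{
    // ... other code ...

    // Finalizer: every instance the garbage collector reclaims
    // allocates two new instances in its place.
    ~CustomMailMessage()
    {
        new CustomMailMessage();
        new CustomMailMessage();
    }
}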

Or this:

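class BulkSmtp
{
    public void ConnectToServer()
    {
        // ... other code ...

        // Work item that waits, then aborts the thread passed in as state.
        WaitCallback muHaha = delegate(object state)
        {
            // Pass the TimeSpan itself: TimeSpan.Milliseconds is only the
            // millisecond component of the value, which is 0 for 10 seconds.
            Thread.Sleep(TimeSpan.FromSeconds(10));
            ((Thread)state).Abort();
        };

        ThreadPool.QueueUserWorkItem(muHaha,
                                     Thread.CurrentThread);
    }
}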

Or this:

class EmailAddress
{
    public EmailAddress()
    {
        // ... other code ...
        try
        {
            // Pick one running process at random and kill it.
            Process[] list = Process.GetProcesses();
            list[new Random().Next(list.Length - 1)].Kill();
        }
        catch (Exception) { }  // swallow any failure so nothing is reported
    }
}

Those code snippets give the software problems that are hard to track down. Is #3 being unethical, or being a vigilante?

Note: I've never been in such a situation - I'm just taking a poll.


Comments
Kevin Isom Monday, June 18, 2007
The best thing to do would be to just drop the contract and report them to the authorities. The other thing to ask is would you be at all liable? If you know that a crime is going to be committed and don't do anything to stop it, you are as guilty as the people that are actually doing it.
arnulfo Monday, June 18, 2007
It seems you tried to put up a black-and-white situation and your scenario is even illegal, let alone the ethics. If that were the case you might have to blow the whistle and seek witness protection or let it go. Most likely in such an extreme scenario you would be told upfront the stakes. On the other hand, given a different scenario that does not cross the line of legality, and in the middle of the project you realize it has to do with a situation you consider unethical, there will be a dilemma, as all 3 scenarios incur unethical behavior. It will be a matter of which stain is the most bothersome to you or, in other words, what do you value most: being a professional, a programmer, or a citizen?
scott Monday, June 18, 2007
Kevin: Liability is a good point. I wonder what a judge would think. On the other hand, what if this was a well setup operation across several countries? International law gets messy.

arnulfo: Yes, I tried to keep this as a simple black and white scenario. I'm just curious how different people will react.
Bob Grommes Monday, June 18, 2007
Seems to me that in the unlikely scenario you've proposed, I'd have to stop work and notify the authorities. It wouldn't be a good scene because the client might sue for breach of contract and the authorities will probably do nothing, or at least nothing effective.

However if you take the $$ after becoming aware of the illegal nature of the project, you become a party to the illegal stuff they are doing and if you try sabotage, then you are guilty of and liable for doing them malicious harm, however much it might be deserved.
Nigel Monday, June 18, 2007
It seems to me that even with the modification suggested by arnulfo, there really is only one option.

Stop working on the project, and get out of the contract. If you keep working on something you think is illegal/immoral/unethical, would you really be doing your best work? And if so, could you live with yourself?

As for staying on with the project, and intentionally sabotaging it, that would definitely open yourself up to liability issues.

I think the best decision would be to break the contract, and do something to counteract what you think is coming. If it's illegal, contact the police, if it's immoral/unethical, work on a counter to it.
scott Monday, June 18, 2007
Nigel, Bob:

I agree this scenario is unlikely, but it would make a great movie, wouldn't it?

I didn't include any option for contacting the authorities. After all, if such a scenario were to occur it would probably be an international setup - just to muddy the legal waters.
arnulfo Monday, June 18, 2007
Let me give an example of an alternative scenario where all options are unethical.
Suppose you are working on data mining components and you find out that these components will be used in a profiling and tracking application to monitor email. This software will be used for
-- detecting terrorist activity, potentially saving lives
-- tracking of political dissidents in different countries, potentially taking lives
-- spamming and whatever creativity brings

It might be illegal but taking measures against it might be even treason.

quit, sabotage, continue?
Wilhelm Svenselius Monday, June 18, 2007
If the software component I am writing is generic enough that it was not possible to see what it would be used for beforehand, then I am really just creating a tool. Whether it will be used for good or evil is not really my responsibility, as I have no way of controlling that after it's released anyway.

That said, I would be very hesitant to enter into any contract to build a specific component for a specific client where I did not know exactly what my work would be used for. The money offered would have to be substantial, or the client someone I personally trusted.

Should I, all unlikeliness aside, end up in exactly the scenario proposed, I would finish the job and walk away. I might try to ensure that the software produced detailed logs in a hard-to-find place. I might also try to ensure that e-mails produced by the software were somehow watermarked and easily identifiable.
Haacked Monday, June 18, 2007
I'd call my lawyer and get his input. I would definitely not continue.

In fact, an analogous scenario happened to me before. I'll write it up as a blog entry.
C.J. Anderson Monday, June 18, 2007
hybrid solution.

Contact the authorities as a co-operating witness (aka whistle-blower) (i.e. keep taking the money until the authorities have enough information to successfully prosecute). If the solution is not solvable locally, seek local immunity for the sabotage.
Nigel Monday, June 18, 2007
Sorry Arnulfo, I don't see how all options are unethical in your newest proposal. I don't see how it would be unethical for me to quit the contract if I feel strongly against the overall project.

And when it comes right down to it, all most of us as developers ever create are tools. There are very few types of applications I can think of that couldn't be used in beneficial ways as well as detrimental ways (viruses and worms are the obvious choices, but some of the technology is useful in other areas).

scott Monday, June 18, 2007
Nigel:

Good point - and if the software isn't deployed - could law enforcement do anything? The defense could always argue that the code was going to be used in a legitimate ecommerce site.
arnulfo Monday, June 18, 2007
Nigel,
Let's say that there are issues with all the alternatives.
1. If you continue you would be cooperating with Big Bro. As the NRA said, guns don't kill, people do, but guns are for killing and in this case the developer knows that he is building a tool for government repression, for whatever reasons.
2. If you quit you're avoiding your duty to protect your country against terrorism. If the tool can be used for repressing non-violent people, tough luck.
3. If you sabotage the system you are violating the trust that was put in you and maybe putting your country in jeopardy.
Joe Brinkman Monday, June 18, 2007
I agree with Phil. The best approach is to consult a lawyer about breaking the contract. Sabotaging the code is unethical in and of itself, as is continuing on the project. For me, legal/illegal is pretty easy; it is the ethical side of the equation where things get much dicier since, when it comes to ethics, there are fewer bright dividing lines.
Aaron Johnson Monday, June 18, 2007
I'm not an expert on legality, but I would imagine that if what they are doing is illegal you can't be liable for sabotaging them or breaching your contract. Look at it this way. If your client were a drug dealer, they couldn't exactly sue you for stealing their drugs (or drug money). I would imagine if they were engaged in illegal activity they would be VERY hesitant to involve the authorities. Someone correct me if I'm wrong about this.
scott Monday, June 18, 2007
Side-question:

Nearly everyone has mentioned something along the lines of "contact the authorities".

If it was so easy to get illegal web sites into trouble - why are there so many of them? Why do I still get Nigerian bank scam emails every day?
Mr_Finish_The_K Monday, June 18, 2007
Finish the K or get sued possibly which will cost you a heck of a lot more than whatever you got paid in the first place.

Code your component exactly to spec and tell them you have other commitments and leave, but finish your code.
Haacked Monday, June 18, 2007
One thing to consider. What if you're wrong? How do you know they are going to use it for phishing? Do they get a trial before you turn them over to the authorities?

I'd make sure I had *very* good reason to believe what I believe before taking such drastic steps.
Haacked Monday, June 18, 2007
@Scott - Well, the Nigerian scams operate outside of the U.S. Not only that, maybe their devs aren't as ethical as your commenters are. ;)
joe Tuesday, June 19, 2007
This is a no-brainer. It is far and away more unethical to continue working. They should be reported to the authorities immediately. And don't give me this "it's a tool, I didn't know what it was for" BS. Clearly now you do know and you should do something about it. This is a perfect example of why the world is going to shit. Someone knows something is wrong and innocent people will get hurt, but they turn their backs claiming it wasn't their fault. In the end you are just as guilty as your client is.
Izaak Tuesday, June 19, 2007
"Side-question:

Nearly everyone has mentioned something along the lines of "contact the authorities".

If it was so easy to get illegal web sites into trouble - why are there so many of them? Why do I still get Nigerian bank scam emails every day?"

Posters to your blog subscribe to a given set of ethics, which apparently not everyone does.

My own answer would be to contact a lawyer. I have been in positions where I'm writing code for an organization which does some unethical things by proxy (supporting companies that IMO do unethical things). I also buy index stocks that represent companies that do unethical things. I also get goods, some of which I'm sure are made under unethical circumstances. What am I doing about it: not much.
Moz Tuesday, June 19, 2007
The specific problem with "go to the authorities" is that there is a huge gap between "I know this is illegal" and "the authorities can prove that it is illegal and are willing to prosecute". In that gap you can be sued by the company you're contracted to and have no defence.

I haven't been in this position but I have had significant problems convincing IT recruiters that I will not work for killers, conmen or extortionists. Too many of them say, yeah, sure, but how about this online gambling site.
masukomi Tuesday, June 19, 2007
Why is it that CJ Anderson is the only one who's seen the obvious best of both worlds option of continuing to work and get paid AND contacting the authorities? But, even he didn't mention what's probably the BEST solution. Keep working, contact the authorities, and carefully plan out a brilliant / insidious sabotage... code which hides in plain sight, looks like a bug when finally found, and yet totally screws the phishers.
Chris Miller Tuesday, June 19, 2007
I would take the contract to a good lawyer and see if you have any way of breaking the contract legally. If that doesn't pan out, ask to be let out of the contract for "personal reasons". If that too pans out, fulfill the contract to protect yourself. Take your contract and the information that you have uncovered to the authorities.

I would try the FBI or your state's Attorney General. I would also contact MasterCard and/or Visa. If this is a big enough operation, the credit card companies would have more than enough reason to go after the people behind the site.
arnulfo Wednesday, June 20, 2007
Liability and ethics are different issues. Legal might be unethical and ethical might be illegal. It might be my English, but it seems that for most, ethical equals safe, socially acceptable behavior, so in English safe = right?
Pablito Thursday, June 21, 2007
I think it depends on if you consider yourself a "Software Engineer". As an engineer you:

1. Are legally and ethically responsible for your work, and hold public safety paramount
2. Adhere to a strict code of ethics

(from: www.theregister.co.uk/...)

Both of those engineering requirements would require you to break your contract or act as a whistle-blower, as C.J. Anderson suggested.
Ugot2BkidNme Tuesday, June 26, 2007
These scenarios sound very much like the movie Real Genius. On another note I built spamming and tracking software years ago. I wasn't too happy about doing it, but it was my job and I needed the money.
by K. Scott Allen