What if your superior asks you to archive all the emails and web activity logs of your coworkers and you get a sneaking suspicion that the formal legal company channels were ignored, though your coworkers would likely never know?
What if your company asks you to create software to aggregate content without paying or giving credit to creators and creators probably would never find out?
Would you create software to do these and numerous other questionable actions? How many questions can and should you ask before you begin?
The difference between what you, as a software developer, can do legally, a floor, and what you should do, a ceiling, is often vast, confusing, and not always intuitive. Loosely, this difference is ethics, and navigating it systematically as a pro requires perspective, experience, and most importantly, a framework of prioritized values. Many other groups of professionals – such as doctors and lawyers – have adopted ethical frameworks and have institutions that help members navigate concepts of right and wrong. But when it comes to software development – a profession that is shaping modern society like no other – this kind of ethical support structure is mostly missing.
What we have today
There are a few pledges, oaths, and codes of conduct that exist for software developers. For example, the International Standard for Professional Software Development and Ethical Responsibility by the IEEE-CS/ACM Joint Task Force on Software Engineering Ethics and Professional Practices promotes the development of ethical and professional practices that address software engineering. It recognizes in its preamble that “Computers have a central and growing role in commerce, industry, government, medicine, education, entertainment and society at large.” Furthermore, “Because of their roles in developing software systems, software engineers have significant opportunities to do good or cause harm, to enable others to do good or cause harm, or to influence others to do good or cause harm.” Then, it focuses on eight principles related to the public, client and employer, product, judgment, management, profession, colleagues, and self.
There are numerous other, less comprehensive efforts. For example, the Programmer’s Oath by “Uncle Bob” Martin, the “Never Again” Pledge, the Pledge of the Computing Professional, the Ten Commandments of Computer Ethics by the Computer Ethics Institute, the ACM Code of Ethics, and the Trustworthy Coder’s Pledge by Bill Sourour. There is an Online Ethics Center (OEC) resource maintained by the Center for Engineering Ethics and Society (CEES). Some universities, such as the Computer Science department at Stony Brook University’s College of Engineering and Applied Sciences, teach Professional Ethics for Computer Science. And sites like ComputingCases.org have historical cases, exercises, assignments, essays, information, advice, and guidance.
However, these efforts are underdeveloped, contradictory, ambiguous, and unenforceable. Critically, they lack oversight and accountability.
There is no comprehensive and widely-adopted framework to guide crucial daily decisions that will impact users for future generations. And many companies and software engineers do not ask hard questions as part of their software development process. They are not contemplating ethical consequences, what is the right thing to do, or who it affects. And software developers at powerful technology companies have no strong institution to rely on for support when an ethical dilemma does arise.
I conducted a short, unscientific survey to get a rough sense of how much software developers are trained to handle questions of ethics. The majority of professionals I spoke to who write code, make essential engineering decisions, and lead technical teams have not had a meaningful, in-depth ethics course in their life, definitely not since college. Indeed, there is no continuing education obligation to understand evolving ethics in a fast-paced innovation landscape or how even to identify ethics violations. Rigorous and systematic testing to make sure that software developers have a working knowledge of ethics applications in various contexts is missing.
This is not to say that the majority of software developers are unethical or don’t understand ethics. On the contrary, in my experience, many software developers ask critical questions about software ethics and often give unfiltered feedback. And, much of ethics is human and innate. So, there is hope. However, in the age of fake news, hacking, election interference, and many other unintended consequences of technology, it is irresponsible that software developers use their gut as a barometer to improvise what is right for our future. This “hope for the best” approach is ripe for improvement.
The effect on developers
Of course, it is currently not clear what software developers should do if they encounter an ethical violation that does not rise to illegal conduct. Without a formal ethics framework, they are not empowered to question their employer’s judgment without fear of losing their job. Their ability to pressure their employer to do the right thing is minimal at best. And unless they qualify under very narrow whistleblower exceptions, they have no legal support to back them, especially when ethics issues are at stake. Leaking, often anonymously, to a journalist and praying for favorable public outrage is often the only recourse.
Further, developers themselves could be held liable for decisions made elsewhere in their organization. In addition to the Computer Fraud and Abuse Act (CFAA), the well-developed body of fraud and criminal laws has been applied to software developers and founders. In the eyes of the law, any tool can become a weapon if it is used to harm others or violate laws, and software could be that tool.
Based on a recent US Commodity Futures Trading Commission (CFTC) speech on October 16, 2018, by the CFTC Commissioner, it seems individual software developers may be held liable for aiding and abetting CFTC rule violations. The commissioner explained, “The appropriate question is whether these software developers could reasonably foresee, at the time they created the code, that it would likely be used by US persons in a manner violative of CFTC regulations. … As such, the CFTC could prosecute those individuals for wrongdoing.”
(Relatedly, I predict that software developer professional liability insurance will soon become a hot topic.)
A comprehensive ethical framework would not only help developers and the public but would also help shield software companies and their stakeholders from ethics-related damage. Consider the recent train wrecks of Uber and Facebook that have unfolded in the public eye.
Towards a solution
The field of software development needs a more intentional, mature, and consistent ethical framework. There are many ways to design such a framework, but a formal and mandatory self-regulated model may be a good place to start because there are mature examples to follow from other industries. Professions that formally and mandatorily self-regulate, such as lawyers and doctors, provide models as to how software development can be professionalized with mature credentials process, ethics standards, continuing education requirements, violation adjudication process and body, and periodic guidance.
Independent of framework specifics, it is time for the software industry to stop hoping, start guiding software developers about ethics, and ultimately hold software professionals accountable. After all, we all depend on software developers to build an inhabitable world without unpleasant surprises.
Olga V. Mack is a technology strategist, experienced corporate board director, attorney, author, public speaker, and women’s advocate. She is Vice President of Strategy at Quantstamp, a decentralized security auditing blockchain platform. She previously worked at Visa, ClearSlide, Zoosk, Wilson Sonsini Goodrich & Rosati, and Yahoo.