Unethical and Illegal Practices in Coding: From Prevention to Action

Cases of programming practices being abused and unethical and/or illegal coding have been reported all over the media, which isn’t great publicity for developers and engineers. The question of who bears the responsibility remains on everyone’s lips. But while employers are legally more accountable for bad decisions involving the company, developers won’t always find themselves exempt from criminal prosecution either. A senior executive at Volkswagen may have been sentenced to seven years in prison after the emissions scandal, but a VW engineer also got 40 months of jail time for his role in the case. Therefore, if you feel a request from an employer can’t be trusted, you need to think twice before embarking on a risky journey: It might end up costing you more than your conscience. But how to prevent these practices happening further upstream and what can you do to protect yourself from unethical and/or illegal requests at work?

A boom in cases

The Volkswagen scandal, which erupted in September 2015, made a lot of noise: Authorities found out that the firm’s engineers had been falsely programming their cars to meet US environmental standards in laboratory testing, when they were actually emitting up to 40 times more CO2 in real life. The illegal software had been implemented in about 11 million cars worldwide. It ended with a US federal judge ordering Volkswagen to “pay a $2.8 billion criminal fine for rigging diesel-powered vehicles to cheat on government emissions tests,” reported The Wall Street Journal in 2017.

The famous transport company Uber has also been under the spotlight during the past few years because of several algorithms its software developers created. The investigation revealed that these algorithms contributed to suspicious practices, such as exploiting underpaid drivers and ignoring regulations in cities around the world. Meanwhile, Supinfo, the private international university that specializes in computer science, reported how, following the publication of Bill Sourour’s account of the code he’s “still ashamed of”, which shook the whole IT industry, developers from all over the world started sharing their own experiences of being asked to participate in unethical and/or illegal programming during their careers.

To explain, in 2016, Sourour, that forerunner in this wave of denunciation, posted on his blog about his worst experience of an unethical request. In the post, he told how, at 21, he had landed a full-time coding job with an interactive marketing firm in Toronto, Canada, a country with strict regulations in place regarding the advertising of prescription drugs. Many of the firm’s clients were large pharmaceutical companies, who as a way of circumventing the law, would create websites presenting general information about the symptoms their drugs were meant to address. “Then, if a visitor could prove they had a prescription, they were given access to a patient portal with more specific info about the drug,” wrote Sourour.

For one website, targeted at young women, he was asked to code up a quiz whose questions would always lead to the client’s drug as the final recommendation. This practice was not illegal, but one day he was alerted to a news report that a young girl who had taken the drug had killed herself. That was when he discovered that some of the main side effects of the drug were severe depression and suicidal thoughts. And he has never been able to forgive himself for writing the code. “As developers, we are often one of the last lines of defense against potentially dangerous and unethical practices,” he wrote. It was time to take action.

Unethical vs. illegal: Where to draw the line?

If illegal requests usually seem clearer and easier to turn down, ethical matters can be fuzzier and more challenging to manage. But what does the term ethics stand for officially and what does it cover? Florence Mulliez, a partner at the French law firm FIDAL who specializes in digital and compliance technology, defines ethics as “the collective conscience in front of the major issues that personal-data privacy is posing.” Ethics is distinct from the legal sphere and more related to moral principles, although the line between ethics and law is blurred, as Maxime D’Angelo Petrucci, a data and technology attorney at Clifford Chance, explains. “When it comes to the field of personal-data protection, the line between legal and ethical is very thin and one does not go without the other,” he says. “One major aspect of GDPR [General Data Protection Regulation, a new regulation in EU law on data protection and privacy] is that it brings together both visions, integrating the notions of ‘lawfulness’ and ‘fairness’. It helps consider both aspects in new cases.”

For clarity, lawfulness is when something is allowed or permitted by law, while fairness is defined as impartial fair treatment, in line with individuals’ expectations, without any discrimination.

So can an ethical dilemma be brought before a court of law? “It can be admissible because, in France, we work with a civil-law-based system,” explains Mulliez. “Here, judges tend to apply legislation in its strictest sense, while Anglo-Saxon countries reason more based on the notion of equity.” This leaves more room for interpretation and unusual cases than it does in France, but serious ethical matters deserve a shot in court when needed. As mentioned, the line between legal and ethical is very thin. “The admissibility of ethical matters will have to be implemented over the long term anyway, especially with the new challenges that artificial intelligence will bring,” adds Mulliez.

How are developers reacting to unethical requests?

In 2018, a Stack Overflow study examined how 100,000 developers worldwide would respond when faced with an unethical request. Only 58.5% stated they would say no if they were asked to write code for an unethical purpose, while 36.6% were more ambivalent and claimed it would depend on what it was, and 4.8% said they would be prepared to do it. What we can take from those figures is that there is definitely a gray area around ethical matters, making it difficult to assess the lines that shouldn’t be crossed. More than half of the respondents, however, considered upper management responsible for ethical matters and any consequences that could arise from bad decisions, meaning that when it comes to such matters, prevention is better than the cure. The problem is there is no set of common standards that apply to the whole industry.

How can developers react?

Opposing the boss is no easy task, especially when there is no concrete law to cover the issue. The first thing to do when a request doesn’t feel right is to take your time. Do not answer straight away. Websites such as CNIL, which details GDPR and rules applying to personal-data-based technologies, give you an overview of the legitimacy of the request from a legal point of view. If it falls under the scope of ethics, you will have to trust your gut. Does the request seem reasonable or not? Does it match your personal values and what you wish to achieve professionally? Could it lead to further unreasonable tasks? What is at stake for the company and the customers? What do you risk, and what impact will it have on your vision of your work, of your company, and your reputation? You will have to process all this information before deciding. But always start by taking the time to evaluate the situation, the possibilities, and eventual compromises that can be made.

If there’s no room for compromise and your boss sticks to their opinion, you will have to take action. Timing is important, as Mulliez explains: “The first step is to take advice from a legal expert before production starts. You must take action as far up the chain as possible when the project is still at at the prototype stage. Afterwards, written proof of your discussions is essential. This falls under social law, but the best thing to do is to write a clear refusal to your direct supervisor, with the HR department in copy. One day, you might have to show that you clearly stated your refusal, so it is important to keep track of email discussions and any paper trail documenting the project. Legally, you need to bring proof that you clearly opposed the project if you do not want to be held accountable.” Express your reservations, making clear that you are not comfortable fulfilling the task requested because it does not match your values. This shows mental strength and professional conscience without any aggression.

Codes of ethics: A new way to prevent bad practice?

In order to prevent questionable practices that are not governed by law, some firms have started implementing a code of ethics for their employees. “There is indeed a trend among big tech companies to use codes of conduct. This is a practice encouraged by regulators and public authorities, especially in the field of artificial intelligence,” says D’Angelo Petrucci. The scope of these codes covers all kinds of practices that are discouraged in the company and mainly serve to prevent any discrimination or other unfair use of personal data. Anyone can prepare a code of ethics, but D’Angelo Petrucci recommends collaboration: “You do not officially need legal counseling to build up a code of conduct, but it is recommended you involve various stakeholders, including the company’s legal department, in its creation. This will help you proceed in line with employment, corporate, privacy, and all other procedures that must be complied with.”

However, Mulliez cautions to remain careful with expectations of codes like this, as they “don’t have a true legal value.” She adds that, on the other hand, “no employee can be forced to sign a code of conduct and an employee has the right to express reservations about some clauses.” Nevertheless, codes of conduct remain a useful insight into your company’s values and the practices it discourages or includes. It also indicates that the company is willing to preserve a sense of ethics and good practice in its business as well as in its culture, and will likely take action if needed. Companies should therefore be encouraged to set down common standards expected from employees and the moral guidelines to refer to in case of disagreements.

Stricter regulations: The first step in achieving better behaviors and data protection

The increase in scandals concerning unethical programming raises the question of regulation: What can authorities do to prevent such situations in the future? D’Angelo Petrucci explains that this surge of cases correlates with the increasing presence of data in our lives: “More and more companies use personal data to create, deliver, and improve their products and services. It has become an essential part of business. And the more companies use data to do business, the greater the risk of misuse.”

Mulliez points out that, with GDPR that applies to companies in the European Economic Area (EEA), and to those outside the EEA in certain circumstances, the sanctions for data misuse have become more significant and fines can now reach 2%-4% of turnover. “We’ve always had several regulations in France, such as law number 78-17—Informatique et libertés (Computing and Freedom)—passed in 1978, but much fewer sanctions, and their scope is much smaller than what GDPR can cover. It’s a new regulation that includes the notion of ‘Privacy by Design.’ This places specific prerequisites on a product or service you want to create, such as personal-data protection. Companies are now also obliged to carry out a Data Protection Impact Assessment (DPIA) when their project raises or is likely to raise high privacy risks. This tool assesses the concrete impact of personal-data use, checking the data’s nature, their purpose, and defining how exposed they are.”

This new kind of strict regulation is progressively expanding abroad, in a few states of the US and in Japan. The US cannot stay passive in the face of the major changes being implemented in Europe, but it does not intend to reproduce its model, at least not completely. In July 2018, the White House claimed that it was considering “a consumer privacy protection policy that is the appropriate balance between privacy and prosperity.” Obviously, GDPR is setting a new global standard and will change the game, although Mulliez warns, “There will be a need for adjustment, especially when facing new situations with the development of AI and blockchain. But I believe that the right balance will be found to protect both sides’ interests, companies and users.”

In conclusion, the new regulation should progressively encourage respectful and conscientious practices. Mentalities change and consumers are becoming more aware of what they share, forcing companies to protect consumers’ interests more. D’Angelo Petrucci concludes that, “We are facing a whole new trend, where public authorities, regulators, experts, and consumer groups are thinking about and trying to address emerging ethical issues related to personal data, technology, and profiling.” However, profit will always lead some managers to cross the line and to encourage them to take an unethical path. Keep in mind that you have the right to say no and keep track of all the exchanges that relate to an issue. And remember, prevention is better than the cure. Do not hesitate to try to focus your company more on ethical issues and to encourage the creation of a code of ethics. “In the future,” says D’Angelo Petrucci, “we can expect more and more tech-related codes of conduct to emerge in companies and be used as serious guidelines for professional ethics.”

This article is part of Behind the Code, the media for developers, by developers. Discover more articles and videos by visiting Behind the Code!

Want to contribute? Get published!

Follow us on Twitter to stay tuned!

Illustrations by WTTJ