Ethics In IT

chiefloko writes "I am presently taking a Business Ethics class while earning my MBA. For my final paper topic I have chosen 'Ethics within the Information Technology realm.' Over the past 13 years I have worked for three corporations and have seen everything from the typical BOFH to ungodly pirated software use. I also bore witness to a remote user logging in to a poorly administrated Sun station, finding out s/he was root, and then reading co-workers' emails. I am interested in what the norm is for ethics in the IT world and some of the stories and outcomes."

Re:The difference between IT and other professions

[Anonymous Coward]

Hmm.. the closest that I know of is that developers/programmers can join IEEE and/or ACM, and those organisations do have codes of ethics they expect their members to adhere to.

(It's helpful if you're ever asked to do something you consider unethical, and you can state your professional organisation membership's code of ethics forbids such behaviour. It helps you stick to your ethics because it backs you up.)

ACM Code of Ethics

[floki]

The Association for Computer Machinery (ACM) [acm.org] has a Code of Ethics [acm.org]. Have a look at it. It gives quite a lot of guidance converning professional conduct in IT.

SAGE: System Administrators' Code of Ethics

[ukh]

And so does SAGE (for system administrators), more to the point: http://www.sage.org/ethics/ethics.html [sage.org]

What ethics?

[sr8outtalotech]

Maximizing shareholder value > anything else. Seriously, ethics? I'm in the SMB consulting industry. I sign NDA's on a regular basis with consulting companies so when the consulting company violates an ethical obligation to a client I'm contractually bound not to say anything. 13 passwords all the same for 13 company's but they (not me) billed their managed services as following best practices. PPTP VPN instead of LT2P/IPSEC (a stand alone certificate server = $), no account auditing(disk space = $), no logon failure limits(disrupted users = lost $), no port security at the switch (network admin = $), etc... I've yet to run across a salesperson that didn't upsell/oversell. I think most techs realize what's ethical behavior and what's not but they get pressured into not saying anything by management and sales.

Here's a scenario that happened to me in 2006. I had a contract terminated with no reason given. 4 days before the contract was terminated I sent a memo to the CEO (I reported to him) about sending bulk email without an opt-out option and without the companies physical address. I included relevant state and federal laws regarding the issue, mainly the Can Spam Act. 3 days before the contract was terminated the CEO confronts me in front of the whole office about how they were the following the law. I flatly told him I wouldn't send them or train anyone to send them until they added physical contact information and a way to opt-out. This was in front of his entire office staff. I wanted to discuss it in private and he wanted to discuss it in front of everyone. Friday, my contract got terminated, no reason given. Take a guess as to why it was terminated?

Re:You need to clarify your question

[pdwalker]

That's sociopaths [caltech.edu], not psychopaths [wikipedia.org].

Think of it as the difference between a politician and a serial killer.

late payment

[pbhj]

Kupfernigk >>> "When I was a general manager, one of my policies was always to pay the small suppliers promptly, because they need it most."

Well, most companies don't hold to that.

Oft repeated rhetoric here is that a companies only purpose is to make money. You're actually depriving your shareholders of a small amount of capital by paying on time if it's possible to avoid.

I find that (as a director in a small business) we get paid late by big businesses and government organisations. They can pay late, we can't afford to sue and we need them more than they need us. We've been paid over a month late by a local council (!) for an amount equal to about 50% of our wages bill ... that doesn't help cash flow much!

Inspired by Google's early ethical policy of "do no evil" ours is "be nice". We've many times checked our behaviour, and adapted it (sometimes to our financial detriment), by following this code.

Ethics is a personal attribute, not a rule set..

[Anonymous Coward]

From what I've seen in 25 years, the difference is simple personal committment. I have been put under pressure to charge clients for hours I didn't work, for being 'creative' with the truth so the real facts wouldn't show (i.e. readers would be mislead), for 'accidentally' overlooking problems because it would be politically convenient and for coming to a pre-determined conclusion by a biased look at the facts.

You have in each case two options: do what's right or do what is convenient. I prefered to do what is right, but you have to accept that in many cases this will be held against you by those that are more of the morally lazy persuasion (or who need their numbers to stack up).

The good news is that such a reputation also works in a positive way: you can become regarded as utterly unbiased, and as long as you don't have personality defects to go with it (I get on with almost anyone) you sometimes end up becoming an example.

In many cases the requested behaviour was contradicting ethics policies. Ethics policies are treated by most organisations as a marketing exercise, not as a code of behaviour. Given the examples of thos who make a real profit I can't see this change overnight..

There is no norm for ethics in IT I think

[oldbamboo]

I've had to familiarise myself with Sarbanes Oxley (which applies only to US listed companies anyway) and that is the only piece of legislation which I am aware of which requires regular sign off of ethical conduct, and that only applies to the board I belive. Elsewhere, for IT workers, both the CISSP and CISA certifications require that a standard of ethical conduct is maintained, and a declaration of such is made by the applicant. I think ethics are only defined in this way, as a requirement for membership of specific professional organisations or for the holding of certain credentials, but these are the only ones I'm aware of. Beyond that, and this is the point, having conducted audits and reviews of a number of companies and the governance of their IT, I think this topic is universally ignored for IT staff specifically. I can not recall once seeing the discreet topic of "Ethics" enshrined within the IT policies and standards of any major company I have inspected. The best thing you can do is collect and review a number of general "End User" policies from different places and see to what degree promises to not view porn, sell secrets, access stuff you shouldn't, etc, etc, are reflected, and quantify them against the ethical requirements being taught on your MBA. IT User policies can be dredged up from the Internet ten a penny, and they should allow you to gather sufficient of them to launch an academic argument as to the provisions for ethical conduct they establish within companies or public bodies in general. The degree to which they are obeyed is impossible to measure, but you can certainly speculate on the need for regular training on ethics.

Programmer Ethics

[sticks_us]

There are at least a few different angles here, and I suggest that management (bad management, at least) is largely to blame for a special, invisible, type of ethics violation in the IT world.

Let me begin by reviewing three modalities of ethical behavior:

1) How the IT worker functions vis-a-vis their co-workers: the usual stuff--office politics, gossip, backstabbing, etc. and has been well-covered elsewhere.

2) How the "visible" IT worker functions in relation to his/her job: Email snoops, BOFHs, yeah, yeah, we get it.

3) Invisible work: Poor management doesn't understand the value of patching, refactoring, debugging, commenting--and because of this forces the worker to compromise their ethics. These operations are often invisible to the unwashed masses.

The third category is hard for management to grasp. They don't understand what it means to cross the line from "useful hack" to "pure garbage."

Code like this:

try (something) {
// hey, it works, let's get busy!
} catch (exception) {
// do nothing, rotsa ruck, suckers!
}

...should be considered a special type of ethics violation (there are probably better examples--but this one should suffice).

Lots of programmers make evil shortcuts or write halfass algorithms, not (always) because they're lazy or incompetent, but because they're implicitly asked to, by managers and product teams who don't understand. Where is the ethical violation in an empty 'catch' block? Could it be the result of:

A) Management who lied about the man-hours required to complete a project,
B) Product teams who didn't take the time to gather requirements properly, or
C) Decision-makers who don't consider programmer input or advice.

The programmer is often forced to make an ethical decision: what is the right thing to do when the boss says "STFU about revising your code and push it into production?" Usually the programmer will just throw whatever they have ready, knowing that they're not putting their best work forward.

Who suffers? The programmer who feels they're forced to make an evil choice, the enduser who pays for shoddy product, the next person who looks at your code, etc.

Sometimes this choice is validated based on expediency, sometimes, it does nothing but let the manager check a milestone off in their excel spreadsheet.

As a fellow MBA Student Ill give some insight.

[jellomizer]

What ethics in is NOT: Choosing Open Source or Closed Source Software, Choosing one Hardware/Software over the other, wether you code you produce is open sourced or closed source, open Spec or Closed Spec ( Although I think they should put more effort in Open Spec vs Open Source) Those are Business decisions and have no real morality issues.

What are Ethical issues:
Finding loop holes in software to avoid paying extra license fee (lets make sure that everyone loges onto this server as this name)
Knowing there has been a security breach and possible data has gotten lost wether to tell the company or not
Change the ways hours for projects are recorded to put more hours in one project and less in an other.
Contracting consultants to replace your current work force just because they are billed from a different source and makes you look good.
Not contracting consultants when your project really needs more people or skills. or a new set of skills for the job for a project.
Changing a project from Fixed Priced to Time and material or vice versa because it just suits your needs.
Expecting Free Quotes or Specs for a new project then going to a different group to do the work.
Work with a third party reseller to get the design you need then go to to the source just because they can give you a better deal.
If you have third party resellers choosing to undercut them after they have done all the relationship building and advertising for your projects.

Ethis is an issue of trust. If your actions shows that you cannot be trusted then things really backfire. Any one ethic violation may not hurt anyone but a combination will generally get the company of employees and venders shit lists and you will get less quality and service and value over time.

Islamic angle

[mapkinase]

"ungodly pirated software": From this blog entry: [wordpress.com]:

A group of contemporary scholars does not approve the concept of "intellectual property"....

and

On the other hand, some contemporary scholars take the concept of "intellectual property" as acceptable in Shariah....

First group arguments:

* concept of ownership in Shariah is confined to the tangible objects only
* no precedent in religious practice where an intangible object has been subjected to private ownership or to sale and purchase
* concept of "intellectual property" leads to monopoly of some individuals over knowledge, which can never be accepted by Islam

Second group arguments:
* there is no express provision in the Holy Qur'an or in the Sunnah which restricts the ownership to the tangible objects only
* there are several instances in Shariah where such intangible rights have been transferred to others for some monetary considerations
* concept of "intellectual property" does in no way restrict the scope of knowledge

Read more of it through the reference. I know there are tons of Muslims from subcontinent in IT industry and (inevitably) on /., so this should be interesting at least to them.

"reading co-workers' emails":
1. Sahih Bukhari is book number 2 for Muslims:

Hadith - Sahih Bukhari 9:38.2, Narrated Sahl bin Sa'd As-Sa'idi
A man peeped through a hole in the door of Allah's Apostle's house , and at that time, Allah's Apostle had a Midri (an iron comb or bar) with which he was rubbing his head. So when Allah's Apostle saw him, he said (to him), "If I had been sure that you were looking at me (through the door), I would have poked your eye with this (sharp iron bar)." Allah's Apostle added, "The asking for permission to enter has been enjoined so that one may not look unlawfully (at what there is in the house without the permission of its people)."

2. Less solid hadeeth (has somewhat flawed chain of narrators)

Hadith - Mishkat, Narrated AbuDharr , Tirmidhi transmitted it, saying this is a gharib tradition

Allah's Messenger said, "If anyone removes a curtain and looks into a house before receiving permission and sees anything in these which should not be seen, he has committed an offence which it is not lawful for him to commit. If a man confronted him when he looked in and put out his eye, I should not blame him. But if a man passes a door which has no curtain and is not shut and looks in, he has committed no sin, for the sin pertains only to the people inside."

I guess second part of the second hadeeth does not apply to BOFH.

Re:You need to clarify your question

[Z34107]

We have got into a world where some companies want to return a greater profit each year and this idea becomes more important to them, than providing a steady living for people.

Businesses aren't welfare programs. Nobody started Microsoft or Proctor & Gamble or big evil entity name here thinking "Hmm, maybe I could employ 400,000 people if only I worked 80 hour weeks for the next ten years or so on the off-chance I might be successful?"

Businesses are supposed to make money. Period. We have laws to keep them from drinking the blood of kittens. Barring unions and closed shops, you are always free to look for another job that will give you a steadier living.

Which is why most places (in my limited experience) try their hardest to make sure their best employees have a "steady living." In any place outside of fast food, turnover is hard on a business. There are financial and opportunity costs involved with training new employees, and a boss that screws over the company for the sake of his paycheck won't be employed long. (Even the most profitable companies will die with enough people bleeding them dry.)

Businesses are here to make money. That's not bad - where do you think your paycheck comes from?