Software Engineering Ethics: Relevance and Importance

Software Engineering Ethics Dror Feitelson Hebrew University

What is ethics all about? Why is it relevant to software engineering?

Ethics Applying moral and social considerations (as opposed to technical) Relevant when there is a dilemma What is the right thing to do?

Software is pervasive So programmers rule the world Your decision might affect millions It might have consequences you didn t intend With great power comes great responsibility

Levels of Ethical Issues Professional: employer vs. client Unrealistic deadlines, buggy features Legal: software does illegal things VW emissions fraud Developing malware Social: software harms society Propagate biased information (business, politics) Platform for advancing racism / crime / terror Effect on social behavior (elections) 1995 : ( )

Software Engineering Code of Ethics Developed by joint task force of IEEE-CS and ACM Largest professional organizations with ~160,000 members worldwide Aspiration to affect everyday conduct Goal to make software engineering a beneficial and respected profession Reflects commitment to the health, safety, and welfare of the public

Software Engineering Code of Ethics 1. 2. PUBLIC - Software engineers shall act consistently with the public interest. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession. 3. 4. 5. 6. 7. 8.

Public Interest 1.03. Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good. 1.04. Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents. 1.05. Cooperate in efforts to address matters of grave public concern caused by software, its installation, maintenance, support or documentation. 1.06. Be fair and avoid deception in all statements, particularly public ones, concerning software or related documents, methods and tools. 1.07. Consider issues of physical disabilities, allocation of resources, economic disadvantage and other factors that can diminish access to the benefits of software.

Client and Employer 2.01. Provide service in their areas of competence, being honest and forthright about any limitations of their experience and education. 2.02. Not knowingly use software that is obtained or retained either illegally or unethically. 2.03. Use the property of a client or employer only in ways properly authorized, and with the client's or employer's knowledge and consent. 2.05. Keep private any confidential information gained in their professional work, where such confidentiality is consistent with the public interest and consistent with the law. 2.06. Identify, document, collect evidence and report to the client or the employer promptly if, in their opinion, a project is likely to fail, to prove too expensive, to violate intellectual property law, or otherwise to be problematic. 2.07. Identify, document, and report significant issues of social concern, of which they are aware, in software or related documents, to the employer or the client. 2.08. Accept no outside work detrimental to the work they perform for their primary employer.

Product 3.01. Strive for high quality, acceptable cost and a reasonable schedule, ensuring significant tradeoffs are clear to and accepted by the employer and the client, and are available for consideration by the user and the public. 3.02. Ensure proper and achievable goals and objectives for any project on which they work or propose. 3.05. Ensure an appropriate method is used for any project on which they work or propose to work. 3.06. Work to follow professional standards, when available, that are most appropriate for the task at hand, departing from these only when ethically or technically justified. 3.07. Strive to fully understand the specifications for software on which they work. 3.08. Ensure that specifications for software on which they work have been well documented, satisfy the users requirements and have the appropriate approvals. 3.09. Ensure realistic quantitative estimates of cost, scheduling, personnel, quality and outcomes on any project on which they work or propose to work and provide an uncertainty assessment of these estimates. 3.10. Ensure adequate testing, debugging, and review of software and related documents on which they work. 3.11. Ensure adequate documentation, including significant problems discovered and solutions adopted, for any project on which they work. 3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software. 3.15 Treat all forms of software maintenance with the same professionalism as new development.

ILLEGAL

VW Case Study Software to cheat in emissions testing Apply emission control technology for low NOx emissions when detecting lab test conditions Deactivate emission controls for better fuel economy (and high NOx emissions) otherwise Done in diesel engines of 2009-2015 models Recall of 11 million cars Company paid ~19.6 billion dollars US engineer got 40 months jail + $200K fine

Malware Case Study Freelance programmer Yuri Shmakov from Novosibirsk, Russia Worked several months on project to block calls and SMSs remotely from a web service Could be used for SPAM filter Suspected it was for malware but did it anyway Ended up in Pincer Trojan for Android devices Steals confidential information Opens backdoor to device https://krebsonsecurity.com/2013/08/who-wrote-the-pincer-android-trojan/

Lender Case Study Consumer finance companies that Make loans to people with limited access and understanding of their rights Charge interest much higher than the market rate Interest rates for different loans are limited Limits vary by state When you write software for such companies, how do you know where it will be used?

BIG DATA

Google Data Collection Case Study Initially competitive due to best search result ranking Then due to best personalization Of results Of ads (this is how they make money) Requires to know your users Competitive advantage over companies who don t have access to such data What about privacy?

What Google Collected ca. 2008 Google (Normal Search) Google Personalized Search Search Engine Result Pages Country code domain Query IP address Language Number of results Safe search Additional preferences can include: Street Address City State Zip/postal code Server log Query URL IP address Cookie Browser Date Time Clicks Logs every website visited as a result of a Google search. Content analysis of visited websites Google Account Used as resource to compile information on individual users Sign up Sign up date Username Password Alternate e-mail Location (country) Personal picture Usage Friends Google Services usage Amount of logins

What Google Collected ca. 2008 Toolbar Translate All websites visited Unique application number Sends all visited 404s to Google Toolbar synchronization function Stores autofill info with Google account Sends structure of web forms to Google Safe browsing Stores response to security warnings Stores autofill forms data Spellcheck sends data to Google servers Web History All text sent to Google servers Google Finance Stock portfolio User s stocks Amount of shares Date/time bought Bought at price Google Checkout Buyers Full legal name Credit card number Debit card number Card expiration date Card Verification Number (CVN) Billing address Phone number E-mail address Every website visited from Google SERP Date Time Search query Ads clicked Which service

What Google Collected ca. 2008 Sellers Personal address Business category Government-issued identification number Social Security Number Taxpayer Identification Number Sales Volume Transaction volume Business information from Dun & Bradstreet Transactions Amount Description of product Name of seller Name of buyer Type of payment used User trend data Web Beacons Referrer data YouTube Registered user data Videos uploaded Comments posted Videos flagged Subscriptions Contacts All videos watched Frequency of data transfers Size of data transfers Click location data Information display data E-mail Web Beacons for tracking E-mail opened or discarded Account basics E-mail Password Username Location (country) Postal code Birthdate Gender Bank account number Channels Groups Favorites YouTube SERP data

What Google Collected ca. 2008 Gmail Calendar Name Default language Time zone Usage statistics How long the service is used for Frequency of data transfers Size of data transfers Number of events Number of calendars Clicks Deletes every 90 days All events Who is going Who was invited Comments Descriptions Date Time Stores, processes, and maintains all messages Account activity Storage usage Number of log-ins Data displayed Links clicked Stores all e-mails Contact lists Spam trends Gchat All conversations and who they involve. When service is used Size of contact list Contacts communicated with Frequency of data transfers Size of data transfers Clicks

What Google Collected ca. 2008 iGoogle Desktop Settings stored in Cookies Settings linked to Google Account Blogger Indexes and stores Versions of your files Computer activity E-mails Chats Web history Mixed with web search results Content analysis of data on computer for integration into SERPs (opt-in) User photo Birth date Location Frequency of data transfers Size of data transfers Clicks Blogger Mobile Phone number Associates with Google Account Device identifiers Hardware Identifiers Google Docs Unique application number Application interacts with Google s servers Number of searches and response times Goog 411 E-mail address Number of logins Actions taken Storage usage Clicks All collaborators All text All images All changes (previous versions) Phone number Time of call Duration of call Options selected Phone number used as identifier Records all voice commands

What Google Collected ca. 2008 Orkut Groups Name Gender Age Location Occupation Religion Friend graph Hobbies Interests Photos Invites Messages Orkut Mobile Phone number Wireless carrier Content of message Date Time Everything a user writes Every blog post a user reads E-mail password Contents of posts Contents of custom pages Contents of external files Account activity Groups joined Groups managed List of members List of invitees Ratings made Preferred settings

What Google Collected ca. 2008 Picasa Double Click/AdWords Friend graph Favorite lists Clicks (almost all Google services track all clicks) All photos Geotags (Exif data) People who subscribe to albums Mobile Ads clicked Age Sex Location Trends of past visited websites IP address Health Phone number Device type Request type Carrier Carrier user ID Content of request Maps for mobile Location information (GPS) Address Websites visited if user asks Google to transcode Voice commands Web Accelerator Medial records Doctors Conditions Prescriptions Age Sex Race Blood type Weight Height Allergies Procedures Test results Immunizations Web requests Cache of websites before you go to them

What Google Collected ca. 2008 Postini Google Merchant Search E-mail address Traffic patterns Clicks GrandCentral Name Contact information E-mail address Phone number Notebook Credit card Credit card expiration date Credit card verification number Billing address Stores, process and maintains Voicemail messages Recorded conversations Contact lists Storage usage Number of log ins Data displayed Clicks Telephony log information Calling-party phone number Forwarding numbers Time of calls Date of calls Duration of calls Types of calls Stores, processes and maintains All content in notebook Nickname Storage usage Number of log-ins https://moz.com/blog/the-evil-side-of-google-exploring-googles-user-data-collection#list

Cambridge Analytica Christopher Wylie Mindf*ck: Cambridge Analytica and the Plot to Break America Random House 2019 how a liberal, gay, vegan, 24-year-old Canadian found himself part of a British military contractor developing psychological warfare tools for the American alt-right.

LEGAL, BUT

Deceitful Quiz Case Study Bill Sourour, 21, coder for interactive marketing firm with many pharma clients Task: site for drug for teenage girls Included a quiz: Answer a series of questions Get a recommendation for a drug https://medium.freecodecamp.org/the-code-im-still-ashamed-of-e4c021dff55e

Before submitting the website to the client, my project manager decided to give it a quick test. She tried the quiz, then came over to my desk: The quiz doesn t work, she said. Oh. What s broken? I asked. Well, it seems that no matter what I do, the quiz recommends the client s drug as the best possible treatment. The only exception is if I say I m allergic. Or if I say I am already taking it. Yes. That s what the requirements say to do. Everything leads to the client s drug. Oh. Okay. Cool.

Deceitful Quiz Case Study Turned out that the drug had side effects Depression Suicidal thoughts Saw report of a girl using the drug killing herself His sister was also using this drug Advised her to get off the drug ASAP Note: nothing he did was illegal

Deceitful Advertising

Deceitful Advertising

Facebook Addictiveness Case Study Psychology of addictiveness: Rewards at random times (better than regular) Rewards that give social validation (likes) Arouse curiosity (teasers, promos, trailers) Facebook (and many other sites) designed to hook users to spend more time on them Is this necessarily bad?

Flappy Bird Case Study Game created by Doug Nguyen Became most popular on AppStore and Google Play in Jan 2014 Taken down in Feb 2014 "Flappy Bird was designed to play in a few minutes when you are relaxed. But it happened to become an addictive product. I think it has become a problem. To solve that problem, it's best to take down Flappy Bird. It's gone forever."

Google Doodle Game Used as logo in May 2010 Demonstrate browser abilities Study showed people spent 36 sec more on google than usually on average Comes up to 4.8 million work hours total Worth $120 million

ETHICS AND YOU

Software is pervasive So programmers rule the world Your decision might affect millions It might have consequences you didn t intend With great power comes great responsibility

The Bottom Line You were hired for your knowledge. And your knowledge gives you the privilege and the responsibility to say no when no is the answer. -- Bob Martin https://www.youtube.com/watch?v=BSaAMQVq01E&t=59m

Google Pentagon Contract Google had a contract with the Pentagon developing AI for drones (project Maven) April 2018: 4000 employees signed petition against it, several resigned About same time, don t be evil motto removed from Google code of conduct June 2018: Google publishes AI principles Will not design or deploy AI for weapons October 2018: Google decided not to bid for Pentagon $10B cloud infrastructure contract