Ask HN: What is the most unethical thing you've done as a programmer?

432 points by 88e282102ae2e5b ↗ HN
There was an article a while back about how cell service providers were selling extremely granular location data, and some of the programmers working on those systems immediately showed up on HN to comment on their moral dilemma. I suspect it's not an isolated case.

519 comments

[ 2.7 ms ] story [ 338 ms ] thread
Did a project using Cold Fusion.
Literally Hitler.
I have been working in Cold Fusion for the past year and I feel the same way.
Used some of the more advanced features in git to delete commit history and cover up bunch of illegal activity shortly before an acquisition.

I used to feel really bad about this, but apparently there are whole teams dedicated to this sort of "cleanup" in M&A nowadays. Now I just feel bad about everything!

Without going into specifics, can you outline the kind of illegal activities that might appear in a git commit history? I'm guessing copyright infringements mostly?
Basically lots of tracking of users and reselling that data in extremely detailed ways. Whatever the marketing team demands or you're fired, that kind of environment.
(comment deleted)
I did some contract work for an online “payday loan” company for a bit. It didn’t take me long to realize I was ashamed of working with such a terrible industry, but my professionalism kept me there until I finished the job. Definitely a low point.
Having spent most of my spare time for the past 8 months on a FinTech idea (which I now question the cost of launching) I spent the day yesterday looking into PayDay loans as one of the URL's I got for said biz is pretty damn catchy for a PDL endeavor. Case in point--GoDaddy has all kinds of loan ads on the parked page.

I agree with you though, that's a sleazy way to make money, IMO.

Payday loans are bad but they are not that unethical. The alternative option for people reliant on payday loans are actual loan sharks, which will turn out a lot worse for the debtor. So don’t be so hard on yourself.

I think it would be difficult, but possible to run an ethical payday loan company that focuses on building people up and out of long term debt.

(comment deleted)
>Definitely a low point.

I totally understand. It just made me feel dirty. I quit as soon as I was able.

I once got pulled into an arbitration hearing to explain how certain code functions operated. While not necessarily unethical it was a moral moment because I knew the inquiry came with the loaded intent to twist whatever explanation I gave into the worst possible extreme.

Sure enough that's exactly what happened and a really hard working and honest developer lost their job so an executive could save face.

Left that company a month later but I still feel horrible

Without giving away more details than you feel comfortable with, could you share more about what the developer was fired for and how it made that executive safe face?
It was a feature set that was supposed to provide additional reporting views and expose data to customers when queried. Turns out one exec had some very embarrassing transactions that emerged from this and he wanted that info suppressed and the person who leaked it fired.

The feature worked as designed, and this exec was the one who pushed for it to go to market despite all warnings that a review of the depth of exposed data was needed first. Nothing was ever leaked, as I mentioned it worked exactly as we were instructed to build by the product managers and our engineering lead.

The outcome is the outcome scoped for.

Fwiw many engineers left after that moment. We were already at odds with leadership and when they showed their colors in that incident it resulted in nearly the entire engineering department bailing.

This never made it publicly, it was an internal product demo to the whole company leading up to launch. To my knowledge no customers or media outlet caught wind of the transactions or the internal coup that resulted.

Are we talking personal transactions on behalf of the exec that happened to be in scope because they were also a user of the software/in the data set? Or are we talking about business transactions by this exec that were professionally embarrassing?
I was once assigned a task that had been estimated at 8 hours of development time, but only required the modification of a single line of code.

I finished it in 5 minutes. My boss asked what happened, I told him, and he told me to revert the code, work on other tasks, and redo it at the end of the day so he could bill for 8 hours (in addition to billing for the other tasks I worked on).

I did it and didn’t say anything. This was just a few weeks into my career.

I’m surprised this kind of thing doesn’t happen more often, to be honest. The people handling the business and writing the checks never seem to know anything about software. You could probably get away with telling them just about anything.

I’ve only ever seen it happen once, though. Software industry has been pretty honest in my experience (at least as far as billing goes...)

Guess I haven't had enough coffee -- I'm struggling to remember the joke in which the punchline is the professional telling the client something like "You're not paying me to do [one simple/small thing], but for the years of experience it takes to know that [it's that one simple thing]".

The problem with trying to charge for programming work is that so much non-trivial work can be summed up as a few keystrokes, or an addition of a single line, or even producing less code (by deletion/refactoring). That said, I don't understand why your boss thought this subterfuge was necessary. If the client is non-technical enough to approve 8 hours of billing for something that takes 5 minutes to fix, how is that client competent enough to look through the git history to know that it was only 5 minutes of work?

My art history textbook has a similar story about James McNeill Whisler, who when challenged on charging 200 guineas for a painting, responded, "I ask it for the knowledge of a lifetime."
I think this is extremely common in payed-by-the-hour scenarios, when the person doing the tasks aren't on-site.

I also think most people are aware that's the case, and are fine with it since they've got an estimate that they've approved. The estimate was good enough to justify the business value so they expect to pay the full hours.

Letting people know you need more time is probably a bigger issue.

Your mistake was getting it done too quickly. I hope you learned to manage your time better for future endeavors.
For a salaried position, this wouldn't even be unethical. When I finish my work, I take off and have fun. Even for hourly contracting, it's dubious whether this is unethical. The only mistake is telling people it took five minutes. Ideally you'd spend the day having fun and check this in at the end. Not getting paid for actual work done is so common in contracting, however, that I certainly wouldn't feel bad about using up the whole time estimate for a five minute task.
That’s how consulting usually works. You scope out stories and commit to the number of stories in a sprint. Even if you wanted to add more to the sprint you’d just mess up the allocated time of QA and add more stuff for the dev ops team. That’s why more than one person (and people who know the system) should be giving estimates.

Otherwise, if it takes half the time use the other half to test, or train yourself to be better at your job. IMO

not mine, but someone programmed The Drop https://www.youtube.com/watch?v=pCOCKS5AJI8
Is this real? Can't find any sources on it.
I don't think that particular feature made it onto the record, but Garret's confession rings true because AT&T did have a lot of capacity problems for a few years after the iPhone launch, especially in New York and San Francisco. I can find a lot of articles from 2009 mentioning dropped calls.
While working at a services / consulting company, I've been privy to cases where we put our own interests over the client's, essentially getting them to pay us to screw them over.
You’re kidding. I can’t even imagine something like this happening in business.
The Big Short - nice movie, check it out :-)
I agree. I’ve both seen it and read the book.
Ok, so you are trolling. Sometimes is hard to tell.

Good movie indeed, I will make some room for the book.

Yeah, I should've put a "/s" after my original comment, sorry.

After 20+ years in the business, I'd be more surprised if a consulting company didn't bill for extra hours and screw over their clients. haha.

I have literally never seen a consulting engagement where this wasn’t the case. I’m sure they exist, I just personally haven’t witnessed it.
I’ve fired people on behalf of more senior managers too cowardly to do it themselves.
Implemented ads to be served to customers who had specifically paid for an “ad-free experience.”
How did that work?
They were ads to upsell them on a higher level of subscription. The argument was that they were "promotions" from US, not advertisements, which were from a "third party."

Of course, this is nonsense. An in-house ad is still an ad. When someone pays for an "ad-free" experience, we know they don't expect that they will still receive a full-screen modal popup, even if it is a house ad.

Took liberties with our interpretation of a third party TOS so that we could utilize a product. I surfaced this to leadership when I realized we were not in compliance, but we kept the outcome of what we needed from it, although we did cease to use the tool. I chose less career friction over fighting further.
Saving data from something like google places API?
Worked on an automated system to skim tips from crowdsourced 'contractors' without them realizing it was being done. Don't worry, legal says it wasn't technically against the law and the fine print of the contracts said we could do it.
In my first job out of college i worked at a big consulting company on a project at a company that used interwoven teamsite cms. Teamsite was a cms written in Perl, JavaScript, and Java with lots of xml sprinkled in. It was a horrible system.

I blogged about it on my personal blog. All the posts were about how to solve issues I had using it. This was before stack overflow.

After I had about 10 such posts I wrote a post titled "interwoven teamsite sucks" and linked all the other posts there.

I started noticing traffic to that post from specific ips accross the country.

A week later I was pulled into a meeting with the top see directors and told to remove my blog. Interwoven was an Accenture client.

I removed it.

I like how you dropped the name of the "big consulting company" in the end, there.
Yeah that was a mistake on my part, but you can easily find it on my resume anyway.
Ever so slightly surprised you didn’t get fired immediately.
I had already given notice at this point, so maybe that is why they didn't fire me. They could still tell interwoven "this asswipe is no longer with us".
What was your experience like in Consulting?
I've done a lot of work involving scraping, data analysis and reversing private API access from mobile applications. A lot of this work is legally defensible (if you do it correctly) and not particularly unethical. After doing a bunch of this type of work I started to accrue subject matter expertise in the area that led other companies to come to me with more questionable projects in mind. I turned down many of these, but two projects stand out to me as unethical or borderline. In fact, this was the reason I eventually stopped working with these companies.

The first project was for a large, (now) well-known fintech company. They needed to develop login integrations with consumer banks to acquire customer account information for verification purposes. But many such banks didn't particularly want to grant them any special API access. More importantly, these banks typically forbid scraping and made it explicitly difficult by implementing JavaScript-based computational measures required on the client in order to successfully login. I helped this company develop methodologies for bypassing the anti-scraping measures on several banking websites. However, I stopped working on this because 1) I felt uncomfortable with the cavalier way they were ignoring banks' refusals, then using the reversed integrations and onboarded customers as a bargaining chip for more formal partnerships, and 2) performing huge amounts of analytics on customer data acquired as part of the account verification process.

The second project was for a tech startup working on insurance and credit analytics. This company is one of several that popped up in recent years to use machine learning and social data in order to develop a more "complete" credit score (in their eyes). They had an impressive team of machine learning researchers but their data acquisition team was comparatively mediocre. So I worked with them to improve their acquisition methodologies for a variety of social media websites. I stopped working with them for three reasons: 1) fundamentally, I lost faith that their product was actually generating a meaningful signal over traditional means, 2) I was worried that the data they were collecting might introduce spurious correlations or illegal biases, and 3) if any team was going to do this correctly, I didn't think this particular team was the qualified one to do it.

> A lot of this work is legally defensible (if you do it correctly)

Could you expand on the correctness aspect? I'm currently working in this space for what I believe to be good reasons (to improve the accessibility of a particular service for visually impaired users). But I'm eager not to abuse my position and knowledge.

Depends on jurisdiction OP operates in, but clean room reverse engineering is one technique, i.e. OP reverse engineers a piece of software, documents how it works at a high level, and hands off the documentation to legal counsel who reviews it for IP infringement etc. The doc is then handed off to a completely different team/engineer who implements the API contract documented by OP.
To be clear, I'm talking about scraping. I think the sibling commenter is talking about developing competing products via reverse engineering ("clean room implementation"). I am also not a lawyer, so I can only tell you the guidance I received from one for the projects I worked on.

Technically speaking you can scrape data in a legally defensible way if you do not need to accept any terms of service explicitly prohibiting scraping in the course of grabbing the data. The distinction is that browsewrap T&C have plausible deniability, but clickwrap T&C do not. And if you receive a cease and desist order, you abide by it with a mea culpa. This also means you don't scrape so loudly as to be noticed, which has the happy side effect of probably not disrupting the target's service.

But again: The grey areas of ethics are a separate question from legality. Please engage a lawyer for your specific work.

Depends on the jurisdiction. For instance Europe allows reverse engineering for inter compatibility. Terms of services carry little value here (none for this clause that's already covered by a specific law).

However, it would be interesting in the case of bank services. Accessing the account from the customer probably let you initiate a variety of actions like money transfers or loans, it's sensible to argue for limited and controlled inter interoperability.

Also, customers are not allowed to share their credentials and he is in breach of his contract. The account should be considered compromised and be locked.

I don't necessarily agree that the first project was unethical, the banks were saying no because they wanted to develop a product of their own to compete with the company that hired you, not because they had any moral standing to prevent the customer from running analytics on their own data. The company you did the work for is immensely helpful to the consumer, and banks refusing to let consumers interact with their own data is, IMO, more of the moral violation than forcibly scraping that data out.
Even worse, the banks preventing users from straightforwardly accessing their own data is exactly what is pushing users right into the arms of these "fintech" surveillance companies.

The technology (OFX direct connect) and software (Quicken, now Moneydance) for users to privately track their finances has been around for quite some time. But the protocol appears to be getting deprecated in favor of this "web download" rigmarole as banks attempt to decommodify.

I had thought about futzing with Plaid for my own monitoring purposes, figuring since they were B2B they wouldn't be directly surveilling (leaving that up to customers instead). Apparently I was wrong. Surveillance capitalism, indeed!

First project sounds like Coinbase.
I was thinking the first is Mint
Thank you for sharing. This is why I never sign up for any fintech services. The amount of data I hand over is never worth the "benefits" they provide.
Most of those sorts of companies (both B2C and B2B) ultimately end up selling the user transaction data (or some derivative analytics thereof) to hedge funds. It's used (for example) to forecast the revenue of B2C companies in advance of equity earnings announcements.

NB: I don't have an issue with user data being mined for things like market research if it's a situation where the product is free and users can be easily made aware of it. But I find it dishonest if the company mining that data is doing so without direct user consent, or in a "backdoored" manner using their status as a downstream client's "affiliate" for T&C purposes.

I'm guessing the first company is Plaid. I'm in the ACH payments space so we're a potential customer of Plaid and I vaguely remember a presentation or something where they (Dwolla + Plaid) promise merchants the ability to grab 12 months worth of transaction history from a user's bank account. Could be wrong about that. I do know for sure I made a mental note to myself to never use Plaid as a consumer.
Well, since you already guessed it: yes, it was Plaid.
I would have no issues working on this. Doesn't seem very unethical. (For people who know the space, it's pretty obvious that you're talking about Plaid :))
Well I subscribe to moral relativism, so I don't have an issue with you not finding it to be unethical. But personally, it bothered me that so much user data would be mined from their financial statements.

I know B2C companies like Mint do this as well, and I don't have an issue with user data being used for market research. But it seemed underhanded since most customers aren't aware of it. If you use Mint you can read their T&C and understand your data is mined. But Plaid is not sold to users, it's sold to companies. So end users of a completely different company which simply uses Plaid for account verification would be implicitly volunteering their data.

The other thing that bothered me is that companies which have valid reasons for not wanting to develop API integrations for Plaid would be strong armed into doing so once Plaid had acquired a critical mass of their users using the methods I helped them develop.

Throwing in a guess for the second company, was it Zest Finance?

I know this isn't the point of the thread, but I couldn't help myself. I will ask for forgiveness (as I am sure we have all done in both technical and ethical matters)

Sounds like you would be a valuable member of any company, especially a startup. I’d love to hear your thoughts on more ethical ideas for analyzing difficult to obtain data. Feel free to ping me directly.
> hear your thoughts on more ethical ideas for analyzing difficult to obtain data.

See, this data is not difficult to obtain if you're operating in an ethical manner.

You can't do ethical analysis of data obtained in an unethical fashion. Fruit of the poisoned tree and all that. I guess it worked for radiologists after nazi germany however...

What's wrong with allowing customers to fetch their own data from their bank? I hold the opposite point of view, that banks withholding information from their customers is unethical.
As a gentle satire of a much-hated London-based design company we were working with during a project for a major brand, I added something called 'disco mode' to the customer's site if you crafted the correct query string. It progressively added more and more random jQuery effects to the page on a timer, while the customer's logo jumped to a beat.
How did you get that past code review?
It's cute that you think every company, even the kind that did brochureware sites for brands more than 10 years ago, does code review.
It’s cute that you think it’s cute.
I downvoted you because you were condescending while providing an otherwise relevant piece of information.
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

> Please don't comment about the voting on comments. It never does any good, and it makes boring reading.

https://news.ycombinator.com/newsguidelines.html

Yeah there are plenty of companies that don't do code reviews still to this day. I worked for an ad agency for a bit and we were still using SVN (afaik they are still using SVN for many projects today). Everyone would just push code straight to trunk with no review process.

I created a cool little easer egg where if you clicked in the bottom left corner of the browser window and dragged in a circle, the site would flip upside down. A coworker and I also photoshopped some of the client's imagery that was used on the site and hosted it on another domain. If you typed a variation of the Konami code while on the site, the images would be replaced with our meme-ified versions of their imagery. Even if we had a code review process, none of my coworkers would have even noticed that little bit of extra code in the mess of jQuery spaghetti that was their codebase.

That's an Easter egg.
Circumvented browser features to force autoplay on videos with high volume on our websites. While not a morally bankrupt thing to do especially compared to some of the other examples, we all felt dirty doing it.
> While not a morally bankrupt thing to do

Could you explain this position? (Honestly asking.)

From my perspective, at least you could stop going to the website if they did stuff like this, and TBH anyone's free to do whatever they want on their website. A lot of these other stories are doing things without informing customers, or using customer data illegally, and stuff like that.

It's sure not great if you want people to come back to your site, but it's not morally bankrupt.

>TBH anyone's free to do whatever they want on their website

That's where you're wrong, kiddo. There's laws now.

No there aren't, none relevant to this conversation at least.
Check out the Americans with Disabilities Act.
ADA applies to companies with 15 or more employees. Nobody is under any obligation to make their blog ADA compliant.
I think we're talking about different comments. I'm certainly not talking about a blog. Instead, I was referring to the parent's application. The parent wrote:

Circumvented browser features to force autoplay on videos with high volume on our websites. While not a morally bankrupt thing to do especially compared to some of the other examples, we all felt dirty doing it.

There's no information about the size of the company there. I replied to a comment that said there are no relevant laws and suggested that that person check out the ADA. The ADA might be relevant.

The ADA isn't relevant with respect to auto-playing videos, but is it relevant with respect to forcing a volume increase? I think that's a hard sell.
Insultingly diminutive language aside, you're just wrong. Assuming you're referring to the ADA, "there's [been] laws now" since the 90s. The line you quoted is clearly referencing personal websites, which are not bound by ADA.
Aside from the accessibility issues pointed out by another comment, this was mostly an annoyance upon our users that the higher-ups decided converted well. FWIW we did try to argue against it but profits dictate behavior in a large corporation. :-/

Either way, it doesn't exist any more and if you were ever bothered by it (I apologize), there are no over-arching effects that you have to worry about.

I doubt it leads to actual profits but the morons at the top think it will for some reason.
Most of the dark patterns lead to more profits, or sign ups, or something measurable. That's why they are everywhere, they really have a purpose.
I believe the key word is 'something measurable'. People remember their obtrusive ads more so they think mission accomplished even though they now try to avoid them as 'the guys with the obnoxious advertisements'. It might be ultimately detrimental to the company but their bosses think it is a good thing and they get rewarded for it.

Metricitisis is a major management disease of our times and neither corporate, nor government nor nonprofits are safe from missing the point completely in the quest for meeting irrelevant metrics so they can say they are a good manager.

Also, the question is, who did the measuring?

I worked once for a small company that had a social media marketing side (separate from what I did for them, but we sat in the same open space). From what I've observed, the social media marketing business mostly boiled down to our people writing reports which shown nicely growing metrics to customers who then happily paid. The metrics might or might not have been correlated with any real-world increase in profits, and really neither side understood any of that. But it looked believable, so customers paid.

I suspect a lot of that is happening in adtech these days - people with no understanding of statistics bullshitting each other with pretty charts.

From an accessibility point of view this can be more than an annoyance. If your video means I can't hear my screen reader, and I'm the sort of user not to plan for this inevitable sort of event, my computer is unusable until it finishes or until I recover sufficiently from being disoriented to remember the hotkeys to get out of there. So please never do this again. Thx.
So what you're saying is that loud ads are grounds for an ADA suit? Color me interested.
Your superiors thought this was a good thing? Funny how people do t realize that makes your product insta-toxic. Or am I naive?
(comment deleted)
Sites like that is why I have the Chrome plugin "Quick JavaScript Switcher" that instantly disables JavaScript and reloads the page. As soon as noise starts blasting when it's uncalled for, I just hit the panic button next to the address field!
Did your company made any money off that? It sounds like a great way to make sure people don't stay there and to get downranked by Google.
As a frequent victim of this, perhaps you can satisfy my curiosity: What is the logic behind auto-starting videos at MAX VOLUME?

That just sends me stampeding for the [X] on the tab button all the faster.

What's it like to work for CNN? Did you ever get to meet Wolf Blitzer?
Let ye who hasn't exploited a web browser for commercial gain cast the first stone.
Amazing there’s nothing here about crypto.
Probably because the people in question are still drinking the Kool Aid.
Sounds about right. I've only met a handful of devs in crypto. They were all in college or recently graduated individuals. I don't know if they were getting paid in cash or tokens, but it was hinted at that they were being paid, at least in part, under the table.

Most of the crypto workers I've met in the last six months have been mostly freshly minted MBAs or marketing people with tons of money to burn.

There's nothing wrong with developing cryptography software.
While I haven't done anything nefarious other than putting a few tracking/analytics frameworks into our product, I have heard a few stories from my colleagues...

E.g. at a contractor company, a client wanted to lease 5 developers for a project. We didn't have enough free developers, so they assigned a single guy to the project, who was making commits from 5 different accounts. The client was paying for 5 devs of course.

There was also a client who was building slot machines, and we wrote the software for it. We ran experiments to figure out the best way to rip off gambling addicts.

The first company I worked for took EU innovation grants and when the deadline came, they simply copied their existing product, replaced the logo and showcased it as something they used the grant for.

Most unethical?

Probably pre checking one of those cookie policy checkboxes or what not. Wasn't too happy about that, especially when the software used removed the feature before for exactly the reason you may expect.

I also previously used a mod to read personal messages on a forum once, though that's one of those things which is heavily, heavily debated about on community management sites, with about half the audience saying its an unethical breach of privacy and the other half saying either that it's their site and property deal with it or that it's a good way to stop poaching and abusers.

But that one wasn't exactly coded by myself, so eh, it's an edge case for this question.

So probably a tie between those two, depending on what you count by 'as a programmer'. Fortunately, everything else I've been asked to do in my career has been pretty normal/ethical.

I suspect you're not going to get many personal stories here because it would be self-incriminating. But I have a couple from some people I know in tech.

1. I know the guy who, pre-Snowden, actually designed many of the pieces of network gear needed for the dragnet. His perspective was basically: Yes it's wrong, but what do I know? I just design electronic circuits.

2. Same guy also mentioned how at another company he worked at they used DNS tricks to exfiltrate data out of their enterprise clients. Nothing crazy, mostly just analytics to aid in things like product design. They got caught though. First Intel went out, then a couple hours later 4 other big tech companies (including Apple and Microsoft). Then a huge swath of devices stopped reporting. They got acquired shortly afterwards for a large, but sub-billion dollar amount.

3. I know a couple people that crack into devices and sell the 0days to the highest bidder. I consider this practice for anything cyber-physical (self-driving cars, etc) to be so unreasonably unethical that it should be against international law. It's one thing to sell these things to an allied government, it's quite another to have them on the open market.

> Yes it's wrong, but what do I know? I just design electronic circuits.

This outlook, along with "well if I don't do it someone else will anyway", is why tech workers are quickly becoming the new bankers in the view of the public.

Yeah, some hackers wear white hats, others wear black hats, and then there are those who wear paper bags over their heads.
> This outlook, along with "well if I don't do it someone else will anyway", is why tech workers are quickly becoming the new bankers in the view of the public.

Which really annoys me, because while moral indifference of some tech workers is wrong, there are still the business guys actually giving the immoral orders. Those are conveniently forgotten in the new narrative.

At what level of technical skill/background does a business guy become a tech guy?

People are people and this "oh the business guys are the bad ones, not poor little programmer making $200k/yr implementing business guy's idea" mindset is odd.

It's not about the skills/background, but decisionmaking capacity. The blame for executing an order is separate from the blame for issuing one. If a tech worker is both the decisionmaker and the implementer then they get to be blamed for both, of course.
I am not sure I understand the distinction you make between a government and the higher bidder? How can you be reasonably sure that your findings will not be used wrongfully by X gov official?
The highest bidder is likely to be a government agency.
You can't, but if the NSA or CIA wanted to kill a bunch of people they could. Whereas ISIS and company can't. Not knowing who is buying your 0day is dangerous to public safety.
Was the second company Meraki?

EDIT: I don't expect to receive an answer to this (and that's fine), but I'll give more color to my guess. Meraki had a side venture in internet connectivity-enabled location analytics which was more profitable than its actual router sales. This is one of the reasons why its acquisition price was so high. It has since contributed to a location analytics service within Cisco.

> 1. I know the guy who, pre-Snowden, actually designed many of the pieces of network gear needed for the dragnet. His perspective was basically: Yes it's wrong, but what do I know? I just design electronic circuits.

In case anyone wonders, this is why so many engineering schools are increasing their focus on teaching ethics.

>It's one thing to sell these things to an allied government, it's quite another to have them on the open market.

Honest question...why?

The result/intent seems the same whether done by a state or nonstate actor. In fact a state actor seems more likely to use it because of a greater feeling of moral justification.

Because terrorists target civilians on purpose.
1) Those are incredibly arbitrary labels and you either know that or should know that

2) The US drone program regularly targets first aid personnel and rescuers.[0]

[0] https://www.thebureauinvestigates.com/stories/2012-02-04/cia...

What does nr. 2 have to do with anything? The fact that the US kills civilians doesn't make this more ethical.
Because the original implication was that state actors don't target civilians.
Nice job, we know it's you.
You forgot to add “confiding for a friend”
Take people's content and put ads on it. TOS compliant but shady.
Do you work at Google?
I worked for a major gambling tech company. There was almost no oversight and I pretended to work when I really didn't.