Ask HN: What is the most unethical thing you've done as a programmer?
There was an article a while back about how cell service providers were selling extremely granular location data, and some of the programmers working on those systems immediately showed up on HN to comment on their moral dilemma. I suspect it's not an isolated case.
519 comments
[ 2.7 ms ] story [ 338 ms ] threadI used to feel really bad about this, but apparently there are whole teams dedicated to this sort of "cleanup" in M&A nowadays. Now I just feel bad about everything!
I agree with you though, that's a sleazy way to make money, IMO.
I think it would be difficult, but possible to run an ethical payday loan company that focuses on building people up and out of long term debt.
I totally understand. It just made me feel dirty. I quit as soon as I was able.
Sure enough that's exactly what happened and a really hard working and honest developer lost their job so an executive could save face.
Left that company a month later but I still feel horrible
The feature worked as designed, and this exec was the one who pushed for it to go to market despite all warnings that a review of the depth of exposed data was needed first. Nothing was ever leaked, as I mentioned it worked exactly as we were instructed to build by the product managers and our engineering lead.
The outcome is the outcome scoped for.
Fwiw many engineers left after that moment. We were already at odds with leadership and when they showed their colors in that incident it resulted in nearly the entire engineering department bailing.
This never made it publicly, it was an internal product demo to the whole company leading up to launch. To my knowledge no customers or media outlet caught wind of the transactions or the internal coup that resulted.
I finished it in 5 minutes. My boss asked what happened, I told him, and he told me to revert the code, work on other tasks, and redo it at the end of the day so he could bill for 8 hours (in addition to billing for the other tasks I worked on).
I did it and didn’t say anything. This was just a few weeks into my career.
I’m surprised this kind of thing doesn’t happen more often, to be honest. The people handling the business and writing the checks never seem to know anything about software. You could probably get away with telling them just about anything.
I’ve only ever seen it happen once, though. Software industry has been pretty honest in my experience (at least as far as billing goes...)
The problem with trying to charge for programming work is that so much non-trivial work can be summed up as a few keystrokes, or an addition of a single line, or even producing less code (by deletion/refactoring). That said, I don't understand why your boss thought this subterfuge was necessary. If the client is non-technical enough to approve 8 hours of billing for something that takes 5 minutes to fix, how is that client competent enough to look through the git history to know that it was only 5 minutes of work?
https://www.buzzmaven.com/old-engineer-hammer-2/
I also think most people are aware that's the case, and are fine with it since they've got an estimate that they've approved. The estimate was good enough to justify the business value so they expect to pay the full hours.
Letting people know you need more time is probably a bigger issue.
Otherwise, if it takes half the time use the other half to test, or train yourself to be better at your job. IMO
Good movie indeed, I will make some room for the book.
After 20+ years in the business, I'd be more surprised if a consulting company didn't bill for extra hours and screw over their clients. haha.
Of course, this is nonsense. An in-house ad is still an ad. When someone pays for an "ad-free" experience, we know they don't expect that they will still receive a full-screen modal popup, even if it is a house ad.
I blogged about it on my personal blog. All the posts were about how to solve issues I had using it. This was before stack overflow.
After I had about 10 such posts I wrote a post titled "interwoven teamsite sucks" and linked all the other posts there.
I started noticing traffic to that post from specific ips accross the country.
A week later I was pulled into a meeting with the top see directors and told to remove my blog. Interwoven was an Accenture client.
I removed it.
The first project was for a large, (now) well-known fintech company. They needed to develop login integrations with consumer banks to acquire customer account information for verification purposes. But many such banks didn't particularly want to grant them any special API access. More importantly, these banks typically forbid scraping and made it explicitly difficult by implementing JavaScript-based computational measures required on the client in order to successfully login. I helped this company develop methodologies for bypassing the anti-scraping measures on several banking websites. However, I stopped working on this because 1) I felt uncomfortable with the cavalier way they were ignoring banks' refusals, then using the reversed integrations and onboarded customers as a bargaining chip for more formal partnerships, and 2) performing huge amounts of analytics on customer data acquired as part of the account verification process.
The second project was for a tech startup working on insurance and credit analytics. This company is one of several that popped up in recent years to use machine learning and social data in order to develop a more "complete" credit score (in their eyes). They had an impressive team of machine learning researchers but their data acquisition team was comparatively mediocre. So I worked with them to improve their acquisition methodologies for a variety of social media websites. I stopped working with them for three reasons: 1) fundamentally, I lost faith that their product was actually generating a meaningful signal over traditional means, 2) I was worried that the data they were collecting might introduce spurious correlations or illegal biases, and 3) if any team was going to do this correctly, I didn't think this particular team was the qualified one to do it.
Could you expand on the correctness aspect? I'm currently working in this space for what I believe to be good reasons (to improve the accessibility of a particular service for visually impaired users). But I'm eager not to abuse my position and knowledge.
Technically speaking you can scrape data in a legally defensible way if you do not need to accept any terms of service explicitly prohibiting scraping in the course of grabbing the data. The distinction is that browsewrap T&C have plausible deniability, but clickwrap T&C do not. And if you receive a cease and desist order, you abide by it with a mea culpa. This also means you don't scrape so loudly as to be noticed, which has the happy side effect of probably not disrupting the target's service.
But again: The grey areas of ethics are a separate question from legality. Please engage a lawyer for your specific work.
However, it would be interesting in the case of bank services. Accessing the account from the customer probably let you initiate a variety of actions like money transfers or loans, it's sensible to argue for limited and controlled inter interoperability.
Also, customers are not allowed to share their credentials and he is in breach of his contract. The account should be considered compromised and be locked.
The technology (OFX direct connect) and software (Quicken, now Moneydance) for users to privately track their finances has been around for quite some time. But the protocol appears to be getting deprecated in favor of this "web download" rigmarole as banks attempt to decommodify.
I had thought about futzing with Plaid for my own monitoring purposes, figuring since they were B2B they wouldn't be directly surveilling (leaving that up to customers instead). Apparently I was wrong. Surveillance capitalism, indeed!
NB: I don't have an issue with user data being mined for things like market research if it's a situation where the product is free and users can be easily made aware of it. But I find it dishonest if the company mining that data is doing so without direct user consent, or in a "backdoored" manner using their status as a downstream client's "affiliate" for T&C purposes.
I know B2C companies like Mint do this as well, and I don't have an issue with user data being used for market research. But it seemed underhanded since most customers aren't aware of it. If you use Mint you can read their T&C and understand your data is mined. But Plaid is not sold to users, it's sold to companies. So end users of a completely different company which simply uses Plaid for account verification would be implicitly volunteering their data.
The other thing that bothered me is that companies which have valid reasons for not wanting to develop API integrations for Plaid would be strong armed into doing so once Plaid had acquired a critical mass of their users using the methods I helped them develop.
I know this isn't the point of the thread, but I couldn't help myself. I will ask for forgiveness (as I am sure we have all done in both technical and ethical matters)
See, this data is not difficult to obtain if you're operating in an ethical manner.
You can't do ethical analysis of data obtained in an unethical fashion. Fruit of the poisoned tree and all that. I guess it worked for radiologists after nazi germany however...
> Please don't comment about the voting on comments. It never does any good, and it makes boring reading.
https://news.ycombinator.com/newsguidelines.html
I created a cool little easer egg where if you clicked in the bottom left corner of the browser window and dragged in a circle, the site would flip upside down. A coworker and I also photoshopped some of the client's imagery that was used on the site and hosted it on another domain. If you typed a variation of the Konami code while on the site, the images would be replaced with our meme-ified versions of their imagery. Even if we had a code review process, none of my coworkers would have even noticed that little bit of extra code in the mess of jQuery spaghetti that was their codebase.
Could you explain this position? (Honestly asking.)
It's sure not great if you want people to come back to your site, but it's not morally bankrupt.
That's where you're wrong, kiddo. There's laws now.
Circumvented browser features to force autoplay on videos with high volume on our websites. While not a morally bankrupt thing to do especially compared to some of the other examples, we all felt dirty doing it.
There's no information about the size of the company there. I replied to a comment that said there are no relevant laws and suggested that that person check out the ADA. The ADA might be relevant.
Either way, it doesn't exist any more and if you were ever bothered by it (I apologize), there are no over-arching effects that you have to worry about.
Metricitisis is a major management disease of our times and neither corporate, nor government nor nonprofits are safe from missing the point completely in the quest for meeting irrelevant metrics so they can say they are a good manager.
I worked once for a small company that had a social media marketing side (separate from what I did for them, but we sat in the same open space). From what I've observed, the social media marketing business mostly boiled down to our people writing reports which shown nicely growing metrics to customers who then happily paid. The metrics might or might not have been correlated with any real-world increase in profits, and really neither side understood any of that. But it looked believable, so customers paid.
I suspect a lot of that is happening in adtech these days - people with no understanding of statistics bullshitting each other with pretty charts.
That just sends me stampeding for the [X] on the tab button all the faster.
Most of the crypto workers I've met in the last six months have been mostly freshly minted MBAs or marketing people with tons of money to burn.
E.g. at a contractor company, a client wanted to lease 5 developers for a project. We didn't have enough free developers, so they assigned a single guy to the project, who was making commits from 5 different accounts. The client was paying for 5 devs of course.
There was also a client who was building slot machines, and we wrote the software for it. We ran experiments to figure out the best way to rip off gambling addicts.
The first company I worked for took EU innovation grants and when the deadline came, they simply copied their existing product, replaced the logo and showcased it as something they used the grant for.
Probably pre checking one of those cookie policy checkboxes or what not. Wasn't too happy about that, especially when the software used removed the feature before for exactly the reason you may expect.
I also previously used a mod to read personal messages on a forum once, though that's one of those things which is heavily, heavily debated about on community management sites, with about half the audience saying its an unethical breach of privacy and the other half saying either that it's their site and property deal with it or that it's a good way to stop poaching and abusers.
But that one wasn't exactly coded by myself, so eh, it's an edge case for this question.
So probably a tie between those two, depending on what you count by 'as a programmer'. Fortunately, everything else I've been asked to do in my career has been pretty normal/ethical.
1. I know the guy who, pre-Snowden, actually designed many of the pieces of network gear needed for the dragnet. His perspective was basically: Yes it's wrong, but what do I know? I just design electronic circuits.
2. Same guy also mentioned how at another company he worked at they used DNS tricks to exfiltrate data out of their enterprise clients. Nothing crazy, mostly just analytics to aid in things like product design. They got caught though. First Intel went out, then a couple hours later 4 other big tech companies (including Apple and Microsoft). Then a huge swath of devices stopped reporting. They got acquired shortly afterwards for a large, but sub-billion dollar amount.
3. I know a couple people that crack into devices and sell the 0days to the highest bidder. I consider this practice for anything cyber-physical (self-driving cars, etc) to be so unreasonably unethical that it should be against international law. It's one thing to sell these things to an allied government, it's quite another to have them on the open market.
This outlook, along with "well if I don't do it someone else will anyway", is why tech workers are quickly becoming the new bankers in the view of the public.
Which really annoys me, because while moral indifference of some tech workers is wrong, there are still the business guys actually giving the immoral orders. Those are conveniently forgotten in the new narrative.
People are people and this "oh the business guys are the bad ones, not poor little programmer making $200k/yr implementing business guy's idea" mindset is odd.
EDIT: I don't expect to receive an answer to this (and that's fine), but I'll give more color to my guess. Meraki had a side venture in internet connectivity-enabled location analytics which was more profitable than its actual router sales. This is one of the reasons why its acquisition price was so high. It has since contributed to a location analytics service within Cisco.
In case anyone wonders, this is why so many engineering schools are increasing their focus on teaching ethics.
Honest question...why?
The result/intent seems the same whether done by a state or nonstate actor. In fact a state actor seems more likely to use it because of a greater feeling of moral justification.
2) The US drone program regularly targets first aid personnel and rescuers.[0]
[0] https://www.thebureauinvestigates.com/stories/2012-02-04/cia...