I have been told many times in recent months, in a variety of contexts, that software developers do not need a code of ethics. I don't believe this to be the case, but upon investigation, it seems like very little effort has gone into understanding the unique properties of software and developing a consistent system of ethics or morality related to both software and information.
A great deal of effort has been put into maintaining a rather misguided status-quo by people who stand to lose a lot of money if things change; namely, the Business Software Alliance, the Motion Picture Association of America, and the Recording Industry Association of America.
A near equal amount of effort -- perhaps even more -- has been (albeit less efficiently and effectively) devoted to convincing the public that the ability to copy and modify software with no restrictions is a natural right, by the Free Software Foundation and others. I believe this is also a flawed argument, although in a more subtle sense.
However, nearly no discussion has arisen about what is required of us who create software -- for fun, or for profit -- and what impact our actions have on the world around us.
This is a discussion of ethics, but given the current litigious climate in the software industry, it is difficult to refrain from mentioning laws. In this article, I criticize many current industry practices and laws. While I break with conventions when possible, I do not break any of these laws, nor do I advocate that you do so. This is for one simple reason -- I do not want to go to jail, and I don't think you should either. The United States government and other governments under the auspices of the World Intellectual Property Organization form a fearsome and powerful entity that should not be challenged directly. We are still lucky enough to have some say in that process, at least nominally, so I try to participate through what remains of our democratic system, and through advocacy; not by breaking the law.
We need a framework for ethics in software development. The necessity for ethical practice extends to development outside of safety-critical systems, and in fact, is a more complex problem outside of such systems, when we do not have the metric of the loss of human life to make the questions starker and simpler.
Information is not a physical object, and does not adhere to the same rules that make sense for physical property. This is not to say that information follows no rules, but that there is a necessity to ask questions about what makes it different before we can understand the rules it follows.
There is a wealth of information about ethics relating to information present in the traditions of academia. This information has largely been ignored because of the shift of software from academia and government to commerce. Perhaps the lack of respect for academia endemic in American culture also contributes to this ignorance, but that is a different discussion.
Software is a form of expression, and can contain both entertainment and commentary on society, politics, and economics. Software may, in fact, be the ultimate form of expression, since it is expression which is able to re-express itself. This is true to varying degrees for different kind of software; but the fundamental act of expressing an idea is present in the medium of software, and should therefore be protected.
While the term "engineering" may apply to the development of a very narrow range of software, its use to describe software development in general is mere sophistry. A novelist does not, for example, engage in "narrative engineering"; he writes stories. The primary difference between engineering and software is the fact that in software, the plans are the product. The process of "manufacturing" a software "product" is completely automated, and more often than not, 100% free. The developer merely feeds their source code to a compiler, and the compiler produces output, which can then be copied. It is, in fact, this ease of production which creates a problematic environment for commercial software authors to distribute their works.
Both of these terms seem designed to confuse the idea of software as a physical object. "Software Piracy" equates the act of illegally copying a disk in private with murdering traders in the middle of the ocean with no one to come to their rescue. Even if you do believe that copying software without the author's permission is wrong, it is clearly a far, far different thing than mass murder.
So now, without further ado...
The normal starting place for discussions about software is copyright law. Why should this be so? Copyright law provides us with a system of government-enforced business practices designed for the technology of publishing in the 15th century. Our present system of copyright, patent, and intellectual property law is not based upon fundamental rights of the artist, but artificially created "rights" designed to "promote the progress of science and the useful arts.".
Let's assume, for the sake of argument, that I like high-brow literature and I don't like pulp fiction. Does this give me the moral authority to legislate that there be a national review board to evaluate and burn all poor-quality books, or subsidize writers, to "promote the progress of writing and quality literature"? Assuming such laws exist, do they genuinely validate my position?
There may be legitimate reasons why the government constructed these laws, but the fact that the laws exist does not prove their worth, or give us a legitimate basis for constructing an ethical system. Even their effectiveness at their stated purpose -- promoting science and the useful arts -- has been dubious in recent years. The public domain is a commons from which new intellectual endeavors must draw, in order to create new applications of old ideas, and our current system of intellectual property is jeopardizing it.
This argument has been repeated many times in the past, so I will not overstate it; but it should also be noted that copying information does not harm the author. Stealing a physical object removes it from its owners possession, diminishing its owner by its value; creating "damages", in a legal sense, of that amount. Copying information creates no void, but only increases the amount of total value; the information may simultaneously enrich both its owner and the recipient of the copy.
One often-neglected dimension to this train of reasoning is the concept of detecting the damages inflicted by copying vs. genuine theft. When an object is stolen, the owner can verify that damages have occurred by looking only at their own possessions, requiring no violation of a suspected thief's privacy before some evidence of the theft can be produced. However, in order to investigate the copying of information, one must first violate the privacy of the suspect in order to locate illegal copies, or entrap her by enticing her to make illegal copies of the software for an enforcer of the law. With the advent of the Internet, software may attempt to be a virtual stool pigeon for its own copying; the author has the ability to create self-monitoring software which can report where and when it is being run. This violates the trust of the user of that software by creating unexpected behavior, which I will discuss later.
The right to profit from every copy of a work produced is also problematic because it grants the producers of intellectual property a huge, unfair advantage over their physical counterparts. When one produces a work of literature, one does all the work necessary before the first copy is produced; and as the author (not the operator of the printing press!) no work is necessary beyond promoting and advertising the book. All copies sold are "passive" income. When one builds a tractor, however, once the tractor is sold, the only way to make more money is to build another tractor (do more work); a tractor manufacturer is not allowed to require that the when the machine is re-sold the purchaser pay the manufacturer and not the current owner. Why should creators of intellectual property be entitled to get paid for it an infinite number of times when a real manufacturer is only entitled to get paid once?
So what rights does this leave me with, as the hapless author of some blob of information on the Internet? First, I'll review the rights which I claim I do not have:
It would be wrong to invade the privacy or betray the trust of my readers; so I do not have any mechanism through which I could enforce this right.
Plenty of other professions have been superseded by technological advancements; there isn't much call for horse-and-buggy manufacturers any more, for example. Maybe, although people want to copy it for fun, my information simply has no economic worth.
Without the ability to modify new ideas, the commons of the public domain would dry up, and "knowledge workers" would have nothing to do but wage a constant, pitched legal battle over the use of existing patents and copyrights.
Looking at this list, the situation seems pretty bleak; I might as well not submit any information to the world, if I can't benefit from it in any way. However, there are two rights; one mine, and one the public's; that I can still exploit for personal gain.
This extends to the right to secrecy. No-one can break into my home and steal my furniture; neither can they break into my home to take my computer or my papers.
As a corollary, if I want to impel a customer who receives the information that I provide not to share it, I can do this the same way that I would protect my business in other ways -- a contract. This contract would have to carefully spell out my intent to secrecy, and specify explicit terms for severing the contract; the customer would have to understand what rights they are giving up when they sign it.
Additionally -- as a software company, I don't have to publish my source code along with my object code; I can't prevent my users from copying the binaries, but I am under no obligation to provide them with the source code if I don't feel like it. (Why I think this is a bad idea is addressed below.)
This is the basis of academic honesty. While BSA campaigns will often make reference to plagiarism, it is important to note that plagiarism is not the copying of another academic work; it is the copying of that work combined with the claim that it is original. I, as the author of a piece of information, have the right to request that my name be associated with the work, and that modifications to it be clearly marked. To do otherwise would essentially constitute fraud on the part of the copier.
Much of the ethics of other professions (Medicine, Engineering) is based primarily on assigning blame when things go wrong. Part of the problem with developing ethics in software development is that there are still significant technical challenges involved in assigning blame at all in software; all known solutions to these problems require software to be written according to different rules than are currently common practice in the industry. If a programmer makes an error, it is very difficult (especially without the presence of source code) to determine whether the error was really the fault of the application, the operating system, or a library in use by the application. This usually puts potential sources of blame in 5 or 6 different places; a legal rats-nest to untangle. Hence the extremely lenient warranty practices common in the software industry. ("This software comes with no warranty, expressed or implied, including, but not limited to the implied warranty of merchantability or fitness for a particular purpose.")
There is another problem with determining blame when a piece of software fails. What constitutes failure? Given that hardware failure is orders of magnitude less frequent than software failure, it's not that the program is doing something that it isn't written to do, it's doing something that someone didn't expect it to do. In this case, whose expectations matter? I believe that it is paramount that the user's expectations are the ones that are important, and that this has a significant impact on the way that software is written and sold.
When a person gets behind the wheel of a car, they take responsibility for what that car does on the road. If they kill someone with the car, it is their responsibility; if they wreck the car, they have to repair it. In other words, the car is not an independent agent; it is an agent on behalf of the driver, carrying out the driver's instructions to the (possibly fatal) letter.
Why do car companies let this happen? It is probably not an unsolvable problem to produce cars that had features which would correct the driver's maneuvering in dangerous situations; measuring the distance from other cars, the slickness of the road, etc. Instead, car manufacturers prefer to produce safety features that make the tracking of the driver's desires much more precise -- anti-lock brakes, balancing drive-trains, and transmissions that shift at the right times.
Car companies don't try to make the car guess what it should do, because if it guessed wrong, you could sue them for lots of money, and they might even go to jail. This does hamper the possible business opportunities available to car manufacturers; for example, your car can't automatically pull into every McDonald's drive-thru that you pass on the road. Despite this blow to American commerce, we nevertheless consider it a good idea that your car wouldn't accidentally kill you by turning into oncoming traffic, trying to get you a cup of coffee.
Software vendors, however, fall under no such pressure. Not only are they not required to be liable for their products, they are apparently allowed to blatantly lie about that liability. For example, Microsoft claims in their Windows XP Activation overview:
Authentic Microsoft software assures you of high-quality, virus-free software. Pirated software does not.I am not a user of Microsoft software, so I can't comment on whether or not their software is actually high-quality or virus-free with any great confidence. Nor do I intend to single them out, since this practice is completely standard across all companies in the software industry; breaks with this tradition are sufficiently rare that I have never heard of one. However, I have read their licensing agreements, and it is quite clear that nowhere do they actually assure the user of anything at all, including the fact that the software will even install in the first place, let alone function in a "high-quality, virus free" manner.
Let's take a step away from what should be strictly required by law. What does this mean for what's good and bad in software? A good program makes the user responsible for its mistakes, by allowing the user to clearly understand what they are causing the program to do. To extend the analogy to driving: the user is also responsible for reading the documentation for the program, to understand the ramifications of their actions; ignorance of the software's functionality does not shift the blame to the developer.
Outside this metaphor, though, what makes this important for software specifically? Again, the crime of fraud. On the Internet, one can't see a user's intent; only a computer's actions. Other programmers that are communicating with your software must assume that it is doing what the user asked it to; without this assumption, it would be impossible to create applications that involved commerce, or even expression. Would you want to use an e-mail program that would sometimes send e-mails about you or your friends to random people on the Internet? If not that, would you want to use a program that sent market data on you to be collected without your consent?
As computers increasingly become augmentations for the mind, it becomes more and more frightening that our minds might be subverted without our knowledge or consent. It is therefore very important for software developers to create software that does what the user wants it to do, on both a technical and philosophical level.
Another common practice in the software industry combines with this one to create yet another problem. Normally, commercial software vendors do not provide the source code to their applications or systems. Without providing their source code -- a description of the programmers' intent in very precise language -- it is impossible for a third party to verify that the software does what it is advertised to do. It becomes not only discouraged, but near technically impossible to assign blame when a failure occurs. In fact, under the DMCA, it is illegal to do such verification, as reverse-engineering of software can constitute circumvention of copy-protection technology.
There are a number of possible solutions to this problem. Unfortunately, none are feasible under current law. One possible compromise takes the Patent and Trademark Office as an example; inventors are forced to disclose their designs in order to receive government protection for their use. Why are software vendors, then, automatically granted that not-so-temporary monopoly?
A curious thing about the nature of software is that programmers can attempt to force their users to pay for it, by making it refuse to work until they present some token that they have done so. Despite the fact that this was never attempted by paper publishers, even long after the advent of the paper copier, it is a persistent convention in commercial software today.
When a program prompts for a licensing agreement or a registration code -- especially one that will be registered with a central server online -- it is violating the user's desires. When I start an accounting program, I want to do my accounting, not report myself as a statistic to the vendor of accounting software. This practice is less insidious that many others which software can do behind our backs, but it is nevertheless unintended and can have unpleasant side-effects.
Consider that a user might have to use your accounting program in an emergency. It is a late winter night, and our hypothetical elderly user is awake after a thunderstorm which crashed their operating system (accidentally corrupting the registration file for your program) and damaged and the central heating system in their home, and they need to pay their credit card bill in order to have sufficient funds to afford an emergency heater before their pipes freeze and burst. They can't find their CD case in the dark, and your friendly registration dialog won't let them into their own bank account! They probably won't die from this, but you can bet they won't buy your software next year.
This situation probably seems contrived, but it could happen. It probably has, at least once. You can't imagine all the bizarre situations that the user might want or need to use your program in, so don't try to second guess them! Make it do what they want, right away.
Users: Refuse to use applications which do not perform the functions that you request. Read the documentation to be sure that what you are "saying what you mean" to the program, and it can properly interpret your actions. Demand the source code to your applications, and pay to have them independently audited to verify that they're not doing anything dishonest behind the scenes. (If your software vendors aren't providing the code to you and they don't say why, maybe they have something to hide!)
Developers: Write programs that do exactly what users want. Don't try to trick or force your users into anything; the majority of them are honest people. Those who aren't will be dishonest with or without your help. Use the work of other developers and credit them, prominently, as you would in an academic work. If at all possible, provide your source code and be open and honest about the stability and quality of your software.
If you're a software developer or user who agrees with me and you read the previous section, you probably laughed. "Of course I would do that if I could, but that's not my decision! Agatha in Marketing would never go for it.". In my experience, marketing and/or purchasing executives are not all sub-human cretins; some are actually really cool people. Whether you agree with me or not: try to get on good terms with the decision-maker in your organization and engage her on these issues. Too often we assume that the marketing department will do the wrong thing simply because they're in marketing. This is the same as giving up our will to be independent people, and resigning ourselves to the whims of an irrational organization beyond our control.