Sarthak Sharma

If this happens, will you be loyal or ethical?

Well, privacy is the big thing in the industry right now. People have started caring about it and are becoming more aware of how their data is being used. New companies with more transparent data policies are coming forward, but that's not enough. Most big companies we know still store alarmingly high amounts of user data, with or without our consent. Because let's admit it, most people don't read those long T&C documents.
So let’s say, the company where you work as a dev is doing something similar, and you are the one who is supposed to write such a module. What would you do?

Latest comments (36)

Mihail Malo

What unethical thing could possibly happen at a bank?! O.o

Mike Rispoli

Thankfully I'm not in this position, but if I were I would plead my case to the higher powers to try to make a convincing argument to create value without the security or privacy risks.

Now, let's say that failed and now we're in the sprint where this module has to be written. Single me probably would quit and look for a new job. Married with children me does not have such a luxury. Even though the job market for developers is great, it's still not easy. Let's be real, even an experienced developer has to do serious refreshers to pass some of these interviews. There's also tons of crappy companies out there to sift through. So I would likely have to continue doing my work until I found a new job at which point I'd be free to blow the whistle. I wouldn't be able to quit on the spot though. I think the ease of getting a senior level developer job is not quite as easy as people make it sound in bootcamp advertisements.

Sarthak Sharma

I understand your point also, man. Clearly it’s a problem. But what if there is a way to keep your job as well as do good for the world? By blowing the whistle anonymously. 😈

Craig Nicol (he/him)

I've been in similar situations in the past and my first reaction is to ask why. Often someone will have an idea without considering the security, privacy or other ethical considerations, and on closer examination will adapt or drop their proposal.

If that's not enough, refuse to do it unless there's protection in writing - a clear change to the privacy policy, very clear opt-in within the app. If you don't get that, don't write it because those decisions aren't yours to make.

Disclaimer: I live in the EU so I do have legal obligations under the GDPR which make this easier for me. The quickest way to shut down a conversation is to ask "is this GDPR compliant?". Outside the EU, it's worth reminding your employer what Apple did when they found policy violations in apps from Facebook and Google and killed their certs, stopping all their apps from working.

Ross Henderson

Being in the UK, and still under GDPR (for now), both companies I've worked for during this period have taken GDPR incredibly seriously. Thankfully the punishment is so severe that I imagine a large number of companies are scared of it.

But if they weren't, I'd certainly look for another job and likely anonymously report them.

Sarthak Sharma

That’s bold man. 😊

Peter Harrison

I think this presumes a developer knows the law around privacy. I have a passing familiarity with the privacy act in New Zealand, and so I know that collecting data that isn't necessary to do business isn't legitimate, but that is a pretty wide definition.

Generally you will be given a specification and it is up to the company to determine the legal implications in detail.

However, if you are asked to do something you are aware is illegal, don't do it. Sometimes it isn't illegal but just very ill-advised. For example, when you are given a requirement which is very difficult to do in a secure way but easy to do by 'relaxing' security.

In such situations you need to make it clear to the management what the problem is, what the risks are, and have them make the decision. Clients have asked me to do some ill-advised things sometimes. I've always been direct in my communications and usually they reconsider.

Not everything needs to be built like Fort Knox, but certainly weight needs to be given when you are storing critical or confidential data. Sometimes having the client take explicit responsibility for a decision is needed. On one occasion I walked away from a project rather than be implicated in what might follow.

The real question is what happens when the data becomes of interest to law enforcement in a criminal case. That gets interesting from an integrity point of view.

Sarthak Sharma

I think that’s the reason governments also try to be soft in making these laws. After all, it’s the easiest way to track people for them.

DrBearhands

Ethical.
Anybody "loyal", or as I call it, a brown-nosing egotistical dimwit, should be prosecuted. In fact I think my local law has provisions for employee responsibility. You are at least required to point out security issues to your employer.

Sarthak Sharma

Oh that’s cool, where are you from? 😮

DrBearhands

I'd rather not disclose that, but GDPR mentions employee responsibility

[...] inform and advise [...] the employees who carry out processing of their obligations [...]

So employees have obligations.

Sarthak Sharma

That’s good.

Sarthak Sharma

😂😂

Jen Chan

I suspect this kind of thing already happens... ?

The ethical route would be to provide users with informed choice...? (aka a modal or question about allowing push-notifications or microphone access)

But I guess the design decisions in the case of a crazy scenario would already be made... :(

Sarthak Sharma

I know 🙁 but change can be made anytime.

Scot McSweeney-Roberts

Is there anything I'm legally liable for?

Mihail Malo

For me, there is a huge divide between:

  1. Keeping data you were given:
    • storing all user activities
    • keeping content that they "deleted" and can't access themselves
    • tracking users on other domains via embeds
    • just trading data with other services
  2. Obtaining more data unethically:
    • Plain old violating agreements, especially informal ones. I don't care what the T&C says, if the front page says "Your X data never leaves your device" without an asterisk, it better not leave my damn device.
    • Something like what @niorad got as a response, turning on the microphone when not in use. Ditto with camera/location.
    • Searching the user's media and files from other applications.

I think the first kind should not face any prosecution. It's the default. How dare you lose your company data that they could analyse? It's simply not your call as the designer of the product.
It's one of the reasons we use patterns such as Event Sourcing - to avoid losing potentially valuable data.

The second kind is definitely fraud and should be dealt with at technical, societal, and legal levels with extreme prejudice.

Finally, there are provisions in, for example, the GDPR (Ew, disgusting.) other than consent/privacy, such as that the users must be able to download their data. I don't think this should be a legal requirement, but I do think this is a nice-to-have, and the market will reward a feature like that when it's convenient.