IT and Ethics. March 18, 2008

Call it what you will: Black hat, bad, abusive, evil, wrong, illegal. There are many things that are greatly looked down upon in the online world of the internets. Some things are outright illegal, and others just annoying. In my 10 or so years of being in IT I’ve only had to outright refuse one request from an employer. I was fortunate in that the combination of my prior performance/attitude outweighed the importance of the requested action. On many other occasions I’ve won at talking the company out of the action or modifying the request so that it met my standards.

You’d think that the actions that are outright illegal wouldn’t come up often… but one specific request comes up very often, especially in small businesses.

Manager: “Please install photoshop on Chuck’s computer.”
You: “We don’t have any more licenses for photoshop.”
Manager: “It’s important that he has it, install it anyway. We’ll get a PO started to get a new license asap.”

And you know that PO never gets started. So what do you do? Let it slide and install software illegally?

Other non-illegal things can come up too. The most common one for me is bulk email. You get sent an email template and a mysterious list of email addresses and are told to send it to all on the list. The email has no information about why they are on the list and has no clear and visible means of opting-out of future emails. I always stress really hard that all bulk emails should be can-spam act compliant. Particularly in these areas:

1. Double opt-in lists ONLY. No buying lists. No collecting random email addresses from lists at trade shows. Only use double opt-in.
2. Provide a very clear and visible message explaining why they just received the email.
3. Provide a very clear and very easy to use method for opting-out of future emails.
4. Process your bounces!

But often most/all of these demands are responded with, “No, we don’t need that. Just send the bulk email out.”

I’ve also been requested to scrape content from sites and publish it as our own. I’ve been asked to write a denial of service tool. I don’t know where all these ideas come from, but somehow such requests do come up in small companies.

So where do you draw the line? When is putting your job at risk worth saying “no” to something that’s not illegal but isn’t ethical either? I have given in on several occasions and not followed my standards 100%. And in retrospect I still believe I’d do it again if I were in the same situation.

I don’t know what my criteria is for when it’s OK to compromise your standards… I don’t think I could adequately put it in to words. It greatly depends on what you’re being asked of and where you are in your life. Fortunately it doesn’t come up often at all. With the more experience you have and the more trust your employer has in you, it comes up even less often. If your employee trusts you, and values your opinion, then it’s a lot easier to come to a compromise where you’re happy with the action and they’re happy with the action.

When trying to argue for doing the action in an ethical way, the greatest argument I have found is image. Sending bulk email to random lists of random email addresses without proper opt-out rules or bounce handling is similar to a certain governor who preaches cleaning up all the dirt getting caught being involved in a prostitute ring. Well, maybe not to that extent, but send enough bulk email in this way and it could really taint the company’s name. This argument can be used with just about any request to do something in an unethical way.

Other arguments greatly depend on the task requested. Perhaps mention that you could be included in the spamhaus blacklist. Then almost no email server will give you the time of day, even for corporate emails. Or bring up a horror story of Microsoft auditing your small business because they got an “anonymous” tip that they were breaking license agreements.

So, what do you do when you’re asked to do some IT related task that doesn’t meet your ethical standards?