Thursday, March 27, 2008

U.S. Patriot Act causes ethical concerns for software developers

Here's the topic from the third paper:

“Pick an example from Chapter 2 or 5 and show if the people who built the software acted ethically according to Appendix A and your general sense of ethics.”

It occurs to me that I haven't noted which textbook we are using. It is A Gift of Fire, by Sara Baase, Third Edition.

Here's my paper. I tried not to include too much reference to the book, but it was needed for this assignment.

A good example of software that has been built upon questionable ethics is the software and procedures that the government uses to obtain personal information about suspected criminals.[1] “The U.S. Patriot Act, passed in the weeks after the September, 2001, terrorist attacks in the United States, gives authorities the means to secretly view personal data held by U.S. Organizations” from the article Patriot Act haunts Google service on This law conflicts with many other governments' privacy laws, which require organizations to protect all private information, and also require that the consumer be informed when this information is obtained, regardless of the process, by a third party. According to the Software Engineering Code of Ethics and Professional Practice (Version 5.2), section 1.04, software engineers shall, as appropriate, “Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.” It is my argument that the U.S. Patriot Act causes the potential threat of private data being obtained by an outside party, in this case the U.S. government, and that this causes an ethical dilemma for software developers, specifically in the U.S.

Some people have recently noted effects of the law. In the recent article posted on, and also covered on, there is a discussion of how the U.S. Patriot Act affects the use of Gmail, specifically in countries outside of the U.S. The information obtained by Google when a user uses Gmail can legally be reviewed by the U.S. government under loose controls. Not only is the ethicalness of the U.S. Patriot Act in regard to privacy put into question, but the Act also causes an ethical dilemma for software developers. If the government can obtain personal information about someone without a warrant, is it ethical for a software company to keep data about you without informing you of the potential breach of privacy? A well-defined privacy policy such as Google's is likely to provide a clause for this situation, such as “We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.” It is my opinion that privacy policies are created to protect the organization, instead of to protect the end user.

Many people would argue that the privacy policy is a solution to the ethical issues presented here, but I do not think that it provides a full solution. The majority of users will never read a privacy policy, and of those that do, many will not understand its complete implications. It's likely the privacy policy misses some small detail that is important to the user, or some situation that the writer completely overlooked. It would be nearly impossible for the writer to know the complete set of laws that govern their organization, especially with the recent globalization of Internet-based companies. How far do you have to go in informing the end user of possible dangers of using the service for you to have done what can be considered ethical?

Unfortunately, I don't have a solution to this problem. Ethical guidelines dictate that you should inform the end user of all potential danger to them, and breaches of privacy clearly fall in this category. However, “because no matter what promises companies make (or what privacy laws Congress might enact), data leaks happen,” so maybe that should be taken into account when writing up a privacy policy. If there is a distinct possibility of a third party obtaining a user's personal data without the permission of that user, the software developer should make this information apparent to all of its users. It doesn't matter if the third party is a government or someone malicious looking to steal your identity; it still constitutes a breach of privacy, and the user needs to be informed.


Amma said...

People should read this.

Ryan Svoboda said...

Thanks Amma, I think so too :)