Coding Ethics

[Iamred1]

Not trying to start a big flame here, but with the partial theft of source code for windows out on the street I was wondering how company's that hire software engineers keep that information tightly within the company? Are you allowed to work with all aspects of that high end activity, or are the direct employees the only ones that get to view the whole picture? When working for aerospace company's, I usually have to sign an nondisclosure agreement concerning proprietary info, going outside the doors. However that is usually a formality since there really is nothing the competition doesn't already know. It looks as though the source code would be closely "watched".

[The Gorn]

Companies try to pretend that they can control the source code. Sometimes, internal development LANs are disconnected from the internet. And yes, non-disclosure contracts are de rigeur for contract software developers and FTEs of software development organizations.

Generally, FTEs sign agreements that give their employer work-to-hire ownership of anything they do on their employer's time (and sometimes, anything they do *period* while they're employed.)

Basically, the enforcement mechanism is tacit trust combined with the implied threat of legal action, more than it is any specific security measures. Obviously this can be quite leaky.

I mean, we're talking files of plain old unencrypted text, and in this era of email attachments, keyring USB drives, etc, just  how 'secure' can physical plant security get w/o monitoring employees every second they are at work?

[TRexx]

Almost every one of my clients has asked me to sign a non-disclosure agreement. Usually the stuff I have access to isnt really confidential, but on a few occasions I have been privy to unannounced products or proprietary programs.   In those cases the confidential stuff was tightly controlled  locked rooms, no remote access, etc.

Back in the 80s I remember interviewing a programmer who worked for Syncsort.  She told me that the actual sorting algorithm was only known to a few people, but other parts of the product, such as the I/O routines she worked on were pretty much open to everyone on the project.      

[A Murricun]

Quote:Not trying to start a big flame

Glad to hear that!

Your post is not really about ethics, but about enforcement of confidentiality.

Truth is that very few software ideas are original, or not easily and legally replicated.

There are business secrets, like the Coca-Cola formula, the Bush's Beans recipe, KFC's "eleven herbs and spices", or the SyncSort algorithms.  And those companies guard them well.

It still pays most companies to make a big deal about their source code and other "trade secrets" while shoving intimidating documents under employees' and contractors' noses, just because most people will at least disguise their use or disclosure of information they acquire during employment or a contract, if not avoid using it altogether.  Even though it's largely unenforceable.

[David Cressey]

You ask a very interesting question.  I'm going to suggest that there are both contracturally binding agreements here,  and professional ethics.  That is, the ethical professional will not do certain things, even if the other party signed a contract that does not forbid them.

Back when I was consulting, I often appeared in the role of "visiting database expert".  As such, I had direct access to live company confidential data.  If you think "company software" is proprietary,  well that goes double for data.  Try the names and credit card numbers of everybody that flew on a certain airline.  Or the names of everybody that watched porn on pay per view.  Or the release schedule for a company's future products.  

Well, I sometimes viewed this stuff before I had signed anything in the way of non disclosure.  But, like a lawyer follows a certain "canon of ethics", and won't use what's  between you and your lawyer to your detriment,  a "database guy" has to develop a certain "canon of ethics",  about what part of the customer's stuff is privileged,  even if the customer doesn't specifically assert it.

This is probably less true for SW engineers,  but there is a cetain area where it's still true.

And, as ethics usually are,  there's a "gray zone" between the black and the white.  

[A Murricun]

This is slightly off-topic.

A few years ago on RR, there was a lively (read heavy flamage) thread on using confidential information that came to one's attention in the course of a gig.

Now, it's definitely bad, IMO, to disclose or use a client's data, like credit cards.  In fact, it could be criminal.

OTOH, and this was my example, it is good business to use information about your own contract, even if you came upon it accidentally.  As I was retreiving copy from the network printer, a page with my name in caps was on top of the heap, spelling out my rate (I knew that already), and also the exact amount of my budgeted hours and the fact that there would be no extension.  

Well, I was roundly flamed on RR for admitting to reading that.  I was supposed to ignore it even though it directly concened me.  My counter was that if client was serious about my not seeing it, they would have taken steps to hide it or at least not leave it lying in a public place.  And since it had my name on it, I would have to read enough to see in what way it did or did not "concern" me.

A lot of confidential information gets disclosed in just that way.  Documents lying about in a common area near faxes and printers are just waiting for "unauthorized" reading, but if it's just lying there, who's to stop you?

[A Murricun]

Another example:

I was the SAS/RAMIS guru to a bunch of HR "analysts", one of whom asked me to give her a count of employees by pay grade.  My first pass produced a nice detail line of grade, high end, low end and count.  Except for this one guy who was below the minimum of his pay grade.  

This couldn't be correct, but I was using a snapshot of the most recent pay period, so it had to be.  One of the constraints I worked under was never to produce any report that identified an individual employee, so I couldn't just select his pay record.  But by narrowing it down to department, gender, and some other specifics, I looked up and it was the guy sitting next to me!  Next stop, shredder.  Poor schmo!

And no, I didn't even point out the anomaly to the analyst, and she didn't ask.

[Iamred1]

thanks for the input, kinda scary when a laymen starts to consider the possible implications, the country's  defense, identity theft etc.

[David Cressey]

It's very scary.

In my lifetime,  lawyers have gone from a noble profession,  the kind of people everyone can admire,  from Clarence Darrow to Perry Mason,  all the way down to  calling 10,000 lawyers at the bottom of San Francisco Bay "a good start".

I think that,  even more than the body of laws that supports a free people,  the canons of ethics by which people regulate themselves are the basis of civilization.  And it's important that EVERYBODY does the right thing.  And that they do it even when nobody's watching.

If you're an accountant working for the union pension fund,  don't divert some investment money to your brother in law's startup business.  And if you work at McDonald's, and a burger falls on the floor,  don't slide it back into the bun.  If you're a laywer, don't break the law.  If you're a doctor,  don't make people sick.  If you're an athlete, don't take steroids.

And if you work in cybernetics  (the field of communication and control),  use your power wisely and ethically.  

There will be some crooks among us.  But if we all start imitating the worst among us,  we're doomed.

[Iamred1]

and if your a priest, leave the boys alone.

www.boston.com/news/natio...s_accused/  

[David Cressey]

Even if you're not.