Practical Software Engineering

Social, Ethical and Professional Issues

Using the new ACM code of ethics in decision making

Communications of the ACM, 36(2) 1993 pp.98-107.


Historically, professional associations have viewed codes of ethics as mechanisms to establish their status as a profession or as a means to regulate their membership and thereby convince the public that they deserve to be self-regulating.

Self-regulation depends on ways to deter unethical behavior of the members, and a code, combined with an ethics review board, was seen as the solution.

Codes of ethics have tended to list possible violations and threaten sanctions for such violations. ACM's first code, the Code of Professional Conduct, was adopted in 1972 and followed this model. The latest ACM code, the Code of Ethics and Professional Conduct, was adopted in 1992 and takes a new direction.

ACM and many other societies have had difficulties implementing an ethics review system and came to realize that self-regulation depends mostly on the consensus and commitment of its members to ethical behaviour.

The essential social function is to clarify and formally state those ethical requirements that are important to the group as a professional association.

A code of ethics holds the profession accountable to the public. This tends to yield a major payoff in terms of public trust.

To the extent that a code confers benefits on clients, it will help persuade the public that professionals are deserving of its confidence and respect, and of increased social and economic rewards.

The final and most important function of a code of ethics is its role as an aid to individual decision making.

Nine cases that call for ethical decision making

These cases address in turn the topics of: Case 1

Jean, a statistical database programmer, is trying to write a large statistical program needed by her company.

Programmers in this company are encouraged to write about their work and to publish their algorithms in professional journals.

After months of tedious programming, Jean has found herself stuck on several parts of the program. Her manager, not recognizing the complexity of the problem, wants the job completed within the next few days.

Not knowing how to solve the problems, Jean remembers that a coworker had given her source listings from his current work and from an early version of a commercial software package developed at another company.

On studying these programs, she sees two areas of code which could be directly incorporated into her own program.

She uses segments of code from both her coworker and the commercial software, but does not tell anyone or mention it in the documentation.

She completes the project and turns it in a day ahead of time.

Case 1: Intellectual Property

The Code addresses questions of intellectual property most explicitly in imperative 1.6: "Give proper credit for intellectual property . . . Specifically, one must not take credit for other's ideas or work . . ."

This ethical requirement extends the property rights principle ( 1.5) that explicitly mentions copyrights, patents, trade secrets and license agreements. These restrictions are grounded in integrity (1.3) and in the need to comply with existing laws (2.3).

Jean violated professional ethics in two areas:

failure to give credit for another's work and using code from a commercial package that presumably was copyrighted.

Suppose that Jean only looked at her coworker's source code for ideas and then completely wrote her own program; would she still have an obligation to give credit?

Yes, she should have acknowledged credit to her coworker in the documentation. There is a matter of professional discretion here, because if the use of another's intellectual material is truly trivial, then there probably is no need to give formal credit.

Jean's use of commercial software code was not appropriate because she should have checked to determine whether or not her company was authorized to use the source code before using it. Even though it is generally desirable to share and exchange intellectual materials, using bootlegged software is definitely a violation of the Code.

Case 2

Three years ago Diane started her own consulting business. She has been so successful that she now has several people working for her and many clients.

Their consulting work included advising on how to network microcomputers, designing database management systems, and advising about security.

Presently she is designing a database management system for the personnel office of a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system.

It is now time to make decisions about the kind and degree of security to build into the system.

Diane has described several options to the client.

Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. She believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.

With weak security, employees working on microcomputers may be able to figure out ways to get access to this data, not to mention the possibilities for on-line access from hackers.

Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree t hat less security will do.

What should she do? Should she refuse to build the system as they request?

Case 2: Privacy

In the Code of Ethics, principle number 1.7 deals with privacy and 1.8 with confidentiality. They are integrally related but the privacy principle here is the most explicit.

The Guidelines of the Code say that computer professionals are obligated to preserve the integrity of data about individuals "from unauthorized access or accidental disclosure to inappropriate individuals."

The Code also specifies that organizational leaders have obligations to "verify that systems are designed and implemented to protect personal privacy and enhance personal dignity" (3.5), and to assess the needs of all those affected by a system (3.4).

The company officials have an obligation to protect the privacy of their employees, and therefore should not accept inadequate security.

Diane's first obligation is to attempt to educate the company officials, which is implied by imperative 2.7 to promote "public understanding of computing and its consequences."

If that fails, then Diane needs to consider her contractual obligations as noted under imperative 2.6 on honoring assigned responsibilities.

We do not know the details of Diane's contract, but she may have to choose between her contract and her obligation to honor privacy and confidentiality.

Case 3

Max works in a large state department of alcoholism and drug abuse.

The agency administers programs for individuals with alcohol and drug problems, and maintains a huge database of information on the clients who use their services. .Some of the data files contain the names and current addresses of clients.

Max has been asked to take a look at the track records of the treatment programs. He is to put together a report that contains the number of clients seen in each program each month for the past five years, length of each client's treatment, number of clients who return after completion of a program, criminal histories of clients, and so on.

In order to put together this report, Max has been given access to all files in the agency's mainframe computer.

After assembling the data into a new file that includes the client names, he downloads it to the computer in his office.

Under pressure to get the report finished by the deadline, Max decides he will have to work at home over the weekend in order to finish on time. He copies the information onto several disks and takes them home. After finishing the report he leaves the disks at home and forgets about them .

Case 3: Confidentiality

This scenario resembles the previous one that dealt with privacy considerations. However, it raises several additional issues.

From the Code of Ethics, principles 1.7 on privacy and 1.8 on confidentiality apply.

Imperative 2.8 on constraining access to authorized situations is also central to a computer user's decisions in this type of situation. Additionally, the Code specifies that organizational leaders have obligations to "verify that systems are designed and implemented to protect personal privacy and enhance personal dignity," (3.5) and it also states that they should specify appropriate and authorized uses of an organization's resources (3.3).

The government agency should have had policies and procedures that protected the identity of its clients.

Max's relatives and friends might accidentally discover the files and inappropriately use the information to harm the reputation of the clients. The files that Max worked with for his report did not need to have any names or other information in the records that made it possible to easily identify individuals.

The agency should have removed the identifying information from the files it allowed Max to use. If that procedure had been followed, it would not have mattered that Max copied the file to his computer. Thus the organizational context created many ethical issues for Max, but unfortunately he was not attentive to these ethical issues ahead of time.

Case 4

A computer company is writing the first stage of a more efficient accounting system that will be used by the government. This system will save taxpayers a considerable amount of money every year.

A computer professional, who is asked to design the accounting system, assigns different parts of the system to her staff. One person is responsible for developing the reports; another is responsible for the internal processing; and a third for the user interface.

The manager is shown the system and agrees that it can do everything in the requirements. The system is installed, but the staff finds the interface so difficult to use that their complaints are heard by upper-level management.

Because of these complaints, upper-level management will not invest any more money in the development of the new accounting system and they go back to their original, more expensive system .

Case 4: Quality In Professional Work

The Code of Ethics advocates that computer professionals "strive to achieve the highest quality in both process and products" (2.1).

Imperative 3.4 elaborates that users and those affected by a system have their needs clearly articulated.

We presume that in this case the failure to deliver a quality product is directly attributable to a failure to follow a quality process. It is likely that most of the problems with this interface would have been discovered in a review process, either with peers or with users, which is promoted by imperative 2.4.

When harm results, in this case to taxpayers, the failure to implement a quality process becomes a clear violation of ethical behavior.

Case 5

In determining requirements for an information system to be used in an employment agency, the client explains that, when displaying applicants whose qualifications appear to match those required for a particular job, the names of white applicants are to be displayed ahead of those of nonwhite applicants, and names of male applicants are to be displayed ahead of those of female applicants.

According to the general moral imperative on fairness, an ACM member will be "fair and take action not to discriminate."

Case 5: Fairness and Discrimination

In this case the system designer is being asked to build a system that, it appears, will be used to favor white males and discriminate against non-whites and females.

It would seem that the system designer should not simply do what he or she is told but should point out the problematic nature of what is being requested and ask the client why this is being done.

Making this inquiry is consistent with 2.3 (to respect existing laws) and 2.5 (to give thorough evaluations) and 4.1 (to uphold and promote the Code of Ethics).

If the client concludes that he or she plans to use the information to favor white males, then the computer professional should refuse to build the system as proposed.

To go ahead and build the system would be a violation not only of 1.4 (fairness), but of 2.3 (respecting existing laws) and would be inconsistent with 1.1 (human well-being) and 1.2 (avoiding harm).

Case 6

A software development company has just produced a new software package that incorporates the new tax laws and figures taxes for both individuals and small businesses.

The president of the company knows that the program has a number of bugs.

He also believes the first firm to put this kind of software on the market is likely to capture the largest market share.

The company widely advertises the program. When the company actually ships a disk, it includes a disclaimer of responsibility for errors resulting from the use of the program.

The company expects it will receive a number of complaints, queries, and suggestions for modification.

The company plans to use these to make changes and eventually issue updated, improved, and debugged versions.

The president argues that this is general industry policy and that anyone who buys version 1.0 of a program knows this and will take proper precautions.

Because of bugs, a number of users filed incorrect tax returns and were penalized by the IRS.

Case 6: Liability for Unreliability

The software company, the president in particular, violated several tenets of the ACM code of ethics.

Since he was aware of bugs in the product, he did not strive to achieve the highest quality as called for by 2.1.

In failing to inform consumers about bugs in the system, principle 2.5 was also violated.

In this instance the risks to users are great in that they have to pay penalties for mistakes in their income tax which are the result of the program. Companies by law can make disclaimers only when they are "in good conscience." The disclaimer here might not meet this legal test, in which case imperative 2.3 would be violated.

As a leader in his organization the president is also violating 3.1, for he is not encouraging his staff to accept their social responsibilities.

Case 7

A small software company is working on an integrated inventory control system for a very large national shoe manufacturer. The system will gather sales information daily from shoe stores nationwide.

This information will be used by the accounting, shipping, and ordering departments to control all of the functions of this large corporation.

The inventory functions are critical to the smooth operation of this system.

Jane, a quality assurance engineer with the software company, suspects that the inventory functions of the system are not sufficiently tested, although they have passed all their contracted tests.

She is being pressured by her employers to sign off on the software.

Legally she is only required to perform those tests which had been agreed to in the original contract.

However, her considerable experience in software testing has led her to be concerned over risks of the system.

Her employers say they will go out of business if they do not deliver the software on time.

Jane contends if the inventory subsystem fails, it will significantly harm their client and its employees.

If the potential failure were to threaten lives, it would be clear to Jane that she should refuse to sign off. But since the degree of threatened harm is less, Jane is faced by a difficult moral decision.

Case 7: Software Risks

In the Code of Ethics, imperative 1.2 stresses the responsibility of the computing professional to avoid harm to others.

In addition, principle 1.1 requires concern for human well-being; 1.3 mandates professional integrity, and 2.1 defines quality as an ethical responsibility.

These principles may conflict with the agreements and commitments of an employee to the employer and client.

The ethical imperatives of the Code imply that Jane should not deliver a system she believes to be inferior, nor should she mislead the client about the quality of the product (1.3).

She should continue to test, but she has been told that her company will go out of business if she does not sign off on the system now.

At the very least the client should be informed about her reservations.

Case 8

A software consultant is negotiating a contract with a local community to design their traffic control system.

He recommends they select the TCS system out of several available systems on the market.

The consultant fails to mention that he is a major stockholder of the company producing TCS software.

Case 8: Conflicts of Interest

According to the Guidelines, imperative 2.5 means that computer professionals must "strive to be perceptive, thorough and objective when evaluating, recommending, and presenting system descriptions and alternatives."

It also says that imperative 1.3 implies a computer professional must be honest about "any circumstances that might lead to conflicts of interest." Because of the special skills held by computing professionals it is their responsibility to ensure that their clients are fully aware of their options and that professional recommendations are not modified for personal gain.

Case 9

Joe is working on a project for his computer science course. The instructor has allotted a fixed amount of computer time for this project.

Joe has run out of time, but he has not yet finished the project. The instructor cannot be reached.

Last year Joe worked as a student programmer for the campus computer center and is quite familiar with procedures to increase time allocations to accounts. Using what he learned last year, he is able to access the master account.

Then he gives himself additional time and finishes his project.

Case 9: Unauthorized Access

The imperative to honor property rights (1.5) has been violated.

This general, moral imperative leads to imperative 2.8, which specifies that ACM members should "access communication resources only when authorized to do so."

In violating 2.8 Joe also is violating the imperative to "know and respect existing laws" (2.3).

As a student member of the ACM he must follow the Code of Ethics even though he may not consider himself a computing professional.


These nine cases illustrate the broad range of issues a computer scientist may encounter in professional practice. While the ACM Code does not precisely prescribe what an individual must do in the situations described, it does identify some decisions as unacceptable.

Often in ethical decision making many factors have to be balanced. In such situations computer professionals have to choose among conflicting principles adhering to the spirit of the Code as much as to the letter.

The reader may wonder why we did not have a whistle-blowing case.

In a prototypical scenario, a professional has to take action which threatens the employer after concluding that the safety or well-being of some other group must take priority.

Three of our cases--5, 6, 7-- dealt with whistle-blowing indirectly.

In all three cases, the computing professional served an outside client rather than an employer. This adds other dimensions to whistle-blowing.

In Case 5, suppose the system designer learns that his client plans to use the database to discriminate and he refuses to design the system. Later he finds that a friend of his designed the system as the client wanted. He would then have to decide whether to "blow the whistle" on his ex-client.

Practical Software Engineering, Department of Computer Science 12-Jan-96