Ethics and morals should be a big thing in our industry, and yet I’m beginning to think that some people have forgotten all about them recently.
I’ll tell you a story.
We have been working with a development company that supports a range of its own products, products that one of our clients uses. Straightforward: when we have issues with their product, we email their support line. The other day we discovered that the client’s site was down, and we traced the issue back to a badly written script injection hack. Easy to fix.
This doesn’t happen often, but it does occur from time to time. Usually it’s an attack on the host’s server.
So immediately I began the process of isolating and cleaning the site. No major issue. Having daily backups of all our clients’ sites does help.
When the site was operational and all passwords had been changed, I began the process of determining how this all happened. It seems a vendor support password had been activated once a few hours before, and a file uploaded then deleted. Same time the site failed.
I contacted the said support vendor. Only when presented with evidence of the compromised systems (via the FTP and PHP logs) did they admit to the issue. No assurance of the issue not happening again, no statement that they have changed their security procedures. At least they said sorry, cold comfort really.
Now, as a support company, surely they have an obligation, if only from an ethical viewpoint, to inform their clients that their passwords have been compromised as soon as they are aware of the issue. This would at least allow their client to be vigilant and reset any system passwords or the like.
It appears in this case that the client (my client) was on their own; we had to discover the issue and work it out for ourselves, despite the fact that the issue is clearly their fault. I know there are legal issues here, but putting those aside, there is the moral issue as well.
Trust and Obligation
Consider that we have an extreme sense of trust with our clients. After all, we have a guardianship to look after their web. We can control their information resources, and the presentation and branding for their organisation online. There is a distinct duty of care that we have with each client.
Besides the various legislative requirements for privacy and client information, do we have an ethical obligation to look after a client’s data? Should we tell them when things go wrong that are under our control? Should we be 100% honest with our clients and work with them all the time? Or should we just deliver our service and leave it at that? Should we just play the deny-everything game until we are presented with evidence, in an effort to avoid any legal implications?
It may seem like a clear issue.
However, if you don’t tell your client, this gives your client the impression that you are just in it for the money and aren’t interested in them in the longer term. On the flip side, if you do tell your client of the issue, they may perceive you as incompetent, in that you let it happen in the first place. In a way you are damned both ways.
Still, personally I have found that being 100% honest and up front is the way to go. Clients will respect you for this.
Other Issues of Ethics
Our industry is just full of moral choices. Not just this duty of care and information guardianship.
As a User Experience Designer I know that I can use my skills to leverage the psychology of design, and in fact I can influence customers, leading or tempting them to buy goods that they don’t really need. Now, just because I can do this, does that mean I should? I can make a lot more money doing this, but should I?
This also extends to what industries you will work with. From my view, I don’t work with the gambling industry, religious groups or businesses that use high-pressure sales tactics at any cost.
It could be said that we just have to provide our services and that’s it. All this duty of care and information guardianship is just a load of rubbish. It’s not like it’s in the contract or written anywhere.
This is true, to a degree. Maybe an industry code of conduct wouldn’t go amiss for our industry. Mind you, I have yet to see any of the fledgling web industry associations move in that direction.
Still, until that happens, we all have to make our own personal choices on these issues.
The burning question is: what would you have done in the case above? Not told your clients? Also, where do you draw the line? What type of work would you not take on?