How to be diplomatic in refusing to write code that breaches the privacy of our users

Question

I am a team lead in a company located in Manila, and I am currently writing an app that has a seriously questionable feature request for its Android users -- which is to secretly record its surroundings using the phone camera. When I asked the CEO why we have to write this feature, I am told that it would achieve user safety and it would give cops leverage by way of investigation in case something in the videos can be used as evidence.

Having this feature is impossible for iOS users, so that leaves Android. This, of course, could place the company under serious fire for invading users' privacy when we get found out. In fact, as far as my country's laws go, it not only illegal, it is unconstitutional. This argument fell on my CEO's deaf ears, citing the legalistic "terms of service" that users would be made to agree upon, and he pointed out in jest that I should not question his business ideas.

Developing this feature is also problematic from a development standpoint. Operating the camera from the background would put too much toll on the phone's battery. Uploading the videos would also be vampiric on the user's internet connection. Lastly, it is impossible to do on iOs.

While the entire development team agrees with my assessment and is just as uncomfortable with the feature request as I am, the product owner explains to me that while the feature is truly useless, it still has to be made so as to attract investors. And it did please the investors based on the last meeting with them.

My team has thus far insisted that Apple does not allow its developers to run the camera in the background and that we have agreed that instead of a video recording, we would instead take pictures every ten seconds. But I am a hardliner about this and I do not want us developing anything close to this feature.

As this feature is definitely "marketing-driven" as the product owner suggests, I want to know counter-arguments from an investor's standpoint so that the feature would be scrapped in its entirety.

In general, how do I become diplomatic about this matter? I believe I can still talk some sense into the CEO. I have no qualms leaving this company on account of the poor management but I love my dev team, their superior skills, and the workplace culture that we have cultivated. As much as I would want to use our value to the company as leverage against the CEO--If you insist that we do this feature, we will leave--I wish to be charitable still.

Thank you!

Answer 1

This of course could place the company under serious fire for invading users' privacy when we get found out. In fact, as far as my country's laws go, it not only illegal, it is unconstitutional.

You're being asked to break the law and do things that might land you in prison or otherwise in serious trouble.

This argument fell on my CEO's deaf ears, citing the legalistic "terms of service" that users would be made to agree upon, and he pointed out in jest that I should not question his business ideas.

And you've already explained this to the CEO.

Your problem isn't how to explain it, your problem is how to get out before the business is shut down.

1. Document everything that is going on. You might need it for future "courtroom" reasons.

2. Get out.

If you want to try explaining it again you can talk about it being illegal and unconstitutional, but imho you're past the point where "the boss doesn't know" and into "he don't care".

Answer 2

Since your boss doesn't care that this is incredibly invasive, warn him that starting on Android Q, to be released later this year, Android will (finally) block apps from recording video and sound while not in the foreground. Therefore, it will be the same situation you have with iOS.

Of course it will take sometime until Android Q has a significant marketshare, but you could ask him if developing a functionality that will be rendered useless in the near future is worth the trouble.

Therefore, you don't need to be "diplomatic". You can show him hard, technical facts.

https://www.theverge.com/2018/3/7/17091104/android-p-prevents-apps-using-mic-camera-idle-background

Disclaimer: I've misread the article. Apparently background recording is already blocked on Android P, the current version, which means there should already be a larger marketshare where this kind of stuff wouldn't work.

Answer 3

1. Document everything, starting now. You will likely need it.

2. Do not start building this feature. Do not prioritize it, do not write tickets for it, do not task your team with anything to do with it.

3. If management wants to chastise you over dereliction of duty, allow them to do so, and simply ignore everything they say. Document these situations as well.

4. Go as high as you can in the food chain. If your boss won't listen, go to their boss. If their boss won't listen, go to their boss. And so on. What you should explain to them is the worst-case-but-possible scenario that you could get in trouble for. Other answers suggest going the child porn route, and that's not a bad idea, but if you can think of something more dangerous then go for it. I would do something like this:

   (to CEO) Hey, John [or however you want to address the CEO], I'm having an issue with this new feature we're developing. I know the purpose of the feature is [explain what product management told you], but I feel like we could get in a lot of trouble for this. For example, what happens if we're recording and we accidentally record an underage child changing their clothes? That gets us in a lot of trouble, not with the customer, but with the police directly. I don't think an EULA handles that use case, because minors can't legally give permission to record pornography of themselves. We should rethink this.

   Another way you can come at this is from a user engagement perspective:

   Hey John, [...]. Because this feature uses the camera constantly, it will use a lot of battery power. Since it uploads the video to our servers, it also uses a lot of user data. What do you think would happen if our users suddenly see their batteries decreasing rapidly and their data usage spiking, and then find out it's our app that did it? Would you use an app which causes a significant drain on your phone like this? Do you think our users will? What will you tell your investors if user engagement falls off a cliff due to these issues?

   See what he says. If this doesn't convince him, then:

5. Make them fire you, or, better, make them force you to quit. Come into work every day and do everything they ask as normal, except do not do this project. Then they have 2 choices: Abandon the project, or fire you and bring in someone who will do the project. In the first case, you win! In the second case, if they fire you then you should contact a lawyer. Bring all the evidence you have concerning the project, the concerns you raised, who you raised them to, everything. Remember, document everything. You likely have a case (IANAL). If they force you to quit, then on top of the above legal case, you may also have a case for constructive dismissal; the tl;dr of Wikipedia is that the definition (IANAL) is when your company makes your life a living hell, but does not fire you, to the point at which you have no choice but to quit.

6. If you get wind of the project being redirected (i.e. your team is removed from it and another team is given the task instead), contact the local authorities ASAP. You likely have protection as a whistleblower. Dump everything you have to the authorities as soon as you can and in as much detail as you can.

Answer 4

Since it seems that your CEO is either a bit clueless (at best) or morally bankrupt I don't think you're going to get anywhere with persuading them that this is abhorrent. Especially given they are just casually brushing off such fripperies as it being rather illegal. What you might have some success with is point out some of the myriad ways that this could easily become utterly ruinous for both them and the company.

e.g. If this "feature" captures images/video of an underage person getting changed - congratulations your company is now on the hook for producing, transmitting and storing indecent images of children! Can't see investors flocking to a company with that one on their record.

But I have to say why waste your time? At the end of the day scumbags gonna scumbag and life's too short to waste it working for or being diplomatic to scumbags. I'd honestly just recommend leaving as soon as you have something else to go to and make sure no-one you know ever installs or uses this app or anything else the company produces.

Answer 5

TLDR: Openly, brazenly start collecting documents that prove you were not a decider in this matter, that you advised management against this feature for privacy reasons, and are simply following orders to retain your good job status. Ask the boss flat-out to give you a letter stating exactly that. This may sober him up.

If that doesn't work, I'd find another company who wants a good team, and take your team with you.

The eavesdropping is a very big deal

Eavesdropping is a criminal charge that varies by state or nationality. Some are "1-party states", where if 1 party in the room gives permission, it's legal.

Most others are "all-party states", meaning everyone being recorded must give permission.

The user doesn't know about your company's eavesdropping, which makes this 0-party; no one in the room is aware. That makes it a crime just about everywhere. What will your criminal defense be? Language buried deep in the EULA? Juries aren't going to accept that because then you would be accusing your customers of breaking the law by not reading the EULA thoroughly enough. Juries, who don't either, will say "no sale".

The feature would send customers through legal hell

But it gets worse. Consider Curtis, your customer, and imagine he's in a civil lawsuit about something totally unrelated. The plaintiff subpoenas from you all the data you have about them. You hand over the eavesdropped content (which makes perfect sense to your boss, since he's such a help-the-police guy). Plaintiff recognizes the eavesdropping, and blows up, assuming Curtis did this.

• In an all-party state: Curtis is up the creek. This smokes any chance of a settlement, and horribly prejudices the civil case: Curtis loses HARD. Then the judge refers it to the DA for criminal prosecution; Curtis must be punished. The whole time, nobody knows how this happened. All parties assume Curtis did it on purpose. Curtis assumes he accidentally turned on some feature he's unaware of.

• In a 1-party state, Curtis is safe from legal peril, because he had a right to eavesdrop. But if he says he did it on purpose, he enrages the plaintiff. So he is better off saying the app did this without his permission, which will not be believed. Showing it's true will calm the plaintiff and create a "common enemy".

Both of these end in an interesting problem for you. Curtis's best bet is to prove that you do indeed eavesdrop. He already has subpoena power because of the civil suit. So he'll use it to get the same records about any of plaintiff's staff (turnabout is fair play) -- or better, the judge. Can you imagine the civil court judge looking at photos of himself naked?? The judge will have confidence he did not turn this on. He will say to the D.A. "At first I didn't believe defendant, but the company did it to me too". Curtis is out to save his bacon, not get your company, but to save his bacon he must nail you.

---

All this to say, getting caught is inevitable. It will be viewed by every US state as your company committing a criminal act for money, and presumably lots of other nations and provinces as well.

It will particularly enrage the EFF, ACLU and privacy organizations, especially if it's uncovered that part of your boss's motivation was to "help law enforcement".

Now, when your company gets caught, I don't know how things work in the Philippines, but it sounds like there'd be an internal scramble to blame the next guy. Your boss would obviously have an advantage there, and would try to sell it as "I had no idea OP and her developers were doing that, send them to jail not me".

Sober up your boss, by covering your tail

So your top job is to cover yourself (CYA) and your team against that possibility. What you want is a "get out of jail free card" that shows management was fully aware of the privacy issues and wanted the project built anyway, and their reasoning. Now, when your boss sees you trying to collect those CYA documents, that's going to sober them up right quick: Why do my subordinates think they need this? The boss may have indulged in fantasy when it comes to the legal implications, now he's thinking. Fair chance you will get a memo saying "drop the feature".

---

I considered this a final answer, but some are contemplating what happens in a mad world where your boss goes "here you go, here's a letter making me fully responsible for legal consequences".

At this point your "get out of jail free card" would become a Nuremberg defense. Aside from any contemplation of whether Nuremberg bears on complex questions of law, I honestly don't foresee you hanging around to find out. If your boss persists, you've got a great team and I expect you to find better work and take your team with you.

Answer 6

If you do not want to make this a fight:

You know you're making an app that is against Google's rules on privacy (specifically camera use), so please do immediately report it. I think it's anonymous, but you can pretend to be a user I guess. I'm sure the same thing can be done for IOS. Act surprised this happened, and then get busy "fixing it" back to how it was.

This isn't the best way, but is a non-direct way to protect your users, if it proves impossible to kill this idea before development.

Answer 7

Did you consider the humorous approach?

Maybe it's late for this, but your CEO may be overwhelmed with soft-toned legal boilerplate stuff he reads everyday that he is indeed not grasping the gravity of the situation.

If I was asked to develop a feature that would secretly record video and upload it from users phones, my answer would be something like:

"For real? We are gonna get SO MANY celebrity nudes! Is FamousPerson in our user base? We are so going to jail... Were is the iCloud hacker serving time again?"

This is meant to send the "this is illegal" message with a catch phrase, that he's likely to remember.

Others have given good enough "serious professional answers" but to avoid sounding reckless, here's my version of it: Simply don't do the code, try to get written documents/requests from your boss specifying what is to be developed. Once you do, that is your evidence. If the company is big enough, there should be a compliance channel for this kind of whistle blowing. If company is small, once you get fired you can sue the company.

As usual, a boilerplate text is due here: I am not a lawyer! Seek specialized help instead of relying on what may sound as legal advice from this website!

Answer 8

I don't disagree with the answer by Dark Matter, but I wanted to offer you an option that isn't mentioned there.

In many companies there is an ethics officer, whose job is to ensure that the company complies with ethical standards. I'm guessing your company doesn't have one, but future readers of this might try that. Also sometimes contacting the company lawyer is effective. Lawyers have an obligation to uphold the law, and if they know their client is engaging in illegal activity they are much less able to ignore it than other people.

The final option is to gather enough evidence to document what you are being asked to do, and then send it to the authorities. Or the news media. Or both.

It goes without saying that this is a nuclear option. While it is possible to do anonymously (Wikileaks?) there is a pretty good chance you will be at least suspected of being the leaker, and probably fired. Technically you are also exposing confidential information, and there is a chance that you could be pursued in the courts. In my country you would be protected by whistleblower legislation, but I don't imagine the Philippines has that.

So the consequences for you might be severe. Don't take this action unless you are prepared for them. But on the upside you would be exposing a corrupt CEO and possibly a corrupt company, which would be a serious deterrent to other companies who want to do the same thing.

Answer 9

Slightly different approach than the other (mostly very good) answers.
This answer is an attempt for you to keep your job and not have to write the feature.

the product owner explains to me that while the feature is truly useless, it still has to be made so as to attract investors

My alternative is to approach the company lawyer directly.
You have a legal issue that could sink the whole company that he might understand.

Approach the lawyer like this: (use an innocent / concerned expression)

"Hey [lawyer], I previously had a problem with that video feature - CEO may have mentioned this. But after talking to him I told [product owner] about it he said we had to do it anyway. So I went back to try to figure out how to do it because it looks like everyone is on board with it."

You are just playing the good employee so he will listen closely to what you are saying (instead of just nod and pay half-attention to someone that doesn't want to do what the CEO and the investors want to do).

"One pretty big legal issue occurred to me that I thought I should run by you."
"Because the customer doesn't know about the video, they could be in their home unknowing filming their children while they get dressed. Even if the EULA TOS exempts us from this, if it comes out that we have taken images of naked children and stored them on our servers - wouldn't that be a PR nightmare for both the company and the investors?"
"All it would take is a Mom or Dad using another app while changing a baby... or being in a bathroom with their small child. I don't know how to detect this, so I cannot prevent our storing compromising pictures on our servers.
"That would be a big deal, right? Especially since we aren't telling the parents?"
"There are apps that track how often an infant goes to the bathroom, so it is reasonable."

Best wishes on this.

Hope you will tell us how it comes out in a few weeks.

---

As an aside... whistle-blower laws in the US only protect you from legal action when you tell the authorities. Tell the press, or anyone else, and you're open to be sued.
I'm not a lawyer, but this information came from a lawyer who was speaking at a conference I attended several years ago.

Answer 10

Ask your CEO whether he will be using the app. Or whether it is possible police or politicians will use the app.

If so, tell him it is a security risk because all the engineers in the company will be able to spy on him and on others. Maybe it works as a deterrent if he is concerned himself.

Also make him aware of the commercial risk of doing this: he might lose his entire user base if they find out. Play on his ego, surely he is too smart to take such a risk?

I'm adding this answer because you explicitly ask for a diplomatic solution. Simply quitting or paper trailing is not necessarily diplomatic.

Answer 11

Some very powerful and unpleasant people in the past have used technology (for example old fashioned audio tapes) to record meetings secretly. They get the victim to admit to disliking another powerful figure and then use the tapes as a form of blackmail or simply to set opponents against each other, e.g. "This is what X said about you, and I've got the tape to prove it."

It is not impossible that someone has been searching around for a firm willing to produce this sort of software and there might be considerable bribes involved.

You didn't say what the app does. Could it be used for blackmail, or spying for industrial secrets in a certain sphere? Could it be used to predict fluctuations in the financial markets?

I would get out ASAP because if anything like this is going on, it won't be the big players who get prosecuted, it will be the ones at the bottom of the chain.

Answer 12

Your boss is ordering you to engage in crime. By proceeding, you will become their accomplice because you will be knowingly engaging in criminal activity.

So threaten to quit, or otherwise refuse to proceed, but not because you dislike whatever but because they can't possibly pay you enough to compensate several years of your life spent in jail. (Or maybe they can? Provide this as an option -- they will surely refuse to pay such an astronomical sum but this will open their eyes on how inadequate their demands are to what they are paying you. (Note that income from illegal activity will probably be illegal, too, so more trouble for you and the company to conceal it and yet another premium for the inconvenience this would be causing you!) The fact that they can't demand of you more than their pay is worth is something they can't argue with.)

Share the above with your co-workers and they will probably come to the same conclusion.

P.S. In fact, the above is (roughly) what I said to my past employer when they asked if I could do some online hacking for them. They never brought up the topic again.

Answer 13

I would like to approach a resolution to this issue in a slightly different way. The question was specifically:

How to be diplomatic in refusing to write code that breaches the privacy of our users

There are two ways to approach this:

1. Refuse to write the code
2. Make the case that this feature will negatively impact the project vision and you feel responsibility to steadfastly object to anything that will derail the project success

They both result in the same thing -- a refusal to implement the feature -- but the latter approach roots the refusal in the general desire for the app and business success, rather than for the users privacy. User privacy is a means to application success, but vise versa is not necessarily true.

To do this I would:

• Seek to establish common ground and good intent
• Ground any justifications in risks that I deem are important for the CEO
• Be enthusiastic about the project and the company, but steadfast in the refusal to implement

i.e. "I am really sorry but I cannot continue with this as it stands."

For example:

Dear ${CEO},

I am a member of the software development team working on ${APP}. I am passionate about ${STATED_APPS_PURPOSE} and have enjoyed working on ${PREVIOUS_NON_CREEPY_THINGS}.

However, I recently learned of this new feature that will require the recording of users at all times through their camera. While I understand the benefits of this feature, including:

• ${CREEPY_BENEFIT_A}
• ${CREEPY_BENEFIT_B}
• ${INVESTORS_HAPPY_C}

I feel compelled to note that this new feature deviates significantly from ${STATED_APPS_PURPOSE}. It may be that I have misunderstood the nature of the requirements from this feature, but as the feature has been requested I see significant new project risks introduced, including:

• User backlash at discovering the unexpected behaviour of the application
• Potential violations of users privacy law ${EXAMPLE} in Manilla and within other locales
• Punitive damages associated with the aforementioned violations of law

It is my assessment that this feature has deviated enough from ${STATED_APPS_PURPOSE} that I no longer feel comfortable with the tradeoffs the application has made, and I am thus not a suitable candidate for the ongoing development of this application.

I am reaching out to you now such that I may understand more the nature of this feature to clarify whether it should be implemented as stated, or whether our project would better grow in other areas.

Kind regards, ${YOU}.

Couching a justification in moral grounds that we know and understand are different from our own is an uncomfortable process. However, while it might be easier if our friends and colleagues shared our own values we each arrived in each others company via a different path and arguing a point to a given audience will be much more successful at homogenising the practical outcomes of our values, if not their roots.

Answer 14

While IT is not as professionalised as many other occupations, there are still professional standards organisations which will provide advice and assistance in these situations. In your instance, you should contact the Philippine Computer Society and notify them you have been instructed to breach their Code of Ethics.

Answer 15

Presumably the OP has reason to suppose that this app is "intended" to be used illegally, but stepping back from the general feeling of moral outrage in this thread, there is not much evidence (if any) to support that.

I can't see anything in the OP's post which doesn't fit a use case like "this app converts your cellphone into a dashcam for use in your car". In that situation, battery usage is irrelevant since the phone would be running from the car battery. And dashcams are perfectly legal in many countries (including the UK, for example), and used as police evidence in court, just like images from any other type of security camera. In some countries, the use of dashcams is almost a necessity to support road accident insurance claims and protect oneself against insurance fraud by other people, who may well be criminals themselves.

Of course the app could be used for illegal purposes as well, but so could many other items which it is perfectly legal to buy an sell - kitchen knives, for example.

If the OP doesn't want to be involved in this software project for personal reasons, that's a perfectly reasonable position to take, but IMO there is far too little information given here to jump to the conclusion that the whole project, or the project leader, is operating outside of the law.

Answer 16

If I were in this situation, I would give the CEO 2 choices:

1. either he could stop this highly illegal (at least in the USA) project and everything else can go on as normal, or
2. he can accept your letter of resignation and you will be getting a lawyer and reporting his activities to the proper authorities, whom can do what they need to do as soon as he releases this piece of software.

It is expected that you may have to do things that you don't want to do for your job, but once the issue crosses the line to illegal, there is no longer any grey space. Personally my job is definitely not worth ruining my life over by spending years in prison or in court battles.

Answer 17

In fact, as far as my country's laws go, it not only illegal, it is unconstitutional

Answer: There is no diplomacy in saying "According to rule n. X, paragraph Y, etc".

You have said it in simple words. You have stated that your rules forbid using this technology in such way. Laws have obviously precedence against employer's orders. Think your boss wants you to kill somebody. Blatantly unethical or not, this will get both to jail. For sure. And you have escalated to the CEO. There is no other escalation here. You already spoke to Pope Francis, his boss is too busy to escalate. (I often use this metaphore)

From your question, I see no more than two options:

1. Accept to work on the project in order to obey to your employer, but be aware that both your boss, you and whoever codes for the project can be accused if somebody will ever find this out. And believe me, eventually somebody will do.

2. Refuse to work on the activity, explain in writing the reason why it is illegal. This will, in the worst case, get you dismissed. In that case you have no other choice than finding a good lawyer to help you with the case.

In such case, you could also sue your company not just for having fired you unjustly, but for committing a crime.

You will probably need to face the human consequences, e.g. to have a hard time to spend finding a new job, questions from interviewers, etc. According to the cultural context (you mentioned Philippines, but I have no record for the country), it may be harder or not for a whistleblower to find another job. I do not want to discuss this here.

And that brings us to a third option: silently whistleblow. Get all written evidence of

• The project being approved by the chain of command
• Your CEO approving the project despite the roadblocks

Make an envelope and send it to your government's privacy authority.

Whistleblow option 2: work on the project, get the app delivered to consumers. Then contact a software security company or a security researcher (Symantec, TrendMicro, Kaspersky, Mr. Troy Hunt) and report them anonymously that you did this by company's order. Show them as most technical information as possible to find the guilty code (your company will likely obfuscate).

The security guys will probably try to conduct code disassemblies, tests etc. to determine that malicious code is present. They value the privacy of whistleblowers.

Google themselves ban applications that implement malicious code.

Remember that all this will cause damage to your company, up to bankruptcy. You can start polishing your resume today