Just because you can, it doesn’t mean that you should

Gareth Marlow , , , ,

I was first given the keys to an organisation’s IT infrastructure in early 1997 at the tender age of 24. In previous roles I’d been the person tinkering away with a PC, trying to find ways of using computers to help my “proper job” – but this was my first experience of IT being the “proper job”.

I’d never run a mail server, or a network, or supported hundreds of users before – this was the glorious period when computing and networking was affordable enough for the first time to deploy at scale. “A computer on every desk and in every home” was becoming a reality, and if you knew one end of an ethernet cable from the other (!) you could get a job.

No training. No documentation. No supervision. No guidance. No frames of reference. We were just figuring it out as we went, largely though poking around, “Altavista-ing” and asking people for help on email lists and Usenet.

One of my first jobs was to figure out how email actually worked. I knew that one of the servers ran something called “sendmail”, which had an almost incomprehensible configuration file, and it seemed to create files in a directory called “/var/spool/mail”

I can remember as if it was yesterday the moment I realised that these files were in plain text. That as the person running the system, I could read everyone’s email. That I could read everyone’s documents.

Networks back then were usually comprised of “routers”, which joined networks together, and “repeaters”, which made sure that network signals were replicated across the networks. Pretty much all network traffic was unencrypted, which meant that anyone who knew where to look could see both passwords, and all of the websites that anyone was visiting.

First reaction: shock. I felt sick and giddy with this new power. Second reaction: excitement. Third reaction? “How would I feel if someone did this to me?”. Violated? Appalled? Angry?

It became pretty obvious that the vast majority of people using the network, using these systems, had absolutely no idea that this kind of snooping was possible. Although the legislation started to catch up, it was also pretty obvious that the technology was always going to be years ahead of the legislation. And it was also obvious that governance in most organisations was probably going to be ignorant of this, or at least impotent.

This was going to come down to me doing the right thing. A real question of ethics. I realised at that point, that although I could go and look, and get away with it, that I shouldn’t. Now, I’d like to believe that this was entirely because of my deep sense of integrity, but a big part of this decision was knowing that I have a shit poker face. I’m just not very good at telling lies. But either way, the maxim was clear.

Just because you can, it doesn’t mean that you should.

As my career developed, these questions kept cropping up. In a field like tech, you’re doing stuff that has never been done before all the time. Much of the conversation is about logic – what’s the “smart” thing to do. If you’re lucky, and in the right organisation, some of the conversation is about empathy – what’s the “sensitive” thing to do. Very seldom it’s about ethics – what’s the “morally correct” thing to do. Using behavioural data? We did mention it in the privacy policy. Structuring your international operations so you pay next to no taxes? We weren’t breaking any laws. Discriminatory bias in your machine learning algorithms?

A big fat ¯\_(ツ)_/¯.

Which brings me to the reason for this post – the recent Superhuman email tracking/privacy discussion. The debate kicked off with this post: Superhuman is Spying on You, to which Superhuman’s CEO Rahul Vohra responded: Read Statuses.

Full disclosure: I’ve been a Superhuman customer since November last year, and I think it’s a great product. I first met Rahul when he and the Rapportive team were based in the Red Gate offices for a brief period – I know him well enough to say hello to but not much beyond that. And I was really impressed by his response:

When I set up my own business in 2016, faced with the relentless dispiriting slog of outbound business development, a friend had suggested that I install the Hubspot email tracking plugin, so I could see when my emails were being read. Email tracking! Of course! That’s a thing! I can be more effective! I think I’m quite hot on privacy issues but my ethics trip-wire hadn’t been touched. Instead, a statement (“most commercial email is tracked”) seemed to have replaced any critical or empathetic thinking on my part as a customer, never mind as a vendor.

Many of these ethical calls are trade-offs. Whose needs are we going to prioritise? Ours, and our shareholders, or society’s need to raise taxes? Our customers, and their challenges, or their users, and their right to privacy? In some of these cases, the answer is obvious – and the right to privacy is an important value for me – fascinating how “everyone does it” is an easy trap to fall into.

In Superhuman’s case, the really interesting challenges come towards the end of Rahul’s blog post. Your customers’ needs are important, but you’re playing in an ecosystem, and you have other stakeholders. How do you prioritise their needs? Who wins? Ultimately, these have to be ethical choices. Just because tracking is useful, it’s expected by professional users and because everyone else does it, should that always trump the recipient’s wants and needs?

Whether you’re building email software or the next social medium, you’re taking little decisions all the time, some of which will have big consequences. We’re used to examining things through the lenses of desirability, feasibility and viability. How are you going to start thinking critically about morality?

Just because you can, it doesn’t mean that you should.