Hacker News

> If you want to see what you should never do as a software engineer if you like not being in jail, this is it.

Strange comment.

Are the engineers who made the code change responsible?? Do engineers need to be lawyers and financial gurus too, and evaluate every ticket they are given for possible illegality in every country the software is used??




Yes of course they need to know the law. Anyone who might potentially break the law during the course of their work needs to know what that law is. ‘Just following orders’ is not a defence.

This is very odd special pleading by programmers. Every industry needs to do this: journalists learn media law in their university degrees, architects have to learn the building regulations. Why is programming any different?


Because programming is usually applied to different industries. Yes, you should know the laws of your own industry (in tech that would be privacy, licenses, export rules, copyright, some patent basics etc.) but you can't know the law of each industry you write software for.


Holding people personally liable is the exception and not the norm. It makes sense too, like if the company lawyers say something is fine then you have to be able to trust them, unless it's something obviously wrong.


> Yes of course they need to know the law. Anyone who might potentially break the law during the course of their work needs to know what that law is.

Complete nonsense. This is criminal law. Google "Mens rea".


Stay civil.

This is not an argument against programmers, like other professionals, learning the aspects of the law which are relevant to their job. Why should programming be the one profession where this is not required?


Because to be criminally liable for something requires both a) actually doing something that is against the law and b) doing so with intent (i.e. you knew what you're doing is against the law and you did it anyway... because you thought you will not get caught or just didn't care). It is then up to the prosecution to prove, beyond reasonable doubt, that you actually intended to break the law. (With the exception of strict liability crimes, which are limited in scope to minor infractions and things like drunk driving or statutory rape.)

You can still get sued in civil court of course, but that's not the state trying to put you in a cage and so the standard goes from beyond reasonable doubt to most likely.

If you're a coder coding shady shit for your shady employer, you most likely know you're doing so and there's typically some trace or record left. But coders are not investment bankers and in fact may not even know anything about investment laws and regulations. And it's completely unreasonable to expect them to know. I worked on many projects, including medical and education... if I had to question and investigate every executive decision impacting my work then I wouldn't get anything done.


"Mens rea" is a requirement for certain crimes, but not all, you definitely can be criminally liable for doing something without intent. The trivial example is murder vs manslaughter, the latter does not require intent but obviously can be and is criminally prosecuted.

Furthermore, even in cases where mens rea is required, it gets satisfied if you intended to achieve the prohibited result even if you thought that the result was permitted. "Intent" is not about intent to break the law, it's about the intent to do the thing that happens to be illegal. In this case, it matters if you knew what the thing you're making was going to be used for (e.g. hide some stuff from auditors) but your knowledge or ignorance of the relevant laws and regulations doesn't matter at all - as another poster noted, https://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat .


Sorry but this is completely wrong. “Mens rea” means knowing you were doing a particular thing. It doesn’t mean knowing that it was illegal.

E.g. if I take your wallet off of a table because I thought it was mine, I’m probably not guilty of theft. If I took it because I didn’t know theft was illegal, I probably still am.


> Yes of course they need to know the law

That's absolutely ridiculous, and no court would expect it.


In English courts, there’s some debate about a defendant’s ignorance of the law.

In this Chancery case from 2021, the judge mulls over what it means that a defendant is “unaware”. He considers the distinction between someone who knows about the relevant law and misunderstands it vs someone who doesn’t know at all. And the judge briefly wonders whether someone working in regulated activity (like finance) and completely unaware poses the most risk to the public.

The judge left the issue unsettled, but it raises the possibility that ignorance might count against a defendant. The Chancery Division handles business disputes, though, and I imagine the criminal courts have their own rules.

Paragraphs 22-25 are most relevant: https://www.bailii.org/ew/cases/EWHC/Ch/2021/995.html


They won't until they do. When it's something seemingly egregious like this, it has the potential to be something that makes an example and changes curriculum for CS students across the country for decades.

I expect other engineers to know laws when creating things (not like having a JD). Accredited business schools in the US teach business law to their undergrads. It's absolutely not ridiculous or a stretch to have a similar expectation.


There's a big difference between the HN crowd shouting "they should know the laws!" vs. licensed and controlled professionals like architects and structural engineers that "follow the law" via established codes, which have clear boundaries that can be evaluated and prosecuted when violated.

> When it's something seemingly egregious like this

You don't even know what "this" is. So the BI engineer that stitches together data for a report should have known that combining these two values was illegal? What silliness.


‘clear boundaries that can be evaluated and prosecuted when violated.’

Have you ever looked at media law or libel law? It does not have clear boundaries, but journalists are still expected to follow the law. Journalists are not absolved of the responsibility because it’s complicated.

You just need to not break the law. It’s how it works. If you don’t want exposure to liability, you need to acquaint yourself with relevant law.


> It does not have clear boundaries

They absolutely have boundaries that a lawyer or prosecutor can use to make a case in a court of law. How do you think the law works? Interpretation of laws is a big part of how the common law system works.


If there are clear boundaries, there would be no need for interpretation. Interpretation is needed to resolve questions that arise because the boundaries are not clear.


> If there are clear boundaries, there would be no need for interpretation

You can't prosecute someone for murder just for insulting you. You can't prosecute someone for robbery if all they did was jaywalking. Media laws have clear boundaries sufficient for legal professionals to do their job. Building codes have clear boundaries sufficient for legal professionals to do their job.


Interpretation is exactly where the boundaries become fuzzy.


I don't know, we hold other engineers responsible for the consequences of their work, personally I think the industry would be better off if we had more accountability for programmers.


But we don't hold the gun-industry accountable for mass-shootings. Maybe we should. But the situation is a little bit similar here. The engineer created the gun. He didn't use the software to shoot people. Or maybe he did. The question is did he personally benefit from the change made more than his usual salary?

Or think about people who build bridges. They just follow the orders they get from higher ups. Bridge collapses. The higher-ups should be held accountable not the workers. The question I think is did the engineer here just follow orders? Perhaps he understood very little about finance, only about programming.


A gun has many purposes, some legitimate (law enforcement, "defense" etc), others less so. A code change that allows the company to do illegal things has no legitimate purpose.

I think what's up to debate is to what extent the developers were lied to regarding the purpose of the code. Maybe they were told it was for testing purposes only, or the higher ups managed to convince them that it's ok despite them questioning it. I suppose those things will come up during investigation and will certainly affect their sentences, but I don't think they will be off the hook that easily.


A `DELETE FROM` function can be used for good or bad. A gun can be used for good or bad (see the war in Ukraine, it can be used to murder or protect your family from murderers).

A code change excluding a known, named entity from safety checks is more like rigging a bridge to explode when your enemy crosses the bridge.

Zero ambiguity.


The gun manufacturers have a special law passed at the federal level to prevent civil liability (PLCAA). That is being chipped away at but it’s currently a special privilege they hold enacted by the legislature of the US.


> "The question is did he personally benefit from the change made more than his usual salary?"

I would guess the compensation structure at FTX included a lot of their own crypto tokens, since the company can mint those at no cost. And Alameda was a big holder of those FTT/Serum tokens.

So you're a software engineer who owns theoretically millions of dollars worth of FTT tokens, and then the boss comes to you and asks to make an exception for Alameda... Since you work at FTX, you're probably aware that Alameda holds and trades a lot of FTT. If you do the code change to make Alameda look better and maintain the value of your own crypto portfolio, there's no question that you're a part of the fraud.


> The question is did he personally benefit from the change made more than his usual salary?

That’s not the question — as in, it won’t be an element of any of the crimes he’s eventually charged with. The question is whether he was knowingly or recklessly involved in a scheme to defraud people.

And just generally, legal reasoning does frequently use analogies but they need to be tighter than the ones you’re using. This case isn’t much like building a faulty bridge.


I would think that in most crimes the motivation of the accused is a factor. Think about hate-crimes. They are not hate-crimes unless the person did them out of hate for the PURPOSE of hurting members of some minority.

Murder-in-first-degree means you didn't just recklessly cause the death of somebody, it means you did it intentionally, on purpose.

See Mens Rea, "Criminal Intent" https://www.law.cornell.edu/wex/mens_rea

Was this engineer knowingly and intentionally helping to commit the crime? We don't know because we haven't seen many details or testimonies in this case. He must be assumed innocent until proven guilty. And proving him guilty must include proving he had criminal intent, Mens Rea. The court of public opinion as in Hacker News is of course a different matter.


If a bridge collapses it's the /engineer/ that's held accountable. Engineers sign off on things. They are accountable to the product that they build and those that use their product. This guy calls himself a software engineer, so he should accept all the responsibility and accountability that goes with that title.

Your gun analogy is not fair and it does not translate well to the actual situation at hand. A gun engineer is not responsible for all the deaths the weapon causes. But said engineer will be very much accountable if the weapon blows up in the wielder's hands during normal use (even though practically this might not be the case due to liability disclaimers and all that).

We have case studies where deaths were caused by shit software, where the engineer that wrote the software is clearly the accountable one.


> we had more accountability for programmers

You could make this argument for literally every profession.


Software engineers are some of the highest quality engineers there are. Objectively by a simple metric: lives ended through incompetence. Software engineers lead. No other engineering discipline comes close.


"I was only following orders" is generally seen as a bad defense since the end of WW2.


This is why I don't get why the phrase/excuse/justification "I'm just doing my job" is so commonly used.


It can be hard to do the right thing, especially if there are real-world consequences like "do this bad act or lose your job" threats.

However, "do this bad act and we'll all get rich" seems a bit ... harder to sympathize with.


When an executive level manager is paid multiple times (or orders of magnitude) what an engineer is paid, I feel there should be a different assignment of responsibility and exposure to risk.


Because there’s not been a large obvious reminder for some time. In fact the last such reminder was before most currently living software developers were born.


Yet owners and management get to say, 'it's business' or 'it's just business'.


Not according to me, they're both wrong in the exact same way to me.


Yes? You don't need to be lawyers or financial gurus, you just need to have common sense and strong ethics.


In some cases, yes, they are held responsible. When I was trained on HIPAA compliance, lawyers made it clear that individual employees could be held responsible for some violations. And yes, we restricted service availability based on region until we achieved compliance with GDPR and various regional PII/PHI data export laws.

I work in another regulated industry today, and throughout the year sign off on understanding various regulations and trainings of 3 letter agencies, that are essentially in place to indemnify the company in case of a violation. I’d expect financial services follows similar steps.


Yes, engineers are also held responsible. If you're being serious, here is some education about the origin of this principle: https://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat


If the engineer(s) should be responsible or not doesn't really matter, you could still get blamed either way.


But if you only told someone to do it and haven’t actually done it yourself, are you guilty of breaking the law?

Yes, you are. Splitting responsibility between those who give orders and those who follow them to avoid penalties is exactly why both are persecuted and put in jail.


> persecuted and put in jail.

That sounds like Julian Assange. Did you mean "prosecuted"?


Yes a bad case of autocorrection…


Agreed.

The person who commissioned this change, knowing the potential financial ramifications that it opened them and their depositors' money up to, is the one who should be charged.



