I think the developer community need to start ostracising people working for these companies. Don't hire former employees, don't hang out with people who work for these companies and conferences.
Don't supply services to these companies (build their website, network...).
I believe by letting people off the hook for participating in this (similar things can be said for e.g. the NSA) we are essentially endorsing the behaviour. If you work at e.g. NSO group, you are personally responsible for governments suppressing and even killing (just look at SA) critics.
Ostracising someone from society solely on where they work without looking at their actual actions is implying guilt by association. A tactic often used by authoritarians. Everyone in a civilised society has the right to a fair trial without the presumption of guilt.
Finally, somebody's brave enough to say the truth!
I've been helping with some work for a small local gang- we do the usual (murder-for-hire, "debt collection", extortion, etc). Although I only do administrative work - keeping records and such. Pays great. But you know what? My wife- my wife of five years- left me when she found out.
Can you believe that? What a fucking fascist. I didn't do anything wrong. I never killed anybody. And, sure, I did also help machine firearms for folks, and I did help with some supply chain issues to make sure we have a reliable supply of bullets, but I never shot anyone. Not one person.
Unclear whether this is legit, or if you're being facetious to demonstrate a point. I'm gonna bet on the latter, seeing as this is HN!
You intended to supply a local gang with guns and ammo to earn profit from it, along with the other actions you took. You purposefully set out to profit from their criminal behaviour in full knowledge of what that entailed.
I'm not surprised your wife left you. Good on her.
Here is a circumstance where your point is not valid, where there is no malicious intent:
- Developer A in dept X finds out developer B in dept Y is working on Z. Is uncomfortable with anything to do with Z.
- Dev A raises this with line manager C and gets pushed back.
- Dev A tries to raise this up higher. Gets push back.
- Dev A decides to leave the company because the workplace has now become increasingly hostile.
Dev A tried to do the right thing and raise up the fact that project Z was unethical. By presuming guilt by association, Dev A is treated exactly the same as Dev B.
Consider engineers at Google. Did every Google engineer work on project dragonfly? Did every engineer know about it until it was leaked to the press? Do the project zero team work on ad tracking?
Bringing it back to your example now. If you were an accountant for a printing shop that just happened to be a front, but you never knew about it or suspected it, that's another story. There's no intent to profit from or knowledge of the criminality. Now you're an innocent bystander who was taken advantage of.
If your wife left you in this situation, I'd feel for you.
This is why we presume innocence until guilt is proven. I, for one, would rather some guilty people slip through the net of justice if it helps us to not habitually punish innocent people for crimes they did not commit.
The world is not perfect, nothing is ever black and white.
Anyway, we can evaluate the permissibility of moral actions using the principle of double effect. As you suggest, we do not always have the luxury of choosing courses of action without some kind of negative side effect. At the same time, it is not morally permissible to engage in intrinsically immoral acts (sorry, utilitarians/consequentialists) nor is it permissible to intend the evil effect. We may also not use the evil effect as a means of attaining the desired good. Finally, there must be a proportionality between the good and bad effects that justifies the toleration of the bad effect.
I am genuinely confused by your comment. Are you, again, being facetious or are your arguments just bad?
> it is not morally permissible to engage in intrinsically immoral acts (sorry, utilitarians/consequentialists)
How would anyone define an intrinsically immoral act? It seems dishonest to discard well-established schools of thought while ignoring the very premise that makes them relevant.
> We may also not use the evil effect as a means of attaining the desired good.
> Finally, there must be a proportionality between the good and bad effects that justifies the toleration of the bad effect.
These two statements directly contradict each other.
Cool, so there are areas with shades of grey.
Claiming that you somehow were not aware of what NSO is doing is just not one of those, at least I won't give you the benefit of the doubt if you're working there as a dev. Likewise, if you work for Hacking team, you know what you are doing.
> Claiming that you somehow were not aware of what NSO is doing is just not one of those
The parent comment of the comment I replied to (try saying that twice as fast backwards) was attempting to point out that we should avoid using guilt by association. i.e. We should focus on innocence for the individual until guilt is proven.
How do you know for absolute certainty that at least one developer (who has ever worked at NSO at any point in time) never said "this is completely illegal and I'm not comfortable with being near it."?
How do you know for absolute certainty that at least one developer (who has ever worked at NSO at any point in time) never said "You know what, I'm really not comfortable doing this work. I thought this was a good gig and I'd be okay with type of work... but I'm really not. It's killing my soul and I can't stand it."?
> at least I won't give you the benefit of the doubt if you're working there as a dev.
Fair enough. You're entitled to that position.
For me: People can make mistakes. People can get in over their head. People can mistakenly believe the lies other people tell them. I'd rather assume someone is innocent until guilt is proven by evidence.
> Likewise, if you work for Hacking team, you know what you are doing.
What even is a "Hacking" team?
Project Zero could be considered a "Hacking" team. Are they bad people for doing what they do? We know about loads of new zero days thanks to them. Extending this, am I part of a hacking team? I do white hat research. Does that mean I'm bad?
Do you mean "malicious adversary" perhaps? Because that is an entirely different concept. Then we are dealing with malicious intent. That's when someone may indeed be guilty (if backed up by evidence, of course).
> HackingTeam is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.
As @svane pointed out, "Hacking Team" are exactly one of the companies that are on my personal list of companies where if you work for them, you lose (my) benefit of the doubt.
From your comment I do take the point that maybe not everyone is aware of all of these actors.
But if you sign a contract with them, you either know what you're doing and are cool with it, or you didn't care enough to google them. (And I have a very hard time believing the latter.)
The former I find morally wrong, the latter I find negligent (note the "I find", indicating personal choice here) and I do think both should be disqualifying if not explained well.
Edit: even though my personal attitude towards this doesn't matter in the grand (or even small) scheme of things, I'd consider this a situation where I'd invert the burden of proof. Yes, being associated with these companies should put a burden on the person working there if they want a different job. They should have to think about that before they sign. High-skilled people who consider their offers should have a strong incentive to decline.
Let's say I am staunchly anti-abortion. I believe any abortion is, unambiguously, murder - the killing of a human being, and, maybe even worse, a child. It's unforgivable- goes against everything I believe in.
I also have a friend named Sammy, who's a doctor. Last night I discovered Sammy got a new job at Planned Parenthood, where a significant part of her time will be spent performing surgical abortions.
How many articles on the web should I read before I'm allowed to stop being friends with Sammy?
If you found out about Sammy's new job from a blog post on the internet, maybe you should give him the benefit of the doubt and ask him about it in person before ending your friendship.
In that example yes, but are you really telling me that I should change my views on whether it's okay for governments to hack journalists and activists to publicly smear them and arrest their sources?
It's an interesting position but one with unpleasant implications. Do you think it is morally wrong to work for, say, a terrorist organization planning a chemical weapons attack if all you do is manage procurement for them — you don't make chemical weapons or use them, you just make phone calls and manage a few spreadsheets.
Also, do you have the same feeling for the reverse situation? If instead of being an employee, you're the boss. You're aware that your employees are doing something morally wrong and you do nothing to stop them, but you aren't doing it yourself. Do you have any responsibility? In the ethics of war, there is the concept of command responsibility[0], where leaders are responsible for the actions of people under their command. Do you think that is a bad doctrine because the leaders aren't the ones shooting people? No one dies through their individual actions even if their subordinates commit war crimes.
Regardless of how one feels about abortion, or whatever the issue at hand is, "just change your morals so that whatever your friends do is ok" is not a solution at scale.
Or maybe the right thing to do is to try to help Sammy see the evil she is committing. That could involve a Socratic approach that will help uncover the underpinnings of her position. If that fails and Sammy either obstinately refuses to see or for some reason cannot see, then it makes sense to part ways. You gave it a shot, you tried being charitable, but you ultimately cannot force another to accept the truth, nor should you want to. Everyone is morally responsible for his or her own views at the end of the day.
I find your argument to be quite disingenuous considering that the intention of the ostracism is to harm by denying job opportunities and by exclusion from social relations.
Have some decency to call your actions what they are.
If you want to harm somebody in retaliation for doing something you don't approve of, don't call it 'the opposite of harassment'.
I can see your point but perhaps it's a difference of viewpoint. When I am ostracising someone, it's because of something bad they did. I think I have the right to choose with who I associate, and nobody has the right to force themselves upon me.
I don't understand why you are redefining a call for ostracism as "deciding who your friends are" and then classify ostracism as "the opposite of harassment".
This pretty much looks like harassment to me:
"the developer community need to start ostracising people working for these companies. Don't hire former employees, don't hang out with people who work for these companies and conferences.
Don't supply services to these companies (build their website, network...)."
If an organisation is criminal, then being a member of that organisation means, yes, you are a criminal, too.
But in this case it is not a criminal organisation, by law, it is a company selling "software weapons" to a government the western governments view as legitimate and therefore ok to sell weapons to, even though it is not at all democratic.
So the company is acting within the law (probably), but we probably agree, that it is not moral to do so. If we agree on that, then it is also not ok, to support a company who is doing wrong. So I agree, to avoid people, who do no ethical work. But I don't know enough of the companies in question to make that final judgement and judge case by case, like always.
This is a great question/thought. I am really surprised at how people forget why laws, rules, policies and governance were put in place in the first place.
Rules/laws/policies are to prevent abuse/evil things and to serve people! RULES ARE ALWAYS MUTABLE and should punish abusers of law/rules/policies, NOT the people it is built to serve. Rules must/will change and they should always benefit people who are doing the right thing.
I will give a simple example on why we should go above the law and think a lot of things using basic common sense;
Recently our country introduced cameras on highways to avoid speeding. The govt is so rigid on the rule now that they have already fined people who were speeding in an event of emergency and even ambulances. And I read complaints of these people on Facebook. Instead of the laws working to protect and serve, we see it happening the other way.
What we as a society lack is process/structure to handle the outstanding/exceptional scenarios. We need to build a system which tolerates outstanding/exceptional situations so that the system doesn't break down. But unfortunately, we don't tolerate any outstanding situations and it breaks down.
This organisation is doing bad things, and this is not the first or second time this has happened. So the whole world and especially the employees should definitely know what they are doing. They are engineers aren't they? So they are bound to be smarter than the average folks. There is no need for benefit of the doubt with them.
And let's start acknowledging that many countries are still only in the drafting phase when it comes to dealing with most of the digital abuses, bad things. Most democratic systems are super slow when it comes to digital crimes and laws. So current laws are not sufficient and hence should not be used to gauge the severity of the incidents the law cannot handle.
Also remember, Facebook started struggling a lot after the Cambridge Analytica scandal to hire, because people didn't want to affiliate with them. So this works. We should call them and the employees out for a better world. :)
Many people see the world as inherently adversarial. There is no cooperative solution to any society-scale problem for them. They just see a bunch of people and isolated groups with dollar amount score cards, clawing their way to the highest position they can muster. So, they have no problem helping one adversary against another, and do not see it as immoral to get ahead at others' expense. (That's what winners do!) The only problem in a trolley problem, then, is if you're not the one operating the switch.
Being a member of a criminal organisation does not make you a criminal by itself, that is called guilt by association and has been used by tyrants throughout history to justify oppression and killing without cause. You are only a criminal if you are proven through substantial evidence that you have in fact committed a crime.
Perhaps if you don't know it's a criminal organization, then sure. But if you knowingly assist murderers do their job, I say you can go to jail with them.
Despite the fact that Germans as a whole held responsibility for what happened, it's a different question.
You didn't have a choice to be born German, you do have a choice to work for NSO.
So the question is more, does the accountant who was keeping books of the belongings taken from the Jews have moral (and legal?) responsibility? And yes I believe he does (and the courts in Germany agreed; look up Oskar Gröning).
My point of view is, yes! Unless he opposed in a meaningful way. But most did their duty and did so proudly. And after the war everyone just did their duty because they had to and no one was a nazi.
But the question also applies to today. The US for example use torture and murder. So for some family members of people being murdered, because they attended a wedding in Afghanistan, the whole US is guilty and therefore a legitimate target.
I do not think so, but I think people in the US should take this more into consideration when thinking about terrorists. Most terrorists legitimate their actions (and get support) by saying they fight back the evil empire that brings them only bombs.
Why do people always conflate legality and morality? A wedding guest might not be doing anything illegal eating/taking so much food/drinks that there is nothing left for anyone else, but I'm pretty certain many would make the decision to not invite them again, even without giving them a trial.
If we talk about it's legal, whose laws should we even apply?
Well, here in Germany it definitely is a crime to be member of a criminal or terroristic organisation (§ 129) and I am pretty sure in the US it's the same.
And it makes sense. The concept is valid, if you knowingly support criminal activity, which you do by associating with them, you are guilty (by varying degree). Mere family members of the mafia in Italy for example will usually not be prosecuted, even though they are part of it.
What you mean with guilt by association, is when the Nazis for example imprisoned whole families, because one member was part of the resistance. And from the point of view of the Nazis this also makes sense. Because family members do support each other and are close (in ideology), so one enemy in a group means, there are probably more and if not, then it is an example for others not to help anyone resisting even if it is your brother and rather stop or support them.
So the problem with guilt by association to me is not the concept, but how it is applied.
The cruel, despotic government is the problem in the first place, not the tactics they use.
And this concrete case here is about supporting authoritarian, cruel governments, by (indirectly) working for them.
And I am free to despise and avoid people by my own standards, no matter that they are within the borders of the law.
> Everyone in a civilised society has the right to a fair trial without the presumption of guilt.
In the case of criminal and civil proceedings, sure, but a boycott on my part is an application of my own moral compass, not of the law. I don't owe anyone a "fair trial" for the judgement that guides my own free actions.
If for any other reason than absolute necessity you work for an organization that serves authoritarian, anti-democratic regimes with tools designed specifically to implement policies to that end, I will think poorly of you for no other reason. I won't trust that you are able to make decent moral choices. I will base my own conduct on that judgement. My conduct insofar that it's clearly legal should not be the subject of a fair trial.
I did not say ostracising from society, just from our community. Regarding fair trial, this is not a legal matter, it is a moral judgement. And working for a company who is actively helping authoritarian governments to prosecute and kill dissidents is making a choice. That is not guilt by association, you _are_ helping with your actions.
Your argumentation is exactly how totalitarian governments commit atrocities, divide the responsibilities up enough so that every little cog can justify to themselves that what they are doing is not morally wrong. I know I'm coming close to invoking Godwin's law, but Oskar Gröning had a moral (and even legal) responsibility for his actions, even if he did not kill anyone himself.
> Everyone in a civilised society has the right to a fair trial without the presumption of guilt.
This is absurd. A "right to a fair trial" is the standard for criminal trials, which are associated with criminal punishments -particularly but not always- imprisonment and execution.
The right to a fair trial has never been a standard we as individuals are obliged to follow in other contexts; for example: it would be ridiculous to think "a trial" is needed before we decide whether we should continue doing business with a company that dismisses its employees for being gay or trans.
Similarly, there is a long history of consumer boycott movements to pressure both companies and nations into acting more ethically; from Apartheid South Africa, to confectionery and fruit companies, to oil companies, to which eggs we might choose to buy. In none of those circumstances is a "right to a fair trial" a relevant concern.
A better question might be: How unethical does a company have to be before the act of just working for them should be considered immoral enough to merit public rebuke and repudiation? I don't think there's a lot of companies that reach that threshold, but I'm adamant that some should: Blackwater is the most obvious choice here.
I agree that a trial by jury isn’t always required. But when punishing individuals, there should always be due process. In any case, any action taken should be evidence based and properly investigated.
>any action taken should be evidence based and properly investigated.
My emotionally charged actions to not be your friend or colleague require no evidence or proper investigation. If you want to be my friend/colleague, stop being an asshole. It's that simple.
This is the epitome of the ignorant, tiresome, bad-faith "innocent before proven guilty" argument. The childish "A tactic often used by authoritarians" is just icing on the cake.
It’s not guilt by association, it’s guilt by action. The action of deciding to work for the company with such a mission / clientele. Especially in a role requiring enough technical knowledge to know what’s going on.
>Everyone in a civilised society has the right to a fair trial without the presumption of guilt.
Fair trial is about the government enforcing laws, not about social groups enforcing morals and ethics. No one has the right to a trial when you act like an asshole and no one wants to be your friend because of it.
I was recently offered a job by NSO, didn't take it due to their terrible reputation. I won't be surprised if some countries start denying entry to NSO employees. Even Facebook suspended accounts of NSO employees after NSO hacked Whatsapp - https://www.vice.com/en_us/article/7x5nnz/nso-employees-take... .
On the other hand, their product is just a tool which can be used for good (stopping terrorists) or evil (spying on human rights activists). Just like a kitchen knife can be used for good (cooking a meal) or evil (stabbing people). So I find it hard to find the moral justification for the actions you suggest. The problem is not the tool or the tool's manufacturer, it's how it gets used.
I’ll play the opposite side of this argument, for the sake of discussion. You point to knives having a good use: cooking. It’s by far the dominant use of knives, and no doubt it makes cooking substantially easier.
But hacking tools: to what extent are they actually being used for good? Stuxnet is the clearest example I know of these tools almost certainly decreasing a threat to US citizens (at least for the time before it was found out). But beyond that, there’s very little publicly accessible information demonstrating that these tools are actually effective at stopping or decreasing terrorism. Moreover, even if they turn out to be effective at that, their use in this manner comes with other questionable effects on law and personal rights. I don’t think the knife is a good analogy because while everyone agrees that a knife can be put to either good or bad effect, there’s not consensus on whether hacking tools can even be used for any good.
When I was in the Israeli army, I personally saw a phone being hacked, info being pulled and the info being used to stop a terrorist attack targeting civilians. I was not involved in the hack (I served in the navy).
In that particular case (but not the majority of cases) the target of the hack was an Israeli citizen who was practicing terrorism (against the Arab minority). After their info was intercepted they were arrested and the situation was de-escalated.
Tech like this saved lives that day. I don't think it justifies the freedom cost, but let's not forget real lives are saved by tools like Pegasus.
> Tech like this saved lives that day. I don't think it justifies the freedom cost, but let's not forget real lives are saved by tools like Pegasus.
Additionally, even if the tools are developed and used only by governments that are deemed democratic today (e.g. USA, Israel, Germany) and under strict independent and parliamentary oversight, who can guarantee that future governments of these countries will be democratic (obvious recent cases Brazil, Poland, Hungary, but one might also ask that question about the US)?
These are tools of the Regime, and some regimes will wield them against minorities (like Uyghurs in China), journalists (in Mexico and Jamal Khashoggi in Saudi Arabia) and protesters (in Belarus).
One good use case doesn't justify selling this tool to autocratic and totalitarian countries, or countries involved in systematic oppression of minorities.
One’s autocratic country is someone else’s ideal of social organization.
Should we stop selling steel to the US because it could be used to put migrant kids in cages, or weapons because it could be used to invade random countries? I’m not saying the answer is obvious, I’m saying the problem is complex and multifaceted.
Take Morocco: not the best government (somewhat theocratic, absolutist monarchy, big on unaccountable and torture-oriented secret police), but overall more peaceful and stable than its neighbors. Do “we” help continuing this state of things, or do “we” let malcontent bubble up and risk turning it into a failed state and civil war? It’s shades of grey all around, sadly.
I think the question, although genuine, has a flaw, that is, reasoning in terms of "good or bad".
"Good or bad" for whom? Is something that is "not good" inherently "bad" and vice versa?
Is something "good" only because is "decreasing a threat to US citizens"? What about the consequences of "decreasing a threat"? Like Guantanamo Bay, Patriot Act, this poor guy (https://news.ycombinator.com/item?id=23625215), bombing a country thousands of miles away?
"Good or bad" is relative, just like right or wrong. It's difficult to correctly grasp a concept or conceal an idea by just defining it as "good or bad".
I agree with you, and believe it or not I did try to go out of my way to avoid calling stuxnet itself good or bad: I kept those words out of the sentence which mentions stuxnet
> Stuxnet is the clearest example I know of these tools almost certainly decreasing a threat to US citizens...
However, you still have to make value judgements at some point when organizing a society. It’s literally impossible to do so otherwise. Even if you make a conscious effort to not organize socially — I.e. to embrace anarchy — you’ve made at least an implicit value judgment that governance isn’t worth the limitations it requires of the people (I.e. limitation of individual freedom is “bad”).
“good” and “bad” are messy things to deal in, but they still have their place. Any answer to “should we allow NSO group to operate” has to make a value judgement at some point. I think it actually helps to make that explicit — for example my point should still stand in most other value systems precisely because it refers to “good” and “bad” — which vary across value systems — without prescribing what is good or bad.
I could have been more clear about separating an example (stuxnet — the thing which brings in a value system) out of the argument itself. But I couldn’t find a way to do it without sacrificing brevity or readability. Such are the limitations of communication, particularly written :|
"to what extent are they actually being used for good? Stuxnet is the clearest example I know of these tools almost certainly decreasing a threat to US citizens"
By this logic an equally good use would be to sabotage American military-industrial complex thus reducing threat to the citizens of many countries around the world.
> But beyond that, there’s very little publicly accessible information demonstrating that these tools are actually effective at stopping or decreasing terrorism.
Absence of evidence is not evidence of absence, particularly in this context where the actors involved are highly incentivized to keep success stories well-hidden and well-guarded.
You'll never know about all of the terrorist attacks that didn't happen.
> On the other hand, their product is just a tool which can be used for good (stopping terrorists) or evil (spying on human rights activists).
That applies to lots of technology things though. With the NSO group specifically though, wouldn't their tech have Sales people that need to actively court and sell it to potential customers?
> Just like a kitchen knife can be used for good (cooking a meal) or evil (stabbing people).
NSO knowingly sells tools to repressive regimes that use them to violate human rights. If you sell a knife to someone you know is going to use it for murder then you're culpable and your behavior is immoral.
Is it bad for their reputation really? An oil company gets bad rep for the environment, a mill gets bad rep for deforestation. This doesn't matter the slightest to their customers, they "understand" what they're buying.
This won't work, as long as there is a market for hacking phones, there will be those willing to sell their expertise.
We should focus on making things more secure. While security is a tough problem, it's also somewhat surprising that properly sandboxing a browser is so difficult.
Usually, high salaries are used to attract star performers. But there's other factors at play too. Sometimes, high salaries are used as compensation for dangerous or unpleasant work. So, for example, if the NSO had to pay higher salaries because all developers who take the job get immediately divorced by their wives and no longer invited for beer by their friends, then that wouldn't attract better talent. Regular talent is merely being compensated for the negative externalities of working for NSO.
In order for a company to attract superior talent, they need the entire package to be better than the competition (lifestyle, salary, free pizza, prestige, etc).
The mobile OS strategy failed everywhere. Now we have bad security (seriously, this is as an OS and browser error) and bad lock-in. I doubt it would have been easy to do with a decently updated, conventional desktop PC, even if you could redirect its network access like it was done here with his phone.
Even with a mitm attack on your browser, this shouldn't have happened.
I agree that people supporting this are guilty, but I don't agree with blacklists of developers for political reasons. These are established in the industry and speaks of incompetence in leadership as it is. That doesn't mean their behavior should be endorsed, but that is a case for legislation.
I really don't like NSO, to the point I never go to their parties and meetups even when invited and they have good parties.
However it's worth mentioning they really don't see it that way. A lot of people working for NSO (or the NSA) see themselves as making a personal sacrifice for public safety.
Also, NSO doesn't operate said technology it just sells it - so it's a bit more like going after people making anti DRM software or p2p sharing software. The only big difference is that NSO is making money.
That ‘only’ difference is a very big one, and they are completely aware that their software will be misused and are happy to make a profit with it.
To say, ‘we will only sell our software to countries who promise not to use it to violate human rights, and if we catch them doing it, we will suspend it’ is just hand waving. The software is designed to be undetected. That’s the whole point.
An actual policy would be that ‘we do not sell our software to countries who have a bad human rights track record, as defined by <independent group>’ ... but that would cut into sales.
NSO is strictly regulated by both the Israeli and US government - and only sells to bodies those two approve - I guess your beef is with those entities then.
His and my beef is with the employees who think they're not doing anything wrong and partying/making bank while part of their head definitely knows that their work directly funds authoritarianism and evil acts by governments.
Oh and I agree with both of you and would never go work for NSO. I didn't when they offered me double my current pay (I'm Israeli) and I wouldn't for triple either.
I am just saying NSO is an extension and a tool of the US government and its regional (mostly controlled but somewhat autonomous) colonial ally Israel. So arguing about who gets Pegasus when the US government regulates it rather directly (through the "ethics subcommittee" in Israel that is semi-supervised by the US delegate) is ironic and funny.
Is there any country that doesn't have a bad human rights track record? Sure, some are worse than others. But where do you draw the line, and how far back into history are you willing to look?
This is a decent source: https://www.cato.org/human-freedom-index-new
There are 16 countries with personal freedom ranking above 9 (out of 10). US is ranked 26 with a score of 8.72, which intuitively makes sense.
Morocco is 135th with a score of 5.68, which pretty obviously indicates that there is more than one thing wrong about offering hacking tools to the government.
It's more like going after people who make waterboarding kits and run logistics for kidnappings. Anti-DRM and p2p software aren't usually associated with aiding & abetting torture and murder of dissidents and journalists. Framing the two as equivalent elides what NSO group's employees are actually complicit in.
Respectfully, I think knowingly aiding covert surveillance of dissidents is a lot worse than merely helping pursuit of copyright violations, even if I don't like the latter much.
> I really don't like NSO, to the point I never go to their parties and meetups even when invited and they have good parties.
> However it's worth mentioning they really don't see it that way. A lot of people working for NSO (or the NSA) see themselves as making a personal sacrifice for public safety.
Yes, we as humans are very good at justifying our own actions to ourselves. It also doesn't help if it's in your employer's interest to reinforce this perception, creating a culture of "we are what stands against evil". This makes it even more important that outsiders will tell them that we hold a different moral judgement.
> Also, NSO doesn't operate said technology it just sells it - so it's a bit more like going after people making anti DRM software or p2p sharing software. The only big difference is that NSO is making money.
Apart from the fact that people don't die or get tortured because of p2p software, the question is also should someone working on e.g. biological weapons be able to absolve themselves by saying "I did not throw the bomb?". Yes, they did not throw the bomb, but they made a tool designed for one purpose only, to be put into that bomb, and they were fully aware of its purpose. They hold as much responsibility as the person using it.
I do agree that individuals should be held accountable for their work but it's the degree of the work that is problematic. Is it direct contribution or is it indirect contribution?
If I am working on an open source project used by NSA to hack you, am I responsible? No. That type of moral policing would be bad.
If someone is writing software directly for hacking you, then yes they are responsible but then you must consider all the actions of the org where they used that tool. People might work on these tools because of terrorism or believe in security of the state. That's by no means bad but how the org goes about that can be bad and infringe rights. They don't have control over it. Now if they don't quit over the bad reuse of their tool and are not constrained by something (a person working for NSA is likely to get another job without problem), then I think there's something to be said about the personal responsibility.
Verifying the degree of contribution from outside is very hard to do as most details of what happens inside the orgs remain a secret. What their employees are told is wildly different than what they end up doing.
That said, I don't believe targeting individuals will have much effect. It's actively bad because there's an easy road here. Hold the org accountable. If we go down the path of wasting energy on excommunicating individuals, orgs may get a free pass. It's not hard to replace people in a big org especially a monopoly. Go for the low hanging fruits. Boycott the org.
I don't think the inclusion of the word "mob" is very helpful. The connotations are both sinister, and organised.
What we have is the logical extension of the social justice, or SJW, movement. Which even 2 years ago, in my recollections, would have been met with utter disdain. Somehow we've arrived at a time when social justice has a new-found legitimacy and few detractors still speaking out about it.
To me this is scarier than a mob, who usually have a figurehead around whom they rally. The SJWs have been building their seat of power on the shoulders of social media celebrities.
This is Huxleyan populism. People 'follow' others from their sofa, they 'like' things without critical assessment, bolstering support for an ill-defined cause based on memetic catchphrases and sound-bite signals.
They learned from their detractors. Before they started witch hunts on Twitter, there were other groups that did the same in the age of the early net. Difference is that many people now have a public persona on social media.
Twitter mobs help get people fired. NSO helps people get murdered. I can't claim to be a big fan of either, but as long as both exist I know which I'd like to see prevail.
I think the developer community need to start refusing to use the cellphone. It cannot be trusted. It's tainted by non-free software on top of non-free OS on top of non-free firmware with the separate processor whose behaviour we cannot observe from the main processor. It also relies on central wireless network from only a handful of providers. Easy single point of vulnerable target.
I do refuse to own a cellphone. What about you? Since you're suggesting the boycott, can you?
Is it? I'm not overly familiar with any security exploits, but my understanding is that (at least for Android) the phone OS is often woefully out of date simply because the vendor stopped supplying updates. The end user generally can't supply updates themselves because everything is locked down in a decidedly user hostile manner.
For the vendor's part, they often stop supplying updates (as I understand it) because the proprietary hardware doesn't have its drivers upstreamed into the kernel (they're proprietary after all) which leads to a completely unjustifiable maintenance burden. They can't simply open source things because the hardware manufacturers generally require NDAs.
As far as the hardware goes, my (probably woefully incomplete) understanding is that it remains proprietary due to a combination of attempting to maintain a competitive edge through secrecy, licensing complexities due to containing third party IP, and DRM issues (which are again a licensing concern).
No, that's not what happens on iOS. I'm writing this on a 5 year old device still getting updated.
The iOS exploits that have historically allowed the device to be jailbroken have been zero-day vulnerabilities. And I'm assuming the TFA is about a zero-day too.
Also Android is open source (AOSP). How does that help?
I'm well aware that this isn't nearly as much of an issue for Apple devices - that's why I very clearly specified Android in my previous comment.
Yes AOSP is open source but that doesn't help as much as one might hope for the reasons I outlined in my previous comment. Basically most end user devices aren't actually running AOSP at the end of the day, and can't without investing a nontrivial amount of effort. (And that still wouldn't prevent vulnerabilities related to out of date firmware.)
The comment of yours that I originally responded to seemed to me to insinuate that having access to fully open sourced phones wouldn't be able to do anything to improve device security as a foregone conclusion. I was objecting to that, pointing out that there are a number of real world examples where access to a fully open source mobile stack would immediately and drastically improve the current situation. In a hypothetical world full of such stacks perhaps this article would never have been written.
I think the problem can be solved by separating the "phone" experience from the "mobile" experience.
Phones are these devices powered by a philosophy (and to an extent, a technology) from 3-4 decades ago and day after day we see them ruining the experience of having the internet access from your hands. We need to move from a mobile-phone era to a mobile-internet era.
In what way do you think the phone legacy is holding us back? What concrete steps would you suggest?
It seems to me this has already happened. We only call these things phones for legacy reasons, but the iPhone broke the design link with actual phones and turned the phone aspect into just another communications app.
OK, but how does that hold any other aspects of these devices back? Remove the baseband processor and you've got an iPod Touch, or a small iPad. It doesn't fundamentally change the device or really open up any new avenues not possible with a baseband processor.