|Keep It Simple, Stupid|
Ethics of Dealing with Evilby gryphon (Abbot)
|on Oct 16, 2002 at 18:58 UTC||Need Help??|
Greetings fellow monks,
I recently had an interesting and extremely annoying situation happen to me at work that resulted in the inspiration for my seeking of assistance from the monks. After following some advice from tye, I was able to find a technical pseudo solution to the problem. However, in reading the posts in that thread, I've come upon a bit of an ethical dilemma for which I write this post.
Background: I am an independent consultant (a.k.a. I own my own company) who works for a small group of clients. My primary client is a small-sized company that handles contracts for a variety of their own clients, but the bulk of these contracts are with groups and teams within a single company, a gigantic Redmond, Washington based software company (referred to hereafter as GRWBSC).
My primary client received a project request from their primary client to build a fairly complex Web application service including user account management, online testing, product catalog, online ordering and fulfillment, and lots of reporting. The project lead from within GRWBSC has been notorious for providing minimal if any documented requirements and for changing her mind frequently regarding functionality. In another words, I had to build a system that was extremely flexible so as to rework major sections at the drop of a hat to hit a moving and often zigzagging target. Sounds like a job for Perl using CGI::Application and HTML::Template.
The service itself was explicitly intended to be hosted by my client's Web site, something thatís been on LAMP (Linux, Apache, MySQL, Perl) since the beginning. When the contract from GRWBSC came in, it mentioned nothing about required or even preferred technology. (In fact, it was really vague about what we were supposed to deliver at all, but that's another story.) Anyway, we worked very hard on this and delivered the system. It was reviewed by the project lead from GRWBSC, and both she and her boss gave the green light to launch. We did so and started maintaining the traffic and service.
A couple weeks later, someone within GRWBSC reported to the project lead's boss' boss that our service, which was and is being used by thousands of GRWBSC employees, was running on LAMP. This concerned him because he expected that if it "leaked out" somehow that GRWBSC was using LAMP to deliver service, badness might ensue in the press. The comments received from this and others within GRWBSC were specifically upset over the fact that NetCraft's site was reporting our LAMP status.
Pleas to reason and facts supporting LAMP were ignored as was proof that other teams within GRWBSC use LAMP frequently for a variety of services. We had to migrate our solution to GRWBSC-only technology. For us, the actual recoding of this solution would not have taken us much time due to the manner in which we used Perl. However, support for this new solution would have been extremely time consuming. Hence, my boss asked if there was a way to forge or spoof our use of GRWBSC-only technology. That's where my original question to PerlMonks came from.
I implemented by means of a forged HTTP header a solution that caused NetCraft's site to report us using GRWBSC technology. My client's CEO then wrote a carefully worded email to the project lead at GRWBSC informing her that the site on which her service was running was now being reported as using GRWBSC technology by NetCraft.
Meditation: So now the GRWBSC people are happy again, and my client is happy. At no time did I or my client lie to GRWBSC. At no time did GRWBSC actually request that we recode everything to work on their technology. They were just freaked out about the reporting on NetCraft and wanted us to "fix it." There are no documents or phone calls where a specific means of fixing the "problem" were requested.
So technically and legally, my client provided exactly what GRWBSC wanted both prior to the NetCraft reporting "problem" and after. At no time did I actually make any decisions about how to solve the "problem," rather I suggested several options and my client picked the easiest path: spoofing. So my meditation and questions are: Am I ethically liable to inform anyone from GRWBSC? Am I or my client ethically responsible for recoding the GRWBSC Web service at no extra charge to GRWBSC even though technology-specific requirements were never discussed? If GRWBSC ever found out about the spoofing (unlikely since we're talking about marketing types, but possible), would not my client have a reasonable position?