In part 2 of this series we looked at some examples of how poor company culture resulted in wasting a great deal of both money and time for the company, hurting both it and its shareholders. But unfortunately, the lack of corporate ethics or commitment to the quality of their products often led to even more serious problems.
The Volkswagen emission scandal, aka dieselgate
In 2013, the International Council on Clean Transportation (ICCT) commissioned the West Virginia University Center for Alternative Fuels Engines and Emissions (WVU CAFEE) to conduct on-road emissions testing of diesel vehicles sold in the United States. Emissions tests were typically conducted in laboratory environments, and the on-road tests showed higher emissions of nitrous oxide than the laboratory tests, which raised suspicion. The inspections found that more than one vehicle model from various Volkswagen Group brands had a "defeat device" installed that produces lower emissions when it detects that the vehicle is running in a laboratory environment and releases emissions controls in favour of on-road performance.
In the laboratory environment, the car's tires are on a series of free-rolling cylinders, but the setup does not mimic the real-world scenario perfectly. Modern cars are equipped with what is called an electronic stabilisation control system, which detects unexpected tire movement using separate wheel speed sensors to prevent the driver from losing control on a slippery surface by trying to compensate for tire spin. This system must be disabled to allow the vehicle to drive in the laboratory environment without the system kicking in.
But that's not all. The deactivation device also checks the movement of the steering wheel (which does not occur in the laboratory environment), the change in barometric pressure (which is stable in the laboratory environment) and several other factors. This is a complicated piece of software that communicates with the vehicle's various sensors in an unusual way that cannot be handled by a single engineer alone. There is also a miniscule chance that this piece of software slipped past quality control unnoticed.
But only one of the nearly 307,000 people who worked for the automobile juggernaut faced trial, pleaded guilty and was sentenced to 40 months in prison. During the trial, his lawyer said, "What occurred here was wrong, but he was not the mastermind. He was not motivated by greed," and appealed, he is not "greedy or immoral," but was following orders to keep his job and support his family." One can sympathise with someone who steals food from the supermarket to feed his starving family, but it is harder to feel much sympathy for a top-notch engineer trying defend his motive for helping the company produce cars that emit ten times the legal limit of nitrogen oxide emissions with "I wanted to support my family."
That said, it is equally clear that he has been made a scapegoat. Although two other Volkswagen and Audi executives have pleaded guilty and face prison time, and the trial of Volkswagen's CEO is ongoing, an offence of this magnitude cannot be the work of these five individuals; something is rotten in the corporate culture.
According to the United States Environmental Protection Agency (EPA), Volkswagen had insisted for a year before the scandal broke that the discrepancies were merely technical glitches. There's no way that the company could not find the evidence of a defeat device internally at the time, but they waited a full year for the evidence to come out in the open to fully admit that it had manipulated emissions tests.
As we’ve noted before, like people, companies should have morals and ethics. But even then, it is the responsibility of individuals to uphold their morals and behave ethically. Because at the end of the day, corporations, with all their legal power, are usually punished far less than individuals in comparison.
You have to stay in prison, while we’re fixing the bugs on our software
In June 2019, the Arizona Senate signed Senate Bill 1310 into law. The law amended Arizona Revised Statutes to allow certain inmates convicted of nonviolent felonies to receive credit for 3 days for every 7 days they participated in certain correctional programmes, instead of 1 day for 6 days of serving as under the old law. This means that an "eligible" inmate who participates in these programmes can have their sentence reduced by up to 70%.
As of 2019, the Arizona Department of Corrections had spent more than $24 million contracting with the IT company Business & Decision for the development and maintenance of the application named ACIS. This application is responsible for all decisions in correctional facilities, including inmate health care, calculating release dates, and assessing the likelihood that an inmate will commit another crime if released early.
In February 2021, Jimmy Jenkins, a criminal justice reporter, reported that ACIS was still unable to calculate release times based on the 2019 bill, leaving hundreds of inmates behind bars beyond their earned release date. He also exhibited an internal bug report from October 2020 that clearly stated, "Currently this calculation is not in ACIS at all, ACIS can calculate 1 earned credit for every 6 days served, but this is a new calculation.".
Later, Arizona Department of Corrections spokesperson Bill Lamoreaux admitted that the application was unable to find inmates eligible for this programme, let alone calculate their release dates. He also said that "ADCRR is working with the vendor to update the software with the methodology and logic programmed for this new release criteria," and confirmed that "the data is calculated manually for now and then entered into the system."
ACIS proved to be a pain in the neck from the start, being released 3 years later than originally planned and well over budget. In its short life, 14,000 errors were reported, and the estimated effort for Bill 1310 was 2000 days.
As we said at the time, “Bad software ruins lives, even without AI.” Experienced people in the software industry would recognise the signals from the beginning. Software that is released "three years later than originally planned" does not bode well. That alone is an indicator of total failure in all areas of software development. An anonymous source told the reporter that everyone involved in the launch of ACIS literally "begged (Deputy Director) Profiri not to go live," but the department instructed them not to say a word about their concerns, saying, "We are too deep into it—too much money had been spent—we can not go back now."
A last-minute warning to management does not usually help, nor does it wash away the teams' guilt for the entire development period. There must have been millions of red flags all along, and it is an engineer's duty to build a quality gate and make sure the software cannot leave the door until all concerns have been addressed.
The British Post Office scandal
Although Dieselgate was a deliberate offence, there are also many examples where companies have wreaked havoc by simply refusing to admit a flaw in their system.
The British Post Office scandal is mostly seen as a judicial scandal, but the real cause was a problem with the Post Office's newly introduced Horizon software. The software, which cost £1 billion, was manufactured by ICL/Fujitsu Services, which means there are two companies that should have done their testing properly before putting the faulty software into service. In fact they did not find and/or admit the bug in their system though it was reported by users in the first week of using the system. The Post Office resisted the reports of faults in the system, insisted that the Sub-postmasters make up any shortfall of money and, when asked by a Sub-postmaster, denied that other Sub-postmasters had reported problems. Nearly a thousand people were charged and convicted. The case dragged on for over 20 years, and it took 21 years for the Post Office to replace the application.
The Equifax data breach
On March 7, 2017, a security patch for Apache Struts was released after a vulnerability was found and all users of the framework were asked to update immediately. 5 days later, on March 12, hackers exploiting this vulnerability penetrated the network of the U.S. credit reporting agency Equifax and used the time for a total of 76 days to tap credit and personal information of 163 million people worldwide.
On July 29, Equifax discovered the intrusion and fixed it the next day. However, they waited more than a month to make the public announcement, until Sept. 7, causing Equifax shares to fall 13% the next day. It was also later revealed that three Equifax executives sold nearly $1.8 million of their personal holdings in the company's stock, days after Equifax discovered the breach but more than a month before the breach was made public and Equifax's stock tanked. Whilst the company denied that its executives, including its chief financial officer, knew about the breach when they sold their shares, Bloomberg later noted that those transactions were not planned in advance and occurred on Aug. 2, three days after the company learned of the hack. A year later, Equifax's former CIO pleaded guilty and was sentenced to prison for insider trading.
As part of their remediation efforts, Equifax has created a website with the domain https://www.equifaxsecurity2017.com where its customers could check whether or not they have been the victim of a data breach. The fact that it was a completely separate website and that this service was not offered on Equifax's own website was seen as a manoeuvre to keep the incident off its own brand. But this website was also poorly secured and was developed on Wordpress, and systems like OpenDNS along with some browsers quickly flagged it as a phishing site. Nick Sweeting, an independent developer, created a similar website to show that Equifax's own website looked and acted like a phishing website, and published it under the domain securityequifax2017.com. Later, it turned out that Equifax's official Twitter account referred some of their customers to this version of the website.
Although the Equifax breach was not directly related to a software they developed themselves, I think their way of handling the situation deserves a mention in this article. After falling victim to one of the largest data breaches in the history of IT, every step they took to keep their brand clean made the situation worse and showed a lack of adequate processes to deal with these types of situations. In his fınal court hearing, the former CEO of Equifax blamed a single individual for not initially applying the patch. However, he did not elaborate on how the automated vulnerability check had failed or why a critical process such as applying security patches depended on a single person.
Regardless of whether it is the poor quality of the product, the misconduct of the company, or the expectations of the immoral or unethical behaviour of upper management, it is the engineers who make these things actualize. It is the engineers' job to draw a red line to protect their work ethic, morals and engineering principles. And to educate everyone about those lines and what they mean. Yes, it is the engineer's job to teach and coach everyone in their company on what they will accept to do, what they will not, and why.
Of course, the first goal of any business is to make a profit, and it is the executive team's job to achieve that. But it should be noted that a high-quality product, keeping the company people oriented and creating an ethical corporate culture will also create a more profitable company in the long run. This profitability is also healthier and more sustainable than short-term profits achieved through unethical practices or forcing engineers to do their jobs poorly.
Much like the burden of an engineer, it is the job of the CEO and other executives to teach the board of directors or shareholders that a different company is possible, and that it is good for everyone, in unimaginable ways. It is not always the profits of the company at stake, thousands of people's private data and financial security of hundreds of thousands of people, the freedom of thousands of people, or the life of a single engineer.
As an engineer if you find yourself in a difficult moral situation as an engineer, Helen Bartimote, lead psychologist at Container Solutions, has some fantastic advice for you. We’ve also explored the topics around ethical software previously on WTF, and Anne Currie, our tech ethicist, has written an eBook specifically around Cloud Native ethics.