bryan_w
Waterluvian
> what the engineers thought when doing design reviews for a "selective stand down" feature.
Possibly a version of, “I lack the freedom to operate with a moral code at work because I’m probably replaceable, the job market makes me anxious, my family’s well-being and healthcare are tied to having a job, and I don’t believe the government has my back.”
Aurornis
From my experience, it’s more likely that the engineers who got far enough in the company to be working on this code believed that their willingness to work on nefarious tasks that others might refuse or whistle-blow made them a trusted asset within the company.
In industries like this there’s also a mindset of “Who cares, it’s all going to corporations anyway, why not send some of that money to the corporation that writes my paychecks?”
TheNewsIsHere
I have noticed that in addition to this perspective there are scores of developers who espouse the idea that “we just create, what people do with our work isn’t our business.”
I understand the utilitarian qualities of the argument, but I submit that there’s a reason that capital-E-Engineering credentials typically require some kind of education in ethics-in-design.
petterroea
I suspect you are right. It reminds me of the whole "at the government you can hack legally" argument used by government intelligence agencies to recruit hackers.
I think a lot of skilled engineers want interesting challenges where they break boundaries, and being in an environment that wants you to break those boundaries allows them to legitimize why they are doing it. That is, "someone else is taking moral responsibility, so I can do my technical challenge in peace"
zaphirplane
Do you know of anyone declining to work on a project for ethical reasons, in their view (non-military, non-killing)?
I’ve led a sheltered life and never met one. People have told me they wouldn’t apply for a role with a company for ethical reasons; maybe they even believed they would get the job.
immibis
And they are right. It's not like anyone outside of the affiliate marketing "industry" was hurt by this - noting that some of your parasocials are likely to be in that "industry" and so you feel hurt on their behalf.
hinkley
Henchmen I think is the word you're looking for.
furyg3
I like the idea that what makes someone a 'professional' instead of just an employee is the wherewithal, agency, and expectation to say no to a particular task or assignment.
An architect or engineer is expected to signal and object to an unsafe design, and is expected by their profession (peers, clients, future employers) to refuse said work even if it costs them their job. This applies even to professions without a formalized license board.
If you don't have the guts and ability to act ethically (and your field will let you get away with it), you're just a code monkey and not a professional software developer.
nosianu
Maybe when the government and the shareholders start setting an example and hold the bosses and capital owners accountable, and reward instead of punish the whistleblowers, and when there are enough jobs so that losing the one you have is not a problem, moral behavior further down the hierarchy will improve.
steve_adams_86
In my experience, sometimes your employer blatantly lies to you about what you're making and how it'll be used. I was once recruited to work on a software installer which could build and sign dynamic collections of software which was meant to be used to conveniently install several packages at once. Like, here's a set of handy tools for X task, here are the default apps we install on machines for QA people, here is our suite of apps for whatever. It seemed to have genuine utility because it could pull data in real time to ensure it was all patched and current and so on. That could be great for getting new machines up and running quickly. Several options exist for this use case today, but didn't then as far as I recall. This was on Windows.
Ultimately it was only used to install malware in the form of browser extensions, typically disguised as an installer for some useful piece of software like Adobe Acrobat. It would guide you through installing some 500 year old version of Acrobat and sneakily unload the rest of the garbage for which we would be paid, I don't know, 25 cents to a couple dollars per install. Sneaking Chrome onto people's machines was great money for a while. At one point we were running numbers of around $150k CAD per day just dumping trash into unsuspecting people's computers.
At no point in the development of that technology were we told it was going to ruin countless thousands of people's browsers or internet experiences in general. For quite a while the CEO played a game with me where I'd find bad actors on the network and report them to him. He'd thank me and assure me they were on top of figuring out who was behind it. Eventually I figured out that the accounts were in fact his. They let me go shortly after that with generous severance.
I don't miss anything about ad tech. It was such a disheartening introduction to the software world. It's really the armpit and asshole of tech, all at once.
bostik
> Ultimately it was only used to install malware in the form of browser extensions, ...
Like any other MDM software.[0] Everyone who has been long enough in the infosec industry knows that MDM is fundamentally nothing more than a corporate-blessed malware and spyware package.
In the past 2-3 years the criminal gangs have realised that too. The modern form of socially engineered phishing quite often entices victims to install a legit MDM software package (eg. MS InTune) and hand over their device control for remote management. Why bother writing malware that has to fiddle with hooks to syscalls and screenshot capabilities when you have a vendor approved way of doing the same?
victorbjorklund
Those poor guards working in the concentration camps in Nazi Germany just wanted job security. They can’t be blamed for their actions.
dbtc
Also likely, some version of "get dat money"
autoexec
I think you can only get away with that excuse so long as you're actively looking for a new job while also collecting data to turn whistleblower (anonymously if need be) once you have one. Ultimately it falls on the employee to do the right thing or get out because they risk being held accountable for what they do. A replaceable employee (which is pretty much all of them) will be especially vulnerable since they can be thrown under the bus with minimal inconvenience to the company.
BiteCode_dev
It's a very charitable explanation.
My experience with the people around me who are in this situation is rather either:
- They just don't care. Society and others are not on their radar.
- They don't think it's that bad.
- They think it's not great, but the benefit is too good so they ignore the voice at the back of their head. Or they have a lifestyle and that takes priority.
- They think it's bad, but the friction to live according to their own moral view of the world is higher than their desire to adhere to such a moral view.
When I was 20, I declined interview offers from Facebook and Google. Huge opportunity cost. My friends looked at me like I was dumb.
I have friends regularly coming to me with ideas that are about spamming, selling personal data or basically fraud. They don't see a problem with it.
When you talk to people and say "advertising is basically normalized lying at the scale of the entire society", people just give you a blank stare.
There is no need to look for coercion every time you see something bad to explain it. The human population is diverse and they all draw the line of what's acceptable in different places.
It's not rocket science.
ocschwar
This is why we need Professional Engineer licenses for software.
There are times when a product design needs to be reviewed and approved by someone who cares more about his license than about his job. It doesn't happen as often with software as it does with civil engineering, but often enough that it needs to become a thing.
webstrand
And what happens when the licensing board gets politically compromised? You can't fix broken incentives by papering over another layer of administration. If the underlying incentives are opposed, the administration layer will be adapted to fit.
Civil engineering licensing works because underneath it all the incentive structure is aligned with the goals of the license. It's not about imposing morals, it's about ensuring that buildings and devices are constructed to not fail, and to not fail catastrophically. The motivations of the ones who hire engineers are mostly aligned, they don't want the devices to fail either, and expose them to liability.
Medical doctor licensing also works because the incentives are mostly for patients not to be dying. But in the pharmaceuticals industry the incentive structure is different, where some rate of fatality is considered an acceptable cost of doing business, we see examples of subversion.
Sure software engineering licenses could be a great addition. But alone it will fail unless the incentive structure for those employing software engineers is aligned with the licensing goals.
pixl97
This works great inside a country where said software must be written in the country for compliance reasons...
How does it work for a fungible product that can be written anywhere and shipped at the speed of light?
dogleash
>I used to work for an ad tech company (which I know already makes me the devil to some around here)
everyone sets the bar below what they do
>even I think that they crossed a line with this
everyone sets the bar below what they do
>I would genuinely like to know what the engineers thought when doing design reviews for a "selective stand down" feature. There doesn't seem to be a legit way to spin it.
everyone sets the bar below what they do
ramraj07
This is no different, and frankly far less alarming to me, than Uber's project greyball from 2017, which should have tanked a company in a just world. I suppose some companies just promulgate a culture where it's acceptable or even lauded to evade law and contracts: https://www.nytimes.com/2017/03/03/technology/uber-greyball-...
ferfumarma
You are right, but it's just a whataboutism argument, isn't it? There are lots of other evils by other businesses; why are they relevant here?
ramraj07
This comment was replying to someone asking "how could engineers possibly write such malicious code" so a more glaring example from a more mainstream company seemed quite appropriate.
shrubby
A nice set of examples can be found in Guido Palazzo's Dark Pattern.
“The Dark Pattern by Guido Palazzo and Ulrich Hoffrage teaches us about the power of context, which is stronger than reason, values, morals, and best intentions. It is an uncomfortable and painful lesson about the root causes of 'corporate infernos.'”
The context matters.
Think of the banality of evil in WW2 Germany.
We are capable of doing almost anything, good or bad, as long as the shoal around does it and pretends it's normal.
gilrain
Ethically bankrupt software engineer startled that others aren’t holding the line of civilisation for them.
croes
> but I would genuinely like to know what the engineers thought when doing design reviews for a "selective stand down" feature.
First comes a full stomach, then comes ethics.
imiric
It's unfortunate then that the stomach is a bottomless pit for many people.
nerdsniper
See also: Uber's Greyball scheme. [0][1][2]
Uber developed a software tool called "Greyball" to avoid giving rides to known law enforcement officers in areas where its service was illegal such as in Portland, Oregon, Australia, South Korea, and China. The tool identified government officials using geofencing, mining credit card databases, identifying devices, and searches of social media. Uber stated that it only used the tool to identify riders that violated its terms of service; after investigations by the United States Department of Justice, Uber admitted to using the tool to facilitate violations of local regulations by obstructing law enforcement investigations of their illegal operations.
There were no criminal consequences for Uber (however, it reportedly contributed to a 2 year hiatus from London due to rejection of operating license renewal). So Honey may have decided the risk level was acceptable.
0: https://news.ycombinator.com/item?id=13785564
1: https://archive.is/DzQha ( https://www.theguardian.com/technology/2017/mar/03/uber-secr... )
2: https://archive.is/tqk3W ( https://www.nytimes.com/2017/03/03/technology/uber-greyball-... )
the_snooze
Original MegaLag video: https://www.youtube.com/watch?v=qCGT_CKGgFE
You'd think that if you were an engineer building and maintaining a system like this, you'd have an "are we the baddies?" moment, but guess not.
ZoneZealot
For context, Ben Edelman the author of the blog post was in the video at https://youtu.be/qCGT_CKGgFE?t=1980
Their personal site is also linked in the video description https://www.benedelman.org/honey-detecting-testers/
bedelman
Ben here. My real (substantive) write-up is https://vptdigital.com/blog/honey-detecting-testers/ . Happy to discuss / answer questions / etc.
vee-kay
I just love it - what's the chance that some internet stranger cites some site (pun intended) of another stranger on some random forum, and that site/blog's owner immediately chimes in (as a member of that forum, no less) to take up the discussion, and to answer questions and share some (insider/off-the-beaten-track) insights. It is wonderful to see such positive interactions and knowledge sharing of humanity.
PUSH_AX
Getting “vptdigital.com unexpectedly closed the connection. ” errors on your site currently just fyi
milkytron
In your interview with MegaLag posted in the video, you say something along the lines that civil courts are probably the most likely place any lawsuits would be held (I forget the exact wording used).
If you had used Honey, would you join a civil or class action suit against them?
satvikpendem
Looks like the server is down, I get a connection reset error
fragmede
Capitalism is great at washing its hands of evil. I don't know how much slavery went into making the smart phone that I'm posting this from, but I'm sure it's not zero. I'm ethically complicit in the whole scheme. The C in ACAB stands for Capitalists. Which unfortunately, is all of us.
hofrogs
All of us? I don't own any capital and don't have employees who I trim profits off of.
immibis
Giving moral support to an evil thing is also evil.
walthamstow
You don't have a pension?
nkrisc
Culpability is not a binary thing, it’s a scale. A small number of people are far and away the most culpable for much of the evil in the world, and they know it (and don’t care).
autoexec
We're not fully complicit all of the time. You don't know how many slaves made your phone, but somebody does. If you had a choice between a phone you knew was made by slaves and a phone that wasn't I assume you'd pick the slave free version every time. While it's fine to feel guilty for your involvement in the scheme don't let that get in the way of placing the blame for it squarely on the people who set things up this way and put you in this position.
When you can't escape an evil system you just have to do your best within it, while either working to get out of it or working to improve it however you can. What more can anyone ask of you? Capitalism is pretty much inescapable, but thankfully I'm not convinced that capitalism is an evil system inherently, it just needs strong constraints and regulations to keep it from being used to do evil things.
SkyBelow
>If you had a choice between a phone you knew was made by slaves and a phone that wasn't I assume you'd pick the slave free version every time.
At the same cost? Sure.
At different costs? We see that is not the case.
People don't. A few do, but most don't. There are many who would still prefer the more popular phone and an ethical cost is something they only mention when asked but is given only minor weight when it comes to decision making. Some might try to justify it by saying you can't be sure a phone claiming to be ethically made actually is, but how many even considered that much when making the decision?
>While it's fine to feel guilty for your involvement in the scheme don't let that get in the way of placing the blame for it squarely on the people who set things up this way and put you in this position.
Who is really at fault on a systematic level if the population decides lower costs are what they really want regardless of what sacrifices have to be made? If we look at a less morally challenging area, say air travel, and see how many people claim to want a nicer experience, yet airlines are always focused on cutting costs. Is that the fault of the airlines? Or is it the fault of the consumers who, despite what they say, show extreme preference for lower costing tickets? We can blame any seller at the moment, but we can't ignore the market pressures that picked the sellers who stayed and the ones who went out of business.
9763468975325
[flagged]
paranoidrobot
The original site is down for me, so going based on the app I was thinking it was about the actual edible Honey product, not Honey the discount coupon thing.
t0mas88
Over 15 years ago I worked with a telco that had similar affiliate issues. We decided to stop paying any affiliate commission at all and evaluate sales after some time to decide to continue the experiment or not. There was a little decrease in traffic to the site but no measurable decrease in sales of new plans. There were several check moments and data validation after that, but sales numbers remained as they were.
The conclusion was that affiliate marketing claimed a lot of sales in their reporting, but the brand was strong enough (this company was #2 by market share in the country and #1 on most brand metrics) to get those customers without affiliate links.
gonesilent
It started as a clone of the camelcamelcamel Amazon price history site and got kicked out by Amazon for abusing the system. It pivoted to a coupon site and started sucking down user data with the plugin when PayPal paid $4Bil CASH. Honey cost me affiliate marketing commissions.
throwaway81523
Apparently this thing got approved for the chrome store, which confirms that "store" approvals are near worthless for malware filtering.
immibis
It's not malware. Marketing companies stealing commission from each other isn't malware. Giving the user less than the best possible deal isn't malware. It doesn't even upload your cookies to see if you're a tester - it does that on the client.
freehorse
If I click on an affiliate link that I want to use and the extension changes that without me knowing, that’s malware for me. The intent of the user may be to use a specific affiliate link.
mikkupikku
What's the ratio of people deliberately clicking affiliate links, to people who just click links and have no clue what an affiliate link even is?
I already thought Honey was scummy so I never used it in the first place, but I honestly don't get the particular outrage over these specific practices. You're already using the extension to effectively scam online stores, by using coupons the company gave to somebody else, not you. I see it as barely more ethical than doing that old trick of generating your own manufacturer coupons. Probably it's a lot more legal, but ethically it's in the same ballpark.
kristofferR
That's not how malware is defined - Windows ain't malware just because they occasionally make Edge open instead of what you thought was your default browser. The malware definition is way more specific than simply software that doesn't always follow user intent.
doctorpangloss
one point of view is why bother with any of this, google knows exactly what honey is doing, they could remove honey from chrome with the stroke of a pen, and that would be that.
cwal37
arionmiles
there's something seriously wrong with this archived link. It's not staying still for one moment. It's constantly twitching and the text scrolls to weird positions. It's unreadable because of this.
Is it the archive at fault or is the original webpage this way?
kencausey
It constantly reloads for me (Firefox.) Just hit X which replaces the reload button while the page is loading and it will stop.
quesera
Disable JavaScript, reason #99e99.
Works for me here, and in 90% of the cases where someone complains of annoying page behaviour (cookie banners, revenue optimizations, subscription solicitations, "click here to ...", paywalls, ads, et alii ad nauseam).
Seriously, just disable JavaScript on unknown/untrusted/undeserving sites. It makes the web tolerable.
golem14
Is there actually a whitelist of sites where it's OK/necessary to enable JS ? I'd love to use that (although, I don't know how to load that list into safari or chrome.)
arionmiles
ah well... this is a first for me where I need to disable JS. Thanks!
bedelman
Was the VPT site not working for you, so you had to resort to archive.org? Original link https://vptdigital.com/blog/honey-detecting-testers/ . Anyone having trouble -- contact Ben Edelman (easily found by web search) and I will genuinely value the opportunity to get to the bottom of what is wrong.
cwal37
Yup, was just dead for me and stayed dead, so I went and grabbed an archived link.
Don’t recall precisely how it was dead, but I assumed via traffic.
arionmiles
I think I saw a 5xx error when I tried to see the original link. I assumed it might have been due to a hug of death.
It seems to be loading fine now.
bedelman
Your diagnosis is correct. VPT has been most focused on building our testing automation, then improving reports and dashboards. We knew this spike of traffic was coming, but we didn't finish sufficient WordPress optimizations. Apologies.
arijun
Why do Amazon and others pay out to Honey's affiliate accounts? They know no real referrals are coming from them.
flkiwi
Didn't this Honey fraud thing break like a year ago (or longer)? This is the second story I've seen about it in the last couple of days and I guess I'm surprised it's even still around.
AkshatJ27
The youtuber MegaLag released part 1 of his investigation roughly 1 year ago: https://youtu.be/vc4yL3YTwWk
Recently, he released 2 more parts with more new information that paints Honey in a pretty bad light: https://youtu.be/qCGT_CKGgFE https://youtu.be/wwB3FmbcC88
flkiwi
Thank you. I was confused about why this was suddenly bubbling up again. And ... paints Honey in a pretty bad light? LOL, they already looked like a fraudster scam to begin with! (But, again, thank you.)
xnx
The entire affiliate "ecosystem" is cancer. I'd love to see Amazon turn it off entirely.
orwin
I think affiliate links are the most fair/ethical advertisement can be. If i go on a random carpentry or painting blog, i'd rather have affiliate links to product they use rather than random google ads.
Ekaros
As consumer I would love to see lower prices directly. Or at least have available some official store affiliate discount code which would give me same discount which would be win win for everyone.
TheJoeMan
You cannot due to Amazon's stipulations that to list on Amazon.com, it must be the same as your advertised price on other retailers, including your own website. This raises overall costs, as Amazon.com sellers pay additional fees for placement, ads, etc. which get rolled into the price. As a workaround, you can have a MSRP on your website, with "coupons".
ThatMedicIsASpy
Cut the middleman and order directly from china
wiether
Which also offers cashback through Honey and similar!
a_paddy
TLDR;
- The Honey browser extension inserted their own affiliate link at checkout, depriving others of affiliate revenue.
- Honey collected discount codes entered by users while shopping online, then shook down website owners to have the discount codes removed.
- Honey should have "stood down" if an affiliate link was detected, but their algorithm would decide to skip the stand down based on if the user could be an affiliate representative testing for compliance.
Allegedly.
Kwpolska
Re the second point, it specifically collected valuable codes that shouldn't be widely shared, e.g. employee discounts.
Re the third point, the algorithm would skip stand down for users who weren't likely to be testers (based on account history and lack of cookies for affiliate marketing admin panels).
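Added example, not part of any comment in this thread and not code from Honey or from the linked write-up: one way an affiliate-network auditor could check test results for the selective stand-down described above, by comparing stand-down rates between tester-looking and ordinary-looking browser profiles. The trait names, thresholds and the sample runs are assumptions constructed for illustration.

```javascript
"use strict";

// Constructed sample data (not measurements). Each record is one audit run in
// which a third-party affiliate link was clicked before checkout, so an
// extension that honours stand-down rules should stand down in every run.
const RUNS = [
  { id: 1, establishedAccount: false, affiliatePanelCookie: true,  stoodDown: true  },
  { id: 2, establishedAccount: false, affiliatePanelCookie: true,  stoodDown: true  },
  { id: 3, establishedAccount: false, affiliatePanelCookie: false, stoodDown: true  },
  { id: 4, establishedAccount: true,  affiliatePanelCookie: true,  stoodDown: true  },
  { id: 5, establishedAccount: true,  affiliatePanelCookie: false, stoodDown: false },
  { id: 6, establishedAccount: true,  affiliatePanelCookie: false, stoodDown: false },
  { id: 7, establishedAccount: true,  affiliatePanelCookie: false, stoodDown: false },
  { id: 8, establishedAccount: false, affiliatePanelCookie: false, stoodDown: true  },
];

// Profile traits the audit varies. "testerLike" is the value that makes a
// profile resemble a compliance tester (assumption drawn from the thread:
// little account history, cookies from affiliate admin panels).
const TRAITS = [
  { name: "establishedAccount", testerLike: false },
  { name: "affiliatePanelCookie", testerLike: true },
];

// Fraction of runs in which the extension stood down; null for an empty set.
function standDownRate(runs) {
  if (runs.length === 0) return null;
  return runs.filter((r) => r.stoodDown).length / runs.length;
}

// For each trait, split the runs into tester-like and ordinary profiles and
// report the trait when stand-down is much more frequent for tester-like ones.
// minGap and minRuns are arbitrary illustrative thresholds.
function auditSelectiveStandDown(runs, minGap = 0.5, minRuns = 2) {
  const findings = [];
  for (const { name, testerLike } of TRAITS) {
    const tester = runs.filter((r) => r[name] === testerLike);
    const ordinary = runs.filter((r) => r[name] !== testerLike);
    // Too few runs on either side says nothing about selectivity.
    if (tester.length < minRuns || ordinary.length < minRuns) continue;
    const testerRate = standDownRate(tester);
    const ordinaryRate = standDownRate(ordinary);
    const gap = testerRate - ordinaryRate;
    if (gap >= minGap) {
      findings.push({ trait: name, testerRate, ordinaryRate, gap });
    }
  }
  return {
    overallRate: standDownRate(runs),
    // Every run had a prior affiliate click, so each miss is a violation.
    violations: runs.filter((r) => !r.stoodDown).map((r) => r.id),
    findings,
  };
}

console.log(JSON.stringify(auditSelectiveStandDown(RUNS), null, 2));
```

The point for test design is that an audit run only from fresh accounts or from machines logged in to affiliate dashboards would show a 100% stand-down rate here; the violations appear only once ordinary-looking profiles are included.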
phpnode
Wow, I am very surprised that cookie stuffing[0] is still a thing. This could have been written 20 years ago.
esafak
I thought this was going to be about honey adulteration, which is a major problem.
quesera
Same, and that topic would have been way more interesting (cf. EVOO).
Obviously Internet affiliate marketing schemes are built on mutual exploitation of asymmetric data collection. This cannot possibly surprise anyone.
With that said, this is a good article with excellent data collection and evidence presentation. It's great to have documentation of obviously corrupt practices, even if they are unsurprising.
rfrey
No honour among thieves, I guess.
I used to work for an ad tech company (which I know already makes me the devil to some around here), and even I think that they crossed a line with this. A lot of industry terms are coded in corporate speak to make them sound better (think "revealed preferences" or "enabling personalization"), but I would genuinely like to know what the engineers thought when doing design reviews for a "selective stand down" feature. There doesn't seem to be a legit way to spin it.
Making a product to explicitly skirt agreements while working for a corporation is ... a choice