Should developers be responsible for potentially harmful software?

With the recent news concerning the arrest of Marcus Hutchins — the security researchers who stopped the biggest-ever ransomware attack — I’ve been thinking (more than usual) about the ethics of software development. But before we go into that, who’s Marcus Hutchins and what did he really do?

Hutchins, is a so-called security researcher which means he’s testing and developing software that will help with understanding and stopping computer viruses, malware, ransomware etc. When the Wannacry ransomware spread across the globe Hutchins was the first one to stop it. He is now arrested by US authorities because he developed another malware that someone else used in attacks against banking software. Hutchins supposedly developed the malware for research purposes, with clear and good intentions. But despite this he’s now being arrested.

The case around malware is obviously a grey area, because the primary intention of malware is to cause harm (although there are malware used with good intentions). Should it be allowed to develop malware? It’s a reasonable question to ask, however, my answer to that question is yes, as long as there’s no ill intent. But where do you draw the line? How do you define purpose and intentions? These are mostly subjective questions, so it depends on who’s asking and who’s answering.

I applied this question to something relevant to myself. Because I’m a core maintainer of Drupal, should I be held responsible for criminal use of Drupal, e.g. distribution of illegal drugs or child pornography? In line with my answer above, I should probably not be held responsible. But should criminals be allowed to use Drupal for criminal purpose? Obviously not.

But as a contributor to Ethereum, the next questions became a bit harder to answer for myself. Ethereum by design makes anonymity and financial transactions easy, which in turn lends itself really well to illegal use. Tax evasion and money laundering, just to mention two obvious examples, could have dramatic consequences to our society if blockchain technology like Ethereum become mainstream. Vlad Zamfir’s blog post titled “Blockchains Considered (Potentially) Harmful” is a very interesting read on this subject.

The conversation around harmful use of blockchain technology needs to be approached slightly differently to the general conversation around privacy and encryption on the Internet. Transport Layer Security works on such a low infrastructure level that it’s not reasonable to consider it harmful in my opinion. But blockchain technology such as Ethereum works on a higher level with very direct and obvious applications for illegal use.

I will obviously continue to contribute to both Drupal and Ethereum because I believe that both of these projects ultimately are enablers of digital freedom and privacy, rights that otherwise are being taken away from us by corporations and governments.

But this is still an important conversation to be had. How do we define and communicate intended use of the software we distribute? Should we even need to? Where do we draw the line on subjective matters like these? When robotics and artificial intelligence comes into the picture the potential impact of software development can have even more drastic consequences.