
Who is the audience your comment is trying to reach? Who are these mysterious "companies"?

It's important to realize companies are made of people.

Someone had to explicitly code the dark pattern in the GDPR cookie dialog. Ever notice the button for "Accept All" is big and shiny, while refusing all is more often than not a cumbersome, multi-click process?

That's not an accident. That was coded by people. People around us, people who post here. I'm sure "made GDPR dialog deceptively confusing" went on someone's accomplishment report that they then used to justify a raise or promotion.



My theory is that companies are not the sum of their employees. Employees are generally good; toxic humans are a small minority (unfortunately they tend to be over-represented at the head of companies).

But put employees together into a profit-maximisation machine, and the machine will try to maximise profit, with dark patterns and downright evil things.

Similar with our species as a whole: nobody is actively working to break the climate so much that their kids will die long before they reach the age of retirement. But that's what we as a species are doing together, somehow. Individually, we don't want that, but that's not enough.


That explains passively malignant processes, like not radically overhauling your business to address climate change. It doesn't explain actively malevolent things like "let's bury the 'Decline Cookies' dialog under 3 layers of clicks." That's a proactive choice, that some software developer chose to implement.


I'm guessing that in many cases, it's not one software developer who decides. Most people are told what to do, and for many websites I'm guessing that it's just some kind of Wordpress add-on.

Someone realised that they sold more add-ons if they implement those dark patterns, so they did it ("it's not me, I offer a good one but they buy the evil one"). In my experience in startups, the website was managed by marketing people who honestly had no clue: they seemed to genuinely believe that they needed those cookies ("I am in marketing, I need the data") and they did not understand the consequences. "I just install this Google thing, and then Google gives me nice data for free".

Why do people build weapons? That's a lot worse than a cookie popup, but I'm sure every single person in that industry will tell you that they "save lives".


That's why we need to realize, that decisions in the small constitute what happens in the large. If some person comes and tells me to implement dark patterns into the consent popup, I'll tell them that this is illegal. I'll also tell people, when their current consent is manufactured or when their cookie/consent popup does not conform with GDPR. Been there, done that. Only unfortunate, that it was not my role to deal with that. It was simply that most people didn't care (I must assume frontend developer knew better, otherwise they were utterly uninformed about their job), some people who should have known better didn't (everyone else in the engineering team), some people wanted dark patterns to be in there (project management and marketing/sales, as usual), and I was the only one pointing out the tiny problem with the law. Of course no one ever thanked me for that.


It's not that people who implement those things don't care, per se. It's that they care about getting their paycheck more (or, in the current climate, retaining their job). And they are also acutely aware that if they refuse to do it, a replacement that won't is easy to find.


Your moral integrity is tested, when your paycheck depends on it, not when it doesn't have repercussions to you.


I have been in that situation in a startup. The boss would come to me and ask for some dark pattern (not cookies, I don't remember exactly what it was). I said I wouldn't do it. They literally asked a guy in the adjacent room, and he took it as a new task and did it.

He was not a bad guy: I did not care about getting fired (I was young and single), he did (he had a family). And in his opinion, if the boss wanted it, anyway it would end up being done. His job was to implement what the boss wanted, not to contradict the boss.


Both understandable and good that you stood up to it!

Sometimes though bosses need some contradiction, for the business to be successful. It is not the best approach to have no opinions or ethics.


Having coded multiple such buttons in the past, I'd like to ask to consider that the person doing the coding is barely the person making the decision. It's hard to reject such a request when your livelihood depends on the job.


It might be hard in some places, with especially toxic higher ups. A good start is pointing out the law a few times. If that doesn't get them to stop, what you can do is ask them to give you a signed piece of paper, where it says, that against your objection and warning about this being illegal, they want you to still do that. Usually at that point they will find someone else, or stop trying to do it.


I agree with everything you say, except

> Usually at that point they will find someone else

is not really something a lot of people can afford to risk


This is why I am glad to live in a country with comparatively good employee protections. In other countries, where people can be fired at will, this might be more problematic. But at least in this country, it would be a very clear cut case, if your employer asks you to do something illegal, that they will not be able to legally fire you. Of course you might have to go to court to get your right.


Which is why we need professional licensure: You get to tell your boss "If I tell you to go fuck yourself, then I risk this job. If I implement your feature, I risk losing every future job by losing my license. And everybody you can hire to do this will tell you the same thing".


I don't want to live in your hellscape where my government tells me I can't program a website without a license.

Grow up and tell someone you won't implement a feature because you don't like it. I do it all the time - "that's a bad idea, I'm not doing that". I still manage to eat, it's not either/or, you have agency, you can refuse without resorting to regulation saying you must.


Maybe you could still program a website. But you might not be able to do it professionally.

But yes, more people should tell other people that they won't do that.


Should contributing code to open source software require professional licensure?


As far as I know most (all?) open source and free software licenses include terms that explicitly state that there is no warranty. So I think maybe a license there wouldn't be required. It is an interesting question though.


But many people are paid by their companies to work on OSS.

Most commercial software doesn’t have a warranty either.


In that case I would say, since they are getting paid for their work by the company, they are in a different position than someone developing FOSS on their own private time.

I think a lot of commercial software that is not open source or free software, doesn't have licenses in the same sense. They are proprietary and they might have an EULA, that prohibits you from reverse engineering or something like that, or that declares the no warranty. But not licenses like for example GPL or MIT license. Such a license would be useless for proprietary software projects, because the user isn't supposed to ever get the code.


Lucky you. In my experience it ends up with talks to HR, where they will explain that "you are being difficult to work with" and "things are going to have to change" or "we are going to have to look for alternative avenues"


IMO, this is a great example of the lack of professionalism in the software development field. No individual software developer is responsible for violating the GDPR's prohibitions on cookie banners in a legal sense, but we could be. Real engineers have that leverage: A PE who thinks a bridge's design amounts to professional malpractice gets to refuse to approve that design, and anybody who the employer could find to approve it risks their entire career, on top of personal liability.


But that's a great example of why we might not need to turn into professionally licensed experts: the risk of messing the implementation of GDPR up is nowhere near messing a bridge or even a single family home up.

Now sure, with software controlling everything today (even the tools an engineer would use to design and build a bridge: imagine a bug in software setting the cement ratio in concrete being used), there are accountability reasons to do it.


Sure, we programmers aren't likely to kill anyone with malpractice (in most software development disciplines, anyway). But we have a much, much broader impact. An exceptionally bad bridge collapse kills maybe a couple hundred people. Incompetent or malicious coding practices on a site negatively affect millions, with some sites getting up to the billions.


No disagreement there, but opportunity costs are present and unregulated everywhere: e.g. a bad traffic light design (timings) might increase congestion and greenhouse gas emissions 10×, but nobody is losing their traffic engineering license for that.


someone coded it once, everyone else just adds another dependency that fulfills the spec, they don't even have to search for "dark patterns", just "most effective"


How much incompetence do we accept or tolerate, before we deem it negligence? If someone adds a consent popup or similar thing to a website, usually knowing, that there is a reason why this must be done, and that this reason is GDPR, it seems quite incompetent to not know the first bit about what is required, and not doing their due diligence to read up on it when one doesn't know.

Perhaps it would change things for the better, if this special kind of people were at least temporarily removed from the job, until they have gained basic knowledge about their job and how it affects other people.



