Ethics in IT — Week 4 · Module 12
Social Media Ethics
The platforms that connect us run on data nobody knew they were giving away. The ethics caught up late.
13 slides ~13 minutes Reynolds Ch. 9
Slide 2 of 13
"The algorithm doesn't have ethics. The person who wrote it does."
A platform serves billions. It is built by a few hundred engineers. The product manager who set the engagement target shipped a value choice and called it a feature.
This module covers four things: how social platforms blur personal/business lines, why Section 230 made the modern internet possible, what Cambridge Analytica taught us about API design, and what IT professionals owe users their employer's lawyers cannot discharge for them.
Slide 3 of 13 · 01 / 05
Personal Use, Business Use, and the Line Between
Same platform. Many simultaneous functions. The norms collide at the edges.
Personal use
Family photos, friends, identity expression. Posted in a context the user understands.
Business use
Brand, recruitment, customer service, market research. Posted in a context the org understands.
Advertising
Behavioral data extracted from personal context, repurposed to target the user. The line crosses here.
Surveillance
Employee monitoring, hiring screens, political profiling. The line is already gone.
The ethical complexity: norms that govern one context are routinely violated when data crosses into another. A photo posted for friends is not consent for ad targeting. The user did not knowingly provide what the system extracted.
Slide 4 of 13 · The recruitment screen
Common Practice vs. Ethical Issue
Use CategoryCommon PracticeEthical Issue
Recruitment screeningReviewing candidate social media before hiringAccess to protected-class data (age, religion, race) that legally cannot influence hiring — but does
Employee monitoringTracking employee posts inside and outside workConflicts with privacy expectations; chills protected speech; may violate NLRA
Targeted advertisingBehavioral data feeding demographic/psychological profilesExploits vulnerable populations; data given in one context, used in another
Social commerceInfluencer marketing, embedded checkout, algorithmic recsBlurs disclosure lines between editorial content and paid promotion
The brain has no off switch. The hiring manager who views a candidate's Instagram before the interview has seen religion, age, race, family status, and political views. The law says these cannot influence the decision. The neuroscience says they will.
Slide 5 of 13 · 02 / 05
CDA Section 230: Platform Immunity
The 26 words that built the modern internet.
"No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." — 47 U.S.C. § 230(c)(1), 1996
What it allows
Platforms host user content at scale without being sued for every post. Moderation does not trigger publisher liability.
Why it was written
1996 internet was emerging. Without immunity, platforms either refused user content or were liable for every word. Section 230 chose neither.
Plain terms: platforms are not liable for what users post. Without Section 230, Facebook, YouTube, Reddit, and the comment section under every newspaper article do not exist in current form.
Slide 6 of 13 · The 230 debate today
Is Algorithmic Amplification Editorial Judgment?
Critics' position
Algorithms that promote, downrank, and amplify content are making editorial choices. Editorial choices imply publisher status. Publisher status implies liability. 230 was for hosts, not curators.
Defenders' position
Removing immunity forces over-moderation (anything risky removed) or under-moderation (no moderation = liability shield gone). Either outcome harms speech and users.
The ethical reality: Section 230 does not prevent platforms from moderating. It prevents them from being sued for moderating. The decisions about what stays and what goes are ethical choices made by product managers insulated from the consequences.
Slide 7 of 13 · 03 / 05
Misinformation vs. Disinformation
The distinction matters legally and ethically.
Misinformation
False information spread without intent to deceive. The poster believes it. Platform liability turns on knowledge and amplification.
Disinformation
False information spread with intent to deceive. Coordinated campaigns. Foreign influence operations. Profit-driven fake news factories.
The algorithm has no truth oracle. Engagement systems optimize for interaction. False or emotionally provocative content generates more interaction than accurate content. So when both exist, the algorithm amplifies the false content. By design.
"The algorithm is neutral" is technically illiterate and ethically evasive. Algorithms embed the values of whoever designed the objective function.
Slide 8 of 13 · The engineer's role
The Objective Function Is the Ethics
Whoever picks what to optimize has made the moral choice.
Engagement
Optimize for clicks, shares, time-on-site. Maximizes attention. Skews toward outrage.
Accuracy
Optimize for verified, sourced, contextual content. Reduces engagement. Reduces ad revenue.
User well-being
Optimize for satisfaction, mental health, time-well-spent. Hard to measure. Rarely picked.
The choice is the ethics. The engineer who set the engagement target knew — or should have known — that high-engagement content skews toward outrage. The choice to ship that target was an ethical decision. It just was not framed as one.
Slide 9 of 13 · 04 / 05
Case Study: Cambridge Analytica
The defining reference for social media data ethics.
The mechanism
A third-party quiz app (thisisyourdigitallife) collected Facebook profile data on ~87M users — including users' entire friend networks — via Facebook's then-permitted API.
The use
Harvested data fed psychographic profiles for targeted political ads. Deployed in the 2016 US presidential election and the UK Brexit referendum.
The violation
FB's terms forbade selling data to third parties. CA violated those terms. FB knew the data had been improperly obtained and did not inform users for over two years.
The consequence
$5B FTC fine — largest in FTC history at the time. CA dissolved. GDPR enforcement accelerated. US privacy debates shifted permanently.
Cambridge Analytica did not steal data. It used data Facebook provided through an API Facebook built. The question of who bears ethical responsibility when a platform is weaponized is still being litigated.
Slide 10 of 13 · What FB chose
The API Was the Ethical Failure
Friend-network harvesting was a design choice, not an oversight.
1. The design
Allow apps to read friend data without friend consent. Result: bigger ecosystem, more engagement.
2. The audit gap
No real review of how API access was used downstream. Apps could pull and resell.
3. The non-disclosure
Once breach was known, FB sat on it for two-plus years. Users were not told.
The deeper question: is it ethical to use behavioral data to manipulate political preferences? The law does not clearly prohibit it. Professional ethics codes that require respect for privacy and the public interest clearly implicate it.
An engineer built the friend-network API. Another engineer built the app review pipeline. A third decided what to disclose. None of them needed to break the law to enable Cambridge Analytica. They just needed to not slow down.
Slide 11 of 13 · 05 / 05
What the IT Professional Owes the User
Obligations the platform's legal team cannot discharge for you.
Contextual integrity
Data should flow only in ways consistent with the context in which it was shared. Photos for friends are not photos for advertisers.
No discrimination proxies
Do not build systems that enable hiring or credit discrimination based on social media as a proxy for protected class.
Meaningful consent
Flag when data collection exceeds what users have meaningfully consented to. "Accept all" is not consent.
ACM Code 1.6 & 1.2: "Respect privacy" and "avoid harm." A developer who builds a system that harvests friend-network data without consent is not insulated from those obligations by the fact that the legal team approved the terms of service.
Slide 12 of 13 · The privacy policy trap
A Privacy Policy Is Not an Ethical Framework
What a privacy policy does
Disclose enough to limit liability. Written by lawyers. Optimized for the bottom of an enforcement curve.
What a privacy policy does not do
Tell you whether the practice is right. Provide a basis for refusing unethical work. Discharge professional obligation.
The fact that the platform's privacy policy permits something does not mean it is ethical. Lawyers minimize liability. Engineers minimize harm. The two are not the same job, and one cannot substitute for the other.
If your only defense for shipping a feature is "legal cleared it," you have already conceded the ethical analysis was never done.
Slide 13 of 13
Module 12 Takeaways
Six ideas to carry into the rest of Week 4.
1Context collapse: data shared in personal context is routinely repurposed for business, surveillance, and advertising contexts users never consented to.
2Section 230 is the legal foundation of the modern internet. Removing it forces over- or under-moderation; reforming it remains an open ethical question.
3Mis- vs. dis-information: intent matters legally, but algorithmic amplification of either is an engineering choice that embeds values.
4The objective function is the ethics. "The algorithm is neutral" is technically illiterate. Whoever set the target picked the values.
5Cambridge Analytica: 87M users, $5B fine, FB knew for 2+ years. The API was the ethical failure, not the breach.
6The privacy policy is not an ethical framework. The fact that legal cleared it does not discharge the engineer's obligation under ACM/IEEE codes.
Next up: ETH-13 — Ethics of IT Organizations. From the platform's design to the workforce that builds it: contingent workers, outsourcing, gig economy, whistleblowing, and what we do with the e-waste.