Codes of Ethics | Ethics in IT

Slide 1 of 35  |  ETH-W4C  |  Week 4 of 8  |  Appendices
Codes of
Ethics
ACM  •  IEEE  •  PMI  •  AITP  •  SE Code  •  Applying Principles to Practice
A senior software engineer discovers that the AI system their company has deployed for hiring decisions is producing racially biased outputs. Management is aware but has not acted. The engineer asks themselves: "What do the professional codes require of me?" They look up the ACM Code. Principle 1.4: "Be fair and take action not to discriminate." Principle 2.7: "Foster awareness and understanding of impacts." Principle 3.7: "Recognize and take special care of negative consequences." The codes are unambiguous. The action they imply is not comfortable. That is precisely when codes matter.
35 Slides ETH-W4C Week 4 of 8 Appendices
Slide 2 of 35
Why Codes of Ethics Exist
Professional codes of ethics serve multiple functions that cannot be served by law alone.
Guidance Beyond Law
Law sets minimum standards. Ethics codes articulate aspirational professional standards that exceed legal minimums. A behavior can be legal and still be professionally unethical -- and professionals who live only at the legal minimum are not meeting the obligations of professionalism. Codes provide the framework for evaluating conduct in the space between "clearly illegal" and "morally required." This is the space where most professional ethics decisions actually live.
Professional Identity and Trust
Professions that have codes of ethics establish a basis for public trust. When you consult a physician, you trust that their obligation to your health overrides their personal financial interests in recommending treatment -- because the medical code of ethics requires it and the licensing system enforces it. Professional codes in computing attempt to establish the same basis for trust: that a computing professional's obligation to the user and the public overrides commercial pressures. The extent to which this trust is warranted is a question about code enforcement, not code content.
Shared Framework for Difficult Decisions
When facing a novel ethical situation -- and computing professionals encounter novel ethical situations regularly -- a code provides a shared reference framework. Instead of each professional reasoning from scratch, the code provides principles that have been developed through collective deliberation, tested in application, and refined over time. This does not eliminate the need for judgment -- it provides principled starting points for that judgment and a shared vocabulary for discussing ethical disagreements.
The Limits of Codes
Codes alone do not produce ethical behavior. They require: professional awareness (knowing the code exists), understanding (being able to apply it), organizational cultures that support application, and enforcement mechanisms that create consequences for violations. A code without these elements is a document. A code with them is infrastructure for professional ethics.
Slide 3 of 35
ACM Code of Ethics: Overview
The Association for Computing Machinery Code of Ethics and Professional Conduct (2018). The most widely adopted computing ethics code globally.
Structure
Four sections: (1) General Ethical Principles (8 principles applying to all people), (2) Professional Responsibilities (9 principles specific to computing professionals), (3) Professional Leadership Principles (6 principles for those in leadership), and (4) Compliance with the Code (2 principles requiring adherence and promoting the code). The 2018 version was a significant update from the 1992 original, addressing AI, privacy, and digital systems not present in 1992.
First Principle: Contribute to Society
ACM Principle 1.1: "Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing." This anchors the entire code in a social purpose -- computing professionals are not merely technical workers, they are participants in a technology that affects everyone. The obligation to contribute positively to society is foundational, not optional or aspirational. All other principles flow from this commitment to human and social benefit.
Avoid Harm (1.2)
Among the most operationally important principles: "Avoid harm." The code explicitly includes harms to users, third parties, and society. It states that "when a harmful outcome is foreseeable," the professional is obligated to address it. This is a proactive obligation -- not merely refraining from causing harm, but actively working to prevent foreseeable harm. The Therac-25, Boeing MCAS, and IBM Watson cases all involved foreseeable harm that was not adequately addressed. This principle directly speaks to those failures.
Enforcement
ACM's enforcement mechanism is limited: membership can be revoked for code violations. Since ACM membership is voluntary and not required to practice computing, this sanction is relatively mild. There is no licensing board, no practice prohibition, and no fine structure. The code's force is primarily moral rather than regulatory. This is both a weakness (limited deterrent power) and a strength (it applies to the full scope of computing practice rather than only to a narrow licensed subset).
Slide 4 of 35
ACM Code: General Principles
Section 1: Eight principles that apply to computing professionals as members of society.
1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing. Prioritize public good. Protect civil liberties. Minimize negative consequences to health, safety, and personal security.
1.2 Avoid harm. Foreseeable harms must be reported to appropriate parties. When interests conflict, professionals must minimize harm to the less powerful party. "Harm" includes physical, economic, psychological, and societal harms.
1.3 Be honest and trustworthy. Includes honest assessment of capabilities, honest reporting of flaws and defects, and honest communication with users about risks. Deception and omission that result in harm are prohibited.
1.4 Be fair and take action not to discriminate. Prohibits discrimination based on protected characteristics. Includes obligation to recognize and address algorithmic bias. Actively work to include underrepresented groups in the profession.
1.5 Respect the work required to produce new ideas, inventions, creative works, and computing artifacts. Intellectual property respect. Proper attribution. No plagiarism or unauthorized use.
1.6 Respect privacy. Collect only necessary data. Use data only for intended purpose. Protect data from unauthorized access. Support individuals' rights to control their personal information.
1.7 Honor confidentiality. Protect organizational confidences unless doing so would violate law, the code, or cause serious harm. Confidentiality obligations do not supersede ethical obligations to the public.
Slide 5 of 35
ACM Code: Professional Responsibilities
Section 2: Nine principles specific to computing professionals in their technical roles.
2.1 Strive to achieve high quality in both the processes and products of professional work. Pursuit of excellence. Commitment to quality standards proportional to the system's impact and harm potential. Not meeting the applicable standard of care is a code violation.
2.2 Maintain high standards of professional competence, conduct, and ethical practice. Continuous learning obligation. Know the limits of your competence and do not misrepresent them. Seek to improve skills relevant to your current and emerging work.
2.3 Know and respect existing rules pertaining to professional work. Includes laws, regulations, contracts, and organizational policies. Understanding the legal and regulatory environment is part of professional competence, not an optional specialization.
2.4 Accept and provide appropriate professional review. Code review, design review, safety case review, and independent testing are professional norms. Resisting review undermines the quality and accountability mechanisms that protect users.
2.5 Give comprehensive, accurate assessments of computer systems and their impacts. No cherry-picking of results. Honest reporting of limitations and risks. This principle directly prohibits the kind of selective disclosure documented in the Boeing 737 MAX and IBM Watson cases.
2.6 Perform work only in areas of competence. Do not accept assignments you are not qualified to execute. When work requires expertise you do not have, seek collaboration with those who do or disclose the limitation.
2.7 Foster public awareness and understanding of computing, related technologies, and their consequences. Includes obligation to correct public misconceptions and to communicate risks in accessible terms to non-technical stakeholders.
Slide 6 of 35
ACM Code: Leadership and Compliance
Section 3 (Leadership Principles) and Section 4 (Compliance) -- the parts of the ACM Code most relevant to managers and organizations.
3.1 -- Ensure Good Social Context
Leaders must articulate the social responsibilities of their organizations, products, and employees. This principle recognizes that leadership sets the ethical tone -- a leader who only communicates commercial objectives and never communicates social obligations creates an organization where social obligations are effectively deprioritized. Explicitly communicating and modeling ethical responsibilities is a leadership obligation, not an option.
3.4 -- Design for Inclusivity
Systems must be designed to serve all users, including those with disabilities, those with limited technical literacy, and those in resource-constrained environments. Accessibility is an ethical design requirement under the ACM Code, not a feature to be added if time permits. This principle requires proactive design for inclusion rather than reactive accommodation after the fact -- and it places the obligation on leaders who can make resource allocation decisions that enable inclusive design.
3.7 -- Recognize and Manage Conflicts of Interest
Leaders must recognize when organizational or personal financial interests conflict with ethical obligations to users or the public. The Boeing MCAS, Facebook Papers, and IBM Watson cases all involved organizational leadership facing this conflict and prioritizing financial interests. Section 3.7 is the provision that makes those leadership choices code violations -- not just business decisions -- when they result in documented harm that leaders knew or should have known was foreseeable.
4.2 -- Uphold, Promote, and Respect the Code
Members are obligated not only to follow the code themselves but to promote it, to encourage others to follow it, and to report violations to appropriate parties. This creates an active obligation -- not a passive compliance standard. A member who knows of code violations by colleagues and says nothing has failed the code as surely as if they committed the violation themselves. This principle is the code's foundation for collective professional accountability.
Slide 7 of 35
IEEE Code of Ethics: Overview
The Institute of Electrical and Electronics Engineers Code of Ethics. Focuses on engineering practice with emphasis on safety and public interest.
Structure and Focus
The IEEE Code (most recently updated 2020) consists of a single commitment statement followed by ten specific commitments. It is shorter than the ACM Code but shares its core principles: public safety paramount, honesty in technical matters, non-discrimination, and professional competence. The IEEE Code's engineering background gives it particular emphasis on safety, accuracy of technical claims, and the obligation to challenge unsafe decisions -- reflecting the tradition of engineering ethics that traces to Challenger, Tacoma Narrows, and earlier disasters.
Article I: Public Safety Paramount
IEEE Code Article I: "to hold paramount the safety, health, and welfare of the public in keeping with our responsibility as professionals." "Paramount" is a strong word -- it means above all other considerations. When safety conflicts with schedule, safety takes precedence. When safety conflicts with cost, safety takes precedence. When safety conflicts with employer instruction, safety takes precedence. This is not a soft aspiration -- it is the foundational commitment from which all other professional obligations flow in the IEEE framework.
Honesty in Technical Claims (Article IV)
IEEE Article IV: "to be honest and realistic in stating claims or estimates based on available data." No overpromising. No understating risks. No cherry-picking favorable data. This article speaks directly to cases like IBM Watson (overpromised capability), Boeing MCAS (understated risks), and Cambridge Analytica (misleading claims about data use). Honest technical claims are not merely a matter of accuracy -- they are the foundation of the trust relationships between computing professionals and the public they serve.
Slide 8 of 35
IEEE Code: Ten Commitments
The specific commitments of the IEEE Code of Ethics, annotated for application to computing contexts.
I Hold paramount the safety, health, and welfare of the public. Foundational commitment. Safety above commercial pressure, schedule, or employer instruction. Applies to all engineering and computing work, not only safety-critical systems.
II Only perform services in areas of competence. Mirror of ACM 2.6. Parallel across both codes. No misrepresentation of qualification. Seek additional expertise when needed.
III Be honest and realistic in stating claims or estimates based on available data. Core honesty obligation. Applies to technical specifications, performance claims, risk assessments, and project status reporting equally.
IV Reject bribery in all its forms. No acceptance of improper personal gain in exchange for technical judgment. Broader than financial bribery -- includes any arrangement that compromises independent professional judgment.
V Improve the understanding of technology, its appropriate application, and its potential consequences. Education and communication obligation. IEEE engineers are not only practitioners -- they are stewards of public technical literacy in their domains.
VI Maintain and improve technical competence. Continuous learning obligation. Seek collaboration with others whose knowledge supplements your own.
VII Seek, accept, and offer honest criticism of technical work; acknowledge errors; and credit properly the contributions of others. Review culture obligation. Covers both giving and receiving honest feedback, and the attribution of intellectual contributions.
Slide 9 of 35
PMI Code of Ethics: Overview
The Project Management Institute Code of Ethics and Professional Conduct. Relevant to IT professionals in project management roles, which is a significant portion of the IT workforce.
Structure: Four Values
The PMI Code is organized around four core values: Responsibility, Respect, Fairness, and Honesty. For each value, the code distinguishes between "aspirational" standards (what we strive for) and "mandatory" standards (what is required of all PMI members and credential holders). This two-tier structure explicitly acknowledges the difference between ethical aspiration and ethical minimum -- a useful pedagogical device that most other professional codes do not make explicit.
Responsibility
Aspirational: take responsibility for decisions and their consequences, own mistakes, and correct them. Mandatory: report unethical conduct to appropriate management, act in the best interest of clients, and report conflicts of interest. PMI's responsibility standard requires both individual accountability and active reporting of organizational ethics violations -- paralleling the ACM's 4.2 obligation to promote compliance with the code, but with stronger mandatory specifications.
Fairness
Aspirational: proactively examine for bias and correct it. Mandatory: not discriminate, not engage in undisclosed conflicts of interest, not favor one project stakeholder at the expense of others. The fairness standard explicitly addresses conflicts of interest in project decisions -- relevant to IT project managers who influence vendor selection, contractor relationships, and resource allocation in ways that create conflict of interest exposure.
Honesty
Aspirational: proactively share information that stakeholders would want to know. Mandatory: not deceive, not engage in dishonest communication, not misrepresent qualifications. PMI's proactive sharing aspiration goes beyond mere non-deception -- it articulates a duty to volunteer material information that others would want, even when not specifically asked. This is more demanding than a strict non-deception standard and is particularly relevant to project status reporting, which is a chronic source of project ethics failures.
Slide 10 of 35
AITP Code of Ethics: Overview
The Association of Information Technology Professionals Code of Ethics -- focused on IT practitioners and managers, with attention to organizational loyalty alongside public interest.
Structure and Audience
The AITP Code is organized around obligations to four parties: society and society's institutions, the employer, clients, and colleagues and the profession. This multi-party structure makes explicit a feature that other codes address less directly: professional ethics involves navigating obligations to multiple parties who may have conflicting interests. The code's explicit acknowledgment of employer obligations alongside public obligations makes it particularly useful for analyzing cases where these interests conflict.
Obligations to Society
AITP requires that its members: protect the privacy of others, protect the safety of the public (using professional skill and knowledge), and act in the general public interest when performing duties. These obligations are stated first -- before obligations to employers or clients -- which signals their priority in the AITP ethical hierarchy. This ordering matters when obligations conflict: public safety and privacy come before employer loyalty in the AITP framework.
Obligations to Employers
AITP members commit to: making decisions based on best available information, avoiding conflicts of interest, using employer resources only for authorized purposes, and notifying employers of conflicts between employer instructions and ethical obligations. Crucially, the obligation to notify employers of ethical conflicts -- rather than silently complying with problematic instructions -- creates a clear professional path for handling situations where employers ask professionals to do things the code prohibits.
Slide 11 of 35
Four Codes: Comparative Analysis
How do ACM, IEEE, PMI, and AITP approach the same ethical dimensions? A structured comparison.
Dimension
ACM (2018)
IEEE (2020)
PMI (2006)
AITP
Public safety paramount
Yes -- Explicit (1.2)
Yes -- Article I
Implied in Responsibility
Yes -- Society first
Honesty in technical claims
Yes -- 1.3, 2.5
Yes -- Article III
Yes -- Honesty value
Yes -- Explicit
Competence maintenance
Yes -- 2.2, 2.6
Yes -- Article VI
Implied
Yes -- Ongoing education
Non-discrimination / bias
Yes -- 1.4 (explicit on AI bias)
Article VIII (general)
Yes -- Fairness value
Implied in fairness
Privacy protection
Yes -- 1.6 (detailed)
Not specific
Limited
Yes -- Explicit
Whistleblowing support
Yes -- 4.2 (promote code)
Yes -- Challenge unsafe
Yes -- Mandatory report
Yes -- Notify employer
Enforcement mechanism
Membership revocation
Membership revocation
Credential revocation
Membership revocation
Slide 12 of 35
Where the Codes Agree
Despite different structures and emphases, all four major IT professional codes converge on a core set of obligations.
Public Interest Primacy
All four codes place public safety, welfare, and interest above organizational loyalty and personal gain. The ordering may be stated differently -- "paramount" (IEEE), "first" (AITP), or "foundational" (ACM) -- but the hierarchy is consistent. When an IT professional's employer instructs them to do something that harms the public, all four codes require the professional to prioritize the public interest. No code authorizes compliance with instructions that damage public safety or welfare.
Honesty as Non-Negotiable
All four codes require honesty in technical claims, risk assessments, and professional communications. No code permits deception, misrepresentation, or selective disclosure that misleads stakeholders about risks. This consensus is particularly relevant given how many technology ethics cases involve selective disclosure, overpromised capabilities, or suppressed internal research. The codes are unanimous: honest communication is not optional.
Competence as Obligation
All four codes require that professionals only perform work within their competence, maintain their competence over time, and honestly represent the limits of their competence. This creates a continuous obligation in a field that changes as rapidly as IT -- what constituted competence five years ago may not today. The obligation is not to be omniscient, but to be honest about the boundaries of what you know and to actively work to keep those boundaries current.
Whistleblowing as Obligation
All four codes require some form of reporting when professionals observe violations of ethical obligations -- whether to internal parties (AITP), to code-compliance bodies (ACM 4.2), or to appropriate external parties when internal channels fail. Silence in the face of known violations is not ethically neutral under any of the four codes. The specific pathway differs, but the obligation to do something rather than nothing is consistent.
Slide 13 of 35
Where the Codes Differ
The significant differences in emphasis, specificity, and scope across the four codes -- and what those differences mean for application.
Specificity on Contemporary Issues
ACM's 2018 update addresses AI bias, data privacy, and algorithmic systems explicitly. The IEEE Code (2020) is more general. The PMI Code (2006) and AITP Code were written before AI-specific ethics issues became central to computing practice. This means ACM provides more actionable guidance for AI-era dilemmas, while the other codes require more interpretive work to apply. The gap in AI specificity reflects the date of last update, not a deeper disagreement about principles.
Employer Obligations
The AITP Code is the most explicit about obligations to employers: specific confidentiality requirements, conflict of interest procedures, and authorized use of resources. The ACM and IEEE codes address employer relationships less directly, through the general honesty and harm-avoidance principles. PMI's approach is stakeholder-specific. For IT professionals navigating complex employer-public interest conflicts, the AITP Code's explicit structure may be more practically useful than codes that address employer relationships only implicitly.
Privacy
ACM's privacy principle (1.6) is the most developed across the four codes: data minimization, purpose limitation, individual rights, and protection obligations are all addressed explicitly. IEEE does not have a specific privacy article. PMI addresses privacy only in terms of project client confidentiality, not user or public privacy. AITP has explicit privacy obligations but less detail than ACM. For computing professionals working on data systems, ACM's privacy framework is the most directly applicable.
Leadership Obligations
ACM's Section 3 is unique in providing explicit principles for professionals in leadership roles -- a recognition that organizational leadership has distinct ethical obligations beyond individual professional conduct. IEEE, PMI, and AITP do not have equivalent leadership-specific sections. For IT managers and executives, ACM's leadership principles provide guidance that is not available in the other codes -- particularly on creating ethical organizational cultures and managing conflicts of interest at the organizational level.
Slide 14 of 35
Software Engineering Code of Ethics
The ACM/IEEE Software Engineering Code of Ethics and Professional Practice -- a joint code specifically for software engineers.
Origins and Status
Developed jointly by ACM and IEEE in 1997 as part of the initiative to establish software engineering as a recognized engineering discipline. Adopted by both organizations. Consists of eight principles organized around the key stakeholder relationships of software engineering practice. The SE Code was a response to the growing recognition that software engineering required a domain-specific ethics framework, not just the application of general computing or general engineering codes to software contexts.
Eight Principles (Abbreviated)
PUBLIC: Software engineers shall act consistently with the public interest. CLIENT AND EMPLOYER: Act in a manner consistent with the best interests of clients and employers, consistent with the public interest. PRODUCT: Ensure that the products and related modifications meet the highest professional standards possible. JUDGMENT: Maintain integrity and independence in professional judgment. MANAGEMENT: Promote ethical management. PROFESSION: Advance integrity and reputation of the profession. COLLEAGUES: Be fair and supportive of colleagues. SELF: Participate in lifelong learning.
The Product Principle in Detail
SE Code Principle 3 (PRODUCT) is the most operationally detailed for software quality ethics: ensure that specifications are complete and not in conflict; produce adequate documentation; use appropriate methods and tools; test adequately; identify, define, and address ethical, economic, cultural, legal, and environmental issues related to work projects. The requirement to address ethical issues in product work is explicit and specific -- making it a directly actionable standard for software engineers facing quality vs. schedule tradeoffs.
Relationship to ACM and IEEE Codes
The SE Code does not replace the ACM or IEEE codes -- it provides domain-specific elaboration of principles that both codes state more generally. A software engineer is bound by both the SE Code and (as applicable) the ACM and IEEE general codes. When the SE Code and a general code conflict, the general code's principles take precedence. In practice, the codes are consistent and complementary -- the SE Code is best understood as operationalizing general principles for the specific software engineering context.
Slide 15 of 35
SE Code: Public Principle
Principle 1 of the SE Code -- the foundational public interest commitment, with its specific operational requirements.
SE Code Principle 1 -- PUBLIC
Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate: accept full responsibility for their own work; moderate the interests of the software engineer, the employer, the client and the users with the public good; approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life; disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents; cooperate in efforts to address matters of grave public concern caused by software.
A "Approve software only if they have a well-founded belief that it is safe" -- this is why signing off on Therac-25, MCAS, or defective medical device software when you have doubts about safety is a code violation, not just a business decision.
B "Disclose to appropriate persons any actual or potential danger" -- this is the whistleblowing obligation of the SE Code. It does not require waiting for management permission. It requires disclosure when danger is reasonably believed to exist.
C "Cooperate in efforts to address matters of grave public concern" -- this principle requires cooperation with investigations, regulatory reviews, and public accountability processes, not obstruction of them.
Slide 16 of 35
Applying Codes to Cases
A structured method for using professional codes to analyze ethical situations systematically.
Step 1: Identify the Stakeholders
Who is affected by the decision? Users, clients, employers, colleagues, third parties, the public, future generations. Map out all affected parties before beginning ethical analysis. The tendency to overlook indirect or diffuse stakeholders (society, future users, environmental communities) produces analysis that underweights the most significant long-term harms. Systematic stakeholder identification is the precondition for complete ethical analysis.
Step 2: Identify the Applicable Principles
Which principles from which codes apply to this situation? Start with the most specific applicable code (SE Code for software development, PMI Code for project management decisions). Identify the specific principles, not just the general values. "The IEEE Code requires safety to be paramount" is less useful than "IEEE Article I requires that I hold safety paramount, which means I cannot approve this design without resolving the identified safety concern in item 4 of the risk assessment."
Step 3: Identify the Conflicts
Where do the identified obligations conflict -- with each other, with employer instructions, with personal interests, or with legal requirements? Map the conflicts explicitly. This step is where the hard work is. An obligation to maintain confidentiality conflicts with an obligation to disclose danger. The code provides guidance on how to resolve this conflict (public safety overrides confidentiality) -- but the analysis must first identify that a conflict exists before the resolution can be applied.
Step 4: Apply the Priority Ordering
All codes agree: public safety is paramount. When conflicts are resolved by the code's own priority ordering (public safety over employer interest), apply it. When the code does not clearly resolve the conflict, apply ethical reasoning frameworks (utilitarian, deontological, virtue ethics) to reach a principled position. Document your reasoning. The ability to articulate the ethical basis of professional decisions is itself a professional competence the codes require.
Step 5: Act and Document
Act on the conclusion the analysis requires. Document the analysis and the decision. If the action involves reporting a concern, document the specific concern, the reporting pathway used, the date, and the response received. Documentation is not just good practice -- it is the evidentiary foundation that protects you if your decision is later challenged, and it creates the record of ethical conduct that professional accountability requires.
Step 6: Review After the Fact
After a decision is made and its consequences are visible, review the analysis: was the right framework applied? Were all stakeholders adequately considered? Were the consequences foreseeable in retrospect even if not foreseen? This retrospective review is how professional ethical judgment improves over time. It is also how professional communities build the case studies and precedents that inform future ethical reasoning -- which is why the cases in this course exist.
Slide 17 of 35
What Would You Do?
Apply the code analysis framework to these scenarios. Identify the applicable principles before reaching a conclusion.
What Would You Do? Scenario A
You are the lead software engineer on a hospital management system. Your project manager has scheduled the go-live date for three months from now. You assess that completing adequate security testing will require an additional six weeks. The project manager says the date cannot move and that the security testing can be done after launch. Identify: which principles from at least two codes apply. What do they require you to do? At what point, if any, does your obligation change if the project manager is also the CIO?
What Would You Do? Scenario B
You are a certified PMP managing an IT contract for a city government. You discover that your employer has been billing the city for hours not worked. The billing appears to be intentional -- you find evidence suggesting it is a pattern, not an error. Your manager, who approves the billing, is also your performance evaluator. Identify: which PMI Code principles apply. What do they require you to do? Does it matter that you are not personally involved in the billing? What does the PMI Code say about reporting to external parties (the city)?
What Would You Do? Scenario C
You are a senior data scientist at a consumer credit company. Your model has a documented 12% false-positive rate for minority applicants compared to a 6% false-positive rate for majority applicants on adverse credit decisions. Your director says the overall accuracy of the model is high and within regulatory guidelines. Identify: which principles from ACM and the SE Code apply. Does the fact that you are within regulatory guidelines affect your ethical obligation? What does the code require you to do when your analysis conflicts with your director's determination?
Slide 18 of 35
The Limits of Codes
What codes of ethics cannot do -- understanding the limitations that must be addressed through other mechanisms.
Codes Cannot Enforce Themselves
No code of ethics enforces itself. Enforcement requires: awareness (professionals must know the code exists), understanding (professionals must be able to apply it), organizational cultures that support application, compliance monitoring, and consequences for violations. A professional who has never read their professional code cannot apply it. An organization that does not reference codes in its culture has effectively neutralized them. Codes are tools -- they require wielders.
Membership Is Voluntary
ACM, IEEE, PMI, and AITP membership is all voluntary. Unlike the bar association or medical board, they cannot prevent non-members from practicing. A software engineer who is not an ACM member is not bound by the ACM Code. Even members who are bound face only membership revocation as the maximum sanction -- they can continue to practice computing. This structural limitation means professional codes have far less regulatory force than codes in licensed professions, and their effectiveness depends primarily on professional culture rather than enforcement.
Codes Cannot Resolve All Conflicts
Professional codes provide frameworks for ethical reasoning, not algorithms that produce determinate answers to every ethical question. When two legitimate principles conflict -- confidentiality vs. transparency, honesty vs. harm avoidance -- codes provide priority orderings and general principles, but applying them to specific situations requires judgment. An engineer who says "the code tells me exactly what to do" is probably misreading the code. It tells you what principles apply and what considerations take priority. Judgment about specific application is still required.
Codes Are Not Politically Neutral
Professional ethics codes reflect the values of the communities that produce them. ACM and IEEE are North American-dominated professional associations whose membership skews toward employed engineers in commercial settings. The codes reflect those perspectives. They are less developed on issues of global labor justice, environmental sustainability, and the political economy of technology development than on technical quality and individual professional conduct. Reading the codes critically -- aware of what they emphasize and what they underemphasize -- is part of sophisticated professional ethics.
Slide 19 of 35
Professional Codes and AI
How existing codes apply to the ethical challenges of AI development and deployment -- and where new guidance is needed.
ACM's AI-Specific Guidance
ACM Principle 1.4 explicitly addresses algorithmic bias: computing professionals must "design and implement systems that are robustly and reliably usable by a diversity of people." Principle 2.5 (give comprehensive, accurate assessments) directly applies to AI performance claims. Principle 1.6 (respect privacy) applies to training data and inference systems. The 2018 update made ACM the most AI-ready of the major codes -- but even it was written before large language models and generative AI were the defining challenges of the field.
Where Existing Codes Fall Short on AI
Existing codes do not explicitly address: obligations regarding training data consent and copyright, the explainability requirement for high-stakes AI decisions, algorithmic impact assessment requirements, obligations regarding AI-generated content labeling, the governance of AI systems that make decisions affecting many people simultaneously, or the environmental obligations created by large-scale AI training. These gaps are being addressed through supplemental guidance documents and proposed new principles, but they represent limitations in the current code frameworks.
Applying Existing Principles to AI
The core principles apply even when specific AI guidance is absent: avoid harm (AI systems that cause documented harm violate this); be honest (AI performance claims must be accurate and not misleading); respect privacy (AI systems must not use data beyond their stated purpose); be fair (AI systems must be tested for disparate impact before deployment in consequential contexts); maintain competence (AI engineers must understand the capabilities and limitations of their systems). The principles generalize -- applying them to AI requires judgment, but not new principles.
Slide 20 of 35
Codes vs. Employer Instructions
All four codes address the situation where employer instructions conflict with professional obligations. What do they require?
The Hierarchy
All four codes establish the same hierarchy when employer instructions conflict with professional obligations: (1) Legal requirements -- follow them, or withdraw from the work. (2) Public safety and welfare -- these override employer instructions. (3) Professional code obligations -- these override employer instructions that conflict with them. (4) Employer instructions -- follow them within the bounds established by 1-3. The hierarchy is not ambiguous. Professionals who follow employer instructions that violate the first three levels are not sheltered by the "following orders" rationale -- the codes explicitly reject it.
The Internal Escalation Pathway
When a supervisor gives a professionally unacceptable instruction, the codes generally expect: (1) communicate the concern clearly to the supervisor, with the specific professional obligation invoked, (2) if the supervisor maintains the instruction, escalate to the next level of management, (3) if organizational escalation fails, consider reporting to the relevant professional body, regulator, or (for safety issues) public disclosure. Not every concern requires immediate external escalation -- the process gives organizations an opportunity to correct problems before external action is required.
When Internal Escalation Is Not Required
Internal escalation is not required when: the wrongdoing involves senior management (they are the escalation target), reporting internally would expose the reporter to immediate retaliation before the concern can be addressed, the harm is ongoing and immediate and cannot wait for the internal process, or internal reporting has already been tried and suppressed. In these circumstances, the codes support and in some cases require external disclosure without exhausting internal channels.
The Professional's Final Recourse
All four codes implicitly recognize withdrawal from participation as the ultimate professional recourse when complying with an employer instruction would require violating the code. "I cannot perform work that violates my professional obligations" is a legitimate professional position, recognized by the codes, even when it results in termination. The codes do not make this easy -- they acknowledge the personal cost. But they are consistent that professional obligation does not end when an employer demands otherwise.
Slide 21 of 35
Codes and Corporate Ethics Programs
How professional codes relate to organizational ethics and compliance programs -- and what distinguishes effective programs from theater.
Compliance vs. Ethics Programs
Compliance programs focus on preventing legal violations. Ethics programs focus on promoting ethical behavior beyond legal minimums. Most large organizations have compliance programs; fewer have genuine ethics programs. The distinction matters: a compliance culture asks "is this legal?" An ethics culture asks "is this right?" A professional whose employer has only a compliance program must supply the ethical analysis themselves -- the organization will not prompt it. This makes professional codes more, not less, important in compliance-only environments.
Ethics Hotlines and Their Effectiveness
Most large organizations have ethics hotlines or reporting mechanisms. Research on their effectiveness is mixed: they are most useful when: reporters can report anonymously, reports are investigated by a genuinely independent function (not HR that reports to the people being reported on), reporters are protected from retaliation, and reports produce visible consequences for violations. Hotlines that exist to satisfy regulatory requirements without these features function as ethics theater -- creating the appearance of accountability without its substance.
Ethics Training and Code Literacy
Effective integration of professional codes into organizational ethics programs requires: including code content in professional development training, making code application part of performance expectations, referencing codes in ethics policy documents, and creating mechanisms for professionals to raise code-based concerns (not just compliance violations). Organizations that have never asked their IT professionals whether they have read the ACM or IEEE code have tacitly communicated that the codes are irrelevant to their work. That communication is consequential.
External Accountability
Organizational ethics programs without external accountability structures can be captured by the organizations they are meant to hold accountable. Boeing's ethics program, Volkswagen's compliance program, and Wells Fargo's internal controls all failed to prevent major ethical violations because they reported to management rather than independent oversight. External accountability -- through regulatory oversight, independent audit, third-party compliance verification, or board-level ethics committee independence -- is required for organizational ethics programs to function where the stakes are highest.
Slide 22 of 35
Building an Ethical Case
When you need to make an argument for an ethical position in a professional context, how do you construct it persuasively?
Ground It in the Code
Reference the specific principle, not the general value. "I believe this is wrong" is easy to dismiss. "ACM Principle 2.5 requires comprehensive and accurate assessment of risks, and the current reporting omits the identified vulnerability from the client's risk presentation" is specific, objective, and harder to dismiss. Grounding ethical arguments in recognized professional codes provides external authority for positions that might otherwise appear as personal preference or political opinion. It also demonstrates that the position is principled, not arbitrary.
Quantify the Risk
Abstract ethical arguments are less persuasive than concrete risk assessments. "Deploying this with the known defect creates ethical issues" is less persuasive than "Deploying this with the known defect exposes approximately 40,000 users to potential data loss, creates regulatory penalty exposure under HIPAA Section 164.312(a)(2)(iv), and would require disclosure under the SE Code Principle 1 if it results in harm." Connecting ethical obligations to concrete risks makes the argument actionable and removes the abstraction that allows decision-makers to delay.
Document in Writing
Verbal objections leave no record. Written objections -- memos, emails, formal risk assessments -- create a record of the concern, the date it was raised, and the response. This documentation protects you if the feared harm materializes; it creates evidence of good-faith professional conduct; and it takes the argument out of the interpersonal dynamic where power differentials are most operative and into the documentary record where the content of the argument matters more. If you raise an ethical concern, put it in writing.
Slide 23 of 35
Codes Applied: Case Set 1
Apply the analysis framework to the cases covered earlier in this course.
A Therac-25: SE Code Principle 1 (approve software only with well-founded belief it is safe), SE Code 3 (test adequately), IEEE Article I (hold safety paramount). The AECL engineers who tested inadequately and shipped without hardware interlocks violated all three. The institutional suppression of operator reports also violated SE Code 1 (cooperate in efforts to address matters of grave public concern).
B Boeing 737 MAX: ACM 2.5 (give comprehensive, accurate assessments -- violated by not disclosing MCAS's full authority), IEEE Article I (hold safety paramount -- violated by prioritizing schedule over safety validation), SE Code 1 (disclose actual or potential danger -- violated by not informing pilots and airlines of MCAS existence).
C IBM Watson for Oncology: ACM 1.3 (be honest and trustworthy -- violated by misleading marketing of capabilities), ACM 2.5 (give accurate assessments -- violated by omitting training data limitations), IEEE Article III (be honest and realistic in stating claims -- violated by overpromising clinical performance).
D Cambridge Analytica: ACM 1.6 (respect privacy -- violated by API design enabling mass data harvest without meaningful consent), ACM 1.3 (be honest -- violated by not disclosing the breach to affected users), PMI Fairness (mandatory standard against undisclosed conflicts of interest -- violated by concealing the breach investigation from regulators).
E COMPAS: ACM 1.4 (be fair, take action not to discriminate -- violated by deploying an algorithm with documented racial error disparities without remediation), ACM 2.5 (give comprehensive assessments -- violated by not disclosing the algorithm's performance disparities to the courts using its output).
Slide 24 of 35
Codes Applied: Case Set 2
Applying the analysis to the Week 4 cases.
F Frances Haugen (Facebook): ACM 4.2 (uphold and promote the code, report violations) -- supports her disclosure. ACM 1.7 (honor confidentiality) -- in tension, but the code is clear that public safety obligations override confidentiality. ACM 3.7 (recognize conflicts of interest) -- her disclosure identified a systematic conflict between Facebook's revenue interests and user safety that organizational leadership was failing to manage.
G Amazon Resume Screening (Algorithmic Bias): ACM 1.4 (be fair, take action not to discriminate) -- required either retraining the model to remove the gendered bias or not deploying it. ACM 2.5 (give accurate assessments) -- required honest communication to users of the tool about its documented bias before deployment. ACM 1.2 (avoid harm) -- required addressing the foreseeable harm to women applicants from deployment.
H Myanmar (Facebook Content Moderation Failure): ACM 1.2 (avoid harm -- foreseeable harm from inadequate moderation capacity required action), ACM 1.1 (contribute to human well-being -- deploying a platform as primary internet infrastructure for a country without investing in adequate safety for that language violated this obligation). SE Code Principle 1 (cooperate in efforts to address matters of grave public concern) -- required cooperation with UN investigators rather than resistance.
I H-1B Wage Suppression: ACM 1.4 (be fair, take action not to discriminate) -- paying equivalent workers less based on visa status, when the visa status is a legally engineered power asymmetry, is a fairness violation. AITP Obligations to Colleagues -- treating H-1B colleagues as second-class workers based on immigration status violates the obligation to treat colleagues with respect and fairness. PMI Fairness (mandatory standard) -- managers who approve discriminatory pay arrangements violate PMI's mandatory fairness standard.
J Gig Worker Misclassification: AITP Obligations to Society -- denying employment protections to economically dependent workers by intentional misclassification harms public welfare. ACM 1.2 (avoid harm) -- knowingly depriving workers of health insurance, minimum wage protection, and labor rights constitutes a foreseeable harm that the code requires be addressed. PMI Responsibility (mandatory) -- acting in the best interest of affected parties requires honest classification of the economic reality of the relationship.
Slide 25 of 35
The Emerging Professional
How do you build the professional ethics infrastructure you will need throughout your career?
Read the Codes
The ACM Code is approximately 4,000 words. The IEEE Code is shorter. The SE Code is comprehensive. The PMI Code is well-organized. Reading these documents -- actually reading them, not scanning -- takes a few hours total. For documents that govern professional obligations that can determine whether people live or die, that is a reasonable time investment. Most working IT professionals have never read the codes that govern their profession. This is a remediable situation. Remedy it today.
Develop an Ethics Vocabulary
Having the language to articulate ethical concerns precisely is a professional skill. "This feels wrong" does not function in a professional context the way "ACM Principle 2.5 requires comprehensive disclosure of known risks, and this deliverable omits the three risk factors documented in the testing report" does. The cases in this course, the frameworks from this module, and the terminology of ethical reasoning all contribute to a professional ethics vocabulary that makes you more effective when ethical concerns must be raised.
Practice Before the Crisis
The worst time to develop your ethical analysis skills is when you are in the middle of a crisis, under time pressure, and professionally exposed. The best time is now -- in case studies, classroom discussions, and low-stakes professional situations where you can reason carefully without consequences. The skills you develop in analyzing Therac-25 and Cambridge Analytica are the skills you will need when you discover a security vulnerability in your company's production system the day before a major launch.
Slide 26 of 35
Codes and Licensure
The ongoing debate about whether software and IT engineering should require licensure -- and what professional codes would look like if backed by regulatory enforcement.
The Case for Licensure
Medicine and law are licensed because their practitioners can cause serious harm to clients who cannot adequately evaluate their competence. Software engineers can cause the same caliber of harm -- Therac-25, Boeing MCAS, and medical device defects make this clear. Licensure would require demonstrated competence, bind practitioners to enforceable ethical codes, enable license revocation for violations, and create the professional accountability structure that voluntary membership in associations cannot provide. The Texas PE licensing for software engineers (for safety-critical work) is the most significant US experiment in this direction.
The Case Against Licensure
Software evolves too rapidly for licensure frameworks to remain current. Entry barriers to practice would reduce innovation and harm smaller development communities. Most software development does not have the same direct harm potential as medical practice or structural engineering. Licensure would favor established practitioners over newcomers, entrench incumbents, and create bureaucratic costs without equivalent safety benefits. The open source community, which has produced much of the most reliable software infrastructure, would be particularly burdened by licensure requirements.
Current State
No jurisdiction requires software engineering licensure for general practice. The Texas State Board of Professional Engineers has a software engineering PE license. Canada's provincial engineering associations issue Professional Engineer designations to software engineers. The UK established the Chartered Engineer pathway for software and systems engineers. For safety-critical system development (avionics, nuclear, medical devices), regulatory certification requirements effectively function as a form of licensure for the specific work, if not the general profession.
The Middle Ground
Some proposals suggest risk-tiered credentialing: general software development requires no license; development of safety-critical software (defined by the harm potential of failure) requires demonstrated competence and ongoing professional development; and management of safety-critical software projects requires certification. This approach targets regulatory burden at the highest-risk activities without creating barriers across the full breadth of computing practice. It is analogous to how the FAA certifies commercial pilots but not all aircraft operators.
Slide 27 of 35
The Virtue Ethics Supplement
Why codes alone are not sufficient -- and what virtue ethics adds to professional ethics reasoning.
What Virtue Ethics Asks
Rule-based ethics (follow the code) and outcome-based ethics (maximize welfare) are both important. Virtue ethics asks a different question: "What kind of person do I want to be, and what would that person do in this situation?" Aristotle's framework identifies virtues -- courage, honesty, practical wisdom, justice, temperance -- as dispositions that guide right action across contexts, not rules to be applied mechanically. A virtuous professional does not ask "does the code require this?" They ask "is this what an honest, courageous, practically wise professional would do?"
Where Virtue Ethics Fills the Gaps
Codes have gaps -- situations they do not cover, ambiguities about application, and conflicts they do not resolve. Virtue ethics provides guidance in those gaps by asking what a person of good character would do. In the space between "clearly required by the code" and "clearly prohibited by the code" lies a large domain of professional discretion. Virtue ethics guides the exercise of that discretion toward what an honorable professional -- not merely a compliant one -- would choose.
Professional Courage
The virtue most directly relevant to whistleblowing, raising safety concerns, and challenging management decisions is courage -- the disposition to do what is right even when it is difficult, costly, or threatening. Roger Boisjoly had the courage to argue against the Challenger launch. Frances Haugen had the courage to copy documents and testify before Congress. Professional courage is not recklessness -- it is the willingness to act on a principled position despite personal cost. This is a virtue, not a code requirement, and it must be cultivated, not just mandated.
Slide 28 of 35
Ethical Frameworks: Comparative Summary
A structured comparison of the four ethical frameworks used throughout this course -- and how they interact with professional codes.
Utilitarianism
Maximize aggregate welfare. Minimize aggregate harm. The right action produces the best outcomes for the most people. Strength: provides a systematic framework for weighing competing harms. Weakness: can justify harm to individuals or minorities if the aggregate benefit is large enough. Relationship to codes: utilitarian reasoning underlies "avoid harm" principles -- code requirements to minimize foreseeable harm reflect utilitarian logic. But codes also contain deontological constraints that limit pure utilitarian calculation.
Deontology (Kant)
Act only on principles you could will to be universal laws. Treat persons as ends, never merely as means. Rights are inviolable regardless of consequences. Strength: provides clear constraints against exploiting individuals for aggregate benefit. Weakness: can produce rigidly counterproductive results when rules conflict or consequences are catastrophic. Relationship to codes: deontological thinking underlies honesty requirements (you must tell the truth even when lying would produce better outcomes), non-discrimination (you cannot treat people as means to efficiency), and the prohibition on concealing safety risks.
Virtue Ethics
Focus on the character of the moral agent rather than rules or outcomes. Ask what a person of good character would do. Cultivate virtues (honesty, courage, justice, practical wisdom) that guide right action across contexts. Strength: handles novel situations and ambiguous cases that rules cannot fully specify. Weakness: less action-guiding in specific situations than rule-based frameworks. Relationship to codes: virtue ethics provides the motivational foundation for code compliance -- the virtuous professional follows the code because they are honest and care about public welfare, not merely because the code requires it.
Social Contract / Contractarianism
Moral norms are principles that rational persons would agree to behind a "veil of ignorance" (Rawls) -- not knowing their position in society. Focus on fairness and the rules that would be acceptable to all parties. Strength: provides a framework for evaluating distributional fairness and social institutions. Relationship to codes: social contract thinking underlies privacy and consent requirements (people would agree to information norms that protect their autonomy if they did not know whether they would be the data subject or the data collector) and non-discrimination standards (principles should be acceptable regardless of which group you are in).
Slide 29 of 35
What Would You Do?
Code conflict scenarios -- situations where two valid principles point in different directions.
What Would You Do? Scenario A -- Confidentiality vs. Disclosure
You are an IT security consultant who has completed an assessment for a healthcare client. The assessment is confidential under your contract. You find significant security vulnerabilities. The client receives the report and says they will address the issues next quarter due to budget constraints. You assess that in the current state, patient data is at material risk of breach. The client invokes confidentiality and instructs you not to disclose. How do you navigate ACM 1.7 (honor confidentiality) against ACM 1.2 (avoid harm) and the SE Code's obligation to disclose potential danger?
What Would You Do? Scenario B -- Competence vs. Refusal
Your employer assigns you to lead development of an AI fraud detection system for a financial services client. AI development is not your core expertise -- you have general software engineering skills and have taken one AI course. The timeline is aggressive. You can either accept the assignment (risking inadequate work and code violations for working outside competence) or refuse (risking your employment and the client relationship). The codes say only perform work in areas of competence. But you could also learn. Where is the competence threshold, and who decides it?
What Would You Do? Scenario C -- Public Disclosure Timing
You are a security researcher who has found a critical vulnerability in widely used medical device software. You notify the vendor. After 90 days (Google's standard coordinated disclosure timeline), the vendor has not patched the vulnerability. You have evidence the vendor has known about a similar vulnerability for two years. Patients may currently be at risk. Do you disclose publicly? Notify the FDA? Contact a journalist? The SE Code says disclose potential danger "to appropriate persons or authorities." Who is the appropriate authority here?
Slide 30 of 35
Emerging Ethics Domains
Areas where professional codes are being extended or where new guidance is most actively being developed.
Autonomous Systems Ethics
IEEE has published "Ethically Aligned Design" -- a comprehensive framework for autonomous and intelligent systems. It addresses: embedding human values in AI, avoiding harm, accountability for autonomous system decisions, and transparency in how autonomous systems make decisions. The ACM and IEEE codes did not anticipate autonomous vehicles, autonomous weapons, or autonomous medical decision systems. These are areas where new principled frameworks -- not merely extensions of existing codes -- are being developed to address qualitatively new ethical challenges.
Quantum Computing Ethics
Quantum computers capable of breaking current encryption standards would make most current privacy and security infrastructure obsolete. The ethical obligations around transition to quantum-resistant cryptography, the timeline for disclosure of quantum capabilities, and the national security implications of quantum computing are beginning to receive attention in professional ethics communities. These are areas where current codes apply in principle but where domain-specific guidance will be needed as the technology matures.
Brain-Computer Interface Ethics
Devices that interface directly with the human brain -- for medical purposes (treating Parkinson's, restoring motor function) and potentially for commercial purposes (direct neural input to computing systems) -- raise ethical questions about bodily autonomy, cognitive privacy, the right to mental integrity, and the fairness of cognitive enhancement access that existing codes do not address. These are not distant future problems -- Neuralink and other companies are conducting human trials now. Professional ethics frameworks are lagging the technology.
Slide 31 of 35
The Professional Ethics Landscape
An overview of the full ecosystem of documents, organizations, and frameworks that compose professional IT ethics in 2025.
A Professional codes: ACM (2018), IEEE (2020), SE Code (1997), PMI (2006), AITP. Voluntary but authoritative. Define professional obligations. Used in ethics analysis, litigation, and regulation.
B Industry AI ethics frameworks: Google AI Principles, Microsoft Responsible AI, IBM AI Ethics, Partnership on AI. Vary in specificity and enforcement. Generally weaker than professional codes on enforcement. Reflect corporate interests alongside genuine ethical commitments.
C Government frameworks: NIST AI RMF, EU AI Act (legally binding), UK AI Safety Institute, Biden Administration AI Executive Order (partially rescinded). Range from voluntary guidance to binding regulation. EU AI Act is the most comprehensive binding framework globally.
D Academic and research frameworks: Belmont Report principles adapted to AI, Algorithmic Fairness research community, AI safety research community (DeepMind, Anthropic, OpenAI safety teams). Developing technical and conceptual frameworks that will eventually inform codes and regulation.
E International standards: ISO/IEC 42001 (AI Management Systems), IEEE Std 7000-2021 (ethical concerns in system design), ISO/IEC 27001 (security). Standards provide technical specifications for implementing ethical principles that codes state at a higher level of abstraction.
Slide 32 of 35
The Course in Review
The themes that have run through Weeks 1-4 and how they connect to the codes covered in this module.
Ethics Frameworks in Practice
Utilitarianism, deontology, virtue ethics, and social contract theory are not competing answers -- they are complementary lenses. The most robust ethical analysis uses multiple frameworks. When they converge (the Therac-25 failure was wrong under all four frameworks), the case is clear. When they diverge (the trolley problem, whistleblowing tradeoffs), the analysis must engage with the divergence rather than defaulting to one framework. The codes integrate elements of all four -- which is part of why they remain useful across such diverse situations.
Systemic vs. Individual Ethics
Most technology ethics failures are not produced by individual bad actors. They are produced by systemic failures: commercial incentives that outweigh safety considerations, organizational cultures that suppress concerns, regulatory gaps that permit harms, and market structures that reward under-investment in quality and safety. Individual professional ethics is necessary but insufficient. Systemic responses -- regulation, liability reform, governance structures, professional accountability -- are required alongside individual virtue. Both matter. Neither alone is sufficient.
The Practitioner's Agency
The consistent message of every case in this course: real people made choices that produced the outcomes. AECL engineers chose not to conduct formal safety analysis on the Therac-25. Boeing engineers chose to certify MCAS on a single sensor. Facebook chose not to implement available fixes for teen mental health harm. These choices were not inevitable. Other choices were available. The practitioners who made them had professional codes that pointed toward different choices. The distance between the code and the decision is the space where professional ethics lives -- and where you will spend your career.
Slide 33 of 35  |  Discussion Questions
Discussion Questions
Final module discussion questions. These integrate material from the full course.
1 All four codes agree on the priority of public safety over employer interests. Yet in every major case in this course, professionals prioritized employer interests over public safety. What does this gap between code and practice tell us about the limits of professional codes, and what structural changes would reduce it?
2 Compare how the ACM Code and the SE Code handle the obligation to disclose safety risks. Which is more actionable in a specific professional situation? Are they consistent, or do they create any tension in their application?
3 The AITP Code explicitly addresses obligations to employers as well as to society, while the ACM Code addresses employer relationships more indirectly. When an IT professional faces a conflict between these two sets of obligations, which code provides better practical guidance? Why?
4 Should software engineering require professional licensure for safety-critical work? Construct a complete argument for and against, and take a position. What specific criteria would you use to define "safety-critical" for this purpose?
5 Identify a current technology product or practice that you believe is ethically problematic but does not clearly violate any existing code. Analyze it using the codes, identify the nearest applicable principles, and explain whether the gap indicates a limitation of the codes or a feature (that is, whether the codes' silence reflects genuine ethical permissibility or an oversight in code development).
Slide 34 of 35  |  Exercises
Final Exercises
Capstone exercises for the Ethics in IT course. These integrate material from all eight weeks.
1 Read the ACM Code of Ethics in full (acm.org/code-of-ethics). Identify the three principles you find most difficult to apply in practice, explain why each is difficult, and describe a specific professional scenario in which you would face the difficulty you identify.
2 Select one of: Therac-25, Boeing 737 MAX, IBM Watson for Oncology, Cambridge Analytica, or COMPAS. Prepare a complete code analysis: identify all applicable principles from at least two codes, the specific code violations, what the codes required but was not done, and what professional intervention at what point in the timeline could have produced a different outcome.
3 Write a two-page personal ethics statement for your professional practice: which code(s) you commit to following, which three principles you consider most fundamental to your own practice, how you will handle situations where employer instructions conflict with your code obligations, and what you will do if internal escalation fails. This document is for you -- write it as if you intend to keep it.
4 Compare the enforcement mechanisms of ACM, IEEE, PMI, and the state bar association (lawyers) and the state medical board (physicians). What explains the difference in enforcement power? What would need to change for computing professional codes to have equivalent enforcement power? Would you support those changes? Why or why not?
5 Design a 30-minute ethics training module for a hypothetical 100-person IT department that has never explicitly engaged with professional codes of ethics. Specify: the learning objectives, the content covered, the format, the cases or scenarios used, how you would assess whether the training produced genuine ethical understanding versus rote compliance, and how you would connect the training to daily professional practice rather than leaving it as a one-time event.
Slide 35 of 35  |  Course Capstone
Course Capstone
What this course has been, what the codes require, and what you are responsible for from here.
The cases in this course are not historical curiosities. They are templates. The pattern -- a technology creates foreseeable harm, the organization knows, the codes require action, the action does not happen, people are hurt -- will recur throughout your career. You will be in the room when the decision is made. You will know the codes. The question is whether knowing will be enough to produce action.
9 Principles to Carry Into Practice
1 ACM, IEEE, SE Code, PMI, and AITP all agree: public safety is paramount. When it conflicts with employer interest, schedule, or commercial pressure, safety wins. This is not a soft aspiration. It is the foundational commitment of professional computing ethics.
2 Honesty in technical claims is non-negotiable under all four codes. No overpromising, no selective disclosure, no suppression of risk information. The IBM Watson case, the Boeing MCAS case, and the Cambridge Analytica case all centrally involve violations of this principle.
3 Competence is a continuous obligation. In a field that changes as rapidly as IT, what constituted competence five years ago may not today. The obligation to maintain competence and to honestly represent its limits is ongoing, not a one-time certification.
4 All four codes support and, in some circumstances, require whistleblowing when internal channels fail. The obligation is uncomfortable. The codes do not make it comfortable. They make it clear.
5 Fairness includes proactive bias testing. ACM 1.4 does not merely prohibit discrimination -- it requires action to prevent it. Deploying systems with documented disparate impact without attempting to remediate is a code violation, not merely a business risk.
6 Professional codes do not enforce themselves. They require aware, capable, courageous professionals operating in organizational cultures that support ethical behavior. Individual virtue and structural accountability are both necessary.
7 Codes apply beyond technical work. How you treat colleagues, contractors, H-1B workers, gig workers, and the communities affected by your organization's environmental footprint are all within the scope of professional ethics.
8 Technology determinism is an ethical choice. When you call technological change inevitable, you are declining responsibility for its outcomes. Real professionals own the choices in the systems they build -- including the choices about what the systems do and to whom.
9 Professional courage is a virtue, not a rule. No code can compel it. It must be cultivated. The practitioners in this course who acted rightly -- Boisjoly, Haugen, the Google engineers who walked out -- did so at personal cost. That is what professional courage means in practice.