In March 2022, the author of node-ipc, a software library with over 1 million weekly downloads, deliberately broke their code.
If the code finds that it’s running in Russia or Belarus, it attempts to replace the contents of every file on the user’s computer with a heart-shaped emoji.
A software library is a collection of code that other programmers can use for their purposes. The node-ipc library is used by Vue.js, a framework that powers millions of websites for companies such as Google, Facebook and Netflix.
This critical security flaw is just one example of a growing trend of programmers self-sabotaging their own code for political purposes. When programmers protest through their code – a phenomenon known as “protestware” – it can have consequences for the people and businesses that rely on the code they create.
Different forms of protest
Malignant protestware is software that intentionally damages or takes control of a user’s device without their knowledge or consent.
Benign protestware is software created to raise awareness of a social or political issue, but does not damage or take control of a user’s device.
Modern software systems are prone to vulnerabilities because they rely on third-party libraries. These libraries consist of code that performs particular functions, created by someone else. Using this code allows programmers to add existing functions into their own software without having to “reinvent the wheel”.
Use of third-party libraries is common among programmers – it speeds up the development process and reduces costs. For example, the libraries listed in the popular NPM Registry, which contains more than one million libraries, rely on average on five to six other libraries from the same ecosystem. It’s like a car manufacturer using parts from other manufacturers to complete their vehicles.
These libraries are usually maintained by one or a handful of volunteers and made freely available to other programmers under an open source software license.
The success of a third-party library relies on its reputation with programmers. A library builds its reputation over time as programmers gain confidence in its capabilities and the responsiveness of its maintainers to reported defects and feature requests.
If weaknesses in the third-party library are exploited, it could give attackers access to a software system. For example, a critical security flaw was recently discovered in the popular Log4j library. This flaw could allow a remote attacker to access sensitive information saved by applications using Log4j, such as passwords or other sensitive data.
What if the vulnerabilities were not created by an attacker looking for passwords, but by the programmer himself with the intention of making his library users aware of a political opinion? The emergence of protestware raises such questions, and the answers are mixed.
Ethical issues abound
A blog post on the Open Source Initiative website responds to the rise of protest software stating that “protest is an important part of free speech that must be protected” but concludes with a warning:
“The disadvantages of vandalizing open source projects far outweigh any possible benefit, and the backlash will ultimately damage responsible projects and contributors.”
What is the main ethical issue behind protestware? Is it ethical to make something worse to make a point? The answer to this question largely depends on the individual’s personal ethical beliefs.
Some people may see the impact of the software on its users and argue that protest software is unethical if it is designed to make their lives more difficult. Others may argue that if the software is designed to make a point or raise awareness of an issue, it may be considered more ethically acceptable.
From a utilitarian perspective, one could argue that if a form of protestware is effective in bringing about a greater good (such as political change), then it may be morally justified.
From a technical perspective, we are developing ways to automatically detect and counter protest software. Protestware would be an unusual or surprising event in the change history of a third-party library. Mitigation is possible through redundancies – for example, code that is similar or identical to other code in the same library or in different libraries.
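One way to make the "surprising event in the change history" idea concrete, as an added example that is not the authors' tooling or node-ipc's code: walk a library's release history and flag any release that introduces a capability (file writes, network calls, geolocation lookups, process execution) that no earlier release used, together with the kind of version bump it arrived in. The capability signatures and the package history below are constructed stand-ins.

```python
import re

# Coarse capability signatures for Node.js source (constructed, illustrative list).
CAPABILITIES = {
    "fs-write": re.compile(r"\bfs\.(write|append|unlink|rm|rename)\w*\s*\("),
    "network": re.compile(r"\b(https?\.(get|request)|fetch)\s*\("),
    "geo-lookup": re.compile(r'https?://[^\s\'"]*(geo|ipinfo|ipapi)[^\s\'"]*', re.I),
    "process-exec": re.compile(r"\bchild_process\b"),
}

def capabilities(source: str) -> set[str]:
    """Return the names of every capability whose signature appears in the source."""
    return {name for name, rx in CAPABILITIES.items() if rx.search(source)}

def release_kind(prev: str, new: str) -> str:
    """Classify a semver bump as 'major', 'minor' or 'patch' (pre-release tags ignored)."""
    p = [int(x) for x in prev.split("-")[0].split(".")]
    n = [int(x) for x in new.split("-")[0].split(".")]
    if n[0] != p[0]:
        return "major"
    if n[1] != p[1]:
        return "minor"
    return "patch"

def surprising_capabilities(history: list[tuple[str, str]]) -> list[tuple[str, str, set[str]]]:
    """Walk (version, source) pairs in release order and report each release that
    adds a capability never seen in any earlier release, with its bump kind.
    A patch release that suddenly writes files or phones home is the kind of
    anomaly a reviewer or automated gate should hold for inspection."""
    seen: set[str] = set()
    findings: list[tuple[str, str, set[str]]] = []
    prev_version = None
    for version, source in history:
        caps = capabilities(source)
        added = caps - seen
        if added and prev_version is not None:
            findings.append((version, release_kind(prev_version, version), added))
        seen |= caps
        prev_version = version
    return findings

# Constructed history of a fictional messaging library: two ordinary releases,
# then a patch release that gains behaviour unrelated to the library's purpose.
HISTORY = [
    ("9.2.0", "const net = require('net');\nmodule.exports = { connect: p => net.connect(p) };"),
    ("9.2.1", "const net = require('net');\nmodule.exports = { connect: p => net.connect(p), retries: 3 };"),
    ("9.2.2", "const net = require('net');\nconst https = require('https');\nconst fs = require('fs');\n"
              "https.get('https://geo.example.invalid/json', r => { /* constructed stand-in */ });\n"
              "fs.writeFileSync(target, data); /* constructed stand-in */\n"
              "module.exports = { connect: p => net.connect(p) };"),
]

if __name__ == "__main__":
    for version, kind, added in surprising_capabilities(HISTORY):
        print(f"{version} ({kind} release) newly uses: {sorted(added)}")
```

Signature matching is deliberately coarse; in practice it would sit beside diff-size statistics and a review step rather than blocking releases on its own.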
The rise of protestware is a symptom of a larger social problem. When people feel they are not being heard, they can use different measures to get their message across. In the case of programmers, they have the unique ability to protest through their code.
Although protest software is a new phenomenon, it is likely here to stay. We need to be aware of the ethical implications of this trend and take steps to ensure that software development remains a stable and secure domain.
We rely on software to run our businesses and our lives. But every time we use software, we place our trust in the people who wrote it. The emergence of protestware threatens to destabilize that trust if we don’t act.