Stealing from the Cambridge Public Library
March 5, 2010
Who’s to blame when IT projects fail? Michael Krigsman argues that blame should generally be shared among the three major culprits (software company, consulting company, customer), and a recent torrid discussion among the Enterprise Irregulars largely supported him. If anything, several pundits have told me in private, blame the customers. “If a customer’s going to be stupid, we can’t stop him,” said one.
I’m not comfortable with this argument, because I don’t think it’s sufficiently rigorous. In any unfortunate chain of events, many people have a hand. But it’s simply wrong to blame them all. Some, because of their role or their power or their ability to influence events are principally responsible, while others are merely incidentally involved or are even victims. To get the blame right, you have to dig down and figure out where the power lies.
To see what I mean, let me use an example used by philosophers in the area. You all probably know that World War I began after Gavrilo Princip assassinated the Archduke Ferdinand in Sarajevo. The problem is, who do you blame? Princip (who, it happened was so indecisive and incompetent that he was walking away from the spot he’d picked), the Archduke, who went to Sarajevo only because he wanted to have an outing with his mistress, or the political situation in Europe? Hard to say. But the one thing you don’t want to do is blame the coachman, who, as it turns out, turned down the wrong street and thereby brought the Archduke right to Princip.
In my view, the closer you are to setting the parameters for a project, the more likely it is that you’re setting the course of future events. So if I want a culprit, I look at the person who’s holding the gun, because it’s his decision whether to fire or not. For that reason, I tend to think that the software vendors are presumptively responsible. They’re the ones who decide what can and can’t be done with the tool they sell, and if they create a situation where dominos like misuse, misunderstanding, careerism, stupidity, etc., fall into each other one after the other, like the great countries of Europe, they are responsible, because they could have and often should have anticipated this and done what they can to prevent it.
This isn’t just because they set the conditions and they are responsible if they design conditions that don’t work. It’s also because they give the people the idea that that’s what they’re doing. We tend to give these mandarins the benefit of the doubt, believing that these products are fully tested, that they accord with best practices, that the most experienced people are working on them, etc., etc., etc. And once they realize that this is the expectation, that people do expect them to be good engineers, etc., etc., they take on extra responsibility. It may be fooish, yes, and If the customers believe that tommy-rot, perhaps their foolishness is contributing to the problem. But it still seems to me that the people who accept the power given them by this false belief need to take the responsibility that goes with it.
And that’s why they are presumptively responsible.
I was reminded, forcibly, of this by a recent event at the local library, which just re-opened in a brand new facility with brand new automatic checkout machines. I’m a good citizen, so when I went in the other day with my seven-year-old red-headed daughter, I renewed a book she hadn’t finished. Thirty minutes later, we checked out a couple of new items that she had found.
In the meantime, somebody had checked out seven videos on my account. I still don’t exactly know how, but let’s just assume for the sake of argument that when I finished renewing, I walked away from the terminal, leaving my session “live,” and somebody later walked up to the terminals and just added a few videos to what “I” was doing.
The sessions do time out, and the first thing you’re supposed to do is scan your card, so there’s at least some possibility that this was done with malice aforethought. Somebody had realized that you can steal the Cambridge Public Library blind, if you just hang around the terminals and act quickly after somebody walks away from them. It’s kind of a public-spirited stealing actually, because the person who gets stuck with the bill is not the taxpayer, but the person who used the terminal. The books appear on their account, and as the supervisor told me later, it’s the library policy to make people take responsibility for the books on their account.
“If you use plastic,” he said, “There are tradeoffs, and you just have to accept that fact, my friend.”
You see, as soon as I found these spurious borrowings on my account, I had immediately gone and found said supervisor and told him. My feeling was, “This is a new system, and it’s flawed. If one person has figured out how to do this, others will, too, and pretty soon, it will be open season on the pitifully few books in the aforementioned library. Somebody had better get cracking and fix this.”
Well, that was my feeling, until I talked to the supervisor, who corrected me. “What you say is impossible. We have never had a case like this. You are responsible for the books. Case closed.” I didn’t take this quietly, so eventually, he took down my name and the list of spuriously borrowed videos, and after I left, he shoved the list in his drawer.
The only reason I know even this much is that three days later, I came in to borrow another book, and the videos were still on my account. “I called the assistant director, but he/she is out of town,” he said. I think if he honestly believed that one could steal lots of books with impunity from the library, he would not have reacted this way. But he didn’t. He just thought I was a liar.
Here is where the aforementioned presumption comes in. This guy simply couldn’t believe that the computer system that he had been given could have a flaw. Rather than believe that, he preferred to believe that I, standing there with my seven-year-old daughter, had checked out the videos (seven of them), secreted them somewhere in the library, gone up to him and tried to get them off my account. After I succeeded, I guess he was thinking, I would then go back to the hidden cache, put the seven videos under my arm and walk out right in front of him.
Now I ask you, which of these scenarios is more implausible. One, the designers of the checkout system did so imperfectly, leaving a security hole, which somebody found, possibly inadvertently. Two, this white-haired father of a seven-year-old was trying to steal from the Cambridge Public Library by claiming that he had not checked out videos that the system said he had just checked out (even though the videos were nowhere about his person).
Implausible as it is, this well-educated person who by his choice of profession shows that he has dedicated himself to the life of the mind simply found it impossible to believe that there was anything wrong with the system. He believed this so firmly and so thoroughly that he couldn’t even be bothered to notify anybody about the problem, even though, if there were a problem, it would be a good idea to fix it as quickly as possible, before the library shelves were emptied. So far as I can tell, he still believes it.
The thing is, I almost fell into the trap, too. I’d had my probity questioned, so you know who I was blaming? That supervisor. I really had to sit down and think before I realized who was really at fault. That’s right, it was the vendor. To see why, think about what happens in an analogous situation, at the bank machine. When you take money out of these machines, you simply can’t leave the machine open for the next guy to use. You have to get your card back, and if you try to leave without doing so, you are alerted, loudly. Clearly, best practice in the area is to make it really hard for somebody else to pirate a session. And the vendor didn’t follow this best practice.
I should have known this from the beginning, because I should have remembered that the vendor is presumptively responsible. But as long as I don’t remember it or the supervisor doesn’t know it, the vendor is off the hook. Instead of blaming Princip (or maybe the Archduke or the political situation in Europe), that supervisor is doing the natural thing and blaming the coachman, the guy who made the last and most visible mistake. And until he can be taught that this is a mistake, books will continue to be stolen from the Cambridge Public Library.