9 min read
When Technology Harms People: The Responsibility of Software Builders
Capability creates responsibility. As software becomes infrastructure, builders owe users more than compliance with their terms of service.
TL;DR
- Software companies routinely point to their terms of service as the boundary of their responsibility. We think that line is drawn in the wrong place, and the AP/FRONTLINE investigation into the global scam economy is a clear example of why.
- The investigation found no illegality by these companies, but raised direct questions about whether they are enforcing their own terms of service against documented abuse.
- The people who built a product understand better than anyone how it could be misused. That proximity to potential harm is where we believe the moral obligation begins, not at the moment abuse occurs.
- We believe builders have a responsibility to their users that goes beyond terms of service. That belief is shaping what we are building next.
Corsair Media Group
Where responsibility begins
When a platform is used to harm people, the company that built it tends to have a ready response: the terms of service prohibit that use, so the responsibility belongs to whoever broke them. That answer is legally defensible. It is also, we think, an insufficient description of what builders owe the people their products reach.
The argument we are making is not about legal liability. We are not suggesting that every platform should bear responsibility for every bad actor that touches it. What we are arguing is more specific: that building software at scale creates a genuine moral obligation to investigate credible abuse, to design against foreseeable harm, and to treat user safety as a product problem rather than a legal one.
The standard we apply to those questions is not a regulatory framework or a legal doctrine. It is simpler than either, and it predates the software industry by a few thousand years. We will come back to it. First, the evidence.
What the investigation found
The AP and FRONTLINE investigation documents how AI tools, cloud infrastructure, and internet connectivity have become integral parts of industrial-scale fraud operations. ChatGPT and Gemini were embedded into software that scam centers used to generate fake personas and manage thousands of simultaneous conversations across dozens of languages. One person documented in the investigation, trafficked to a compound against his will, targeted roughly 50,000 victims in a single month using software built on these tools.
The FTC estimates that scams cost Americans nearly $200 billion in 2024. The United Nations estimates approximately 300,000 people have been drafted into scam operations in Southeast Asia, often against their will.
The investigation does not accuse any of the companies involved of acting illegally. It instead raises a different question: what responsibility does a builder have once credible evidence of abuse exists?
The terms of service problem
Every company named in the investigation has terms of service that explicitly prohibit illegal activity and fraud. Most had documented abuse patterns that AP shared in advance of publication.
OpenAI said it banned three accounts after reviewing the evidence and noted that it detects fraud with 95% accuracy and takes down 100,000 scam accounts per month. Those are meaningful numbers. They also suggest the problem is operating at a scale where enforcement, even when active, has not caught up to the volume of abuse. Starlink did not respond to detailed questions.
What the investigation did find was a consistent gap between the documented evidence of abuse and the enforcement actions that followed.
Outside the United States, the United Kingdom, the European Union, Australia, and Singapore have each introduced requirements that place a higher duty of care on platforms. In the US, the DOJ's Scam Center Strike Force disrupted more than 1.4 million accounts in a single four-day exercise in May 2026, working with industry on a voluntary basis.
Building an app or platform? Let's talk about what responsible data handling looks like.
Talk with CorsairWhat builders are actually responsible for
A telecommunications researcher quoted in the investigation put the incentive problem plainly:
"If there's no disincentive to continuing this, if there's no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?" — Sascha Meinrath, Palmer Chair in Telecommunications, Penn State University
That is a fair description of how incentives work. But underneath the incentive question is a more fundamental one: what does a software company actually owe to the people downstream of what it builds?
Capability creates responsibility. The people who build a product are usually in the best position to anticipate its foreseeable misuse. When an engineering team designs a system capable of generating convincing fake personas, managing hundreds of simultaneous conversations, and operating fluently across dozens of languages, they already understand what that capability could be turned toward. The risk is not something discovered later, in an investigation. It is visible during the design process, before the product ships.
That proximity to the potential for harm is where moral responsibility begins. Not at the moment abuse occurs, but at the moment capability is understood. A company that ships software with foreseeable misuse potential, treats countermeasures as optional, builds no meaningful reporting infrastructure, and fails to investigate credible claims of abuse has made a series of product decisions. Calling it a terms of service issue does not change what those decisions were.
The obligation we are describing is not legal liability for every bad actor who touches a platform. It is moral and operational responsibility: to investigate credible abuse, to design against foreseeable harm, and to treat user safety as a product requirement rather than a liability function. Companies that hold that view behave differently. They investigate credible reports. They build reporting systems people can actually use. They design against foreseeable misuse before it surfaces in an investigation.
If a company does not hold that view, the terms of service function as a ceiling rather than a floor. The distinction between the two becomes visible the moment credible evidence of abuse arrives.
The user in the room
The FTC reported $3.5 billion in losses to imposter scams in 2025, nearly three times what Americans reported losing to the same category five years earlier. The FBI documented $893 million in losses tied specifically to AI-related scams, including voice cloning and deepfake investment schemes.
In March 2026, Google, Meta, Amazon, OpenAI, and several other major technology companies signed the Industry Accord Against Online Scams and Fraud at the UN Global Fraud Summit in Vienna. The commitments include improved detection, clearer reporting channels, and shared intelligence across platforms. The accord is voluntary, with no financial penalties attached.
The principle we hold ourselves to predates summits and investigations, and it is simpler.
"Therefore all things whatsoever ye would that men should do to you, do ye even so to them: for this is the law and the prophets."Matthew 7:12, KJV
We build with that in mind.
What we are building
Technology will only become more capable, and the scale of potential harm will grow with it. What changes that trajectory is whether the companies building these tools treat user safety as a product obligation from the start, rather than a problem to address after the fact.
Risk Bastion reflects that belief. We are building it as a training and risk management resource: a way to give ordinary people a clearer picture of how AI-powered scams operate, what the warning signs look like, and what to do when they recognize one.
The scam economy the investigation describes has industrialized. The people running these operations have access to AI tools that automate outreach, generate convincing personas, and manage hundreds of conversations simultaneously. An ordinary person navigating that environment without training is at a significant disadvantage. Bastion is built to close that gap.
Every generation of software expands what people can do. It also expands what people can do to one another. We believe those two realities cannot be separated. Capability creates responsibility.
We will have more to share as it gets closer to launch. If you are building a product that handles sensitive data or interacts with users in ways that could be exploited, we are glad to talk about what detection, reporting, and responsible architecture look like from the start. Is your product built to resist being used against the people it was meant to serve?
Building software that reaches real people? Let's talk about building it responsibly.
Talk with CorsairContinued reading
Keep exploring related topics that connect strategy, implementation, and long-term maintenance.
Why giving AI full access to your data is riskier than most companies realize
Minimized, scoped, and observable AI data access is the configuration most organizations should be running, and rarely are.
Software vendor lock-in: why AI platforms make an already expensive problem harder to escape
Vendor lock-in has existed across enterprise software for decades, and AI deals add data, model, and orchestration dependencies that are harder to untangle than a typical SaaS migration.
Your app collects location data. Here is what the Supreme Court's geofence warrant ruling means for your business.
The Supreme Court's decision in Chatrie v. United States changed how courts view government access to precise location data held by technology companies.

