I disagree with some of the earlier responses to this inquiry. In my opinion, IRB requests are intended to get you to think through your methods and the potential for harm or unintended consequences. You should be willing to think through a reasonably rigorous and grounded assessment of risk for any activity you are considering. This assessment should interrogate issues such as: what personally identifiable data are produced at every step? are there nonvisible copies produced that we usually don't think about? where are they stored? what are the security issues associated with these storage functions? is there a risk of reidentification of anonymized data? what are reasonable interventions for the identified risks? which risks are most probable? Generally, I agree that the risks are probably low, but identifying them and writing them up is part of the justification that the risks are low. However, you also have to think about how these risks apply not only to you and your machines, but also to the machines of your participants. For this reason, I disagree that this research is similar to a phone interview or to a face to face interview in a cafe. In my opinion, the most probable risks are: a) losing physical control over the machine (theft, loss, etc) b) virus/malware compromising the machine c) password loss or hacker or virus compromising the skype/im/chat account (because the data is stored in the cloud) If I were using skype with my research subjects I would consider the following security precautions: a) make a bootable thumbdrive with a lightweight version of linux on it, install skype there. a distant second choice would be to create a new user/login on a current machine (because most of skype and chat programs store their data in the user profile). if it were a longer term research project I would have a dedicated computer for it that is locked down. b) make a new skype account that is only used for this research (or chat/im account) with a strong password c) make sure that the system is only used are on a wired network or secure vpn. d) have a secure, password protected and firewalled place to put the research data (anonymized is more secure, but then you need to consider where and how to store the anonymization key) e) make sure the participants understand that they are responsible for security on their end, that if they want to be anonymous, they need to (at minimum) make a new skype/chat/im account and consider the security of the machine they are using. After the research is finished: d) delete and overwrite the thumbdrive (or user profile) e) delete the skype/im/chat accounts Why bother with all this? Your personal computer may or may not be secure depending on a whole host of factors. Setting up an independent account and software environment will give you control over it in a more finite way in comparison to personal or office computers. It ensures that the account or machine won't be compromised, lost or stolen at a later date. It might not be sensitive data, but you would still lose face if you had to write all of your participants and inform them that the hard drive you kept the data on was lost in a public place, or if you had to tell them that the account was hacked and some unknown hacker had the data. But why worry about all this? Setting up a good workflow that reduces risks in the long term is about showing honest and ethical due diligence for your research and your methods. It is easier to set up some reasonable precautions than it is to worry about potential unintended consequences. It is definitely easier than mopping up the mess if your colleagues and participants feel a loss of confidence in you because of a data collection accident. And since I'm going on about it: don't forget to back up your data. Don't put it off. It's easy to ignore. I know folks who've made it three quarters of their way through their dissertation writing process and lost a hard drive without having any of it backed up. Nope. None of it. It sucks. Don't put it off. -l On Wed, Mar 7, 2012 at 10:41 AM, Jenni Whitmer <jmariewhitmer@gmail.com> wrote:
I'm in the midst of revising an IRB protocol for my dissertation. I will be interviewing fashion bloggers about their experiences with blogging and their thoughts on the relation between blogging and fashion media. The bloggers I will be interviewing are all public figures, to one degree or another, and I don't see the questions I'm asking as being very sensitive in nature. I planned to interview respondents using their choice of Skype or instant messaging service. The IRB reviewer asked me to clarify how I plan to ensure privacy and confidentiality over Skype and IM specifically because they are online. I'm a little unsure of what to say. I suppose I can't guarantee privacy 100% over a public network, but is the threat really much more notable than being overheard during a face to face or phone interview? I was wondering if anyone had any advice or could refer me to any articles that address this issue. Are there any IM programs I could use that might minimize threats to privacy?
-- Jennifer Whitmer, MA Dept. of Sociology University of Nevada, Las Vegas Las Vegas, NV 89154-5033 phone: 440-429-5957 _______________________________________________ The Air-L@listserv.aoir.org mailing list is provided by the Association of Internet Researchers http://aoir.org Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
Join the Association of Internet Researchers: http://www.aoir.org/