On 10/7/15 10:11 AM, Nathaniel Poor wrote:
I recently got into a discussion with a colleague about the ethics of using hacked data... I can see that some academic researchers -- at least those in computer security -- would be interested in this data and should be able to publish in peer reviewed journals about it, in an anonymized manner (probably as an example of "here's a data hack like what we are talking about, here's what hackers released").
Here are some references on this topic you might look at.

David Dittrich and Erin Kenneally (co-lead authors). The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-..., December 2012.

David Dittrich and Erin Kenneally (eds.). Applying Ethical Principles to Information and Communication Technology Research: A Companion to the Department of Homeland Security Menlo Report. http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPA..., January 2012.

David Dittrich, Katherine Carpenter, and Manish Karir. An Ethical Examination of the Internet Census 2012 Dataset: A Menlo Report Case Study. Technology and Society Magazine, IEEE, 34(2):40-46, June 2015. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7128817

Ronald Deibert and Masashi Crete-Nishihata. Blurred boundaries: Probing the ethics of cyberspace research. Review of Policy Research, 28(5):531-537, 2011.

David Dittrich and Erin Kenneally (eds.). The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-2..., December 2011.

David Dittrich. The Ethics of Social Honeypots. Research Ethics, May 2015. http://rea.sagepub.com/content/early/2015/05/19/1747016115583380.abstract

Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich, and Stuart Schechter. It's Not Stealing If You Need It: A Panel on the Ethics of Performing Research Using Public Data of Illicit Origin. J. Blythe (Ed.): FC 2012 Workshops, LNCS 7398, pp. 124-132, 2012. Springer-Verlag Berlin Heidelberg 2012.
Just as a side note, the Carna Botnet (the IEEE pub above) did in fact set a bad precedent for "researchers" who witnessed the exploitation of weak passwords to illegally obtain data, which turned into illegally accessing similar devices in a similar manner to clean them up without the owners' knowledge, involvement, or permission.

"There was also a well-known research botnet called the Internet Census 2012, where some researchers used access to these devices to make measurements of the internet. Curiously, they decided to block access for some malware, too, so it is a kind of precursor, although their main intent was to publish data, and our main intent is to kill malware."

If you ask me, letting researchers have an ethical "pass" on using illegally obtained data is giving a push to both academic researchers, and self-proclaimed "researchers", as they head down that slippery slope.

-- 
Dave Dittrich
dittrich@u.washington.edu
http://staff.washington.edu/dittrich

PGP key: http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint: 097B 4DCB BF16 E1D8 A06C 7512 A751 C80A D15E E079