Dear all, what a great question, and what helpful responses! First of all, I appreciate this relatively new case as it helps illuminate the need for continually updating and refreshing the AoIR guidelines. That is, as Nathaniel's careful efforts to make use of the guidelines demonstrates, there's a kind of hole here that clearly needs specific consideration and reflection. (At the same time, Aristotle warned against the impossibility of developing final rules for every new case. In a powerful metaphor (to my mind at least) - guideline and rule-making is somewhat akin to weaving or knitting: every time you weave in a new thread to "cover" a new example or case, you thereby also multiply the holes in your weaving ...) Secondly, without being able to do justice to the full richness of this discussion, a couple of additional observations. One is that I espy some important cultural differences in the ethical argumentation. Correct me where I'm wrong, but a good portion of the argumentation in favor of using the hacked data turns on efforts to consider the consequences of doing so - including possible consequences to the data subjects as well as to the researchers. So far, so good - but this sort of ethical consequentialism is more prevalent in (but by no means exclusive to) U.S./U.K./ and to some degree Australian approaches. (No surprise: the utilitarian philosophers come out of and importantly stamp English-speaking philosophies and cultures in the early 19th century, if not earlier.) By contrast, the example of Stine Lomborg asking for informed consent nonetheless in my mind is an example of the more deontological emphases, especially (but again, by no means exclusively so) in northern Europe and Scandinavia. That is, there is a sense of the importance of respecting foundational rights, with less regard to the consequences of doing so (beginning with making the researcher's life that much more complicated - perhaps to the point of scuttling a project). (Again, no surprise: for all their well-deserved criticism, Kant and Habermas (among others) are regularly invoked in ethical discussions here, especially in connecting our ethics with basic democratic norms, rights, and practices.) While this is clearly painting with a broad brush that screams for a great deal of nuance and counterexample - the contrast, I think, is nonetheless useful in at least two ways. One, it helps more sharply articulate the specific ethical approaches we tend to take up within a given cultural context and tradition, so that we can be clearer about the strengths and limits of those approaches. Two, it helps foreground the ethical difficulty common to much Internet-facilitated research - namely, that our data often draws from and crosses important national and cultural borders, thereby requiring us to pay attention to these culturally-variable emphases insofar as they may apply to a given data set. In the Stine Lomborg example: her taking the more demanding ethical step of asking for informed consent has the advantage of not only going further to ensure basic rights protections - and this, I'm pretty sure, on both deontological and feminist grounds; in addition, had this been an international project, the stronger ethical approach here would have simultaneously met the comparatively weaker demands of a consequentialist approach. Lastly, I'm wondering if anyone has developed analogies from biomedical ethics, i.e., of using medical data drawn from clearly illegal and unethical work (most notoriously, Nazi and Japanese experiments, but certainly also the infamous Tuskeegee Institute work - when they can be legitimately called that)? Insofar as any such analogies might hold - broadly, a consequentialist would argue that great good can come of using data and information, whatever their source, as long as further foreseeable risks are minimal. Some deontologists might argue differently. I dunno - I need more coffee - and it might well be that such analogies would turn out to be fruitless. But in the meantime, again, many thanks for this, and I hope we can take this up as part of the ethics panel at AoIR this year: Friday, October 23, from 1.00-2.50 p.m. (just FYI). Best in the meantime, - charles -- Professor in Media Studies Department of Media and Communication University of Oslo Director, Centre for Research in Media Innovations (CeRMI) Editor, The Journal of Media Innovations <https://www.journals.uio.no/index.php/TJMI/> President, INSEIT <www.inseit.net> Postboks 1093 Blindern 0317 Oslo, Norway c.m.ess@media.uio.no On Thu, Oct 8, 2015 at 4:06 AM, Dave Dittrich <dittrich@apl.washington.edu> wrote:
On 10/7/15 10:11 AM, Nathaniel Poor wrote:
I recently got into a discussion with a colleague about the ethics of using hacked data... I can see that some academic researchers -- at least those in computer security -- would be interested in this data and should be able to publish in peer reviewed journals about it, in an anonymized manner (probably as an example of "here's a data hack like what we are talking about, here's what hackers released").
Here are some references on this topic you might look at.
David Dittrich and Erin Kenneally (co-lead authors). The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research.
http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-... , December 2012.
David Dittrich and Erin Kenneally (eds.). Applying Ethical Principles to Information and Communication Technology Research: A Companion to the Department of Homeland Security Menlo Report.
http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPA... , January 2012.
David Dittrich, Katherine Carpenter, and Manish Karir. An Ethical Examination of the Internet Census 2012 Dataset: A Menlo Report Case Study. Technology and Society Magazine, IEEE, 34(2):40β46, June 2015. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7128817
Ronald Deibert and Masashi Crete-Nishihata. Blurred boundaries: Probing the ethics of cyberspace research. Review of Policy Research, 28(5):531β537, 2011.
David Dittrich and Erin Kenneally (eds.). The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research.
http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-2... , December 2011.
David Dittrich. The Ethics of Social Honeypots. Research Ethics, May 2015. http://rea.sagepub.com/content/early/2015/05/19/1747016115583380.abstract
Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich, and Stuart Schechter. Itβs Not Stealing If You Need It: A Panel on the Ethics of Performing Research Using Public Data of Illicit Origin. J. Blythe (Ed.): FC 2012 Workshops, LNCS 7398, pp. 124β132, 2012. Springer-Verlag Berlin Heidelberg 2012.
Just as a side note, the Carna Botnet (the IEEE pub above) did in fact set a bad precedent for "researchers" who witnessed the exploitation of weak passwords to illegally obtain data, which turned into illegally accessing similar devices in a similar manner to clean them up without the owners' knowledge, involvement, or permission.
"There was also a well-known research botnet called the Internet Census 2012, where some researchers used access to these devices to make measurements of the internet. Curiously, they decided to block access for some malware, too, so it is a kind of precursor, although their main intent was to publish data, and our main intent is to kill malware."
If you ask me, letting researchers have an ethical "pass" on using illegally obtained data is giving a push to both academic reseachers, and self-proclaimed "researchers", as they head down that slippery slope.
-- Dave Dittrich dittrich@u.washington.edu http://staff.washington.edu/dittrich
PGP key: http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint: 097B 4DCB BF16 E1D8 A06C 7512 A751 C80A D15E E079 _______________________________________________ The Air-L@listserv.aoir.org mailing list is provided by the Association of Internet Researchers http://aoir.org Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
Join the Association of Internet Researchers: http://www.aoir.org/