a new wrinkle in internet research ethics
... don't mess with code!
<https://thehackernews.com/2021/04/minnesota-university-apologizes-for.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.2470.ka0ao0d8cz.1kao>

What is particularly interesting is that the IRB "had reviewed the study and determined that it was not human research, only to backtrack, adding 'throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns.'"

And: "Our community does not appreciate being experimented on, and being 'tested' by submitting known patches that are (sic) either do nothing on purpose or introduce bugs on purpose," Linux kernel maintainer Greg Kroah-Hartman said in one of the exchanges last week.

Or, to quote a computer scientist engaged in exploring vulnerabilities in network engineering via Big Data approaches, thinking that no IRB review or approval was needed - "it's only data" - only to discover that there were direct, sometimes very negative consequences for human beings as a result: "Oh sh*t, it's people".

Happy ethical reflexivity, folkens.

best,
- charles ess

--
Professor Emeritus
University of Oslo
<http://www.hf.uio.no/imk/english/people/aca/charlees/index.html>
Secretary, IFIP Working Group 9.8, Gender, Diversity, and ICT
<http://ifiptc9.org/9-8/>
Fellow, Siebold-Collegiums Institute for Advanced Studies, Julius-Maximilians-Universität Würzburg, Germany
3rd edition of Digital Media Ethics now out: <http://politybooks.com/bookdetail/?isbn=9781509533428>

On 21-04-27 12:56, Charles M. Ess wrote:
What is particularly interesting is that the IRB "had reviewed the study and determined that it was not human research, only to backtrack, adding 'throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns.'"
I find this confusing: who determined human subjects weren't involved, the researchers or the IRB? I *think* the researchers argued they weren't human subjects research to their IRB, and the IRB accepted this and exempted them from review and consent procedures....?

Looking at the handy OHRP flow charts, this seems like a big mistake.

[a]: https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts-2018/index.h...

1. They were collecting information about living people through intervention, interaction, or that was identifiable private information. And while the disciplinary "carve outs" aren't in the flow chart (e.g., (oral) history, journalism, biography), I've not seen an argument that experimenting on/with a community is precluded.
2. The typical exemptions don't apply (education).
...
13. It sounds like they wanted to make a 45 CFR 46.116(f) claim, that the work was so important yet benign and so they should forgo consent. But I don't think they ever made this argument to their IRB.

More items:

(1) Researchers apologize to the Linux community, but the response is mixed....
https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC7... <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>

Then this morning ...

(2) ZDNet has obtained a copy of the Linux Foundation's letter to the University of Minnesota laying out what happened with the bad Linux kernel patches 'research project' and demanding 'all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment'.
https://www.zdnet.com/article/the-linux-foundations-demands-to-the-universit... <https://www.zdnet.com/article/the-linux-foundations-demands-to-the-university-of-minnesota-for-its-bad-linux-patches/>

I daresay this seems like a horrific matter all around with policy/process/advising loopholes/shortcomings/failures that need to be remedied ..... but as I said the other day, it was only a matter of time before something like this cropped up in the cybersecurity research space in a prominent way -- and that this situation presents an interesting conceptual & practical distinction between IRB approval for testing on "human subjects" vs on things that humans use which might "potentially cause human-harm" (ie malware research, social engineering projects, or doing what these ppl did.)

Many aspects of cybersecurity research, especially deeply technical projects and/or investigation into the 'darker arts' of the discipline can straddle that fine line from time to time, and IRBs need to be aware of the potential consequences.

-- rick

On Apr 27, 2021, at 13:52, Joseph Reagle <joseph.2011@reagle.org> wrote:
On 21-04-27 12:56, Charles M. Ess wrote:
What is particularly interesting is that the IRB "had reviewed the study and determined that it was not human research, only to backtrack, adding 'throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns.'"
I find this confusing: who determined human subjects weren't involved, the researchers or the IRB? I *think* the researchers argued they weren't human subjects research to their IRB, and the IRB accepted this and exempted them from review and consent procedures....?
Looking at the handy OHRP flow charts, this seems like a big mistake.
[a]: https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts-2018/index.h...
1. They were collecting information about living people through intervention, interaction, or that was identifiable private information. And while the disciplinary "carve outs" aren't in the flow chart (e.g., (oral) history, journalism, biography), I've not seen an argument that experimenting on/with a community is precluded.
2. The typical exemptions don't apply (education).
...
13. It sounds like they wanted to make a 45 CFR 46.116(f) claim, that the work was so important yet benign and so they should forgo consent. But I don't think they ever made this argument to their IRB.
Hi everyone,

My new book _Undoing Optimization: Civic action and smart cities_ is out with Yale University Press. It looks at the politics and practices of communication, data and sensing technologies across a range of urban contexts. I try to move past the usual discussion of 'top-down' versus 'bottom up' use of technology and instead look at how citizenship shifts in response to technological change. I end the book with discussions of other kinds of futures.

Order from the press and get 25% off with code YEUDO: https://yalebooks.yale.edu/book/9780300223804/undoing-optimization

The book's being launched TODAY April 28 at 4 PM BST alongside Dan Greene's _The Promise of Access_. The event is here: https://www.adalovelaceinstitute.org/event/technology-civic-engagement-doubl...

All best!
Alison.

--
Dr Alison Powell
Associate Professor, Director of MSc in Data & Society
Department of Media and Communications
London School of Economics and Political Science
Director: JUST-AI Network on Data and AI Ethics
Ada Lovelace Institute
Twitter: @a_b_powell

Participants (4): Alison Powell, Charles M. Ess, Joseph Reagle, Richard Forno