The Ethics of Attack Research: What Are the Rules?

  1. The Ethics of Attack Research: What Are the Rules? Robert E. Kraut Carnegie Mellon University

  2. Hypothermia Experiments with Submersion • Altitude Experiments at Dachau • Mengele’s Research on Twins
  Nuremberg: During the Nuremberg War Crimes Trials, 23 German doctors were charged with crimes against humanity for “. . . performing medical experiments upon concentration camp inmates and other living subjects, without their consent, in the course of which experiments the defendants committed the murders, brutalities, cruelties, tortures, atrocities, and other inhuman acts . . . ”

  3. Tuskegee Syphilis Study
  • US Public Health Service ran a study from 1932 to 1972 on syphilis
  • 399 poor Black sharecroppers were told they were being treated for “bad blood,” but in fact had syphilis and were untreated for syphilis
  • Local physicians were given subject lists of people not to treat
  • Initially no syphilis treatment was available, but by 1947 penicillin, the standard treatment, was withheld from these men
  • Men died
  • Families infected
  • For participating in the study, the men were given free medical exams, free meals and free burial insurance
  • Stopped in 1972 after PHS employees leaked info to the press
  • “I don’t know what they used us for. I ain’t never understood the study.” ~ a survivor ~
  • Info at http://www.cdc.gov/nchstp/od/tuskegee/

  4. Belmont report (1979): Ethical Principles and Guidelines for the Protection of Human Subjects of Research
  • Respect for Persons: individuals have autonomy and choice; people cannot be used as a means to an end; provide protection to the vulnerable; provide informed consent and privacy
  • Beneficence: minimize risks, maximize benefits; obligation to do good; obligation to do no harm; obligation to prevent harm
  • Justice: treat all fairly; share burdens and benefits equitably
  • http://ohrp.osophs.dhhs.gov/humansubjects/guidance/belmont.htm

  5. Federal Regulation
  • Belmont principles instantiated in Federal regulations for treatment of human subjects: http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm
  • System of Institutional Review Boards (IRBs) to monitor human subject research

  6. How Does an Attack Study Look Through the Lens of an IRB? Consider an informed consent decision
  • Respect for persons → informed consent
  • Give participants the choice to participate
  • Provide them all relevant information to help them make an informed decision about participation
  • Document informed consent
  • Jagatic et al. did not obtain informed consent for either phase of their research: harvesting social network information, and the phishing attack experiment

  7. Informed consent decision flow
  • Is it human subjects research? No → informed consent not required. Yes → next question
  • Is the research exempt? Yes → informed consent not required. No → next question
  • Can informed consent be waived? Yes → informed consent not required. No → next question
  • Can documentation of consent be waived? Yes / No
  Research involves human subjects if: data is collected through intervention or interaction with an individual, or data contains identifiable private information (information where the individual can be identified and the individual had a reasonable expectation that no observation was taking place, or that the information was collected for a specific purpose which the individual could reasonably expect would remain private).
  Research is exempt if: research involves the use of educational tests, survey procedures, interviews or observation of public behavior, unless (i) information obtained is recorded in such a manner that human subjects can be identified and (ii) any disclosure of responses outside the research could reasonably place the subjects at risk of liability or be damaging to the subjects' financial standing, employability, or reputation; or research involves the collection or study of existing data, documents, records … if these sources are publicly available or if the information is recorded by the investigator so that subjects cannot be identified.
  Consent can be waived if the following are true: the research involves no more than minimal risk to the subjects; the waiver or alteration will not adversely affect the rights and welfare of the subjects; the research could not practicably be carried out without the waiver or alteration; whenever appropriate, the subjects will be provided with additional pertinent information after participation.
  Documentation can be waived if: the research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context; or the only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality.

  8. Social Network Harvesting Was Not Human Subjects Research
  Data collection is not human subjects research if:
  • Data is collected without intervention or interaction with the participant, and
  • Contains no identifiable private information: data cannot be linked to an individual identity, OR participants had no reasonable expectation of privacy (i.e., expectation that behavior wasn’t recorded or observed)
  Federal regulations don’t apply.

  9. Did Participants Have An Expectation of Privacy & Was It Reasonable?
  • Arguable that reasonable expectation of privacy should never apply to online posts & group communication
  • “How did you get my address book?… Violation of privacy… Information on [www…com] is not public…”
  • Although participants may think their online behavior is visible only to known others, in many cases these expectations are not reasonable: when any stranger can sign in and observe a web page; when any reader can record and forward any message
  • Better to consider reasonable expectation of privacy as a continuum. Reasonable expectations will change with technology features & norms

  10. The phishing attack experiment is more problematic
  • Spoofing – using “senders’” identities without permission
  • Phishing – collecting data from human subjects without informed consent
  • Decision criteria: risk/benefit analysis
  • Risk to participants
  • Value of the science to participants and society
  • Could the research be done any other way?

  11. Waiver of informed consent requires only minimal risk
  • The research involves no more than minimal risk to the subjects
  • “The probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life …”
  • Daily-life standard = high probability of low magnitude harm
  • The waiver of informed consent does not adversely affect the rights and welfare of the subjects
  • Debriefing provided after the fact

  12. What Was the Potential Harm?
  • Revealing private, privileged or embarrassing information, which puts participants at risk if revealed outside of the research context
  • Direct physical or psychological harm to participants resulting from research procedures
  • In the phishing experiment the probability of an adverse event was higher than in daily life, but the magnitude of harm was negligible
  • No loss of private information
  • Embarrassment at being conned comparable to hassles of daily life (e.g., the discomfort of a blood draw, stress of an SAT test, losing keys, anger or embarrassment through arguments)
  • Debriefing offered (although it could have been improved). Education may have improved subjects’ welfare

  13. Risk Should Be Proportional to Benefit
  • Risk to human subjects needs to be justified by benefit
  • Even highly risky research can be justified if the potential benefits are great enough
  • Even minimal risk research isn’t justified if no one benefits, e.g., because of poor research design
  • IRB should judge research quality if the research is not peer-reviewed
  • In the phishing experiment: demonstration of the incidence of vulnerability isn’t science, with arbitrary sampling of undergraduates at one university
  • However, there is good science in the manipulation of the identity of the lure (friend or stranger; male or female) and correlations with attributes of the target

  14. Dealing With Minors
  • If minors are present some rules change
  • Minors can’t consent, only assent
  • Require permission of parent or guardian
  • Most categories of research exempt for adults are not exempt for minors (e.g., interviews & surveys)
  • Children’s Online Privacy Protection Act is in play: can’t collect personal information about children under 13 without posting how the information will be used and getting parental consent
  • Non-human subjects research (i.e., no interaction, no intervention and no identifiable private information) is still OK
  • Observations of public behavior are still exempt
  • Can we accurately assess whether minors are involved?

  15. Factors Influencing the Ethics of Online Observational Research
  • Is it intervention, participant observation or passive observation?
  • How much risk is involved?
  • Is the behavior public or do participants have reasonable expectations of privacy?
  • Did participants expect their behavior was ephemeral or recorded?
  • Did participants expect that records about them would be made public or kept private?
  • Are participants identifiable or anonymous?
  • Likelihood of the presence of minors

  16. Conclusions
  • Online behavior provides rich data on social processes relevant to security & privacy
  • Much of it can be considered either not human subject research or exempt public behavior
  • But there are lots of ambiguities & boundary conditions: reasonable expectation of privacy, identifiability, risk; group size, presence of minors; …
  • Most recommendations require a case-by-case analysis
  • Educate your IRB

  17. More information
  Robert Kraut
  Email: robert.kraut@cmu.edu
  Web: www.cs.cmu.edu/~kraut
  APA taskforce report, Psychological Research Online: www.apa.org/journals/features/amp592105.pdf