The Ethics of Attack Research: What Are the Rules? Robert E. Kraut Carnegie Mellon University Nuremberg During the Nuremberg War Crimes Trials, 23 German doctors were charged with crimes against humanity for “. . . performing medical experiments upon concentration camp inmates and other living subjects, without their consent, in the course of which experiments the defendants committed the murders, brutalities, cruelties, tortures, atrocities, and other inhuman acts . . . ” Hypothermia Experiments with Submersion Altitude Experiments at Dachau Mengeles Research on Twins 2 Tuskegee Syphilis Study US Public Health service ran a study from 1932 to 1972 on syphilis 399 poor Black share croppers were told they were being treated for “bad blood,” but in fact had syphilis and were untreated for syphilis Local physicians were given subject lists of people not to treat Initially no syphilis treatment was available, but by 1947 penicillin, the standard treatment, was withheld from these men – – Men died Families infected For participating in the study, the men were given free medical exams, free meals and free burial insurance Stopped in 1972 after PHS employees leaked info to the press “I don’t know what they used us for. I ain’t never understood the study. ~ a survivor ~ Info at http://www.cdc.gov/nchstp/od/tuskegee/ 3 Belmont report (1979): Ethical Principles and Guidelines for the Protection of Human Subjects of Research http://ohrp.osophs.dhhs.gov/humansubjects/guidance/belmont.htm Respect for Persons – – – – individuals have autonomy and choice people can not be used as a means to an end provide protection to the vulnerable provide informed consent and privacy Beneficence – – – – minimize risks, maximize benefits obligation to do good obligation to do no harm obligation to prevent harm Justice – – treat all fairly share equitably burdens and benefits 4 Federal Regulation Belmont principles instantiated in Federal regulations for treatment of human subjects: http://ohrp.osophs.dhhs.gov/humansubjects/ guidance/45cfr46.htm System of Institutional Review Boards (IRBs) to monitor human subject research 5 Consider An Informed Consent Decision How Does an Attack Study Look Through the Lens of an IRB? Respect for persons Informed consent – – – Give participants choice to participate Prove them all relevant information to help them make an informed decision about participation Document informed consent Jagatic et al didn’t provide informed consent for either phase of their research – – Harvesting social network information Phishing attack experiment 6 Informed consent not required No Yes Informed consent not required Yes Is it human subjects research? Research involves human subjects if: Data is collected through intervention or interaction with an individual or Data contains identifiable private information (Information where individual can be identified and individual had reasonable expectation that no observation was taking place or that information was collected for a specific purpose, which the individual could reasonably expect would remain private. Yes Informed consent not required No Is the research exempt? Research is exempt if: Research involves the use of educational tests, survey procedures, interviews or observation of public behavior, unless: (i) information obtained is recorded in so that human subjects can be identified and (ii) any disclosure of responses outside the research could reasonably place the subjects at risk of liability or be damaging to the subjects' financial standing, employability, or reputation or Research involves the collection or study of existing data, documents, records … if these sources are publicly available or if the information is recorded by the investigator so that subjects cannot be identified No Can informed consent be waived? Can documentation be waived? Consent can be waived if the following are true: Documentation can be waived if: The research involves no more than minimal risk to the subjects; The research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context. The waiver or alteration will not adversely affect the rights and welfare of the subjects; The research could not practicably be carried out without the waiver or alteration; Whenever appropriate, the subjects will be provided with additional pertinent information after participation. or The only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality. Social Network Harvesting Was Not Human Subjects Research Data collection is not human subject research if – – Data is collected without intervention or interaction with participant and Contains no identifiable private information Data can not be linked to an individual identity OR Participants had no reasonable expectation of privacy (i.e., expectation that behavior wasn’t recorded or observed) Federal regulations don’t apply 8 Did Participants Have An Expectation of Privacy & Was It Reasonable? Arguable that reasonable expectation of privacy should never apply to online posts & group communication “How did you get my address book?… Violation of privacy… Information on [www…com] is not public…” – Although participants may think their online behavior is visible only to known others, in many cases these expectations are not reasonable – When any stranger can sign in and observe a web page – When any reader can record and forward any message Better to consider reasonable expectation of privacy as a continuum. Reasonable expectations will change with technology features & norms Public Behavior Less Sample Small membership Low turnover Synchronous=>recording optional Membership vetting/password More Large membership High turnover Asynchronous=> recording necessary No membership vetting/password 9 The phishing attack experiment is more problematic Spoofing – using “senders” identities without permission Phishing – collecting data from human subjects without informed consent Decision criteria – Risk/benefit analysis – Risk to participants Value of the science to participants and society Could the research be done any other way? 10 Waiver of informed consent requires only minimal risk The research involves no more than minimal risk to the subjects – – “The probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life …” Daily-life standard = high probability of low magnitude harm The waiver of informed consent does not adversely affect the rights and welfare of the subjects Debriefing provided after the fact 11 What Was the Potential Harm? Revealing private, privileged or embarrassing information, which puts participants at risk if revealed outside of the research context Direct physical or psychological harm to participants resulting from research procedures In phishing experiment probability of adverse event was higher than daily life, but magnitude of harm was negligible – No loss of private information – Embarrassment at being conned comparable to hassles of daily life (e.g., the discomfort of a blood draw, stress of SAT test, loosing keys, anger or embarrassment thru arguments) – Debriefing offered (although could have been improved). Education may have improved subjects’ welfare 12 Risk Should Be Proportional to Benefit Risk to human subjects need to be justified by benefit Even highly risky research can be justified if the potential benefits are great enough Even minimal risk research isn’t justified if no one benefits – – E.g., Because of poor research design IRB should judge research quality, if research not peerreviewed In phishing experiment – – Demonstration of incidence of vulnerability isn’t science, with arbitrary sampling from undergrad at one university However, there is good science in the manipulation of the identity of the lure (friend or stranger; male or female) and correlations with attributes of the target 13 Dealing With Minors If minor are present some rules change – – – – Minors can’t consent, only assent Require permission of parent or guardian Most categories of research exempt for adults are not exempt for minors (e.g., interviews & surveys) Children’s Online Privacy Protection Action is in play – – Can’t collect personal information about children under 13 without posting how the information will be use and getting parental consent Non-human subjects research (i.e., no interaction, no intervention and no identifiable private information) is still OK Observations of public behavior is still exempt Can we accurately assess whether minors are involved? 14 Factors Influencing the Ethics of Online Observational Research Is it intervention, participant observation or passive observation? How much risk is involved? Is the behavior public or do participants have reasonable expectations of privacy? Did participants expect their behavior was ephemeral or recorded? Did participants expect that records about them would be made public or kept private? Are participants identifiable or anonymous? Likelihood of the presence of minor 15 Conclusions Online behavior provides rich data on social processes relevant to security & privacy Much of it can be considered either not human subject research or exempt public behavior But there are lots of ambiguities & boundary conditions – – – Reasonable expectation of privacy, Identifiability, Risk Group size, Presence of minors … Most recommendations require a case-by-case analysis Educate your IRB 16 More information Robert Kraut Email: robert.kraut@cmu.edu Web: www.cs.cmu.edu/~kraut APA taskforce report Psychological Research Online www.apa.org/journals/features/amp592105.pdf