The Ethics of Attack Research: What Are the Rules? Robert E. Kraut

Carnegie Mellon University

Nuremberg
During the Nuremberg War Crimes Trials, 23 German doctors were charged with crimes against humanity for “. . . performing medical experiments upon concentration camp inmates and other living subjects, without their consent, in the course of which experiments the defendants committed the murders, brutalities, cruelties, tortures, atrocities, and other inhuman acts . . . ”
Figures: Hypothermia Experiments with Submersion; Altitude Experiments at Dachau; Mengele's Research on Twins

Tuskegee Syphilis Study
• US Public Health Service ran a study from 1932 to 1972 on syphilis
• 399 poor Black sharecroppers were told they were being treated for “bad blood,” but in fact had syphilis and were untreated for syphilis
• Local physicians were given subject lists of people not to treat
• Initially no syphilis treatment was available, but by 1947 penicillin, the standard treatment, was withheld from these men
  – Men died
  – Families infected
• For participating in the study, the men were given free medical exams, free meals and free burial insurance
• Stopped in 1972 after PHS employees leaked info to the press
• “I don’t know what they used us for. I ain’t never understood the study.” ~ a survivor ~
• Info at http://www.cdc.gov/nchstp/od/tuskegee/

Belmont report (1979): Ethical Principles and Guidelines for the Protection of Human Subjects of Research
http://ohrp.osophs.dhhs.gov/humansubjects/guidance/belmont.htm
• Respect for Persons
  – individuals have autonomy and choice
  – people cannot be used as a means to an end
  – provide protection to the vulnerable
  – provide informed consent and privacy
• Beneficence
  – minimize risks, maximize benefits
  – obligation to do good
  – obligation to do no harm
  – obligation to prevent harm
• Justice
  – treat all fairly
  – share equitably burdens and benefits

Federal Regulation
• Belmont principles instantiated in Federal regulations for treatment of human subjects: http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm
• System of Institutional Review Boards (IRBs) to monitor human subject research

Consider An Informed Consent Decision

How Does an Attack Study Look Through the Lens of an IRB?
• Respect for persons => Informed consent
  – Give participants choice to participate
  – Provide them all relevant information to help them make an informed decision about participation
  – Document informed consent
• Jagatic et al. didn’t provide informed consent for either phase of their research
  – Harvesting social network information
  – Phishing attack experiment

Is it human subjects research?
– No => Informed consent not required
– Yes => Is the research exempt?
Research involves human subjects if:
• Data is collected through intervention or interaction with an individual
or
• Data contains identifiable private information (Information where individual can be identified and individual had reasonable expectation that no observation was taking place or that information was collected for a specific purpose, which the individual could reasonably expect would remain private.)

Is the research exempt?
– Yes => Informed consent not required
– No => Can informed consent be waived?
Research is exempt if:
• Research involves the use of educational tests, survey procedures, interviews or observation of public behavior, unless: (i) information obtained is recorded so that human subjects can be identified and (ii) any disclosure of responses outside the research could reasonably place the subjects at risk of liability or be damaging to the subjects' financial standing, employability, or reputation
or
• Research involves the collection or study of existing data, documents, records … if these sources are publicly available or if the information is recorded by the investigator so that subjects cannot be identified

Can informed consent be waived?
– Yes => Informed consent not required
– No => Can documentation be waived?
Consent can be waived if the following are true:
• The research involves no more than minimal risk to the subjects;
• The waiver or alteration will not adversely affect the rights and welfare of the subjects;
• The research could not practicably be carried out without the waiver or alteration;
• Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

Can documentation be waived?
Documentation can be waived if:
• The research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context.
or
• The only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality.

Social Network Harvesting Was Not Human Subjects Research
• Data collection is not human subject research if
  – Data is collected without intervention or interaction with participant
  and
  – Contains no identifiable private information
    • Data cannot be linked to an individual identity OR
    • Participants had no reasonable expectation of privacy (i.e., expectation that behavior wasn’t recorded or observed)
• Federal regulations don’t apply

Did Participants Have An Expectation of Privacy & Was It Reasonable?
• Arguable that reasonable expectation of privacy should never apply to online posts & group communication
  – “How did you get my address book?… Violation of privacy… Information on [www…com] is not public…”
• Although participants may think their online behavior is visible only to known others, in many cases these expectations are not reasonable
  – When any stranger can sign in and observe a web page
  – When any reader can record and forward any message
• Better to consider reasonable expectation of privacy as a continuum. Reasonable expectations will change with technology features & norms
Public Behavior
Sample
– Less: Small membership; Low turnover; Synchronous => recording optional; Membership vetting/password
– More: Large membership; High turnover; Asynchronous => recording necessary; No membership vetting/password

The phishing attack experiment is more problematic
• Spoofing – using “senders’” identities without permission
• Phishing – collecting data from human subjects without informed consent
• Decision criteria
  – Risk/benefit analysis
    • Risk to participants
    • Value of the science to participants and society
  – Could the research be done any other way?

Waiver of informed consent requires only minimal risk
• The research involves no more than minimal risk to the subjects
  – “The probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life …”
  – Daily-life standard = high probability of low magnitude harm
• The waiver of informed consent does not adversely affect the rights and welfare of the subjects
• Debriefing provided after the fact

What Was the Potential Harm?
• Revealing private, privileged or embarrassing information, which puts participants at risk if revealed outside of the research context
• Direct physical or psychological harm to participants resulting from research procedures
• In phishing experiment probability of adverse event was higher than daily life, but magnitude of harm was negligible
  – No loss of private information
  – Embarrassment at being conned comparable to hassles of daily life (e.g., the discomfort of a blood draw, stress of SAT test, losing keys, anger or embarrassment through arguments)
  – Debriefing offered (although could have been improved). Education may have improved subjects’ welfare

Risk Should Be Proportional to Benefit
• Risk to human subjects needs to be justified by benefit
• Even highly risky research can be justified if the potential benefits are great enough
• Even minimal risk research isn’t justified if no one benefits
  – E.g., Because of poor research design
  – IRB should judge research quality, if research not peer-reviewed
• In phishing experiment
  – Demonstration of incidence of vulnerability isn’t science, with arbitrary sampling from undergrads at one university
  – However, there is good science in the manipulation of the identity of the lure (friend or stranger; male or female) and correlations with attributes of the target

Dealing With Minors
• If minors are present some rules change
  – Minors can’t consent, only assent
  – Require permission of parent or guardian
  – Most categories of research exempt for adults are not exempt for minors (e.g., interviews & surveys)
  – Children’s Online Privacy Protection Act is in play
    • Can’t collect personal information about children under 13 without posting how the information will be used and getting parental consent
  – Non-human subjects research (i.e., no interaction, no intervention and no identifiable private information) is still OK
  – Observations of public behavior is still exempt
• Can we accurately assess whether minors are involved?

Factors Influencing the Ethics of Online Observational Research
• Is it intervention, participant observation or passive observation?
• How much risk is involved?
• Is the behavior public or do participants have reasonable expectations of privacy?
• Did participants expect their behavior was ephemeral or recorded?
• Did participants expect that records about them would be made public or kept private?
• Are participants identifiable or anonymous?
• Likelihood of the presence of minors

Conclusions
• Online behavior provides rich data on social processes relevant to security & privacy
• Much of it can be considered either not human subject research or exempt public behavior
• But there are lots of ambiguities & boundary conditions
  – Reasonable expectation of privacy, Identifiability, Risk
  – Group size, Presence of minors
  – …
• Most recommendations require a case-by-case analysis
• Educate your IRB

More information
Robert Kraut
Email: robert.kraut@cmu.edu
Web: www.cs.cmu.edu/~kraut
APA taskforce report
Psychological Research Online
www.apa.org/journals/features/amp592105.pdf