[Air-L] Ensuring privacy in online interviewing

L. Wynholds wynholds at ucla.edu
Wed Mar 7 14:48:54 PST 2012

I disagree with some of the earlier responses to this inquiry.  In my
opinion, IRB requests are intended to get you to think through your
methods and the potential for harm or unintended consequences.  You
should be willing to think through a reasonably rigorous and grounded
assessment of risk for any activity you are considering.

This assessment should interrogate issues such as: what personally
identifiable data are produced at every step? are there nonvisible
copies produced that we usually don't think about?  where are they
stored? what are the security issues associated with these storage
functions? is there a risk of reidentification of anonymized data?
what are reasonable interventions for the identified risks?  which
risks are most probable?

Generally, I agree that the risks are probably low, but identifying
them and writing them up is part of the justification that the risks
are low.  However, you also have to think about how these risks apply
not only to you and your machines, but also to the machines of your
participants.  For this reason, I disagree that this research is
similar to a phone interview or to a face to face interview in a cafe.

In my opinion, the most probable risks are:

a) losing physical control over the machine (theft, loss, etc)
b) virus/malware compromising the machine
c) password loss or hacker or virus compromising the skype/im/chat
account (because the data is stored in the cloud)

If I were using skype with my research subjects I would consider the
following security precautions:

a) make a bootable thumbdrive with a lightweight version of linux on
it, install skype there.  a distant second choice would be to create a
new user/login on a current machine (because most of skype and chat
programs store their data in the user profile).  if it were a longer
term research project I would have a dedicated computer for it that is
locked down.
b) make a new skype account that is only used for this research (or
chat/im account) with a strong password
c) make sure that the system is only used are on a wired network or secure vpn.
d) have a secure, password protected and firewalled place to put the
research data (anonymized is more secure, but then you need to
consider where and how to store the anonymization key)
e) make sure the participants understand that they are responsible for
security on their end, that if they want to be anonymous, they need to
(at minimum) make a new skype/chat/im account and consider the
security of the machine they are using.

After the research is finished:
d) delete and overwrite the thumbdrive (or user profile)
e) delete the skype/im/chat accounts

Why bother with all this?

Your personal computer may or may not be secure depending on a whole
host of factors.  Setting up an independent account and software
environment will give you control over it in a more finite way in
comparison to personal or office computers.  It ensures that the
account or machine won't be compromised, lost or stolen at a later
date.  It might not be sensitive data, but you would still lose face
if you had to write all of your participants and inform them that the
hard drive you kept the data on was lost in a public place, or if you
had to tell them that the account was hacked and some unknown hacker
had the data.

But why worry about all this?

Setting up a good workflow that reduces risks in the long term is
about showing honest and ethical due diligence for your research and
your methods.  It is easier to set up some reasonable precautions than
it is to worry about potential unintended consequences.  It is
definitely easier than mopping up the mess if your colleagues and
participants feel a loss of confidence in you because of a data
collection accident.

And since I'm going on about it: don't forget to back up your data.

Don't put it off.  It's easy to ignore.  I know folks who've made it
three quarters of their way through their dissertation writing process
and lost a hard drive without having any of it backed up.  Nope. None
of it.  It sucks.  Don't put it off.


On Wed, Mar 7, 2012 at 10:41 AM, Jenni Whitmer <jmariewhitmer at gmail.com> wrote:
> I'm in the midst of revising an IRB protocol for my dissertation. I will be
> interviewing fashion bloggers about their experiences with blogging and
> their thoughts on the relation between blogging and fashion media. The
> bloggers I will be interviewing are all public figures, to one degree or
> another, and I don't see the questions I'm asking as being very sensitive
> in nature. I planned to interview respondents using their choice of Skype
> or instant messaging service. The IRB reviewer asked me to clarify how I
> plan to ensure privacy and confidentiality over Skype and IM specifically
> because they are online. I'm a little unsure of what to say. I suppose I
> can't guarantee privacy 100% over a public network, but is the threat
> really much more notable than being overheard during a face to face or
> phone interview?  I was wondering if anyone had any advice or could refer
> me to any articles that address this issue. Are there any IM programs I
> could use that might minimize threats to privacy?
> --
> Jennifer Whitmer, MA
> Dept. of Sociology
> University of Nevada, Las Vegas
> Las Vegas, NV 89154-5033
> phone: 440-429-5957
> _______________________________________________
> The Air-L at listserv.aoir.org mailing list
> is provided by the Association of Internet Researchers http://aoir.org
> Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
> Join the Association of Internet Researchers:
> http://www.aoir.org/

More information about the Air-L mailing list