[Air-L] Ethics of a student project

Tim Libert tlibert at asc.upenn.edu
Thu Aug 21 16:48:18 PDT 2014


First time responding to this list, hopefully I’m obeying any conventions, good manners, etc.  I’m replying to a thread I read from the digest, so hopefully this does not get out of sync.

In regard to the experiment (which seems pretty cool) I would point out that when the data resides externally (on google, facebook, etc) those entities are the guardians and keepers of that data.  They may, depending on jurisdiction, have means to remove data at the request of a subject and while they hold it are liable for keeping it secure.  Once the researcher copies this information, she or he is now the guardian and keeper of the subject’s data, and therefore is responsible for data security.  Data security, done correctly, is not difficult these days, but neither is it trivial.  Learning how to do it well is good training for the student if she or he has an interest in privacy.

I recommend the researcher take precautions that the data used is collected within a defined scope (i.e. excluding credit reports for example), the data is locally stored in an encrypted virtual machine, and the encrypted data is subsequently destroyed.  I suggest using the following free software to accomplish this. First, create a virtual Ubuntu Linux [1] machine using VirtualBox [2].  When installing Ubuntu, you must set up disk encryption [3], meaning that if the device is stolen, the data is unreadable.  Within this ‘virtual’ computer the researcher can do whatever they like, surf the web, keep records, etc. - it functions like a normal computer, it just ‘lives’ inside your main one.  When the experiment is over simply delete the virtual machine file - as it is encrypted to start out with you don’t need to worry about much else.  This may sound difficult, but given a weekend, some persistence, and creativity, it is doable.  The Internet is full of guides on how to do this.  It is also fun.

Key point for me is that while the study will teach the student a lot about the research question, learning about privacy also means learning about how to handle private data and picking up some basic opsec.

[INSERT HERE: whatever disclaimers are necessary to prove that I am not anybody’s lawyer and my advice may not meet the standards required when dealing with at-risk groups, etc.]

Again, I’m only on the digest list, so may miss an immediate reply, but feel free to follow up directly: tlibert at asc.upenn.edu

- tim libert, phd student, university of pennsylvania

[1] http://www.ubuntu.com/
[2] https://www.virtualbox.org/
[3] https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption
[4] https://www.torproject.org/
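
The procedure above depends on the guest's disk actually being encrypted before any subject data is stored in it. As an added example (not part of the original post), this shell function checks that from `lsblk` output by walking from the device mounted at `/` up through its parents until it finds a dm-crypt layer; the two sample listings are constructed, and the layout (LVM on LUKS) is an assumption about what the Ubuntu installer produces.

```shell
#!/bin/sh
# Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output on stdin.
# Exit 0: the filesystem mounted at / sits on a dm-crypt device.
# Exit 1: it does not.  Exit 2: no root mount found in the input.
root_is_encrypted() {
    awk '
    # Return the value of KEY="value" from one lsblk -P line.
    # The leading space keeps KNAME from matching inside PKNAME.
    function field(line, key,    re, s) {
        line = " " line
        re = " " key "=\"[^\"]*\""
        if (match(line, re) == 0) return ""
        s = substr(line, RSTART, RLENGTH)
        sub("^ " key "=\"", "", s); sub("\"$", "", s)
        return s
    }
    {
        dev = field($0, "KNAME")
        parent[dev] = field($0, "PKNAME")
        kind[dev] = field($0, "TYPE")
        if (field($0, "MOUNTPOINT") == "/") root = dev
    }
    END {
        if (root == "") exit 2
        # Walk root -> parent -> ... until a crypt layer or the bare disk.
        for (dev = root; dev != ""; dev = parent[dev])
            if (kind[dev] == "crypt") exit 0
        exit 1
    }'
}

# Constructed sample: encrypted install (partition -> LUKS -> LVM -> /).
SAMPLE_ENCRYPTED='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"'

# Constructed sample: unencrypted install (/ directly on a partition).
SAMPLE_PLAIN='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"'

# Inside the guest:
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | root_is_encrypted && echo ok
```

Run the check inside the virtual machine, not on the host: encryption of the host's disk says nothing about the virtual machine file that will later be deleted.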

