[Air-L] Ethics of using hacked data.

Dave Dittrich dittrich at apl.washington.edu
Wed Oct 7 19:06:21 PDT 2015


On 10/7/15 10:11 AM, Nathaniel Poor wrote:
> I recently got into a discussion with a colleague about the ethics
> of using hacked data...
> I can see that some academic researchers -- at least those in computer
> security -- would be interested in this data and should be able to publish
> in peer reviewed journals about it, in an anonymized manner (probably as an
> example of "here's a data hack like what we are talking about, here's what
> hackers released").

Here are some references on this topic you might look at.

David Dittrich and Erin Kenneally (co-lead authors). The Menlo Report:
Ethical Principles Guiding Information and Communication Technology
Research.
http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803.pdf,
December 2012.

David Dittrich and Erin Kenneally (eds.). Applying Ethical Principles to
Information and Communication Technology Research: A Companion to the
Department of Homeland Security Menlo Report.
http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPANION-20120103-r731.pdf,
January 2012.

David Dittrich, Katherine Carpenter, and Manish Karir. An Ethical
Examination of the Internet Census 2012 Dataset: A Menlo Report Case
Study. Technology and Society Magazine, IEEE, 34(2):40–46, June 2015.
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7128817

Ronald Deibert and Masashi Crete-Nishihata. Blurred boundaries: Probing
the ethics of cyberspace research. Review of Policy Research,
28(5):531–537, 2011.

David Dittrich and Erin Kenneally (eds.). The Menlo Report: Ethical
Principles Guiding Information and Communication Technology Research.
http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-20110915-r560.pdf,
December 2011.

David Dittrich. The Ethics of Social Honeypots. Research Ethics, May
2015.
http://rea.sagepub.com/content/early/2015/05/19/1747016115583380.abstract

Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich, and
Stuart Schechter. It’s Not Stealing If You Need It: A Panel on the
Ethics of Performing Research Using Public Data of Illicit Origin. J.
Blythe (Ed.): FC 2012 Workshops, LNCS 7398, pp. 124–132, 2012.
Springer-Verlag Berlin Heidelberg 2012.


Just as a side note, the Carna Botnet (the IEEE pub above) did
in fact set a bad precedent for "researchers" who witnessed the
exploitation of weak passwords to illegally obtain data,
which turned into illegally accessing similar devices in a similar
manner to clean them up without the owners' knowledge, involvement,
or permission.

"There was also a well-known research botnet called the Internet Census
2012, where some researchers used access to these devices to make
measurements of the internet. Curiously, they decided to block access
for some malware, too, so it is a kind of precursor, although their main
intent was to publish data, and our main intent is to kill malware."

If you ask me, letting researchers have an ethical "pass" on
using illegally obtained data is giving a push to both
academic researchers, and self-proclaimed "researchers",
as they head down that slippery slope.

-- 
Dave Dittrich
dittrich at u.washington.edu
http://staff.washington.edu/dittrich

PGP key:     http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint: 097B 4DCB BF16 E1D8 A06C  7512 A751 C80A D15E E079


