[Air-L] Ethics of using hacked data.

Charles Ess charles.ess at gmail.com
Wed Oct 7 20:06:38 PDT 2015 

Dear all,
what a great question, and what helpful responses!
First of all, I appreciate this relatively new case as it helps illuminate
the need for continually updating and refreshing the AoIR guidelines.  That
is, as Nathaniel's careful efforts to make use of the guidelines
demonstrates,  there's a kind of hole here that clearly needs specific
consideration and reflection.
(At the same time, Aristotle warned against the impossibility of developing
final rules for every new case. In a powerful metaphor (to my mind at
least) - guideline and rule-making is somewhat akin to weaving or knitting:
every time you weave in a new thread to "cover" a new example or case, you
thereby also multiply the holes in your weaving ...)

Secondly, without being able to do justice to the full richness of this
discussion, a couple of additional observations.  One is that I espy some
important cultural differences in the ethical argumentation.  Correct me
where I'm wrong, but a good portion of the argumentation in favor of using
the hacked data turns on efforts to consider the consequences of doing so -
including possible consequences to the data subjects as well as to the
researchers.  So far, so good - but this sort of ethical consequentialism
is more prevalent in (but by no means exclusive to) U.S./U.K./ and to some
degree Australian approaches.  (No surprise: the utilitarian philosophers
come out of and importantly stamp English-speaking philosophies and
cultures in the early 19th century, if not earlier.)
By contrast, the example of Stine Lomborg asking for informed consent
nonetheless in my mind is an example of the more deontological emphases,
especially (but again, by no means exclusively so) in northern Europe and
Scandinavia.  That is, there is a sense of the importance of respecting
foundational rights, with less regard to the consequences of doing so
(beginning with making the researcher's life that much more complicated -
perhaps to the point of scuttling a project). (Again, no surprise: for all
their well-deserved criticism, Kant and Habermas (among others) are
regularly invoked in ethical discussions here, especially in connecting our
ethics with basic democratic norms, rights, and practices.)
While this is clearly painting with a broad brush that screams for a great
deal of nuance and counterexample - the contrast, I think, is nonetheless
useful in at least two ways.  One, it helps more sharply articulate the
specific ethical approaches we tend to take up within a given cultural
context and tradition, so that we can be clearer about the strengths and
limits of those approaches.  Two, it helps foreground the ethical
difficulty common to much Internet-facilitated research - namely, that our
data often draws from and crosses important national and cultural borders,
thereby requiring us to pay attention to these culturally-variable emphases
insofar as they may apply to a given data set.
In the Stine Lomborg example: her taking the more demanding ethical step of
asking for informed consent has the advantage of not only  going further to
ensure basic rights protections - and this, I'm pretty sure, on both
deontological and feminist grounds; in addition, had this been an
international project, the stronger ethical approach here would have
simultaneously met the comparatively weaker demands of a consequentialist
approach.

Lastly, I'm wondering if anyone has developed analogies from biomedical
ethics, i.e., of using medical data drawn from clearly illegal and
unethical work (most notoriously, Nazi and Japanese experiments, but
certainly also the infamous Tuskeegee Institute work - when they can be
legitimately called that)?  Insofar as any such analogies might hold -
broadly, a consequentialist would argue that great good can come of using
data and information, whatever their source, as long as further foreseeable
risks are minimal.  Some deontologists might argue differently.
I dunno - I need more coffee - and it might well be that such analogies
would turn out to be fruitless.

But in the meantime, again, many thanks for this, and I hope we can take
this up as part of the ethics panel at AoIR this year: Friday, October 23,
from 1.00-2.50 p.m. (just FYI).

Best in the meantime,
- charles
--
Professor in Media Studies
Department of Media and Communication
University of Oslo

Director, Centre for Research in Media Innovations (CeRMI)
Editor, The Journal of Media Innovations
<https://www.journals.uio.no/index.php/TJMI/>
President, INSEIT <www.inseit.net>

Postboks 1093
Blindern 0317
Oslo, Norway
c.m.ess at media.uio.no

On Thu, Oct 8, 2015 at 4:06 AM, Dave Dittrich <dittrich at apl.washington.edu>
wrote:

> On 10/7/15 10:11 AM, Nathaniel Poor wrote:
> > I recently got into a discussion with a colleague about the ethics
> > of using hacked data...
> > I can see that some academic researchers -- at least those in computer
> > security -- would be interested in this data and should be able to
> publish
> > in peer reviewed journals about it, in an anonymized manner (probably as
> an
> > example of "here's a data hack like what we are talking about, here's
> what
> > hackers released").
>
> Here are some references on this topic you might look at.
>
> David Dittrich and Erin Kenneally (co-lead authors). The Menlo Report:
> Ethical Principles Guiding Information and Communication Technology
> Research.
>
> http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803.pdf
> ,
> December 2012.
>
> David Dittrich and Erin Kenneally (eds.). Applying Ethical Principles to
> Information and Communication Technology Research: A Companion to the
> Department of Homeland Security Menlo Report.
>
> http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPANION-20120103-r731.pdf
> ,
> January 2012.
>
> David Dittrich, Katherine Carpenter, and Manish Karir. An Ethical
> Examination of the Internet Census 2012 Dataset: A Menlo Report Case
> Study. Technology and Society Magazine, IEEE, 34(2):40–46, June 2015.
> http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7128817
>
> Ronald Deibert and Masashi Crete-Nishihata. Blurred boundaries: Probing
> the ethics of cyberspace research. Review of Policy Research,
> 28(5):531–537, 2011.
>
> David Dittrich and Erin Kenneally (eds.). The Menlo Report: Ethical
> Principles Guiding Information and Communication Technology Research.
>
> http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-20110915-r560.pdf
> ,
> December 2011.
>
> David Dittrich. The Ethics of Social Honeypots. Research Ethics, May
> 2015.
> http://rea.sagepub.com/content/early/2015/05/19/1747016115583380.abstract
>
> Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich, and
> Stuart Schechter. It’s Not Stealing If You Need It: A Panel on the
> Ethics of Performing Research Using Public Data of Illicit Origin. J.
> Blythe (Ed.): FC 2012 Workshops, LNCS 7398, pp. 124–132, 2012.
> Springer-Verlag Berlin Heidelberg 2012.
>
>
> Just as a side note, the Carna Botnet (the IEEE pub above) did
> in fact set a bad precedent for "researchers" who witnessed the
> exploitation of weak passwords to illegally obtain data,
> which turned into illegally accessing similar devices in a similar
> manner to clean them up without the owners' knowledge, involvement,
> or permission.
>
> "There was also a well-known research botnet called the Internet Census
> 2012, where some researchers used access to these devices to make
> measurements of the internet. Curiously, they decided to block access
> for some malware, too, so it is a kind of precursor, although their main
> intent was to publish data, and our main intent is to kill malware."
>
> If you ask me, letting researchers have an ethical "pass" on
> using illegally obtained data is giving a push to both
> academic reseachers, and self-proclaimed "researchers",
> as they head down that slippery slope.
>
> --
> Dave Dittrich
> dittrich at u.washington.edu
> http://staff.washington.edu/dittrich
>
> PGP key:     http://staff.washington.edu/dittrich/pgpkey.txt
> Fingerprint: 097B 4DCB BF16 E1D8 A06C  7512 A751 C80A D15E E079
> _______________________________________________
> The Air-L at listserv.aoir.org mailing list
> is provided by the Association of Internet Researchers http://aoir.org
> Subscribe, change options or unsubscribe at:
> http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
>
> Join the Association of Internet Researchers:
> http://www.aoir.org/
>

More information about the Air-L mailing list