[Air-L] a new wrinkle in internet research ethics

Richard Forno rforno at infowarrior.org
Tue Apr 27 11:41:24 PDT 2021 

More items:

(1) Researchers apologize to the Linux community, but the response is mixed....
https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>

Then this morning ...

(2)  ZDNet has obtained a copy of the Linux Foundation's letter to the University of Minnesota laying out what happened with the bad Linux kernel patches 'research project' and demanding 'all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment'.

< - >

https://www.zdnet.com/article/the-linux-foundations-demands-to-the-university-of-minnesota-for-its-bad-linux-patches/ <https://www.zdnet.com/article/the-linux-foundations-demands-to-the-university-of-minnesota-for-its-bad-linux-patches/>


I daresay this seems like a horrific matter all around with policy/process/advising loopholes/shortcomings/failures that need to be remedied ..... but as I said the other day, it was only a matter of time before something like this cropped up in the cybersecurity resarch space in a prominent way -- and that this situation presents an interesting conceptual & practical distinction between IRB approval for testing on "human subjects" vs on things that humans use which might "potentially cause human-harm" (ie malware research, social engineering projects, or doing what these ppl did.)  Many aspects of cybersecurity research, especially deeply technical projects and/or investigation into the 'darker arts' of the discipline can straddle that fine line from time to time, and IRBs need to be aware of the potential consequences.

-- rick



> On Apr 27, 2021, at 13:52, Joseph Reagle <joseph.2011 at reagle.org> wrote:
> 
> 
> On 21-04-27 12:56, Charles M. Ess wrote:
>> What is particularly interesting is that the IRB "had reviewed the study and determined that it was not human research, only to backtrack, adding 'throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns.'"
> 
> I find this confusing: who determined human subjects weren't involved, the researchers or the IRB? I *think* the researchers argued they weren't human subjects research to their IRB, and the IRB accepted this and exempted them from review and consent procedures....?
> 
> Looking at the handy OHRP flow charts, this seems like a big mistake.
> 
> [a]: https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts-2018/index.html
> 
> 1. They were collecting information about living people through intervention, interaction, or that was identifiable private information. And while the disciplinary "carve outs" aren't in the flow chart (e.g., (oral) history, journalism, biography), I've not seen an argument that experimenting on/with a community is precluded.
> 
> 2. The typical exemptions don't apply (education).
> 
> ...
> 
> 13. It sounds like they wanted to make a 45 CFR 46.116(f) claim, that the work was so important yet benign and so they should forgo consent. But I don't think they ever made this argument to their IRB.
> 
> _______________________________________________
> The Air-L at listserv.aoir.org mailing list
> is provided by the Association of Internet Researchers http://aoir.org
> Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
> 
> Join the Association of Internet Researchers:
> http://www.aoir.org/

More information about the Air-L mailing list