Can we do research with data that is leaked or stolen and dumped on the internet? This is an ethical question that is difficult to answer as it quickly gets complicated. Unfortunately, WWJD? is of no help in a lot of situations. Ideas about research ethics developed before the information age can fall short where as often there are situations where a human is not present in the study but potential harm to a human is. Daniel R. Thomas and colleges at the Cambridge Cybercrime Centre in the UK have provided some insight into where we are currently on this issue. They look at the current information or structures available for assisting with ethical decisions for security (AoIR, REBs, IRBs, Menlo Report, etc.) They raise the ethical issues that require consideration when undertaking research.
- The Identification of Stakeholders
- Informed Consent
- Identify Harms
- Safeguards
- Justice, and
- Public Interest
They then look at some of the legal issues around cybersecurity research and note the particularly complicated environment that exisits here because of the ‘borderless internet’ and the need for security researchers to travel to present and engage in discussion with peers. Included in this examination is the newer GDPR coming to the EU in the new year. They then present a number of cases form AT&T to Snowden where the ethics of using illicit dataset was contentious.
This paper is openly available and if you are doing research on gathered datasets it is a good read. The ability to adequately explain ethical decisions made prior to conducting research is important in allowing a wider community to quickly and effectively develop and enforce norms. Security research has been riding a line between moral and legal issues, this paper is a good place to start forming an opinion, or to check your current thinking.
13 pages that read easily, Authors’ version available.
Cite:
Thomas, D. R., Pastrana Portillo, S., Hutchings, A. J., Clayton, R., & Beresford, A. R. (2017). Ethical issues in research using datasets of illicit origin.
Source:
Related Blog Post (link to Presentation Slides):