DATA MINING ON FACEBOOK: A FREE SPACE FOR RESEARCHERS OR AN IRB NIGHTMARE?
Lauren B. Solberg†
TABLE OF CONTENTS I. Introduction ...... 313 II. Current IRB Policies Governing Research Involving Data Mining on Facebook ...... 317 A. University Policies Governing Data Mining on Facebook ...... 318 III. Does Data Mining on Facebook Constitute Research with Human Subjects? ...... 320 A. Definitions of ―Research‖ and ―Human Subject‖ As They Apply to Data Mining on Facebook ...... 320 B. Does Data Mining on Facebook Involve an Intervention or Interaction? ...... 321 1. Interpreting ―Includes‖ to Determine Whether Data Mining on Facebook Involves Human Subjects ...... 321 2. Communication Between the Researcher and Facebook User ...... 322 3. Interpersonal Contact Between the Researcher and Facebook User .... 323 4. The Ambiguity of ―Communication‖ and ―Interpersonal Contact‖ ..... 323 C. The Right to Privacy on Facebook ...... 324 IV. IRB Review of Data Mining on Facebook ...... 329 A. Exemption of Data Mining on Facebook from Compliance with Federal Regulations ...... 329 1. Exemption of Data Mining on Facebook Under Category Two ...... 330 2. Exemption of Data Mining on Facebook Under Category Four ...... 332 B. Expedited Review of Data Mining on Facebook ...... 332 C. Full Review of Data Mining on Facebook ...... 334 V. Benefits of OHRP Guidance Discussing Internet Research and Data Mining on Social Networking Sites ...... 334 A. Avoid IRB Mission Creep ...... 335 B. Improve Efficiency in the IRB Review Process ...... 336 1. Preparing and Reviewing an IRB Submission for a Study Involving Data Mining on Facebook ...... 336
† J.D. Vanderbilt University Law School, 2010; M.T.S. Harvard University, 2003; B.A. University of Florida, 2001. I would like to express my gratitude to Professor Owen Jones for his many insightful comments on earlier drafts of this work, and to the students in the Fall 2009 Legal Scholarship seminar at Vanderbilt and Megan L. Bibb for their helpful feedback. All errors are my own.
311 312 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010
C. Eliminate Unnecessary Use of IRB Resources ...... 337 D. Avoid Consequences of Non-Compliant Research...... 339 1. Litigation Resulting from Noncompliant IRB Review ...... 339 2. Compliance Oversight Determination Letters...... 340 VI. Conclusion ...... 342
Abstract Social networking sites like Facebook are yielding much more than the opportunity to connect with friends, view and post photographs, or show support for a particular organization or cause. Researchers are currently using social networking sites like Facebook to gather data that will yield information about people’s political views, social interactions, or even their views on privacy, a practice referred to as data mining, often without the knowledge of the Facebook users from whom they are collecting data. A number of university Institutional Review Boards (IRBs) have recently adopted policies and procedures governing online research, particularly data mining on social networking sites. Federal regulations that have their basis in ethical standards governing research require IRB review for research that involves human subjects, but whether data mining on Facebook constitutes research with human subjects is questionable. If data mining on Facebook involves an interaction between the researcher and the Facebook user, or if the researcher is collecting identifiable, private information about Facebook users, this type of research involves human subjects, and the federal regulations mandate IRB review. Researchers and universities would therefore have both an ethical and a legal obligation to ensure that subjects whose online profiles are mined for data are adequately protected from harm. If IRB review is not required, it is unnecessary and inefficient to burden researchers and IRBs with preparation and review of an IRB application for research involving data mining on Facebook. This Article argues that data mining on Facebook does not constitute research with human subjects, but contends that if the Department of Health and Human Services’ Office for Human Research Protections determines that this type of research involves human subjects, it should either undergo expedited review or be deemed exempt. It discusses the benefits that both researchers and IRBs will reap if data mining on Facebook does not involve human subjects, as well as the consequences that researchers and IRBs face if the research requires IRB review and no such review is conducted. However, unless and until the Department of Health and Human Services issues guidance addressing or specific regulations governing Internet research, whether data mining on Facebook involves human subjects can only be speculated. No. 2] DATA MINING ON FACEBOOK 313
I. INTRODUCTION The purposes of social networking on the Internet—communicating with friends, showing support for interest groups—are, in theory, for the gain of the individual posting the information about herself online.1 Researchers at a number of universities have recently determined, however, that the abundance of personal information on social networking sites like Facebook can be put to a more academic use—for analysis in research studies in fields such as sociology and psychology.2 Such news may be horrifying, or at a minimum surprising, to the millions of Facebook users who take the privacy of the information they post seriously,3 never expecting that the information they posted on the site might be published in a peer-reviewed journal.4 These privacy implications raise the question of whether data mining on social networking sites for research purposes is research with human subjects that should be subject to applicable federal regulations and oversight.5 When Facebook launched in February 2004, Facebook only permitted Harvard University students to post and view information.6 By September 2005, students at almost 900 colleges maintained Facebook pages, and now anyone with an email address who is thirteen years of age or older may create a Facebook page.7 More than 500 million people currently maintain a Facebook page,8 and in mid-March 2010, Facebook was the most frequently accessed site on the Internet.9 On a Facebook page, a user can include approximately forty different types of personal information, including the user‘s date of birth, political party and religious affiliations, sexual preferences, hobbies and interests, education, and current employment.10 Users can also post photographs of themselves and others, and they can give other Facebook users the opportunity to search for and communicate with them via the web site.11 Researchers have realized that
1. See Matthew J. Hodge, Comment, The Fourth Amendment and Privacy Issues on the “New” Internet: Facebook.com and MySpace.com, 31 S. ILL. U. L.J. 95, 97 (2006) (detailing some of the functions of Facebook and MySpace). 2. Stephanie Rosenbloom, On Facebook, Scholars Link Up with Data: A Networking Site is Now a Magnet for Researchers, N.Y. TIMES, Dec. 17, 2007, at A1, available at http://www.nytimes.com/ 2007/12/17/style/17facebook.html. 3. See Press Room: Statistics, FACEBOOK, http://www.facebook.com/press/info.php?statistics (last visited Sept. 21, 2010) (stating that more than 500 million people actively use Facebook). 4. See James Grimmelmann, Saving Facebook, 94 IOWA L. REV. 1137, 1160 (2009) (―Facebook systematically delivers signals suggesting an intimate, confidential, and safe setting.‖). 5. See 45 C.F.R. § 46 (2010) (codifying the regulations promulgated by the Secretary of Health and Human Services that govern the conduct of research with human subjects). 6. Grimmelmann, supra note 4, at 1144. 7. Id. at 1144–45. 8. Press Room: Statistics, supra note 3. 9. Julianne Pepitone, Facebook Traffic Tops Google for the Week, CNNMONEY.COM (Mar. 16, 2010), http://money.cnn.com/2010/03/16/technology/facebook_most_visited/index.htm. 10. Grimmelmann, supra note 4, at 1149. 11. Carly Brandenburg, Note, The Newest Way to Screen Job Applicants: A Social Networker’s Nightmare, 60 FED. COMM. L.J. 597, 598 (2008). 314 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 this abundance of personal information on Facebook, as well as on other similar social networking sites, can easily be gathered, or mined, to look for patterns in people‘s behavior.12 For example, social scientists at a number of different universities have collected data from Facebook pages to learn more about the ―lives and social networks of . . . college students.‖13 They have also mined for data on MySpace to learn about how men and women express emotion online14 and to assess, based on information posted on MySpace, what adolescents know about appropriate Internet conduct.15 Because academic researchers, especially those in the social sciences, are collecting data from Facebook and other Internet sites and publishing their findings,16 many university Institutional Review Boards (IRBs), committees charged by federal regulation to review research with human subjects,17 have established policies and procedures that govern research on the Internet.18 Some have even created policies specifically pertaining to data mining on social networking sites like Facebook.19 These policies serve as institution- specific supplements to Department of Health and Human Services (HHS) regulations governing the conduct of research with human subjects.20 The creation of these institution-specific policies implies that at least some university IRBs view data mining on Facebook as research with human subjects.21 Thus, at least at the universities where this is the case, research involving data mining on Facebook must undergo IRB review before the research may begin.22 However, whether or not research involving data mining on Facebook
12. See, e.g., Sameer Hinduja & Justin W. Patchin, Personal Information of Adolescents on the Internet: A Quantitative Content Analysis of MySpace, 31 J. ADOLESCENCE 125, 125 (2008) (examining the amount of personal information adolescents post on MySpace); Kevin Lewis et al., Tastes, Ties, and Time: A New Social Network Dataset Using Facebook.com, 30 SOC. NETWORKS 330, 331 (2008) (presenting and describing a dataset of information gathered from Facebook); Mike Thelwall et al., Data Mining Emotion in Social Network Communication: Gender Differences in MySpace, 61 J. AM. SOC‘Y INFO. SCI. & TECH. 190, 190 (2010) (examining the extent to which emotion is used in MySpace comments); Lindsay A. Thompson et al., The Intersection of Online Social Networking with Medical Professionalism, 23 J. GEN. INTERN. MED. 954, 954 (2008) (evaluating Facebook pages of medical students to determine what types of personal information they post, whether they keep their pages private, and whether they post inappropriate material on their pages). 13. Lewis et al., supra note 12, at 331. 14. See, e.g., Thelwall et al., supra note 12, at 190 (examining the extent to which emotion is used in MySpace comments). 15. See, e.g., Hinduja & Patchin, supra note 12, at 125 (examining the personal information that adolescents post on MySpace). 16. See supra text accompanying note 12. 17. See Institutional Review Board Guidebook, U.S. DEP‘T OF HEALTH & HUMAN SERVICES, http://www.hhs.gov/ohrp/irb/irb_introduction.htm (last visited Sept. 25, 2010) (describing federal regulations first promulgated in 1974 by the department formerly called Health, Education, and Welfare, which established IRBs as ―the mechanism through which human subjects [in research] would be protected.‖). 18. See infra text accompanying notes 56-60 for a discussion of Washington University‘s policy governing Internet research. 19. See infra text accompanying notes 47-55 for a discussion of IRB policies at Indiana University and the University of Massachusetts Boston that govern data mining on Facebook. 20. See generally 45 C.F.R. § 46 (2010) (describing basic HHS policy for protection of human research subjects). 21. See infra Part I.A (noting in particular Indiana University‘s IRB policy governing data mining). 22. See infra Part I.A (referencing several university IRBs‘ policies governing research involving data mining). No. 2] DATA MINING ON FACEBOOK 315 must undergo IRB review because federal regulations—and not just the universities themselves—mandate such review is unclear. According to the HHS regulations, all research with human subjects must undergo IRB review and receive IRB approval before the research may begin.23 This regulatory requirement seeks to assure that human subjects research is conducted as ethically as possible, in particular requiring that subject participation in research is voluntary, that the risks to subjects are proportional to the benefits, and that no subject population is unfairly excluded or included in research.24 HHS regulations define ―research‖ as a ―systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.‖25 A ―human subject‖ is a ―living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.‖26 This Article presupposes that research in which data is mined on Facebook easily satisfies the regulatory definition of research.27 Thus, whether data mining on Facebook requires IRB review depends on whether this type of research is research with human subjects. The regulatory scheme that governs research with human subjects does not adequately address this question. Thus, this Article examines whether a researcher who collects data from Facebook pages engages in an ―intervention or interaction‖ 28 with the individual users or whether the information on Facebook that researchers collect is ―private information.‖29 If data mining on Facebook is not research with human subjects, universities need not—and should not—mandate IRB review of it.30 Universities are permitted to institute policies that are more stringent than the federal regulations governing research with human subjects and require review of research that does not involve human subjects.31 However, IRBs that
23. See 45 C.F.R. § 46.101 (2010) (discussing the extent to which the HHS regulations apply). 24. See Ken Gatter, Fixing Cracks: A Discourse Norm to Repair the Crumbling Regulatory Structure Supporting Clinical Research and Protecting Human Subjects, 73 UMKC L. REV. 581, 595–96 (2005) (describing the abuses of research subjects that occurred in the Tuskegee syphilis study). See generally NATIONAL INSTITUTES OF HEALTH, DEP‘T OF HEALTH, EDUC., AND WELFARE, THE BELMONT REPORT: ETHICAL PRINCIPLES AND GUIDELINES FOR THE PROTECTION OF HUMAN SUBJECTS OF RESEARCH (1979) available at http://ohsr.od.nih.gov/guidelines/belmont.html (explaining that the HHS regulations governing research with human subjects codified in 45 C.F.R. § 46 are based on three key ethical principle described in the Belmont Report: respect for persons, beneficence, and justice). The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research wrote the Belmont Report in response to the many abuses of human research subjects that had occurred in the last several decades, in particular the Tuskegee syphilis study. Id. 25. 45 C.F.R. § 46.102(d) (2010). 26. 45 C.F.R. § 46.102(f) (2010). 27. Researchers who mine data on Facebook typically do so systematically with the intent to contribute generalizable knowledge about a topic to their field of study. See Rosenbloom, supra note 2, at A1, A26 (describing research questions that data is collected in a systematic fashion to answer). 28. 45 C.F.R. § 46.102(f)(1) (2010). 29. 45 C.F.R. § 46.102(f)(2) (2010). 30. See 45 C.F.R. § 46.101(a) (2010) (requiring research involving human subjects comply with these regulations, and implicitly not requiring research that does not constitute research with human subjects to follow the same regulations). 31. See id. (requiring that all research with human subjects comply with these regulations). 316 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 review research not ultimately within their purview needlessly use valuable time and other resources that could be spent reviewing other projects.32 Furthermore, the IRB review process is a complex one due to the significant amount of time that researchers spend preparing, and IRB members spend reviewing the researcher‘s application to the IRB to conduct the research.33 Thus, if researchers can lawfully avoid the IRB review process for research involving data mining on Facebook, then their research could be conducted more efficiently. On the other hand, if data mining on Facebook is deemed research with human subjects, IRBs must review the research.34 If they do not do so, the committee will not be compliant with federal regulations.35 Furthermore, ―IRB review‖ is a general term, as federal regulations permit IRBs to review a study in accordance with one of three possible types of review—full review, expedited review, or a designation of exemption.36 IRBs must therefore choose what type of review a study will undergo in accordance with the requirements imposed in the federal regulations. Because the amount of time and resources involved in the review process varies depending on the type of IRB review required,37 if data mining on Facebook is research with human subjects, IRBs and researchers should know what type of IRB review is required for the sake of compliance, as well as efficiency. Currently, HHS regulations do not address IRB review of research studies where data is collected from Internet sites, agency guidance documents do not address by topic the use of the Internet to obtain study data, and as a result, neither the regulations nor guidance documents address data mining on social networking sites.38 Thus, no authoritative or advisory materials indicate whether data mining on Facebook requires IRB review, and if so, what type of review is required. Ultimately, data mining on Facebook likely does not constitute research with human subjects, and therefore does not require IRB review, because a researcher who collects data from Facebook pages does not ―interact,‖ as the term is used in the regulatory definition of human subject, with the individual users.39 Additionally, the information on Facebook that researchers mine from
32. See infra Part IV.C (discussing the IRB resources required to conduct reviews). 33. See infra Part IV.B (discussing the complexity of the IRB application and review process). 34. See 45 C.F.R. § 46.101 (2010) (―[T]his policy applies to all research involving human subjects. . . .‖). See also infra Part IV.D. (discussing the consequences of non-compliance). 35. Id. 36. See 45 C.F.R. § 46.109 (2010) (listing requirements for IRB review of research); 45 C.F.R. § 46.110(a) – (b) (2010) (discussing the types of projects that may undergo an expedited review procedure); 45 C.F.R. § 46.101(b) (2010) (describing research with human subjects that qualifies for a designation of exemption). 37. See infra Part III for a discussion of the three types of IRB review that data mining on Facebook could undergo. 38. See 45 C.F.R. § 46 (2010) (explaining the policies ―for protection of human research subjects‖); Policy Guidance [by Topics], DEP‘T OF HEALTH, AND HUMAN SERVS., OFFICE FOR HUMAN RESEARCH PROTS., http://www.hhs.gov/ohrp/policy/index.html#topics (last visited Sept. 21, 2010) (providing policy guidance by topics). 39. 45 C.F.R. § 46.102(f)(1) (2010). No. 2] DATA MINING ON FACEBOOK 317 individual users‘ pages is not ―private information.‖40 If HHS were to suggest or explicitly state that data mining on Facebook involves human subjects, a designation of exemption is most likely appropriate. However, until the Office for Human Research Protections (OHRP), the office within HHS that enforces the regulations governing research with human subjects,41 issues guidance or promulgates new regulations discussing Internet research in general or data mining on social networking sites in particular, any analysis is purely academic. Given the number of research studies being conducted that involve data mining on Facebook,42 the OHRP should issue new guidance to assist IRBs in their review process.43 Part I of this Article discusses the policies implemented by some IRBs that govern research involving data mining on social networking sites and by which researchers on their campuses must abide. Part II dissects the meaning of ―human subject‖ as defined in the federal regulations and analyzes whether IRB review might be required for research involving data mining on Facebook based on this meaning. Part III identifies the different types of IRB review that data mining on Facebook might undergo if this type of research involves human subjects and discusses what type of review is likely the most appropriate given the nature of the research. Part IV suggests that the OHRP should issue guidance that addresses whether data mining on social networking sites is research with human subjects and discusses the benefits that such a guidance document would provide for researchers and IRBs.
II. CURRENT IRB POLICIES GOVERNING RESEARCH INVOLVING DATA MINING ON FACEBOOK An increasing number of university IRBs are implementing policies that require IRB review of research involving data mining on Facebook.44 A look
40. 45 C.F.R. § 46.102(f)(2) (2010) . 41. See OHRP Fact Sheet, DEP‘T OF HEALTH & HUMAN SERVS., OFFICE FOR HUMAN RESEARCH PROTS., http://www.hhs.gov/ohrp/about/ohrpfactsheet.htm (last visited Sept. 25, 2010) (providing an overview of OHRP‘s responsibility to interpret and enforce all HHS regulations governing human subjects research). 42. See Hinduja & Patchin, supra note 12, at 126 (mentioning Facebook as similar to MySpace in a study of adolescent personal information on the Internet); Lewis et al., supra note 12, at 330 (introducing ―a new public dataset based on manipulations and embellishments of . . . Facebook.com‖ and presenting findings from the ―first wave of data‖); Thelwall et al., supra note 12, at 192–93 (discussing Facebook in a study involving data mining for information about emotional expression online); Thompson et al., supra note 12, at 956 (concluding based on a study where researchers mined medical students‘ Facebook pages that medical students often post personal, and perhaps inappropriate information, and do not use all of the privacy settings available to them). 43. I suggest that the OHRP issue guidance, rather than promulgate new regulations, because the issue of whether data mining on Facebook constitutes research with human subjects seems more appropriate for explanation in a guidance document. Guidance documents are not legally binding on the issuing agency or on the regulated entities that follow them, but instead explain how regulated entities like university IRBs should follow the applicable regulations. Peter L. Strauss et al., ADMINISTRATIVE LAW 731 (10th ed. 2003). 44. See, e.g., Information Mining from the Internet, IND. UNIV. OFFICE OF RESEARCH ADMIN., http://www.researchadmin.iu.edu/HumanSubjects/IUB/hs_ic_infomine.html (last visited Oct. 19, 2010) (detailing a policy at Indiana University requiring the IRB‘s approval of research involving data mining on Facebook); Research and Information Mining from the Internet, ORSP NEWSLETTER, June 2009, at 1, available at http://www.umb.edu/uploads/research/ORSPNewsletterJune2009.pdf (detailing University of Massachusetts Boston‘s policy requiring the IRB‘s approval of research involving data mining on Facebook). 318 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 at some of these policies is useful in understanding the kinds of burdens that IRB review of data mining on Facebook imposes on researchers, burdens which may be avoided if federal regulations do not require IRB review.
A. University Policies Governing Data Mining on Facebook Several university IRBs have adopted policies that specify procedures with which researchers must comply if they plan to mine data on a social networking site.45 These policies impose specific, often burdensome, obligations on the researchers and need not be imposed if data mining on Facebook is not research with human subjects.46 Indiana University‘s IRB, for example, adopted a strict policy governing data mining on Facebook.47 The IRB will not approve any study involving data mining on Facebook without written permission from Facebook sent directly to the IRB that grants the researcher permission to conduct such research.48 Should the researcher decide not to request this written permission from Facebook, or should permission be denied, he must obtain consent from each individual whose profile he wishes to mine data.49 Indiana University‘s policy imposes significant hardship on researchers, who must take the time to draft a letter to Facebook requesting permission to mine data on the site.50 The Facebook staff members who grant such approvals may not respond to the researcher‘s request promptly, if at all, thus delaying the commencement of the research.51 If the researcher is unable to obtain approval from Facebook, he would then need to contact and receive consent from every person from whose page he intends to collect information.52 This process could be very time consuming, if not entirely impossible due to the high number of Facebook pages from which data may be collected. If IRB review is not required because data mining on Facebook does not constitute research with human subjects, why impose this hardship on researchers?53 In a newsletter published in June 2009, the University of Massachusetts
45. See, e.g., IND. UNIV. OFFICE OF RESEARCH ADMIN., supra note 44 (stating the procedures for researchers to follow if they want to mine data on social networking sites); ORSP NEWSLETTER, supra note 44, at 1 (stating University of Massachusetts Boston‘s policy they want researchers to follow when data mining on Facebook). 46. See, e.g., IND. UNIV. OFFICE OF RESEARCH ADMIN., supra note 44 (implying that the primary reason for its policy is that the data mining constitutes research with human subjects). 47. See id. (stating that their IRB would not approve a study mining Facebook information without an independent statement from the site itself). 48. Id. 49. Id. 50. See id. (stating their requirement of an independent statement from Facebook directly before a data mining study would be approved). 51. See id. (noting that both Facebook and MySpace explicitly state the purpose of their site is social networking, not research). 52. Id. 53. If Facebook‘s terms of use require researchers to obtain such permission, researchers must comply with the contractual obligations that Facebook imposes. Id. However, whether Facebook‘s terms of use require the type of permission that Indiana University‘s IRB requires is outside the scope of this Article, as that question requires a separate analysis. No. 2] DATA MINING ON FACEBOOK 319
Boston‘s IRB published a policy prescribing procedures for researchers planning to mine data on Facebook that uses nearly identical language to that of Indiana University‘s IRB policy.54 It requires researchers who mine data on Facebook to obtain a permission letter from the site that should be sent directly to the IRB, or to obtain permission from each individual site user whose data will be collected.55 Consequently, if data mining on Facebook does not involve human subjects and therefore does not require IRB review, such burdensome requirements are unnecessary and should be eliminated. Washington University in Saint Louis‘s IRB has adopted policies pertaining to Internet research, although these policies do not specifically address data mining on social networking sites.56 The guidelines instead provide that the IRB will, in most circumstances, ―require that investigators inform participants that they are being observed for research purposes‖ when that researcher is conducting research using the Internet.57 While the policy refers only to Internet research in general and is not specific about data mining on Facebook, researchers at the university could fairly interpret it to mean that the IRB will require informed consent from individual site users to collect their data.58 Admittedly, Washington University‘s policy imposes less of a burden on researchers than the policies at Indiana University and University of Massachusetts Boston because researchers at Washington University need only inform Facebook users that they are recording information that is posted on their pages.59 Researchers need not obtain active consent from Facebook users to record the information, like the requirement that Indiana University and the University of Massachusetts Boston impose.60 However, Washington University‘s requirement is nonetheless a time consuming one for researchers. These IRBs‘ policies also impose an unnecessary burden on the IRBs themselves—and not just the researchers—if research involving data mining on Facebook is not technically within their purview because they could be devoting their resources to studies that actually require review.61 In accordance with these policies, the researcher must plan to submit his research
54. See ORSP NEWSLETTER, supra note 44, at 1 (noting that the University of Massachusetts Boston IRB would not approve a data mining experiment on Facebook without an explicit authorizing statement from the site). 55. Id. 56. Internet Research Guideline, WASH. UNIV. IN ST. LOUIS, HUMAN RESEARCH PROT. OFFICE, (Jan. 22, 2008), http://hrpohome.wustl.edu/study_team/guidelines/Internetguideline.rtf. In 2007, the University won the Health Improvement Institute‘s Award for Excellence in Human Research for its IRB‘s innovation of guidelines for Internet research. 2007 Human Research Protection Award Recipients Announced, REUTERS (Dec. 10, 2007, 3:17 PM), http://www.reuters.com/article/pressRelease/idUS205579+10-Dec- 2007+PRN20071210. 57. WASH. UNIV. IN ST. LOUIS, supra note 56. 58. See id. (defining ―Internet research‖ as any research of a human subject ―which is designed to recruit participants or collect data via the Internet‖). 59. Id. 60. Compare IND. UNIV. OFFICE OF RESEARCH ADMIN., supra note 44 (requiring written permission from Facebook or each individual site user), and ORSP NEWSLETTER, supra note 44, at 1 (requiring written permission from Facebook or each individual site user), with WASH. UNIV. IN ST. LOUIS, supra note 56 (requiring researchers to inform participants when conducting research). 61. See infra Part IV.C (discussing the need to eliminate the unnecessary use of IRB resources). 320 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 proposal to the IRB, and the IRB must subsequently review and approve it.62 It is therefore beneficial for both researchers and IRBs to understand whether federal regulations require IRB review of research involving data mining on Facebook, and if so, what type of review is required.
III. DOES DATA MINING ON FACEBOOK CONSTITUTE RESEARCH WITH HUMAN SUBJECTS?
A. Definitions of “Research” and “Human Subject” As They Apply to Data Mining on Facebook A study involving data mining on Facebook must undergo IRB review if it is research with human subjects as defined in HHS regulations.63 A study involving data mining on Facebook will almost always amount to a ―systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge,‖64 and thus satisfies the regulatory definition of ―research‖ for two reasons. First, the review of the data will generally be systematic; otherwise, the researcher‘s ultimate conclusions will carry little weight in the academic community because a non-systematic approach to data collection and analysis would appear haphazard.65 Second, if the researcher plans to publish or present his data and conclusions at any point, he probably intends for these conclusions to contribute to generalizable knowledge in his field. Why else would he invest the time in conducting such a study? Thus, the question of whether a study involving data mining on Facebook requires IRB review hinges on whether this type of research involves human subjects. A human subject is defined as a ―living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.‖66 Most, if not all, data mining on Facebook will involve the collection of information about living individuals.67 Thus, we must next consider whether researchers who mine data on Facebook obtain information through an intervention or interaction with Facebook users, or if the data mining involves the collection of identifiable, private information.
62. See, e.g., WASH. UNIV. HUMAN RESEARCH PROT..OFFICE, POLICIES & PROCEDURES 5 (2010), available at http://hrpohome.wustl.edu/study_team/policies/HRPO_policies_and_procedures.pdf (requiring IRB review and approval before any research study with human subjects may begin). 63. See 45 C.F.R § 46.102(d) (2010) (defining ―research‖); 45 C.F.R. § 46.102(f) (2010) (defining ―human subject‖). 64. 45 C.F.R. § 46.102(d) (2010). 65. See Andreas Laupacis & Sharon Straus, Systematic Reviews: Time to Address Clinical and Policy Relevance as Well as Methodological Rigor, 147 ANNALS OF INTERNAL MED. 273, 273 (2007) (―Many consider systematic reviews to be the best source of information for making clinical and policy decisions.‖). 66. 45 C.F.R. § 46.102(f) (2010). 67. If a researcher accesses a Facebook page of a deceased user, the collection of data from that page does not satisfy the definition of research with human subjects, and IRB review of the collection of that data is not required under the regulations. See id. (defining a human subject as a ―living individual‖). No. 2] DATA MINING ON FACEBOOK 321
B. Does Data Mining on Facebook Involve an Intervention or Interaction? Federal regulations specify that collection of data from living individuals through intervention or interaction constitutes research with human subjects that requires IRB review.68 An intervention includes ―both physical procedures by which data are gathered (for example, venipuncture) and manipulations of the subject or the subject‘s environment that are performed for research purposes.‖69 Data mining on Facebook should not require the use of any interventions as defined in the regulations because all that the researcher is doing is viewing information and recording it.70 Thus, whether data mining on Facebook is research with human subjects may depend on whether an interaction between the researcher and Facebook user occurs when the researcher records data from a Facebook user‘s page.
1. Interpreting “Includes” to Determine Whether Data Mining on Facebook Involves Human Subjects An interaction ―includes communication or interpersonal contact between investigator and subject.‖71 We must first look at the meaning of the word ―includes‖ to determine whether an interaction occurs only in the event of communication or interpersonal contact between investigator and subject, or whether an action other than communication or interpersonal contact may amount to an interaction. If an interaction occurs only if communication or interpersonal contact between the researcher and Facebook user takes place, an analysis of the terms ―communication‖ and ―interpersonal contact‖ is essential for determining whether data mining on Facebook involves an interaction between the researcher and Facebook user (and therefore involves human subjects). If an action other than communication or interpersonal contact amounts to an interaction, an analysis of these terms is less dispositive of whether data mining on Facebook is human subjects research, but is useful nonetheless. Applicable federal regulations, case law, and legislative history do not address whether an interaction consists only of communication or interpersonal contact. Dictionary definitions of ―include,‖ as well as court opinions that interpret other statutory provisions indicate that communication and interpersonal contact are not the only types of actions that are interactions. The New Oxford American Dictionary defines ―include‖ as ―to make part of a whole or set,‖72 and notes that the word can ―also be used in a nonrestrictive way, implying that there may be other things not specifically mentioned that
68. Id. 69. Id. 70. This Article only contemplates that researchers mine data on Facebook on pages that they already otherwise have access to, because, for example, the users are in a network of which the researchers are a part. This Article contemplates no deception on the part of the researcher to gain access to Facebook pages, as research involving deception to encourage participation must undergo a separate analysis. 71. Id. 72. THE NEW OXFORD AMERICAN DICTIONARY 859 (Elizabeth J. Jewell & Frank Abate eds., 2001). 322 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 are part of the same category.‖73 Black’s Law Dictionary defines ―include‖ as ―to contain as a part of something,‖ 74 and says that a phrase such as ―including but not limited to‖ means the same thing.75 Similarly, courts have consistently held that the use of the term ―includes‖ in statutes does not mean that a given list is all-inclusive but instead that the items in the list are used as examples only.76 The Supreme Court has opined that ―including‖ connotes simply an ―illustrative application of the general principle.‖77 The Court has also stated that ―the terms ‗means‘ and ‗includes‘ are not necessarily synonymous,‖78 and the Ninth Circuit declared that ―the word ‗includes‘ is usually a term of enlargement, and not of limitation.‖79 Therefore, it is reasonable to conclude that an action other than communication or interpersonal contact between the researcher and Facebook user could be an interaction. Thus, even if data mining on Facebook does not involve communication or interpersonal contact between the researcher and Facebook user, this type of research may involve human subjects nonetheless because another type of action might amount to an interaction. If data mining on Facebook involves communication or interpersonal contact between the researcher and Facebook user, then this type of research involves human subjects and therefore requires IRB review.80 The ambiguity as to what an interaction actually is suggests one reason why the OHRP should issue guidance addressing IRB review of data mining on social networking sites.
2. Communication Between the Researcher and Facebook User Because a communication between the researcher and Facebook user is an interaction, we must next consider whether data mining on Facebook actually involves communication between the researcher and Facebook user. If so, then this type of research is research with human subjects. The New Oxford American Dictionary defines communication as ―the imparting or exchanging of information or news.‖81 Black’s Law Dictionary defines communication as ―the expression or exchange of information by speech, writing or gestures.‖82 In law, the term ―communication‖ is often used to refer to communication protected under the attorney-client privilege.83 The
73. Id. 74. BLACK‘S LAW DICTIONARY 831(9th ed. 2009). 75. Id. 76. NORMAN J. SINGER & J.D. SHAMBIE SINGER, SUTHERLAND ON STATUTORY INTERPRETATION § 47:7 (7th ed. 2009) (―A term whose statutory definition declares what it ‗includes‘ is more susceptible to extension of meaning by construction than where the definition declares what a term ‗means‘ . . . . It, therefore, conveys the conclusion that that there are other items includable, though not specifically enumerated.‖). 77. Fed. Land Bank of St. Paul v. Bismarck, 314 U.S. 95, 100 (1941). 78. Helvering v. Morgan‘s Inc., 293 U.S. 121, 125 (1934). 79. U.S. v. Gertz, 249 F.2d 662, 666 (9th Cir. 1957). 80. See 45 C.F.R. § 46.101(a) (2010) (stating that IRB review is required for any ―research involving human subjects conducted, supported, or otherwise subject to regulation by any federal department or agency‖). 81. THE NEW OXFORD AMERICAN DICTIONARY, supra note 72, at 346. 82. BLACK‘S LAW DICTIONARY, supra note 74, at 316. 83. See THOMAS D. MORGAN, LAWYER LAW 246 (2005) (analyzing what a communication is). No. 2] DATA MINING ON FACEBOOK 323
Restatement of the Law Governing Lawyers defines communication as ―any expression through which a privileged person . . . undertakes to convey information to another privileged person.‖84 The Restatement definition is useful in that it shows that communication occurs where there is active conveyance of information, i.e. intent to convey information.85 Thus, one could extrapolate from the dictionary and Restatement definitions that there must be the intent to exchange information in order for data mining on Facebook to be an interaction.
3. Interpersonal Contact Between the Researcher and Facebook User Data mining on Facebook may also constitute research with human subjects if interpersonal contact occurs between the researcher and Facebook user. The term ―interpersonal‖ refers to communications or relationships between people,86 and a contact is ―a meeting, communication, or relationship with someone.‖87 Thus, data mining on Facebook involves interpersonal contact if the researcher and Facebook user meet, communicate, or have a relationship.
4. The Ambiguity of “Communication” and “Interpersonal Contact” The difficulty with determining whether data mining on Facebook involves a communication or interpersonal contact is that data mining on Facebook simply entails the researcher collecting information from Facebook pages that has already been posted.88 The regulations specify that the communication or interpersonal contact must be between the researcher and the Facebook user for an interaction to occur.89 ―Between‖ is defined as ―indicating a connection or relationship involving two or more parties.‖90 The use of the term ―between‖ in the HHS regulations, in conjunction with terms ―communication‖ and ―interpersonal contact,‖91 indicates that action must be taken on the part of the researcher as well as the Facebook users whose profiles are mined for information in order for a communication or interpersonal contact between them to occur. No such action on the part of Facebook users occurs when researchers mine data on Facebook.92 Furthermore, Ivor Pritchard, a former Acting Director of the OHRP and current senior advisor to the Director, explained that ―[a]ny time the researcher does something to or with someone and collects data about that individual, or
84. RESTATEMENT (THIRD) OF THE LAW GOVERNING LAWYERS § 69 (2000). 85. See MORGAN, supra note 83, at 247 (describing the concept of ―communication‖ and illustrating examples of communication). 86. THE NEW OXFORD AMERICAN DICTIONARY, supra note 72, at 887. 87. Id. at 369. 88. See, e.g., Lewis et al., supra note 12, at 331 (describing how the researchers downloaded the profile pages and network data of users in their sample population for viewing and analysis). 89. 45 C.F.R. § 46.102(f) (2010). 90. THE NEW OXFORD AMERICAN DICTIONARY, supra note 72, at 159. 91. 45 C.F.R. § 46.102(f) (2010). 92. See supra note 89 and accompanying text. 324 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 any time the researcher‘s action elicits a response from a person and that reaction is recorded, interaction with a human subject[] takes place.‖93 When a researcher collects data from an individual simply by recording information that already exists on a Facebook page, the researcher does nothing to or with the Facebook user, and is not eliciting a response from the Facebook user.94 Thus, based on this analysis, data mining on Facebook likely is not an interaction as defined in the federal regulations governing research with human subjects. Additionally, a comparison of data mining on Facebook to a more well- known form of data mining such as medical record reviews in biomedical research95 is a useful way of determining whether data mining involves an interaction between the researcher and subject. It seems implausible that a physician-researcher who combs through patients‘ medical records, records data from the records, and looks for patterns in the data ―interacts‖ with the patient.96 This is not to say that medical record reviews are not research with human subjects. In fact, they are, but because the researchers are gathering identifiable, private information about these individuals, not because an interaction is involved.97 Based on this comparison to medical records research, data mining on Facebook likely is not an interaction between researchers and Facebook users. As a result, whether data mining on Facebook is research with human subjects likely hinges on whether this type of research involves the collection of identifiable, private information.98
C. The Right to Privacy on Facebook Although data mining likely does not involve an interaction between the researcher and Facebook user from whom he collects information, data mining on Facebook could be human subjects research if the researcher obtains identifiable, private information from Facebook users.99 The data that a
93. Ivor A. Pritchard, Searching for ―Research Involving Human Subjects,” IRB: ETHICS AND HUMAN RESEARCH, May-June 2001, at 7. 94. See id. (discussing interaction with human subjects). 95. Franklin G. Miller, Research on Medical Records Without Informed Consent, 36 J.L. MED. & ETHICS 560, 560 (2008) (―Research drawn from data contained in medical records is a common and immensely important means of scientific investigation. . . .‖). 96. See, e.g., Annette M. Matthews et al., Hepatitis C Testing and Infection Rates in Bipolar Patients With and Without Comorbid Substance Abuse Disorders, 10 BIPOLAR DISORDERS 266 (2008). In this study, for example, researchers in Portland, Oregon searched patients‘ medical records to examine whether individuals with bipolar disorder, substance abuse disorders, or co-occurring disorders (both bipolar disorder and substance abuse disorder) were more likely to be tested, and at an increased risk, for Hepatitis C than individuals in a control group. Id. at 267. 97. Miller, supra note 95, at 560 (―[M]edical records research is merely observational, without any interaction between investigators and human subjects. . .‖). This Article argues that unlike medical records, Facebook pages do not include identifiable, private information, which is why medical record reviews constitute research with human subjects, but data mining on Facebook does not. See infra section II(C) (discussing identifiable, private information). 98. See 45 C.F.R. § 46.102(f)(1)-(2) (2010) (defining ―[h]uman subject‖). Because research involves human subjects if it involves an interaction or the collection of identifiable private information, a conclusion that data mining on Facebook does not constitute an interaction between the researcher and Facebook user is not dispositive of whether the research involves human subjects. Id. 99. Id. No. 2] DATA MINING ON FACEBOOK 325 researcher collects from a Facebook page is certainly identifiable, as all Facebook users‘ names and main profile photographs (if any) are visible even to those without a Facebook account.100 Therefore, whether data mining on Facebook involves human subjects, and thus requires IRB review, likely depends on whether the information that a Facebook user posts on his page is private information. If the information is not private, data mining on Facebook likely is not research with human subjects. Federal regulations provide that private information is ―information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place.‖101 Private information is also ―information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).‖102 Even before the HHS regulations were first promulgated, scholars maintained that the observation of individuals who were unaware that they were being observed, for example through one-way glass, had privacy implications.103 However, Facebook users should know that they may be observed. After all, they post information on their Facebook pages for the specific purpose of being seen (and hopefully contacted) by a large number of people.104 In fact, one research study found that 41% of Facebook users will reveal personal information, including their email address, home address, phone number, and date of birth, to a stranger.105 A stranger who successfully solicits this personal information from a Facebook user is no different than a researcher who gathers the same, or even less personal, information from Facebook page. If nearly half of Facebook users are unconcerned about sharing personal, identifying information with a stranger and post personal information online so that others will see it, these same individuals should reasonably expect that the information that they post on Facebook may be observed or recorded. For the other Facebook users who are serious about limiting access to other information posted on their page, the site provides a variety of privacy settings that users can activate to protect their information.106 For example, Facebook users can limit the ability of other users to view information or photographs on their pages, post messages on their pages, and identify them in a photo on a friend‘s page (called ―tagging‖).107 Facebook‘s privacy policy
100. Ryan Singel, Rogue Marketers Can Mine Your Info on Facebook, WIRED (Jan. 5, 2010), http://www.wired.com/epicenter/2010/01/facebook-email/. 101. 45 C.F.R. § 46.102(f) (2010). 102. Id. 103. See e.g., Oscar M. Ruebhausen & Orville G. Brim, Jr., Privacy and Behavioral Research, 65 COLUM. L. REV. 1184, 1196–97 (1965) (discussing the privacy implications for people who unknowingly or unintentionally participate in behavioral research). 104. Grimmelmann, supra note 4, at 1157. 105. Samantha L. Millier, Note, The Facebook Frontier: Responding to the Changing Face of Privacy on the Internet, 97 KY. L.J. 541, 542 (2009). 106. See id. at 544 (explaining different privacy settings offered by Facebook). 107. Id. Until December 2009, Facebook‘s privacy settings permitted users to restrict access to other information posted on their pages, such as the identity of their Facebook friends; however, this information is currently available to all Facebook users. Brad Stone, Facebook’s Privacy Changes Draw More Scrutiny, N.Y. TIMES BITS BLOG, (Dec. 10, 2009, 01:44 PM), http://bits.blogs.nytimes.com/2009/12/10/facebooks-privacy- 326 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 warns site users that any information they post is posted at their own risk, and that activation of the site‘s privacy settings may be insufficient to guarantee restricted access to any posted information.108 This inability to guarantee restricted access is completely unlike the security of a medical record, which, while accessible to medical personnel, is nearly guaranteed (if not fully guaranteed) to remain inaccessible to others.109 Site users nonetheless continue to post personal information about themselves on Facebook.110 Many Facebook users post information on their pages without worrying about the privacy implications of doing so,111 although they may know that activation of privacy settings on Facebook protects their personal information only to a certain extent.112 Furthermore, some Facebook users fail to realize that they can restrict other users‘ access to their personal information through these privacy settings.113 Thus, a Facebook user who posts an embarrassing photo of himself on his page without activating the available privacy settings simply ―is a victim of his own reckless behavior. By publicizing embarrassing information, he voluntarily relinquished control— and a legally recognizable privacy right—over it.‖114 Additionally, those Facebook users who want to limit access to their pages cannot limit access to all of their information, unlike the ability of patients to limit access to the information contained in their medical records. Some individuals post information on their Facebook pages with the intent that it be viewed only by certain individuals.115 However, ―revelations intended for particular social networks are accessed with relative ease by employers, police, and other authority figures.‖116 Furthermore, Facebook settings mandate that certain information, such as a user‘s name, gender, networks, and primary photograph, remain publicly available.117 Some information posted on Facebook is, therefore, so public that all Facebook users, as well as other members of the general public, can view it. Facebook employees also have the right, per the site‘s terms of use, to access users‘ information on Facebook—
changes-draw-more-scrutiny/. Easy access to a Facebook user‘s list of friends could provide a researcher with an abundance of information about that person through which the researcher can make generalizations. Thus, Facebook‘s latest privacy settings indicate that certain information, like the identity of Facebook friends, is in fact not private. 108. Facebook, Privacy Policy, http://www.facebook.com/policy.php (last visited Sept. 21, 2010). 109. See, e.g., Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d–2 (2006) (outlining safeguards that allow medical personnel to access medical records while ensuring that the information remains otherwise confidential). 110. Avner Levin & Patricia Sanchez Abril, Two Notions of Privacy Online, 11 VAND. J. ENT. &TECH. L. 1001, 1002 (2009). 111. Id. 112. See id. at 1036 (―These data suggest that although respondents do the best they can with the tools afforded to them by their network, they realize that these tools are insufficient to effectively control everything posted about them on the network.‖). 113. Millier, supra note 105, at 542. 114. Levin & Abril, supra note 110, at 1009. 115. See Brandenburg, supra note 11, at 619 (discussing ways to limit information sharing to third parties). 116. Julie E. Cohen, Privacy, Visibility, Transparency, and Exposure, 75 U.CHI. L. REV. 181, 198 (2008). 117. Singel, supra note 100. No. 2] DATA MINING ON FACEBOOK 327 albeit in limited circumstances.118 Many Facebook users, however, have failed to realize that these individuals can not only access their information but also use that information to create new Facebook applications.119 Thus, Facebook users who anticipate that the only people who can view and use their information are the friends to whom they grant access to their page have an unreasonable expectation of privacy.120 Furthermore, the information that society historically has considered private is no longer as private as once thought. A New York Magazine article claimed that ―the idea of a truly private life is already an illusion. . . . Your life is being lived in public whether you choose to acknowledge it or not.‖121 For example, the mere posting of a date and place of birth on a Facebook page is enough to give a resourceful snoop the ability to predict that person‘s social security number.122 Perhaps the ease with which such private information can be discerned means that a traditional understanding of privacy is no longer applicable. Moreover, employers and admissions committees commonly use Facebook to research applicants for jobs or spaces in academic programs.123 Thus, the Facebook users who expect that their online behavior will not be observed or recorded by researchers have no reasonable expectation to this effect. A University of Massachusetts Dartmouth study revealed that 20% of college admissions offices look up student applicants on social networking sites like Facebook.124 A National Association of Colleges and Employers study reported that ―approximately one in ten employers report they plan to review potential hires‘ profiles and information posted on social networks.‖125 One Facebook user lost a summer employment opportunity after his potential new boss saw that he listed ―smokin‘ blunts‖ on his Facebook page as one of his interests.126 Additionally, courts are now opining on the public nature of information posted on social networking sites. The New York Supreme Court recently held that information on a plaintiff‘s Facebook page was discoverable despite the
118. Warren Riddle, Anonymous Employee Reveals Ugly Details of Facebook’s Inner Workings, SWITCHED.COM, (Jan. 15, 2010, 9:18 AM), http://www.switched.com/2010/01/15/anonymous-employee- reveals-ugly-details-of-facebooks-inner-work/. 119. Id. 120. See Millier, supra note 104–05, at 545 (describing how second parties are not controlled in their sharing of information). 121. Jonathan Shaw, Exposed: The Erosion of Privacy in the Internet Era, HARV. MAG., Sept.-Oct. 2009, at 38, 42 (citing Emily Nussbaum, Say Everything, N.Y. MAG., Feb. 12, 2007). 122. Id at 39. 123. Brandenburg, supra note 11, at 600; Alison Damast, The Admissions Office Finds Facebook, BUS. WK. ONLINE, Sept. 28, 2008, http://www.businessweek.com/bschools/content/sep2008/ bs20080928_509398.htm. 124. Steven Rothberg, College Admissions Officers Using Facebook, MySpace, and Other Social Networking Sites to Block Students, COLLEGERECRUITER.COM, Nov. 2, 2007, http://blog.collegerecruiter.com/ blog/2007/11/02/college-admissions-officers-using-facebook-myspace-and-other-social-networking-sites-to- block-students/ (cited in Darby Dickerson, Background Checks in the University Admissions Process: An Overview of Legal and Policy Considerations, 34 J.C. & U.L. 419, 492 n.514 (2008)). 125. Brandenburg, supra note 11, at 600 (citing New ―Background‖ Check, 23 No. 21 Emp. Alert (National Employment Law Institute), Oct. 12, 2006, at 11). 126. Grimmelmann, supra note 4, at 1165. 328 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 privacy settings she had activated because ―as neither Facebook nor MySpace guarantee complete privacy, Plaintiff has no legitimate reasonable expectation of privacy.‖127 Furthermore, because the plaintiff agreed to share the information she posted on the social networking sites when she created her pages on the sites, she ―knew that her information may become publicly available, [and] she cannot now claim that she had a reasonable expectation of privacy.128 Furthermore, other courts have held more generally that an individual who provides information to some third parties waives his ability to invoke his right to privacy against other third parties.129 Thus, if researchers are able to mine data from Facebook pages that they access through friends of friends, for example, the Facebook user might argue that she only intended to disclose her information to her invited friends. However, because the Facebook user failed to limit access to friends of their friends, that user likely has waived any claims to privacy of the information posted online. All of these arguments indicate that information posted on Facebook should not be considered private, and data mining on Facebook should therefore not be considered research with human subjects. A counterargument is that information posted on Facebook is only intended to be shared with a specific group of individuals for purposes other than research purposes.130 However, the number of Facebook users who are willing to share their personal information freely, the changing nature of what information can really remain private in our technologically advanced society, and the use of Facebook for employment and admissions indicate that the few individuals who expect that their information on Facebook is private have no reasonable expectation of privacy. Thus, if personal information posted on Facebook is not private and data mining on Facebook does not involve an interaction between the researcher and individual Facebook users, data mining on Facebook does not constitute research with human subjects.131 This type of research therefore does not require IRB review.132 However, if personal information posted on Facebook is ultimately determined to be private, or if data mining involves an interaction between the researcher and Facebook user, then this type of research involves human subjects, and IRB review would be required.133
127. Romano v. Steelcase, Inc., 907 N.Y.S. 2nd 650, 656 (2010). 128. Id. at 657. 129. See e.g., Nader v. Gen. Motors Corp., 255 N.E.2d 765 (N.Y. 1970); Duran v. Detroit News, Inc., 504 N.W.2d 715 (Mich. Ct. App. 1993) (cited in Brandenburg, supra note 11, at 606–07) (ruling that third- party disclosures prevent claims of privacy invasion). 130. See Grimmelmann, supra note 4, at 1162 (―The powerful, if unspoken, message is that what you say on Facebook will reach your contacts and desired contacts but no one else.‖). 131. See 45 C.F.R. § 46 (2010) (codifying the regulations promulgated by the Secretary of Health and Human Services governing the conduct of research with human subjects). 132. See 45 C.F.R. § 46.102(d)-(f) (2010) (explaining what constitutes research with human subjects). 133. See 45 C.F.R. §§ 46.109-111 (2010) (explaining the requirements for IRB review, the procedures for expedited review, and the criteria for IRB approval of research). See infra Part IIIB for a discussion of expedited review. No. 2] DATA MINING ON FACEBOOK 329
IV. IRB REVIEW OF DATA MINING ON FACEBOOK If data mining on Facebook is research with human subjects, IRBs must review this type of research in order to comply with federal regulations governing research with human subjects. However, IRBs may review a research study in accordance with one of three types of review.134 IRBs must conduct the correct type of review for research involving data mining on Facebook because failure to do so means that the IRB will have not have complied with the applicable federal regulations.135 The IRB, the researcher, and the university as a whole will have to contend with the resulting consequences of this non-compliance.136 Thus, it is important to understand what type of review data mining on Facebook requires if this research involves human subjects.
A. Exemption of Data Mining on Facebook from Compliance with Federal Regulations If IRB review is indeed required, data mining on Facebook is most likely to receive a designation of exemption.137 Federal regulations provide that any research with human subjects that is of a certain low-risk nature and falls within one of six enumerated categories listed in the HHS regulations is exempt from compliance with these regulations.138 Exempt research studies still are research studies with human subjects, as federal regulations specify that ―research activities in which the only involvement of human subjects will be in one or more of the [exempt] categories are exempt from [these regulations].‖139 Thus, the term ―exempt‖ is a bit of a misnomer in that if data mining on Facebook warrants a designation of exemption, it is exempt from any further IRB review. However, a member of the IRB or other designated official must conduct an initial review to determine that the study meets the criteria for exemption.140 In fact, the OHRP specifically recommends in its policy guidance that researchers themselves not determine that their projects are exempt from
134. See infra Part III.A-C (describing the three types of IRB review that data mining on Facebook could undergo). 135. See 45 C.F.R. § 46 (2010) (codifying the regulations promulgated by the Secretary of Health and Human Services governing the conduct of research with human subjects). 136. See infra Part IV.D.1-2 (discussing the consequences of non-compliant research). 137. See infra Part III.A.1-2 (describing the two potential categories of exempt research under which data mining on Facebook may fall). 138. See 45 C.F.R. § 46.101(b) (2010) (enumerating six exceptions to the general policy of HHS protection for human subjects). Exemption from compliance with the federal regulations governing research with human subjects means that a study that fits into one of the six enumerated categories need not comply, for example, with the regulations governing informed consent in 45 C.F.R. § 46.116, or with the requirement in 45 C.F.R. § 46.109(e) that research with human subjects undergo review at least annually until complete. 139. 45 C.F.R. § 46.101(b) (2010) (emphases added). 140. Federal regulations do not mandate that the IRB determine if research is exempt under 45 C.F.R. § 46.102(b) (2010). However, the OHRP recommends that a determination of exemption be made by someone (like the IRB) with access to enough information to determine whether an exemption is appropriate. Dep‘t of Health and Human Services, Office for Research Protections, FAQs: Exempt Research Determination (Apr. 20, 2009), http://www.hhs.gov/ohrp/policy/exempt_res_det.html. 330 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 further IRB review.141 The OHRP is concerned about the conflicts of interest that may result if researchers are permitted to determine whether their own projects fall under an exempt category.142 Despite this potential for conflict of interest, one scholar in particular has suggested that social scientists be permitted, as a time-saving measure, to determine whether their research is exempt.143 However, IRBs provide more than just a mere determination that a project falls under an enumerated exempt category. They are ―instructed by federal regulations to safeguard the rights of research subjects while continuing to allow the advancement of scientific research.‖144 Thus, IRBs must not unnecessarily hinder the progress of research, but at the same time, they must ensure that research complies with both federal regulations and is consistent with ethical research practices that exist to protect research participants. As a result, researchers who mine data on social networking sites are not permitted, and are unlikely to be permitted in the future, to determine whether their projects are exempt from further IRB review.145
1. Exemption of Data Mining on Facebook Under Category Two If data mining on Facebook involves human subjects and requires IRB review of some type, such research likely should be deemed exempt in accordance with federal regulations. Federal regulations enumerate six categories of exempt research, and there are two categories under which data mining on Facebook might fall.146 The first category, which is the second enumerated in the regulations, exempts research where public behavior is observed, as long as the information that the researcher obtains is recorded in such a way that the individual whose information was obtained cannot be identified based on how the information was recorded.147 Additionally, disclosure of the information collected must be unlikely to reasonably place the individuals whose information was collected ―at risk of criminal or civil liability or be damaging to [their] financial standing, employability, or reputation.‖148 Note, however, that an exemption under this category means that the researcher is conducting an observation of public behavior.149 How can data mining on Facebook be an interaction if only an observation is taking place? This Article has identified an interaction as an action through which
141. Id. 142. Id.; see also Dale Carpenter, Institutional Review Boards, Regulatory Incentives, and Some Modest Proposals for Reform, 101 NW. U. L. REV. 687, 702 (2007) (―[R]esearchers will tend to conclude that their work is exempt more often than IRBs would.‖). 143. Carpenter, supra note 142, at 702. 144. Gatter, supra note 24, at 637. 145. See generally 45 C.F.R. § 46 (2010) (codifying the regulations concerning conduct of research with human subjects); 45 C.F.R. § 46.101(b) (2010) (listing the categories of research that are exempt); cf. Carpenter, supra note 142, at 702 (suggesting as a possible reform that social science researchers, and not IRBs, should be allowed to decide whether their own studies are exempt, but noting that it is not yet a reality). 146. 45 C.F.R. § 46.101(b) (2010). 147. 45 C.F.R. § 46.101(b)(2) (2010). 148. Id. 149. Id. No. 2] DATA MINING ON FACEBOOK 331 information is actively exchanged.150 A researcher who observes an individual‘s public behavior is receiving information passively, with no relationship established between the researcher and that individual.151 Alternatively, how can a researcher obtain identifiable, private information from a Facebook user if the information is collected through observation of public behavior? Perhaps the best explanation is that the act of posting information on a Facebook page is, in itself, public behavior, but the information that researchers actually collect is private. For example, although the general population can create a Facebook page and thus obtain a password to the site at large,152 the need to possess a password to access information on Facebook pages in theory excludes some people. Additionally, Facebook users can activate the available privacy settings to limit who is able to see their profile and allow, for example, only those who are on their Facebook friends list to be able to view the information they post.153 Furthermore, in order for data mining on Facebook to be exempt under the second enumerated category, the researcher must not record any identifying information, such as names.154 Unless researchers plan to follow certain individuals‘ behavior over time and need to record identifying information to do so, one-time data collection from a Facebook page should not require researchers to record individuals‘ identifying information. Additionally, disclosure of the recorded information must not put the individual at risk of criminal or civil liability, or be damaging to her financial standing, employability, or reputation.155 Data mining on Facebook may pose such risk when, for example, a researcher includes in a published article a direct quote from an individual‘s Facebook page.156 Anyone who reads that article could easily enter that quote into Google and learn in a matter of seconds both the identity of the research subject as well as other information about him.157 As long as a researcher states—prior to data collection—that he will only report aggregate findings, and will publish no specific details like direct quotes from a Facebook page, Facebook users are likely not at risk as a result of the researcher‘s data collection.158 If, however, the researcher cannot make such a promise, an exemption under category two is unlikely to be appropriate.
150. See supra Part II.B (discussing the meaning of ―interaction‖ as used in federal regulations governing research with human subjects). 151. See id. (discussing the interaction between researcher and Facebook user). 152. Facebook, http://www.facebook.com (last visited Sept. 21, 2010) (stating that Facebook is ―free and anyone can join‖). 153. Millier, supra note 105, at 544. 154. 45 C.F.R. § 46.101(b)(2)(i) (2010). 155. 45 C.F.R. § 46.101(b)(2)(ii) (2010). 156. Special Series on Internet Research Challenges: Recruiting Etiquette in Cyberspace is Different from Conventional Methods, IRB ADVISOR 13, Feb. 1, 2002, at 15. 157. Id. 158. See generally id. (discussing when and in what manner researchers should obtain informed consent from people before collecting their data from the Internet). 332 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010
2. Exemption of Data Mining on Facebook Under Category Four Data mining on Facebook could also be deemed exempt under the fourth category enumerated in the regulations, which exempts research ―involving the collection or study of existing data‖ as long as it is obtained from a publicly available source, or as long as the researcher records the information in such a way that subjects cannot be identified.159 While data mining on Facebook could be exempt under category two, IRBs will likely have an easier time justifying an exemption under the fourth category because the requirement that a researcher record data from a Facebook page in a way that subjects cannot be identified is an easy one to satisfy in this context.160 When applying for an exemption under category two, the researcher can readily acknowledge that the information he is collecting is private, identifiable information, and whether the information posted on Facebook is private is not an issue. As long as the researcher plans to record the information in a way that does not identify each individual, i.e. without names, identifying quotes from Facebook pages, or the like, an exemption under this category is appropriate. If the researcher needs to record identifying information to be able to follow subjects over time, he could argue that he is simply mining data from a publicly available source—the other way to receive an exemption under category four.161 Of course, if Facebook is a publicly available source, perhaps the research is not research with human subjects. The counterargument, however, is that while Facebook is a publicly available source, the information that is posted on Facebook is identifiable, private information. Thus, a designation of exemption would generally be appropriate for research involving data mining on Facebook.
B. Expedited Review of Data Mining on Facebook If an IRB were to determine that data mining on Facebook does not qualify for exemption, the research will most likely need to undergo expedited review, i.e. review by just one member of the committee,162 rather than full review. The term ―expedited‖ does not refer to the time that it should take for an IRB to review the research study, but instead refers to the level of risk that the study poses to participants.163 A study is entitled to expedited review if it poses minimal risk to participants, i.e. if ―the probability and magnitude of
159. 45 C.F.R. § 46.101(b)(4) (2010). 160. See 45 C.F.R. § 46.101(b)(2) (2010) (stating that ―[r]esearch involving the use of educational tests . . . survey procedures, interview procedures or observation of public behavior‖ is exempt from the HHS regulations governing research with human subjects); see also 45 C.F.R. § 46.101(b)(4) (2010) (stating that information ―recorded in such a manner that subjects cannot be identified‖ is exempt from the HHS regulations governing research with human subjects). 161. 45 C.F.R. § 46.101(b)(4) (2010). 162. 45 C.F.R. § 46.110(b) (2010) (stating that one member of the IRB may conduct an expedited review of research, but just one reviewer may not disapprove the research entirely). See 45 C.F.R. § 46.108(b) (2010) (requiring that a study not qualifying for an expedited review be reviewed at a meeting of the full committee, at which at least one non-scientist member is present). 163. See Institutional Review Board: Expedited Review, LOYOLA UNIV. CHI., http://www.luc.edu/irb/ irb_VIIIC.shtml (last visited Sept. 21, 2010) (explaining the extent of the expedited review process). No. 2] DATA MINING ON FACEBOOK 333 harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.‖164 In 1998, the OHRP identified nine categories of research that qualify for expedited review,165 and if an exemption is not appropriate, data mining on Facebook could be reviewed under category seven of the enumerated expedited review categories.166 Category seven permits expedited review for research on individual or group characteristics or behavior.167 Researchers mine data on Facebook specifically to analyze the characteristics or behavior of individuals.168 With respect to the level of risk that Facebook users incur when researchers collect data from them, Facebook statistics indicate that half of the several hundred million users log on to Facebook each day.169 Of these millions of Facebook users who log on every day, some are employers seeking information about job applicants,170 some are researchers,171 and some are people who are looking to communicate with friends.172 Thus, as long as the researcher does not plan to report any information that could identify an individual user, any risk to Facebook users that may result from a researcher collecting their information is no greater than the risk posed by the typical, daily use of Facebook.173 Expedited review of data mining on Facebook under category seven is therefore appropriate, although perhaps unnecessary and less preferable than a designation of an exemption. If data mining on Facebook qualifies for an exemption under category two or four, such a designation is more helpful to both IRBs and researchers than an approval following an expedited review.174 Exempt studies are exempt from further compliance with regulations governing research with human
164. 45 C.F.R. § 46.102(i) (2010). 165. Categories of Research That May Be Reviewed by the Institutional Review Board (IRB) Through an Expedited Review Procedure, DEP‘T OF HEALTH & HUMAN SERVICES, http://www.hhs.gov/ohrp/ humansubjects/guidance/expedited98.htm (last visited Sept. 21, 2010). 166. See id. (―Research on individual or group characteristics or behavior (including, but not limited to, research on perception, cognition, motivation, identity, language, communication, cultural beliefs or practices, and social behavior) or research employing survey, interview, oral history, focus group, program evaluation, human factors evaluation, or quality assurance methodologies.‖). 167. Id. 168. See Rosenbloom, supra note 2, at A1 (providing an overview of different ways academic researchers have been using Facebook). 169. Press Room: Statistics, supra note 3. 170. See supra text accompanying notes 123-26 for a discussion of employers who use Facebook to learn more about job applicants. 171. See Handuja & Patchin, supra note 12, at 126–27; Lewis et al., supra note 12, at 330; Thelwall et al., supra note 12, at 190; Rosenbloom, supra note 2, at A1; Thompson, supra note 12, at 956 (all discussing different researchers searching Facebook for research data). 172. Hodge, supra note 1, at 97. 173. See 45 C.F.R. § 46.102(i) (2010) (defining minimal risk as the proposition that ―the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests‖). 174. See 45 C.F.R. § 46.101(b)(2), (4) (2010) (listing exemptions for educational tests, survey procedures, interview procedures, public observations, and research using data from sources that are publicly available or in which the subjects cannot be identified based on the way in which the researcher recorded the preexisting data). 334 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 subjects.175 Thus, if data mining on Facebook is exempt, the IRB application need not address issues such as consent procedures because informed consent is not a requirement for exempt research (although it may be appropriate in certain instances).176 As a result, the IRB then need not review any consent documents.177 Even if research undergoing expedited review qualifies for a waiver of informed consent,178 the IRB must still review the waiver request and other relevant consent issues when conducting an expedited review.179 Thus, if the OHRP were to indicate in guidance documents that a designation of exemption is appropriate for at least most research studies involving data mining on Facebook, both the researcher and the IRB would benefit from this determination.
C. Full Review of Data Mining on Facebook If a study involving data mining on Facebook does not qualify for exemption or expedited review, the only remaining alternative is for the study to undergo full review.180 This means that the entire committee will review the study, rather than just one member of the IRB.181 However, full review is typically only required for research that involves greater than minimal risk.182 Given the relatively low risk that data mining studies generally pose,183 it would be a rare occasion when research involving data mining on Facebook would need to undergo full review. Thus, if data mining on Facebook involves human subjects and requires IRB review, an exemption under categories two or four, or expedited review, are likely the most appropriate types of review.
V. BENEFITS OF OHRP GUIDANCE DISCUSSING INTERNET RESEARCH AND DATA MINING ON SOCIAL NETWORKING SITES IRBs, researchers, and Internet users would benefit from OHRP guidance addressing IRB review of data mining on social networking sites like Facebook, or at a minimum, guidance discussing Internet research in general. Such guidance would eliminate confusion that IRBs and researchers may have about whether data mining on social networking sites involves human subjects. Furthermore, it would help protect these site users whose information is being
175. 45 C.F.R. § 46.101(b) (2010). 176. See 45 C.F.R. § 46.116(c)-(d) (2010) (listing exceptions to the informed consent requirement). 177. 45 C.F.R. § 46.117(c)(2) (2010). 178. See 45 C.F.R. § 46.116(c) (2010) (listing the situations in which a waiver of informed consent is permissible). 179. 45 C.F.R. § 46.110(b)(1) (2010). 180. See Review Categories: Exempt, Expedited, Full Board, NYU LANGONE MED. CENTER (describing review categories), http://irb.med.nyu.edu/forms-guidance-waivers/categories-review (last visited Sept. 21, 2010) (discussing the three categories of review). 181. Id. 182. See 45 C.F.R. § 46.101(b) (2010) (providing when a designation of exemption is appropriate); 45 C.F.R. § 46.110 (2010) (providing when expedited review procedures are permitted). Any research that does not meet the criteria for an exemption or expedited review must be reviewed by the full committee. 183. See supra text accompanying notes 162-73 (describing why using Facebook represents no greater risk than what that user would otherwise encounter in daily life). No. 2] DATA MINING ON FACEBOOK 335 collected for research purposes. Specifically, OHRP guidance addressing whether data mining on web sites like Facebook requires IRB review would help avoid IRB mission creep184 (or at a minimum, the perception of mission creep), improve efficiency in the IRB review process, eliminate unnecessary costs of IRB review, and avoid the consequences of non-compliant research.185 Although the benefits of OHRP guidance as discussed below address data mining on Facebook specifically, the same benefits would be realized through OHRP guidance relating to data mining on social networking sites in general, or even data mining on any web site on which individuals post information about themselves.
A. Avoid IRB Mission Creep One objective that OHRP guidance discussing IRB review of data mining on Facebook should address is avoiding IRB mission creep. A frequently cited white paper followed a 2005 conference at the University of Illinois devoted to the issue of mission creep. The authors define mission creep as ―a more and more expansive variety of cases needing to be reviewed, a consequently burgeoning workload, and an increasingly ambiguous set of criteria by which decisions must be made.‖186 The paper further identifies the causes of mission creep as ―rewarding wrong behaviors, such as focusing more on procedures and documentation than difficult ethical questions; unclear definitions, which lead to unclear responsibilities; efforts to comply with unwieldy federal requirements even when research is not federally funded; exaggerated precautions to protect against program shutdowns; and efforts to protect against lawsuits.‖187 It also discusses the need to stop IRB mission creep, and ways in which this goal may be accomplished.188 If data mining on Facebook is not research with human subjects but IRBs continue to mandate review of the research, IRB review of data mining on Facebook will be yet another example of mission creep. The issue of mission creep has been hotly debated by researchers, IRBs, and HHS officials alike, in particular with respect to whether certain types of research is human subjects research that requires IRB review.189 For example, many researchers contend that oral history research is not ―research‖ as the term is defined in the regulations.190 Research institutions also struggle with
184. See infra text accompanying note 186 (defining mission creep). 185. See infra Part IV.A-D. 186. C.K. Gunsalus et al., THE CTR. FOR ADVANCED STUDY, The Illinois White Paper: Improving the System for Protecting Human Subjects: Counteracting IRB “Mission Creep” 5 (2005), available at http://www.primr.org/uploadedFiles/PRIMR_Site_Home/Resource_Center/Articles/11.%20Illinois%20Whitep aper.pdf. 187. Id. at 2. 188. Id. at 12–23. 189. See Mary Ann Baily, Harming Through Protection?, 358 NEW ENG. J. MED. 768, 768 (2008) (―Currently, uncertainty about how the OHRP will interpret the term ‗human-subjects research‘ and apply the regulations in specific situations causes great concern among people engaged in data-guided activities in health care, since guessing wrong may result in bad publicity and severe sanctions.‖). 190. Linda Shopes, Forum on IRBs: Negotiating Institutional Review Boards, PERSP. ON HIST. (Mar. 2007), available at http://www.historians.org/perspectives/issues/2007/0703/0703vie1.cfm. 336 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 whether certain quality improvement studies satisfy the regulatory definition of ―research.‖191 IRB review of data mining on Facebook has not yet been deemed a result of IRB mission creep in the way that IRB review of oral history research or certain quality improvement projects has been. However, the increasing use of Facebook as a tool that researchers can use to gather data, the ambiguity of the term ―human subjects,‖192 and new university policies requiring IRB review of research involving data mining on Facebook193 could cause this type of research to become the next target of the crusaders against IRB mission creep. OHRP guidance advising IRBs whether data mining on Facebook likely requires IRB review could prevent this type of research from becoming such a target.
B. Improve Efficiency in the IRB Review Process The complexity of the IRB review process is another reason that OHRP guidance discussing IRB review of data mining on social networking sites is essential. The review process is complex for both the researcher and the IRB because federal regulations mandate that the researcher provide the IRB with specific, detailed information about the study, and that the IRB consider specific issues before it may approve the study.194 Furthermore, the IRB application and review process often becomes more complex as the type of review required becomes more stringent, i.e. applying for an exemption is less onerous than applying for expedited review or full review.195 Thus, OHRP guidance would help researchers in their quest to prepare the least complex, but still compliant, IRB application (if an application is in fact required), and would help IRBs conduct only necessary reviews.
1. Preparing and Reviewing an IRB Submission for a Study Involving Data Mining on Facebook The process of preparing an IRB application (often referred to as a ―protocol‖) for a study involving data mining on Facebook is no simple task. The researcher must identify or provide: (1) his research question; (2) the information that the researcher would collect from Facebook pages to answer the research question; (3) a description of how the researcher would access the Facebook pages from which he was collecting information; (4) a description of how he planned to record the data he collected, i.e. whether he would record names or other identifying information along with the other data; (5) a
191. See, e.g., Franklin G. Miller & Ezekiel J. Emanuel, Quality-Improvement Research and Informed Consent, 358 NEW ENG. J. MED. 765, 766 (2008) (discussing the Johns Hopkins ICU infection rate study that the OHRP determined in 2007 was not a quality improvement project, and did not qualify for an exemption). 192. See supra Part II for an analysis of this ambiguity. 193. See supra Part I.A (describing the policies at Indiana University, University of Massachusetts Boston, and Washington University regarding IRB review of studies involving data mining on Facebook). 194. Criteria for IRB Approval of Research, 45 C.F.R. § 46.111(2010) (2010) (detailing what issues the IRB must consider in its review, and in effect, what issues the researcher must address in his IRB application). 195. See To What Does this Policy Apply?, 45 C.F.R. § 46.101(b) (2010) (describing the requirements for exemption); see 45 C.F.R. § 46.110 (2010) (describing the requirements for expedited review). No. 2] DATA MINING ON FACEBOOK 337 description of where the data would be stored; and (6) if necessary, a copy of any consent documents that he planned to distribute, i.e. if he needed consent from each individual whose page he viewed.196 Federal regulations require an IRB that reviews a study involving data mining on Facebook to consider: (1) whether the study will minimize risks to the extent that it can; (2) whether the risks that the study poses to participants exist in proportion to the benefits; (3) whether the proposed subject selection process is equitable; (4) whether informed consent will be sought, and if so, whether it will be sought in an appropriate manner; and (5) whether data collection and storage will take place in such a way that subjects will be protected, and in particular, whether the privacy and confidentiality of subjects will be adequately protected.197 An IRB may only approve the research once it is satisfied that these requirements have been met,198 and the type of review that the research undergoes affects how intensely the IRB may consider some of these elements. For example, studies that are deemed exempt under federal regulations typically do not require the researcher to obtain informed consent from each individual from whom he collects information.199 If data mining on Facebook does not require IRB review because it is not research with human subjects, neither researchers nor IRBs must undergo this complex process. If this type of research is exempt, the review is less onerous for researchers and IRBs than if it must undergo expedited review.200 Therefore, if IRB review of research involving data mining on Facebook is required, it is essential that the research undergo the appropriate type of review to ensure that the IRB remains efficient in its practices.
C. Eliminate Unnecessary Use of IRB Resources The complexity of the IRB review process means that IRBs must devote significant resources to reviewing protocols submitted to the committee. If data mining on Facebook is not research with human subjects and therefore need not undergo IRB review, the IRB can conserve its resources for protocols that actually involve human subjects, and the IRB will benefit. Furthermore, it is not just the complexity of the IRB review process that requires devotion of significant resources to the review process. The sheer number of protocols that IRBs review each year, combined with the complexity of the IRB review process, means that it is even more important to determine whether IRB review of data mining on Facebook is really necessary. IRBs review anywhere from as many as several hundred protocols (or
196. See 45 C.F.R. § 46.111 (2010) (listing the criteria required for IRB review, thus indicating what researchers need to provide in their applications so that the IRB can conduct the correct type of review). 197. Id. 198. Id. 199. See 45 C.F.R. § 46.116 (2010) (listing the requirements for obtaining informed consent from research subjects). 200. See supra Part III.A-B (discussing the differences between a designation of exemption and expedited review). 338 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 fewer) to more than 700 new protocols per year.201 The University of Michigan Medical School‘s IRB, for example, reviews approximately 1,000 new protocols each year, in addition to the other types of IRB submissions that, per federal regulations, IRBs must review.202 It might cost academic medical centers more than one thousand dollars to conduct either a full review or an expedited review of a new study, with large institutions spending over one million dollars to operate the IRB as a whole on an annual basis.203 Adding protocols describing research involving data mining on Facebook to these IRBs‘ agendas will only increase the number of protocols that will be reviewed, thus consuming more financial resources than necessary if no IRB review for this type of research is required. Additionally, IRB administrative offices that employ staff members who process each IRB submission, communicate with researchers about the status of their protocols, document the discussions of each protocol at each IRB meeting, and perform other related responsibilities are generally understaffed.204 Thus, if already overworked staff members are asked to perform these tasks with respect to studies involving data mining on Facebook that really do not require IRB review, they will have even less time to devote to the studies that actually involve human subjects.205 Furthermore, if data mining on Facebook involves human subjects, the IRB must conduct the type of review required under the regulations, e.g., full review or expedited review, when it first reviews the protocol.206 If it neglects to do so, the IRB will have failed to comply with federal regulations governing research with human subjects.207 From a resource perspective, non-compliant review will ultimately necessitate a second review, which requires resources that would not have to be spent had the IRB initially complied with the
201. Jeremy Sugarman et al., The Cost of Institutional Review Boards in Academic Medical Centers, 352 NEW ENG. J. MED. 1825, 1825 (2005). 202. Tips for Getting Your IRB Application Approved, MICHIGAN CENTER FOR ORAL HEALTH RESEARCH, http://www2.dent.umich.edu/clinicalresearch/irb.html (last visited Sept. 21, 2010). These other types of submissions include annual reviews of studies that are in progress, adverse event reports, and study termination reports. Id. The number of these other types of submissions that University of Michigan reviews on an annual basis totals more than 4,000. Id. 203. See Sugarman et al., supra note 201, at 1826 tbl. 1 (―Estimated Median Costs of Institutional Review Boards at U.S. Medical Schools in 2002.‖). 204. See Todd H. Wagner et al., The Cost of Operating Institutional Review Boards (IRBs), 78 ACAD. MED. 638, 641 (2003) (describing government and private reports on administrative staffing in IRB offices). One study determined that IRBs have an average of 1.8 full time staff members supporting the committee (some institutions have more than one committee), and one committee oversaw on average more than 400 studies, with each employee managing on average 365 studies. See Raymond G. De Vries, What Do IRBs Look Like? What Kind of Support Do They Receive?, 9 ACCOUNTABILITY IN RES. 199, 211 (2002) (discussing support for IRBs); see also Dale Carpenter, Institutional Review Boards, Regulatory Incentives, and Some Modest Proposals for Reform, supra note 143, at 688 (―Some experts favor . . . larger budgets and staff for IRBs.‖). 205. See John H. Mueller, Ignorance is Neither Bliss nor Ethical, 101 NW. U. L. REV. 809, 822 (2007) (―Time taken from other truly productive activities is a hidden cost, unappreciated on campus perhaps, but a cost nonetheless.‖). 206. See 45 C.F.R. § 46.101(a) (2010) (noting that these regulations apply to all research involving human subjects, exempting from compliance only research that fits into one of the categories enumerated in 45 C.F.R. § 46.101(b)). 207. Id. No. 2] DATA MINING ON FACEBOOK 339 applicable regulations.208
D. Avoid Consequences of Non-Compliant Research One of the most important reasons for researchers, IRBs, and universities in general to know whether data mining on Facebook requires IRB review is to avoid the serious consequences that may result if this type of research requires IRB review and no such review is conducted, or if the type of review that is conducted, e.g. full review or expedited review, does not comply with the applicable federal regulations.
1. Litigation Resulting from Noncompliant IRB Review Imagine a situation where data mining on Facebook is research with human subjects and requires IRB review. The researcher who plans to mine data on Facebook either fails to submit a protocol for IRB review, or the IRB actually reviews a protocol but conducts the wrong type of review as required by the regulations (or worse, says no review is necessary when it in fact is). The researcher proceeds to collect data from Facebook and one of the individuals from whom he collects data is injured because the researcher improperly reveals some of the data collected from that individual‘s Facebook page.209 The university where the researcher is employed may then be the subject of a lawsuit because of the researcher or IRB‘s non-compliance with federal regulations governing research with human subjects.210 In 2000, for example, the University of Pennsylvania paid a settlement to the federal government of more than $500,000, 211 and settled a wrongful death lawsuit212 with the family of eighteen-year-old Jesse Gelsinger, who died while participating in a gene therapy trial at the University.213 The FDA noted that the IRB should have ―reviewed more carefully the prior animal studies and questioned the PI [Principal Investigator] about the three monkeys who died in the most recent test of the viral vector.‖214 In 2001, a Maryland Court of Appeals judge chastised a Johns Hopkins University-affiliated research institute because ―the IRB was willing to aid researchers in getting around
208. See infra text accompanying notes 228-32 (discussing Johns Hopkins‘s need to re-review certain studies to determine whether they really qualified for exemption). 209. See supra text accompanying notes 146-48 (providing an example of the type of injury that a Facebook user may incur as a result of a researcher mining data on Facebook). 210. See Brenda J. Russell, Research Compliance: Entering Phase II, 14 BAYLOR U. MED. CENTER PROC. 349, 349 (2001) (noting that failure to comply with regulations governing human subjects research has resulted in the suspension of research privileges for universities and has, in one case, resulted in a prison sentence for a researcher). 211. Marie McCullough, Penn Gene-Therapy Death Still Resonates, Years Later, PHILA. INQUIRER, May 8, 2009, at A20. 212. Penn Settles Suit on Genetic Test, N.Y. TIMES, Nov. 4, 2000, at A18. 213. Sheryl Gay Stolberg, Institute Restricted After Gene Therapy Death, N.Y. TIMES, May 25, 2000, at A20. 214. Barbara F. Mishkin & Monique V. Nolan, HEALTH LAW HANDBOOK 317–18 (Alice G. Gosfield ed. 2006). 340 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 federal regulations‖215 governing research with human subjects when it approved a lead abatement study that could have caused lead accumulation in otherwise healthy children‘s blood.216 Furthermore, it is not just the university that may be liable as a result of an IRB‘s faulty review. IRB members may find themselves as parties to litigation brought by injured research subjects, though it is unclear whether such plaintiffs will be successful in their suits.217 In Robertson v. McGee, melanoma vaccine study subjects sued, among others, twelve members of the IRB at the University of Oklahoma Health Sciences Center.218 They argued that the IRB members‘ noncompliance with 45 C.F.R. § 46 caused their injuries;219 however, the case was ultimately dismissed for reasons unrelated to its merits.220 A Facebook user‘s injury is unlikely to be physical, unlike in the University of Pennsylvania and Johns Hopkins University cases, but the Facebook user could suffer emotional injury, psychological injury, or economic injury if a researcher were to improperly reveal that user‘s personal information. Thus, an IRB‘s failure to review a study involving data mining on Facebook in compliance with federal regulations, if such review is in fact required, could cost the university substantial sums of money in legal fees and settlement, not to mention the bad publicity that the university would receive as a result of such an injury.221 To avoid these consequences, the IRB should perform the correct type of review before the research even begins.
2. Compliance Oversight Determination Letters If a university‘s IRB fails to conduct the necessary review of research involving data mining on Facebook, such non-compliance also invites the OHRP, and not just the injured party, to impose serious consequences upon the research institutions.222 The OHRP may suspend all research with human subjects being conducted at the university, and not just the one study in question, for a period of time if an IRB or a researcher fails to comply with federal regulations.223 No research subjects need to die or become seriously
215. Grimes v. Kennedy Krieger Inst., Inc., 782 A.2d 807, 814 (Md. 2001). 216. Id. at 813. 217. See Mishkin & Nolan, supra note 214 (stating that the IRBs ―should have reviewed more carefully the prior animal studies and questioned the PI about the three monkeys who died in the most recent test of the viral vector‖). 218. Robertson v. McGee, No. 01-CV-60-C, 2002 U.S. Dist. LEXIS 4072, at *4 (N.D. Okla. Jan. 28, 2002), cited in Sharona Hoffman & Jessica Wilen Berg, The Suitability of IRB Liability, 67 U. PITT. L.R. 365, 383 (2005). 219. Id. 220. Hoffman & Berg, supra note 218, at 384. 221. The Jesse Gelsinger case is an often-discussed case of clinical research gone wrong, at least in part due to the media frenzy surrounding the young man‘s death. Rebecca Dresser, First-in-Human Trial Participants: Not a Vulnerable Population, but Vulnerable Nonetheless, 37 J.L. MED. & ETHICS 38, 38 (2009); Gary E. Marchant et al., What Does the History of Technology Regulation Teach Us About Nano Oversight?, 37 J.L. MED. & ETHICS 724, 725 (2009). 222. See supra Part IV.D.1 (discussing recourse for research subject injured as a part of non-compliant research). 223. See OHRP, Compliance Oversight, http://www.hhs.gov/ohrp/compliance/ (last visited September No. 2] DATA MINING ON FACEBOOK 341 injured for the OHRP to impose such penalties on universities, so noncompliant review of low-risk research like research involving data mining on Facebook will not necessarily be spared from these consequences.224 There are, in fact, a number of situations in which the OHRP has imposed consequences of some sort on a university‘s research program where non- compliance with federal regulations occurred but no one died, or was even injured. In 2000, the Office for the Protection from Research Risks (now the OHRP) required Virginia Commonwealth University (VCU) to cease all research involving human subjects for a number of months while it revised its IRB policies and procedures.225 The government imposed this consequence after it determined that a researcher was using noncompliant consent procedures in a research study where subjects were asked to respond to survey questions.226 It may seem surprising that the OHRP would be willing to suspend a university‘s research program even when no individual is physically harmed, but the VCU violation indicates that OHRP may impose sanctions regardless of the type of injury.227 In July 2007, the OHRP notified Johns Hopkins University that one of its federally-funded research studies ―represented non-exempt human subjects research that was conducted without appropriate IRB review and approval, in contravention of HHS regulations at 45 CFR 46.103(b) and 109(a).‖228 The research involved developing a checklist for hospital personnel to use to reduce patient infection rates while in the intensive care unit.229 In response to the OHRP, the University suspended all activities related to that particular research project pending compliant IRB review because the IRB exempted a study that the OHRP decided was not exempt. 230 The Hopkins incident is an important one because the principal issue was that the IRB had determined that the study was exempt, and more like a quality improvement project rather than research.231 Thus, the incident has increased dialogue regarding the differences between quality improvement studies and research,232 and likely
21, 2010) (providing that the OHRP may require ―corrective action‖ in the event of non-compliance). 224. J. Michael Oakes, Risks and Wrongs in Social Science Research: An Evaluator’s Guide to the IRB, 26 EVALUATION REV. 443, 450–51 (2002). 225. Jeffrey R. Botkin, Protecting the Privacy of Family Members in Survey and Pedigree Research, JAMA, Jan. 10, 2001, at 207. 226. Id. 227. DANIEL D. FEDERMAN ET AL., RESPONSIBLE RESEARCH: A SYSTEMS APPROACH TO PROTECTING RESEARCH PARTICIPANTS (National Academies Press, 2003). 228. Letter from Kristina C. Borror, Dir. of the Div. of Compliance Oversight, Office for Human Research Protections, to Daniel E. Ford, Vice Dean for Clinical Investigation, Johns Hopkins Univ. School of Medi., Donald M. Steinwachs, Inst. Official, Johns Hopkins Bloomberg School of Pub. Health & Eaton E. Lattman, Dean for Research, Johns Hopkins Univ. (July 19, 2007) (http://www.hhs.gov/ohrp/detrm_letrs/ YR07/jul07d.pdf). 229. Id. 230. Letter from Kristina C. Borror, Dir. of the Div. of Compliance Oversight, Office for Human Research Protections, to Daniel E. Ford, Vice Dean for Clinical Investigation, Johns Hopkins Univ. School of Med., Donald M. Steinwachs, Inst. Official, Johns Hopkins Bloomberg School of Pub. Health, & Eaton E. Lattman, Dean for Research, Johns Hopkins Univ. (Nov. 6, 2007) (http://www.hhs.gov/ohrp/detrm_letrs/ YR07/nov07c.pdf). 231. Miller & Emanuel, supra note 191, at 766. 232. See id. (evaluating the OHRP investigation of the John Hopkins University research project from an ethical and regulatory perspective). 342 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010 has alerted other university IRBs to be very careful about deciding that a study is quality improvement, rather than research requiring IRB review. Thus, a university‘s failure to provide any or adequate IRB review nonetheless places universities at risk of government censure and civil litigation. Research institutions need to assure that research involving data mining is conducted in accordance with federal regulations, as the OHRP will penalize universities for non-compliance in both biomedical and behavioral research, even if the research is seemingly low-risk and no physical injuries to subjects, i.e. Facebook users, may result.233
VI. CONCLUSION Unfortunately, and somewhat surprisingly, the OHRP has not issued guidance that addresses data collection on the Internet in general, let alone guidance specifically relating to the issue of data mining on social networking sites.234 Since at least 2002, researchers and IRBs have been aware of the privacy implications associated with data mining on the Internet, and have been especially concerned about people‘s lack of awareness regarding the accessibility of their information that is online.235 Because Facebook users should generally have limited expectations of privacy with respect to any information they post on their Facebook pages, most research studies involving data mining on Facebook should not require IRB review, not even to deem the project exempt. The Internet is a public space, and even with the password protections, security settings, and strict contractual terms of use that Facebook offers, Facebook users ultimately assume the risk that information posted on the Internet, and particularly on a social networking site, may become publicly available. Of course, this conclusion is a general one, and may be inapplicable depending on how the researcher plans to collect information from a Facebook page. For example, if the researcher actively contacts a Facebook user to seek permission to collect his data, that communication may constitute an interaction, and thus, human subjects may be involved at that point. However, given the ambiguity of the federal regulations governing human subjects research regarding the true meaning of an interaction and of private information, the OHRP should issue guidance documents specifically addressing Internet research, and in particular, data mining on the Internet. Questions about the proper conduct of Internet research have existed for a number of years now.236 Furthermore, universities and researchers alike face
233. See 45 C.F.R. § 46.123 (2010) (stating that agency support can be rescinded for failure to comply with the applicable regulations). 234. See OFFICE FOR HUMAN RESOURCE PROTECTIONS, Policy Guidance, http://www.hhs.gov/ohrp/ policy/ (last visited Sep 21, 2010) (listing and providing links to the guidance documents currently in effect). 235. “Virtual” Human Subjects Need Just as Much Privacy as Conventional Subjects, 2 IRB ADVISOR 1, 2 (2002). 236. Id.; see, e.g., Internet Research Raises Unique Ethical Concerns for IRBs, IRB ADVISOR, Mar. 1, 2008; Nora Jacobson et al., Disclosure of Information to Potential Subjects on Research Recruitment Web Sites, IRB: ETHICS & HUMAN RESEARCH, Jan.–Feb. 2008, at 15; Heidi E. Ehrenberger, The E-Recruitment of No. 2] DATA MINING ON FACEBOOK 343 serious consequences if they misinterpret the regulations and provide no review or inadequate review of the research. Conversely, IRB review requires a significant investment of time and other resources on the part of the IRB and the researcher.237 Thus, the OHRP should indicate to researchers and IRBs whether data mining on Facebook involves human subjects, and if so, what type of review might be appropriate. If the OHRP issues such guidance, IRBs can then assure that they are reviewing this type of research if such review is required, and are thus acting in compliance with federal regulations governing research with human subjects. Furthermore, IRBs can conduct the types of reviews that the OHRP deems appropriate. IRBs would then need not be concerned that they are designating research exempt that is not exempt, for example, or that they are conducting full reviews when either an exemption or expedited review is all that is required. If data mining on Facebook does not involve human subjects, IRBs will also know, based on OHRP guidance, that they can devote their time and other resources to reviewing other types of studies. Thus, to ensure efficient conduct of research and compliance on the part of researchers and IRBs, OHRP guidance documents addressing data mining on Facebook are essential.
Participants for Clinical Trials, IRB: ETHICS & HUMAN RESEARCH, July-Aug. 2002, at 16, 16–17. 237. See generally, 45 C.F.R. § 46.109 (2010) (outlining the HHS regulations governing IRB review of research).