Applying Ethical Principles to Information and Communication Technology Research A Companion to the Menlo Report October 2013 Applying Ethical Principles to Information and Communication Technology Research: A Companion to the Department of Homeland Security Menlo Report January 3, 2012 1 2 Authors This Companion document was inspired by discussions in the Menlo Report working group meetings held over a period of sixteen months. The authors of this Companion document and the Menlo Working Group participants are listed below. Michael Bailey, University of Michigan • Aaron Burstein, University of California Berkeley • KC Claffy, CAIDA, University of California San Diego • Shari Clayman, DHS Science & Technology • David Dittrich, University of Washington, Co-Lead Author • John Heidemann, University of California, ISI • Erin Kenneally, CAIDA, University of California San Diego, Co-Lead Author • Douglas Maughan, DHS Science & Technology • Jenny McNeill, SRI International • Peter Neumann, SRI International • Charlotte Scheper, RTI International • Lee Tien, Electronic Frontier Foundation • Christos Papadopoulos, Colorado State University • Wendy Visscher, RTI International • Jody Westby, Global Cyber Risk, LLC • 3 Contents A Introduction 4 A.1 Historical Basis for Human Subjects Research Protections ............. 4 A.2 Motivations for Ethical Guidelines in the ICTR Context ............... 5 A.3 The Characteristics of ICTR and Implications for Human Subjects Protection ... 5 B Relationship of the Menlo Principles to the Original Belmont Principles 8 B.1 Respect for Persons .................................. 8 B.2 Beneficence ...................................... 10 B.3 Justice ......................................... 11 B.4 Respect for Law and Public Interest ......................... 11 C Application of the Menlo Principles 12 C.1 Respect for Persons .................................. 12 C.1.1 Identification of Stakeholders ........................ 12 C.1.2 Informed Consent ............................... 13 C.2 Beneficence ...................................... 14 C.2.1 Identification of Potential Harms ....................... 15 C.2.2 Identification of Potential Benefits ...................... 17 C.2.3 Balancing Risks and Benefits ........................ 17 C.2.4 Mitigation of Realized Harms ........................ 18 C.3 Justice ......................................... 19 C.3.1 Fairness and Equity .............................. 20 C.4 Respect for Law and Public Interest ......................... 20 C.4.1 Compliance .................................. 21 C.4.2 Transparency and Accountability ...................... 21 D Synthetic Case Study 23 E Conclusion 25 F Appendices 25 F.1 Example Ethical Codes and Standards ........................ 25 F.2 Examples of Relevant U.S. Laws and Guidelines .................. 27 F.3 Examples of Relevant Foreign and International Laws and Guidelines ....... 27 F.4 Example Case Studies ................................. 28 G Acknowledgments 34 Bibliography 34 4 A Introduction Researchers are faced with time-driven competitive pressures to research and publish, to achieve tenure, and to deliver on grant funding proposals. That ethical considerations can be incongruent with these incentives is neither novel nor unique to information and communication technology (ICT) [55] research. Those conducting ICT research (ICTR) do, however, face a different breed of tensions that can impact research ethics risks. Unfortunately, institutionalized guidance on the protection of research subjects has not kept pace with the rapid transformations in information technology and infrastructure that have catalyzed changes in research substance and mechanics. The Menlo Report [17] summarizes a set of basic principles to guide the identification and res­ olution of ethical issues in research about or involving ICT. It illuminates a need to interpret and extend traditional ethical principles to enable ICT researchers and oversight entities to appropri­ ately and consistently assess and render ethically defensible research. The framework it proposes can support current and potential institutional mechanisms that are well served to implement and enforce these principles, such as a research ethics board (REB). This document is a living complement to the Menlo Report that details the principles and applications more granularly and illustrates their implementation in real and synthetic case studies. A.1 Historical Basis for Human Subjects Research Protections One of the watershed events that focused widespread attention on research ethics was the Nurem­ berg Doctors Trial following World War II which revealed the forced medical experimentation on Nazi-held prisoners of war throughout Europe. It motivated the 1947 Nuremberg Code which was unprecedented in its call for informed consent and voluntary participation in research experiments. Seven years later, the renowned Declaration of Helsinki was initially drafted by the Medical Ethics Committee of the World Medical Association and later adopted in 1964. It addresses issues with research protocols involving humans in terms of risks and benefits, informed consent, and qualifi­ cations of researchers, and informed a set of international standards that apply to clinical research known as Good Clinical Practices (GCP). There are now over one thousand laws, regulations, and guidelines worldwide that protect human subjects of research [45]. In the United States, one of the most infamous biomedical research abuse cases involved ex­ periments on low income African-American males in Tuskegee, Alabama. Commencing in 1932, these studies continued for decades until revealed to the public in 1972. Subjects were purposefully infected with syphilis, or penicillin was not administered to men diagnosed with syphilis despite the widespread knowledge obtained in the 1940s that the drug was an effective treatment. Doctors wanted to observe the longitudinal effects of the disease on patients up until their deaths. In 2010, the United States Government apologized for sponsoring similar experiments on Guatemalan cit­ izens – with the cooperation of health officials in Guatemala – from 1946 to 1948. Lesser known research abuses, such as injecting cancer cells into live patients and performing experimental sur­ gical procedures on patients without their knowledge or consent (often injurious to the point of death) have made their way into the press and the courts [52]. The U.S. formally responded to these research abuses by passing the National Research Act in 1974, which created the National Commission for the Protection of Human Subjects of Biomed­ ical and Behavioral Research. In 1979 (decades after the Nuremberg Code and the Declaration of Helsinki) the National Commission prepared a document known colloquially as the Belmont Report. Its constructs were formally implemented in Federal regulation in 1981 by the Depart­ 5 ment of Health and Human Services (45 CFR Part 46) and the Food and Drug Administration (21 CFR Part 50 and 56). These regulations define requirements for research involving human subjects that apply to individual researchers and their institutions. They also established the requirements for Institutional Review Board (IRB)1 oversight for entities conducting federally-funded research involving human subjects. In 1991, part of the regulation (45 CFR 46 Subpart A) was adopted by fifteen other U. S. federal departments and agencies in their respective regulations in what is known as the Common Rule. A.2 Motivations for Ethical Guidelines in the ICTR Context The rich field of Ethics offers mechanisms to consistently and coherently reason about specific issues, but those need to be extended and coalesced into a practical framework for ICTR. Manifold codes of conduct and ethical guidelines are available from professional organizations and societies, many of which are familiar to ICT researchers (see Appendix F.1). In aggregate they offer a solid conceptual foundation for ethical research but individually fall short of providing complete, pragmatic and applied guidance guidance in preparing research protocols or evaluating ethical issues in ICTR. Moreover, relative to our institutionalized and socially internalized understanding of harm re­ lated to physical interactions with human subjects, our abilities to qualitatively and quantitatively assess and balance harms and benefits in ICTR are immature. To illustrate, while there is no direct analog between biomedical and ICTR abuses it is possible to compare physical versus cyber (i.e., virtual) environments along two dimensions: the impact of harm resulting from research activities and the conditions necessary for that harm to occur. For example, in biomedical research the researcher may wish to draw blood from a subject to study the effect of an experimental drug. This requires that the subject is physically present in the research lab and that he manifests consent by signing a written form. The number of subjects is typically on the order of hundreds or thousands and the research proceeds at human speeds (i.e., the time necessary to explain the research protocol, read and sign the consent form, draw the blood, etc.). Quantitatively, the risk is often proportional to the number of subjects involved, meaning that it able to be bounded to the research subjects themselves. With computer security research, however, millions of computers and an equal or lower number of humans using those computers may be implicated as the subject of research, whether directly