
YES people take this seriously

Posted May 8, 2021 16:30 UTC (Sat) by david.a.wheeler (subscriber, #72896)
In reply to: The TAB report on the UMN affair by epa
Parent article: The TAB report on the UMN affair

Short answer, YES. People DO take this seriously. You may not care if you're experimented on without your consent, but other people do care very much. As soon as you do experiments in the US, there are a number of rules and guidelines that are required, once humans are subjects. It can be drugs, it can be behavioral research, whatever, it doesn't matter.

The key in the US is the Belmont Report: Ethical Principles and Guidelines for Protection of Human Subjects of Biomedical and Behavioral Research (1979), which says, “Respect for persons requires that [experimental] subjects... be given the opportunity to choose what shall or shall not happen to them… the importance of informed consent is unquestioned... the consent process [contains] information, comprehension and voluntariness [and generally includes the opportunity to] withdraw at any time from the research.” The Belmont Report is widely cited in the US as an ethical framework; it's the basis for the "Common Rule" required by US government agencies for federally-funded research.

A follow-on report, the Menlo Report (2012), was published by the U.S. Department of Homeland Security Science & Technology Directorate, Cyber Security Division, and outlines an ethical framework specifically for research involving Information and Communications Technologies (ICT). The Menlo Report adapted the original Belmont Report principles (Respect for Persons, Beneficence, and Justice) to the context of cybersecurity research & development, as well as adding a fourth principle, "Respect for Law and Public Interest." A companion report to the Menlo report provides case studies. Note that the Menlo report, since it built on the Belmont Report, also strongly emphasized the need for informed consent.

The IEEE released a statement that the paper "did not follow [ethical] guidelines". That's pretty harsh stuff in this space.

The good news is that UMN has agreed that this was a mistake. The paper's been withdrawn, and they're working to prevent recurrence. So while this affair was unfortunate, I think it's on its road to resolution.


YES people take this seriously

Posted May 11, 2021 6:24 UTC (Tue) by epa (subscriber, #39769) [Link] (1 responses)

I very much care about being experimented on. I'm just questioning whether a duff patch submission, or an April Fool's joke, or an advertisement placed in the press to see who's interested, are really on the same ethical scale as actual "experiments on humans" involving medicines, or surgery, or real-world deception. By conflating the two and trying to escalate this rather trivial timewasting into a serious ethics breach, I think people are trivializing the very serious matters that the Nuremberg Code, Belmont Report and so on are addressing.

I think penetration testing and test social engineering attacks are fairly common practice, and they don't have the consent of those who are being tested, not of the individual employees at least. My workplace regularly sends deliberately false messages as a phishing test to see who clicks on them. It's annoying, but I would not try to place it on the same ethical scale as administering drugs to employees without their consent, or deliberately depriving them of sleep to see what happens.

YES people take this seriously

Posted May 11, 2021 6:56 UTC (Tue) by amacater (subscriber, #790) [Link]

If your workplace regularly sends fake phishing emails to see who clicks:
1. It will have been signed off by somebody senior at some stage that this is appropriate.
2. It will be an authorised exercise.
3. It's probably a condition of employment that, if you're at work/using work systems then you are taken to have consented to terms of appropriate use of the system. You probably have signed up to terms of use at some point/had them pointed out to you.
4. That set of terms will permit login/security monitoring if appropriate.

If 1 and 2 don't apply, then somebody else is in breach of 3 and 4 :) If none of these apply, you're in a similar position to the kernel devs here.

The UMN researchers may have been unknowing/careless at best, devious and exploitative at worst. Their IRB may have been on the ball and questioned everything they saw before allowing it, or they may have been unsighted/misled/not understood the scope of the work. The combined effect was that their actions impacted a bunch of third-party developers, caused work, and created a degree of mayhem. That's not OK.

A bunch of far smarter people than I am can argue the exact cost and harm, but it's left a sour taste in the mouth for major kernel developers, who are the people I rely on to provide me reliability and security every time I start my machine.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds