YES people take this seriously [LWN.net]

YES people take this seriously

Posted May 11, 2021 6:24 UTC (Tue) by epa (subscriber, #39769)
In reply to: YES people take this seriously by david.a.wheeler
Parent article: The TAB report on the UMN affair

I very much care about being experimented on. I'm just questioning whether a duff patch submission, or an April Fool's joke, or an advertisement placed in the press to see who's interested, are really on the same ethical scale as actual "experiments on humans" involving medicines, or surgery, or real world deception. By conflating the two and and trying to escalate this rather trivial timewasting into a serious ethics breach, I think people are trivializing the very serious matters that the Nuremberg Code, Belmont Report and so on are addressing.

I think penetration testing and test social engineering attacks are fairly common practice, and they don't have the consent of those who are being tested, not of the individual employees at least. My workplace regularly sends deliberately false messages as a phishing test to see who clicks on them. It's annoying, but I would not try to place it on the same ethical scale as administering drugs to employees without their consent, or deliberately depriving them of sleep to see what happens.

to post comments

YES people take this seriously

Posted May 11, 2021 6:56 UTC (Tue) by amacater (subscriber, #790) [Link]

If your workplace regularly sends fake phishing emails to see who clicks:
1. It will have been signed off by somebody senior at some stage that this is appropriate.
2. It will be an authorised exercise.
3. It's probably a condition of employment that, if you're at work/using work systems then you are taken to have consented to terms of appropriate use of the system. You probably have signed up to terms of use at some point/had them pointed out to you.
4. That set of terms will permit login/security monitoring if appropriate.

If 1 and 2 don't apply, then somebody else is in breach of 3 and 4 :) If none of these
apply, you're in a similar position to the kernel devs. here.

The UMN researchers may have been unknowing/careless at best: devious and exploitative at worst. Their IRB may have been on the ball and questioned everything they saw before allowing it or they may have been unsighted/misled/not understood the scope of the work. The combined effect was that their actions impacted a bunch of third party developers, caused work, created a degree of mayhem. That's not OK.

A bunch of far smarter people than I am can argue the exact cost and harm but it's left a sour taste in the mouth for major kernel developers who are the people I rely on to provide me reliability and security every time I start my machine.