Computer underground Digest Tue Jul 11, 1995 Volume 7 : Issue 58 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@MVS.CSO.NIU.EDU Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Field Agent Extraordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson la Triviata: Which wine goes best with Unix? CONTENTS, #7.58 (Tue, Jul 11, 1995) File 1--The Ethical Lapses of the Carnegie Mellon "Cyberporn" Study File 2--Cu Digest Header Info (unchanged since 19 Apr, 1995) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Tue, 11 Jul 1995 18:07:12 -0500 From: jthomas@SUN.SOCI.NIU.EDU(Jim Thomas) Subject: File 1--The Ethical Lapses of the Carnegie Mellon "Cyberporn" Study THE ETHICS OF CARNEGIE MELLON'S "CYBER-PORN" STUDY Jim Thomas Department of Sociology Northern Illinois University (July 10, 1995) It's unfortunate that there are some researchers, even prestigious ones, who fail to recognize that the same ethical principles that apply to off-line research apply on-line as well. Conventions that prohibit deception, invasion of privacy, placing human subjects at risk, and possible fraudulent data gathering are not considered a normal part of research. It is especially sad when a research study carrying the name of a prestigious national university errs so egregiously as occured in the Carnegie Mellon study of "Net pornography." The Carnegie Mellon study was published in the Georgetown Law Journal (Vol. 83, 1995: pp 1839-1934) and featured as the cover story of Time Magazine (July 3, 1995; See CuD 7.56). The primary focus of the study was an analysis of the text descriptions from adult BBSes specializing in erotica, and a secondary focus was on Usenet erotica files from the alt.binaries hierarchy. The intellectual substance of the study has been convincingly discredited (see the Hoffman/Novak critique at http://www2000.ogsm.vanderbilt.edu). However, the ethics of the study have not yet fully been addressed. Because of the implications of the ethical violations for cyberspace, and because the violations occured in the name of Carnegie Mellon University (CMU), the implications cannot go unaddressed. PART I: CONVENTIONAL ETHICAL GUIDELINES It seems indisputable that the study to which Carnegie Mellon University lends its name and its credibility contains disturbing ethical lapses. These lapses seem sufficiently serious that they should be of concern to both the CMU administration and to social scientists and computer professionals elsewhere. If the methodology of the study is correct as described in the GLJ article, and if the medias' reporting of the comments of the study's principal investigator are accurate, then the Carnegie Mellon study violates fundamental canons against deceptive data gathering, informed consent, and revelation of potentially harmful information. Federal guidelines (eg, The Belmont Report, 1979; Federal Register (Part II): Federal Policy for the Protection of Human Subjects; Notices and Rules, 1991) provide a boiler plate model followed by state institutions in establishing principles and policies that ought be followed by all researchers, whether funded or non-funded, who conduct research under the university's name. The wording of Northern Illinois University's (NIU) Graduate School Office of Research Compliance guidelines is fairly standard: I. ETHICAL PRINCIPLES A. This institution is guided by the ethical principles regarding all research involving humans as subjects, as set forth in the report of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (entitled: _Ethical Principles and Guidelines for the Protection of Human Subjects of Research_ ((the "Belmont Report"))), REGARDLESS OF WHETHER THE RESEARCH IS SUBJECT TO FEDERAL REGULATION, OR WITH WHOM CONDUCTED, OR SOURCE OF SUPPORT (I.E., SPONSORSHIP). (emphasis added--jt) Unlike Federal or institutional rules, the Belmont Report (BR) specifies three broad principles (rather than explicit rules) to guide research. 1) RESPECT FOR PERSONS. Respect for persons incorporates at least two ethical convictions: first, that individuals should be treated as autonomous agents, and second, that persons with diminished autonomy are entitled to protection (BR: 4). Although intended primarily to protect from abuse those persons not fully capable of making an informed decision to participate in research (eg, the mentally disabled or institutionalized persons), respect for persons extends to others, and includes providing adequate information about the research: In most cases of research involving human subjects, respect for persons demands that subjects enter into the research voluntarily and with adequate information (BR: 4). 2) BENEFICENCE: This principle extends the Hippocratic maxim of "do no harm" to the ethical obligations of a researcher: Persons are treated in an ethical manner not only by respecting their decisions and by protecting them from harm, but also by making efforts to secure their well-being. Such treatment falls under the principle of beneficence. The term "beneficence" is often understood to cover acts of kindness or charity that go beyond strict obligation. In this document, beneficence is understood in a strong sense, as an obligation. Two general rules have been formulated as complementary expressions of beneficent actions in this sense: (1) do not harm and (2) maximize possible benefits and minimize possible harms (BR: 4). The principle of beneficence assumes that scholars will carefully think through the implications of their research, especially in sensitive topics where the subjects could be placed in physical, social, or legal jeopardy. 3) JUSTICE: The principle of justice centers on "who ought to receive the benefits of research and bear its burdens" (BR: 5). The Belmont Report conceptualizes the principle of justice as placing an obligation on the researcher to assess the distribution of "fairness" toward the research subjects and social interests. HOW SHOULD THESE PRINCIPLES BE APPLIED? The Belmont Report identifies several ways by which the principles of respect for persons, beneficence, and justice can be implemented. One way is INFORMED CONSENT: While the importance of informed consent is unquestioned, controversy prevails over the nature and possibility of an informed consent. Nonetheless, there is widespread agreement that the consent process can be analyzed as containing three elements: information, comprehension, and voluntariness (p. 5). INFORMATION: Most codes of research establish specific items for disclosure intended to assure that subjects are given sufficient information. These items generally include: the research procedure, their purposes, risks and anticipated benefits, alternative procedures (where therapy is involved), and a statement offering the subject the opportunity to ask questions and to withdraw at any time from the research (BR: 5). COMPREHENSION Another way to implement the Belmont Report principles is by assuring that research subjects comprehend the information and understand what they are consenting to: The manner and context in which information is conveyed is as important as the information itself. For example, presenting information in a disorganized and rapid fashion, allowing too little time for consideration or curtailing opportunities for questioning, all may adversely affect a subject's ability to make an informed choice (BR: 6). VOLUNTARINESS Finally, the Belmont Report principles can be implemented only if the subjects give consent voluntarily: This element of informed consent requires conditions free of coercion and undue influence. Coercion occurs when an overt threat of harm is intentionally presented by one person to another in order to obtain compliance. Undue influence, by contrast, occurs through an offer of an excessive, unwarranted, inappropriate or improper reward or other overture in order to obtain compliance (BR: 6). The spirit and letter of the Belmont report is explicitly and unequivocally clear: 1. Researchers are ethically bound to protect their subjects from potential risks or unnecessary harm. 2. Researchers are ethically bound to obtain consent from their research subjects 3. Researchers are ethically obligated to inform their subjects of the nature of the study and potential risks 4. Deception or other trickery employed to manipulate subjects into participating in research is a fundamental violation of the Belmont Report principles. WHAT IS HUMAN SUBJECTS RESEARCH? Professional societies such as the APA (American Psychological Association) and ASA (American Sociological Association) provide ethical guidelines shaped by Federal, institutional, and other sources. Federal guidelines found in the Federal Register (e.g., "Federal Policy for the Protection of Human Subjects; Notices and Rules" (FP)) specify a number of reasonable explicit rules. Violations of these rules place a research project or an institution in non-compliance with Federally and other mandated ethical standards. The term "research" refers to "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge" (FP 102(d)). (f) _Human Subject_ means a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information....INTERACTION includes communication or interpersonal contact between investigator and subject. "Private information" includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects (FP, 102(f)(2). Institutions that receive federal research funds, including private ones, are required to implement procedures to assure compliance with Federal guidelines: (a) Each institution engaged in research which is covered by this policy and which is conducted or supported by a federal department or agency shall provide written assurance satisfactory to the department or agency head that it will comply with the requirements set forth in this policy (FP: 103(a)). There are some exceptions to the review requirement for human subjects, such as when conducting general educational tests or surveys, engaging in policy evaluation, or gathering data that is either public. Federal guidelines also specifically and unequivocally require informed consent (FP: 116): Except as provided elsewhere in this policy, no investigator may involve a human being as a subject in research covered by this policy unless the investigator has obtained the legally effective informed consent of the subject or the subject's legally authorized representative. The exceptions include the type of research exempted from human subjects review. The elements of informed consent include a) identification of the research project, and the purposes, duration, and procedures to be followed; 2) A description of foreseeable risks or discomforts; 3) A description of benefits to the subject; 4) A description of the extent to which confidentiality of records identifying the subject will be maintained. SUMMARY Human subjects research guidelines defining and mandating ethical pre/proscriptions function as more than regulations to which institutional recipients of federal grants must adhere. They also establish explicit conventions recognized by professionals as the minimal model of ethics for identifying subjects, acquiring data, protecting subjects' privacy and other legitimate interests, and writing or disseminating final results to the public. That the Carnegie Mellon study may not be required by law to comply with accepted guidelines for their "pornography study" is irrelevant. It is clear that the study is intended as "research," that it involves human subjects (BBS sysops) with whom "interaction" occurred as defined by accepted guidelines, and that this interaction occurred for the express purpose of gathering sensitive data. One irony of the Carnegie Mellon study is that while professing to contribute to the national legislative and policy debate on morality and ethics, Carnegie Mellon identifies with, and thus would condone, a research project that raises fundamental ethical questions. PART II: THE ETHICAL PROBLEMS SIMPLY STATED When Laud Humphries published _Tea Room Trade_ over two decades ago, he drew unprecedented criticism from social scientists for the ethics of his study of gay culture and lifestyles. Humphries developed an innovative method to identify subjects and gather data. First, he hung out in truckstop restrooms and watched for gay sexual activity, on occasion even serving as "lookout" for the participants. Then, he recorded the automobile license numbers of the participants as they left the area. From the licenses, He obtained the names and addresses of the gay participants and, after many months, contacted them as if they were randomly selected for an unrelated sociological study. His follow-up data, gathered under the guise of another topic, was in fact intended to acquire data on gay life. Although his published works did not reveal personal or other damaging information, did not provide any details of individuals, and was a sympathetic portrait that put no subjects at risk, Humphries was castigated as an unethical scholar who should be censured. His study also generated considerable debate over the ethical obligations of social scientists toward human subjects. The resulting uproar over the Humphries study contributed to a renewed sensitivity of the ethical obligations of social scientists toward their subjects. Subsequent professional codes and Federal guidelines, including those mentioned above, established a few basic principles, including: Don't lie to subjects, protect subjects, and don't engage in manipulative or deceptive practices. The recent publication of the Carnegie Mellon "cyberporn" study by the Georgetown Law Journal (GLJ) illustrates how history repeats itself. Despite the voluminous writings on the ethics of human subjects research and an abundance of guidelines from Federal, institutional, and professional organizations, Carnegie Mellon appears to have violated some of the most basic ethical precepts that are routinely taught to undergraduates in research methods classes. Now, there are times, especially in research dealing with close interaction in which ethical guidelines are not as clear cut as they seem. This is true especially in participant observation or other research in which boundaries can be blurred by the ambiguity of roles between researcher or subject, or when it's not always clear when the researcher is acting in a personal or a professional capacity. However, the Carnegie Mellon study doesn't fit this category, because the Carnegie Mellon research team was not engaged in a study of the BBS culture from the subjects' point of view, but rather manipulated the subjects to obtain data that had nothing to do with the culture and everything to do with amassing information that excluded the subjects' interpretation of the meanings of the erotica BBS enterprise. The assumption guiding this discussion is that if a research project is demonstrably in non-compliance with ethical conventions reflected by commonly accepted standards of human subjects research, that project may be said to be unethical. There are two levels of ethical breaches that mar the Carnegie Mellon study and taint the participants as unethical researchers. First is the level of INTELLECTUAL INTEGRITY. As has been documented elsewhere (eg, Hoffman and Novak, Thomas, Godwin, Reid, et. al., all available at http://www2000.ogsm.vanderbilt.edu), the Carnegie Mellon study reflects intellectual deception in how the data are analyzed (reckless conflating of conceptual categories that inflate findings to support the study's premise), how the study is presented (the study claims to be about nearly one million images, short stories, animations, and descriptions, when in fact it excludes animations and analyzes instead text descriptions, and far less than the one million claimed), and how generalized claims are made without supporting data. If CMU wishes to identify with such research, that is its business, and its reputation will rise or fall according to the critiques given by independent scholars. Such breaches can normally be corrected through revision following peer review, through subsequent reinterpretation of data, or--in extreme cases when the first two corrections fail--by disavowing the study. Had the GLJ article gone through a normal peer review prior to publication, or had the study been made available to objective readers than kept "secret" prior to publication, it is likely that many of the intelletual errors could have been prevented. Of more serious concern, and one that affects all empirical social scientists, is the violation of fundamental professional ethics in HUMAN SUBJECTS research. This concern is global for several reasons. First, when unethical research is published in a reputable journal under the name of one of the nation's most prestigious institutions, it jeopardizes the reputation and credibility of all social science. After all, if a prestigious university does research like this, what must other institutions be doing? Second, ethical lapses in research have the potential for increasing monitoring by external overseers and for making it more difficult for scholars to engage in inquiry into sensitive areas because of restrictions on what is or is not permissible in research. Third, such research makes it more difficult for other scholars to acquire information because of the potential suspicion that researchers may use deception as a routine method. Finally, when students (or even other scholars) see an unethical study sponsored by a major university published in a respected journal, it makes it more difficult for those who teach methods courses or who struggle with ethical issues to convey the importance of acting responsibly. More simply, such research sets a counter example for how researchers ought treat their subjects. THE ETHICAL VIOLATIONS OF THE CMU STUDY The Carnegie Mellon study centered on three main data gathering techniques. The primary data were gathered by initial modem or voice contact with "approximately 1,000" BBS systems to collect an initial pool (GLJ, p. 1877). From these, 91 were ultimately chosen (although for some unstated reason, apparently only 35 were used in the final analysis (GLJ, p. 1889). The goal of the CMU research team, according to the methodological discussion in the GLJ text, was to download the descriptions of "pornographic files" for analysis by linguistic parsing software designed for the study. The BBSes were not public, and the methodological discussion indicates that at least half of the BBSes required proof of age, among other information (GLJ, p. 1878). In other words, the BBSes were not accessible to the general public, thus removing any compliance exemption that a project might receive for conducting research in public settings. A secondary research goal included obtaining information directly from sysops about files, users, and other information. Supplemental data came from a public document listing the 40 most popular Usenet groups, and from usage statistics from a university computer site that allowed tracking of "the number of individual users at the university who accessed pornographic and/or non-pornographic Usenet newsgroups one a month or more (pp. 1865-66). Drawing from the criteria listed above in part I, it is indisputable that the Carnegie Mellon study was intended as research, and it is equally indisputable that it involved gathering information from human subjects. It is also indisputable that the research involved direct interaction between at least some BBS sysops, and that the data collection included gathering information from non-public sources for which there is no evidence that permission was acquired to make it public. Hence, the Carnegie Mellon study is subject to the professional conventions and norms of human subjects research regardless of whether CMU is required by law to follow the guidelines. There are several areas of ethical concern in the Carnegie Mellon study. Some are relatively minor and simply raise questions. Others appear quite serious. 1. The CMU research team gathered data on the Usenet reading habits of 4,227 users on a university computer system (GLJ, p. 1865-66; 1870-71). It is not clear precisely how these figures were gathered, because the methodological discussion leaves room for considerable ambiguity. Only one cryptic footnote provides clues, which itself raises questions about how the CMU administration protects privacy of computer users: The research team consulted with several privacy experts and opted not to report detailed demographics of the university population of computer pornography consumers. These demographics included age, sex, nationality, marital status, position (faculty, staff, student), and department. Although the research team obtained such demographics by means available to any authorized user of the campus network, reporting them would raise complex ethical and privacy issues. The data would have to be disguised in a manner that could not be reconstructed to identify individual users (p 1869, n40). The text suggests that the the CMU team had licit access to individual rather than aggregate data, and that these data--along with other personal user data--were publicly available. While it is possible that such data may be "world-readable" in configuration files or through licit means, there is room for considerable debate over whether it is ethical for researchers themselves to access such data. The text's implication, however, is that a computer administrator responsible for monitoring site statistics acquired the data (GLJ, p. 1865, n. 30), and in responding to two of his critics, the CMU principal investigator acknowledges that the Usenet data were collected by "network engineers" (http://trfn.pgh.pa.us/guest/mrstudy.html - "Rimm response to Hoffman/Novak"). If an individual researcher snoops through personal files, even if--like an open window from a public street--they are visible, the ethical acceptability of peeping cyber-Toms is not clear cut. Such an act ought not be accepted as a licit part of a research method without careful consideration and justification. If, however, network engineers collected the Usenet data on individual users, then it raises the question of the propriety of a second party collecting and distributing information to a third party for public consumption about the aggregate viewing habits of individual users. It also suggests that the users' reading habits were not public, and scrutiny of their files required systematic surveillance that, while even if defensible for system maintenance, seems not as defensible when such data are passed to a third party who ordinarily might not be authorized to receive it. Whether this is an ethical breach or not can only be determined by examining the nature of the statistics provided to the researchers and reviewing site user policies to determine the level of the expectation of privacy. Perhaps no ethical violations occurred, but the data gathering technique does raise questions not answered by the Carnegie Mellon study. 2. Another seemingly minor peccadillo derived from the site data gathering is the implication that those site users who protected their privacy by blocking monitoring by site statisticians might be pedophiles: First, 11% of the computer users in this study block the site Second, some users have multiple accounts and avoid detection by using a second account to access the Usenet. While there is no evidence to suggest that Usenet and Internet users who block the monitoring of their accounts access pornography more frequently than those who do not, one also cannot assume that a notable difference does not exist. This is especially true in the context of pedophilia and child pornography consumption. Preferential molesters (i.e., pedophiles with a true sexual attraction to children) frequently employ inventive mechanisms to evade discovery, as discovery will likely lead to incarceration (GLJ, p. 1865, n30). The defamatory implication of such wording aside, the inexplicable association of persons on whom data is unavailable with pedophilia and worse violates the principles both of "respect for persons" and "justice." In the guise of "objective research," a category of users is defined as possible felons simply because, perhaps wisely, they chose to protect their privacy. That Carnegie Mellon's study would resort to such a rhetorical ploy that explicitly violates two principles of the Belmont Report would likely be criticized by the ethics committees of any national social science society. 3. More serious than the preceding concerns is the explicit prescription that researchers minimize risk to subjects by using caution and discretion in revealing data. The Carnegie Mellon study does not appear to have exercised acceptable caution. Conventional canons of research ethics proscribe revealing potentially harmful data. That a researcher is able to acquire private and potentially sensitive data does not confer a right to publish that data. Rather, it confers upon researchers an obligation to exercise special caution when information is obtained from informants who do not know they are the subjects of a study and are enticed to provide information about third parties who are unaware that information about them is being gathered, studied, and eventually made public. Here are a few examples where Carnegie Mellon behaved in a way that departs from established ethical guidelines: a) "Respect for persons" extends beyond protecting an individual. It also requires consideration for group privacy. If the data on the "porn-reading" habits of users on the study site's system were gathered when the readers had an expectation of privacy, the data ought not be compiled, let alone be made public. In the context of the article, "porn" is stigmatized, and making assumptions about, as well as revealing, a groups' reading habits in a way that stigmatizes without evidence violates the "respect for persons" tenet. b) Also of concern is the Carnegie Mellon study's commentary of Robert Thomas and his Amateur Action (AA) BBS. AA BBS is a private system in California that requires registration and a fee before access is given. Consequently, the information is not public, and information is not intended for public consumption. Although some of the information in the CMU discussion is cited as derived from court records, much appears to have come directly from the BBS itself. As will be shown below, there is the strong probability that the CMU research team did not reveal their research identity to Thomas or other sysops. Thus, it would appear that they collected data deceptively. It is curious that of all the BBSes studied, only Thomas is identified by name and enterprise. He is also stigmatized in the discussion in a separate subjection titled "The Marquis de Cyberspace" (GLJ, p. 1912). It is unlikely that Thomas (or any other subject) would approve of such public stigmatizing and revelation of private data of the enterprise and user habits. The information revealed includes not only file lists and file descriptions, but also (and especially disturbing) publication of presumably private information that the AA BBS subscriber list includes subscribers from two cities in which Thomas faced legal problems. One might argue that because Thomas is currently incarcerated on charges related to distribution of pornography, the researcher would therefore be released from the ethical obligations to protect the privacy and safety of informants. However, as both the Belmont Report and Federal Policies indicate, precisely because Thomas is unable to provide full consent increases the ethical obligation to protect him. Recall the wording of the Belmont Report: Respect for persons incorporates at least two ethical convictions: first, that individuals should be treated as autonomous agents, and second, that persons with diminished autonomy are entitled to protection (BR: 4). Because of Thomas's legal vulnerability, it is especially important that a researcher not disclose information about a subject, regardless of whether consent was given. Both the nature of the information about Thomas and AA BBS and the tone of the discourse in which it is delivered (p 1912-13) constitute an explicit violation of established ethical conventions intended to assure the respect, well-being, and autonomy of human subjects. The disclosure is of special concern because AA BBS remains in existence as a viable enterprise. c) The Carnegie Mellon study identifies several defunct BBSes by name (GLJ, p. 1909). Assuming that the sysops of these BBSes were unaware that they were being monitored and their logs captured by researchers who would make their name public, revealing the names of the BBSes publicly in a stigmatizing context constitutes a violation of privacy restrictions. That the BBSes are defunct is irrelevant. d) The most serious violation in this category, one that constitutes an explicit breach of the principles to minimize risk to subjects, is Appendix D of the Carnegie Mellon study, in which the cities from which BBS users called are listed. Given the stigmatizing language and context of the article, such revelation reflects failure to comply not only with privacy norms of sysops, but it also puts at potential risk third parties (users) who would be unaware of data collection and subsequent publication. The CMU article acknowledges that in some countries, the penalty for possession of pornography is death. Yet, these countries are included in Appendix D. Small U.S. communities with a population of only a few thousand or less are also included. What is the risk of such a list to third-parties who are unaware of covert surveillance of their activities? How might prosecutors, politicians, or parents in a small town react if they suspected a "porn consumer" lurked in the community? Perhaps serious, perhaps not. But, given the manner in which the data are presented as "paraphilia," "pedophilia," or worse, the consequences of discovery or suspicion would be of no small consequence to users in the current climate of "anti-porn" concern. Even if risks to users were negligible, it is simply not the right of Carnegie Mellon University to make the decision to put others at even minimal risk. Further, nothing is served by Appendix D that couldn't have been equally--indeed, better--served with a simple table summarizing, rather than detailing, the data. Appendix D reflects an exceptionally egregious violation. 4. The most serious and explicit ethical violation is the deceptive nature in which Carnegie Mellon collected the data. Virtually every principle of informed consent was breached, because there is sufficient evidence to conclude that the research team gathered data deceptively, perhaps even fraudulently. The Carnegie Mellon study's research team indicated that it initially contacted over 1,000 BBSes by modem or voice to create a final population of (apparently) 91 BBSes (GLJ, p. 1853). Then the team either subscribed to, or logged on as a new user or guest, to a number of representative pornographic BBS (sic) and collected descriptive lists of the files offered by each (GLJ, p. 1876). The Carnegie Mellon study indicates (p 1879, 1880) that: Many BBS (sic) either hide this information from their customers or do not provide it because of space or software limitations (pp. 1879-80). .......... In these instances, MEMBERS OF THE RESEARCH TEAM EITHER SCREEN CAPTURED THE "ALLFILES" LIST IN DOUBLE LINE FORMAT, OR PERSUADED THE SYSOP TO PROVIDE THE LIST PRIVATELY (GLJ, p. 1880, emphasis added). The CMU research team also indicates that they conducted "chats" (private computer interaction) with the sysops to obtain information (1875). Not only is there no indication that the sysops knew they were being studied covertly, but there is every indication that they did not: MEMBERS OF THE RESEARCH TEAM DID NOT, AS A RULE, IDENTIFY THEMSELVES AS RESEARCHERS (GLJ, p. 1878, emphasis added). Recall the words from the Belmont Report: In most cases of research involving human subjects, respect for persons demands that subjects enter into the research voluntarily and with adequate information (BR: 4). If subjects do not know they are being researched, it's not immediately obvious how they can enter into a project voluntarily with adequate information. And, again from the Belmont Report: Persons are treated in an ethical manner not only by respecting their decisions and by protecting them from harm, but also by making efforts to secure their well-being (BR, p. 4). There are numerous ways to secure the well-being of subjects in a research project in which there is the risk of revealing potentially damaging or embarrassing information. In a climate of public and legislative fears of "pornography" and in the midst of the proposed Exon legislation/Computer Decency Act to restrict "indecent" material on the Information Highway, dramatizing "pornography" through misleading data and rhetoric isn't one of them. Nor is increasing the visibility of the discredited findings of such a study by shopping them around to major media sources one of them. As Brock Meeks reported, the Carnegie Mellon study seemed more an exercise in media promotion than in intellectual inquiry (CyberWire Dispatch, July 4, 1995). Not only did the Carnegie Mellon team make no apparent effort to protect the well-being of their subjects, but by deceptive data collection and high-profile revelation, they seem to have done the opposite. It is absolutely and unequivocally clear that Carnegie Mellon University engaged in deception to gather the data in a way that violated informed consent, privacy, and other explicit conventions followed by social scientists and mandated by federal principles and guidelines. If the remarks of the principle investigator were reported accurately (CyberWire Dispatch, July 4, 1995), it is possible that Carnegie Mellon University might even have gathered data fraudulently: Dispatch asked Rimm: "Did your team go uncover, as it were, when getting permission from these [BBS operators] to use their information?" He replied only: "Discrete, ain't we?" When asked how he was able to obtain detailed customer profiles from usually skeptical operators of adult BBSs he says: "If you were a pornographer, and you don't have fancy computers or Ph.D. statisticians to assist you, wouldn't you be just a wee bit curious to see how you could adjust your inventories to better serve your clientele? Wouldn't you want to know that maybe you should decrease the number of oral sex images and increase the number of bondage images? Wouldn't you want someone to analyze your logfiles to better serve the tastes of each of your customers? (Cyberwire Dispatch July 4, 1995). SUMMARY The broad principles and explicit guidelines that alert human subjects researchers to potential ethical problems are intended to 1) protect subjects from risk, 2) minimize potential harm resulting from exposure to research methods or results, 3) assure the subjects are fully informed that research is occurring, 4) assure that data is collected in a manner consistent with privacy tenets, and 5) assure that deception or fraud in research do not occur. The Carnegie Mellon study demonstrably violated each of these tenets. Some might argue that the principle investigator bears the responsibility for the ethical lapses. Perhaps. But, as the NIU guidelines--which are standard among research universities--indicate, the faculty advisor and oversight committees within an institution's administration are ultimately responsible. It is the principle faculty advisor who bears the immediate responsibility for socializing and mentoring the student into the world of empirical research, and this socialization includes imparting ethical precepts. Because the research was funded with four Carnegie Mellon Small Undergraduate Research Grants (SURG) (GLJ, p. 1849), those who reviewed grant proposals are also responsible for the ethical failures of the study. If the CMU human subjects review board read the proposals and did not respond negatively to the deceptive methodology (which would presumably be specified in the proposals), they, too must accept responsibility for the deception. If, as the principal investigator's comments suggest, subjects were defrauded into participating by being deceived into believing that they were receiving marketing consultation rather than being the subjects of a covert study that would put them and their users at potential risk, then perhaps the human subjects' review committee should re-read Federal and other documents or, better, take a refresher course in basic ethics. In the end, however, Carnegie Mellon University must accept the ultimate responsibility for their unethical behavior. This is, after all, the CARNEGIE MELLON study: It has been so-labeled in the GLJ article; It is so-labeled by the media; It is so-labeled by Congressional observers; It is so-labeled by the commentators of the study in the GLJ review who respond to the study; and, above all, it is so-labeled by Carnegie Mellon University itself. When asked point-blank if this is a Carnegie Mellon study conducted under the auspices of Carnegie Mellon, and a study to which Carnegie Mellon gives its name, a spokesperson in the public relations office said, "Yes." She then indicated as evidence the list of nearly two dozen CMU and other personnel, including professors, deans, and administrators, who participated[1]. There seems to be a rather long list of people on the Carnegie Mellon research team who might have benefited from familiarization with social science ethics. On the other hand, if Carnegie Mellon condones such ethical lapses, then the debates following Laud Humphries' research were over nothing. But, I doubt if any serious social scientists would accept that. ------------------------------------------------------------------- [1] The Following are listed in the GLJ article footnotes as members of the research team, as contributors, or acknowledged for other assistance. To date, three of those listed (Lisa Siegel, Adam Epstein, and Daniel Weitzner, have disavowed the study). Researcher and Principal Investigator, College of Engineering, Carnegie Mellon University. This interdisciplinary project was made possible by four grants from Carnegie Mellon University. The author [hereinafter "principal investigator" wishes to thank members of the research team for their encouragement, patience, and support. Principal faculty advisor: Dr. Marvin Sirbu, Department of Engineering and Public Policy. Faculty advisors: Dr. David Banks, Department of Statistics; Dr. Timothy McGuire, Dean, Charles H. Lundquist School of Business, University of Oregon; Dr. Nancy Melone, Associate Professor of Management, Charles H. Lundquist School of Business, University of Oregon; Carolyn Speranza, Artist/Lecturer, Department of Art; Dr. Edward Zuckerman, Department of Psychology. Senior Programmer: Hal Wine. Programmers: Adam Epstein, Ted Irani. Research Assistants: Patrick Abouyon, Paul Bordallo, G. Alexander Flett, Christopher Reeve, Melissa Rosenstock. Administrative Assistant: Timothy J. Burritt. Administrative Support: Dr. Chris Hendrickson, Associate Dean, Carnegie Institute of Technology; Robert P. Kail, Associate Dean, Carnegie Institute of Technology; Barbara Lazarus, Ph.D., Associate Provost for Academic Projects; Jessie Ramey, Director, SURG. Contributors: Lisa Sigel, C.J. Taylor, Erikas Napjas, John Gardner Myers. Special thanks to Ron Rohrer, Wilkoff University Professor, Department of Electrical and Computer Engineering; and Daniel Weitzner, Deputy Director, Center for Democracy and Technology, for review of the legal notes. -------------------- Jim Thomas is a professor of sociology/criminal justice at Northern Illinois University. He is also co-editor of Cu Digest. Homepage: http://www.soci.niu.edu/~jthomas E-mail: jthomas@sun.soci.niu.edu ------------------------------ Date: Sun, 19 Apr 1995 22:51:01 CDT From: CuD Moderators Subject: File 2--Cu Digest Header Info (unchanged since 19 Apr, 1995) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send a one-line message: SUB CUDIGEST your name Send it to LISTSERV@VMD.CSO.UIUC.EDU The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CUDIGEST Send it to LISTSERV@VMD.CSO.UIUC.EDU (NOTE: The address you unsub must correspond to your From: line) Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org In ITALY: Bits against the Empire BBS: +39-464-435189 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) JAPAN: ftp://www.rcac.tdi.co.jp/pub/mirror/CuD The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu:80/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #7.58 ************************************