There's a lot of discussion now of human subjects in Computer Science / security research, the role of the IRB, and ethics

I thought I'd give my 2🪙
/thread 1/34
My background: In 2017 we ran an experiment to measure the effectiveness of telephone scams, sending out 3k phone scams to unsuspecting users (at our university)

📜: https://adamdoupe.com/publications/users-really-do-answer-phone-scams-usenix2019.pdf 2/34
If you've taken IRB training (if you haven't, and you're interested in this, I highly recommend it), you know that some of the cornerstones of conducting ethical research are (paraphrasing): no harm, no deception, and informed consent 3/34
These are clearly at odds with the goals of the research, and satisfying them would negatively impact the research 4/34
For instance, informed consent is almost impossible in this scenario, because a participant's knowledge of the study will clearly impact their behavior 5/34
So, we submitted this study to our university's Institutional Review Board (IRB) 6/34
For those not familiar, this is an in-depth process.

The entire study design needs to be explained (everything, all text/communication with people), and we also provide our assessment of potential for harm, as well as mitigations. 7/34
As an aside, the three determinations that the IRB can make (at least our IRB, I can't speak to another university's IRB): not human subject research, exempt, and full review. 8/34
Not human subject research means that, based on the study design sent to the IRB, the IRB determines that it does not fall under their purview 9/34
Exempt (which is strangely named) means that the IRB determines that the study *does involve* human subjects, but the risk of harm is minimal, and the study does not require a full IRB board review 10/34
Full review is when the entire IRB convenes to discuss the research design, and is required when the study has higher risk for harm, involves no consent, or involves deception 11/34
Our study had all three: deception is required, no consent is also required, and, because we are attempting to scam people, there is an increased risk of harm 12/34
So, as part of the IRB process, we worked directly with the IRB to reduce the potential for harm 13/34
This actually reduced the scientifically interesting data that we could collect for our experiment 14/34
Specifically, as part of the scam, we asked users to input their Social Security Number (SSN), which is a common goal in many scams 15/34
Collecting this information would strengthen our results: we could see how many people input clearly fake information (all zeros), could try to determine the validity of the SSN, etc. 16/34
Our IRB asked us if there was another way we could accomplish the goals of our research without this information, because asking for SSN significantly increases the risk for harm (users would actually be deceived, potential leaking of PII, psychological harm to users, etc.) 17/34
We agreed and changed the study design to only ask for the last four digits of the SSN, which prior research shows can be enough to determine the whole SSN 18/34
The IRB was still worried about us collecting this information, so we agreed and changed our study design to only collect if any digit was present 19/34
Ultimately, we derived a notion of "potentially tricked" from the data that we had available, but this was the tradeoff we made: to conduct a deceptive and no consent human subjects experiment, we reduced harm as much as possible 20/34
We also worked with the university's IT department (and this was part of the study design we submitted to the IRB) so that they and customer support would be aware when we conducted our study so that users could be assured that this was a real research study 21/34
Part of the reason that we had such a great experience with our IRB was that ASU's IRB had Computer Science professors on it, and that person helped bridge the gap between me and the IRB 22/34
With all that background, here are what I think are interesting takeaways that many folks are missing about research and IRBs: 23/34
1. The purpose of the IRB is not to prevent any harm from any experiment, but to reduce the harm and weigh the harm vs. the benefits (beneficence in IRB lingo) 24/34
2. Any research experiment that has potential for harm to humans, involves deception, or has no consent should require full IRB approval 25/34
3. Any CS or security research that involves humans should be submitted to the IRB *before* conducting the research 26/34
4. It's the responsibility of the PI (lead person, usually a professor) and researchers to clearly communicate to IRBs about potential for harm and human involvement so that they can make accurate determinations 27/34
5. The Computer Science community is (finally) starting to realize that much of our research involves human subjects 28/34
We (all of us) should be working with our IRBs to help educate them on the types of research that we do that involve humans or have possible harm to humans 29/34
IRBs can sometimes have a limited view of what constitutes human subjects research (e.g., directly studying human behavior or responses), and it's our job to help inform on potential (perhaps unclear) incidental harm to humans b/c of our experiments 30/34
6. We should recognize that we're a bit in uncharted waters as a field, and that we should be forgiving of mistakes so that we can all learn and grow 31/34
For instance, some papers I wrote from early in my career should probably have been submitted for IRB review 32/34
I'm confident that they would be ruled exempt and that we minimized harm, but I didn't know as much about conducting human studies research (and it was not the norm in our area at the time) 33/34
And, if you made it this far, then you now know something about conducting human studies research and the challenges involved 34/34
Great points by @bradreaves about the difficulty of predicting harm in advance: https://twitter.com/bradreaves/status/1385010157940318212?s=20