Communications - June 2010

Are Internet Protocol addresses per-
sonally identifiable information? What
is “public” and what is not? Is encrypt-
ed data secure? Can anonymized data
be re-identified? Researchers we have
spoken with are occasionally rebuffed
by their IRBs—the IRBs insist that no
humans are involved in the research—
ignoring that regulations also apply to
“identifiable private information.”
Another mismatch between com-
puter science research and IRBs is
timescale. CS research progresses at a
much faster pace than research in the
biomedical and behavioral fields. In
one case we are aware of, an IRB took
more than a year to make a decision
about a CS application. But even two
or three months to make a decision—
typical of many IRBs—is too slow for a
student in a computer science course
who wants to perform a social network
analysis as a final project.

For example, one of our studies, which involved observing how members of our university community responded to simulated phishing attacks over a period of several weeks, had to be shortened after being delayed two months by an understaffed IRB. With the delayed start date, part of the study would have taken place over winter break, when few people are on campus. Another study we worked on was delayed three months after an IRB asked university lawyers to review a protocol to determine whether it would violate state wiretap laws.

In another case, researchers at Indiana University worked with their IRB and the school’s network security group to send out phishing attacks based on data gleaned from Facebook.g Because of the delays associated with the approval process, the phishing messages were sent out at the end of the semester, just before exams, rather than at the beginning of the semester. Many recipients of the email complained vociferously about the timing.

Another reason computer scientists have problems with IRBs is the level of detail the typical IRB application requires. Computer scientists, for the most part, are not trained to carefully plan out an experiment in advance, to g T. Jagatic, N. Johnson, M. Jakobsson, and F. Menczer. Social phishing. Commun. ACM 50, 10 (Oct. 2007), 94–100.

it is becoming
increasingly easy
to collect human
subjects data over
the internet that
needs to be properly
protected to avoid
harming subjects.

figure out which data will be collected, and then to collect the results in a manner that protects the privacy of the data subjects. (Arguably, computer scientists would benefit from better training on experimental design, but that is a different issue.) We have observed that many IRB applications are delayed because of a failure on the part of CS researchers to make these points clear.

Finally, many computer scientists are unfamiliar with the IRB process and how it applies to them, and may be reluctant to engage with their IRB after having heard nothing but complaints from colleagues who have had their studies delayed by a slow IRB approval process. While the studies that CS researchers perform are often exempt or extremely low risk, it is becoming increasingly easy to collect human subjects data over the Internet that needs to be properly protected to avoid harming subjects. Likewise, the growing amount of research involving honeypots, bot-nets, and the behavior of anonymity systems would seem to require IRBs, since the research involves not just software, but humans—both criminals and victims.

The risks to human subjects from
computer science research are not al-
ways obvious, and the IRB can play an
important role in helping computer sci-
entists identify these risks and insure
that human subjects are adequately
protected. Is there a risk that data col-
lected on computer security incidents
could be used by employers to identify
underperforming computer security
administrators? Is there a risk that ano-
nymized search engine data could be
re-identified to reveal what particular
individuals are searching for? Can net-
work traffic data collected for research
purposes be used to identify copyright
violators? Can posts to LiveJournal and
Facebook be correlated to learn the
identities of children who are frequent-
ly left home alone by their parents?

h § 46. 110 (b)

Simson L. Garfinkel ( slgarfin@nps.edu) is an associate professor at the u.S. naval Postgraduate School in Monterey, CA.

Lorrie Faith Cranor ( lorrie+@cs.cmu.edu) is an associate professor of computer science and engineering and public policy and the director of the CyLab usable Privacy and Security Laboratory at Carnegie Mellon university in Pittsburgh, PA.