• A system security administrator discovers malware on a server that stores personally identifiable information. It will take a substantial effort to determine whether the malware has actually exfiltrated any of the information, and it might in fact be impossible to determine this with certainty. What are the administrator's responsibilities?
• A computer scientist studying a communications protocol with a new method of analysis discovers a previously unknown vulnerability. The protocol is widely used. Should she write a paper touting the success of the analytic method and submit it for publication, write a research proposal for further development of the analysis method, notify the maintainers of the protocol of the problem, or offer information about the protocol vulnerability for sale on the black market?
• A software engineer tasked with implementing the design for a new application realizes that security and privacy considerations have not been attended to. The problems will occur in the future, and deadlines for delivering the software are looming. What alternatives should the engineer pursue?
• A researcher with access to statistical summaries of data from a social networking site discovers that a new way of looking at the data not only reveals new relationships but also makes it possible to infer the identities of individuals in the study who had been assured of their anonymity. What action should he take? What are the responsibilities of the organization that released the statistical summaries?
• A conference program committee receives a research paper that reports some fascinating new results concerning observed human behavior in cyberspace, but the data were collected from machines whose owners unwittingly downloaded software from a public Web site. Should the committee judge the work solely on the technical merits and accept it, or should it consider whether the data were collected ethically in making its decision? And what does it mean for the data to be ethically collected?
• Security researchers need to inform themselves about the ethics of human subject experimentation. There is a growing literature on the ethics of data collection from networks, and those proposing and conducting research have an obligation to inform themselves on these issues. For example, the National Academy of Engineering has recently expanded its Online Ethics Center (www.onlineethics.org), which provides case studies and course materials that illuminate several of the examples I presented. That said, the site will benefit from further contributions focused on cybersecurity ethics. An online journal for Internet research ethics published its first issue in 2008 (http://ijire.net).
• IRBs need to develop staffs who are well-informed about the situations and consequences of human subject experimentation in cyberspace. Ultimately, it should be appropriate to rely on an IRB's approval to assure that a given research proposal in fact satisfies ethical guidelines. That is not yet the case.
• Professional societies need to begin developing ethical guidelines for cyberspace monitoring and experimentation. The IEEE, the ACM, and Usenix provide the major publication outlets for research in this field. If these three societies could work together to develop a set of ethical guidelines, the guidelines could have the broad impact we would hope to see. IRBs are required only for US government-funded research. A broadly accepted set of guidelines covering professional society members, who work in many countries and for private firms as well as governments and universities, could have global reach.