Editor in chief
Pages: pp. 3-4
Ethical behavior has concerned computer security researchers and practitioners for decades. A quarter-century ago, the publication of Fred Cohen's papers defining and describing computer viruses ignited a discussion about the ethics of publishing attack information. Since then, we've seen lengthy discussions of the proper behavior for those who find vulnerabilities in systems—whom they should contact, how long they should wait before making findings public, whether it's ethical to pay people to find vulnerabilities, and so on. But the continuing intertwined evolution of technology and society keeps raising new ethical issues. Consider:
Although these situations raise interesting points for discussion (and Fred Cohen addresses one of them elsewhere in this issue), let's focus on the last one. The security research community today is increasingly asked to provide a scientific basis for its work and quantified evidence of improvements in security. Both of these imperatives lead to a demand for more data, either from controlled experiments or real-world observations. The demand for more usable security functions also motivates data collection involving human subjects.
The rise in botnet activity and financially motivated computer crime in the past few years has led to several research initiatives to study the botnets' structure and operation. But to study a botnet, you need to detect it and even get inside of it. Because botnets generally operate by inserting software on an unwitting user's computer, one tactic is to insinuate the measurement software into the botnet's structure. This could mean inserting software on that unwitting user's computer. Because the user's computer is already compromised, and we expect an ethical researcher at minimum to do no additional harm, perhaps such actions are ethically justified. Some researchers have included explicit discussions of measurement ethics in their papers to address this point [1]. Even so, the compromised user is now also an unwitting experimental subject.
Research funded by the US government that involves human subjects must in general be reviewed and approved by the Institutional Review Board (IRB) of the institution receiving the funding. IRBs were created to prevent the recurrence of the scandalous Tuskegee syphilis medical experiments that were finally terminated in 1972. The scandal led to the creation of a Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. In 1978, that commission produced a 12-page document known as the Belmont Report (US Gov't Printing Office, 1978) that's now the basis for IRBs throughout the USA.
Because of this history, most IRBs have much deeper experience reviewing proposals from biologists and psychologists than from computer scientists and engineers. But as Simson Garfinkel has noted [2], computer scientists and particularly people working in security research need to become much more familiar with IRBs, the scope of research they cover, and the ethical principles their research proposals need to incorporate.
One of the fundamental principles is that of informed consent. Only adults are deemed capable of providing informed consent—minors can only "assent" and require parental consent. But on the Internet, how does the experimenter establish the subject's age? We might also need to reconsider just what it means to involve a "human subject"—is the analysis of publicly available information (say, a blog post), where authors are clearly identified, a human subjects issue?
Returning to botnet research, some program committees have recently devoted considerable time to discussing precisely the questions posed in the last bulleted example. If an IRB has approved the research, should the program committee accept that judgment? Mark Allman [3] has argued that today IRB approval is necessary but not always sufficient, precisely because their staffs might lack the appropriate expertise.
In May 2009, the US Department of Homeland Security's Science and Technology directorate organized a workshop on Basic Ethical Principles for Network Research at which a wide range of potential application areas and experiments were discussed. The workshop report is still in preparation at this writing, but should appear within the next few months.
While I have focused on only one of the examples in my earlier list, the others deserve attention as well. How should our field proceed? Here are three actions we can take:
Even if it takes time, as it surely will, to establish consensus on the complex issues involved, it's imperative that we keep the discussion of ethics and cybersecurity on the front burner.