Computer underground Digest Tue Jul 11, 1995 Volume 7 : Issue 58

Computer underground Digest Tue Jul 11, 1995 Volume 7 : Issue 58
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer ([email protected]
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Field Agent Extraordinaire: David Smith
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
la Triviata: Which wine goes best with Unix?

CONTENTS, #7.58 (Tue, Jul 11, 1995)

File 1--The Ethical Lapses of the Carnegie Mellon "Cyberporn" Study
File 2--Cu Digest Header Info (unchanged since 19 Apr, 1995)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Tue, 11 Jul 1995 18:07:12 -0500
From: [email protected](Jim Thomas)
Subject: File 1--The Ethical Lapses of the Carnegie Mellon "Cyberporn" Study

THE ETHICS OF CARNEGIE MELLON'S "CYBER-PORN" STUDY

Jim Thomas
Department of Sociology
Northern Illinois University
(July 10, 1995)

It's unfortunate that there are some researchers, even prestigious
ones, who fail to recognize that the same ethical principles that
apply to off-line research apply on-line as well. Conventions that
prohibit deception, invasion of privacy, placing human subjects at
risk, and possible fraudulent data gathering are not considered a
normal part of research. It is especially sad when a research study
carrying the name of a prestigious national university errs so
egregiously as occured in the Carnegie Mellon study of "Net
pornography."

The Carnegie Mellon study was published in the Georgetown Law
Journal (Vol. 83, 1995: pp 1839-1934) and featured as the cover
story of Time Magazine (July 3, 1995; See CuD 7.56). The primary
focus of the study was an analysis of the text descriptions from
adult BBSes specializing in erotica, and a secondary focus was on
Usenet erotica files from the alt.binaries hierarchy. The
intellectual substance of the study has been convincingly
discredited (see the Hoffman/Novak critique at
http://www2000.ogsm.vanderbilt.edu). However, the ethics of the
study have not yet fully been addressed. Because of the
implications of the ethical violations for cyberspace, and because
the violations occured in the name of Carnegie Mellon University
(CMU), the implications cannot go unaddressed.

PART I: CONVENTIONAL ETHICAL GUIDELINES

It seems indisputable that the study to which Carnegie Mellon
University lends its name and its credibility contains disturbing
ethical lapses. These lapses seem sufficiently serious that they
should be of concern to both the CMU administration and to social
scientists and computer professionals elsewhere. If the methodology
of the study is correct as described in the GLJ article, and if the
medias' reporting of the comments of the study's principal
investigator are accurate, then the Carnegie Mellon study violates
fundamental canons against deceptive data gathering, informed
consent, and revelation of potentially harmful information.

Federal guidelines (eg, The Belmont Report, 1979; Federal Register
(Part II): Federal Policy for the Protection of Human Subjects;
Notices and Rules, 1991) provide a boiler plate model followed by
state institutions in establishing principles and policies that
ought be followed by all researchers, whether funded or non-funded,
who conduct research under the university's name. The wording of
Northern Illinois University's (NIU) Graduate School Office of
Research Compliance guidelines is fairly standard:

I. ETHICAL PRINCIPLES

A. This institution is guided by the ethical principles
regarding all research involving humans as subjects, as
set forth in the report of the National Commission for
the Protection of Human Subjects of Biomedical and
Behavioral Research (entitled: _Ethical Principles and
Guidelines for the Protection of Human Subjects of
Research_ ((the "Belmont Report"))), REGARDLESS OF
WHETHER THE RESEARCH IS SUBJECT TO FEDERAL REGULATION, OR
WITH WHOM CONDUCTED, OR SOURCE OF SUPPORT (I.E.,
SPONSORSHIP). (emphasis added--jt)

Unlike Federal or institutional rules, the Belmont Report (BR)
specifies three broad principles (rather than explicit rules) to
guide research.

1) RESPECT FOR PERSONS.

Respect for persons incorporates at least two ethical
convictions: first, that individuals should be treated as
autonomous agents, and second, that persons with diminished
autonomy are entitled to protection (BR: 4).

Although intended primarily to protect from abuse those persons not
fully capable of making an informed decision to participate in
research (eg, the mentally disabled or institutionalized persons),
respect for persons extends to others, and includes providing
adequate information about the research:

In most cases of research involving human subjects, respect for
persons demands that subjects enter into the research
voluntarily and with adequate information (BR: 4).

2) BENEFICENCE: This principle extends the Hippocratic maxim of "do
no harm" to the ethical obligations of a researcher:

Persons are treated in an ethical manner not only by respecting
their decisions and by protecting them from harm, but also by
making efforts to secure their well-being. Such treatment falls
under the principle of beneficence. The term "beneficence" is
often understood to cover acts of kindness or charity that go
beyond strict obligation. In this document, beneficence is
understood in a strong sense, as an obligation. Two general
rules have been formulated as complementary expressions of
beneficent actions in this sense: (1) do not harm and (2)
maximize possible benefits and minimize possible harms (BR: 4).

The principle of beneficence assumes that scholars will carefully
think through the implications of their research, especially in
sensitive topics where the subjects could be placed in physical,
social, or legal jeopardy.

3) JUSTICE: The principle of justice centers on "who ought to
receive the benefits of research and bear its burdens" (BR: 5). The
Belmont Report conceptualizes the principle of justice as placing an
obligation on the researcher to assess the distribution of
"fairness" toward the research subjects and social interests.

HOW SHOULD THESE PRINCIPLES BE APPLIED?

The Belmont Report identifies several ways by which the principles
of respect for persons, beneficence, and justice can be implemented.
One way is INFORMED CONSENT:

While the importance of informed consent is unquestioned,
controversy prevails over the nature and possibility of an
informed consent. Nonetheless, there is widespread agreement
that the consent process can be analyzed as containing three
elements: information, comprehension, and voluntariness (p. 5).

INFORMATION:

Most codes of research establish specific items for disclosure
intended to assure that subjects are given sufficient
information. These items generally include: the research
procedure, their purposes, risks and anticipated benefits,
alternative procedures (where therapy is involved), and a
statement offering the subject the opportunity to ask questions
and to withdraw at any time from the research (BR: 5).

COMPREHENSION

Another way to implement the Belmont Report principles is by
assuring that research subjects comprehend the information and
understand what they are consenting to:

The manner and context in which information is conveyed is as
important as the information itself. For example, presenting
information in a disorganized and rapid fashion, allowing too
little time for consideration or curtailing opportunities for
questioning, all may adversely affect a subject's ability to
make an informed choice (BR: 6).

VOLUNTARINESS

Finally, the Belmont Report principles can be implemented only if
the subjects give consent voluntarily:

This element of informed consent requires conditions free of
coercion and undue influence. Coercion occurs when an overt
threat of harm is intentionally presented by one person to
another in order to obtain compliance. Undue influence, by
contrast, occurs through an offer of an excessive, unwarranted,
inappropriate or improper reward or other overture in order to
obtain compliance (BR: 6).

The spirit and letter of the Belmont report is explicitly and
unequivocally clear:

1. Researchers are ethically bound to protect their subjects from
potential risks or unnecessary harm.

2. Researchers are ethically bound to obtain consent from their
research subjects

3. Researchers are ethically obligated to inform their subjects of
the nature of the study and potential risks

4. Deception or other trickery employed to manipulate subjects into
participating in research is a fundamental violation of the
Belmont Report principles.

WHAT IS HUMAN SUBJECTS RESEARCH?

Professional societies such as the APA (American Psychological
Association) and ASA (American Sociological Association) provide
ethical guidelines shaped by Federal, institutional, and other
sources. Federal guidelines found in the Federal Register (e.g.,
"Federal Policy for the Protection of Human Subjects; Notices and
Rules" (FP)) specify a number of reasonable explicit rules.
Violations of these rules place a research project or an institution
in non-compliance with Federally and other mandated ethical
standards.

The term "research" refers to "a systematic investigation, including
research development, testing and evaluation, designed to develop or
contribute to generalizable knowledge" (FP 102(d)).

(f) _Human Subject_ means a living individual about whom an
investigator (whether professional or student) conducting
research obtains
(1) data through intervention or interaction with the
individual, or
(2) identifiable private information....INTERACTION includes
communication or interpersonal contact between investigator and
subject. "Private information" includes information about
behavior that occurs in a context in which an individual can
reasonably expect that no observation or recording is taking
place, and information which has been provided for specific
purposes by an individual and which the individual can
reasonably expect will not be made public (for example, a
medical record). Private information must be individually
identifiable (i.e., the identity of the subject is or may
readily be ascertained by the investigator or associated with
the information) in order for obtaining the information to
constitute research involving human subjects (FP, 102(f)(2).

Institutions that receive federal research funds, including private
ones, are required to implement procedures to assure compliance with
Federal guidelines:

(a) Each institution engaged in research which is covered by
this policy and which is conducted or supported by a federal
department or agency shall provide written assurance
satisfactory to the department or agency head that it will
comply with the requirements set forth in this policy (FP:
103(a)).

There are some exceptions to the review requirement for human
subjects, such as when conducting general educational tests or
surveys, engaging in policy evaluation, or gathering data that is
either public.

Federal guidelines also specifically and unequivocally require
informed consent (FP: 116):

Except as provided elsewhere in this policy, no
investigator may involve a human being as a subject in research
covered by this policy unless the investigator has obtained the
legally effective informed consent of the subject or the
subject's legally authorized representative.

The exceptions include the type of research exempted from human
subjects review. The elements of informed consent include a)
identification of the research project, and the purposes, duration,
and procedures to be followed; 2) A description of foreseeable risks
or discomforts; 3) A description of benefits to the subject; 4) A
description of the extent to which confidentiality of records
identifying the subject will be maintained.

SUMMARY

Human subjects research guidelines defining and mandating ethical
pre/proscriptions function as more than regulations to which
institutional recipients of federal grants must adhere. They also
establish explicit conventions recognized by professionals as the
minimal model of ethics for identifying subjects, acquiring data,
protecting subjects' privacy and other legitimate interests, and
writing or disseminating final results to the public.

That the Carnegie Mellon study may not be required by law to comply
with accepted guidelines for their "pornography study" is
irrelevant. It is clear that the study is intended as
"research," that it involves human subjects (BBS sysops) with whom
"interaction" occurred as defined by accepted guidelines, and that
this interaction occurred for the express purpose of gathering
sensitive data.

One irony of the Carnegie Mellon study is that while professing to
contribute to the national legislative and policy debate on morality
and ethics, Carnegie Mellon identifies with, and thus would condone,
a research project that raises fundamental ethical questions.

PART II: THE ETHICAL PROBLEMS SIMPLY STATED

When Laud Humphries published _Tea Room Trade_ over two decades ago,
he drew unprecedented criticism from social scientists for the
ethics of his study of gay culture and lifestyles. Humphries
developed an innovative method to identify subjects and gather data.
First, he hung out in truckstop restrooms and watched for gay sexual
activity, on occasion even serving as "lookout" for the
participants. Then, he recorded the automobile license numbers of
the participants as they left the area. From the licenses, He
obtained the names and addresses of the gay participants and, after
many months, contacted them as if they were randomly selected for an
unrelated sociological study. His follow-up data, gathered under the
guise of another topic, was in fact intended to acquire data on gay
life. Although his published works did not reveal personal or other
damaging information, did not provide any details of individuals,
and was a sympathetic portrait that put no subjects at risk,
Humphries was castigated as an unethical scholar who should be
censured. His study also generated considerable debate over the
ethical obligations of social scientists toward human subjects. The
resulting uproar over the Humphries study contributed to a renewed
sensitivity of the ethical obligations of social scientists toward
their subjects. Subsequent professional codes and Federal
guidelines, including those mentioned above, established a few basic
principles, including: Don't lie to subjects, protect subjects, and
don't engage in manipulative or deceptive practices.

The recent publication of the Carnegie Mellon "cyberporn" study by
the Georgetown Law Journal (GLJ) illustrates how history repeats
itself. Despite the voluminous writings on the ethics of human
subjects research and an abundance of guidelines from Federal,
institutional, and professional organizations, Carnegie Mellon
appears to have violated some of the most basic ethical precepts
that are routinely taught to undergraduates in research methods
classes.

Now, there are times, especially in research dealing with close
interaction in which ethical guidelines are not as clear cut as they
seem. This is true especially in participant observation or other
research in which boundaries can be blurred by the ambiguity of
roles between researcher or subject, or when it's not always clear
when the researcher is acting in a personal or a professional
capacity. However, the Carnegie Mellon study doesn't fit this
category, because the Carnegie Mellon research team was not engaged
in a study of the BBS culture from the subjects' point of view, but
rather manipulated the subjects to obtain data that had nothing to
do with the culture and everything to do with amassing information
that excluded the subjects' interpretation of the meanings of the
erotica BBS enterprise.

The assumption guiding this discussion is that if a research project
is demonstrably in non-compliance with ethical conventions reflected
by commonly accepted standards of human subjects research, that
project may be said to be unethical. There are two levels of
ethical breaches that mar the Carnegie Mellon study and taint the
participants as unethical researchers.

First is the level of INTELLECTUAL INTEGRITY. As has been documented
elsewhere (eg, Hoffman and Novak, Thomas, Godwin, Reid, et. al., all
available at http://www2000.ogsm.vanderbilt.edu), the Carnegie
Mellon study reflects intellectual deception in how the data are
analyzed (reckless conflating of conceptual categories that inflate
findings to support the study's premise), how the study is presented
(the study claims to be about nearly one million images, short
stories, animations, and descriptions, when in fact it excludes
animations and analyzes instead text descriptions, and far less than
the one million claimed), and how generalized claims are made
without supporting data. If CMU wishes to identify with such
research, that is its business, and its reputation will rise or fall
according to the critiques given by independent scholars. Such
breaches can normally be corrected through revision following peer
review, through subsequent reinterpretation of data, or--in extreme
cases when the first two corrections fail--by disavowing the study.
Had the GLJ article gone through a normal peer review prior to
publication, or had the study been made available to objective
readers than kept "secret" prior to publication, it is likely that
many of the intelletual errors could have been prevented.

Of more serious concern, and one that affects all empirical social
scientists, is the violation of fundamental professional ethics in
HUMAN SUBJECTS research. This concern is global for several
reasons. First, when unethical research is published in a reputable
journal under the name of one of the nation's most prestigious
institutions, it jeopardizes the reputation and credibility of all
social science. After all, if a prestigious university does research
like this, what must other institutions be doing? Second, ethical
lapses in research have the potential for increasing monitoring by
external overseers and for making it more difficult for scholars to
engage in inquiry into sensitive areas because of restrictions on
what is or is not permissible in research. Third, such research
makes it more difficult for other scholars to acquire information
because of the potential suspicion that researchers may use
deception as a routine method. Finally, when students (or even
other scholars) see an unethical study sponsored by a major
university published in a respected journal, it makes it more
difficult for those who teach methods courses or who struggle with
ethical issues to convey the importance of acting responsibly. More
simply, such research sets a counter example for how researchers
ought treat their subjects.

THE ETHICAL VIOLATIONS OF THE CMU STUDY

The Carnegie Mellon study centered on three main data gathering
techniques. The primary data were gathered by initial modem or
voice contact with "approximately 1,000" BBS systems to collect an
initial pool (GLJ, p. 1877). From these, 91 were ultimately chosen
(although for some unstated reason, apparently only 35 were used in
the final analysis (GLJ, p. 1889). The goal of the CMU research
team, according to the methodological discussion in the GLJ text,
was to download the descriptions of "pornographic files" for
analysis by linguistic parsing software designed for the study. The
BBSes were not public, and the methodological discussion indicates
that at least half of the BBSes required proof of age, among other
information (GLJ, p. 1878). In other words, the BBSes were not
accessible to the general public, thus removing any compliance
exemption that a project might receive for conducting research in
public settings. A secondary research goal included obtaining
information directly from sysops about files, users, and other
information.

Supplemental data came from a public document listing the 40 most
popular Usenet groups, and from usage statistics from a university
computer site that allowed tracking of "the number of individual
users at the university who accessed pornographic and/or
non-pornographic Usenet newsgroups one a month or more (pp.
1865-66).

Drawing from the criteria listed above in part I, it is indisputable
that the Carnegie Mellon study was intended as research, and it is
equally indisputable that it involved gathering information from
human subjects. It is also indisputable that the research involved
direct interaction between at least some BBS sysops, and that the
data collection included gathering information from non-public
sources for which there is no evidence that permission was acquired
to make it public. Hence, the Carnegie Mellon study is subject to
the professional conventions and norms of human subjects research
regardless of whether CMU is required by law to follow the
guidelines.

There are several areas of ethical concern in the Carnegie Mellon
study. Some are relatively minor and simply raise questions. Others
appear quite serious.

1. The CMU research team gathered data on the Usenet reading habits
of 4,227 users on a university computer system (GLJ, p. 1865-66;
1870-71). It is not clear precisely how these figures were
gathered, because the methodological discussion leaves room for
considerable ambiguity. Only one cryptic footnote provides clues,
which itself raises questions about how the CMU administration
protects privacy of computer users:

The research team consulted with several privacy experts
and opted not to report detailed demographics of the university
population of computer pornography consumers. These
demographics included age, sex, nationality, marital status,
position (faculty, staff, student), and department. Although
the research team obtained such demographics by means available
to any authorized user of the campus network, reporting them
would raise complex ethical and privacy issues. The data would
have to be disguised in a manner that could not be
reconstructed to identify individual users (p 1869, n40).

The text suggests that the the CMU team had licit access to
individual rather than aggregate data, and that these data--along
with other personal user data--were publicly available. While it is
possible that such data may be "world-readable" in configuration
files or through licit means, there is room for considerable debate
over whether it is ethical for researchers themselves to access such
data. The text's implication, however, is that a computer
administrator responsible for monitoring site statistics acquired
the data (GLJ, p. 1865, n. 30), and in responding to two of his
critics, the CMU principal investigator acknowledges that the Usenet
data were collected by "network engineers"
(http://trfn.pgh.pa.us/guest/mrstudy.html - "Rimm response to
Hoffman/Novak").

If an individual researcher snoops through personal files, even
if--like an open window from a public street--they are visible, the
ethical acceptability of peeping cyber-Toms is not clear cut. Such
an act ought not be accepted as a licit part of a research method
without careful consideration and justification. If, however,
network engineers collected the Usenet data on individual users,
then it raises the question of the propriety of a second party
collecting and distributing information to a third party for public
consumption about the aggregate viewing habits of individual users.
It also suggests that the users' reading habits were not public, and
scrutiny of their files required systematic surveillance that, while
even if defensible for system maintenance, seems not as defensible
when such data are passed to a third party who ordinarily might not
be authorized to receive it.

Whether this is an ethical breach or not can only be determined by
examining the nature of the statistics provided to the researchers
and reviewing site user policies to determine the level of the
expectation of privacy. Perhaps no ethical violations occurred, but
the data gathering technique does raise questions not answered by
the Carnegie Mellon study.

2. Another seemingly minor peccadillo derived from the site data
gathering is the implication that those site users who protected
their privacy by blocking monitoring by site statisticians might be
pedophiles:

First, 11% of the computer users in this study block the site
Second, some users have multiple accounts and avoid detection
by using a second account to access the Usenet.
While there is no evidence to suggest that Usenet and
Internet users who block the monitoring of their accounts
access pornography more frequently than those who do not, one
also cannot assume that a notable difference does not exist.
This is especially true in the context of pedophilia and child
pornography consumption. Preferential molesters (i.e.,
pedophiles with a true sexual attraction to children)
frequently employ inventive mechanisms to evade discovery, as
discovery will likely lead to incarceration (GLJ, p. 1865,
n30).

The defamatory implication of such wording aside, the inexplicable
association of persons on whom data is unavailable with pedophilia
and worse violates the principles both of "respect for persons" and
"justice." In the guise of "objective research," a category of users
is defined as possible felons simply because, perhaps wisely, they
chose to protect their privacy. That Carnegie Mellon's study would
resort to such a rhetorical ploy that explicitly violates two
principles of the Belmont Report would likely be criticized by the
ethics committees of any national social science society.

3. More serious than the preceding concerns is the explicit
prescription that researchers minimize risk to subjects by using
caution and discretion in revealing data. The Carnegie Mellon study
does not appear to have exercised acceptable caution. Conventional
canons of research ethics proscribe revealing potentially harmful
data. That a researcher is able to acquire private and potentially
sensitive data does not confer a right to publish that data. Rather,
it confers upon researchers an obligation to exercise special
caution when information is obtained from informants who do not know
they are the subjects of a study and are enticed to provide
information about third parties who are unaware that information
about them is being gathered, studied, and eventually made public.
Here are a few examples where Carnegie Mellon behaved in a way that
departs from established ethical guidelines:

a) "Respect for persons" extends beyond protecting an
individual. It also requires consideration for group privacy. If
the data on the "porn-reading" habits of users on the study site's
system were gathered when the readers had an expectation of privacy,
the data ought not be compiled, let alone be made public. In the
context of the article, "porn" is stigmatized, and making
assumptions about, as well as revealing, a groups' reading habits in
a way that stigmatizes without evidence violates the "respect for
persons" tenet.

b) Also of concern is the Carnegie Mellon study's commentary of
Robert Thomas and his Amateur Action (AA) BBS. AA BBS is a private
system in California that requires registration and a fee before
access is given. Consequently, the information is not public, and
information is not intended for public consumption. Although some
of the information in the CMU discussion is cited as derived from
court records, much appears to have come directly from the BBS
itself. As will be shown below, there is the strong probability
that the CMU research team did not reveal their research identity to
Thomas or other sysops. Thus, it would appear that they collected
data deceptively. It is curious that of all the BBSes studied, only
Thomas is identified by name and enterprise. He is also stigmatized
in the discussion in a separate subjection titled "The Marquis de
Cyberspace" (GLJ, p. 1912).

It is unlikely that Thomas (or any other subject) would approve of
such public stigmatizing and revelation of private data of the
enterprise and user habits. The information revealed includes not
only file lists and file descriptions, but also (and especially
disturbing) publication of presumably private information that the
AA BBS subscriber list includes subscribers from two cities in which
Thomas faced legal problems. One might argue that because Thomas is
currently incarcerated on charges related to distribution of
pornography, the researcher would therefore be released from the
ethical obligations to protect the privacy and safety of informants.
However, as both the Belmont Report and Federal Policies indicate,
precisely because Thomas is unable to provide full consent increases
the ethical obligation to protect him. Recall the wording of the
Belmont Report:

Respect for persons incorporates at least two ethical
convictions: first, that individuals should be treated as
autonomous agents, and second, that persons with diminished
autonomy are entitled to protection (BR: 4).

Because of Thomas's legal vulnerability, it is especially important
that a researcher not disclose information about a subject,
regardless of whether consent was given. Both the nature of the
information about Thomas and AA BBS and the tone of the discourse in
which it is delivered (p 1912-13) constitute an explicit violation
of established ethical conventions intended to assure the respect,
well-being, and autonomy of human subjects. The disclosure is of
special concern because AA BBS remains in existence as a viable
enterprise.

c) The Carnegie Mellon study identifies several defunct BBSes by
name (GLJ, p. 1909). Assuming that the sysops of these BBSes were
unaware that they were being monitored and their logs captured by
researchers who would make their name public, revealing the names of
the BBSes publicly in a stigmatizing context constitutes a violation
of privacy restrictions. That the BBSes are defunct is irrelevant.

d) The most serious violation in this category, one that
constitutes an explicit breach of the principles to minimize risk to
subjects, is Appendix D of the Carnegie Mellon study, in which the
cities from which BBS users called are listed. Given the
stigmatizing language and context of the article, such revelation
reflects failure to comply not only with privacy norms of sysops,
but it also puts at potential risk third parties (users) who would
be unaware of data collection and subsequent publication. The CMU
article acknowledges that in some countries, the penalty for
possession of pornography is death. Yet, these countries are
included in Appendix D. Small U.S. communities with a population of
only a few thousand or less are also included. What is the risk of
such a list to third-parties who are unaware of covert surveillance
of their activities? How might prosecutors, politicians, or parents
in a small town react if they suspected a "porn consumer" lurked in
the community? Perhaps serious, perhaps not. But, given the manner
in which the data are presented as "paraphilia," "pedophilia," or
worse, the consequences of discovery or suspicion would be of no
small consequence to users in the current climate of "anti-porn"
concern. Even if risks to users were negligible, it is simply not
the right of Carnegie Mellon University to make the decision to put
others at even minimal risk. Further, nothing is served by Appendix
D that couldn't have been equally--indeed, better--served with a
simple table summarizing, rather than detailing, the data. Appendix
D reflects an exceptionally egregious violation.

4. The most serious and explicit ethical violation is the deceptive
nature in which Carnegie Mellon collected the data. Virtually every
principle of informed consent was breached, because there is
sufficient evidence to conclude that the research team gathered data
deceptively, perhaps even fraudulently.

The Carnegie Mellon study's research team indicated that it
initially contacted over 1,000 BBSes by modem or voice to create a
final population of (apparently) 91 BBSes (GLJ, p. 1853).

Then the team either subscribed to, or logged on as a new user
or guest, to a number of representative pornographic BBS (sic)
and collected descriptive lists of the files offered by each
(GLJ, p. 1876).

The Carnegie Mellon study indicates (p 1879, 1880) that:

Many BBS (sic) either hide this information from their
customers or do not provide it because of space or software
limitations (pp. 1879-80).

..........

In these instances, MEMBERS OF THE RESEARCH TEAM EITHER
SCREEN CAPTURED THE "ALLFILES" LIST IN DOUBLE LINE FORMAT, OR
PERSUADED THE SYSOP TO PROVIDE THE LIST PRIVATELY (GLJ, p.
1880, emphasis added).

The CMU research team also indicates that they conducted "chats"
(private computer interaction) with the sysops to obtain information
(1875). Not only is there no indication that the sysops knew they
were being studied covertly, but there is every indication that they
did not:

MEMBERS OF THE RESEARCH TEAM DID NOT, AS A RULE, IDENTIFY
THEMSELVES AS RESEARCHERS (GLJ, p. 1878, emphasis added).

Recall the words from the Belmont Report:

In most cases of research involving human subjects, respect for
persons demands that subjects enter into the research
voluntarily and with adequate information (BR: 4).

If subjects do not know they are being researched, it's not
immediately obvious how they can enter into a project voluntarily
with adequate information. And, again from the Belmont Report:

Persons are treated in an ethical manner not only by respecting
their decisions and by protecting them from harm, but also by
making efforts to secure their well-being (BR, p. 4).

There are numerous ways to secure the well-being of subjects in a
research project in which there is the risk of revealing potentially
damaging or embarrassing information. In a climate of public and
legislative fears of "pornography" and in the midst of the proposed
Exon legislation/Computer Decency Act to restrict "indecent"
material on the Information Highway, dramatizing "pornography"
through misleading data and rhetoric isn't one of them. Nor is
increasing the visibility of the discredited findings of such a
study by shopping them around to major media sources one of them. As
Brock Meeks reported, the Carnegie Mellon study seemed more an
exercise in media promotion than in intellectual inquiry (CyberWire
Dispatch, July 4, 1995). Not only did the Carnegie Mellon team make
no apparent effort to protect the well-being of their subjects, but
by deceptive data collection and high-profile revelation, they seem
to have done the opposite.

It is absolutely and unequivocally clear that Carnegie Mellon
University engaged in deception to gather the data in a way that
violated informed consent, privacy, and other explicit conventions
followed by social scientists and mandated by federal principles and
guidelines. If the remarks of the principle investigator were
reported accurately (CyberWire Dispatch, July 4, 1995), it is
possible that Carnegie Mellon University might even have gathered
data fraudulently:

Dispatch asked Rimm: "Did your team go uncover, as it were,
when getting permission from these [BBS operators] to use their
information?" He replied only: "Discrete, ain't we?"

When asked how he was able to obtain detailed customer profiles
from usually skeptical operators of adult BBSs he says: "If
you were a pornographer, and you don't have fancy computers or
Ph.D. statisticians to assist you, wouldn't you be just a wee
bit curious to see how you could adjust your inventories to
better serve your clientele? Wouldn't you want to know that
maybe you should decrease the number of oral sex images and
increase the number of bondage images? Wouldn't you want
someone to analyze your logfiles to better serve the tastes of
each of your customers? (Cyberwire Dispatch July 4, 1995).

SUMMARY

The broad principles and explicit guidelines that alert human
subjects researchers to potential ethical problems are intended to
1) protect subjects from risk, 2) minimize potential harm resulting
from exposure to research methods or results, 3) assure the subjects
are fully informed that research is occurring, 4) assure that data
is collected in a manner consistent with privacy tenets, and 5)
assure that deception or fraud in research do not occur. The
Carnegie Mellon study demonstrably violated each of these tenets.

Some might argue that the principle investigator bears the
responsibility for the ethical lapses. Perhaps. But, as the NIU
guidelines--which are standard among research
universities--indicate, the faculty advisor and oversight committees
within an institution's administration are ultimately responsible.
It is the principle faculty advisor who bears the immediate
responsibility for socializing and mentoring the student into the
world of empirical research, and this socialization includes
imparting ethical precepts.

Because the research was funded with four Carnegie Mellon Small
Undergraduate Research Grants (SURG) (GLJ, p. 1849), those who
reviewed grant proposals are also responsible for the ethical
failures of the study. If the CMU human subjects review board read
the proposals and did not respond negatively to the deceptive
methodology (which would presumably be specified in the proposals),
they, too must accept responsibility for the deception. If, as the
principal investigator's comments suggest, subjects were defrauded
into participating by being deceived into believing that they were
receiving marketing consultation rather than being the subjects of a
covert study that would put them and their users at potential risk,
then perhaps the human subjects' review committee should re-read
Federal and other documents or, better, take a refresher course in
basic ethics.

In the end, however, Carnegie Mellon University must accept the
ultimate responsibility for their unethical behavior. This is,
after all, the CARNEGIE MELLON study: It has been so-labeled in the
GLJ article; It is so-labeled by the media; It is so-labeled by
Congressional observers; It is so-labeled by the commentators of the
study in the GLJ review who respond to the study; and, above all, it
is so-labeled by Carnegie Mellon University itself. When asked
point-blank if this is a Carnegie Mellon study conducted under the
auspices of Carnegie Mellon, and a study to which Carnegie Mellon
gives its name, a spokesperson in the public relations office said,
"Yes." She then indicated as evidence the list of nearly two dozen
CMU and other personnel, including professors, deans, and
administrators, who participated[1].

There seems to be a rather long list of people on the Carnegie
Mellon research team who might have benefited from familiarization
with social science ethics. On the other hand, if Carnegie Mellon
condones such ethical lapses, then the debates following Laud
Humphries' research were over nothing. But, I doubt if any serious
social scientists would accept that.

-------------------------------------------------------------------

[1] The Following are listed in the GLJ article footnotes as members
of the research team, as contributors, or acknowledged for other
assistance. To date, three of those listed (Lisa Siegel,
Adam Epstein, and Daniel Weitzner, have disavowed the study).

Researcher and Principal Investigator, College of Engineering,
Carnegie Mellon University. This interdisciplinary project was made
possible by four grants from Carnegie Mellon University. The author
[hereinafter "principal investigator" wishes to thank members of the
research team for their encouragement, patience, and support.
Principal faculty advisor: Dr. Marvin Sirbu, Department of Engineering
and Public Policy. Faculty advisors: Dr. David Banks, Department of
Statistics; Dr. Timothy McGuire, Dean, Charles H. Lundquist School of
Business, University of Oregon; Dr. Nancy Melone, Associate Professor
of Management, Charles H. Lundquist School of Business, University of
Oregon; Carolyn Speranza, Artist/Lecturer, Department of Art; Dr.
Edward Zuckerman, Department of Psychology. Senior Programmer: Hal
Wine. Programmers: Adam Epstein, Ted Irani. Research Assistants:
Patrick Abouyon, Paul Bordallo, G. Alexander Flett, Christopher Reeve,
Melissa Rosenstock. Administrative Assistant: Timothy J. Burritt.
Administrative Support: Dr. Chris Hendrickson, Associate Dean,
Carnegie Institute of Technology; Robert P. Kail, Associate Dean,
Carnegie Institute of Technology; Barbara Lazarus, Ph.D., Associate
Provost for Academic Projects; Jessie Ramey, Director, SURG.
Contributors: Lisa Sigel, C.J. Taylor, Erikas Napjas, John Gardner
Myers. Special thanks to Ron Rohrer, Wilkoff University Professor,
Department of Electrical and Computer Engineering; and Daniel
Weitzner, Deputy Director, Center for Democracy and Technology, for
review of the legal notes.

--------------------

Jim Thomas is a professor of sociology/criminal justice at
Northern Illinois University. He is also co-editor of Cu Digest.
Homepage: http://www.soci.niu.edu/~jthomas
E-mail: [email protected]

------------------------------

Date: Sun, 19 Apr 1995 22:51:01 CDT
From: CuD Moderators <[email protected]>
Subject: File 2--Cu Digest Header Info (unchanged since 19 Apr, 1995)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message: SUB CUDIGEST your name
Send it to [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message: UNSUB CUDIGEST
Send it to [email protected]
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
Brussels: STRATOMIC BBS +32-2-5383119 2:291/[email protected]
In ITALY: Bits against the Empire BBS: +39-464-435189
In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: nic.funet.fi in pub/doc/cud/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

JAPAN: ftp://www.rcac.tdi.co.jp/pub/mirror/CuD

The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
URL: http://www.soci.niu.edu:80/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.

------------------------------

End of Computer Underground Digest #7.58
************************************