As more security researchers turn their attention to usability and other human factors issues, many are surprised to discover that they must comply with regulations governing the use of human beings as experimental subjects.
These regulations, known collectively as ``The Common Rule,'' were created after a series of well-publicized abuses in the 1960s and 1970s. They require those working with US Government funds to obtain approval from their organization's designated Institutional Review Board (IRB) before most research involving human subjects can begin.
There seems to be a general understanding among researchers that hands-on laboratory usability experiments are covered by the IRB rules. But many other, less invasive kinds of research may still require IRB notification and approval. Furthermore, it appears that many researchers either do not understand their legal obligations or have simply chosen to ignore them.
While this paper concerns itself solely with US law, there are ``approximately 900 laws, regulations, and guidelines that govern human subjects in 84 countries, as well as from a number of international and regulation organizations'' [ichrp]. A list can be found in the reference.