
Analyzing the Scenarios

Scenarios 1, 2, 3, and 4 clearly require IRB approval under the Common Rule:

1. Alice needs IRB approval because she is recruiting, interacting with, and collecting information from her subjects. Furthermore, her users reveal their IP address when the toolbar reports its statistics; although IP addresses do not necessarily reveal personal information, they frequently do--especially in a university environment where an address may be assigned to a specific person.

2. Even though Bob is not collecting IP addresses, he still needs IRB approval because the information in the webserver logs was generated by human subjects and is not publicly available.

3. Likewise, Christine requires IRB approval because the data is generated by human beings and is not publicly available. Christine could avoid IRB involvement if the security website published the search terms on a public web page rather than encrypting them and sending them to her Gmail account. (Although it seems that this creative way to bypass the Common Rule has exactly the opposite of the desired effect, presumably the website would do its own privacy audit before releasing such information.)

4. Don has thousands of legitimate and spam messages, but the Common Rule prohibits him from analyzing incoming email without IRB approval.

The other scenarios are more troublesome:

5. Elaine might not require IRB approval for her survey because she is not observing people: She is observing wireless access points. But these devices were configured (or not configured) by people. And in some rural areas the GPS coordinates might identify specific individuals.

6. Guy's research with Word documents literally involves "existing ... documents" that are "publicly available," so it should be exempt under the Common Rule. But the documents might have been inadvertently placed on the Internet and contain private information.

7. Felicity's research, like Guy's, probably does not fall under the Common Rule if she only collects documents (e.g., the photographs) that are publicly available. But what if the images were available to a large community but not the general public?

Simson L. Garfinkel 2008-03-21