Although researchers might be frustrated by the conclusions of this analysis, it is important to realize that the Common Rule is doing precisely what Congress intended when it passed the National Research Act: Congress wanted to put a stop to scientists saying ``trust me.'' For decades, scientists had argued that good scientific practice and ordinary research ethics would protect the interests of their subjects. Experience proved otherwise.
With the National Research Act, Congress concluded that some scientists were not worthy of trust when it came to evaluating the impact of their own experiments on experimental subjects. And with good reason: some research involving human beings frequently requires deception, stress, or bodily risk. The Act recognizes that it is sometimes unreasonable to ask a scientist to be both an advocate for their research and their research subjects wellbeing.
For example, Alice could data mine her logfiles, seek out the personally identifiable IP addresses, perform Google searches to correlate IP addresses with email addresses, and then create a web page that identifies people who have ``good'' security practices (because they run her program) and ``bad'' practices (because they uninstalled her program.) Perhaps she might even send phishing attacks to the subjects to see how they respond. The IRB structure provides a place for someone who has had training to review her research protocol.
There are many ways to ``anonymize'' log files: sometimes the anonymization is incomplete and personally identifiable information can be recovered. One reason to require IRB review of research involving ``anonymized'' logs is so that a neutral third-party can review protocol. Otherwise, we are just trusting the good judgement of the researcher--a person who has an inherent conflict-of-interest.
The analysis in Don's case seems silly: after all, Don already has the email messages, and they were voluntarily sent to him by his friends and colleagues. But those people didn't send Don the email for the purpose of being involved in an experiment. Part of the IRB process is to protect human beings who are involved in research without their knowledge or consent.
Since each of the scenarios above involve no more than minimal risk, we believe that an IRB would properly approve each protocol under the Common Rule's ``expedited review procedures''(§46.110). At many organizations the expedited review involves a form that is submitted by email and is administratively approved within days by either the IRB chair or a staff member. Although it appears to be a formality, expedited review has an important role: it forces the experimenter to create a written description of the research protocol. The mere act of writing down the protocol and discussing it with the IRB may help the experimenter to realize ways to further minimize the impact of the experiment on the human participants.