Some might say that this call for IRB involvement in computer security research is part of IRB Mission Creep. But the Common Rule, as written, clearly applies to much work in the field of usability, psychology and security.

The problem here is that the Common Rule was written to cover biomedical and psychological research. It is clear that its authors never imagined a day when not just researchers, but most members of our society, would have desktop computers containing personal information created by thousands of individuals with whom we have no direct relationship.

The penalties for performing research without approval include forced termination of the research and loss of funding: we ignore the rules at our own peril. But in the long term, society would be better served by broader exemptions that researchers could apply automatically without going to an IRB.

Revisions to the Common Rule should also address a particularly wasteful practice: the intentional destruction of data that was collected without IRB approval. This practice certainly seems to violate the Belmont Report's "respect for persons" principle.

The Common Rule was created because of abuses in medical and psychological research, but the Rule was very broadly written. If it cannot be revised or reinterpreted, the impact on computer security research may be severe.

Simson L. Garfinkel 2008-03-21