This came up in a Facebook comment thread, and it'd be helpful to get wider input:
Malicious hackers have released data from around 32 million users of the Ashley Madison site (a dating site for married people). This includes names, addresses, profile information, and purchase from Ashley Madison. Getting reliable info on adultery is notoriously difficult, so researchers may want to analyze the data and publish findings on causes/correlates of adultery. But would using the data for research without consent be (A) Legal, (B) institutionally permissible (i.e., would IRB/RECs approve), and/or (C) morally permissible?
The big wrinkle for A and B (which may vary by country/ institution) is that the data is publicly available, thereby appearing to be exempt from many research regulations, including consent. But the law and morality often come apart. FWIW, journalists seem to have no qualms in publishing quick-and-dirty analyses of the data - but journalists are hardly the arbiters of morality.
If there's an existing lit on this (use of stolen publicly available data in research) links would be useful. If not, we research ethicists should get cracking!
http://www.wired.com/2015/07/hack-brief-attackers-spill-user-data-cheating-site-ashley-madison/
http://www.theverge.com/2015/8/19/9178855/ashley-madison-data-breach-implications
Thank you for raising this important question. The work of Stine Lomborg, using data from personal blogs and Twitter, is relevant here. She is a Danish researcher, and under Danish law (at least at the time of her research which was published in 2012) that kind of data was regarded as freely available for use. However, in Lomborg's view, as people's own blogs and tweets contain a lot of personal and identifiable information, the generators of those texts might see them as comparatively private. It is very unlikely that the writers of personal blogs and tweets would have intended them for use in research, or even considered that they might be used in that way. So Lomborg decided that she needed to seek informed consent from her potential participants.
I think she was absolutely right to do so, though I know some argue in the opposing direction (always one of the joys of ethics!). But in the research literature that I have read on using online data, most people are coming down in favour of seeking consent. Last year's now notorious Facebook case seemed to strengthen this position (Kramer et al 2014). I think that too has parallels with the Ashley Madison case, though the Facebook researchers manipulated people's data and then used it without consent. When this came to light, most users were clearly unhappy with what had been done.
I can't imagine the users of Ashley Madison are happy to have their data in the public domain. And I can't see any way in which it could be ethical for researchers to increase their unhappiness by using that data in research without their consent. Of course it would be possible to argue that it wouldn't make them more unhappy, identities could be protected, data aggregated, society would benefit, etc etc. But I don't think society would benefit - though of course some researchers' careers might.
In many countries, it is a legal offence to receive stolen goods. I understand what you say about the law and morality not always going hand-in-hand - but sometimes they do. Perhaps the key question here is whether or not they do in this respect. I am inclined to think that they do. For these reasons, I would not choose to work with stolen data, however fascinating it might be. I realise others may think differently, and will be interested to see how this debate develops.
Thank you for raising this important question. The work of Stine Lomborg, using data from personal blogs and Twitter, is relevant here. She is a Danish researcher, and under Danish law (at least at the time of her research which was published in 2012) that kind of data was regarded as freely available for use. However, in Lomborg's view, as people's own blogs and tweets contain a lot of personal and identifiable information, the generators of those texts might see them as comparatively private. It is very unlikely that the writers of personal blogs and tweets would have intended them for use in research, or even considered that they might be used in that way. So Lomborg decided that she needed to seek informed consent from her potential participants.
I think she was absolutely right to do so, though I know some argue in the opposing direction (always one of the joys of ethics!). But in the research literature that I have read on using online data, most people are coming down in favour of seeking consent. Last year's now notorious Facebook case seemed to strengthen this position (Kramer et al 2014). I think that too has parallels with the Ashley Madison case, though the Facebook researchers manipulated people's data and then used it without consent. When this came to light, most users were clearly unhappy with what had been done.
I can't imagine the users of Ashley Madison are happy to have their data in the public domain. And I can't see any way in which it could be ethical for researchers to increase their unhappiness by using that data in research without their consent. Of course it would be possible to argue that it wouldn't make them more unhappy, identities could be protected, data aggregated, society would benefit, etc etc. But I don't think society would benefit - though of course some researchers' careers might.
In many countries, it is a legal offence to receive stolen goods. I understand what you say about the law and morality not always going hand-in-hand - but sometimes they do. Perhaps the key question here is whether or not they do in this respect. I am inclined to think that they do. For these reasons, I would not choose to work with stolen data, however fascinating it might be. I realise others may think differently, and will be interested to see how this debate develops.
It's a very interesting question. I can that see some would make the case that this information is 'in the public domain' and therefore can be used in research - with the usual safeguards about anonymity and soon.
However, if this came before any University or Professional Ethics committee that I've been on, I would agree with Helen. These people have most certainly *not consented* to let you use their data. Without that consent, most universities (I expect) would forbid you to use it. There's space for debate about this - researchers at my institution have used things like email traffic patterns or eye movement data in public spaces without getting formal consent from those providing the data. I'm uneasy about it in general but it would have to be considered on a case-by-case basis.
There's an added element to to this particular case in that the data was obtained by a criminal act. By using it as a researcher you might be giving tacit approval to such acts. I would oppose using it on this ground alone unless you could show a really important benefit to humanity that might stem from the research. I don't think you can offer the chance of a cure for cancer from looking at this data, so disapproval of theft is more important than scientific curiosity.
I come down on the side of the necessity for obtaining consent. I will use an analogy from law - this data is clearly fruit from the poison tree. The Ashley Madison consumers did not consent to the publication of their data. A criminal act by a third party can hardly be the mechanism to overcome that lack of consent.
The informed consent is required for human subjects research by informing, at least, participants their rights, the purpose of the study, and potential risks and benefits of participation. In the case of obtaining and using hacked data is certainly inappropriate and violates the research fundamental ethical principle.
For a researcher who condones criminal acts like hacking, and wanting to make quick gains, such information can be used. But on ethical grounds, there is no consent and I do not see value added to the research. One may succeed using it now if they mange to convince IRB that it was in the public space; however in future the work can be challenged especially if resulted into publications and perhaps disqualified on moral grounds.
In Sweden such research would be illegal if it had not first been approved by an ethical review board. And it would most likely not be approved.
It’s not a question of consent. Provided that hacking is morally wrong (at least in this case) the use of the data in research can be seen as a moral approval of the hack, thereby encouraging further attacks on private data. Beyond that, seen in a consequentialist perspective, it surely wouldn’t increase happiness and safety in society. A deontologist will probably come to a similar conclusion.
Aside from what others have said which I agree with, I think Marco adds an important dimension. Hacking is all too common and violates privacy. I don't know why it would seem proper to do research on information that was made public without informed consent and ethics approval. It is wrong and the wrong is independent of the purpose of the website. If this was seen as morally acceptable, it could also lead to a slippery slope where all sorts of sensitive chat lines and support groups were fair game for hacking and exposure.
This is a great question. I agree with others that it cannot be ethical to use data that was obtained in an unethical way and you'd need consent from participants (which would be very difficult to get, I suspect).
- Badges
- Science topic
- Similar topics
- Philosophy
- Ethics