CRCS/Berkman Lunch Seminar
Date: Monday, October 15, 2012
Time: 12:00pm – 1:00pm
Place: Maxwell Dworkin 119
Abstract: The study of human behavior as it relates to security has
raised numerous ethical dilemmas. Should researchers be allowed to
analyze databases of stolen passwords made public through others’
criminal acts? Should researchers who identify compromised computers by
spammers allow these computers to remain compromised in order to
monitor how often people buy products from spammers? Should researchers
deceive participants and expose them to ruses indistinguishable from
criminal attacks in order to determine how effective these attacks might
be?
Researchers in all of the social sciences are moving into new ethical
territory by running an increasing proportion of their studies using
online crowdsourcing systems, such as Amazon’s Mechanical Turk. These
studies use a model of consent and disclosure envisioned at a time when
researchers had personal interactions with participants. These personal
interactions not only offered participants the chance to ask researchers to
clarify the terms of a consent form or the use of deception, but they
also allowed researchers to develop empathy for their participants and
detect if a study might be causing more harm than anticipated. With the
introduction of online crowdsourcing, researchers may be out for a game
of golf when their automated web forms obtain participants’ consent and
disclose the use of deception.
I will present a series of experiments, in various stages of progress,
to bring much-needed data to ongoing debates about research ethics. We
augment existing deception experiments so that, shortly after
participants learn that we have deceived them, we can ask whether these
participants feel the experiment should have been allowed to proceed.
In a second experiment, we survey prospective study participants to ask
if they believe different types of studies, which we describe in more
abstract terms, should or should not be allowed to proceed. In a third
experiment, victims of password data breaches are asked in what
situations it is appropriate for researchers or others to use their
password if it has already been made public by the attacker.
Our preliminary results show a remarkable difference between how
participants feel about deception when it is presented in the abstract, and
how actual study participants feel after learning they have been
deceived. The results of our experiments also raise a new ethical
dilemma for us, as ethics researchers.
Bio: Stuart Schechter is a man of few accomplishments and so, the
reluctant reader should be pleased to learn, his biography is
correspondingly short. Stuart researches computer security, human
behavior, and occasionally missteps in such distant topics as computer
architecture and, now, research ethics. Those who have worked with
Stuart rave about his “tireless efforts and disturbingly obsessive
dedication… to brainstorming paper titles” and his knack for “carefully
vetting ideas to expose every shortcoming… especially those ideas he
cannot take credit for.” Institutions that may or may not be
re-evaluating their admissions or hiring policies as a result of past
associations with Stuart include The Ohio State University College of
Engineering (B.S.), Harvard’s School of Engineering and Applied Sciences
(Ph.D.), MIT Lincoln Laboratory (his happily-former employer),
Microsoft Research (his less-fortunate current employer), and KAIST (to
use a Facebookism, “It’s complicated”).
Last updated October 09, 2012