Research, the Cloud, and the IRB:

abnormalobeisanceSecurity

Nov 3, 2013 (3 years and 10 months ago)

111 views

Research, the Cloud, and the IRB:

NEW OPPORTUNITIES :: NEW CHALLENGES

Michael Zimmer, PhD

Assistant Professor, School of Information Studies

Director, Center for Information Policy Research

University of Wisconsin
-
Milwaukee

zimmerm@uwm.edu

www.michaelzimmer.org


A
nyone
who has studied the history of
technology knows that technological change is
always a Faustian
bargain


Technology
giveth

and technology
taketh

away,
and not always in equal measure
.



A new technology sometimes creates more than
it destroys. Sometimes, it destroys more than it
creates. But it is never one
-
sided
.


Neil
Postman

10/12/2012

Virginia IRB Consortium Conference

2

Agenda


What is Cloud Computing?


Opportunities for Use in Research


Ethical Dimensions


Subject confidentiality & anonymity


Data privacy & security


Data ownership & stewardship


Research integrity

& authorship


Conceptual Gaps & Policy Vacuums


What can Researchers and IRBs do?

10/12/2012

Virginia IRB Consortium Conference

3

What is Cloud Computing?

KEXINO (CC BY
-
NC
-
ND 2.0) http
://
www.flickr.com
/photos/
kexino
/4202662815/

10/12/2012

Virginia IRB Consortium Conference

4

What is Cloud Computing?


On
-
demand, network
-
based access to computing
recourses


Features


Location independent; supports increased mobility


Flexible, scalable, robust


On
-
demand performance; big data processing


Little (if any) local support or maintenance

10/12/2012

Virginia IRB Consortium Conference

5

What is Cloud Computing?


Milestones


1999


Salesforce.com

delivers enterprise services via the
web


2002


Amazon Web Services (storage, computation, human
intelligence via the cloud)


2004


Gmail reboots web
-
based email, follows with Google
Docs


2006


Amazon’s Elastic Compute Cloud (EC2)


2007


IBM shifts focus to the cloud


Popularity


As early as 2008
, 69 percent of Americans were using
webmail services, storing data online, or otherwise using
software
programs

located
on the
web


By 2011, 80% of Fortune 500 companies use IBM cloud

10/12/2012

Virginia IRB Consortium Conference

6

3 Layers of Cloud Computing

http://
en.wikipedia.org
/wiki/
File:Cloud_computing.svg

(
CC BY
-
SA 3.0
)

10/12/2012

Virginia IRB Consortium Conference

7

Application Layer


“Software as a service”


Providing productivity applications via the Web;
no local software needed

10/12/2012

Virginia IRB Consortium Conference

8

Platform Layer


“Platform as a service”


Providing application development platforms and
operating systems via the Web


Can deploy applications without needing your
own infrastructure or distribution channels

10/12/2012

Virginia IRB Consortium Conference

9

Infrastructure Layer


“Infrastructure as a service”


Provide computing infrastructure on demand


Outsourcing servers,
storage, network
equipment, processing power, data centers

10/12/2012

Virginia IRB Consortium Conference

10

Research Opportunities for Cloud
Computing


Application layer


Most common and easiest application of cloud


Data gathering, storage, collaboration


Platform layer


Hosted apps for recruitment & surveys


Infrastructure layer


Access to increased processing power for large
-
scale
research projects


Some non
-
traditional uses


10/12/2012

Virginia IRB Consortium Conference

11

Research Opportunities:
Applications


Data gathering

using web
-
based survey
applications


SurveyMonkey


Zoomerang


Qualtrics


Typically used
“in the wild”, sometimes
institutionally
-
bound

10/12/2012

Virginia IRB Consortium Conference

12

Research Opportunities:
Applications


Data storage & sharing

using cloud
-
based
applications


Dropbox


Box.net


iCloud


Communication & collaboration

using cloud
-
based applications


Gmail, IM, Skype


Google Docs, Office Live


Wikis

10/12/2012

Virginia IRB Consortium Conference

13

Research Opportunities:
Platforms


With skilled programmers, can build
custom apps
to deploy

via cloud
-
based platforms


Subject recruitment and screening apps on Facebook


Building and deploying test instruments within online
gaming platforms


Monitoring
and activity tracking apps on mobile
device
platforms

10/12/2012

Virginia IRB Consortium Conference

14

Research Opportunities:
Infrastructure


Leverage cloud
-
based computing infrastructures to
handle resource
-
intensive processing tasks


Clinical trial data storage & processing


Sharing extremely large databases


Innovative, non
-
traditional use of cloud
-
based
processing “resources”


____@Home (distributed computing)


Fold.It


Amazon Mechanical Turk


10/12/2012

Virginia IRB Consortium Conference

15

Fold.It



Web
-
based puzzle
video game
to assist with
protein folding research


Leverage millions of gamers to assist in data
processing

10/12/2012

Virginia IRB Consortium Conference

16

Fold.It


10/12/2012

Virginia IRB Consortium Conference

17

http://
fold.it
/

Fold.It



Web
-
based puzzle
video game
to assist with
protein folding research


Leverage millions of gamers to assist in data
processing


P
layers
produced an accurate 3D model
of and
AIDS
-
related enzyme
in just
10 days


Researchers had been trying for
15 years

10/12/2012

Virginia IRB Consortium Conference

18

Amazon Mechanical Turk


Facilitates outsourcing of computational or other
mundane tasks


Requesters post “Human Intelligence Tasks”
offering minimal fees


Workers select tasks to complete for
micropayments

10/12/2012

Virginia IRB Consortium Conference

19

Amazon Mechanical Turk


10/12/2012

Virginia IRB Consortium Conference

20

3 Layers of Cloud Computing

http://
en.wikipedia.org
/wiki/
File:Cloud_computing.svg

(
CC BY
-
SA 3.0
)

10/12/2012

Virginia IRB Consortium Conference

21

Ethical Dimensions


Subject confidentiality & anonymity


Data privacy & security


Data ownership & stewardship


Research integrity

& authorship

10/12/2012

Virginia IRB Consortium Conference

22

Subject Confidentiality & Anonymity


When recruiting subjects or collecting data with
cloud
-
based applications…


Are IP addresses logged in such a way to allow re
-
identification of subjects


Using a Facebook app might provide researchers access
to unnecessary personal information


Are cloud providers tracking data and usage
themselves? Delivering ads? Selling user data?

10/12/2012

Virginia IRB Consortium Conference

23

Data Privacy & Security


Critical concern of any cloud system, takes on even
more importance when dealing with subject data


Are cloud
-
based communication and collaboration systems
using SSL encryption?


Is data stored on cloud
-
servers encrypted?


What is service’s policy regarding 3
rd

party access


Advertisers


Investigative inquiry vs. subpoena vs. warrants?


Electronic Communication Privacy Act (ECPA)

10/12/2012

Virginia IRB Consortium Conference

24

Data Ownership & Stewardship


Who owns, and who controls (meta)data in the
cloud?


Are you granting the cloud provider any license to use your
data or activities (for advertising, data mining,
etc
)?


Can you ensure data remains in the U.S.?


Can data be
destroyed on demand,
including backups?


Can you ensure cloud provider won’t hold your data
“hostage”, or disappear?



10/12/2012

Virginia IRB Consortium Conference

25

Research Integrity & Authorship


Should researchers rely on cloud
-
based data
processing and analysis?


Can you trust (or audit?) external/collaborative processing
platforms


Ethical to use Mechanical Turk, or otherwise outsource
mundane tasks to unknown persons for nominal wages?


Authorship claims?

10/12/2012

Virginia IRB Consortium Conference

26

Conceptual Gaps & Policy Vacuums


Emergence of new technologies often lead to
conceptual gaps in how we think about ethical
problems, and reveal policy vacuums for how we
should best address them



Computer technology transforms “many of our human
activities and social institutions,” and will
“leave us with
policy and conceptual vacuums about how to use
computer technology”


“Often, either no policies for conduct in these
situations exist or
existing policies seem inadequate
.


Jim
Moor, “What is Computer Ethics?”


10/12/2012

Virginia IRB Consortium Conference

27

Conceptual Gaps & Policy Vacuums


The fluidity
and complexity of
cloud
-
based tools
and platforms creates potential
conceptual gaps


Are these ethical dimensions merely the same as before,
or fundamentally different due to the cloud?


Does the nature of anonymity, privacy, consent, even
harm change when dealing with cloud
-
based research?

10/12/2012

Virginia IRB Consortium Conference

28

Conceptual Gap: Privacy


Presumption that because subjects make information
available on a cloud
-
based service, they don’t have an
expectation of privacy


Researchers/IRBs might assume everything is always public, and
was meant to be


Assumes no harm could come to subjects if data is already
“public”


New ethical problems…


Ignores
contextual

nature of sharing


Fails to recognize the strict dichotomy of public/private doesn’t
apply in the 2.0 world


Need to track if
ToS
/architecture have changed, or if users even
understand what is available to researchers

Nissenbaum
,
H
. 2011. “Privacy
in Context: Technology,
Policy, and the Integrity of Social
Life”

Virginia IRB Consortium Conference

29

10/12/2012

Conceptual Gap: Anonymity vs.
Identifiability


Presumption
that stripping names & other obvious
identifiers provides sufficient
anonymity when
sharing data in the cloud


Assumes only PII allows re
-
identification


New ethical problems…


Ignores how
anything

can potentially identifiable
information and become the “missing link” to re
-
identify
an entire dataset


“Anonymous” datasets are not achievable and provides
false sense of protection

Ohm, P. “Broken promises of privacy: Responding to the
surprising failure of
anonymization
.” UCLA Law Review

Virginia IRB Consortium Conference

30

10/12/2012

Conceptual Gap: Consent


Presumption that because something is shared or
available without a password, the subject is
consenting to it being harvested for research


Assumes no harm can come from use of data already
shared with friends or other contextually
-
bound circles


New ethical problems…


Must recognize that a user making something public
online comes with a set of assumptions/expectations
about who can access and how


Must recognize how
research
methods
might allow un
-
anticipated access to “restricted”
data

Virginia IRB Consortium Conference

31

10/12/2012

Conceptual Gap: Harm


Presumption that “harm” means risk of physical or
tangible impact on subject


Researchers often imply “data is already public, so what
harm could possibly happen”


New ethical problems


Must move beyond the concept of harm as requiring a
tangible consequence


Protecting from harm is more than protecting from hackers,
spammers, identity thieves, etc


Consider dignity/autonomy theories of harm


Must a “wrong” occur for there to be damage to the subject?


Do subjects deserve control over the use of their data streams?

Virginia IRB Consortium Conference

32

10/12/2012

Conceptual Gap: Human Subjects


Researchers (esp.
CompSci
) often interact only
with datasets, objects, or avatars, thus feel a
conceptual distance from an actual human


Often don’t consider what they do as “human subject”
research


New ethical problems


Must bridge this (artificial) distance between
researcher and the actual human subject


Also consider other stakeholders within the complex
arrangement of information intermediaries

Carpenter, K &
Dittrich
, D
. “Bridging the Distance: Removing the Technology Buffer and
Seeking Consistent Ethical Analysis in Computer Security
Research”

Virginia IRB Consortium Conference

33

10/12/2012

Conceptual Gaps & Policy Vacuums


The fluidity
and complexity of
cloud
-
based tools and
platforms creates potential
conceptual gaps


Are these ethical dimensions merely the same as before, or
fundamentally different due to the cloud?


Does the nature of anonymity, privacy, consent, even harm
change when dealing with cloud
-
based research?


Leaving researchers & IRBs with considerable policy
vacuums


How should researchers deal with
using the cloud in
their
projects?


How should IRBs review them?


And how can we
ensure good research still gets
done…

10/12/2012

Virginia IRB Consortium Conference

34

What can Researchers & IRBs do?

-

broadly


Get educated, find recourses


Events like today; PRIM&R


Utilize disciplinary resources


For example: “
Ethical decision
-
making and Internet research:
Recommendations from the
AoIR

Ethics Working Committee”


Keep up on research


Utilize experts


Look for guidance


Increased attention hopefully will prompt guidance

from HHS and related regulatory bodies

10/12/2012

Virginia IRB Consortium Conference

35

What can Researchers & IRBs do?

-

practically


Read and understand the Terms of Service


Incorporate in risk analysis


Include mention of cloud
-
based services in
consent forms


Level of detail?


Monitor/audit cloud services over life of project


Have terms or practices changed?


All this is new, complex, and difficult…

10/12/2012

Virginia IRB Consortium Conference

36


A
nyone
who has studied the history of
technology knows that technological change is
always a Faustian
bargain


Technology
giveth

and technology
taketh

away,
and not always in equal measure
.



A new technology sometimes creates more than
it destroys. Sometimes, it destroys more than it
creates. But it is never one
-
sided
.


Neil
Postman

10/12/2012

Virginia IRB Consortium Conference

37

Research, the Cloud, and the IRB:

NEW OPPORTUNITIES :: NEW CHALLENGES

Michael Zimmer, PhD

Assistant Professor, School of Information Studies

Director, Center for Information Policy Research

University of Wisconsin
-
Milwaukee

zimmerm@uwm.edu

www.michaelzimmer.org