Research.securityresearch.at

Email: sebastian.schrittwieser@tuwien.ac.at Abstract—Recently, several research papers in the area of certainly are not as fundamental to humankind such as, for information security were published that may or may not be example, stem cell research or other issues in natural science, considered unethical. Looking at these borderline cases is relevant we still feel the need to address these ethical questions. One as today’s research papers will influence how young researchers important reason is that security professionals and researchers conduct their research. In this paper we discuss fundamentalethical principles and their role in recent literature. We argue that personal ethics are the discerning factor between white and the establishment of ethical guidelines or frameworks without black hats; we need to determine how far we can go in prior discussion and consensus in the research community research. For researchers in computer security the recent probably would not lead to clarity on which lines in academic success of papers such as the aforementioned are an incentive to follow along this line of research.
Index Terms—information security; research ethics; ethical In this work, we want to focus on the latter type of ethical implications and aim at motivating a discussion onhow research activities in the field of information security can be evaluated from an ethical point of view and how, we as Recently, a new trend in computer security research can a community, can establish ethical standards similar to other be observed. There are several new papers that quantitatively analyze important security issues (e.g. [1], [2], [3], [4], [5]).
While many earlier works looked at threats theoretically (e.g.
Thompson et al.’s famous “Trusting Trust” [6] from 1984), In this section, we introduce and discuss four, in our current researchers would probably validate their research by opinion, controversial papers and their ethical considerations.
implementing an attack and testing it “in the wild”. To some We want to point our that all these papers got IRB approval extent, this trend certainly comes from several major paradigm and it is certainly not our intention to criticize the authors for shifts we are facing in technology. Data moves from local their research. Their papers should just server as examples for storage to distributed services on the Internet, massive amount of user generated content is added to social networking sites, A. Spamalytics – An empirical analysis of spam marketing etc. Consolidated under the term “big data” these fundamental changes in technology usage drive the trend towards research The basic idea of this research project was to analyze the that directly influences real people and real data.
economics behind a botnet used to send millions of spam Ethical implications in this line of research are obvious and messages per day. To this end, the researches broke into a twofold. First, we always have to think about how research botnet, analyzed it and manipulated a small percentage of the results could be misused. A line from a satirical song on messages in a way that the receivers actions such as clicking Wernher von Braun’s attitude toward the consequences of his on links was trackable for the researchers. The authors argued work in Nazi Germany on the V2 rocket says “Once the that their research was ethical because they were just “passive rockets are up, who cares where they come down? / That’s actors”, “ensuring neutral actions” and that “users should not my department”. Wernher von Braun was interested in never be worse off due to [their] activities”.
researching on rocket technology and accepted that the resultsof his work were used to develop a weapon. Similar to this, B. Your Botnet is My Botnet: Analysis of a Botnet Takeover [2] we have to estimate how our research could be misused. Is This paper describes the takeover of a botnet for analysis developing analysis methods for an anonymization network purposes. The authors were well aware of the ethical implica- such as Tor [5] ethical in consideration of the likeliness tions of breaking into a botnet’s C&C server and brought the that oppressive regimes would use the research results to • “The sinkholed botnet should be operated so that any Second, we have to ensure that our research activities them- harm and/or damage to victims and targets of attacks selves do not harm others. While the possible consequences • “The sinkholed botnet should collect enough information Tuskegee syphilis experiment1 is one of the most important to enable notification and remediation of affected parties” cases of ethics in medical research. Started in 1932 it aimedat analyzing spread and possible treatments for syphilis. In C. Pharmaleaks – understanding the business of online phar- 1947 Penicillin was found be be an effective treatment for syphilis. Nevertheless, the experiments continued for 25 years In this paper the underground economics of affiliate net- before it was shutdown on public pressure in the 70’s. During works for pharmaceutical products on the Internet was ana- the 40 years of runtime, patients were not informed about lyzed with the help of leaked data. At the time of research available treatments, no precautions were taken that patients that data already was “in the wild”, so the researchers used did not infect others, and they were also actively given false information regarding treatment. Today, it is obvious that such • “[.] ethics of using data that was, in all likelihood, a study is unethical. Doctors are not only not allowed to gathered via illegal means. [.] We justify our own choice withhold information about effective treatment but also have to explain patients the study design. In randomized double-blind • “some [.] contents have already been widely and pub- studies neither the patient nor the doctor can decide whether licly documented. Consequently, we cannot create any a patient receives a new and potentially better drug or the new harm simply through association with these entities standard treatment. No one would withhold standard treatment Today the lines that should not be crossed in medical D. Is the Internet for Porn? An Insight Into the Online Adult research are well defined (such as in the Helsinki Discords [9]) and the possible impact of unethical studies is known in detail The authors of this paper analyzed the economics behind though a large number of research scandals: medial research traffic trading networks for websites offering adult content and directly affects human lives. Arguably, the impact of research even actively participated in the business by setting up their in information security cannot be compared to medial research.
own website with mature content. Ethical considerations were However, several cases throughout past years have shown that it still can have dramatical impacts on involved people. While • “Clearly, one question that arises is if it is ethically not academic research the “Craigslist Experiment”2 has shown acceptable [.] to participate in adult traffic trading. [.] the impact of unethical studies in a very drastic way and it we believe that realistic experiments are the only way is absolutely possible to imagine that with a similar setup to reliably estimate success rates of attacks in the real- privacy-impacting behavior (such as [10]) or cyber-bullying on a social network may be analyzed in an academic study.
• “we did not withdraw any funds but forfeited our traffic Another problematic aspect are unpredictable effects on the trading accounts at the end of the experiments” analyzed systems. Often it is difficult to calculate the impactof actions performed for research purposes and harm could occur even if it was not intended. For instance, a botnet is a At first glance, all the brought arguments for ethical justifi- complex and in most cases undocumented system. How can cation of the introduced research projects seem to be valid and analysis be done while assuring that the performed actions do fair. We now want to discuss fundamental ethical principles not interfere with the system and its involuntary participants and compare them to the papers and their argumentation regarding research ethics. These principles do not follow anyparticular ethical guidelines nor are they borrowed from other science areas such as medicine. We rather tried to derive The second principle is to not watch bad things happening the most fundamental principles from common sense. The without helping. In real life there is even the term “non- reasoning is that we strongly believe that without a broad assistance of a person in danger”. For instance, if you witness a consensus across the information security community about car accident with injured people, you have the legal obligation the most fundamental basics of ethical research methods, the to give first aid. At first glance, this principle seems as proposal of too detailed guidelines and frameworks would not obvious as the first one. However, an analysis of the previously find acceptance among researchers. In Section IV this idea is discussed papers shows how difficult it is to observe it.
The authors of the Spamalytics research [1] argued to be just “passive actors” and were “ensuring neutral actions”.
It is correct that the research activities did not actively harm A seemingly straightforward principle is that researchers affected users (the first principle). Further, the authors argued should not actively harm others. For example, writing your that by manipulating some of the spam messages, they have own malware to study user infection numbers and different done good to at least some of the receivers of spam messages.
dissemination strategies is obviously a bad idea. However,history has shown that in other science areas, even obvi- 1http://en.wikipedia.org/wiki/Tuskegee syphilis experiment ously looking principles sometimes get violated. The so-called 2http://en.wikipedia.org/wiki/Jason Fortuny#.22Craigslist Experiment.22 However, that is exactly the crucial point. The researcher did would be tempting to buy botnet resources to send spam to not prevent that still millions of real spam messages were evaluate how well the advertised quality matches the actual sent over the botnet causing damage to network operators performance. Even if all recipients are not real people but and mail service providers. The researchers knew which prepared test-email addresses as to not really harm anybody computers were infected, but simply watched without helping.
by sending them spam, an ethical problem persists: You spent One could argue that spam is an annoying aspect of today’s research money to finance illegal activity. Would it thus be a email communication to which most users do not pay much wise choice to use stolen credit card numbers to pay the botnet attention. However, it should be kept clearly in mind that there rental? The credit card company will most likely revoke the is still a large number of people who fall for these messages – payment once the card is locked thus depriving the criminals otherwise the spam business would not pay off for the sender.
of their income. Nonetheless, the fact of using a stolen credit A 2012 report by Commtouch [11] shows that still more card by itself could be considered unethical.
than 50 percent of spam messages sent worldwide advertise In [2] the authors describe how they broke into a botnet in medicine or other pharmaceutical products, which are to a order to analyze it. Intercepting and modifying messages of large percentage counterfeited and a major health threat. Thus, a “legal botnet” such as distributed computing projects (for preventing spam messages from being sent probably would instance SETI@home [12] and Folding@home [13]) would protect people from ordering harmful fake drugs.
be unethical. Is a similar activity ethical simply because it is In [2] the authors argued that “damage to victims [.] aimed at “bad” people – though no argument of self-defense would be minimized”. The problem is that it is difficult to can be made? Similarly, breaking into a thieve’s house “to define “minimizing damage”: Ultimately, it would mean that analyze which good he had stolen” is probably a bad excuse no research is possible, because the authors of the paper would for scholarly researcher when arrested by police.
have had to take actions to shut down the botnet once they got access to it. Informing victims after finishing the experimentsmight not meet the principle of “minimizing damage”.
Law enforcement has rules defining which actions in un- The next obvious question is whether not to collect certain dercover work are permitted and which not and some forms data or discard it to avoid having all information required of investigation require the cooperation with law enforcement.
to inform people. Assume that we would consider the last For instance, to become a member of a group of criminals example (botnet analysis) to be unethical, that is, we define some form of joining ritual such as committing a crime to that if we see someone is harmed by malware and probably not prove one’s ability and loyalty may be required. In academic aware of it, we should contact him. If management decides, research, cooperation with law enforcement in not yet common however, that it is still bad for business we could simply not in many countries. Researchers trying to understand market store (or delete) the IP addresses of affected machines connects mechanisms of local drug trafficking cannot simply go out but keep all the other data. We could still do our statistical and sell drugs at different prices and quality to figure out analysis for the research project but “unfortunately” we would price elasticity and ways of disturbing an illegal market.
no longer have the data required to contact the users. Would Besides the risk of being shot by other drug dealers, their that (under the previous assumption) be considered ethical? research would be illegal. Similarly, “testing” illegal markets The argument for not collecting information may be to limit by buying botnets or stolen credit card numbers may at least the cost and security concerns because identifying data must be considered unethical since bad guys receive money.
be secured well. Deleting existing data, simply to avoid the In [14] the authors argued that they “believe that realistic “moral duty” of contacting people does in contrast not seem experiments are the only way to reliably estimate success rates of attacks in the real-world”. However, this reasoning And even if it seems both feasible and responsible to does not solve the ethical dilemma. “We had to do it in that inform a user that her computer is part of a botnet further way” is never a good argument in scientific research. Nobody challenges could occur. There might be multiple users on an forces you to perform a particular research experiment. The infected machine and informing an arbitrary user could cause introduced research clearly is undercover work which could some additional harm. For instance, the infection of an office lead to – at least – problematic issues regarding ethics.
computer may have been caused by deactivating the anti-virus software, surfing to Web pages not related to work, etc. Thus On the one hand the information security research commu- informing one person could cause another person to lose his nity is well aware of ethical questions within their field. Most papers dealing with large amounts of user data or breaking C. Do not perform illegal activities to harm illegal activities into systems include an ethics section and at least in the US,universities have institutional review boards where researchers Another interesting question is wether it is unethical to harm must have their proposals checked. Just recently the European illegal activity? – or in other words: “Is being unethical to the Union introduced an optional review process for the European unethical unethical?” For example, a study wants to evaluate grant program FP7 3 that is to some extent comparable to IRBs the effectiveness of renting botnets for spamming. Since weknow from [7] that conversion rates are extremely low, it in the US. On the other hand, however, the comparison has we have in medical research and other natural sciences.
shown how difficult it is to fulfill even the most fundamental ethical principles. The question that arises is how we, theinformation security community, can reach a more satisfying The research was funded by COMET K1 and grant 826461 situation. Can the proposal of some kind of ethical framework (FIT-IT), FFG – Austrian Research Promotion Agency.
help to make research ideas easier to evaluate regarding ethical aspects? We are at least skeptical on that.
One reason is that things are changing fast in information [1] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage, “Spamalytics: an empirical analysis of spam technology – much faster than in other areas. We believe marketing conversion,” Commun. ACM, vol. 52, no. 9, pp. 99–107, 2009.
there is the threat of having guidelines that do not reflect [2] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, the actual technological environment. A look at the recent R. Kemmerer, C. Kruegel, and G. Vigna, “Your botnet is my botnet:Analysis of a botnet takeover,” in Proceedings of the 16th ACM history of medial research shows the dilemma. Every newly conference on Computer and communications security.
developed research method raises new ethical questions that – in some cases – entail years of discussion among the [3] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Commun. ACM, vol. 50, no. 10, pp. 94–100, 2007.
community and further (i.e. politics, religion, etc.). One of the [4] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All your contacts are most prominent examples from recent years is the stem cell belong to us: Automated identity theft attacks on social networks,” in controversy which started 15 years ago with a groundbreaking Proceedings of the 18th international conference on World wide web.
ACM, 2009, pp. 551–560.
work by Thomson et al. [15]. Today, the debate is still [5] D. McCoy, K. Bauer, D. Grunwald, T. Kohno, and D. Sicker, “Shin- ongoing without a broad consensus in sight. Clearly, research ing light in dark places: Understanding the tor network,” in Privacy methodologies in information security can hardly get that [6] K. Thompson, “Reflections on trusting trust,” Communications of the controversial with influences from government policy stances ACM, vol. 27, no. 8, pp. 761–763, 1984.
and religious views. However, changing research paradigms [7] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Pax- through new technological possibilities can still lead to broad son, and S. Savage, “Spamalytics: An empirical analysis of spammarketing conversion,” in Proceedings of the 15th ACM conference on and lengthy discussions hindering the adaptation of guidelines.
Computer and communications security.
For instance, the debate on privacy in social networks is a [8] D. McCoy, A. Pitsillidis, G. Jordan, N. Weaver, C. Kreibich, B. Krebs, passionate one and unlikely to ebb out in the near future. How G. Voelker, S. Savage, and K. Levchenko, “Pharmaleaks: Understandingthe business of online pharmaceutical affiliate programs,” in Proceedings should an ethical guideline rule research activities dealing with of the 21st USENIX conference on Security symposium.
large amounts of personal data from social networks when there is no broad consensus about it in the community? [9] J. Kimmelman, C. Weijer, and E. Meslin, “Helsinki discords: Fda, ethics, and international drug trials,” The Lancet, vol. 373, no. 9657, pp. 13–14, Another problem that we see is the lack of discussion. At the moment, dealing with ethical questions means in most cases getting an IRB approval and justifying the research by dedicating a section to it in the paper. Ethical considerations http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html.
are often seen as a necessary evil that stands between the [11] Commtouch, “Internet threats trend report,” 2012.
author and his research and not something that should be taken [12] D. P. Anderson, J. Cobb, E. Korpela, M. Lebofsky, and D. Werthimer, “Seti@home: an experiment in public-resource computing,” Communi- for granted. A more open discussion on ethical aspects of our cations of the ACM, vol. 45, no. 11, pp. 56–61, 2002.
research would be desirable. Working groups such as the one [13] A. L. Beberg, D. L. Ensign, G. Jayachandran, S. Khaliq, and V. S. Pande, that resulted in the Menlo Report [16], [17] are definitely a “Folding@ home: Lessons from eight years of volunteer distributedcomputing,” in Parallel & Distributed Processing, 2009. IPDPS 2009.
[14] G. Wondracek, T. Holz, C. Platzer, E. Kirda, and C. Kruegel, “Is the internet for porn? an insight into the online adult industry,” inProceedings (online) of the 9th Workshop on Economics of Information Similar to other sciences, in information security research the gap between what is technically possible and what is [15] J. A. Thomson, J. Itskovitz-Eldor, S. S. Shapiro, M. A. Waknitz, J. J.
acceptable from legal and ethical point of views is huge. With Swiergiel, V. S. Marshall, and J. M. Jones, “Embryonic stem cell linesderived from human blastocysts,” science, vol. 282, no. 5391, pp. 1145– this gap it is difficult to find the right place to draw the lines [16] D. Dittrich and E. Kenneally, The Menlo Report: Ethical Principles In this paper, we tried to define four fundamental ethical Guiding Information and Communication Technology Research, USDepartment of Homeland Security, 2011.
principles that should not be violated for obvious reasons.
[17] M. Bailey, D. Dittrich, E. Kenneally, and D. Maughan, “The menlo A comparison with recent literature, however, shows how report,” Security & Privacy, IEEE, vol. 10, no. 2, pp. 71–75, 2012.
difficult it is to obey them. While we do not believe that theintroduced research was ethically unacceptable (after all, theauthors got IRB approval), we strongly believe that the resultsof the comparison shows how difficult it is to define absolutegenerally accepted and universally valid principles.
We believe that these questions should be actively discussed in the future, hopefully leading to similar ethical standards as

Source: http://research.securityresearch.at/wp-content/uploads/publications/creds2013_preprint.pdf