Email: [email protected]
Abstract—Recently, several research papers in the area of information security were published that may or may not be considered unethical. Looking at these borderline cases is relevant as today’s research papers will influence how young researchers conduct their research. In this paper we discuss fundamental ethical principles and their role in recent literature. We argue that the establishment of ethical guidelines or frameworks without prior discussion and consensus in the research community probably would not lead to clarity on which lines in academic

Index Terms—information security; research ethics; ethical

Recently, a new trend in computer security research can be observed. There are several new papers that quantitatively analyze important security issues (e.g. [1], [2], [3], [4], [5]). While many earlier works looked at threats theoretically (e.g. Thompson et al.’s famous “Trusting Trust” [6] from 1984), current researchers would probably validate their research by implementing an attack and testing it “in the wild”. To some extent, this trend certainly comes from several major paradigm shifts we are facing in technology. Data moves from local storage to distributed services on the Internet, massive amounts of user-generated content are added to social networking sites, etc. Consolidated under the term “big data”, these fundamental changes in technology usage drive the trend towards research that directly influences real people and real data.

Ethical implications in this line of research are obvious and twofold. First, we always have to think about how research results could be misused. A line from a satirical song on Wernher von Braun’s attitude toward the consequences of his work in Nazi Germany on the V2 rocket says “Once the rockets are up, who cares where they come down? / That’s not my department”. Wernher von Braun was interested in researching rocket technology and accepted that the results of his work were used to develop a weapon. Similar to this, we have to estimate how our research could be misused. Is developing analysis methods for an anonymization network such as Tor [5] ethical in consideration of the likelihood that oppressive regimes would use the research results to

Second, we have to ensure that our research activities themselves do not harm others. While the possible consequences certainly are not as fundamental to humankind as, for example, stem cell research or other issues in natural science, we still feel the need to address these ethical questions. One important reason is that security professionals’ and researchers’ personal ethics are the discerning factor between white and black hats; we need to determine how far we can go in research. For researchers in computer security the recent success of papers such as the aforementioned is an incentive to follow along this line of research.

In this work, we want to focus on the latter type of ethical implications and aim at motivating a discussion on how research activities in the field of information security can be evaluated from an ethical point of view and how we, as a community, can establish ethical standards similar to other

In this section, we introduce and discuss four, in our opinion, controversial papers and their ethical considerations. We want to point out that all these papers got IRB approval and it is certainly not our intention to criticize the authors for their research. Their papers should just serve as examples for

A. Spamalytics – An empirical analysis of spam marketing conversion [1]

The basic idea of this research project was to analyze the economics behind a botnet used to send millions of spam messages per day. To this end, the researchers broke into a botnet, analyzed it and manipulated a small percentage of the messages in a way that the receivers’ actions, such as clicking on links, were trackable for the researchers. The authors argued that their research was ethical because they were just “passive actors”, “ensuring neutral actions” and that “users should never be worse off due to [their] activities”.

B. Your Botnet is My Botnet: Analysis of a Botnet Takeover [2]

This paper describes the takeover of a botnet for analysis purposes. The authors were well aware of the ethical implications of breaking into a botnet’s C&C server and brought the

• “The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized”
• “The sinkholed botnet should collect enough information to enable notification and remediation of affected parties”

C. Pharmaleaks – understanding the business of online pharmaceutical affiliate programs [8]

In this paper the underground economics of affiliate networks for pharmaceutical products on the Internet was analyzed with the help of leaked data. At the time of research that data already was “in the wild”, so the researchers used

• “[...] ethics of using data that was, in all likelihood, gathered via illegal means. [...] We justify our own choice
• “some [...] contents have already been widely and publicly documented. Consequently, we cannot create any new harm simply through association with these entities

D. Is the Internet for Porn? An Insight Into the Online Adult Industry [14]

The authors of this paper analyzed the economics behind traffic trading networks for websites offering adult content and even actively participated in the business by setting up their own website with mature content. Ethical considerations were

• “Clearly, one question that arises is if it is ethically acceptable [...] to participate in adult traffic trading. [...] we believe that realistic experiments are the only way to reliably estimate success rates of attacks in the real-world”
• “we did not withdraw any funds but forfeited our traffic trading accounts at the end of the experiments”

At first glance, all the arguments brought forward for the ethical justification of the introduced research projects seem to be valid and fair. We now want to discuss fundamental ethical principles and compare them to the papers and their argumentation regarding research ethics. These principles do not follow any particular ethical guidelines nor are they borrowed from other science areas such as medicine. We rather tried to derive the most fundamental principles from common sense. The reasoning is that we strongly believe that without a broad consensus across the information security community about the most fundamental basics of ethical research methods, the proposal of too detailed guidelines and frameworks would not find acceptance among researchers. In Section IV this idea is

A seemingly straightforward principle is that researchers should not actively harm others. For example, writing your own malware to study user infection numbers and different dissemination strategies is obviously a bad idea. However, history has shown that in other science areas, even obvious-looking principles sometimes get violated. The so-called Tuskegee syphilis experiment1 is one of the most important cases of ethics in medical research. Started in 1932, it aimed at analyzing the spread of and possible treatments for syphilis. In 1947 penicillin was found to be an effective treatment for syphilis. Nevertheless, the experiments continued for 25 years before they were shut down under public pressure in the 70’s. During the 40 years of runtime, patients were not informed about available treatments, no precautions were taken that patients did not infect others, and they were also actively given false information regarding treatment. Today, it is obvious that such a study is unethical. Doctors are not only not allowed to withhold information about effective treatment but also have to explain the study design to patients. In randomized double-blind studies neither the patient nor the doctor can decide whether a patient receives a new and potentially better drug or the standard treatment. No one would withhold standard treatment

Today the lines that should not be crossed in medical research are well defined (such as in the Helsinki Discords [9]) and the possible impact of unethical studies is known in detail through a large number of research scandals: medical research directly affects human lives. Arguably, the impact of research in information security cannot be compared to medical research. However, several cases throughout past years have shown that it still can have dramatic impacts on involved people. While not academic research, the “Craigslist Experiment”2 has shown the impact of unethical studies in a very drastic way and it is absolutely possible to imagine that with a similar setup privacy-impacting behavior (such as [10]) or cyber-bullying on a social network may be analyzed in an academic study.

Another problematic aspect is unpredictable effects on the analyzed systems. Often it is difficult to calculate the impact of actions performed for research purposes and harm could occur even if it was not intended. For instance, a botnet is a complex and in most cases undocumented system. How can analysis be done while assuring that the performed actions do not interfere with the system and its involuntary participants

1http://en.wikipedia.org/wiki/Tuskegee_syphilis_experiment
2http://en.wikipedia.org/wiki/Jason_Fortuny#.22Craigslist_Experiment.22

The second principle is to not watch bad things happening without helping. In real life there is even the term “non-assistance of a person in danger”. For instance, if you witness a car accident with injured people, you have the legal obligation to give first aid. At first glance, this principle seems as obvious as the first one. However, an analysis of the previously discussed papers shows how difficult it is to observe it.

The authors of the Spamalytics research [1] argued to be just “passive actors” and were “ensuring neutral actions”. It is correct that the research activities did not actively harm affected users (the first principle). Further, the authors argued that by manipulating some of the spam messages, they have done good to at least some of the receivers of spam messages. However, that is exactly the crucial point. The researchers did not prevent that still millions of real spam messages were sent over the botnet, causing damage to network operators and mail service providers. The researchers knew which computers were infected, but simply watched without helping. One could argue that spam is an annoying aspect of today’s email communication to which most users do not pay much attention. However, it should be kept clearly in mind that there is still a large number of people who fall for these messages – otherwise the spam business would not pay off for the sender. A 2012 report by Commtouch [11] shows that still more than 50 percent of spam messages sent worldwide advertise medicine or other pharmaceutical products, which are to a large percentage counterfeited and a major health threat. Thus, preventing spam messages from being sent probably would protect people from ordering harmful fake drugs.

In [2] the authors argued that “damage to victims [...] would be minimized”. The problem is that it is difficult to define “minimizing damage”: Ultimately, it would mean that no research is possible, because the authors of the paper would have had to take actions to shut down the botnet once they got access to it. Informing victims after finishing the experiments might not meet the principle of “minimizing damage”.

The next obvious question is whether not to collect certain data, or to discard it, to avoid having all the information required to inform people. Assume that we would consider the last example (botnet analysis) to be unethical, that is, we define that if we see someone is harmed by malware and probably not aware of it, we should contact him. If management decides, however, that it is still bad for business, we could simply not store (or delete) the IP addresses of affected machines’ connections but keep all the other data. We could still do our statistical analysis for the research project but “unfortunately” we would no longer have the data required to contact the users. Would that (under the previous assumption) be considered ethical? The argument for not collecting information may be to limit the cost and security concerns, because identifying data must be secured well. Deleting existing data, simply to avoid the “moral duty” of contacting people, does in contrast not seem

And even if it seems both feasible and responsible to inform a user that her computer is part of a botnet, further challenges could occur. There might be multiple users on an infected machine and informing an arbitrary user could cause some additional harm. For instance, the infection of an office computer may have been caused by deactivating the anti-virus software, surfing to Web pages not related to work, etc. Thus informing one person could cause another person to lose his

C. Do not perform illegal activities to harm illegal activities

Another interesting question is whether it is unethical to harm illegal activity – or in other words: “Is being unethical to the unethical unethical?” For example, a study wants to evaluate the effectiveness of renting botnets for spamming. Since we know from [7] that conversion rates are extremely low, it would be tempting to buy botnet resources to send spam to evaluate how well the advertised quality matches the actual performance. Even if all recipients are not real people but prepared test email addresses, so as not to really harm anybody by sending them spam, an ethical problem persists: you spent research money to finance illegal activity. Would it thus be a wise choice to use stolen credit card numbers to pay the botnet rental? The credit card company will most likely revoke the payment once the card is locked, thus depriving the criminals of their income. Nonetheless, the fact of using a stolen credit card by itself could be considered unethical.

In [2] the authors describe how they broke into a botnet in order to analyze it. Intercepting and modifying messages of a “legal botnet” such as distributed computing projects (for instance SETI@home [12] and Folding@home [13]) would be unethical. Is a similar activity ethical simply because it is aimed at “bad” people – though no argument of self-defense can be made? Similarly, breaking into a thief’s house “to analyze which goods he had stolen” is probably a bad excuse for a scholarly researcher when arrested by police.

Law enforcement has rules defining which actions in undercover work are permitted and which are not, and some forms of investigation require cooperation with law enforcement. For instance, to become a member of a group of criminals some form of joining ritual, such as committing a crime to prove one’s ability and loyalty, may be required. In academic research, cooperation with law enforcement is not yet common in many countries. Researchers trying to understand market mechanisms of local drug trafficking cannot simply go out and sell drugs at different prices and quality to figure out price elasticity and ways of disturbing an illegal market. Besides the risk of being shot by other drug dealers, their research would be illegal. Similarly, “testing” illegal markets by buying botnets or stolen credit card numbers may at least be considered unethical since bad guys receive money.

In [14] the authors argued that they “believe that realistic experiments are the only way to reliably estimate success rates of attacks in the real-world”. However, this reasoning does not solve the ethical dilemma. “We had to do it in that way” is never a good argument in scientific research. Nobody forces you to perform a particular research experiment. The introduced research clearly is undercover work which could lead to – at least – problematic issues regarding ethics.

On the one hand the information security research community is well aware of ethical questions within their field. Most papers dealing with large amounts of user data or breaking into systems include an ethics section and, at least in the US, universities have institutional review boards where researchers must have their proposals checked. Just recently the European Union introduced an optional review process for the European grant program FP7 that is to some extent comparable to IRBs in the US. On the other hand, however, the comparison has shown how difficult it is to fulfill even the most fundamental ethical principles. The question that arises is how we, the information security community, can reach a more satisfying situation. Can the proposal of some kind of ethical framework help to make research ideas easier to evaluate regarding ethical aspects? We are at least skeptical on that.

One reason is that things are changing fast in information technology – much faster than in other areas. We believe there is the threat of having guidelines that do not reflect the actual technological environment. A look at the recent history of medical research shows the dilemma. Every newly developed research method raises new ethical questions that – in some cases – entail years of discussion among the community and further (i.e. politics, religion, etc.). One of the most prominent examples from recent years is the stem cell controversy which started 15 years ago with a groundbreaking work by Thomson et al. [15]. Today, the debate is still ongoing without a broad consensus in sight. Clearly, research methodologies in information security can hardly get that controversial with influences from government policy stances and religious views. However, changing research paradigms through new technological possibilities can still lead to broad and lengthy discussions hindering the adoption of guidelines. For instance, the debate on privacy in social networks is a passionate one and unlikely to ebb away in the near future. How should an ethical guideline rule research activities dealing with large amounts of personal data from social networks when there is no broad consensus about it in the community?

Another problem that we see is the lack of discussion. At the moment, dealing with ethical questions means in most cases getting an IRB approval and justifying the research by dedicating a section to it in the paper. Ethical considerations are often seen as a necessary evil that stands between the author and his research and not something that should be taken for granted. A more open discussion on ethical aspects of our research would be desirable. Working groups such as the one that resulted in the Menlo Report [16], [17] are definitely a

Similar to other sciences, in information security research the gap between what is technically possible and what is acceptable from legal and ethical points of view is huge. With this gap it is difficult to find the right place to draw the lines

In this paper, we tried to define four fundamental ethical principles that should not be violated for obvious reasons. A comparison with recent literature, however, shows how difficult it is to obey them. While we do not believe that the introduced research was ethically unacceptable (after all, the authors got IRB approval), we strongly believe that the results of the comparison show how difficult it is to define absolute, generally accepted and universally valid principles.

We believe that these questions should be actively discussed in the future, hopefully leading to similar ethical standards as we have in medical research and other natural sciences.

The research was funded by COMET K1 and grant 826461 (FIT-IT), FFG – Austrian Research Promotion Agency.

[1] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage, “Spamalytics: an empirical analysis of spam marketing conversion,” Commun. ACM, vol. 52, no. 9, pp. 99–107, 2009.
[2] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, “Your botnet is my botnet: Analysis of a botnet takeover,” in Proceedings of the 16th ACM Conference on Computer and Communications Security.
[3] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Commun. ACM, vol. 50, no. 10, pp. 94–100, 2007.
[4] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All your contacts are belong to us: Automated identity theft attacks on social networks,” in Proceedings of the 18th International Conference on World Wide Web. ACM, 2009, pp. 551–560.
[5] D. McCoy, K. Bauer, D. Grunwald, T. Kohno, and D. Sicker, “Shining light in dark places: Understanding the Tor network,” in Privacy
[6] K. Thompson, “Reflections on trusting trust,” Communications of the ACM, vol. 27, no. 8, pp. 761–763, 1984.
[7] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage, “Spamalytics: An empirical analysis of spam marketing conversion,” in Proceedings of the 15th ACM Conference on Computer and Communications Security.
[8] D. McCoy, A. Pitsillidis, G. Jordan, N. Weaver, C. Kreibich, B. Krebs, G. Voelker, S. Savage, and K. Levchenko, “Pharmaleaks: Understanding the business of online pharmaceutical affiliate programs,” in Proceedings of the 21st USENIX Conference on Security Symposium.
[9] J. Kimmelman, C. Weijer, and E. Meslin, “Helsinki discords: FDA, ethics, and international drug trials,” The Lancet, vol. 373, no. 9657, pp. 13–14,
[10] http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html.
[11] Commtouch, “Internet threats trend report,” 2012.
[12] D. P. Anderson, J. Cobb, E. Korpela, M. Lebofsky, and D. Werthimer, “SETI@home: an experiment in public-resource computing,” Communications of the ACM, vol. 45, no. 11, pp. 56–61, 2002.
[13] A. L. Beberg, D. L. Ensign, G. Jayachandran, S. Khaliq, and V. S. Pande, “Folding@home: Lessons from eight years of volunteer distributed computing,” in Parallel & Distributed Processing, 2009. IPDPS 2009.
[14] G. Wondracek, T. Holz, C. Platzer, E. Kirda, and C. Kruegel, “Is the Internet for porn? An insight into the online adult industry,” in Proceedings (online) of the 9th Workshop on Economics of Information
[15] J. A. Thomson, J. Itskovitz-Eldor, S. S. Shapiro, M. A. Waknitz, J. J. Swiergiel, V. S. Marshall, and J. M. Jones, “Embryonic stem cell lines derived from human blastocysts,” Science, vol. 282, no. 5391, pp. 1145–
[16] D. Dittrich and E. Kenneally, The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research, US Department of Homeland Security, 2011.
[17] M. Bailey, D. Dittrich, E. Kenneally, and D. Maughan, “The Menlo report,” Security & Privacy, IEEE, vol. 10, no. 2, pp. 71–75, 2012.