Academic researchers by necessity spend a lot of their time thinking about how to minimize harm in the conduct of their research. Prompted by the dark history of abuses in human subjects research, research ethics have become a deeply ingrained part of methods training and institutional review.
But what it means to minimize harm may be evolving in the digital age, as researchers encounter threats from an increasing number of sources. There is no easy solution to conducting research ethically in an environment of mass surveillance—but there are practices that researchers can adopt to ensure they are doing the best they can to protect their data and keep participants well informed of the evolving landscape of risks.
Today we’re unveiling a new playlist for Surveillance Self-Defense intended to help academic researchers navigate the complicated maze of considerations involved in conducting their research in a safe and secure way.
This playlist addresses three separate but interrelated themes: first, the ethical conduct of research involving human participants, second, the protection of research data, and lastly, protection of the researchers themselves.
Ethical Research Includes Encryption
The Belmont Report, the leading document outlining ethical guidelines for research, establishes that researchers must help the participants in any project adequately assess the risks and benefits associated with being a part of the research. For example, before participating in a clinical trial for a new drug, participants have to be informed about any potential health risks associated with taking the drug. The Beneficence principle famously laid out in the same 1979 report dictates that researchers have a fundamental ethical obligation to minimize risks and maximize benefits to their human research participants—a standard that has been endorsed by most subsequent guidelines for ethical research.
Similar rules apply to online research; participants should be made aware of the digital risks that may come from participating in a project, though what those risks are exactly may range widely depending on the community involved, the method of research, and the researcher’s relationship to the community. This could include the risk of leaving a data trail in communicating about the research, the likelihood that identifiable information may be exposed through their metadata, or the possibility that the data collected in the research could be subpoenaed by law enforcement.
For example, when communicating with participants it is the researcher's responsibility to ensure that they are able to do so in a confidential and anonymous manner. However, effectively anonymizing data has become a very difficult problem: even when obviously identifying information is removed from a data set, even a minimal amount of data can still be used to de-anonymize a person.
According to one study, 53 percent of Americans can be identified with just their city, birth date, and sex. Another set of researchers found they were able to de-anonymize Netflix users from a data set provided by the company that had been wiped for sensitive information, using the Internet Movie Database as a source of background knowledge. With only a little bit of information, the researchers were able to uncover not only their viewing history, but their political preferences and other sensitive information.
Researchers must take great care to minimize similar risks when choosing to share such data. Even where they avoid collecting identifiable information themselves, researchers may do so inadvertently through the collection of metadata—several survey products collect IP addresses by default, for example, and many of the cloud-based platforms used for crunching data have terms of service that allow them to repurpose data for uses outside of the researchers' control.
Understanding these risks is therefore a critical element of methods training for researchers and protecting research participants requires researchers to go beyond the basics of sound research design to anticipate the harms that may come from participating in the project both on and offline.
Keeping Data Safe From Harm
Researchers also face new challenges in protecting the data they collect from outside threats. Often, unpublished data may be attractive to third parties, such as law enforcement authorities or others who may have a vested interest in it. Acts as simple as encrypting one’s hard drive or using a stronger passphrase can serve as an important safeguard, and an especially critical one for researchers who conduct fieldwork and travel for conferences.
Private communications between researchers can be a target for attacks too. In the case now known as the Climategate incident, a server belonging to the Climatic Research Unit at the University of East Anglia was breached by an unknown attacker, who copied thousands of the group’s emails and documents. The files were posted online shortly before the 2009 Copenhagen Summit on climate change.
IRB procedures can also sometimes require the data collected be retained for a certain period of time before destruction, so that the results of an experiment can be verified. Learning secure procedures to store and delete research data is an important skill for researchers to learn in order to comply with these guidelines.
Protecting Yourself from Harassment
In too many cases, researchers themselves may become targets of harassment in the conduct of their research. In putting together this playlist, I consulted a number of different academics who had dealt with threats to their security over the course of their research. Many of them had experienced some form of harassment either online or in real life for their work, and from a surprising variety of sources.
Often the threats researchers face may be to their mental or emotional well-being. Building trust with participants is a challenge in every context, but is particularly important for researchers working in online communities. Several researchers found that identifying themselves publicly as a researcher—a best practice in obtaining informed consent—attracted suspicion that their motives were not what they claimed they were. One person I spoke to was targeted with personal attacks and eventually a death threat in an attempt by one troll to intimidate her out of promoting research on a forum, claiming that she was secretly working with law enforcement. The researcher was well-versed in using encryption technologies to protect herself online, but said social skills and community support were just as critical to moving on from the experience.
In other cases, the threat may be to the researcher’s physical freedom. Just last year, PhD researcher Alexander Sodiqov was arrested and held for a month by security services in Tajikistan on suspicion of espionage for conducting interviews with Tajik civil society leaders in the city of Khorog on the Afghan border. His flash drives and computers were confiscated by the authorities during his detention, according to reports. He was released after five weeks in jail after an advocacy campaign spearheaded by his advisor and peers at the University of Toronto lobbied the Tajik government for his release.
An article Sodiqov’s adviser, Edward Schatz, wrote about the case sums up well both the challenges and value of conducting academic research: “The detention of Alexander Sodiqov cuts to the core of what research scholars do. They rigorously collect data, analyze them, and disseminate knowledge. Sometimes the intellectual questions they ask take them to places like Khorog, Tajikistan … But it is hard—and indeed troubling—to imagine a world where the passion for asking important intellectual questions and pursuing research about them is squelched.”
Negotiating these threats requires a new set of skills on the part of researchers that may go beyond the training they receive in basic methods courses. We hope this toolkit will be a helpful resource and guide to thinking through these evolving challenges.