In one of the darkest chapters in medical ethics, the United States government ran an experiment from the 1930s to the 1970s in which it withheld treatment and medical information from rural African-American men suffering from syphilis. The public uproar generated by the Tuskegee Syphilis Study eventually resulted in regulations restricting government-supported research testing on humans. These regulations are called the “Common Rule,” and they are right now up for their first full update.

The Common Rule, also known as the "Federal Policy for the Protection of Human Subjects," is supposed to affirmatively protect us from the abuses of the future. However, the proposed regulation is lousy with loopholes, including ones that could exempt tracking online behavior and experiments related to intelligence activities.

File a comment on the “Federal Policy for the Protection of Human Subjects” through

What is the Common Rule

The Common Rule was created in 1991 as an outgrowth of the Belmont Report, a series of ethical principles and guidelines created by the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research to address issues raised by the Tuskegee experiment. The Common Rule claims to strike a balance between the three goals identified in the Belmont Report: 1) respecting persons, 2) ‘beneficence’ (i.e., maximizing the social value of science and research), and 3) justice.

This federal policy purportedly binds the Department of Health and Human Services (HHS) and numerous other agencies, including the CIA and Department of Homeland Security (per Executive Order 12333). But as we’ve seen, these agencies are adept at homing in on small loopholes, so the proposed language needs a serious edit if it is going to provide any real protection.

EFF filed a comment when HHS first proposed this update in 2011, and we are drafting a new comment laying out our biggest concerns to file by January 6, 2016.

The Biospecimen Consent Loophole

Perhaps the most glaring problem in the proposed rule is its weak update of the ethical practices around biospecimens or biological samples—such as blood, toenails, or DNA—taken from human beings. The proposed rule requires only “broad consent” before researchers can exempt secondary research (research done on leftover biospecimen after the initial purpose for the draw is complete) from review by independent ethics boards. This kind of ‘consent’ is almost no consent at all: it doesn’t let human subjects know what the future biospecimen research entails, how it will affect them, or how the biospecimen or research data will be shared.

These specimens contain DNA that is more likely to be identifiable given the rise of genetic databases. While genomic-related research and technology is of great potential benefit, its rapid evolution also presents significant risk and uncertainty to privacy and social control, especially given the increasing use by law enforcement and government of genetic identification.

The "Public" Behavior Loophole

We are also concerned that the rule proposes an ethics-review exemption for all studies collecting “public behavior” as long as that information is “uninfluenced by the investigators” and properly anonymized.

In the first place, this places too much trust in the benefits of what currently qualifies as “anonymization.” Traditional de-identification techniques are often no match for modern data analytics.

Second, the Common Rule cannot be considered a modern ethical standard if it potentially leaves sensitive Internet traffic beyond protection merely because it is not occurring in a single “private” physical place in one person’s home. Knowing what we know about the impact of tracking who gathers where, and with whom they communicate, it is inexcusable to ignore the danger of creating language flexible enough to risk entirely exempting this subject matter from review.

The Intelligence Surveillance Activities Loophole

Lastly, HHS proposes absolute ethics-review exemptions for “intelligence surveillance activities.” This would exempt actions “conducted to fulfill a department or agency’s legal mandate to ensure the safety and protection of the United States, its people, and its national security interests.” The government is professing to fence DHS and the CIA in through E.O. 12333, but they’re actually building in a gaping breach for them to stroll right back out through.  

Existing law under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule already includes a national security exception that permits doctors, hospitals, and any other "covered entity" to disclose individual health information "to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act." But this is an exemption that needs to be patched over, not replicated.  

Deadline Approaches 

The loopholes discussed above are just a sample of the many we hope to force HHS to reckon with when we file our comments by January 6, 2016. Please join us in respecting the memories of those abused by human subject research in the past by filing a comment of your own.