A required read/listen for all human beings - Randy Pausch's "Last Lecture"

I've thought much on Randy Pausch's Last Lecture since I first heard his presentation last month. If you haven't run across Dr. Pausch's lecture here is a bit of background.  Randy Pausch is a Computer Science professor at Carnegie Mellon...you may not know his name but you know his work...he specializes in Human-Computer Interaction, particularly virtual reality (VR).

In September 2007, Dr. Pausch was told by his doctors that his pancreatic cancer had returned and that he had between three and six months to live.  And so armed with that information and in basically good health, he authored a profound piece of instruction for his children, and by extension for all of the rest of us.  As an adult child of parents who died when I was very young, I can tell you that this lecture and the other things Dr. Pausch is leaving for them, will be treasured by his children because it makes the missing parent a real person...with wisdom and flaws.

Take the time to read and to listen to this lecture...send it on to your friends and family.  It is a rare thing for so much wisdom to be codified in such an accessible way and then to be available to everyone. 

My heart goes out to Dr. Pausch, his family, and friends - death is never easy nor is it often welcome to one so young...but the gift of knowledge of ones departure is amazing.  I hope his children will remember his love and that we all remember his strength, and his character...I know I will.

The link to Dr. Pausch's website takes you to a list of media coverage (some with feeds), a transcript, and a Google video of the lecture.  Gather whatever sources you need for your archive

Posted by prolurkr at 09:04 AM | Comments (1) | TrackBack

Psychological pressure on child research subjects, would it happen now?

Well here is another story I can use in my "Ethics and the IRB" presentations to Research Methods classes.  Apparently a study began in 1939 at the University of Iowa where the researcher, the late Wendell Johnson, taught orphaned kids to stutter so he could unravel the mystery of disorder by inducing it in his participants. 

The study came to be known to his graduate research assistants as the "Monster Study."  Which while the press has banged on the idea of creating monsters, the nickname may also have come from the size of the study.  None of the reading I have done this morning gives me quotes from any of the grad students to contextualize the nickname.

When I teach research ethics and IRB's we talk a lot about specific studies and I try to make students understand that many of the projects were considered ethical at the time they were done.  Now of course I am not saying they were right by any means, rather I think it is very easy for us to look at the studies like the Tuskegee Syphilis Experiment and say to our selves, "I would never do anything like that."  We overlook that hundred and possibly thousands of people know about the study both within the university, and the federal government, as well as in the research community that read the published material from the study, and until the whistle was blown in 1972, few of those people raised a red flag that anything was wrong with the ethics of the study.  It was culturally accepted that the lowered status, both racial and social, of the participants made them appropriate sacrifices to use in the research.  In other words, I want my students to think long and hard about the ethics of each project they undertake not to cop-out with a blanket thought that they are better then the historical researchers we discuss.  In truth none of us is better nor were most of the historical researchers I use as examples evil monsters in any shape or form.  Most of them were good people trying to do good research.  Think on that for awhile.

This hit my radar, admittedly somewhat belatedly, because of an Inside Higher Ed article about the lawsuits that have emerged after the nature of the "Monster Study" was made known.  Apparently the university has issued an apology but has also tried to argue that no financial redress is appropriate, in the case, since a 1939 state law foreclosed the participants from suing the state.  Well on Friday the Iowa Supreme Court, in the majority opinion,  ruled that "the research subjects had the right to sue because they sought legal relief promptly after learning what had happened, and that no Iowa statutes barred the suit."  This is not a finding on the merits of the case, just on the legal mechanism that will allow the case to progress through the courts.  It should be interesting to watch if the State of Iowa negotiates a settlement with the participants or if the legal system has to step in.

Posted by prolurkr at 07:15 AM | TrackBack

Ethics in Blogging

I don't have a complete citation on this yet, I'll edit the post when I do, but I wanted to get this link out to everyone now. I found reference to this report, Ethics in Blogging (2005), via my PubSub searches and it looks very useful.

Report Summary:

As the prevalence and social influence of weblogs continue to increase, the issue of the ethics of bloggers is relevant not only to the blogging community, but also to people outside it.

This study explored ethical beliefs and practices of two distinct groups of bloggers--personal and non-personal--through a worldwide web survey. Over a period of three weeks, 1,224 responses were collected and analysed.

Our findings show that these two groups are distinctively different in demographics, blogging experiences, and habits. We also found that there are significant differences between personal and non-personal bloggers in terms of the ethical beliefs they value and the ethical practices to which they adhere.

Key Findings:

Our findings indicate that 73% of the bloggers surveyed said that their weblogs are personal while the remaining 27% said that their weblogs are non-personal. Further investigation of, these two groups revealed many significant differences between personal and non-personal bloggers.

Demographics

Non-personal bloggers are typically older males, with more formal years of education than personal bloggers.

Blogging Experiences and Habits

Non-personal bloggers tend to have more readers, update their weblogs more frequently, and spend more time on their weblogs.

Non-personal bloggers' reasons for blogging, the people whom they write about, and their primary intended audience are also different from those of personal bloggers.

Ethical Beliefs and Practices

Personal and non-personal bloggers value and adhere to four ethical principles differently. For instance, personal bloggers believe that minimizing harm is more important than non-personal bloggers.

For both groups of bloggers, they believe attribution is the most important and accountability the least important.

The degree of association between ethical beliefs and practices is different for personal and non-personal bloggers: in general, the level of correspondence between what people believe and what they do is higher for non-personal bloggers than personal bloggers.

Both types of bloggers are quite ambivalent about whether any kind of a code is necessary.

The findings in our study indicated that personal and non-personal bloggers are indeed distinct groups of bloggers. Their demographics, blogging experiences and habits, as well as ethical beliefs and practices are different.

In addition, bloggers currently do not see a strong need for a blogging code of ethics. A code of ethics may be more valued and adhered to when bloggers' themselves see a stronger need for it.

Also, the four ethical principles have different relevance to personal and non-personal bloggers and researchers should take that into consideration if they attempt to devise new codes of ethics for blogging.

Posted by prolurkr at 09:23 AM | TrackBack

The structure of research subject queries

Today I received an apparently bulk email from a researcher who had identified my blog as being "work focused" and he wanted me to participate in his study. Of course this incident has me thinking about how such his request is structured and how I would personally structure a similar type of request. I should mention off the top that the researcher who emailed me was from the U.K. and that our Human Subjects requirement differ.

• His email is very short. It gives me no idea specifically what his research is about - it just have two links, one to a survey and one to his blog. I do like the U.S. concept of a information sheet that will tell the participant what the researcher is studying in more specific terms, and includes statements about privacy. I find it interesting that this researcher didn't provide this type of information since it has been my understanding that U.K. & E.U. policies on privacy are far more restrictive then U.S. ones. Such local policies rule the researchers work irregardless of where the subjects may be located.
• The email does give me some latitude on how I identify my blog. He is looking for work related blogs and does not define the terms nor are they limited as his email states that "work" is very broad. Well interestingly enough, and I know it is open to argument, I don't define this as a work blog. Work blogs are more procedural in my definition, what I strive for in professional-lurker is more idea driven with some personal stuff for spice. And yes there is often a fair amount of "what I did today" but it too is idea driven in some form, though I have to admit that form is often loosely defined. I think of professional-lurker as an academic & research blog so while it may be about my work it is not, in my mind at least, a work blog. I have a feeling I will be debating this issue with myself for awhile. It will be interesting to see if I still hold this belief after I finish writing about enterprise blogs.
• In light of the previous statement, it is interesting that while I can decide to participate in his survey, based on my personal definition of my blog, he has already decided to add my "work related" blog to his link list of over 300 work-related blogs. So I guess he has decided I run a work-blog no matter what my personal definition may be. I have no doubt that he means well, but by linking to my blog prior to sending me a survey request and letting me know that he has already done so in that request is a form of pressure on me to participate in the survey. It's much like the pressure kids in chat would apply to each other "I like you, don't you like me too?" This is also the same reason that my IRB won't let instructors hand out research survey forms to their students themselves (from their hands directly into the students hands)...pressure to participate.
• One very interesting part is that he is clearly using snowball data acquisition. He may be stripping sites for link lists, that is clearly invisible to me as a "participant", but on top of that the survey questions specifically ask which blogs I read while another asks which bloggers I know and how I stay in contact with them. Doing a little explicit network analysis hummm?

So how would I do this? First I think I would email potential participants with links to my academic website and to a research information sheet on a university website, yes I know not all researchers have the luxury of IT resources to which I have access and they can't build their ties to the university quite so explicitly. I know I would provide some definition of the terms just so I can make sure that I am comparing apples to apples. Saying "work" is just to loose, students work and school is their job but are their blogs "work blogs"? Which reminds me that the email I received had no age cut-offs, another point to ponder since asking adolescent question and asking to interview them can be problematic in both nations.

Second I would keep my personal blog link list and my research requests far far apart. I have added blogs to my list because they were found though data analysis but I have never told the subjects that I have done so. I think that if I have mentioned that part of it on the blog it was done so after the research itself was completed. Though I expect I have not specifically mentioned any blogs I found through research data analysis.

Lastly I would structure my survey so that it was focused on my stated research topic. While it is difficult to tell exactly what the researcher is doing with his network analysis, it does appear that there may be some extraneous information being gathered. Along with that would be my requirement for more than passive consent to participate in the survey. Especially when I am requesting information about third-parties and personal information. I find a discussion of who I communicate with and how that communication is done to be pretty personal, far more personal then say why I began my blog which has been answered publicly in the blog itself. And also in my blog I have stated that I keep third-party information private, except where the name of the person is publicly linked to the statements being made...such as when I blog a conference presentation or discuss an article I have read.

I rarely say no to requests for my participation in research projects...well most of those phone call things don't count cause they aren't legitimate research they just want to sell you something at the end. I truly believe that if I want others to participate in my research then I must also participate in general. That is me putting pressure on me. But this one I am passing on because of my concerns about the structure of the research as it was presented.

There are many ethical issues embedded in this case. Honesty, transparency, and privacy immediately come to the front. I'm curious how would you conduct a web-based survey?

Posted by prolurkr at 10:16 AM | Comments (3) | TrackBack

What I learned from the IU Phising experiment

Recently I have been involved in an interesting ethical debate with myself. Here's the background. Two Indiana University (IU) School of Informatics (SoI) Bloomington, grad students proposed a phishing study as part of their course work in an SoI class. In essence the study gathered the names and email contact information for pairs of friends from publicly accessible sites - think friend-of-a-friend (FOAF) sites. Then the researchers sent an email to person B spoofing person A's email addy. The email requested that the receiver access a specific site and in so doing they were required to provide their user name and password. No names were retained, no passwords were collected. The only data collected were counts, "x people were successfully phished". The research took place over a one week period and at the end of the week both spoofed email addresses and phished addresses received notification of what was going on. Then the proverbial doggy-do hit the fan.

I don't have space here to go into all of the arguments why some people thought this research was "unethical." If you want a complete debate hit the search engines with the following terms "phishing" and "Indiana." I will note that several of the pages that turn up on the first page of the search are IU University Information Technology Services (UITS) pages that predate this issue and are targeted at preventing successful phishing attacks.

I want to stress that the students involved did apply for Human Subject approval and were granted such. That part is massively important and I think underlines that the research is not inherently unethical, though there were some serious lessons learned by me. If I were designing a similar study at this point I would do the following:

• I would shorten the study period, probably to 24 hours. This might require a higher number of participants to guarantee that a minimum number of people would receive the emails during the period. I'm thinking here of lost emails, people away from their email, etc.
• I would have those that provided passwords to the phished site immediately taken to an informational site that explained what was happening and provided contacts for more information.
• I think I might have solicited confederates from those that I intended to spoof, though I'm somewhat conflicted on this point.

I think that one of the main things I learned from this study and the fallout after it was completed is that no matter how hard everyone involved tries to be when considering human subject protections in designing useful research, we all make mistakes. This research was not the mistake, this research is important. However all of us missed some potential issues that caused excessive concern from some of the participants.

Here is a sampling of the available press on the experiment:

- From the Indiana Daily Student (IDS), Students go 'phishing' for user info: Research technique used to show ease of login, user name theft.

- Also from the IDS, 'Phishing' experiment attracts national a debate about ethics of study

For Information Technology watchers around the country, the reaction of IU students to the misleading nature of the study has been a mix of disappointment and sympathy.

Director of Io's Center for Applied Cyber-Security Research Fred Cate said he hopes students can look past the deception.

"I can completely understand why people would be upset about this," Cate said. "When I first heard about this I was like, you've got to be kidding ... but you can't do this type of research and tell people in advance."

Cate, who is also a professor of law, said phishing is the biggest and fastest-growing fraud in the United States and affects those who use the Internet the most, like students on highly wired campuses.

"It seems like (the study is) addressing a real problem," he said.

So it seems. Studies estimate that the normal success rate of identity theft using commercial addresses, such as the auction Web site, eBay, is around 3 percent. But Filippo Menczer, one of the professors who advised Jagatic and Johnson's study, said preliminary results of the IU test show 70 percent of students clicked on the link provided in an e-mail sent by their acquaintances.

It was the Human Subjects Committee's hope that students will learn from being duped by familiar e-mail addresses that convinced it to approve the study earlier this semester.

Professor of Psychology and Chair of the Human Subjects Committee Peter Finn said there were four criteria the committee considered before approving it: whether the risk to subjects of being spoof-attacked was greater than it would be on a day-to-day basis; whether the element of surprise was needed to obtain accurate results; how the lack of prior consent would affect subjects; and lastly, whether subjects would be properly debriefed after being attacked.

"We anticipated that some people may be upset, but there's an awful lot of learning that will go on for everybody," Finn said.

- This link is to the researchers blog which was used to gather comments and questions related to the research, Phishing Attacks Using Social Networks

- "Phishing" E-mail Attacks Could Soon Get a Lot Nastier this article dated Oct 18, 2004 discusses an SoI professors concerns about the growth of phishing attacks.

Phishing messages that appear to be sent by such trusted companies as eBay, Citibank and others are currently duping 3 percent of the people who receive them, according to a recent survey by Gartner Inc. Aware of the threat, members of Congress are currently debating passage of the Internet Spyware Prevention Act, which would provide the Justice Department with $10 million to apprehend phishers and other online scam artists.

Jakobsson said preliminary data suggest that savvier, "context-aware" phishing attacks could have success rates as high as 50 percent.

Context-aware attacks, as Jakobsson envisions them, would take advantage of users' unique circumstances or personal relationships.

- And finally here is the link to the SlashDot story with some interesting, though often illogical, comments. Check out Phishing for Credit.

I have been a SpoofStick user for sometime now. SpoofStick decodes website urls so that it is visible the actual url of the site you have accessed. SO if you thought you were on PayPal responding to an email request for information with SpoofStick you can see that the actual site url bears no resemblance to PayPal. I'm probably not really likely to get sucked in by phishing emails, though everyone screws up, rather I use this tool to verify sites when I am clicking through from websites and blog posts. I really recommend the product.

Posted by prolurkr at 11:17 AM | TrackBack

New cateogry - Ethics

I've been doing a lot of thinking about ethics lately: research ethics, adminsitrative ethics, religious ethics, the ethics of humanness...research ethics is one of my stated research interests. As such I have decided to add a new category to the blog to allow me to gather some of my thoughts on the subject into one pocket. So look for the new category Ethics...thoughts on the ethics of research and life in the the bar. Entries will be coming shortly.

Posted by prolurkr at 12:58 PM | TrackBack