by tmotwu 1884 days ago
Yeah, it's not a great apology. I would say as far as justifications go, I think it's a certain level of depth expected from academics, you shouldn't overthink it.

As far as giving benefit of the doubt, it's likely not done out of malice in the first place. Just a combination of poor reasoning and doesn't exactly clear up if they even considered alternatives to control their variables. Unfortunately, it seems like they were already given the benefit of the doubt from their first offense, but did not take any lessons away from that, so it would be understandable if the maintainers kept their ban.


I don't think they had malice, but the breach of elemental ethics is just appalling. They show no remorse for being trusted and abusing that trust and good faith. They show no remorse for using human beings as involuntary guinea pigs.

In sum, they show no remorse for doing wrong.

For me, it's not learning the lesson the first time around.

I completely agree their experiment is unethical. However, it's not actually clear cut to most researchers the ethical bounds of their work, especially for study papers that's never really been explored before. Ethics in and of itself is largely an active subtopic for many areas in CS, not only security research. AI is one area where qualifying potential harm to human beings remains largely controversial. Ask any ML scientist, and they'll tell you that determining the ethics of a project is not their responsibility.

I could not disagree more.

The ethics around research that involves deception have been pretty well established and there are several good comments here explaining them.

Every scientist is personally responsible for the ethics of the research they conduct. Full Stop, no caveats allowed.

If your research is in an area where the ethics are controversial or grey, that means you need to spend MORE time considering the ethics of your research, not that you get a free pass from being responsible.

If any scientist espouses the opinion that determining the ethics of their projects is not their responsibility, they should be permanently barred from receiving grant money.

> The ethics around research that involves deception have been pretty well established and there are several good comments here explaining them.

Ethics in computing research remains an active research area. This incident will be used as a case study in the future, but it's not that well established. Many people have been using anecdotes, which honestly don't fit the scenario because so many variables and parameters distinguish other types of pentesting from this. And disappointingly, not a single post has actually produced the documents that establish this.

Arguably the first set of guidelines for ethics in computer security research [1] was published in 2012 and not yet widely taught in Ethics lectures (I only know about it because I learned Computer Security from one of the authors).

On identifying harms:

> "Challenges identifying harms in ICTR environments stem from the scale and rapidity at which risk can manifest, the difficulty of attributing research risks to specific individuals and/or organizations, and our limited understanding of the causal dynamics between the physical and virtual worlds. As with all exploratory research, it can be challenging to articulate benefits such that subjects can make informed decisions. In ICTR our ability to qualitatively and quantitatively foresee the probable benefits is particularly immature."

On this type of research:

> "Research of criminal activity often involves deception or clandestine research activity, so requests for waivers of both informed consent and post hoc notification and debriefing may be relatively common as compared with research studies of non-criminal activity."

This isn't a huge change from 30 years ago since Moor [2] wrote his thesis on Computer Ethics, see:

> "A typical problem in computer ethics arises because there is a policy vacuum about how computer technology should be used. Computers provide us with new capabilities and these in turn give us new choices for action. Often, either no policies for conduct in these situations exist or existing policies seem inadequate. A central task of computer ethics is to determine what we should do in such cases, i.e., to formulate policies to guide our actions."

Researchers themselves are far from educated on this topic; you won't ever explore this in depth unless you're in this particular sub-field. IRB/REB boards are considered the most qualified but are possibly too outdated to navigate around this. It's a whole mess, there is currently a lot of questionable research in many areas of computing, but the clock moves forward.

[1] https://www.dhs.gov/sites/default/files/publications/CSD-Men...

[2] https://web.cs.ucdavis.edu/~rogaway/classes/188/spring06/pap...

Great insight. But as for the ML scientists you mention, ethics _is_ their responsibility. We all are ethical beings.

How is malice different from a breach of elemental ethics? How is malice different from abusing trust and showing no remorse for doing wrong?

These guys are malicious clowns, who came up with an idea that would hurt Linux, but advance their careers, and they went all in on it.