by tmotwu 1873 days ago
> If UMN’s ethics board has approved this experiment in cooperation with Linus/Greg

No, informed consent must be with all participants and maintainers reviewing the patches. Why does Linus/Greg get to decide that for others?


I guess that depends on whether you consider this a sociology experiment or white hat work.

I'm not sure that I agree that sociology experiments have 'informed consent' the way you appear to be thinking of it. Yes, you know you're in an experiment, but if you know what the experiment actually is, then your reactions are not authentic and you skew the results (which always makes me wonder about clever people in experiments).

In white hat stories, it's not always the case that everyone knows ahead of time, but 'enough' people know. Those who do know bear part of the responsibility of ensuring that things don't 'go too far', and they give organizational consent but not personal consent. Although I confess that OSS might be a little fuzzy here because I didn't sign anything when I started. You can't tapdance around informing me by pointing to some employment agreement.

You are free to disagree. Obviously, not every scenario can be navigated using an arbitrary policy for conduct, which was what clearly happened here. 'Informed consent' in the context of cybersecurity research is described in the Menlo Report [1].

And FYI, not all white hat stories are clean in their approaches; that in itself remains a controversial topic for another discussion. Furthermore, employees in an organization are under a different set of contractual obligations, full of caveats, to their employers. In some ways, they've already "consented" to specific bare minimums (white-hat can be framed as security awareness training required in your job role).

Open source contributors and reviewers are individual third party actors. No one has established any tolerance limits. So "enough" people doesn't really apply here because no one was made the arbiter source to decide that.

[1] https://www.dhs.gov/sites/default/files/publications/CSD-Men...

With senior endorsement it would be easy to recruit a pool of participants.

Yes, opt-in informed consent from maintainers and reviewers of the patches.

That is not as cut and dried a decision as you frame it to be.

California emissions testing for vehicles includes licensed smog test stations and a process where undercover inspectors bring cars that are in violation to those stations. If the smog test station is incompetent, they will be cited and perhaps stripped of their operating license.

If another state decided that they’d like to start performing random tests upon their network of smog test stations, without any retaliation to those stations, then it would not be a violation of ethics for that state to send undercover cars through the stations.

It would be unethical to punish those who fail undercover tests, unless the state had announced that random undercover testing was beginning and that punishments would be applied for failures.

The researchers were not attempting to modify the behavior of the participants, nor did they seem to be interested in naming and shaming specific maintainers, so it’s not as simple as “anyone who comes into contact with the experiment must be fully informed”.

California controls the licenses for smog test stations. I would imagine there’s a clause in the contract that says “California, at any time, may do random undercover inspections of the smog testing facility to ensure compliance” which the owner of the licensed smog station would be aware of.

Do you see how that differs from an academic randomly experimenting on an open source project with no notice or warning?

Retail store owners/managers contract out “mystery shoppers” to test compliance with retail store policy and procedure. This example is also nothing like the UMN experimenting on Linux, since there’s a contract and both parties are aware.

A similar example to the UMN/Linux situation would be an academic doctor deciding to randomly test blood donor screening by sending in HIV positive people to lie about their status in order to donate tainted blood and only telling the Red Cross or whoever after the blood has been donated.

A professor is not a government. Also, all governments will use undercover officers without warning first.

The analogy is from California to Linus/Greg, not UMN.