[seebs]

Lying is a reasonably fundamental part of research, but lying to humans can hurt them in various ways, and that's why we have human research ethics rules and standards that require an explicit process for obtaining consent to do something, even if we can't say what in advance, and debriefing and harm mitigation.

Which the IRB missed because they didn't understand that, to ask questions about a website's policy, you must get an answer from a human.

[dcow]

That’s _not_ how it works. The fact that information comes from a human does not make something a human subject experiment. The information has to be about a human. Here the information is about a process for handling CCPA requests. We can argue about whether, in a single site operator case that also qualifies as information about a human since there’s no clear organizational policy, but I want to make it clear that information simply coming from a human does not make an experiment a human subject experiment.

[wtallis]

> The fact that information comes from a human does not make something a human subject experiment. The information has to be about a human.

The experiment is collecting more information than just survey results about CCPA policies. They're also collecting and evaluating information about how humans respond to their legal threats vs how they respond to less pointed inquiries from academics. If this study was merely ordinary survey methodology with questions that aren't asking about humans, it wouldn't be human subject research. But they have actually gone outside the bounds of a mere survey with the deception and threats.