by moron4hire
1417 days ago
I was supposed to get an IRB review for a graphics experiment I did in undergrad where I showed people static, non-animated optical illusions on a computer screen and asked them some questions about whether or not it gave them the impression of hills. (This was, like, 20 years ago.) Apparently there was some concern about inducing epileptic seizures. Not that there was any evidence that optical illusions, on their own, separate from the flickering of the computer screen, could cause seizures. But someone had the idea and then it couldn't be un-un-boxed.
The IRB submission process would have been too long to finish the study by the end of the semester (by the time I found out about it). So I just... didn't tell anyone I had already posted the demo online, before I ever even learned that IRB existed, and had a bunch of people on a game development forum on which I was a regular go through the study. In my case, it was super low stakes. I mean, people into game development are subjecting themselves to the dodgy apps all the time.
But when I tell this story today, there are two types of responses: those who have done academic research and laugh at my story, and those who haven't and start crying about "HuMaN eXpErImEnTaTiOn!!!" I should start putting that on my business card: "formerly engaged in unlicensed human experimentation." Who am I joking? I don't have business cards anymore. It's going on my Twitter profile.
The only sane solution I've seen to that is to make everything go through security review, even if the review is a simple "we don't need to review this." If everyone knows everything needs review, it makes it very hard to forget about it and incentivizes people to involve security folks with their projects ASAP in the hopes of getting review done early on / avoiding being blocked by it.
You'll always need exceptions to the rule, so you can have some sufficiently high up VP or similar sign off on releasing things without review (and with the caveat that it's still going to get reviewed, it just won't block release), but that's a lot easier to manage than dealing with random developers deciding it for themselves.
It also helps a lot to have a culture where developers learn about security too, but just like researchers and ethics, they'll have perverse incentives to downplay/ignore risks so you still need other, differently incentivized people, to enforce "checks and balances."
It sounds like IRBs are not designed to review all or even most (animal?) experiments and I think that's unfortunate. It seems like a win for everyone if we get better ethics coverage.