Sharon Boehlefeld
Doing the Right Thing: Ethical Cyber Research

When I think about research, I first think of doing some good, and, failing that, doing no harm. While the first goal might not always be easy to reach, I think it's worth striving for. As to the latter, I think it should actually be foremost in the minds of researchers. And that's where ethics enters the picture.

Others in this forum have mentioned research (e.g., Lauderdale's The Tearoom Trade) in which the second goal might have been jeopardized by the researcher's methods, some of which generally have been considered unethical. But when a new phenomenon crops up, like the Internet, questions arise which seem so important or exciting that researchers might, in their enthusiasm, focus more on their questions than on the fact that there are people on the "other side" of their data.

When we talk about cyberspace research, we may be unnecessarily mystifying the medium in which we hope to work. Storm King has focused on a formal ethics statement of a social science discipline. I'd like to move out of the area of social science, though, and take a look at an ethical statement promulgated by computer scientists, and consider whether it offers any insight which might be useful for social scientists to bear in mind when devising and conducting their own studies.

At the very least, offending computer scientists--by exhibiting unethical behavior--could result in losing computer privileges, and that could mean conducting no study at all. At the worst, social science researchers could damage others' reputations, livelihoods and personal relationships through irresponsible cyberspace research.

Somewhere between those extremes are what I expect would be the most likely events. Research that might have been useful is disregarded because of the dubious methods and practices employed by the researcher.
Research is never completed or reported because a researcher is unsure whether data was ethically gathered. Research that is reported and disseminated (e.g., the Carnegie Mellon cyberporn study as reported in Time magazine) might be believed without regard to the way it was conducted. If ethical canons are misunderstood or consistently ignored by researchers, there is potential for loss to both the researchers and the researched.

In this paper, I argue that an understanding of ethics from the perspective of computer professionals might help social science researchers in planning and carrying out ethical cyberspace research. I propose to discuss elements of the ethics statement of the Association of Computing Machinery (ACM), and then to consider some similarities between computers and other media of communication, and how those similarities might influence our understanding of what constitutes ethical research.

The ACM code

The ACM adopted a new ethical statement in late 1992. The statement, along with several case studies designed to stimulate discussion about ethical issues, was published in Communications of the ACM (February 1993) the following spring. It comprises four sections:

* General moral imperatives (ACM, 101);
* More specific professional responsibilities (ACM, 103);
* Organizational leadership imperatives; and
* Compliance with the code (ACM, 105).

Of particular relevance to researchers in other disciplines are several elements included in the general moral imperatives, as well as a few from the professional responsibilities and leadership imperatives. In this paper, I intend to focus on only a few of those code elements. I'll first review sections of the code, then comment on some implications for social science researchers.

In the first section of the code, ACM professionals begin with a similar standard to the first I mentioned. Their first imperative is: "1.1 Contribute to society and human well-being" (ACM, 101).
What may surprise those outside the computer field is that the first concern of the organization includes ensuring "...that the products of their efforts will be used in socially responsible ways, will meet social needs and will avoid harmful effects to health and welfare" (ACM, 101, emphasis added).

Whether computer professionals define social in the same way (or ways) as social scientists is not as important as that they do recognize social ramifications of their work, work viewed by some as merely "technical." Those of us in other disciplines can consider what is or should be meant by "social," but I think it's clear that one element of the social is the environment for action created through interaction. As Durkheim, Becker and others have observed, whether an activity is commended or condemned often hinges on the reactions of those who observe, or are influenced, by it; hence, the meaning of the action is socially defined within its context, or environment.

King's discussion focused on research into areas in which finding potential harm seems simple (e.g., various support groups). He is concerned with the actions of researchers and the possible effects of those actions on participants in Internet and other computer mediated discussion groups. While we may not yet fully understand those effects, clearly both the professionals who design and maintain the computer systems that make such research possible, and those who do or would conduct such research, recognize the social nature of the activities that take place using those systems. It also seems obvious that the goals of the computer professionals and the social science researchers agree that their actions should attempt to provide social benefits.

Immediately after focusing on "doing good," the ACM code states: "1.2 Avoid harm to others" (ACM, 101).
The ACM defines "harm" as:

...injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. ... If system features are misrepresented to users, coworkers, or supervisors, the individual computing professional is responsible for any resulting injury. ...[A computer professional] has the obligation to report any signs of system dangers that might result in serious personal or social damage. If one's superiors do not act to curtail or mitigate such dangers, it may be necessary to "blow the whistle" to help correct the problem or reduce the risk (ACM, 101).

Computer professionals know tales of hackers who have broken into systems, sometimes damaging or otherwise manipulating files. They have heard stories of people who have had credit records destroyed, or phone connections unlinked or improperly charged. While these seem clear violations of a code that puts contributions to society and avoiding harm to others first, the examples used by computer professionals focus on tangible harms. Social scientists, in their considerations, have tended to focus on less tangible, but no less real, harms.

Perhaps a social science researcher collecting data for a psychological, sociological or other study might not see him- or herself as posing a risk to others. But, as Thomas (1995) and King have already noted, there are potential risks to unwilling or uninformed participants of social science research in cyberspace. Since the papers in this discussion have already detailed a number of the less tangible harms, I won't repeat them.
But we can draw on the lessons of the second ACM code by realizing that we, too, should acknowledge that we have an obligation to be aware of and to report to our department chairs, to our human subjects committees, to our advisors, or to appropriate others such "...dangers that might result in serious personal or social damage" in order to avoid or minimize these dangers.

Another item in the general imperatives is "1.7 Respect the privacy of others" (ACM, 101). It states:

Computing and communications technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilizations. ... It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. ... This imperative implies that only the necessary amount of personal information be collected in a system, ... and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages, without the permission of users or bona fide authorization related to system operation and maintenance (ACM, 101, 103).

The ACM imperative clearly advises limiting the amount of information gathered, and seeking consent of individuals whose information a researcher is interested in using. Neither of these imperatives conflicts with suggestions in King's paper. A potential conflict arises from the ACM's inclusion of electronic messages and mail within the category of personal information. Computer messages are the source of material for much of the cyberspace research in question here.
How is it possible for social science researchers to do any research on cyberspace without violating this principle, and, likely, losing computing privileges?

First, computer professionals understand that some elements of system design help to distinguish between private and public areas. Access to private email, for example, is protected by passwords. System users cannot (easily) read each other's mail, and those who do gain unauthorized access would clearly risk losing computer privileges. But computing systems are designed to allow for public discussion areas. What is the ethical responsibility of a researcher who is interested in using material from such areas?

An answer to that question also lies in the ACM imperative. The group recommends collecting no more personal information than is necessary for a particular study. For example, if one is interested in research about sexual abuse survivors, then the only "personal" information which is necessary is that an individual says he or she is such a survivor, and, if it can be determined, whether that individual is male or female, and what he or she says about the experience. Such personal information can add depth of understanding to an individual's experience as it is related in a discussion group. But, except when using a specific quotation, as is often done in qualitative research, information of that type can be aggregated. It's also fairly simple to remove identifying elements from message headers (e.g., the name of the list, or the identifier of the individual posting). A researcher can also be judicious in selecting material to use in quotations, making sure to eliminate or disguise elements which tend to identify a specific individual.

Early in my own investigations of cyberspace, I became interested in the social construction of gender on the nets.
In a first draft of a paper on the subject (circulated only to a few individuals), I attempted to modify some of the "To:" lines to disguise senders. One individual to whom I sent the paper passed it along to another individual. I was surprised when that second individual later told me that self-recognition was easy when one recognizes one's own words in the text. The same individual also told me that, while self-recognition came as a surprise, seeing comments made months earlier was not offensive.

I might also note that, in struggling to write the previous paragraph without using even "him" or "her," I found the exercise a bit tedious. Nevertheless, I managed to make my point without identifying the poster by a gender-specific term. I also left out any indication of the list from which the posts were drawn. While there is a risk that the individual in the example might see this paper and remember the incident, the anonymity of the poster is intact.

Using gender-neutral terms and refraining from identifying lists are two ways that researchers can make use of information gathered in cyberspace while safeguarding the anonymity of the individuals who provided it. While the former may be a bit awkward at times, it is possible. The latter is simple. Yes, some data is "lost," but what is retained is often sufficient for reporting study results.

In the second section of the ACM code, dealing with more professional responsibilities, the seventh item is important. It reads, "Improve public understanding of computing and its consequences" (ACM, 105). The full text reads:

Computing professionals have a responsibility to share technical knowledge with the public by encouraging understanding of computing, including the impacts of computer systems and their limitations. This imperative implies an obligation to counter any false views related to computing (ACM, 105).

In terms of the many concerns about anonymity, privacy and confidentiality, this may be the most practical imperative for social science researchers to keep in mind. It may be equally important for us to make sure we don't help to sow seeds of misunderstanding among ourselves, the people we teach, and the people we learn from.

Computer systems are designed, as I mentioned before, to allow both public and private areas for data storage and discussion. Before we begin serious research, it would behoove us to learn all we can about how systems operate in terms of establishing private and public areas. In most cases, research about communication uses of computers involves public areas. We should do all we can to ensure we neither hold nor disseminate "false views related to computing."

In the final section of the code, the ACM proposes several guidelines for exercising effective leadership. Social science researchers may also benefit from considering some of them. For example, consider:

3.4 Ensure that users and those who will be affected by a system have their needs clearly articulated during the assessment and design of requirements (ACM, 105).

While it might once have been difficult to articulate the needs of system users who find themselves, unintentionally and sometimes unknowingly, in a position to become subjects of research, that seems much less likely today. As others in this forum have noted, there is among some users a "perceived" or "expected" sense of privacy about communications which are, in fact, quite public. One need, then, of such users is to ensure that genuine privacy is maintained. The ACM addresses the issue in its next guideline:

3.5 Articulate and support policies that protect the dignity of users and others affected by a computing system. ...Computer professionals who are in decision-making positions should verify that systems are designed and implemented to protect personal privacy and enhance personal dignity (ACM, 105).

One simple way to help ensure personal privacy is to close public areas of computing systems. While that may be simple, it would certainly prove detrimental to the conduct of some types of work. How, for example, would research proceed if all libraries were available only to private subscribers? It would be equally impractical in many instances to eliminate public areas from computing systems. Closing "the commons" of computing seems as potentially disruptive as the closing of common grazing areas was centuries ago.

How then can researchers refrain from abusing the commons of computing while ensuring personal privacy and dignity? I believe that keeping in mind some of the ACM guidelines that I've just outlined will help. But it may also help to consider the ways people use other communications media.

Other communications media

Computer mediated communication is just one form of communication open to people today. There are abundant other resources when face-to-face communication is difficult or impossible. Some alternatives include the postal service, telephones, newspapers, radio and television. Each has advantages and disadvantages for various types of communication. If we were to consider each of these communications media in terms of various attributes, it might help us to understand how each is useful. While the list I'm about to discuss is not exhaustive in terms of media or attributes, I believe it will clarify some of my discussion.

I have selected five attributes, each of which I'll define briefly. First, though, let me explain the media I will refer to in the table. "CMC" refers to Computer Mediated Communication, including private email, discussion lists, Internet Relay Chat, and other forms. "Phone" refers to conventional and wireless telephone communications, including person-to-person and conference calls. "Mail" refers to paper mail delivered by the postal service. "Radio" includes commercial news and entertainment stations, and amateur and citizen band radio. "TV" refers to commercial and cable networks. "Print" refers to newspapers, magazines, academic journals and the like.

I define the attribute of "privacy" in a conventional way, as restricting the accessibility of a communication to individuals for whom it is intended. When I refer to "audience," I have in mind both the conventional uses and the design of the media in terms of the numbers of people who can be reached through it. I might substitute "interactivity" for "direction," but I believe the term is too broad, since an argument can be made that any communications medium is "interactive." What I have in mind, in terms of "direction" of communication, is not whether it is possible to hold a two-way conversation in any of these media, because it is possible, but whether that medium is generally used for two-way communication. I use "temporality" to refer to whether the medium supports "real-time," immediate communication, or "asynchronous," delayed communication. By "accuracy," I mean to refer to whether a particular medium is well-suited to reach specific individuals.