Homework #17 - Legal and Ethical Issues - Due Sunday Oct 30, 11PM
Turn in this assignment via email (vern@berkeley.edu) by the due date, with the term Homework in the Subject.

Read the following papers:

  1. Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein, First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08).
  2. Designing and Conducting Phishing Experiments, Peter Finn and Markus Jakobsson, IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007.

Answer the following:

  1. The first paper frames (i) the Wiretap Act, (ii) the Pen Register / Trap and Trace statute, and (iii) the Stored Communications Act. For each of these, sketch:
    1. What sort of data does it cover? (The type of information that is subject to regulation.)
    2. What does it say about collecting, using, and disclosing that data?
    3. What exceptions does it allow for?
    4. How does it affect security research?
    It's fine to write your answers in either paragraph-discussion form or bullet form. You should frame your answers in your own words; it's okay to take a few phrases directly from the papers, but if you do, quote them as such.

  2. Frame a new legal issue relating to computer security research (doesn't have to be network security) that you would like to explore, where "new" means not already developed in the assigned papers. Give your view of what is probably the "answer" based on your understanding from the papers. (Identify any sources you used in putting together your viewpoint.) Does this issue also raise ethical questions?

  3. Consider a security study involving human subjects that a researcher might want to pursue. (It's fine to shape this to fit a specific IRB-related issue that you would like to explore.) Propose a methodology for it and analyze how an IRB might assess the issues it raises. In particular, discuss: (1) why it's in scope for the IRB, (2) the role of consent, if any, (3) the role of deception, if any, and (4) your view of what is probably the "answer" (the decision the IRB would make) based on your current understanding. Keep in mind that generally IRBs want to enable research, so they look for ways to mitigate harm rather than simply reasons to say No.

  4. Optional: Feel free to include additional legal, ethical, or IRB issues, for which you needn't go into your views of the "answer", but which can serve as fodder for discussion during lecture.