Homework #17 - Legal and Ethical Issues - Due Sunday Oct 30, 11PM
Turn in this assignment via email (firstname.lastname@example.org)
by the due date, with the term Homework in the Subject.
Read the following papers:
- Conducting Cybersecurity Research Legally and Ethically, Aaron Burstein,
First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08).
- Conducting Phishing Experiments, Peter Finn and Markus Jakobsson,
IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007.
Answer the following:
It's fine to write your answers in either paragraph-discussion form or
bullet form. You should frame your answers in your own words;
it's okay to take a few phrases directly from the papers,
but if you do, quote them as such.
- The first paper frames (i) the Wiretap Act, (ii) the Pen
Register / Trap and Trace statute, and (iii) the Stored Communications
Act. For each of these, sketch:
  - What sort of data does it cover? (The type of information that is subject
  - What does it say about collecting, use of, and disclosing that data?
  - What exceptions does it allow for?
  - How does it affect security research?
- Frame a new legal issue relating to computer security research (doesn't
have to be network security) that you would like to explore, where
"new" means not already developed in the assigned papers.
Give your view
of what is probably the "answer" based on your understanding from the
papers. (Identify any sources you used in putting together your
viewpoint.) Does this issue also raise ethical questions?
- Consider a security study involving
human subjects that a researcher might want to pursue.
(It's fine to shape this to fit a specific
IRB-related issue that you would like to explore.)
Propose a methodology
for it and analyze how an IRB might assess the issues it
raises. In particular,
discuss: (1) why it's in scope for the IRB, (2) the role of consent, if any,
(3) the role of deception, if any, and (4) your view of what is probably
the "answer" (the decision the IRB would make) based on your current
Keep in mind that generally IRBs want to enable research, so they
look for ways to mitigate harm rather than simply reasons to say No.
- Optional: Feel free to include additional legal, ethical,
or IRB issues,
for which you needn't go into your views of the "answer", but which can
serve as fodder for discussion during lecture.