RPR Review of Policy Research

531

Viewpoints and Perspectives ropr_521 531..538

Blurred Boundaries: Probing the Ethics of

Cyberspace Research
Ronald Deibert
Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global
Affairs, University of Toronto

Masashi Crete-Nishihata
Citizen Lab and Canada Centre for Global Security Studies, Munk School of Global
Affairs, University of Toronto

KEY WORDS: cyberspace, cyber security, research ethics

Introduction

In December of 2008, researchers from the University of Bonn and RWTH Aachen
University presented a talk at the 25th Chaos Communication Congress. The
researchers revealed they had the ability to take over command and control (C&C)
functions of the Storm botnet (a huge network of compromised computers), includ-
ing instructing compromised computers to download and execute codes. Although
the Storm botnet was being used to engage in illegal activities worldwide, the
security group cautioned that intervening in ways that affect compromised com-
puters is prohibited in many jurisdictions. They ultimately decided to monitor and
document, but not interfere, in the botnet’s activities (Danchev, 2009).
In April 2011, the Federal Bureau of Investigation and the U.S. Justice Depart-
ment issued a warrant that allowed Microsoft security personnel to take over the
Coreflood botnet, which had used stolen user credentials to steal an estimated $100
million from victims. With a court order permitting them to take over the C&C
servers, the personnel sent codes directly to compromised machines, stopping the
bots from contacting the C&C servers and effectively disabling the botnet. Govern-
ment filings claimed that the commands sent would not cause any damage to
compromised machines and would not provide officials with access to any user data.
However, some questioned how certain investigators could be that this approach
would not damage sensitive equipment, while others questioned whether this would
open the floodgates to other requests to disrupt the computers of individuals
engaged in questionable activity for a wide range of reasons (Richmond, 2011;
Zetter, 2011).
These two examples offer just a few illustrations of the growing number of
complex ethical and legal issues around cyberspace research, particularly in the
area of security. Our research group, the Citizen Lab (http://www.citizenlab.org/),
has been involved in several cases of cyber security research where ethical and legal
issues like these have confronted us directly.1 The cases include documenting major
global cyber espionage networks infecting thousands of computers in hundreds of
countries (Information Warfare Monitor, 2009), recovering copies of hundreds of
classified documents that were exfiltrated from victims in national security estab-
Review of Policy Research, Volume 28, Number 5 (2011)
© 2011 by The Policy Studies Organization. All rights reserved.
532 Ronald Deibert and Masashi Crete-Nishihata

lishments and embassies (Information Warfare Monitor, 2010), downloading from

Chinese-based servers evidence of millions of personally identifiable chats that were
obtained without consent by a covert surveillance system (Villeneuve, 2008), and
revealing the operations of a major global cyber crime network (Villeneuve, 2010).
In these and numerous other instances, we were faced with ethical and legal
dilemmas ranging from the nature of our methods, to the retention and storage of
data, to responsibilities we may have to notify victims, law enforcement, intelligence,
and foreign governments. As the research area was novel, with very few prior cases
of relevance, there was little to no precedent for us to guide the choices we made.
In many ways we were, and to a large degree still are, in terra incognita.
In the hope of further developing an ethical, normative, and legal framework to
guide our own and other’s research in cyberspace, in January 2011, we convened a
closed door workshop on principles of cyber security research. The workshop
brought together academics from numerous disciplines, representatives from ethics
review boards, private sector actors, and officials from law enforcement and gov-
ernment offices. Participants were divided into working groups to tackle real cases
and hard questions.2 Our efforts yielded some important insights and suggestions
for areas for further research, which we summarize below.

Principles and Ethics of Cyberspace Research: Terra Incognita

All research methods entail ethical considerations. Over time, scholars adhere to
protocols and best practices that are conventionalized within the discipline, as well
as local laws of the jurisdictions within which they live. Research areas that are
novel, however, present special challenges as boundaries and legal limits around
acceptable practices and methods may not be settled, and there may not be an
obvious set of precedents from which to draw. As a dynamic, newly emerging, and
increasingly contested domain that cuts across numerous political jurisdictions, and
public and private sectors, research on cyberspace politics and security squarely falls
into the latter category. There are at least three distinct areas of concern: methods,
data handling, and notification.

Principles and Ethics of Research Methods

Research on computer networks involves a variety of tools and methods, including
technical reconnaissance and monitoring, data collection, and remote inspection of
computers. Some of these methods involve accessing servers, accounts, and data
streams across or over computer networks in ways that raise ethical questions and
challenge prevailing assumptions and metaphors about what can be considered
acceptable research practices. For example, should we assign servers that have been
set up with the intent of committing a crime, the same protections against unau-
thorized access as are applied to servers operating under normal circumstances? In
the Coreflood case mentioned earlier, the matter was settled in the negative, but
with the backing of a court order. In the course of normal research circumstances,
academics are unlikely to operate under the authority of warrants and have to
search for guidance on their own. For its part, the Citizen Lab has chosen to draw
a red line around exploiting vulnerabilities that would be analogous to breaking
 Blurred Boundaries 533

into computers, but has approved of researchers engaging in reconnaissance on

what appear to be computers engaged in malicious activities that were improperly
secured or protected from public browsing. However thoughtfully these decisions
are made, they are still made in the absence of clear guidelines and with some
degree of ambiguity around what constitutes malicious behavior. In our workshop,
at least some participants likened such monitoring to “trespassing” while a majority
felt that the method was justified.
Another related ethical question around research methods concerns how
researchers conduct themselves online and engage the objects of analysis. Research-
ers may interface with the attackers, criminals, and others who are the object of their
research on web forums, Internet relay chat, and instant messaging programs.
While it may seem obvious for researchers to identify themselves clearly in the
circumstances of normal research, when that research is being conducted on mali-
cious activity the reasoning may not be so obvious. Self-identification may result in
the researcher being excluded from conversations altogether, or drive malicious
behavior to underground or alternative modes of communication, thus undermin-
ing the research. This quandary raises the question of under what conditions is it
ethical to deceive attackers, and whether research can be undertaken clandestinely.
For example, one method that Citizen Lab researchers have employed is to create
what is known as a “honeypot” computer to lure malicious actors to attempt
penetrations on controlled systems which can reveal information about their loca-
tion and possibly identity. Clearly, under normal research circumstances, such
deception would be considered unethical; however, the use of honeypots in com-
puter security research is a fairly common and accepted practice today.

Treatment of Confidential, Sensitive, Proprietary, Personal,

and Classified Information
The deluge of information generated by cyberspace and advances in techniques
and tools for data analytics introduce a variety of ethical issues. Data collection,
analysis, and fusion have become enormous commercial market sectors; new tools
and techniques are now regularly available to researchers that can produce detailed
profiles that include personally identifiable information obtained without the
consent of users. For example, a group of U.S. security researchers created an
awareness-raising project called “I Can Stalk U” in which they built an automated
scanning tool to collect hidden meta-data contained in uploaded photographs in
popular social networking sites that showed the precise geographic coordinates of
the user when the photograph was taken (see http://icanstalku.com/). Without the
permission of the users, the project shows the image and the resulting Google map
of the location—all obtained by passively scanning data that is secreted to the
Internet by unwitting users. Should consent be obtained prior to such research and
publication? Clearly, such consent would nullify the research project altogether, and
dash the awareness-raising objectives of the research project. But where to draw the
line between research that exposes such privacy-invasive problems for the public’s
good, and that which constitutes a breach of privacy itself, is not entirely clear.
Similarly, researchers are able to recover data from compromised computers or
criminal networks that contain personally identifiable information or even national
534 Ronald Deibert and Masashi Crete-Nishihata

security secrets. With whom and how should the data be shared? How should the
data be stored? What about data that is owned by a government and classified as
“restricted” or “secret,” or proprietary information that is stolen from a business?
Researchers may ask themselves under what conditions should sensitive or other-
wise confidential/private information be published, or redacted in some manner,
which bears upon questions of self-censorship and academic freedom. A decision
has to be rendered as to whether the publication of such information constitutes a
“public good,” and whether it needlessly endangers individuals or organizations, or
violates their rights to privacy. In some cases, such as handling of personally
identifiable information, there are clear guidelines from other areas of research and
public law that should be employed in the domain of cyberspace research. In other
areas—whether to publish national security secrets or proprietary information—
there is not a large prior precedence from which to draw guidance. As several
recent high-profile leaks and hacking attacks testify, the area as a whole is highly
turbulent and many sensitive and proprietary documents have been pushed to the
public domain

Notification and Outreach

A related set of ethical and legal questions concerns how far researchers may be
obligated to cooperate with law enforcement or intelligence agencies should they
come across evidence of criminal behavior, or activities that impinge upon national
security. It may seem sensible to assume that researchers should cooperate with law
enforcement and intelligence in all circumstances. However, law enforcement agen-
cies may request researchers withhold or delay publication of their findings so as
not to interfere with an ongoing criminal investigation. Cooperating with intelli-
gence agencies may undermine the perceived and real autonomy of academics, and
call into question the objectivity of the research enterprise as a whole—especially
when those agencies themselves are implicated in the research itself or the research
relates to an adversary country. Further questions arise when researchers are
located in jurisdictions other than those of the affected parties, or are collaborating
with each other across multiple national jurisdictions. Whom to notify in such
circumstances can be complicated, and even affect issues of international politics,
putting academics in the potentially precarious position of being “players,” as
opposed to “spectators,” of the domain they study.
A different set of questions surround the notification of victims. Individuals,
organizations, companies, and governments have all been victims of cyberspace
security breaches in recent years. What obligations do researchers have to notify
victims uncovered in the course of their research? Again, the answer may seem
intuitively obvious, but in practical terms the complexities and problems can be
enormous. For example, the Information Warfare Monitor’s Tracking Ghostnet
report uncovered thousands of compromised machines in 103 countries, many of
them in diplomatic missions’, governments’, and even in prime minister’s offices.
The scale of the task of the notification alone was thus quite substantial and beyond
the means of a small research unit. A more manageable, but still open-ended set of
questions concerns notification of hosting and service providers whose customers’
accounts may be breached, or used as the staging ground for malicious activities.
 Blurred Boundaries 535

Notification in such circumstances may help rid the Internet of malicious activity,
but it could also amount to a form of extra-judicial vigilantism, whereby users are
severed from the Internet without due process because of the actions taken by
researchers in coordination with hosting companies.

Gaps in Institutional Oversight

Finding guidance for navigating the vexing ethical questions raised earlier is
further complicated by institutional gaps in traditional academic research ethics
bodies. Research ethics standards and protocols for biomedical and behavioral
research are well developed. However, these guidelines do not necessarily directly
translate to cyberspace research. In cyberspace research, the study subjects are
typically computers and networks rather than human participants. The lack of
direct interaction with a human subject, and agreed-upon metrics for assessing
harm, complicates the application of research ethics principles such as informed
consent, systematic assessment of risk and benefits, and selection of subjects.
Cyberspace researchers have recognized the importance of research ethics com-
mittees in evaluating research protocols, but contend that they may be ill-equipped
to assess the ethical soundness of cyberspace studies because of a lack of shared
community values and insufficient subject matter expertise on review boards
(Dittrich, Bailey, & Dietrich, 2010; Garfinkel, 2008). On the other side of the
equation, cyberspace researchers may not have the same level of experience with
research ethics review processes and consideration as colleagues in more traditional
disciplines.

Conclusion
The rapid and extensive growth of cyberspace has made the domain a global
environment that increasingly pervades all human activity. This expansion has
brought about steadily increasing digital footprints and information saturation. We
now live in the era of “big data.” As the deluge of information continues so do efforts
to develop data analysis and fusion capabilities to monitor and understand the
properties and interactions of cyberspace. At the forefront of these efforts are
technology companies and government agencies who have clear interests and
extensive resources to advance analytical tools and techniques (Lazer et al., 2009).
The demand for such development has created a major commercial sector and
there are estimates that the global cyber security market is between USD 80 and 140
billion annually (Seetharaman, 2010). As cyberspace continues to expand, and
malicious activity increases, the questions outlined in our paper will only grow and
become more critical.
Although best practices for cyberspace research will evolve in time, until then
there are several steps that can be taken to nurture the processes of good research
while guarding against unethical and even illegal choices.

Improve Academic Ethics Review Boards’ Literacy of Cyberspace Research and

Cyberspace Researchers’ Literacy of Research Ethics

Further engagement on all of the issues stated earlier, through the vehicles of
interdisciplinary workshops and case studies of real-world research projects, will
536 Ronald Deibert and Masashi Crete-Nishihata

help illuminate the ethical and legal puzzles facing researchers in this area. Cyber-
space researchers should engage in ethics review committees and research ethics
should be introduced in computer security education and conferences to help
promote dialogue and increased knowledge transfer between these communities.3

The Need for Explicit Research Rationales and the Use of Research Warrants

In lieu of a research ethics board review for specific projects, which may not be
appropriate in every circumstance of cyberspace research (for example, technical
research that does not involve human subjects), researchers should aim to set the
highest possible standards for every step of their research, including methods, data
handling, and notification and outreach. The best way to ensure that these stan-
dards are met is through careful, clear, and explicit documentation of research
methods and justification of the choices that are made along each step of a particu-
lar project. Doing so can build up reference points and a knowledge base for future
research. In the reports in which the Citizen Lab has faced vexing ethical and legal
questions, we have employed “research warrants,” written by the principal investi-
gator, that outline the nature and justification for all aspects of the research, which
are then incorporated into the text of the published reports. Researchers facing
similar uncertainties may want to employ the same “research warrant” model as a
way to build up case-studies and lessons learned for future research.

Research Advocacy

As cyberspace becomes increasingly contested, and security issues become more

critical, there are growing pressures to regulate the space. Such regulations may
impact the ability of cyberspace researchers to conduct their studies. For example,
intellectual property laws have led to a tightening around the freedom of academics
to engage in research on cryptographic methods that could be seen as a violation of
those laws (Ku, 2004–2005). Cyberspace researchers have a responsibility to advo-
cate for the importance of the field and its methods under the rubric of academic
freedom principles so they do not become threatened by legislation that may
unduly encroach on the ability to conduct research. This advocacy could include
getting the topic into the mainstream, making the practitioner community sensitive
to the issues, and furthering the ethics of cyberspace research as a field of study of
its own.

Research Autonomy

Relatedly, the securitization of cyberspace is helping to produce a major military

industrial complex of enormous proportions (Deibert & Rohozinski, 2011). A huge
market for cyber security research, services, and products has exploded that serves
both the government and the private sector. Academics may be tempted by the
research funds and other opportunities that come available as this market segment
grows. It is imperative, however, that researchers be cautious that such funds and
opportunities do not come with strings that impinge on academic freedom or
prejudice research findings to suit parochial government or commercial interests.
 Blurred Boundaries 537

Acknowledgements
We are grateful for the input and assistance of Rafal Rohozinski, Adam Senft, Howard
Simkevitz, Nart Villeneuve, and our colleagues at the OpenNet Initiative and the Information
Warfare Monitor projects. We would like to especially thank all the participants of CTRL X
Ethics workshop held on January 17–18, 2011 at the Munk School of Global Affairs (University
of Toronto) for engaging the issues with us and sharing their thoughts and feedback. Support
for this project was provided by the Canada Centre for Global Security Studies, the John D. and
Catherine T. MacArthur Foundation, and the SecDev Group (Ottawa).

Notes
1 Dr. Rafal Rohozinski, Senior Scholar at the Canada Centre for Global Security Studies, Munk School
of Global Affairs (University of Toronto) and CEO of the SecDev Group and Psiphon Inc. is a principal
investigator of the Information Warfare Monitor and OpenNet Initiative. Dr. Rohozinski was instru-
mental in all of these projects as well as the workshop from which this paper draws.
2 A synthesis and analytical report on the workshop is available at http://www.infowar-monitor.net/
ethicsreport
3 There has been some recent progress in this area. For example, the Symposium on Usable Privacy and
Security now requires that article submissions outline “how the authors addressed any ethical consid-
erations applicable to the research and user studies, such as passing an Institutional review” (see
http://cups.cs.cmu.edu/soups/2011/cfp.html). In other efforts the U.S. Department of Homeland Secu-
rity has convened a multi-stakeholder working group to draft ethical guidelines for cyber security
research (see Kenneally et al., 2011).

References
Danchev, D. (2009, January 16). Legal concerns stop researchers from disrupting the Storm Worm botnet. ZD Net.
Retrieved from http://www.zdnet.com/blog/security/legal-concerns-stop-researchers-from-disrupting-the-
storm-worm-botnet
Deibert, R., & Rohozinski, R. (2011, March 28). The new cyber military-industrial complex. Globe and mail.
Retrieved from http://www.theglobeandmail.com/news/opinions/opinion/the-new-cyber-military-
industrial-complex/article1957159
Dittrich, D., Bailey, M., & Dietrich, S. (2010). Building an active computer security ethics community. IEEE
Security and Privacy, 99, 88–93.
Garfinkel, S. L. (2008). IRBs and security research: Myths, facts and mission creep. In proceedings of USENIX
Usability, Privacy, and Security 2008, April 14, San Francisco, CA. Retrieved from http://www.usenix.org/
events/upsec08/tech/full_papers/garfinkel/garfinkel.pdf
Information Warfare Monitor. (2009). Tracking ghostnet: Investigating a cyber espionage network. Retrieved from
http://infowar-monitor.net/ghostnet
Information Warfare Monitor. (2010). Shadows in the cloud: Investigating cyber espionage 2.0. Retrieved from
http://shadows-in-the-cloud.net
Kenneally, E., Stavrou, A., McHugh, J., & Christin, N. (2011). Moving forward, building an ethics community (panel
statements). In proceedings of 2nd Workshop on Ethics in Computer Security Research 2011. Retrieved
from http://www.caida.org/ . . . /moving_forward_building_ethics/moving_forward_building_ethics.pdf
Ku, V. (2004–2005). A critique of the digital millennium copyright act’s exemption on encryption research: Is
the exemption too narrow? Yale Journal of Law & Technology, 7, 466–490.
Lazer, D., Pentland, A., Adamic, L., Aral, S., Barabási, A., Brewer, D., et al. (2009). Computational social science.
Science, 329, 721–723.
Richmond, R. (2011, April 14). U.S. says it shut down password theft network. New York Times. Retrieved
from http://bits.blogs.nytimes.com/2011/04/14/u-s-says-it-shut-down-password-theft-network/?scp=4&
sq=rustock&st=cse
Seetharaman, D. (2010, September 10). Arms makers turn focus from bombs to bytes. Reuters. Retrieved from http:
//www.reuters.com/article/2010/09/10/us-aero-arms-summit-cybersecurity-idUSTRE6893EI20100910
Villeneuve, N. (2008). Breaching trust: An analysis of surveillance and security practices on China’s TOM-Skype platform.
Information Warfare Monitor. Retrieved from http://infowar-monitor.net/breachingtrust
Villeneuve, N. (2010). Koobface: Inside a crimeware network. Information Warfare Monitor. Retrieved from
http://infowar-monitor.net/koobface
Zetter, K. (2011, April 13). With court order, FBI hijacks “Coreflood” botnet, sends kill signal. Wired: Threat level.
Retrieved from http://www.wired.com/threatlevel/2011/04/coreflood/
Copyright of Review of Policy Research is the property of Wiley-Blackwell and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission.
However, users may print, download, or email articles for individual use.