CAIDA's Application to the UCSD IRB
On October 17, 2008, CAIDA submitted its first application to the UCSD Human Research Protections Program (HRPP) office, care of its Director, Michael Caligiuri, requesting review of our research protocol by the campus Institutional Review Board (IRB). The application covered the general traffic and other data analysis work we have done for the last 10 years, not including any research involving payload (which we define as anything past the TCP/IP header). Although we expected it to go to a full panel review, our application was given expedited review and approved within 10 days.
On October 31, 2009, CAIDA resubmitted an application to the HRPP requesting review of our updated research protocol by the campus IRB at its November 30, 2009 meeting. On December 2, 2009, the committee asked for clarification of the controls on, and mitigation of, potential risks of disclosure and the potential problems that might arise as a result of the data collection. On December 14, 2009, CAIDA submitted a final application with clarifications for review by the IRB. On January 7, 2010, CAIDA received word from the UCSD HRPP acknowledging CAIDA's "thoughtful and substantive response" and reporting the IRB committee's unanimous decision that our proposed activity does not satisfy the regulatory definition of human subjects research and therefore falls outside the jurisdiction of the IRB.
In an effort to assist other researchers working with Internet data, CAIDA worked with legal advisors, data providers, network researchers, and other experts on privacy protection and risk mitigation to propose a set of ethical guidelines. The Department of Homeland Security (DHS) PREDICT project (Protected Repository for the Defense of Infrastructure Against Cyber Threats, a program in the Cyber Security Division (CSD) of DHS's Science and Technology Directorate) sponsored a series of workshops and a report-drafting process. The objective of the workshops was to help distill and summarize a set of basic principles to guide the identification and resolution of ethical issues in research about or involving information and communication technology (ICT). The approach was to interpret and extend traditional ethical principles, i.e., those outlined in the 1979 Belmont Report pertaining to biomedical and psychological research, to enable ICT researchers and their oversight entities to assess and render ethically defensible research. The resulting report, titled "The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research" ("Menlo Report"), was released for public comment on the Federal Register on December 28, 2011. A Companion Report details the principles and applications more granularly and illustrates their implementation in real and synthetic case studies.