top | item 46607352

(no title)

paultopia | 1 month ago

Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. Uh, how?? It's clearly human subjects research under the conventional federal definition[1] and obviously posed a meaningful risk of harm, in addition to being conducted deceptively. Someone has to have massively been asleep at the wheel at that IRB.

[1] https://grants.nih.gov/policy-and-compliance/policy-topics/h...

discuss

derbOac|1 month ago

I've also had to deal with the IRB a lot as a professor. The retroactive application is extremely weird (although maybe better than nothing?).

This seems like one of those situations that would usually require regular review to err on the side of caution if nothing else. It's worth pointing out there are exceptions though:

https://grants.nih.gov/sites/default/files/exempt-human-subj...

Generally those exceptions fall into "publicly observable behavior", which I guess I could see this falling into?

It's ethically unjustified how the whole thing actually happened but I guess I can see an IRB coming to an exemption decision. I would probably disagree with that decision but I could see how it would happen.

In some weird legalistic sense I can also see an IRB exempting it because the study already happened and they couldn't do anything about it. It's such a weird thing to do and IRBs do weird things sometimes.

amypetrik214|1 month ago

>I've also had to deal with the IRB a lot as a professor. The retroactive application is extremely weird (although maybe better than nothing?).

I mean I feel like the IRB is mostly dealing with medical stuff. "I want to electrocute these students every week to see if it cures asthma". "No that's too much.. every other week at most". "Great I'll charge up the electrodes"

So if a security researcher rolls in after the fact and says "umm yea so this has to do with nerd stuff, computers and kernels, no humans, and I just want it all to be super secure and nobody gets hacked, sound good" "ok sure we don't care if no people are involved and don't really understand that nerd stuff, but hackers bad and you're fighting hackers"

harvey9|1 month ago

I can see the irb giving retroactive approval solely because of political pressure. Which is why legitimate studies seek approval in advance.

tptacek|1 month ago

The whole story is a good example of why there are IRBs in the first place --- in any story not about this Linux kernel fiasco people generally cast them as the bad guys.

NetMageSCW|1 month ago

Since this IRB approved the study, what good were they?

something765478|1 month ago

I think they should have gotten permission from IRB ahead of time, but this doesn't sound like they were researching human subjects? They were studying the community behind the Linux kernel, and specifically the process for gatekeeping bad changes from making it to the kernel; they weren't experimenting on specific community members. Would you consider it human experimentation if I was running an experiment to see if I could get crappy products listed on Amazon, for example?

nearlyepic|1 month ago

> they weren't experimenting on specific community members.

Yes, they were. What kind of argument is this? If you submit a PR to the kernel you are explicitly engaging with the maintainer(s) of that part of the kernel. That's usually not more than half a dozen people. Seems pretty specific to me.

firefax|1 month ago

>I think they should have gotten permission from IRB ahead of time, but this doesn't sound like they were researching human subjects?

I assure you that it falls under IRB's purview -- I came into the thread intending to make grandparent's comment. When using deception in a human subjects experiment, there is an additional level of rigor -- you usually need to debrief the participant about said deception, not wait for them to read about it in the press.

(And if a human is reviewing these patches, then yes, it is human subjects research.)

dessimus|1 month ago

> Would you consider it human experimentation if I was running an experiment to see if I could get crappy products listed on Amazon, for example?

Yes, if in the course of that experimentation, you also shipped potentially harmful products to buyers of those products "to see if Amazon actually let me".

fwip|1 month ago

A community is made out of humans.

jruohonen|1 month ago

> Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. .... in addition to being conducted deceptively

There are cases where deception (as they call it) can be approved (even by ethics boards). Based on the Verge's article, this research setup should not have been approved even by then. But the topic itself seems as relevant as ever with the xz case and all.

tdeck|1 month ago

Right, that's something to discuss at the IRB review. But they didn't even do an IRB review before conducting the experiment. After the outcry, they went back to the IRB and said "was this OK?"

lawejrj|1 month ago

Maybe you're over-estimating how much universities actually care about ethics and IRB.

I reported my advisor to university admin for gross safety violations, attempting to collect data on human subjects without any IRB oversight at all, falsifying data, and falsifying financial records. He brought his undergrad class into the lab one day and said we should collect data on them, (low hanging fruit!) with machinery that had just started working a few days prior, we hadn't even begun developing basic safety features for it, we hadn't even discussed design of experiments or requesting IRB approval for experiments. We (grad students) cornered the professor as a group and told him that was wildly unacceptable, and he tried it multiple more times before we reported him to university admin. Admin ignored it completely. In the next year, we also reported him for falsifying data in journal papers and falsifying financial records related to research grants. And, oh yeah, assigning Chinese nationals to work on DoD-funded work that explicitly required US citizens and lying to the DoD about it. University completely ignored that too. And then he got tenure. I was in a Top-10-US grad program. So in my experience, as long as the endowment is growing, university admin doesn't care about much else.

samgranieri|1 month ago

This is retroactive ass covering by the UMN IRB.

advisedwang|1 month ago

A reteroactive exception!

knallfrosch|1 month ago

Don't worry, the university investigated itself (again) and (again) found no wrongdoing. /s