Menlo Report

The Menlo Report is a report published by the U.S. Department of Homeland Security Science and Technology Directorate, Cyber Security Division that outlines an ethical framework for research involving Information and Communications Technologies (ICT).

The 17-page report was published on August 3, 2012. The following year, the Department of Homeland Security published a 33-page companion report that includes case studies that illustrate how the principles can be applied.

The Menlo Report adapted the original Belmont Report principles (Respect for Persons, Beneficence, and Justice) to the context of cybersecurity research & development, as well as adding a fourth principle, "Respect for Law and Public Interest."

The Menlo Report was created under an informal, grassroots process that was catalyzed by the ethical issues raised in ICT Computer security research. Discussions at conferences and in public discourse exposed growing awareness of ethical debates in computer security research, including issues that existing oversight authorities (e.g., Institutional Review Boards) might have been unaware of or determined were beyond their purview. The Menlo Report is the core document stemming from the series of working group meetings that broached these issues in an attempt to pre-empt research harms and galvanize the community around common ethical principles and applications.

This report proposes a framework for ethical guidelines for computer and information security research, based on the principles set forth in the 1979 Belmont Report, a seminal guide for ethical research in the biomedical and behavioral sciences. The Menlo Report describes how the three principles in the Belmont report can be applied in fields related to research about or involving information and communication technology. ICT research raises new challenges resulting from interactions between humans and communications technologies. In particular, today's ICT research contexts contend with ubiquitously connected network environments, overlaid with varied, often discordant legal regimes and social norms.

The Menlo Report proposes the application of these principles to information systems security research although the researchers expect the proposed framework to be relevant to other disciplines, including those targeted by the Belmont report but now operating in more complex and interconnected contexts. The Menlo Report details four core ethical principles, three from the original Belmont Report.


 * respect for persons
 * beneficence
 * justice

It has an additional principle - respect for law and public interest. The report explains each of these in the context of ICT research.

Principles of the Menlo Report
The Menlo Report attempts to summarize a set of basic principles to guide the identification and resolution of ethical problems arising in research of or involving ICT. The report believes that ICT has increasingly become integrated into individual and collective daily lives and affects our social interactions.

It believes that the challenges of ICTR risk assessment is derived from these three factors:

- The researcher-subject relationships, which tend to be disconnected, dispersed, and intermediated by technology

- The proliferation of data sources and analytics, which can heighten risk incalculably

- And the inherent overlap between research and operations.

In order to properly apply any of the principles in the complex setting of ICT research, it deems that it is first necessary to perform a systematic and comprehensive stakeholder analysis.

The proposed guidelines for ethical assessment of ICT Research are as follows:


 * Respect for Persons. Participation as a research subject is voluntary, and follows from informed consent. Therefore, the research should treat individuals as autonomous agents and respect their right to determine their own best interests, respect individuals who are not targets of research yet are impacted, Individuals with diminished autonomy who are incapable of deciding for themselves and are entitled to protection.
 * Beneficence.  Do not harm. Maximize probable benefits and minimize probable harms. Systematically assess both risk of harm and benefit.
 * Justice. Each person deserves equal consideration in how to be treated, and the benefits of research should be fairly distributed according to individual need, effort, societal contribution, and merit. Selection of subjects should be fair, and burdens should be allocated equitably across impacted subjects.
 * Respect for Law and Public Interest. Engage in legal due diligence and be transparent in methods and results. Be accountable for actions.

Respect for Persons
Appropriate application of the four principles requires that Stakeholder analysis must first be performed. Thorough stakeholder analysis is important to identify: the correct entity(s) from whom to seek informed consent; the party(s) who bear the burdens or face risks of research; the party(s) who will benefit from research activity; and, the party(s) who are critical to mitigation in the event that chosen risks come to fruition.

Informed consent assures that research subjects who are put at risk through their involvement in research understand the proposed research, the purpose for which they are being asked to participate in research, the anticipated benefits of the research, and the risks of the subject's participation in that research. They are then free to choose to accept or decline participation. These risks may involve identifiability in research data but can extend to other potential harms.

Beneficence
Assessing potential research harm involves considering risks related to information and information systems as a whole. Information-centric harms stem from contravening data confidentiality, availability, and integrity requirements. This also includes infringing rights and interests related to privacy and reputation, and psychological, financial, and physical well-being. Some personal information is more sensitive than others. Very sensitive information includes government-issued identifiers such as Social Security, driver's license, health care, and financial account numbers, and biometric records. A combination of personal information is typically more sensitive than a single piece of personal information.

Basic research typically has long-term benefits to society through the advancement of scientific knowledge. Applied research generally has immediately visible benefits. Operational improvements include improved search algorithms, new queuing techniques, new user interface capabilities.

The principle of balancing risks and benefits involves weighing the burdens of research and risks of harm to stakeholders (direct or indirect), against the benefits that will accrue to the larger society as a result of the research activity. The application of this principle is perhaps the most complicated because of the characteristics of ICTR. This compels us to revisit the existing guidance on research design and ethical evaluation.

Circumstances may arise where significant harm occurs despite attempts to prevent or minimize risks, and additional harm-mitigating steps are required. ICT researchers should have (a) a response plan for reasonably foreseeable harms, and (b) a general contingency plan for low probability and high impact risks.

Justice
The report believes that research should be designed and conducted equitably between and across stakeholders, distributing research benefits and burdens. Research directed at ICT itself may be predicated on exploiting an attribute (e.g., economically disadvantaged) of persons which is not related to the research purpose. Hence, it can facilitate arbitrary targeting by proxy. On the other hand, the opacity and attribution challenges associated with ICT can inherently facilitate unbiased selection in all research as it is often impracticable to even discern those attributes.

Respect for Law and Public Interest
Applying respect for law and public interest through compliance assures that researchers engage in legal due diligence. Although ethics may be implicitly embedded in many established laws, they can extend beyond those strictures and address obligations that relate to reputation and individual well-being, for example.

Transparency is an application of respect for law and public interest that can encourage assessing and implementing accountability. Accountability ensures that researchers behave responsibly, and ultimately it galvanizes trust in ICTR. Transparency-based accountability helps researchers, oversight entities, and other stakeholders avoid guesswork and incorrect inferences regarding if, when, and how ethical principles are being addressed. Transparency can expose ethical tensions, such as the researcher's interest in promoting openness and reproducibility versus withholding research findings in the interests of protecting a vulnerable population.

Companion Report
The Companion Report is a complement to the Menlo Report that details the principles and applications in more detail and illustrates their implementation in real and synthetic case studies. It is intended for the benefit of society, by showing the potential for harm to humans (direct or indirect) and by helping researchers understand and preempt or minimize these risks in the lifecycle of their research.