DAVID FARBER
2018-07-25 17:21:15 UTC
Date: July 26, 2018 at 12:59:56 AM GMT+9
Subject: Re: [IP] MASSIVE ethical failure and privacy violation by Dropbox
The facts reported in Wired do not appear to support the conclusion of MASSIVE ethical failure.
1. The data was de-identified before it went to the researchers.
2. Quasi-identifiers were put into ranges, rather than being reported with individual values.
3. The researchers who received the de-identified data signed a confidentiality agreement.
U.S. law, from the FTC and HHS, has supported the lawfulness of doing research on de-identified data when both technical and administrative controls of this sort are in place.
Specifically, HIPAA does not require or expect individual consent or IRB approval when the data had been properly de-identified.
An overall judgment of the sufficiency of the technical and administrative controls would require more detail than Wired reports.
Based on the reporting, however, it is not clear in what respect Dropbox varied from common good practice, even if the data were sensitive health data covered by HIPAA.
Peter
Peter Swire
Ph: 240-994-4142
www.peterswire.net
Sent from phone: apologies for brevity and typos.
This message was sent to the list address and trashed, but can be found online.
-------------------------------------------
Date: July 25, 2018 at 9:38:08 AM GMT+9
Subject: [ NNSquad ] MASSIVE ethical failure and privacy violation by Dropbox
MASSIVE ethical failure and privacy violation by Dropbox
https://www.wired.com/story/dropbox-sharing-data-study-ethics/
But it still appears this research was conducted without the
express consent of the thousands of customers whose
information Dropbox and the researchers accessed (the HBR
article originally suggested that 400,000 users' data was
analyzed, while Dropbox says that the study dealt with data
from 16,000 customers). Late Tuesday HBR added a second
editors' note indicating that the researchers started with
information on 400,000 "unique users" but pared the data set
down to 16,000 after incorporating data from Web of Science.
HBR editors also updated the article to indicate that it
wasn't 1,000 universities that were included, but rather 1,000
separate departments. Informed consent, one of the
cornerstones of academic research, is one of the things that
got Facebook in so much trouble back in 2014 ...
- - -
--Lauren--