In a Perspective piece published in Nature Machine Intelligence, two health and ethics scientists have discussed the ethics of using data stolen from hackers to conduct scientific research. One is from the Swiss Federal Institute of Technology, the other is from ETH Zurich. The authors of the paper discuss the ethical considerations surrounding the use of hacked data, illustrate how they compare those to past developments and conclude with six guidelines that they believe researchers need to follow when considering the use of hacked data.
Researchers are regularly able to access hacked data. In 2015, for example, data from the Ashley Madison dating site was hacked and made publicly available. But by doing so, ethical concerns are raised since the individuals whose data is used for this purpose are not consenting to such use. In order to ensure ethical use of such data, the researchers propose that researchers determine whether and under what conditions it is ethical. Researchers compare this to their debate over the ethics of following the experiments conducted by Nazi-era doctors on non-consenting subjects. A number of other recent works, such as the Belmont Report and the Oviedo Convention, have also recommended guidelines for ethically challenging situations. Researchers considering using hacked data should consider a set of ethical standards that could guide them.
A hacked resource is unique. Is it so hard to find anywhere else? After identifying the value of the data, they suggest researchers compare its value to the benefits the data may provide. Researchers are further recommended to consider whether consent can be obtained from the individuals represented in the data, or if not, whether it is possible to protect the data from being linked to individuals. It is suggested that they provide proof of how much data was obtained if they use it. Moreover, the authors suggest that privacy be considered and that such data should be clearly disclosed in papers explaining the use of such data without consent. As a final note, they suggest that any research effort involving hacked data information. It must be approved by the Institutional Review Board first.