When Cyber-Research Goes Awry: The Ethics of the Rimm "Cyberporn" Study Jim Thomas Department of Sociology Northern Illinois University DeKalb, IL (60115) jthomas@sun.soci.niu.edu -------------------------- Forthcoming in: THE INFORMATION SOCIETY, 1996: Vol 12(2). (copyright by TIS) --------------------------- ABSTRACT Like most things that we take for granted, we rarely pay attention to ethical issues in research until something goes horribly wrong. Focusing on a recent cyber-research project gone-awry, this essay illustrates why ethical issues should be continually confronted and discussed by scholars and non-scholars alike. ==================== When Laud Humphreys (1970) published Tea Room Trade over two decades ago, he drew unprecedented criticism from social scientists for the ethics of his study of gay culture and lifestyles. Humphreys developed an innovative method to identify subjects and gather data. First, he lingered in truckstop restrooms and watched for gay sexual activity, on occasion even serving as "lookout" for the participants. Then, he recorded the automobile license numbers of the participants as they left the area. From the licenses, he obtained the names and addresses of the gay participants and, several months later, contacted them as if they were randomly selected for an unrelated sociological study. Although his published works did not reveal personal or other damaging information, did not provide any details of individuals, and put no subjects at risk, Humphreys was castigated as an unethical scholar. His study also generated considerable debate over the ethical obligations of social scientists toward human subjects. Like most things that we take for granted, we rarely pay attention to ethical issues in research until something goes horribly wrong. Often relegated to peripheral lectures in methods courses, assigned to obscure academic committees for occasional review, and given little thought by anybody else, some may assume that the issues are of neither substantive importance nor significant relevance outside of a small circle of scholars. Here, I challenge this assumption. Focusing on a recent cyber-research project gone-awry, this essay illustrates why ethical issues should be continually confronted and discussed by scholars and non-scholars alike. All research possesses potential ethical dilemmas, but naturalistic research would seem to pose the greatest risks. Associated with ethnography and other methods that draw from direct observation of, participation in, or interviews with subjects, naturalistic research requires inside information and revelation about the interactions and minute activity of participants. This increases the risk of privacy intrusion, manipulation of subjects, and dissemination of potentially harmful information (Thomas and Marquart, 1988). Even the most mundane fieldwork projects can pose ethical problems, because: Fieldwork takes us into a potentially vast range of social settings which can lead to unpredictable consequences for researcher and researched. The ethical factors associated with the control and regulation of social scientific research are accentuated in participant observation because the fieldworker often has to be interactionally "deceitful" in order to survive and succeed. Ethical codes fail to solve the situational ethics of the field and threaten to restrict considerably a great deal of research (Punch, 1986, p. 71). Mario Brajuha (1986) learned this in the course of his dissertation study of restaurant workers. Brajuha collected fieldnotes and interview data, observing the usual ethical canons. During his research, there was a fire in the restaurant, and the police suspected arson. They demanded that he turn over his data in hopes of discovering a clue to the arsonist. What should he do? Formal ethical guidelines and professional codes were of little use, and he was left to work out the solution guided by his own precepts of "right." Because he had promised his subjects anonymity, he refused to release the data, and was jailed for contempt of court. The lesson for all researchers from Brajuha's experience, including those engaged in electronic data gathering, is simple, yet profound: Ethical dilemmas can occur in any research. Without constant attention to ethical problems, not only do researchers risk improprieties, but both audiences and subjects may be affected when problems arise. It may seem that positivist-derived research poses fewer problems, but such an assumption may be premature. Positivistic research most generally refers to surveys, experiments, and other forms of data gathering and processing in which observations are reduced to numbers, usually for the purposes of statistical descriptions and hypothesis testing. Examples in cyberspace include generating frequencies of posts in Usenet groups, comparing the distribution of male and female posters cross-tabulated by topic, or testing "Godwin's Law," which holds that the longer an argument continues in a discussion group, the probability of Nazis or Hitler being invoked approaches one. However, that research subjects are rendered invisible beneath the cloak of cross-tabs and regression equations does not exclude researchers from potential ethical concerns. A recent highly visible study illustrates how lapses can slip by multiple levels of professionals who presumably follow their own ethical codes. THE "CARNEGIE MELLON/MARTIN RIMM" STUDY When Time Magazine featured as its cover story a research project about "pornography" on the Internet (Elmer-Dewitt, 1995), people took notice, but not for the reasons Time editors likely had hoped. The story reported the results of a Carnegie Mellon University (CMU) undergraduate's "cyberporn" project published in The Georgetown Law Journal (Rimm, 1995a). Although discredited on intellectual and other grounds (Hoffman and Novack, 1995; Godwin, 1995), questions immediately arose about the ethics of the study and the multiple gate-keeping and oversight processes that ignored the numerous overt ethical problems (Thomas, 1995a, 1995b). The study was a long-term research project by then-undergraduate, Marty Rimm. Originally called the "Carnegie Mellon Study," but later renamed the "Rimm Study" after CMU distanced itself following revelations of impropriety, it seemed innocuous enough. The study was an analysis of the text descriptions of erotica files taken from adult BBSes in the U.S. It included analysis of Usenet posts from the alt.binaries hierarchy, and summary statistics on Usenet readership obtained from private newsgroup configuration files of users on a CMU computer system. The study claimed to be comprehensive, the first of its kind, and "scientific." It was controversial not only because of its flaws, but because of its findings, which included "discovery" of a substantial amount of freely-available "pornography in findings were presented. Normally, a fatally flawed undergraduate research project would attract little attention, even if ethical violations were serious. The Rimm study was an exception for several reasons. First, it was ostensibly on a highly controversial and timely topic, "pornography" on the Internet. Second, many of the findings were challenged by other observers. Third, it was published in a reputable, although non-peer reviewed, law journal. Fourth, it became the cover story of Time Magazine. Fifth, it received considerable media attention, including a segment on ABC's Nightline. Sixth, it was cited in Congressional hearings as evidence that the Internet should be controlled to reduce "indecent" material. Seventh, Rimm was invited to present his findings before Congressional hearings in support of the "Communications Decency Act," which was part of the larger Telecommunications Bill before Congress in 1995. Rimm's invitation to testify was withdrawn when the study's improprieties emerged. Finally, the "research team" drew attention because it was allegedly comprised of deans, professors, administrators, and others, under the direction of an undergraduate "principal investigator." THE ETHICAL VIOLATIONS OF THE RIMM STUDY The Rimm study centered on three main data gathering techniques. The primary data were gathered by initial modem or voice contact with "approximately 1,000" BBS systems to collect an initial pool of subjects (Rimm, 1995a: 1877). From these, 91 were ultimately chosen, but only 35 were used. The research team downloaded descriptions of "pornographic files" for analysis by a linguistic parsing software script designed for the study. The BBSes were not public, and the methodological discussion indicates that at least half of the BBSes required proof of age, among other information, as a requirement for access (Rimm, 1995a: 1878). In other words, the BBSes were not accessible to the general public, thus removing any compliance exemption that a project might receive for conducting research in public settings. Other data came directly from sysops about files, users, and other normally privileged information. Supplemental data were taken from the usage statistics of a university computer site that allowed tracking of "the number of individual users at the university who accessed pornographic and/or non-pornographic Usenet newsgroups one a month or more" (Rimm, 1995a: 1865-66). Drawing from the Federal Human Subjects guidelines (1991) and Belmont Report (1979) summarized in the introduction to these essays, it is evident that the Rimm study was intended as research. It is equally indisputable that it involved gathering information from human subjects. It is also indisputable that the research involved direct interaction between at least some BBS sysops, and that the data collection included gathering information from non-public sources for which there is no evidence that permission was acquired. There are several areas of ethical concern in the Carnegie Mellon study. Some are relatively minor and simply raise questions. Others are devastating. 1. The CMU research team gathered data on the Usenet reading habits of 4,227 users on a university computer system (Rimm, 1995a: 1865-66; 1870-71). It is not clear precisely how these figures were gathered, because the methodological discussion leaves room for considerable ambiguity. Only one cryptic footnote provides clues, which itself raises questions about how the CMU administration protects privacy of computer users: The research team consulted with several privacy experts and opted not to report detailed demographics of the university population of computer pornography consumers. These demographics included age, sex, nationality, marital status, position (faculty, staff, student), and department. Although the research team obtained such demographics by means available to any authorized user of the campus network, reporting them would raise complex ethical and privacy issues. The data would have to be disguised in a manner that could not be reconstructed to identify individual users (Rimm, 1995a: 1869, n40). The text suggests that the CMU team had licit access to individual rather than aggregate data, and that these data, along with other personal user data, were publicly available. While it is possible that such data may be "world-readable" in configuration files or through licit means, there is considerable debate over whether it is ethical for researchers themselves to access such data. The study's implication, however, is that a computer administrator responsible for monitoring site statistics acquired the data (Rimm, 1995a: 1865, n30). In responding to critics, Rimm acknowledges that the Usenet data were collected by "network engineers" (Rimm, 1995b). If an individual researcher snoops through personal files, even if--like an open window from a public street--they are visible, the ethical acceptability of peeping cyber-Toms is not clear cut. Such an act ought not be accepted as a licit part of a research method without careful consideration and justification. If, however, network engineers collected the Usenet data on individual users, then it raises the question of the propriety of a second party collecting and distributing information to a third party for public consumption about the aggregate viewing habits of individual users. It also suggests that users' reading habits were not public, and scrutiny of their files required systematic surveillance that, while even if defensible for system maintenance, seems not as defensible when such data are passed to a third party who ordinarily might not be authorized to receive, let alone publish them. Whether this is an ethical breach can only be determined by examining the nature of the statistics provided to the researchers and reviewing site user policies to determine the level of the expectation of privacy. Perhaps no ethical violations occurred, but the data gathering technique does raise ethical questions about one form of electronic data gathering. 2. Another seemingly minor peccadillo derived from the site data gathering is the implication that site users who protected their privacy by blocking monitoring by system statisticians might be pedophiles: First, 11% of the computer users in this study block the site. Second, some users have multiple accounts and avoid detection by using a second account to access the Usenet. While there is no evidence to suggest that Usenet and Internet users who block the monitoring of their accounts access pornography more frequently than those who do not, one also cannot assume that a notable difference does not exist. This is especially true in the context of pedophilia and child pornography consumption. Preferential molesters (i.e., pedophiles with a true sexual attraction to children) frequently employ inventive mechanisms to evade discovery, as discovery will likely lead to incarceration (Rimm, 1995a: 1865, n30). The unusual implication of such wording aside, the inexplicable association of persons on whom data is unavailable with pedophilia and worse violates the principles both of "respect for persons" and "justice." In the guise of "objective research," a category of users is defined as possible felons simply because they chose to protect their privacy. 3. More serious than the preceding concerns is the explicit prescription that researchers minimize risk to subjects by using caution and discretion in revealing data. Conventional canons of research ethics proscribe revealing potentially harmful data. That a researcher is able to acquire private and potentially sensitive data does not confer a right to publish it. Rather, it confers upon researchers an obligation to exercise special caution when information is obtained from informants who do not know they are the subjects of a study and are enticed to provide information about third parties. A violation of this obligation occurred in Rimm's commentary on Robert Thomas, sysop of Amateur Action (AA) BBS. AA BBS is a private adult system in California that requires registration and a fee before granting access to erotica files, because the information is not intended for public consumption. Although some of the information cited by the Rimm study derived from court records, the bulk appears to have come directly from Thomas and other BBS sysops. As discussed below, the CMU research team generally did not reveal their research identity to Thomas or others, and it would appear that they collected data deceptively. It is unlikely that Thomas (or any other subject) would approve of such public stigmatizing and revelation of private data and user habits. The information revealed includes not only file lists and file descriptions, but also publication of presumably private information that the AA BBS user list includes subscribers from two cities in which Thomas faced legal problems. One might argue that because Thomas is currently incarcerated on charges related to distribution of pornography, the researcher would therefore be released from the ethical obligations to protect the privacy and safety of informants. However, as both the Belmont Report and Federal guidelines indicate, precisely because Thomas is unable to provide full consent increases the ethical obligation of the researcher to protect him. Recall the wording of the Belmont Report: Respect for persons incorporates at least two ethical convictions: first, that individuals should be treated as autonomous agents, and second, that persons with diminished autonomy are entitled to protection (BR, 1979: 4). Because of Thomas's legal vulnerability, it is especially important that a researcher not disclose covertly gathered and potentially damaging information about a subject, regardless of whether consent was given. Both the nature of the information about Thomas and AA BBS and the tone of the discourse in which it is delivered (Rimm, 1995a: 1912-13) constitute an explicit violation of established ethical conventions intended to assure the respect, well-being, and autonomy of human subjects. The disclosure is of special concern because AA BBS remains in existence as a viable commercial enterprise. A second serious violation that constitutes a breach of the principles to minimize risk to subjects lies in the study's Appendix D, where cities from which BBS esers called are listed. Given the stigmatizing language and context of the article, such revelation reflects failure to comply not only with privacy norms of sysops, but it also puts at potential risk third parties (users) who would be unaware of data collection and subsequent publication. The Rimm article acknowledges that, in some countries, the penalty for possession of pornography is death. Yet, these countries are included in Appendix D. Small U.S. communities with a population of only a few thousand or less are also included. What is the risk of such a list to third-parties who are unaware of covert surveillance of their activities? How might prosecutors, politicians, or parents in a small town react if they suspected that a "porn consumer" or possible pedophile lurked in the community? Given the manner in which the data are presented as "paraphilia," "pedophilia," or worse, the consequences of discovery or suspicion would be of no small consequence to users in the current legislative and enforcement climate of "anti-porn" sentiment. Even if risks to users were negligible, it is not the right of a scholar to make the decision to put others at even minimal risk. 4. Another serious ethical violation is the deceptive nature in which Rimm and is team collected data. The study reported initial contact with over 1,000 BBSes by modem or voice to create a final population of (apparently) 91 BBSes (Rimm, 1995a: 1853). Then the team either subscribed to, or logged on as a new user or guest, to a number of representative pornographic BBS (sic) and collected descriptive lists of the files offered by each (Rimm, 1995a: 1876). The Rimm study indicates that: Many BBS (sic) either hide this information from their customers or do not provide it because of space or software limitations (Rimm, 1995a: 1879-80). .......... In these instances, MEMBERS OF THE RESEARCH TEAM EITHER SCREEN CAPTURED THE "ALLFILES" LIST IN DOUBLE LINE FORMAT, OR PERSUADED THE SYSOP TO PROVIDE THE LIST PRIVATELY (Rimm, 1995a: 1880, emphasis added). The CMU research team also indicates that they conducted "chats" (private computer interaction) with the sysops to obtain information (Rimm, 1995a: 1875). Not only is there no indication that the sysops knew they were being studied, but there is every indication that they did not: MEMBERS OF THE RESEARCH TEAM DID NOT, AS A RULE, IDENTIFY THEMSELVES AS RESEARCHERS (Rimm, 1995a: 1878, emphasis added). Recall the words from the Belmont Report: In most cases of research involving human subjects, respect for persons demands that subjects enter into the research voluntarily and with adequate information (BR, 1979: 4). If subjects do not know they are being researched, it's not immediately obvious how they can enter into a project voluntarily with adequate information. And, again from the Belmont Report: Persons are treated in an ethical manner not only by respecting their decisions and by protecting them from harm, but also by making efforts to secure their well-being (BR, 1979: 4). It is clear that Rimm engaged in deception to gather the data in a way that violated informed consent, privacy, and other explicit conventions followed by social scientists and mandated by federal principles and guidelines. If the remarks of the principle investigator were reported accurately (Meeks, 1995), it is possible that Rimm might even have gathered data fraudulently: Dispatch asked Rimm: "Did your team go uncover, as it were, when getting permission from these [BBS operators] to use their information?" He {Rimm} replied only: "Discrete, ain't we?" When asked how he was able to obtain detailed customer profiles from usually skeptical operators of adult BBSs he says: "If you were a pornographer, and you don't have fancy computers or Ph.D. statisticians to assist you, wouldn't you be just a wee bit curious to see how you could adjust your inventories to better serve your clientele? Wouldn't you want to know that maybe you should decrease the number of oral sex images and increase the number of bondage images? Wouldn't you want someone to analyze your logfiles to better serve the tastes of each of your customers? (Meeks, 1995). 5. Arguably the most egregious violation of ethics was the grant application that Rimm, his faculty advisor, and another CMU faculty colleague submitted in an attempt to secure federal funding. According to a a former participant in the project, the grant participants were aware of the Department of Justice's prosecutorial interests in "adult" BBSes (Thomas, 1995b). Because these were the subjects of Rimm's study, and because of the nature of Rimm's analysis, the grant team judged that they could devise a means to assist prosecutors in allocating resources more effectively. One co-author of the grant described the goals: 1) A summary of the statistics of "pornography" traffic that would identify the proportion of BBSes with a high percentage of material that might be worth prosecuting; 2) Consumption and usage trends over time: If pornography or pedophilia increases, then it would indicate that the BBS is trying to cultivate that market; 3) Information on individual downloads and covariance of user preferences that would correlate which types of files are most-likely to be associated other downloaded files; 4) Placing it in the space of adult bulletin boards; adult BBSes have different personalities, characteristics, and specialties...who is the worst offender on pedophilia? In his methodology, Rimm explains that he selected BBSes that were either the largest and most active "pornography" distributors, or that appeared to be aggressively moving into the "pornography" market (Rimm, 1995a: 1876-77). These BBSes are precisely those that the grant was designed to help prosecute, because they constitute the full population that Rimm claimed to study. The effect would be to identify and prosecute Rimm's research subjects. WHO GOOFED? It would be comforting if the ethical lapses could be reduced merely to the over-zealous excesses of an ambitious undergraduate student. What makes this cyber-study significant are the numerous people, all of whom are professionals presumably guided by an ethical code, who failed to recognize and respond to the explicit and unmistakable signs that something was amiss. First, of course, was the student himself. Rimm was not a typical young undergraduate, but a 31 year old with prior research experience. Second was Rimm's faculty advisor who acknowledged working closely on the project, who was aware of the methodology, and who solicited federal funding for it. Third were the two dozen deans, professors, and administrators who were listed as part of the research team. Some of these "team members" later disassociated from the study, and some apparently were unaware that they were listed as members. But, most have remained publicly silent. Fourth are the CMU funding personnel who provided internal funding without a sufficiently adequate proposal review of the nature of the research. Fifth were the CMU administration and "privacy experts" who, in the heady days of the study's initial publicity, were quite willing to identify with the study, either without having read it or without interest in the obvious problems. Sixth was the Georgetown Law Journal, whose editors found no problem in publishing an article with obvious ethical lapses. Seventh, three well-published attorneys with national reputations commented on the article in the same GLJ issue, and none apparently read the article with sufficient care to notice the problems. Eighth, Time magazine editors and staff writers read the initial article and failed to hear the alarm bells. Ninth, Congressional legislators who, in attempting to pass "ethical legislation" that would restrict the transmission of erotica on the Internet, ignored the obvious breaches in the evidence they hoped to adduce. Finally, CMU again: When confronted with the overwhelming intellectual and ethical questions, they delayed before distancing themselves from the study and initiating an investigation of breaches done in its name. As of this writing, CMU has remained publicly silent on the outcome of the inquiry. The study is instructive for several reasons. First, it illustrates how many serious ethical breaches can occur in a single study, even a seemingly innocuous one from a positivist paradigm. Second, it reminds us that ethical scholarship extends beyond the responsibility of a single researcher. Professionals and the public share part of the task of being sensitive to how data are collected, disseminated, and used. Third, the study demonstrates how many levels of gatekeeping exist at which there are opportunities for identifying and correcting problems. Fourth, all of the problems in this study could have been prevented by following existing guidelines and principles. Fifth, and most important, the study shows what can happen when we lose sight of the importance of research ethics: Those who are in a position to spot problems may fail to do so. CONCLUSION When research projects are highly visible and taken seriously by the media, legislators, and policy makers, they provide a model from which others draw for their own research. When a model teaches the wrong lessons, how can scholars who conduct research or teach research methods expect to be taken seriously? It would be tempting to excuse the excesses of the Rimm study by noting the newness or novelty of cyberspace research, the lack of social science research experience of Rimm and his faculty advisor, or the ambiguity of existing ethical principles when applied to online interaction. These excuses fail to recognize that while situations may be complex, basic precepts of decency are not. One need not be experienced to know that deception is wrong, and such basic ethical guidelines as "don't lie to subjects or put them at risk" contain little ambiguity. The view that "cyberspace" is unique because it occupies no physical space, is bodiless and incorporeal, and thus requires new rules for scholars, erroneously extracts selected characteristics of the medium and confuses the simulacra for the thing itself. This view substitutes the trope of synecdoche, conceptualizing the part as the whole, with that of metaphor, the construction of an alternative imagery of the whole. Cleaver (1996) incisively points out the errors of viewing cyberspace as a non-place: The problem with the characterization is that it treats the Net as if it were a system of machines (computers and phone lines) whereas it has only existed and only continues to exist in the communicative actions of the humans who created and continue to recreate it. This particular system of machines is just like any other system of machines: a moment of human social relationships. While the machine system is truly an "artifact so humanly constructed", the machine system is not "the Net"; it is only the sinew or perhaps the nervous system of a Net constituted by human interactions. As an evolving series of human interactions the Net occupies precisely the space of those participating human beings. Humans as corporeal beings always occupy space and their personal and collective interactions structure and restructure that space (Cleaver, 1996). The problem with conceptualizing situations shaped by new technologies, changing norms, or shifting circumstances as unique and in need of new ethical rules contains two flaws: First, it misses the point that every situation is unique, as Thales long ago observed. Second, it would require a litany of rules and principles that would lead us to a futile exercise in perpetual rule construction. No set of rules, formal or otherwise, can provide unambiguous answers to complex ethical questions that often arise. As a consequence, existing guidelines, such as the Belmont Report, and procedures for organizationally implenting these guidelines, such as federal rules specifying treatment of human subjects, are sufficient for most research. To my mind, the Golden Rule remains a solid principle, and it can be practiced by three general guidelines: 1) Never deceive subjects; 2) Never knowingly put subjects at risk; and 3) Maximize public and private good while minimizing harm. Sometimes these precepts may conflict, but a conflict only strengthens the precepts by forcing us into increased awareness of and dialogue about the relationship between "doing right" and "doing research." The value of Storm King's and the other essays in this volume is their utility for not only identifying specific problems facing researchers and inviting dialogue over the competing ways of resolving them. His insistence that we collectively engage in on-going discussion of ethics suggests that this concluding sentence is the beginning, not the end, of the message of this volume. BIBLIOGRAPHY Belmont report. 1979. "Ethical Principles and Guidelines for the Protection of Human Subjects of Research." Washington: Department of Health, Education, and Welfare. Brajuha, Mario and Lyle Hallowell. 1986. "Legal Intrusion and the Politics of Fieldwork: The Impact of the Brajua Case." Urban Life, 14:454-478. Harry Cleaver. 1996. "The 'SPACE' OF CYBERSPACE: Body Politics, Frontiers and Enclosures." Computer underground Digest, #8.09, January 30. Available at: http://www.soci.niu.edu/~cudigest/CUDS8/cud809 Elmer-Dewit, Philip. 1995. "On a Screen Near You: Cyberporn." Time Magazine, pp. 38-43. July 3. Federal Register. 1991. Part II: Federal Policy for the Protection of Human Subjects; Notices and Rules. Washington: U.S. Government Printing Office. Godwin, Mike. 1995. Collected Articles on the Mary Rimm "Cyberporn" Study. Available at: http://www.eff.org/pub/Censorship/Pornography/Rimm_CMU_Time Hoffman, Donna L. and Thomas P. Novak.and Tom Novack. 1995. "A Detailed Analysis of the Conceptual, Logical, and Methodological Flaws in the article "Marketing Pornography on the Information Superhighway" Vanderbilt University, July 2. Available at: http:www2000.ogsm.vanderbilt.edu. Humphreys, Laud. 1970. Tearoom Trade; Impersonal Sex in Public Places. Chicago: Aldine. Meeks, Brock. 1995. "Porno-O-Plenty." CyberWire Dispatch, July 13. Available at: http://www.cyberwerks.com/cyberwire/cwd/cwd.95.07.13 Punch, Maurice. 1986. The Politics and Ethics of Fieldwork. Hollywood: SAGE. Rimm, Marty. 1995. "Marketing Pornography on the Information Highway: A Survey of 917,410 Images, Descriptions, Short Stories, and Animations Downlaoded 8.5 Million Times by Consumers in Over 2000 Cities in and Territories." Georgetown Law Journal, 83(1995): 1849-1934). _____. 1995b. "Rimm Response to Hoffman and Novak." Available at: http:trfn.pgh.pa.us/guest/mrstudy.html