[Federal Register Volume 77, Number 238 (Tuesday, December 11, 2012)]
[Notices]
[Pages 73669-73671]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-29818]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
[Docket No. DHS-2012-0041]
Response to Comments Received for the ``The Menlo Report: Ethical
Principles Guiding Information and Communication Technology Research''
(``The Menlo Report'') for the Department of Homeland Security (DHS),
Science and Technology, Cyber Security Division (CSD), Protected
Repository for the Defense of Infrastructure Against Cyber Threats
(PREDICT) Project
AGENCY: Science and Technology Directorate, DHS.
ACTION: Response.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS), Science and
Technology (S&T) published a 60-day public notice in the Federal
Register on December 28, 2011 (Federal Register Volume 76, Number 249,
Docket No. DHS-2011-0074) to invite public comment on the Menlo Report.
The intent of the notice was to further refine the content of the Menlo
Report beyond the working group that had generated the report. This
notice responds to the comments received during this 60-day public
notice.
ADDRESSES: The updated Menlo Report may be found at http://www.cyber.st.dhs.gov/.
FOR FURTHER INFORMATION CONTACT: DHS S&T, Email [email protected].
SUPPLEMENTARY INFORMATION:
Background
A grassroots working group composed of stakeholders in information
and communication technology research (ICTR), with support from the
Homeland Security Advanced Research Projects Agency (HSARPA) CSD,
developed the Menlo Report. HSARPA CSD published this report in the
Federal Register in December 2011 (76 FR 81517, Docket No. DHS-2011-
0074) to invite public comment, and sixteen comments were received. The
complete text of the public comments and the Federal Register notice
are available on the Regulations.gov web site at http://www.regulations.gov/#!docketDetail;D=DHS-2011-0074.
To address the comments, a subset of the initial working group was
assembled that has stewarded the document since its inception. In
summary, the comments contained both laudatory and critical remarks and
covered issues that ranged in scope from targeted to general. The
approach to absorbing this valuable feedback was to analyze each
comment, distill the issue(s) raised by the commenter, reflect on the
relevant text in the Menlo Report, and generate a response. Those
responses entailed identifying proposed changes intended to resolve the
issues raised, either by modifying text that was unclear or
misinterpreted by readers or by accepting constructive criticism.
Changes to the Report
The Menlo Report has been updated and is available at http://www.cyber.st.dhs.gov/. Overall, the changes to the Menlo Report based
on the comments are summarized as follows:
1. The next version will clarify that the Menlo Report is not an
official policy statement of DHS and that DHS does not have the
intention or authority to permit researchers to engage in any practice
in the name of ``ethical research.''
2. The next version will reflect that the main focus of the Menlo
Report is on private sector and academic researchers who may be
government funded, rather than DHS employees. While the Menlo Report
may certainly be applicable to government researchers, it is not
intended to conflict with or preempt statutory or regulatory
requirements placed on government employees.
3. The next version will explicitly address the choice of the Belmont
Report model instead of an alternative ethical framework (i.e., a
Belmont Report principles-in-context approach). Specifically, the next
version of the Menlo Report will clarify the benefit to society versus
the risks to research subjects under this model.
4. The next version will address the relationship between law and
ethics, (i.e., when a researcher's ethically-derived beliefs are in
direct conflict with relevant laws) by stating it is beyond the scope
of the Menlo Report to advocate a position when laws directly conflict
with ethics. Rather, the Menlo Report reinforces the principle that
ethics plays a role in closing gaps in laws and clarifying grayness in
interpretation of laws.
5. The next version will highlight the value of the Menlo Report
guidelines to society rather than just researchers.
Detailed Comments and Responses
S&T published a 60-day public notice in the Federal Register on
December 28, 2011 (Federal Register Volume 76, Number 249, Docket No.
DHS-2011-0074) to invite public comment on the Menlo Report. The notice
helped further refine the content of the Menlo Report by seeking
comments on the document generated by the working group. At the end of
the 60-day comment period, S&T received sixteen comments from two
universities, four private citizens, three non-profit organizations,
one foreign university, and one professional association. In general,
the comments received fall into the following categories:
1. The Menlo Report construed as official DHS policy
2. Interpretation of informed consent
3. Researcher interaction with a research subject's computer
4. Calculating benefits and harms
5. Estimation of benefits and harms from ICTR
6. Applicability of the Institutional Review Board (IRB) model for
ethical review of ICTR
7. The relationship between laws and ethics
8. Privacy rights of individuals related to corporate monitoring
9. Ethical considerations for future contemplation and study
10. Standalone comments
A. The Menlo Report As Official DHS policy
Several comments stated that the Menlo Report is an official policy
statement of DHS and that DHS has the intention or authority to permit
researchers to engage in any practice in the name of ``ethical
research.''
Response: The Menlo Report offers ethical guidance for public and
private researchers and explicitly advocates respect for the law and
public interest (e.g., supporting the notion that different laws may
apply to government researchers) and is neither an official nor
authoritative policy statement for DHS or law enforcement. As a result,
modifications to the Menlo Report will have additional, explicit
language to indicate that while DHS supports the Menlo Report, the
Menlo Report does not represent official agency policy nor should it be
interpreted as applying to, conflicting with, or superseding statutory
mandates and other authoritative commitments governing actions by the
government.
B. Interpretation of Informed Consent
Several comments were received related to the discussion of
informed consent in the Menlo Report.
Response: Support for informed consent will be conveyed by the
Menlo Report by detailing how researchers and Research Ethics Boards
(REB) should consider the situation where waivers of informed consent
are sought. Modifications to the Menlo Report will substitute the term
``proxy'' with the Common Rule term ``legally authorized
representative,'' clarify the issue of their relationship to requests
for waivers, and better balance the perspective between that of
researchers and that of end-users or research subjects. The respondents
agree with the observation in various comments regarding ICTR and
waivers to informed consent and will highlight this issue in
modifications to the Menlo Report. Given the gravity and ubiquity of
cyber-crime, the benefits and importance of accurate research data for
countering it is a specific situation that may satisfy the requirements
of 45 CFR 46.116 allowing requests for alteration or elimination of
informed consent requirements in those situations where minimal risk to
subjects (or those reliant on information and communication technology
(ICT) under study) exists.
C. Researcher Interaction With a Research Subject's Computer
Multiple comments dealt with the issue of interacting with a
research subject's computer or interacting with malicious software
under study that the owner of the computer is not even aware exists on
their computer.
Response: It is understood that the study of malicious software, to
include botnets, is an area that can pose greater than minimal risk to
those who rely on infected computers. Ultimately, the issue of what
constitutes ``minimal risk,'' and also whether it is ``human subjects
research'' to interact with the computer, as opposed to the human, must
be determined. Given that IRBs in the United States today do not require
that researchers adhere to zero-risk, but rather they are guided by
requirements of 45 CFR 46.111, the Menlo Report will be updated to
clarify the justification for this approach by illuminating the
consequences of a zero-risk tolerance approach, noting, for example,
how it would negatively impact the public's ability to benefit from
research.
D. Calculating Benefits and Harms
Various comments received also raised issues regarding the
estimation of benefits and harms from ICTR, including not only who may
be harmed but also how potential benefits and harms can be quantified.
Response: The current ``Identifying Harms'' section of the Menlo
Report addresses concerns about lack of comprehensive coverage of
harms. However, to bolster this area, the Menlo Report will be updated
to address the potential, rather than certainty, of harms resulting
from research activities. Specifically, personal privacy and
information confidentiality and integrity are uncontrovertibly noted as
potential harms that must be addressed. Updates will also clarify the
distinction and relevance of the benefit to society versus the risks to
research subjects in ICTR. The respondents will also change the text to
include harms resulting from notification of research, and publication
of information that can be used to cause harm. Additional verbiage will
also seek to clarify the distinction and relevance of the benefit to
society versus the risks to research subjects in ICTR.
E. Applicability of the Institutional Review Board (IRB) Model
Several comments raised the appropriateness of the Belmont/IRB
model, related to both behavioral and biomedical research, for ethical
review of ICTR.
Response: The purpose of the Menlo Report is to advocate principles
and applications, not to define enforcement mechanisms. The crux of
these comments related to applicability of the Belmont Report. The next
version of the Menlo Report will concretely state that it is
deliberately founded on the Belmont model, which was originally
developed for the biomedical research context but is not limited to
biomedicine, as evidenced by the fact that this model is currently used
for evaluation of behavioral research (including that which involves
ICT).
F. Relationship Between Laws and Ethics
Many comments were received relating to conflicts between ethical
codes and the law.
Response: The comments were diverse but converged on the necessity
to add text regarding the relationship between law and ethics. The
assertion
that the Menlo Report precludes the Common Rule is conjecture that
appeared in one of the comments, and it is important to mention that
this is not substantiated by evidence from the Menlo Report. This
criticism does not reflect what is presently allowed by the Common Rule
in terms of waivers (see 45 CFR 46.116, specifically subsections (c)
and (d)). The Menlo Report currently is framed in such a way as to be
congruous with the predominant REB model in the United States, IRB. The
Menlo Report will be revised to include text that clarifies that the
Menlo Report does not take any stance on addressing the situation when
laws are viewed by the public to be unethical. It was also apparent
from the comments that the Menlo Report needs to clarify that
researchers are not authorized to waive consent. The Menlo Report will
also be updated in the Respect for Law and Public Interest section to
address conflicts with principles of compliance, transparency, and
accountability and with the privacy interests of individuals.
G. Privacy of Individuals vs. Corporations
Multiple comments highlighted a problem regarding the discussion on
the privacy of an organization in relation to enhancing cyber
security.
Response: This discussion will be removed from the next version of
the Menlo Report. The comments correctly identified a potential
inconsistency.
H. Ethical Considerations for Future Contemplation and Study
Finally, there were comments suggesting a general call for further
study and engagement with various communities and agencies in order to
create workable guidance.
Response: Much additional work will be done as a follow on to the
Menlo Report to spur additional discussion of the approach to ethics in
ICTR presented in the Menlo Report. Some of this research has already
been undertaken and is included in a companion report to the Menlo
Report.
I. Standalone Comments
There were several comments that did not fall into the preceding
categories but did spur further changes to the Menlo Report. The
following will be reflected as updates to the Menlo Report:
1. A clarification will be added explaining that while the Menlo
Report adopts Belmont Report principles and the Common Rule regime in
framing the principles and applications for evaluating and applying
ethics in ICTR, it also highlights areas within the Common Rule that
are more frequently exercised by ICTR or that may cause problems in
applying it to ICTR.
2. Language to more clearly discuss how to make inclusion/exclusion
decisions in conformance with Justice and Equity considerations will be
added.
3. In general, the revised Menlo Report will take a well-rounded
perspective to include the end-user perspective, in addition to a
researcher-centric perspective.
4. The discussion of the existence and management of pre-existing
data will be expanded.
5. The discussion regarding the creation of the Internet and its
growth to include the hosting of databases with personally identifiable
information will be clarified.
6. The description or context of the use of the term ``reasonable
researcher'' will be updated.
7. Explanatory language to address the issue of record retention
will be included in the Mitigation of Realized Harms section.
8. The term ``evidence-based consideration'' will be clarified.
Dated: November 30, 2012.
Tara O'Toole,
Under Secretary for Science and Technology.
[FR Doc. 2012-29818 Filed 12-10-12; 8:45 am]
BILLING CODE 9110-9F-P