The Privacy Paradox: IRBs in an Era of NSA Mass Surveillance

[This invited post was written by Daniel O’Maley, who recently graduated with a PhD in cultural anthropology from Vanderbilt University. His research focuses on the global Internet freedom movement and the link between digital technology and new forms of democratic participation. You can read more about him and his research here]

Increasingly, our lives are mediated by the Internet and other digital technologies. For anthropologists like myself, this presents new opportunities for research, but the digitization, exchange, and storage of personal data also generate new privacy concerns for our participants. During my research on Brazilian Internet freedom activists, I learned about both the potential of the Internet and the ways that digital technology can be, and is being, abused to violate civil liberties. What I call the “privacy paradox” refers to the situation in which the U.S. government defends research participants’ privacy through Institutional Review Boards (IRBs) while simultaneously violating their privacy on a massive, global scale through its mass surveillance national security apparatus.

The privacy paradox became apparent to me in July 2013, just a month after the Snowden leaks that exposed NSA mass surveillance, when I sat down to interview a high-level official of a Brazilian IT firm. Before the interview, I detailed the measures I was taking to ensure that his personal data would be protected and I explained that this was required by Vanderbilt’s IRB per U.S. law. Upon hearing this, the IT official looked at me incredulously. Over the previous two months the front pages of newspapers had been plastered with articles detailing U.S. government surveillance projects with codenames like PRISM, XKeyscore, and Stellar Wind that used the global telecommunications infrastructure to collect personal data on people around the world. My interviewee was well-versed in issues of privacy in the digital age, so to hear me state that the U.S. government was concerned with his privacy was laughable.

While I had already been paying attention to issues of privacy and mass surveillance in my research, this encounter forced me to re-evaluate the ways that U.S. government policy is impacting the work of researchers worldwide and why it is important for the academic community to defend the privacy rights of all people in a digital era.

Institutional Review Boards and Participant Privacy

In the U.S., virtually all researchers who perform research with human participants are required by federal law to have their methods evaluated and approved by an Institutional Review Board, or IRB, including social scientists like anthropologists, political scientists, psychologists, and sociologists. According to the federal Office for Human Research Protections (OHRP), which oversees IRBs in the U.S., the goal of this oversight is to protect “the rights, welfare, and wellbeing of subjects involved in research.” The current IRB system developed in the second half of the 20th century in response to a number of unethical research projects, which revealed that more oversight was necessary to protect participants. In 1974, the U.S. Congress passed the National Research Act, which created a government-supervised research evaluation system meant to diminish the possibility of unethical and overly risky research.

A primary concern of IRBs in evaluating research proposals is protecting the personal data of research participants, with good reason, because researchers often collect very personal and sensitive information about people that could negatively affect them if it became publicly available. For example, to protect against the accidental distribution of my participant data, Vanderbilt’s IRB required that all the information I collected digitally (i.e., notes, interview recordings, etc.) be stored on a password-protected computer that only I had access to. In many cases researchers are required to anonymize data and/or use pseudonyms when publishing. Such requirements show the extent to which IRBs are legitimately concerned with participant privacy.

Privacy is one of the topics specifically addressed on many Informed Consent documents – forms that participants must read that detail the research goals, potential risks and benefits to individuals, and rights of participants. For example, the final section in the Informed Consent form I used for my research in Brazil included this standard language:

Privacy: Your information may be shared with Vanderbilt or the government, such as the Vanderbilt University Institutional Review Board, Federal Government Office for Human Research Protections if you or someone else is in danger or if we are required to do so by law.

This language alerts participants that in certain, seemingly limited cases, the IRB and/or the U.S. government may seek to gain access to the researcher’s data. For non-U.S. citizens, it also gives the illusion that the U.S. government is concerned with their privacy and will not collect and store their data without cause. However, it is now apparent that the U.S. government is not always as concerned about individual privacy as it would appear in these informed consent forms. This is particularly true for non-U.S. citizens.

NSA Mass Surveillance

The revelations about NSA mass surveillance exposed how the U.S. government was invading the privacy of both Americans and foreigners in the name of fighting terrorism. The NSA’s mission had always been to collect foreign signals intelligence, but now it was revealed that it was performing a massive dragnet in which it was trying, as the former director General Keith Alexander put it, to “collect it all.” This meant that rather than targeting individuals or groups, the NSA was collecting as much telecommunications data as possible – sometimes all the telecommunications traffic in entire countries – and storing it in massive data warehouses.

The Snowden leaks generated a backlash in the U.S. because they revealed that the NSA was storing and analyzing the cell phone habits of millions of U.S. citizens. For many observers, the collection of such data without a warrant is a violation of the 4th Amendment of the U.S. Constitution, which prohibits unreasonable search and seizure. Indeed, a number of citizens are now suing the government, arguing this practice violates their civil liberties. In response, the Obama administration has pledged to make changes to the NSA program, in part to protect the rights of citizens.

However, there are virtually no protections for non-U.S. citizens. Thus, data collection outside of the U.S., which was always more intrusive because it had no legal limitations, most likely continues unabated. In practical terms, this means that every email and phone call of the Brazilian participants in my research project was fair game for NSA data collection. Furthermore, even U.S. citizens’ communications are swept up by the NSA when one of the people involved in the chain is thought to be outside the U.S. Indeed, just the mention of an individual thought to be under surveillance in an email or computer file is justification for its collection by the NSA under section 702 of the Foreign Intelligence Surveillance Act (FISA). Critics have called it a “backdoor loophole” to conduct surveillance on U.S. citizens. In any case, it is clear that all the communications of non-U.S. citizens, including communication with U.S.-based researchers, are currently being targeted and collected by the NSA.

In practical terms, this means that every email and phone conversation I had with my Brazilian research participants could have been collected by the NSA. Furthermore, had I posted any of the data I collected on my computer (Word document field note files, interview audio recordings, photos, etc.) to Vanderbilt’s server from Brazil, it likely would have been swept up by the NSA, tapping the international telecommunications cables on which that data would be transferred. The likelihood is increased by the fact that the Brazilian government was a prime target of NSA surveillance, so my interviews with Brazilian government officials would be even more interesting to the NSA—meaning, as a researcher, I could have potentially abetted U.S. surveillance without being aware of it.

The Privacy Paradox

The privacy paradox emerges from these seemingly contradictory U.S. government policies to protect research participants from unethical studies while invading the privacy of people around the world using the telecommunications infrastructure. Recent attempts to reform the NSA surveillance system are mainly aimed at protecting the civil liberties of U.S. citizens. Thus, there is still little concern for the privacy of non-U.S. citizens whose information is being collected and stored in large data centers in the U.S.

What can researchers do practically and ethically given this difficult situation? Here are a few ideas about what we can do to protect the rights of our participants:


The most urgent task for social scientists is to become proficient with the technological tools necessary to secure the data they collect and send. Secure encryption can significantly delay the ability of global security agencies to decipher emails, field notes, audio recordings, etc. All social science research methods courses need to be updated to teach researchers how to use these tools. A recent Savage Minds post by Jonatan Kurzwelly offers a number of great resources for researchers interested in further protecting the data they collect.

IRB Reform: 

Researchers need to push IRBs to gain a more comprehensive grasp of cyber security issues, taking into account government surveillance. For example, currently an IRB might require a researcher to store material on a secure, university-controlled server. However, the IRB might not recognize that sending data to the server from abroad might put the privacy of all of that data at risk. No longer can IRBs ignore the actions of security agencies like the NSA and how they affect researchers working internationally.

An International Internet Rights Convention: 

Academics need to become strong advocates for national policies that protect civil liberties in the digital age. Tim Berners-Lee, the British computer scientist best known as the creator of the World Wide Web, has called for a global Magna Carta on Internet rights. He launched an international campaign called The Web We Want to help people around the world create digital bills of rights in their respective countries. The Web We Want campaign was, in part, inspired by the success of Brazilian Internet freedom activists who successfully fought for the passage of a pioneering Internet freedom bill in 2014. Indeed, the Brazilian Civil Rights Framework for the Internet, one of the primary topics of my own research, included provisions meant to protect Internet user privacy. More initiatives like this around the world and potentially a global convention on Internet rights would create an environment more conducive to ethical research.

Ultimately, the privacy paradox is not one that shows signs of being resolved in the near future. Thus, social scientists must be aware of how conflicting U.S. government policies regarding privacy impact their work. For starters, this will require thoughtful engagement with technology to protect research participants. Additionally, researchers who value their own privacy and the civil liberties of all individuals need to add their voices to discussions about how to protect privacy in the digital era.

6 thoughts on “The Privacy Paradox: IRBs in an Era of NSA Mass Surveillance”

  1. Daniel: You don’t mention who funded your dissertation research. I believe that Vanderbilt is a member of the Flexibility Coalition, a group of universities that have “unchecked the box” — they have only agreed to require IRB approval of research funded by a federal agency; research funded by non-federal agencies (e.g. the Wenner-Gren Foundation), typically is not subject to IRB approval or oversight for universities that have unchecked the box. Note that federal law does not require that all human subjects research be approved or monitored by an IRB: the requirement is, minimally, that for an institution to receive federal research grants, it must subject research conducted under those grants to IRB oversight.

  2. Barbara: Excellent question/comment. The bulk of my research was funded by the Fulbright Foundation. I also received some funding from the US Department of Education and Vanderbilt University. I had not heard of the Flexibility Coalition before reading your comment, and indeed Vanderbilt does appear to be an affiliate. That being said, currently at Vanderbilt all research that involves human subjects must be reviewed by Vanderbilt’s IRB per university policy. I am in favor of IRB oversight because when done correctly it can it helps protect individuals and groups.

  3. Hi, Daniel. Your response clarifies things a bit, but your note that “I am in favor of IRB oversight because when done correctly it can it helps protect individuals and groups.” may be problematic. You, as the researcher, protect individuals and groups, not IRB oversight — which may offer a suggestion or two, but usually is guilty of massive over-reach and mission creep. If you don’t know it, check out Zach Schrag’s blog and see his book “Ethical Imperialism” for an alternative perspective from a historian. Many of us have been frustrated by IRBs that regard institutional risk management as their primary role, and IRB policies that are based on medical experimentation rather than observational social science research. I’ll calm down now….. 😉

  4. Great post and a revealing ethnographic moment!
    I would just like to add that GCHQ in Great Britain is a similar beast, if not worse, to the NSA. The same paradox applies to all UK-based anthropologists and the same concerns can be raised. As we have learned from the leak of Hacking Team emails, many governments have bought technologies that allow them many types of digital surveillance. Thus at the same time as we can fight for TimBL’s magna carta and try to change structures of academia and singular universities, we could also start doing some small steps in our own departments. Including digital security training as part of research preparation could be a good start, raising awareness of future generations of anthropologists.

    Also to mention today’s news – the European Parliament has approved a resolution in which “They urge the EU Commission to ensure that all data transfers to the US are subject to an “effective level of protection” and ask EU member states to grant protection to Edward Snowden, as a “human rights defender”.” ['-rights-still-in-danger-says-Parliament ]

