[This invited post was written by Daniel O’Maley, who recently graduated with a PhD in cultural anthropology from Vanderbilt University. His research focuses on the global Internet freedom movement and the link between digital technology and new forms of democratic participation. You can read more about him and his research here]
Increasingly, our lives are mediated by the Internet and other digital technologies. For anthropologists like myself, this presents new opportunities for research, but the digitization, exchange, and storage of personal data also generate new privacy concerns for our participants. During my research on Brazilian Internet freedom activists, I learned about both the potentials of the Internet, as well as the way that digital technology can, and is, being abused to violate civil liberties. What I call the “privacy paradox,” refers to the situation in which the U.S. government at once defends research participants’ privacy through Institutional Review Boards (IRBs) while it simultaneously violates their privacy on a massive, global scale through mass surveillance national security apparatus.
The privacy paradox become apparent to me in July 2013, just a month after the Snowden leaks that exposed NSA mass surveillance, when I sat down to interview a high-level official of a Brazilian IT firm. Before the interview, I detailed the measures I was taking to ensure that his personal data would be protected and I explained that this was required by Vanderbilt’s IRB per U.S. law. Upon hearing this, the IT official looked at me incredulously. Over the previous two months the front pages of newspapers had been plastered with articles detailing U.S. government surveillance projects with codenames like PRISM, XKeyscore, and Stellar Wind that used the global telecommunications infrastructure to collect personal data on people around the world. My interviewee was well-versed in issues of privacy in the digital age, so to hear me state that the U.S. government was concerned with his privacy was laughable.
While I had already been paying attention to issues of privacy and mass surveillance in my research, this encounter forced me to re-evaluate the ways that U.S. government policy is impacting the work of researchers worldwide and why it is important for the academic community to defend the privacy rights of all people in a digital era.
Institutional Review Boards and Participant Privacy
In the U.S. virtually all researchers who perform research with human participants are required by federal law to have their methods evaluated and approved by an Institutional Review Board, or IRB, including social scientists like anthropologists, political scientists, psychologists, and sociologists. According to the federal Office for Human Research Protections (OHRP), which oversees IRBs in the U.S., the goal of this oversight is to protect “the rights, welfare, and wellbeing of subjects involved in research.” The current IRB system developed in the second half of the 20th century in response to a number of unethical research projects, which revealed that more oversight was necessary to protect participants. In 1974, the U.S. congress passed the National Research Act that created a government-supervised research evaluation system meant to diminish the possibility of unethical and overly risky research.
A primary concern of IRBs in evaluating research proposals is protecting the personal data of research participants, with good reason, because researchers often collect very personal and sensitive information about people that could negatively affect them if it became publicly available. For example, to protect against the accidental distribution of my participant data, Vanderbilt’s IRB required that all the information I collected digitally (i.e., notes, interview recordings, etc.) be stored on a password-protected computer that only I had access to. In many cases researchers are required to anonymize data and/or use pseudonyms when publishing. Such requirements show the extent to which IRBs are legitimately concerned with participant privacy.
Privacy is one of the topics specifically addressed on many Informed Consent documents –forms that participants must read that detail the research goals, potential risks and benefits to individuals, and rights of participants. For example, the final section in the Informed Consent form I used for my research in Brazil included this standard language:
Privacy: Your information may be shared with Vanderbilt or the government, such as the Vanderbilt University Institutional Review Board, Federal Government Office for Human Research Protections if you or someone else is in danger or if we are required to do so by law.
This language alerts participants that in certain, seemingly limited cases, the IRB and/or the U.S. government may seek to gain access to the researcher’s data. For non-U.S. citizens, it also gives the illusion that the U.S. government is concerned with their privacy and will not collect and store their data without cause. However, it is now apparent that the U.S. government is not always as concerned about individual privacy as it would appear in these informed consent forms. This is particularly true for non-U.S. citizens.
NSA Mass Surveillance
The revelations about NSA mass surveillance exposed how the U.S. government was invading the privacy of both Americans and foreigners in the name of fighting terrorism. The NSA’s mission had always been to collect foreign signals intelligence, but now it was revealed that it was performing a massive dragnet in which it was trying, as the former director General Keith Alexander put it, to “collect it all.” This meant that rather than targeting individuals or groups, the NSA was collecting as much telecommunications data as possible – sometimes all the telecommunications traffic in entire countries – and storing it in massive data warehouses.
The Snowden leaks generated a backlash in the U.S. because they revealed that the NSA was storing and analyzing the cell phone habits of millions of U.S. citizens. For many observers, the collection of such data without a warrant is a violation of the 4th Amendment of the U.S. Constitution, which prohibits unreasonable search and seizure. Indeed, a number of citizens are now suing the government, arguing this practice violates their civil liberties. In response, the Obama administration has pledged to make changes to the NSA program, in part to protect the rights of citizens.
However, there are virtually no protections for non-U.S. citizens. Thus, data collection outside of the U.S., which was always more intrusive because it had no legal limitations, most likely continues unabated. In practical terms, this means that every email and phone call of the Brazilian participants in my research project was fair game for NSA data collection. Furthermore, even U.S. citizens’ communications are swept up by the NSA when one of the people involved in the chain is thought to be outside the U.S. Indeed, just the mention of an individual thought to be under surveillance in an email or computer file is justification for its collection by the NSA under section 702 of the Foreign Intelligence Surveillance Act (FISA). Critics have called it a “backdoor loophole” to conduct surveillance on U.S. citizens. In any case, it is clear that all the communications of non-U.S. citizens, including communication with U.S.-based researchers, is currently being targeted and collected by the NSA.
In practical terms, this means that every email and phone conversation I had with my Brazilian research participants could have been collected by the NSA. Furthermore, had I posted any of the data I collected on my computer (Word document field note files, interview audio recordings, photos, etc.) to Vanderbilt’s server from Brazil, it likely would have been swept up the NSA, tapping the international telecommunications cables on which that data would be transferred. The likelihood is increased by the fact that the Brazilian government was a prime target of NSA surveillance, so my interviews with Brazilian government officials would be even more interesting to the NSA— meaning, as a researcher, I could have potentially abetted U.S. surveillance without being aware of it.
The Privacy Paradox
The privacy paradox emerges from these seemingly contradictory U.S. government policies to protect research participants from unethical studies while invading the privacy of people around the world using the telecommunications infrastructure. Recent attempts to reform the NSA surveillance system are mainly aimed at protecting the civil liberties of U.S. citizens. Thus, there is still little concern for the privacy of non-U.S. citizens whose information is being collected and stored in large data centers in the U.S.
What can researchers do practically and ethically given this difficult situation? Here are a few ideas about what we can do to protect the rights of our participants:
The most urgent task for social scientists is to become proficient with the technological tools necessary to secure the data they collect and send. Secure encryption can significantly delay the ability of global security agencies to decipher emails, field notes, audio recordings etc. All social science research methods courses need to be updated to teach researchers how to use these tools. A recent Savage Minds post by Jonatan Kurzwelly offers a number of great resources for researchers interested in further protecting the data they collect.
Researchers need to push IRBs to gain a more comprehensive grasp of cyber security issues taking into account government surveillance. For example, currently an IRB might require a researcher to store material on a secure, university-controlled serve. However, the IRB might not recognize that sending data to the server from abroad might put all of the privacy of that data at risk. No longer can IRBs ignore the actions of security agencies like the NSA and how they affect researchers working internationally.
An International Internet Rights Convention:
Academics need to become strong advocates for national policies that protect civil liberties in the digital age. Tim Berners-Lee, the British computer scientist best known as the creator of the World Wide Web, has called for a global Magna Carta on Internet rights. He launched an international campaign called The Web We Want to help people around the world create digital bills of rights in their respective countries. The Web We Want campaign was, in part, inspired by the success of Brazilian Internet freedom activists who successfully fought for the passage of a pioneering Internet freedom bill in 2014. Indeed, the Brazilian Civil Rights Framework for the Internet, one of the primary topics of my own research, included provisions meant to protect Internet user privacy. More initiatives like this around the world and potentially a global convention on Internet rights would create an environment more conducive to ethical research.
Ultimately, the privacy paradox is not one that shows signs of being resolved in the near future. Thus, social scientists must be aware of how conflicting U.S. government policies regarding privacy impact their work. For starters, this will require thoughtful engagement with technology to protect research participants. Additionally, researchers who value their own privacy and the civil liberties of all individuals need to add their voices to discussions about how to protect privacy in the digital era.