This PDF is the current document as it appeared on Public Inspection on 12/10/2012 at 08:45 am.
The Department of Homeland Security (DHS), Science and Technology (S&T) published a 60-day public notice in the Federal Register on December 28, 2011 (Federal Register Volume 76, Number 249, Docket No. DHS-2011-0074) to invite public comment on the Menlo Report. The intent of the notice was to further refine the content of the Menlo Report beyond the working group that had generated the report. This notice responds to the comments received during this 60-day public notice.
The updated Menlo Report may be found at http://www.cyber.st.dhs.gov/.
FOR FURTHER INFORMATION CONTACT:
DHS S&T, Email Menlo_Report@dhs.gov.
A grassroots working group composed of stakeholders in information and communication technology research (ICTR), with support from the Homeland Security Advanced Research Projects Agency (HSARPA) CSD, developed the Menlo Report. HSARPA CSD published this report in the Federal Register in December 2011 (76 FR 81517, Docket No. DHS-2011-0074) to invite public comment, and sixteen comments were received. The complete text of the public comments and the Federal Register notice are available on the Regulations.gov web site at http://www.regulations.gov/#!docketDetail;D=DHS-2011-0074.
To address the comments, a subset of the initial working group was assembled that has stewarded the document since its inception. In summary, the comments contained both laudatory and critical remarks and covered issues that ranged in scope from targeted to general. The approach to absorbing this valuable feedback was to analyze each comment, distill the issue(s) raised by the commenter, reflect on the relevant text in the Menlo Report, and generate a response. Those responses entailed identifying proposed changes intended to resolve the issues raised, either by modifying text that was unclear or misinterpreted by readers or by accepting constructive criticism.
Changes to the Report
The Menlo Report has been updated and is available at http://www.cyber.st.dhs.gov/. Overall, the changes to the Menlo Report based on the comments are summarized as follows:
1. The next version will clarify that the Menlo Report is not an official policy statement of DHS and that DHS does not have the intention or authority to permit researchers to engage in any practice in the name of “ethical research.”
2. The next version will reflect that the main focus of the Menlo Report is on private sector and academic researchers who may be government funded, rather than DHS employees. While the Menlo Report may certainly be applicable to government researchers, it is not intended to conflict with or preempt statutory or regulatory requirements placed on government employees.
3. The next version will explicitly address the choice of the Belmont Report model instead of an alternative ethical framework (i.e., a Belmont Report principles-in-context approach). Specifically, the next version of the Menlo Report will clarify the benefit to society versus the risks to research subjects under this model.
4. The next version will address the relationship between law and ethics (i.e., when a researcher's ethically-derived beliefs are in direct conflict with relevant laws) by stating it is beyond the scope of the Menlo Report to advocate a position when laws directly conflict with ethics. Rather, the Menlo Report reinforces the principle that ethics plays a role in closing gaps in laws and clarifying grayness in interpretation of laws.
5. The next version will highlight the value of the Menlo Report guidelines to society rather than just researchers.
Detailed Comments and Responses
S&T published a 60-day public notice in the Federal Register on December 28, 2011 (Federal Register Volume 76, Number 249, Docket No. DHS-2011-0074) to invite public comment on the Menlo Report. The notice helped further refine the content of the Menlo Report by seeking comments on the document generated by the working group. At the end of the 60-day comment period, S&T received sixteen comments from two universities, four private citizens, three non-profit organizations, one foreign university, and one professional association. In general, the comments received fall into the following categories:
1. The Menlo Report construed as official DHS policy
2. Interpretation of informed consent
3. Researcher interaction with a research subject's computer
4. Calculating benefits and harms
5. Estimation of benefits and harms from ICTR
6. Applicability of the Institutional Review Board (IRB) model for ethical review of ICTR
7. The relationship between laws and ethics
8. Privacy rights of individuals related to corporate monitoring
9. Ethical considerations for future contemplation and study
10. Standalone comments
A. The Menlo Report As Official DHS policy
Several comments stated that the Menlo Report is an official policy statement of DHS and that DHS has the intention or authority to permit researchers to engage in any practice in the name of “ethical research.”
Response: The Menlo Report offers ethical guidance for public and private researchers and explicitly advocates respect for the law and public interest (e.g., supporting the notion that different laws may apply to government researchers) and is neither an official nor authoritative policy statement for DHS or law enforcement. As a result, modifications to the Menlo Report will have additional, explicit language to indicate that while DHS supports the Menlo Report, the Menlo Report does not represent official agency policy nor should it be interpreted as applying to, conflicting with, or superseding statutory mandates and other authoritative commitments governing actions by the government.
B. Interpretation of Informed Consent
Several comments were received related to the discussion of informed consent in the Menlo Report.
Response: Support for informed consent will be conveyed by the Menlo Report by detailing how researchers and Research Ethics Boards (REB) should consider the situation where waivers of informed consent are sought. Modifications to the Menlo Report will substitute the term “proxy” with the Common Rule term “legally authorized representative,” clarify the issue of their relationship to requests for waivers, and better balance the perspective between that of researchers and that of end-users or research subjects. The respondents agree with the observation in various comments regarding ICTR and waivers to informed consent and will highlight this issue in modifications to the Menlo Report. Given the gravity and ubiquity of cyber-crime, the benefits and importance of accurate research data for countering it is a specific situation that may satisfy the requirements of 45 CFR 46.116 allowing requests for alteration or elimination of informed consent requirements in those situations where minimal risk to subjects (or those reliant on information and communication technology (ICT) under study) exists.
C. Researcher Interaction With a Research Subject's Computer
Multiple comments dealt with the issue of interacting with a research subject's computer or interacting with malicious software under study that the owner of the computer is not even aware exists on their computer.
Response: It is understood that the study of malicious software, to include botnets, is an area that can pose greater than minimal risk to those who rely on infected computers. Ultimately, the issue of what constitutes “minimal risk,” and also whether it is “human subjects research” to interact with the computer, as opposed to the human, must be determined. Given that IRBs in the United States today do not require that researchers adhere to zero-risk, but rather they are guided by requirements of 45 CFR 46.111, the Menlo Report will be updated to clarify the justification for this approach by illuminating the consequences of a zero-risk tolerance approach, noting, for example, how it would negatively impact the public's ability to benefit from research.
D. Calculating Benefits and Harms
Various comments received also raised issues regarding the estimation of benefits and harms from ICTR, including not only who may be harmed but also how potential benefits and harms can be quantified.
Response: The current “Identifying Harms” section of the Menlo Report addresses concerns about lack of comprehensive coverage of harms. However, to bolster this area, the Menlo Report will be updated to address the potential, rather than certainty, of harms resulting from research activities. Specifically, personal privacy and information confidentiality and integrity are uncontrovertibly noted as potential harms that must be addressed. Updates will also clarify the distinction and relevance of the benefit to society versus the risks to research subjects in ICTR. The respondents will also change the text to include harms resulting from notification of research, and publication of information that can be used to cause harm. Additional verbiage will also seek to clarify the distinction and relevance of the benefit to society versus the risks to research subjects in ICTR.
E. Applicability of the Institutional Review Board (IRB) Model
Several comments raised the appropriateness of the Belmont/IRB model, related to both behavioral and biomedical research, for ethical review of ICTR.
Response: The purpose of the Menlo Report is to advocate principles and applications, not to define enforcement mechanisms. The crux of these comments related to applicability of the Belmont Report. The next version of the Menlo Report will concretely state that it is deliberately founded on the Belmont model, which was originally developed for the biomedical research context but is not limited to biomedicine, as evidenced by the fact that this model is currently used for evaluation of behavioral research (including that which involves ICT).
F. Relationship Between Laws and Ethics
Many comments were received relating to conflicts between ethical codes and the law.
Response: The comments were diverse but converged on the necessity to add text regarding the relationship between law and ethics. The assertion that the Menlo Report precludes the Common Rule is conjecture that appeared in one of the comments, and it is important to mention that this is not substantiated by evidence from the Menlo Report. This criticism does not reflect what is presently allowed by the Common Rule in terms of waivers (see 45 CFR 46.116, specifically subsections (c) and (d)). The Menlo Report currently is framed in such a way as to be congruous with the predominant REB model in the United States, IRB. The Menlo Report will be revised to include text that clarifies that the Menlo Report does not take any stance on addressing the situation when laws are viewed by the public to be unethical. It was also apparent from the comments that the Menlo Report needs to clarify that researchers are not authorized to waive consent. The Menlo Report will also be updated in the Respect for Law and Public Interest section to address conflicts with principles of compliance, transparency, and accountability and with the privacy interests of individuals.
G. Privacy of Individuals vs. Corporations
Multiple comments highlighted a problem regarding the discussion on the privacy of an organization in relation to enhancing cyber security.
Response: This discussion will be removed from the next version of the Menlo Report. The comments correctly identified a potential inconsistency.
H. Ethical Considerations for Future Contemplation and Study
Finally, there were comments suggesting a general call for further study and engagement with various communities and agencies in order to create workable guidance.
Response: Much additional work will be done as a follow on to the Menlo Report to spur additional discussion of the approach to ethics in ICTR presented in the Menlo Report. Some of this research has already been undertaken and is included in a companion report to the Menlo Report.
I. Standalone Comments
There were several comments that did not fall into the preceding categories but did spur further changes to the Menlo Report. The following will be reflected as updates to the Menlo Report:
1. A clarification will be added explaining that while the Menlo Report adopts Belmont Report principles and the Common Rule regime in framing the principles and applications for evaluating and applying ethics in ICTR, it also highlights areas within the Common Rule that are more frequently exercised by ICTR or that may cause problems in applying it to ICTR.
2. Language to more clearly discuss how to make inclusion/exclusion decisions in conformance with Justice and Equity considerations will be added.
3. In general, the revised Menlo Report will take a well-rounded perspective to include the end-user perspective, in addition to a researcher-centric perspective.
4. The discussion of the existence and management of pre-existing data will be expanded.
5. The discussion regarding the creation of the Internet and its growth to include the hosting of databases with personally identifiable information will be clarified.
6. The description or context of the use of the term “reasonable researcher” will be updated.
7. Explanatory language to address the issue of record retention will be included in the Mitigation of Realized Harms section.
8. The term “evidence-based consideration” will be clarified.
Dated: November 30, 2012.
Under Secretary for Science and Technology.
[FR Doc. 2012-29818 Filed 12-10-12; 8:45 am]