The Menlo Report is a report published by the U.S.

Department of Homeland Security The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-terr ...

Cyber Security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...

Division that outlines an ethical framework for research involving

Information and Communications Technologies Information and communications technology (ICT) is an extensional term for information technology (IT) that stresses the role of unified communications and the integration of telecommunications (telephone lines and wireless signals) and computers, ...

(ICT). The 17-page report was published on August 3, 2012. The following year, the

published a 33-page companion reportD. Dittrich, E. Kenneally, and M. Bailey. "Applying Ethical Principles to Information and Communication Technology Research: A Companion to the Menlo Report", Tech. Report., U.S. Department of Homeland Security, Oct 2013. https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPANION-20120103-r731_1.pdf, https://www.impactcybertrust.org/link_docs/Menlo-Report-Companion.pdf that includes case studies that illustrate how the principles can be applied. The Menlo Report adapted the original

Belmont Report The ''Belmont Report'' is a report created by the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Its full title is the ''Belmont Report: Ethical Principles and Guidelines for the Protection of Human ...

principles (Respect for Persons, Beneficence, and Justice) to the context of

cybersecurity Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...

research & development, as well as adding a fourth principle, "Respect for Law and Public Interest." The Menlo Report was created under an informal,

grassroots A grassroots movement is one that uses the people in a given district, region or community as the basis for a political or economic movement. Grassroots movements and organizations use collective action from the local level to effect change at t ...

process that was catalyzed by the ethical issues raised in ICT

Computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...

research. Discussions at conferences and in public discourse exposed growing awareness of

ethical Ethics or moral philosophy is a branch of philosophy that "involves systematizing, defending, and recommending concepts of right and wrong behavior".''Internet Encyclopedia of Philosophy'' The field of ethics, along with aesthetics, concerns ma ...

debates in computer security research, including issues that existing oversight authorities (e.g.,

Institutional Review Boards An institutional review board (IRB), also known as an independent ethics committee (IEC), ethical review board (ERB), or research ethics board (REB), is a committee that applies research ethics by reviewing the methods proposed for research to ens ...

) might have been unaware of or determined were beyond their purview. The Menlo Report is the core document stemming from the series of

working group A working group, or working party, is a group of experts working together to achieve specified goals. The groups are domain-specific and focus on discussion or activity around a specific subject area. The term can sometimes refer to an interdis ...

meetings that broached these issues in an attempt to pre-empt research harms and galvanize the community around common ethical principles and applications. This report proposes a framework for ethical guidelines for computer and

information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...

research, based on the principles set forth in the 1979

, a seminal guide for ethical research in the

biomedical Biomedicine (also referred to as Western medicine, mainstream medicine or conventional medicine)

and

behavioural sciences Behavioral sciences explore the cognitive processes within organisms and the behavioral interactions between organisms in the natural world. It involves the systematic analysis and investigation of human and animal behavior through naturalistic o ...

. The Menlo Report describes how the three principles in the Belmont report can be applied in fields related to research about or involving information and communication technology. ICT research raises new challenges resulting from interactions between humans and communications technologies. In particular, today's ICT research contexts contend with ubiquitously connected network environments, overlaid with varied, often discordant legal regimes and social norms. The Menlo Report proposes the application of these principles to

information systems An information system (IS) is a formal, sociotechnical, organizational system designed to collect, process, information storage, store, and information distribution, distribute information. From a sociotechnical perspective, information systems a ...

security research although the researchers expect the proposed framework to be relevant to other disciplines, including those targeted by the Belmont report but now operating in more complex and interconnected contexts. The Menlo Report details four core ethical principles, three from the original Belmont Report. * respect for persons * beneficence *

justice Justice, in its broadest sense, is the principle that people receive that which they deserve, with the interpretation of what then constitutes "deserving" being impacted upon by numerous fields, with many differing viewpoints and perspective ...

It has an additional principle - respect for law and public interest. The report explains each of these in the context of ICT research.

Principles of the Menlo Report

The Menlo Report attempts to summarize a set of basic principles to guide the identification and resolution of ethical problems arising in research of or involving ICT. The report believes that ICT has increasingly become integrated into individual and collective daily lives and affects our social interactions. It believes that the challenges of ICTR

risk assessment Broadly speaking, a risk assessment is the combined effort of: # identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and # making judgments "on the to ...

is derived from these three factors: - The researcher-subject relationships, which tend to be disconnected, dispersed, and intermediated by technology - The proliferation of data sources and analytics, which can heighten risk incalculably - And the inherent overlap between research and operations. In order to properly apply any of the principles in the complex setting of ICT research, it deems that it is first necessary to perform a systematic and comprehensive stakeholder analysis. The proposed guidelines for ethical assessment of ICT Research are as follows: * Respect for Persons. Participation as a research subject is voluntary, and follows from

informed consent Informed consent is a principle in medical ethics and medical law, that a patient must have sufficient information and understanding before making decisions about their medical care. Pertinent information may include risks and benefits of treatme ...

. Therefore the research should treat individuals as

autonomous In developmental psychology and moral, political, and bioethical philosophy, autonomy, from , ''autonomos'', from αὐτο- ''auto-'' "self" and νόμος ''nomos'', "law", hence when combined understood to mean "one who gives oneself one's ow ...

agents and respect their right to determine their own best interests, respect individuals who are not targets of research yet are impacted, Individuals with diminished autonomy who are incapable of deciding for themselves and are entitled to protection. * Beneficence. Do not harm. Maximize probable benefits and minimize probable harms. Systematically assess both risk of harm and benefit. * Justice. Each person deserves equal consideration in how to be treated, and the benefits of research should be fairly distributed according to individual need, effort, societal contribution, and merit. Selection of subjects should be fair, and burdens should be allocated equitably across impacted subjects. * Respect for Law and Public Interest. Engage in legal

due diligence Due diligence is the investigation or exercise of care that a reasonable business or person is normally expected to take before entering into an agreement or contract with another party or an act with a certain standard of care. It can be a l ...

and be transparent in methods and results. Be accountable for actions.

Implementation of the Principles of the Menlo Report

Respect for Persons

Appropriate application of the four principles requires that

Stakeholder analysis Stakeholder analysis (in conflict resolution, business administration, environmental health sciences decision making, Industrial ecology, and project management) is the process of assessing a system and potential changes to it as they relate to rel ...

must first be performed. Thorough stakeholder analysis is important to identify: the correct entity(s) from whom to seek informed consent; the party(s) who bear the burdens or face risks of research; the party(s) who will benefit from research activity; and, the party(s) who are critical to

mitigation Mitigation is the reduction of something harmful or the reduction of its harmful effects. It may refer to measures taken to reduce the harmful effects of hazards that remain ''in potentia'', or to manage harmful incidents that have already occur ...

in the event that chosen risks come to fruition.

Informed consent Informed consent is a principle in medical ethics and medical law, that a patient must have sufficient information and understanding before making decisions about their medical care. Pertinent information may include risks and benefits of treatme ...

assures that research subjects who are put at risk through their involvement in research understand the proposed research, the purpose for which they are being asked to participate in research, the anticipated benefits of the research, and the risks of the subject's participation in that research. They are then free to choose to accept or decline participation. These risks may involve

identifiability In statistics, identifiability is a property which a model must satisfy for precise inference to be possible. A model is identifiable if it is theoretically possible to learn the true values of this model's underlying parameters after obtaining an ...

in research data but can extend to other potential harms.

Beneficence

Assessing potential research harm involves considering risks related to information and

as a whole. Information-centric harms stem from contravening data confidentiality, availability, and integrity requirements. This also includes infringing rights and interests related to privacy and reputation, and

psychological Psychology is the scientific study of mind and behavior. Psychology includes the study of conscious and unconscious phenomena, including feelings and thoughts. It is an academic discipline of immense scope, crossing the boundaries between t ...

, financial, and physical well-being. Some personal information is more sensitive than others. Very sensitive information includes government-issued identifiers such as

Social Security Welfare, or commonly social welfare, is a type of government support intended to ensure that members of a society can meet basic human needs such as food and shelter. Social security may either be synonymous with welfare, or refer specificall ...

, driver's license, health care, and financial account numbers, and

biometric Biometrics are body measurements and calculations related to human characteristics. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used to identify in ...

records. A combination of personal information is typically more sensitive than a single piece of personal information.

Basic research Basic research, also called pure research or fundamental research, is a type of scientific research with the aim of improving scientific theories for better understanding and prediction of natural or other phenomena. In contrast, applied resear ...

typically has long-term benefits to society through the advancement of scientific knowledge. Applied research generally has immediately visible benefits. Operational improvements include improved

search algorithms In computer science, a search algorithm is an algorithm designed to solve a search problem. Search algorithms work to retrieve information stored within particular data structure, or calculated in the search space of a problem domain, with eith ...

, new queuing techniques, new

user interface In the industrial design field of human–computer interaction, a user interface (UI) is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine f ...

capabilities. The principle of balancing risks and benefits involves weighing the burdens of research and risks of harm to stakeholders (direct or indirect), against the benefits that will accrue to the larger society as a result of the research activity. The application of this principle is perhaps the most complicated because of the characteristics of ICTR. This compels us to revisit the existing guidance on

research design Research design refers to the overall strategy utilized to carry out research that defines a succinct and logical plan to tackle established research question(s) through the collection, interpretation, analysis, and discussion of data. Incorporat ...

and ethical evaluation. Circumstances may arise where significant harm occurs despite attempts to prevent or minimize risks, and additional harm-mitigating steps are required. ICT researchers should have (a) a response plan for reasonably foreseeable harms, and (b) a general

contingency plan A contingency plan, also known colloquially as Plan B, is a plan devised for an outcome other than in the usual (expected) plan. It is often used for risk management for an exceptional risk that, though unlikely, would have catastrophic conseque ...

for low probability and high impact risks.

Justice

The report believes that research should be designed and conducted equitably between and across stakeholders, distributing research benefits and burdens. Research directed at ICT itself may be predicated on exploiting an attribute (e.g.,

economically disadvantaged The "disadvantaged" is a generic term for individuals or groups of people who: * Face special problems such as physical or mental disability * Lack money or economic supportKingdom of Nepal: Economic and Social Inclusion of the Disadvantaged Poo ...

) of persons which is not related to the research purpose. Hence, it can facilitate arbitrary targeting by

proxy Proxy may refer to: * Proxy or agent (law), a substitute authorized to act for another entity or a document which authorizes the agent so to act * Proxy (climate), a measured variable used to infer the value of a variable of interest in climate ...

. On the other hand, the opacity and attribution challenges associated with ICT can inherently facilitate unbiased selection in all research as it is often impracticable to even discern those attributes.

Respect for Law and Public Interest

Applying respect for law and public interest through compliance assures that researchers engage in legal due diligence. Although ethics may be implicitly embedded in many established laws, they can extend beyond those strictures and address obligations that relate to reputation and individual well-being, for example. Transparency is an application of respect for law and public interest that can encourage assessing and implementing

accountability Accountability, in terms of ethics and governance, is equated with answerability, blameworthiness, liability, and the expectation of account-giving. As in an aspect of governance, it has been central to discussions related to problems in the publ ...

. Accountability ensures that researchers behave responsibly, and ultimately it galvanizes trust in ICTR. Transparency-based accountability helps researchers, oversight entities, and other stakeholders avoid guesswork and incorrect

inferences Inferences are steps in reasoning, moving from premises to logical consequences; etymologically, the word ''infer'' means to "carry forward". Inference is theoretically traditionally divided into deduction and induction, a distinction that in E ...

regarding if, when, and how ethical principles are being addressed. Transparency can expose ethical tensions, such as the researcher's interest in promoting openness and

reproducibility Reproducibility, also known as replicability and repeatability, is a major principle underpinning the scientific method. For the findings of a study to be reproducible means that results obtained by an experiment or an observational study or in a ...

versus withholding research findings in the interests of protecting a vulnerable population.

Companion Report

The Companion Report is a complement to the Menlo Report that details the principles and applications in more detail and illustrates their implementation in real and synthetic case studies. It is intended for the benefit of society, by showing the potential for harm to humans (direct or indirect) and by helping researchers understand and preempt or minimize these risks in the

lifecycle Life cycle, life-cycle, or lifecycle may refer to: Science and academia * Biological life cycle, the sequence of life stages that an organism undergoes from birth to reproduction ending with the production of the offspring *Life-cycle hypothesis ...

of their research.

References

*M. Bailey, D. Dittrich, E. Kenneally and D. Maughan,
The Menlo Report
" in ''IEEE Security & Privacy,'' vol. 10, no. 2, pp. 71–75, March–April 2012., doi: 10.1109/MSP.2012.52, (article summary of Menlo Report). {{Reflist United States Department of Homeland Security