Was that anonymous internet survey really anonymous?

by Andrea Johnson, JD, CIP, Regulatory Specialist in the Research Integrity Office at Oregon Health and Science University

I am kicking off my Advancing Ethical Research (AER) Conference experience with the pre-conference session entitled, Regulatory, Ethical and Technical Challenges in Internet Research. As I mentioned in my introductory post, I have been looking forward to this because we are seeing more and more internet research back home at OHSU. The presenters, Elizabeth Buchanan, PhD, Laura Odwazny, JD, MA, and Joseph A. Konstan, PhD, wasted no time delving into the substance of the material. I’m pretty confident that I could keep some of these discussions going over a bottle of wine well into the night.

One such example is the “Public/Private Divide,” which, as Ms. Odwazny pointed out, is really more of a continuum. The internet has drastically changed what most people consider to be private information or activities. Dr. Konstan gave several examples of the ways in which Big Data can be distilled to identify individuals. But even though we know that all of our Google searches are being logged somewhere out in the ether, we don’t necessarily want them shared openly with the world. There is still some expectation of privacy, even in the Information Age.

Characterizing information or activities as private has significant implications for institutional review board (IRB) review of research. For instance, per the Common Rule, whether a research activity even involves human subjects hinges partly on whether researchers will obtain identifiable, private information about individuals. Risks to subject privacy are also a key consideration for IRBs, and the internet can make it challenging to assess these risks. The presenters had some great insight into navigating these murky waters.

For one thing, what is considered private on the internet depends on a collection of contextual factors, not just a subject’s own personal expectation. IRBs should look to the norms of the potential subjects’ community (both online and in a more traditional sense) for clues regarding subjects’ likely expectations of privacy.

Another helpful reminder was that the definition of minimal risk, as it pertains to the categories of research eligible for expedited review, refers to the level of risk “ordinarily encountered in daily life.” As we encounter more privacy risks in our daily use of the internet and become accustomed to less privacy overall, more research involving the use of our personal information may fall within that definition.

This leads to a very important point that the presenters reinforced throughout the session: The regulations do not carve out special protections for internet research, and it should not be held to a higher standard of review solely because it takes place on the internet. While internet research creates unique risks and challenges that IRBs must understand and consider, it is helpful to step back and ask whether the same issues are present in other research contexts.

Overall, this session provided a balanced perspective on the many facets of internet research and gave me plenty of food for thought. It was a great start to the conference!