Re MASSIVE ethical failure and privacy violation by Dropbox

["DAVID FARBER" <dfarber () me com>]

Begin forwarded message:

> From: Peter Swire <peter () peterswire net>
> Date: July 26, 2018 at 12:59:56 AM GMT+9
> To: "dave () farber net" <dave () farber net>
> Cc: ip <ip () listbox com>
> Subject: Re: [IP] MASSIVE ethical failure and privacy violation by Dropbox
>
> Dave:
>
> The facts reported in Wired do not appear to support the conclusion of MASSiVE ethical failure. 
>
> According to the article:
>
> 1. The data was de-identified before it went to the researchers. 
> 2. Quasi-identifiers were put into ranges, rather than being reported with individual values. 
> 3. The researchers who received the de-identified data signed a confidentiality agreement. 
>
> U.S. law from the FTC and HHS, has supported the lawfulness of doing research on de-identified data when both 
> technical and administrative controls of this sort are in place. 
>
> Specifically, HIPAA does not require or expect individual consent or IRB approval when the data had been properly 
> de-identified. 
>
> An overall judgment of the sufficiency of the technical and administrative controls would require more detail than 
> Wired reports. 
>
> Based on the reporting, however, it is not clear in what respect Dropbox varied from common good practice, even if 
> the data were sensitive health data covered by HIPAA. 
>
> Peter
>
> Peter Swire
> Ph: 240-994-4142
> www.peterswire.net
>
> Sent from phone: apologies for brevity and typos.
>
> > On Jul 24, 2018, at 9:04 PM, Dave Farber <farber () gmail com> wrote:
> >
> >
> >
> >
> > Begin forwarded message:
> >
> > > From: Lauren Weinstein <lauren () vortex com>
> > > Date: July 25, 2018 at 9:38:08 AM GMT+9
> > > To: nnsquad () nnsquad org
> > > Subject: [ NNSquad ] MASSIVE ethical failure and privacy violation by Dropbox
> > >
> > >
> > > MASSIVE ethical failure and privacy violation by Dropbox
> > >
> > > https://www.wired.com/story/dropbox-sharing-data-study-ethics/
> > >
> > >      But it still appears this research was conducted without the
> > >    express consent of the thousands of customers whose
> > >    information Dropbox and the researchers accessed (the HBR
> > >    article originally suggested that 400,000 users' data was
> > >    analyzed, while Dropbox says that the study dealt with data
> > >    from 16,000 customers). Late Tuesday HBR added a second
> > >    editors' note indicating that the researchers started with
> > >    information on 400,000 "unique users" but pared the data set
> > >    down to 16,000 after incorporating data from Web of Science.
> > >    HBR editors also updated the article to indicate that it
> > >    wasn't 1,000 universities that were included, but rather 1,000
> > >    separate departments.  Informed consent, one of the
> > >    cornerstones of academic research, is one of the things that
> > >    got Facebook in so much trouble back in 2014 ...
> > >
> > > - - -
> > >
> > > --Lauren--
>
> This message was sent to the list address and trashed, but can be found online.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-a538de84&post_id=20180725132125:269B00A8-902F-11E8-8298-BCE6D7E91697
Powered by Listbox: https://www.listbox.com