Menlo Report


The Menlo Report is a report published by the U.S. Department of Homeland Security Science and Technology Directorate, Cyber Security Division that outlines an ethical framework for research involving Information and Communications Technologies (ICT). [1]


The 17-page report [2] was published on August 3, 2012. The following year, the Department of Homeland Security published a 33-page companion report [3] that includes case studies that illustrate how the principles can be applied.

The Menlo Report adapted the original Belmont Report principles (Respect for Persons, Beneficence, and Justice) to the context of cybersecurity research and development, and added a fourth principle, "Respect for Law and Public Interest." [4]

The Menlo Report was created under an informal, grassroots process that was catalyzed by the ethical issues raised in ICT computer security research. Discussions at conferences and in public discourse exposed growing awareness of ethical debates in computer security research, including issues that existing oversight authorities (e.g., Institutional Review Boards) might have been unaware of or determined were beyond their purview. The Menlo Report is the core document stemming from the series of working group meetings that broached these issues in an attempt to pre-empt research harms and galvanize the community around common ethical principles and applications.

This report proposes a framework for ethical guidelines for computer and information security research, based on the principles set forth in the 1979 Belmont Report, a seminal guide for ethical research in the biomedical and behavioral sciences. The Menlo Report describes how the three principles in the Belmont Report can be applied in fields related to research about or involving information and communication technology. ICT research raises new challenges resulting from interactions between humans and communications technologies. In particular, today's ICT research contexts contend with ubiquitously connected network environments, overlaid with varied, often discordant legal regimes and social norms.

The Menlo Report proposes the application of these principles to information systems security research, although the researchers expect the proposed framework to be relevant to other disciplines, including those targeted by the Belmont Report but now operating in more complex and interconnected contexts. The Menlo Report details four core ethical principles: three from the original Belmont Report and an additional principle, respect for law and public interest. The report explains each of these in the context of ICT research.

Principles of the Menlo Report

The Menlo Report attempts to summarize a set of basic principles to guide the identification and resolution of ethical problems arising in research of or involving ICT. The report holds that ICT has increasingly become integrated into individual and collective daily lives and affects our social interactions.

It holds that the challenges of ICT research (ICTR) risk assessment derive from three factors:

- The researcher-subject relationships, which tend to be disconnected, dispersed, and intermediated by technology

- The proliferation of data sources and analytics, which can heighten risk incalculably

- The inherent overlap between research and operations

To properly apply any of the principles in the complex setting of ICT research, the report deems it necessary to first perform a systematic and comprehensive stakeholder analysis.

The proposed guidelines for ethical assessment of ICT Research are as follows:

Implementation of the Principles of the Menlo Report

Respect for Persons

Appropriate application of the four principles requires that stakeholder analysis first be performed. Thorough stakeholder analysis is important to identify: the correct entity(s) from whom to seek informed consent; the party(s) who bear the burdens or face risks of research; the party(s) who will benefit from research activity; and the party(s) who are critical to mitigation in the event that chosen risks come to fruition.

Informed consent assures that research subjects who are put at risk through their involvement in research understand the proposed research, the purpose for which they are being asked to participate in research, the anticipated benefits of the research, and the risks of the subject's participation in that research. They are then free to choose to accept or decline participation. These risks may involve identifiability in research data but can extend to other potential harms.

Beneficence

Assessing potential research harm involves considering risks related to information and information systems as a whole. Information-centric harms stem from contravening data confidentiality, availability, and integrity requirements. This also includes infringing rights and interests related to privacy and reputation, and psychological, financial, and physical well-being. Some personal information is more sensitive than other personal information. Very sensitive information includes government-issued identifiers such as Social Security, driver's license, health care, and financial account numbers, and biometric records. A combination of personal information is typically more sensitive than a single piece of personal information.

Basic research typically has long-term benefits to society through the advancement of scientific knowledge. Applied research generally has immediately visible benefits. Operational improvements include improved search algorithms, new queuing techniques, and new user interface capabilities.

The principle of balancing risks and benefits involves weighing the burdens of research and risks of harm to stakeholders (direct or indirect), against the benefits that will accrue to the larger society as a result of the research activity. The application of this principle is perhaps the most complicated because of the characteristics of ICTR. This compels us to revisit the existing guidance on research design and ethical evaluation.

Circumstances may arise where significant harm occurs despite attempts to prevent or minimize risks, and additional harm-mitigating steps are required. ICT researchers should have (a) a response plan for reasonably foreseeable harms, and (b) a general contingency plan for low probability and high impact risks.

Justice

The report holds that research should be designed and conducted equitably between and across stakeholders, distributing research benefits and burdens. Research directed at ICT itself may be predicated on exploiting an attribute (e.g., economically disadvantaged) of persons which is not related to the research purpose. Hence, it can facilitate arbitrary targeting by proxy. On the other hand, the opacity and attribution challenges associated with ICT can inherently facilitate unbiased selection in all research, as it is often impracticable to even discern those attributes.

Respect for Law and Public Interest

Applying respect for law and public interest through compliance assures that researchers engage in legal due diligence. Although ethics may be implicitly embedded in many established laws, they can extend beyond those strictures and address obligations that relate to reputation and individual well-being, for example.

Transparency is an application of respect for law and public interest that can encourage assessing and implementing accountability. Accountability ensures that researchers behave responsibly, and ultimately it galvanizes trust in ICTR. Transparency-based accountability helps researchers, oversight entities, and other stakeholders avoid guesswork and incorrect inferences regarding if, when, and how ethical principles are being addressed. Transparency can expose ethical tensions, such as the researcher's interest in promoting openness and reproducibility versus withholding research findings in the interests of protecting a vulnerable population.

Companion Report

The Companion Report [3] is a complement to the Menlo Report that describes the principles and applications in more detail and illustrates their implementation in real and synthetic case studies. It is intended for the benefit of society, by showing the potential for harm to humans (direct or indirect) and by helping researchers understand and preempt or minimize these risks in the lifecycle of their research.


References

  1. "Science and Technology". 12 November 2014.
  2. E. Kenneally and D. Dittrich, "The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research", Tech. Report, U.S. Department of Homeland Security, Aug 2012. This article incorporates public domain material from websites or documents of the United States Department of Homeland Security.
  3. D. Dittrich, E. Kenneally, and M. Bailey. "Applying Ethical Principles to Information and Communication Technology Research: A Companion to the Menlo Report", Tech. Report, U.S. Department of Homeland Security, Oct 2013. https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPANION-20120103-r731_1.pdf, https://www.impactcybertrust.org/link_docs/Menlo-Report-Companion.pdf
  4. "6.4.4 Respect for Law and Public Interest". www.bitbybitbook.com. Retrieved 2021-04-24.