[Federal Register Volume 77, Number 238 (Tuesday, December 11, 2012)]
[Notices]
[Pages 73669-73671]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-29818]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[Docket No. DHS-2012-0041]


Response to Comments Received for the ``The Menlo Report: Ethical 
Principles Guiding Information and Communication Technology Research'' 
(``The Menlo Report'') for the Department of Homeland Security (DHS), 
Science and Technology, Cyber Security Division (CSD), Protected 
Repository for the Defense of Infrastructure Against Cyber Threats 
(PREDICT) Project

AGENCY: Science and Technology Directorate, DHS.

ACTION: Response.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security (DHS), Science and 
Technology (S&T) published a 60-day public notice in the Federal 
Register on December 28, 2011 (Federal Register Volume 76, Number 249, 
Docket No. DHS-2011-0074) to invite public comment on the Menlo Report. 
The intent of the notice was to further refine the content of the Menlo 
Report beyond the working group that had generated the report. This 
notice responds to the comments received during this 60-day public 
notice.

ADDRESSES: The updated Menlo Report may be found at http://www.cyber.st.dhs.gov/.

FOR FURTHER INFORMATION CONTACT: DHS S&T, Email [email protected].

SUPPLEMENTARY INFORMATION: 

Background

    A grassroots working group composed of stakeholders in information 
and communication technology research (ICTR), with support from the 
Homeland Security Advanced Research Projects Agency (HSARPA) CSD, 
developed the Menlo Report. HSARPA CSD published this report in the 
Federal Register in December 2011 (76 FR 81517, Docket No. DHS-2011-
0074) to invite public comment, and sixteen comments were received. The 
complete text of the public comments and the Federal Register notice 
are available on the Regulations.gov web site at http://www.regulations.gov/#!docketDetail;D=DHS-2011-0074.
    To address the comments, a subset of the initial working group was 
assembled that has stewarded the document since its inception. In 
summary, the comments contained both laudatory and critical remarks and 
covered issues that ranged in scope from targeted to general. The 
approach to absorbing this valuable feedback was to analyze each 
comment, distill the issue(s) raised by the commenter, reflect on the 
relevant text in the Menlo Report, and generate a response. Those 
responses entailed identifying proposed changes intended to resolve the 
issues raised, either by modifying text that was unclear or 
misinterpreted by readers or by accepting constructive criticism.

Changes to the Report

    The Menlo Report has been updated and is available at http://www.cyber.st.dhs.gov/. Overall, the changes to the Menlo Report based 
on the comments are summarized as follows:
    1. The next version will clarify that the Menlo Report is not an 
official policy statement of DHS and that DHS does not have the 
intention or authority to permit researchers to engage in any practice 
in the name of ``ethical research.''
    2. The next version will reflect that the main focus of the Menlo 
Report is on private sector and academic researchers who may be 
government funded, rather than DHS employees. While the Menlo Report 
may certainly be applicable to government researchers, it is not 
intended to conflict with or preempt statutory or regulatory 
requirements placed on government employees.
    3. The next version will explicitly address the choice of Belmont 
Report model instead of an alternative ethical framework (i.e., a 
Belmont Report principles-in-context approach). Specifically, the next 
version of the Menlo Report will clarify the benefit to society versus 
the risks to research subjects under this model.

    4. The next version will address the relationship between law and 
ethics (i.e., when a researcher's ethically-derived beliefs are in 
direct conflict with relevant laws) by stating it is beyond the scope 
of the Menlo Report to advocate a position when laws directly conflict 
with ethics. Rather, the Menlo Report reinforces the principle that 
ethics plays a role in closing gaps in laws and clarifying grayness in 
interpretation of laws.
    5. The next version will highlight the value of the Menlo Report 
guidelines to society rather than just researchers.

Detailed Comments and Responses

    S&T published a 60-day public notice in the Federal Register on 
December 28, 2011 (Federal Register Volume 76, Number 249, Docket No. 
DHS-2011-0074) to invite public comment on the Menlo Report. The notice 
helped further refine the content of the Menlo Report by seeking 
comments on the document generated by the working group. At the end of 
the 60-day comment period, S&T received sixteen comments from two 
universities, four private citizens, three non-profit organizations, 
one foreign university, and one professional association. In general, 
the comments received fall into the following categories:
    1. The Menlo Report construed as official DHS policy
    2. Interpretation of informed consent
    3. Researcher interaction with a research subject's computer
    4. Calculating benefits and harms
    5. Estimation of benefits and harms from ICTR
    6. Applicability of the Institutional Review Board (IRB) model for 
ethical review of ICTR
    7. The relationship between laws and ethics
    8. Privacy rights of individuals related to corporate monitoring
    9. Ethical considerations for future contemplation and study
    10. Standalone comments

A. The Menlo Report As Official DHS Policy

    Several comments stated that the Menlo Report is an official policy 
statement of DHS and that DHS has the intention or authority to permit 
researchers to engage in any practice in the name of ``ethical 
research.''
    Response: The Menlo Report offers ethical guidance for public and 
private researchers and explicitly advocates respect for the law and 
public interest (e.g., supporting the notion that different laws may 
apply to government researchers) and is neither an official nor 
authoritative policy statement for DHS or law enforcement. As a result, 
modifications to the Menlo Report will have additional, explicit 
language to indicate that while DHS supports the Menlo Report, the 
Menlo Report does not represent official agency policy nor should it be 
interpreted as applying to, conflicting with, or superseding statutory 
mandates and other authoritative commitments governing actions by the 
government.

B. Interpretation of Informed Consent

    Several comments were received related to the discussion of 
informed consent in the Menlo Report.
    Response: Support for informed consent will be conveyed by the 
Menlo Report by detailing how researchers and Research Ethics Boards 
(REB) should consider the situation where waivers of informed consent 
are sought. Modifications to the Menlo Report will substitute the term 
``proxy'' with the Common Rule term ``legally authorized 
representative,'' clarify the issue of their relationship to requests 
for waivers, and better balance the perspective between that of 
researchers and that of end-users or research subjects. The respondents 
agree with the observation in various comments regarding ICTR and 
waivers to informed consent and will highlight this issue in 
modifications to the Menlo Report. Given the gravity and ubiquity of 
cyber-crime, the benefits and importance of accurate research data for 
countering it is a specific situation that may satisfy the requirements 
of 45 CFR 46.116 allowing requests for alteration or elimination of 
informed consent requirements in those situations where minimal risk to 
subjects (or those reliant on information and communication technology 
(ICT) under study) exists.

C. Researcher Interaction With a Research Subject's Computer

    Multiple comments dealt with the issue of interacting with a 
research subject's computer or interacting with malicious software 
under study that the owner of the computer is not even aware exists on 
their computer.
    Response: It is understood that the study of malicious software, to 
include botnets, is an area that can pose greater than minimal risk to 
those who rely on infected computers. Ultimately, the issue of what 
constitutes ``minimal risk,'' and also whether it is ``human subjects 
research'' to interact with the computer, as opposed to the human, must 
be determined. Given that IRBs in the United States today do not require 
that researchers adhere to zero risk, but rather are guided by the 
requirements of 45 CFR 46.111, the Menlo Report will be updated to 
clarify the justification for this approach by illuminating the 
consequences of a zero-risk tolerance approach, noting, for example, 
how it would negatively impact the public's ability to benefit from 
research.

D. Calculating Benefits and Harms

    Various comments received also raised issues regarding the 
estimation of benefits and harms from ICTR, including not only who may 
be harmed but also how potential benefits and harms can be quantified.
    Response: The current ``Identifying Harms'' section of the Menlo 
Report addresses concerns about lack of comprehensive coverage of 
harms. However, to bolster this area, the Menlo Report will be updated 
to address the potential, rather than certainty, of harms resulting 
from research activities. Specifically, personal privacy and 
information confidentiality and integrity are incontrovertibly noted as 
potential harms that must be addressed. Updates will also clarify the 
distinction and relevance of the benefit to society versus the risks to 
research subjects in ICTR. The respondents will also change the text to 
include harms resulting from notification of research, and publication 
of information that can be used to cause harm. Additional verbiage will 
also seek to clarify the distinction and relevance of the benefit to 
society versus the risks to research subjects in ICTR.

E. Applicability of the Institutional Review Board (IRB) Model

    Several comments raised the appropriateness of the Belmont/IRB 
model, related to both behavioral and biomedical research, for ethical 
review of ICTR.
    Response: The purpose of the Menlo Report is to advocate principles 
and applications, not to define enforcement mechanisms. The crux of 
these comments related to applicability of the Belmont Report. The next 
version of the Menlo Report will concretely state that it is 
deliberately founded on the Belmont model, which was originally 
developed for the biomedical research context but is not limited to 
biomedicine, as evidenced by the fact that this model is currently used 
for evaluation of behavioral research (including that which involves 
ICT).

F. Relationship Between Laws and Ethics

    Many comments were received relating to conflicts between ethical 
codes and the law.
    Response: The comments were diverse but converged on the necessity 
to add text regarding the relationship between law and ethics. The 
assertion that the Menlo Report precludes the Common Rule is conjecture that 
appeared in one of the comments, and it is important to mention that 
this is not substantiated by evidence from the Menlo Report. This 
criticism does not reflect what is presently allowed by the Common Rule 
in terms of waivers (see 45 CFR 46.116, specifically subsections (c) 
and (d)). The Menlo Report currently is framed in such a way as to be 
congruous with the predominant REB model in the United States, IRB. The 
Menlo Report will be revised to include text that clarifies that the 
Menlo Report does not take any stance on addressing the situation when 
laws are viewed by the public to be unethical. It was also apparent 
from the comments that the Menlo Report needs to clarify that 
researchers are not authorized to waive consent. The Menlo Report will 
also be updated in the Respect for Law and Public Interest section to 
address conflicts with principles of compliance, transparency, and 
accountability and with the privacy interests of individuals.

G. Privacy of Individuals vs. Corporations

    Multiple comments highlighted a problem regarding the discussion on 
the privacy of an organization in relation with enhancing cyber 
security.
    Response: This discussion will be removed from the next version of 
the Menlo Report. The comments correctly identified a potential 
inconsistency.

H. Ethical Considerations for Future Contemplation and Study

    Finally, there were comments suggesting a general call for further 
study and engagement with various communities and agencies in order to 
create workable guidance.
    Response: Much additional work will be done as a follow-on to the 
Menlo Report to spur additional discussion of the approach to ethics in 
ICTR presented in the Menlo Report. Some of this research has already 
been undertaken and is included in a companion report to the Menlo 
Report.

I. Standalone Comments

    There were several comments that did not fall into the preceding 
categories but did spur further changes to the Menlo Report. The 
following will be reflected as updates to the Menlo Report:
    1. A clarification will be added explaining that while the Menlo 
Report adopts Belmont Report principles and the Common Rule regime in 
framing the principles and applications for evaluating and applying 
ethics in ICTR, it also highlights areas within the Common Rule that 
are more frequently exercised by ICTR or that may cause problems in 
applying it to ICTR.
    2. Language to more clearly discuss how to make inclusion/exclusion 
decisions in conformance with Justice and Equity considerations will be 
added.
    3. In general, the revised Menlo Report will take a well-rounded 
perspective to include the end-user perspective, in addition to a 
researcher-centric perspective.
    4. The discussion of the existence and management of pre-existing 
data will be expanded.
    5. The discussion regarding the creation of the Internet and its 
growth to include the hosting databases with personally identifiable 
information will be clarified.
    6. The description or context of the use of the term ``reasonable 
researcher'' will be updated.
    7. Explanatory language to address the issue of record retention 
will be included in the Mitigation of Realized Harms section.
    8. The term ``evidence-based consideration'' will be clarified.

    Dated: November 30, 2012.
Tara O'Toole,
Under Secretary for Science and Technology.
[FR Doc. 2012-29818 Filed 12-10-12; 8:45 am]
BILLING CODE 9110-9F-P