SCIENCE
09/02/2015 10:45 am ET

Ashley Madison Hack Creates Ethical Conundrum For Researchers

Some see it as a "gold mine." Others say it's a minefield.
Carl Court via Getty Images

When hackers dug into the databases of infidelity-focused dating website Ashley Madison and made the personal information of millions of users publicly available in mid-August, suspicious spouses weren't the only ones tempted to take a peek. Sex researchers, whose work is often hamstrung by subjects' reluctance to reveal intimate details in surveys, salivated at the opportunity to get an unvarnished look at the secret desires of a huge swath of Americans.

"For researchers who want to study infidelity, it's a potential gold mine," said sex researcher Dr. David Frederick of Chapman University in Orange, California.   

Most infidelity researchers tend to rely on anonymous phone or Internet surveys, which generally include input from no more than a few thousand people, for their work. The Ashley Madison hack, by contrast, includes data on 36 million users around the world, giving researchers a potential pool of subjects they could hardly have imagined.

Frederick and other experts agreed that the research applications of these data are potentially endless. At the most basic level, you could use them to tease out patterns of infidelity (or at least interest in infidelity) in terms of geography, age, race, religion, sex, height or income.

But with the tremendous benefits come serious risks. As sex researchers dig into the data from the Ashley Madison hack, they're confronted with a set of thorny questions: Is the data reliable? Is it proper for researchers to analyze? Is it even legally permissible to access?

"We're in uncharted ethical waters with the Internet and all the data that's coming out of social networks. The Ashley Madison hack is just a particularly difficult example of a much larger issue," said Dr. Sharlene Hesse-Biber, a sociologist and research ethics expert at Boston College.

The reliability question is the most pressing; after all, if the data are so unreliable that they're not usable, the ethics and logistics don't matter. Early, non-academic analysis of the data has shown that a huge share of the 36 million accounts in the hack were fake, inactive or incomplete. And Ashley Madison made essentially no effort to verify any of the information in these accounts -- even email addresses -- so much of that information may wind up being useless.

For some researchers, that's the end of the story. They believe the data are just too muddy to provide any valuable insights.

"It would be really hard to sort out, when you've got 30 million responses, which ones are real, which ones are fake," said Dr. Justin Lehmiller, a sex researcher at Harvard University. "If a significant portion are fake, that makes it hard to analyze these data and draw meaningful conclusions from them."

But there are ways to at least begin to separate the fake accounts from the real ones. You could, for example, limit your analysis to accounts that were fully filled out, those with photos or those linked to verifiable email accounts. Frederick pointed out that even if you excluded 95 percent of the profiles in the hack as fake, inactive or incomplete, you would still be left with information for about 1.8 million people -- an order of magnitude more than you would find in even the most comprehensive data set available to infidelity researchers.

Yes, there's a risk that some people, even many people, are lying or exaggerating, on their profiles -- but that risk is inherent in every study about sex, a subject that tends to solicit inflated claims from respondents if not outright lies. And researchers could take measures to sift through the misinformation by, say, sending users anonymous surveys that would complement information on their profiles; or, at a minimum, they could describe their study as a behavior analysis of Ashley Madison users, rather than a definitive study of infidelity.

Yet if researchers were able to figure out a way to pull interesting, unimpeachable insights from the data, they would only come up against much larger problems.

Psychological research is governed by a strict code of ethics, which is enforced by institutional review boards (IRBs) at universities. The code bars researchers from disclosing any information about subjects that would allow someone to personally identify them. This would be especially crucial in the case of Ashley Madison, because membership on the site is highly sensitive -- as has been shown by the cases of blackmail and divorce that have popped up in the wake of the hack. The clearest solution would be to anonymize the data by stripping out personally identifiable information, such as names and exact addresses.

The code also requires that researchers receive informed consent from human subjects before conducting research on them -- and Ashley Madison users obviously never gave such consent. For that reason, there's a major risk that an IRB would reject a researcher's request to use the data (unless, of course, the researcher emailed the users to get consent first).

"If I were sitting on an institutional review board at a university and one of our faculty came to us asking to write a study based on this data, I wouldn't be willing to approve that," said research ethics expert Dr. Gerald Koocher, dean of the College of Science and Health at DePaul University. "To me, it would seem like an unreasonable intrusion, because it's based on data stolen from people who had an expectation of privacy."

Some researchers, though, said they thought that because the hack put this data in the public domain, it is now fair game -- so much so that a researcher wishing to conduct a study wouldn't have to get approval from an IRB.

"When you have publicly available data, you don't need informed consent to use it," explained infidelity researcher Dr. Kelly Campbell of California State University, San Bernardino.

Yet the biggest -- and toughest -- question of all concerns the ethics, and even legality, of using data stemming from a hack that was itself obviously a criminal act.

That was the central issue of dispute in two discussions that sprang up this month on online message forums Reddit and ResearchGate. On both sites, researchers asked whether they could use data from the Ashley Madison hack -- and on both sites, a throng of other users slammed the original poster for even raising the issue. 

Experts who spoke with The Huffington Post were more circumspect. Many agreed that using the data is, at least, ethically dubious. They noted that analyzing the data effectively endorses the hack, and could encourage future hackers to release similar data. They said that anyone interested in using data from such a compromised source would have to think carefully about whether the insights gained outweigh the ethical cost.

"The idea is that if it's really going to add to scientific understanding, then at least something good is going to come out of something horrific," Hesse-Biber said. "But the question is always what new stuff is actually learned in these cases."

Jennifer Granick, a law professor at the Stanford Center for Internet and Society, said that the legal questions around the hack are still murky, but a few things are clear. Researchers using this data would not, she said, be guilty of any federal crime, because they are not involved in any way in the hack itself. She said a researcher who downloaded the data might theoretically run afoul of their state's statute on possession of stolen property. But, she explained, some of these statutes don't apply to digital data, and prosecutors have been very reluctant to go after individuals for cases like this. 

"I think that the risk to people for getting in any kind of criminal trouble is really low," Granick said.

Granick admitted that researchers might be open to lawsuits from individuals whose data was hacked, or even from Ashley Madison, but said that such lawsuits would be unlikely to prevail. 

"I'm not saying they have great cases," she said, "but nobody likes to be sued."

In the end, any one, or even two, of these issues might be surmountable -- but all together, they may just present too risky a data set for use. But that doesn't mean they'll have no impact on infidelity research as a whole. Indeed, the Ashley Madison hack could well spark broader interest in the topic and study.

"The stuff that's coming out in the news could serve as the impetus for research and data that are collected in a more sound way, where you don't have all of these ethical and other sorts of concerns," Lehmiller said. "That's probably the more likely influence it's gonna have."

CONVERSATIONS