ACN - 101321555 Australasian Human Research Ethics Consultancy Services Pty Ltd (AHRECS)
1.2 Billion Records Found Exposed Online in a Single Server – Wired (Lily Hay Newman | November 2019)

Posted by Admin on April 7, 2020

Here’s the next jumbo data leak, complete with Facebook, Twitter, and LinkedIn profiles.

FOR WELL OVER a decade, identity thieves, phishers, and other online scammers have created a black market of stolen and aggregated consumer data that they used to break into people’s accounts, steal their money, or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all.

Does your institution have a policy/guidance document on hacked or scraped data? If not, it should. While the data may already exist and be online somewhere, it is “fruit of a poison tree” in that it was obtained without consent, probably in contravention of a platform’s policies, and there is a good chance at least one law has been broken. At the very least, an HREC would need to consider whether a waiver of the consent requirement can be approved. It would appear to be a very serious source of risk exposure for an institution, and a member of the institution’s executive should sign off on the project.

While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.

“It’s bad that someone had this whole thing wide open,” Troia says. “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That’s a lot of information in one place to get you started.”

“What stands out about this incident is the sheer volume of data that’s been collected.”
Troy Hunt, HaveIBeenPwned

Troia found the server while looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan. The IP address for the server simply traced to Google Cloud Services, so Troia doesn’t know who amassed the data stored there. He also has no way of knowing if anyone else found and downloaded the data before he did, but notes that the server was easy to find and access. WIRED checked six people’s personal email addresses against the data set; four were there and returned accurate profiles. Troia reported the exposure to contacts at the Federal Bureau of Investigation. Within a few hours, he says, someone pulled the server and the exposed data offline. The FBI declined to comment for this story.


Read the rest of this discussion piece

Management of Data and Information in Research (NHMRC An Australian Code (2018) good practice guide | June 2019)

Posted by Admin on September 29, 2019

A guide supporting the Australian Code for the Responsible Conduct of Research

Contents

1. Introduction

2. Responsibilities of institutions
2.1 Provision of training for researchers
2.2 Ownership, stewardship and control of research data and primary materials
2.3 Storage, retention and disposal
2.4 Safety, security and confidentiality
2.5 Access by interested parties
2.6 Facilities

3. Responsibilities of researchers
3.1 Retention and publication
3.2 Managing confidential and other sensitive information
3.3 Acknowledging the use of others’ data
3.4 Engagement with relevant training

4. Breaches of the Code

Additional Resources

Access the good practice guide

Fudged research results erode people’s trust in experts – The Conversation (Gavin Moodie | July 2019)

Posted by Admin on August 11, 2019

Reports of research misconduct have been prominent recently and probably reflect wider problems of relying on dated integrity protections.

The recent reports are from Retraction Watch, which is a blog that reports on the withdrawal of articles by academic journals. The site’s database reports that journals have withdrawn a total of 247 papers with an Australian author going back to the 1980s.

This compares with 324 papers withdrawn with Canadian authors, 582 from the UK and 24 from New Zealand. Australian retractions are 1.2% of all retractions reported on the site, a fraction of Australia’s 4% share of all research publications.

Read the rest of this discussion piece

Using ASCO’s Clinical Database for Commercial Research Raises Questions, Ethicists Say – Medscape (Ellie Kincaid | May 2019)

Posted by Admin on August 8, 2019

Eleven abstracts of the thousands accepted for publication at this year’s annual meeting of the American Society of Clinical Oncology (ASCO), one of the largest cancer research conferences in the world, draw upon data collected through a nonprofit subsidiary of ASCO that in 4 years has brought together the electronic health records (EHRs) of 1.2 million patients.

The ASCO subsidiary — CancerLinQ — will have its own 1200 square foot booth in prime real estate at the entrance to the meeting’s exhibit hall. It has received data from 48 healthcare institutions to help them improve care for patients and has compiled a treasure trove of data for researchers studying how expensive cancer drugs work for patients in the real world. But ethicists are concerned that CancerLinQ is allowing companies to sell access to the data after they have been stripped of patient identifiers, without asking for patients’ permission.

“I think that the ethics of profiting off of someone else’s information is dicey and at the very least the patient should go in with their eyes open, and that requires informing them,” said Robert Field, PhD, MPH, JD, a professor of law and public health at Drexel University, Philadelphia, Pennsylvania.

Read the rest of this discussion piece