"Ethical responsibility is an integral part of academic freedom": In conversation with Thorsten Helfer and Jannik Zeiser
Is the Research Ethics Office at CISPA something of a unicorn in cybersecurity research?
Thorsten: There are other ethics review boards at other institutions, both in computer science departments and at other research institutions, but to our knowledge, there is no other Ethics Office within the community that consists of people who deal exclusively with research ethics issues in cybersecurity research. In that sense, we are a unicorn.
You have helped establish the CISPA Research Ethics Office from the start. What was your mindset as you approached this task?
Thorsten: We are a research center for cybersecurity. This means that most of our research is ethical research. From the very beginning, it has been important to me that we help make the research even better—that we make the world a better place by improving the research.
Jannik: We’re not here to make research more difficult. We believe it is our job to facilitate high-quality research while also considering ethical perspectives. As philosophers, we are outsiders, even though we have acquired a good understanding of CISPA research by now. We want to learn from our researchers about their research so that we can solve ethical challenges together.
What does your role at the Research Ethics Office entail?
Jannik: A key focus is the Research Ethics Review Board, which we help oversee and in which we serve as members. We also provide guidance when researchers have questions about research ethics. In addition, we offer workshops and training sessions on research ethics in cybersecurity and AI, which is also an integral part of the PhD Kickoff Days. And then there’s our Ethics Sandbox, a monthly discussion event.
Thorsten: We also participate in research projects. For example, we are currently involved in a research project led by Sascha Fahl on ethics in cryptography. Another focus is building networks in the field of ethics and cybersecurity. For example, we’re part of the USENIX Research Ethics Committee. We’re also currently looking for points of contact within the Helmholtz Association to connect with other Ethics Review Boards or units that deal with research ethics. Our goal is to build an infrastructure that could institutionalize a larger net work for research ethics.
What ethical questions arise in cybersecurity research?
Jannik: User studies and personal data play a major role, especially in usable security, but it goes far beyond that. For example, when researching vulnerabilities in devices that are connected to the internet and that may react unexpectedly. It is a major challenge that research often affects people, even though it cannot be classified as a traditional User study. It is crucial to identify and assess the risks in cooperation with the researchers: How likely is it that sensitive systems will fail, or that other harm will be caused to people?
Thorsten: Ultimately, people— as beings susceptible to well-being—are connected to many digital systems. Even researchers in cryptography must ask them selves: What kind of research am I conducting? What can be done with my research? Could countries that want to increase surveillance of their populations use my research for that purpose? Privacy issues arise in AI research anyway: What do we feed into the models, what data do we train them on? Research ethics is also relevant for vulnerability research, which raises questions, for instance, about responsible disclosure—that is, when and to whom I should report the vulnerabilities I have discovered. All of these research topics, and others besides, open up ethical considerations.
What are the ethical cornerstones that guide your work? Is there an ethical consensus within the discipline?
Thorsten: There is one major cornerstone, the Menlo Report, which sets out a number of key values. Various conferences have also issued ethics guidelines for research ethics. We have written down our own CISPA Research Ethics Framework. It builds heavily on these guidelines, but it is also philosophically more precise, because we are probably two of the first full-time philosophers to be active in this field.
Jannik: Our approach is values based. It would probably be too much to go into all the details right now. But broadly speaking, it revolves around six core values that are also found in our CISPA Research Ethics Framework: autonomy, wellbeing, justice, privacy, sustainability in the sense of environmental protection, and epistemic progress—that is, the acquisition of knowledge.
How interesting! To what extent does epistemic progress count as an ethical value?
Thorsten: Epistemic progress doesn't come up very often in other frameworks. I think this has to do with the fact that ethics is often seen as an obstacle to research. But you have to ask yourself what the value is of what you’re doing. And in many projects, that value is measured by epistemic progress. You can’t act as if there was always a clear ethical answer. Rather, you have to balance the different values against one another: How can we reconcile epistemic progress with, say, minor sacrifices in wellbeing? How significant must the increase in knowledge be for us to accept other tradeoffs?
USENIX Security, a major scientific conference in cybersecurity, requires an Ethics Section in scientific papers. Is this a hurdle for early-career researchers?
Thorsten: Ethics is not part of their academic training, so researchers may not have a systematic way of thinking about it. It is helpful that we can support them with our expertise. However, it is not the case that we dictate to researchers how they should resolve ethical issues. We can't take the responsibility for people's research away from them—ethical responsibility is an integral part of academic freedom. I believe that those ethics sections help people reflect on ethical questions and potentially identify problems. These are all intelligent people who have come this far in academia for a reason. And when you ask intelligent people intelligent questions, they will come up with intelligent answers.
Both of you are trained philosophers. What professional challenges do you most enjoy about your work?
Jannik: I find it exciting to learn new things and work my way into new topics. It doesn’t really matter whether the subject is philosophy or leans more toward computer science, even though there are, of course, limits to my technical understanding that I can’t push beyond. What sets philosophy apart is an interest in questions that usually cannot be answered empirically, but that are normative or involve concepts or conceptual analyses. But I feel very comfortable in this more applied field.
Thorsten: Just like Jannik said: I enjoy learning new things. Previously, in my academic work, I always wondered how exciting applied ethics could be compared to theoretical philosophical questions. But since I started working at CISPA, I’ve realized that all of it is pretty cool. The more I delve into it, the more questions I encounter, the cooler I find it. You leave no stone of a question unturned and find that there’s yet another interesting aspect that you haven’t looked at yet; that a new problem emerges that you didn’t expect in this way. In part, this is pure philosophical, applied ethics. The fact that, as a philosopher, you can do something that has such a direct, meaningful impact, that is very cool.
Find out more about research ethics at CISPA in our latest CISPA Zine.