This is incorrect. It's only human subjects research if the researcher is obtaining data about a human. This is the "about whom" requirement. A classic example is calling a business and asking someone about the products and prices they offer. That's not human subjects research.
If you say "I am a researcher studying X, can you please answer the following questions" then you might be studying a "what", depending on the specific questions.
When you lie about who you are, what your purposes are, and use scary legal language in an attempt to elicit a response, that is absolutely human research. You may be able to do those things ethically as a scientist but you absolutely need IRB review because it is definitely human research.
My guess is that the IRB in this case was not informed of the deceptive nature of some of the emails as lying is absolutely a red flag that you are doing human research and not just information gathering. Indeed, evaluating such lies for potential harm is an important part of why we have IRBs for psychological and sociological research.
This is not Princeton's organizational policy or internal regulation, this is the regulatory definition of human subjects research as set by the government. Its semantic interpretation and the "about whom" requirement is exactly how you go about making a determination about whether your research is human subjects research.
The US federal government does, as do many western governments. Research that involves humans usually comes under many delineations and sub-delineations with precise names that reflect specific ways in which the research takes place and the corresponding laws and regulations which the researchers must follow.
Determining which category a specific research project comes under usually involves checking specific criteria, in the US they have flowcharts, in Europe they have tables. Either way you can be sure a lot of people are going to be looking at it, most of whom have had to undertake ethics training as part of their career, and some of whom have spent their entire life studying these questions and seen them put to the test over hundreds of trials.
In that light, whether this category of research has got "human" in its name is not going to get you far wrt understanding the problem at hand.
source: I've undertaken interventionist medical research in the U.S. and Europe.
An example of something that's not human subjects research would be emailing people who have websites and asking about their privacy policy.
An example of something that is human subjects research would be emailing people who have websites and asking what inspired them to start a website.
I realize that may seem like a subtle difference, but it's an important distinction from an IRB perspective. For reference, and because a lot of people seem confused on this thread, here's what the human subjects research training at my university says about this...
"...some research that involves interactions with people does not meet the regulatory definition of research with human subjects because the focus of the investigation is not the opinions, characteristics, or behavior of the individual. In other words, the information being elicited is not about the individual ('whom'), but rather is about 'what.' For example, if a researcher calls the director of a shelter for battered women and asks her for the average length of stay of the women who use the shelter, that inquiry would not meet the definition of research with human subjects because the information requested is not 'about' the director. If the researcher interviewed the director about her training, experience, and how she defines the problem of battering, then the inquiry becomes about her - and therefore 'about whom.'"
You misunderstand the research in question. To quote from the researchers' website:
> When the system has even higher confidence, it sends up to several emails that simulate real user inquiries about GDPR or CCPA processes. This research method is analogous to the audit and “secret shopper” methods that are common in academic research, enabling realistic evaluation of business practices. Simulating user inquiries also enables the study to better understand how websites respond to users from different locations.
They are not just asking for the existing privacy policy, they are actively attempting to put the subjects into a realistic environment and seeing how they respond. The focus is the behavior of the individual. This should also be evident from the fact that they felt the need to lie to and threaten them...
He understands perfectly well.
What's relevant is whether the response is a property of the individual or the organization, and it's arguable, and controversial, but you'll find a lot of studies performed using this technique that were not considered human subjects research.
As to whether it's deceptive and threatening (the latter of which I find pretty hyperbolic, this is a pretty boilerplate request), that has no relevance as to whether it's human subjects research.
Maybe they should have limited the scope to larger organizations.
Someone looking up the exact statute and quoting it, while not a direct legal threat, certainly carries a lot of implied threats. People don't just look up legal statutes for shits and giggles.
I don't buy that interpretation. That is, I'm willing to believe that's how your university interprets the regulations, but I personally think it's perverse and unethical when applied to this situation.
When you deliberately deceive someone in order to obtain information that you think they would be otherwise unwilling to give you, the response you get back is as much "about" their behavior in response to your deception as it is about the subject of your inquiry. (And if the researchers in this case didn't think the deception would make their targets more willing to cooperate, why the threatening language?)
That doesn't necessarily mean this kind of research should never be allowed, but it should definitely go through an IRB's oversight.
> An example of something that's not human subjects research would be emailing people who have websites and asking about their privacy policy.
No, that's an example of human subjects research that may be exempt from the regulations due to specific reasons, such as by only interacting with subjects through surveys and interviews (while adhering to further restrictions, that this research probably runs afoul of since it's not anonymous).
> For example, if a researcher calls the director of a shelter for battered women and asks her for the average length of stay of the women who use the shelter, that inquiry would not meet the definition of research with human subjects because the information requested is not 'about' the director.
What a terrible example. They've only demonstrated that the director does not qualify as a human subject, while ignoring the question of whether the women staying at the shelter would qualify as human subjects!
Epistemologically, using a fake name and a threat of legal action to elicit a response from whoever's picking up the phone is no different from dressing up as a cop and harassing someone on the street. The question of whether the content of your accusation stems from their own or their employer's action is peanuts compared to the ethical boundary you crossed when you decided to impersonate authority to witness their reaction.
This feels like it creates a massive ethical loophole.
There are different ways to gather pure factual information, too. In particular where the factual information you are trying to gather is information about the extent to which someone complies with the law, there's some real danger in being able to fall back on a 'we're just gathering facts' defense.
Take this example: "a researcher calls the director of a shelter for battered women and asks her for the average length of stay of the women who use the shelter"
What are the regulatory requirements shelters need to comply with? Do any of them concern length of stay? Are there any liabilities a shelter might expose itself to if it were known that it had women staying there for longer than a certain period? Or individual liabilities if it were discovered that they restrict how long people can stay? Would they potentially expose any of their clients to danger if the length of stay information were revealed to a particular person?
If so, then providing the answer to that question is something the shelter needs to give some thought to. And the manner of their response might be different if that question were posed to them by:
- a woman enquiring about staying at the shelter
- a government inspector
- their landlord
- a random man phoning them
- a journalist
- an academic researcher identifying themselves and the nature of the study they are conducting
So if as an academic you ask a 'just gathering information' question, but conceal your identity, don't share whether the information will be aggregated or identifiable, and don't explain what you're gathering the information for, you are not just collecting a fact - you are forcing the person you are asking to make an evaluation of what information to provide; in other words, you are creating a human behavior, and what you are studying will be the outcome of that.
I think one problem is that with small websites run by a single person or small group, a person can feel the website is an extension of herself. So a question about the website in some way becomes a question about the person.