Computer- and internet-based methods of collecting, storing, utilizing, and transmitting data in research involving human participants are developing at a rapid rate. As these new methods become more widespread in research in the social, psychological, and social sciences, they present new challenges to the protection of research participants. The Institutional Review Board (IRB) believes that computer- and internet-based research protocols must address fundamentally the same risks (e.g., violation of privacy, legal risks, psychosocial stress) and provide the same level of protection as any other type of research involving human participants.
All studies, including those using computer and internet technologies, must (a) ensure that the procedures fulfill the principles of voluntary participation and informed consent, (b) maintain the confidentiality of information obtained from or about human participants, and (c) adequately address possible risks to participants, including psychosocial stress and related risks.
At the same time, the IRB recognizes that computer- and internet-based research presents unique problems and issues involving the protection of human participants. The IRB further recognizes that computer and internet technologies are evolving rapidly, that these advances may pose new challenges to the protection of human participants in research, and that both the IRB and researchers employing new technologies must maintain their diligence in addressing new problems, issues, and risks as they arise in the coming years.
The purpose of these guidelines is to help researchers plan, propose, and implement computer- and internet-based research protocols that provide the same level of protection of human participants as more traditional research methodologies. The guidelines consist of requirements and recommendations that are consistent with the basic IRB principles applied to all research involving human participants.
When Minimal Risk Study May Not Apply
Internet-based research may not be suitable for greater than minimal risk studies where the research involves data that:
- places participants at risk of criminal or civil liability, or
- could damage their financial standing, employability, insurability, reputation, or
- could be stigmatizing, or
- could result in stolen identity.
Internet Research vs. Research Conducted in the "Actual" World
Much of the research done using the computer and internet (as a tool or mechanism) follows similar methodology to that done elsewhere. However, there are at least four reasons that standard methodologies and the protection of subjects and data must be considered when using the Internet for research:
- Data that would be ephemeral in other contexts (e.g., things observed, read, or heard during participant observation; interviews conducted with subjects, etc.) become permanent or semi-permanent when they become cached web pages, data stored on host servers, and/or email and chat conversations between the researcher(s) and subjects that are stored on subjects' computers or on their email/chat servers.
- Data that would ordinarily be preserved for a minimum of three years and then destroyed — e.g., surveys, and field notes and/or transcriptions of the sorts of data — also become permanent or semi-permanent.
- Such data may be searchable using widely available search engines.
- The Internet is a context in which people are often creative in their presentation of self and in their conduct. For example, pseudonyms are often carefully protected by subjects because these are the names attached to reputations, social networks, and claims to special knowledge. Misuse of these pseudonyms poses new risks to subjects and their social networks and virtual social worlds.
Analyzing and/or Freely Quoting Information Without Consent
In certain cases, information may be freely quoted and/or analyzed without consent. The three relevant questions / issues to consider to see if this applies to your situation are:
- Information that is officially and publicly archived — i.e., is intended to be information for the general public and is not protected by a password or login. AND
- Site policy does not prohibit the direct quotation of material from the site (or prohibit research more generally). AND
- Information in which the topic covered is not greater than minimal risk. Rutgers classifies data into restricted, limited access, and public data. Refer to the document Minimum Security Standards for Networked Devices for examples of specific definitions used by Rutgers.
For everything else, consent would typically be required.
Informed Consent Process For Internet-Based Research:
- For anonymous internet-based surveys, include "I agree" or "I do not agree" buttons on the website for participants to click to indicate their active choice of whether or not they consent to participate. For anonymous surveys sent to and returned by participants through email, include an information sheet with consent information and inform participants that submitting the completed survey implies their consent.
- If the IRB determines that written consent is required, the consent form can be mailed or emailed to the participant who can then sign the form and return it via fax or postal mail.
- Researchers conducting web-based research should be careful not to make guarantees of confidentiality or anonymity, as the security of online transmissions is not guaranteed. A statement in the informed consent form indicating the limits to confidentiality is typically required. The following statement may be used:
"Your confidentiality will be maintained to the degree permitted by the technology used. Specifically, no guarantees can be made regarding the interception of data sent via the Internet by any third parties."
From Whom Must The Researcher Obtain Consent
If research is being done on a site or chat platform that requires consenting to a EULA (End User License Agreement), TOS (Terms of Service), or other site or platform rules, users must follow the guidelines that users agree to when accepting the EULA, TOS, and/or site or platform rules. If this includes requiring permission from the host site's administrator(s), users must first obtain consent from the administrator(s).
Given the nature of the information transmitted via the internet, researchers may also be required to obtain consent from individual subjects.
How to Obtain Consent in Internet Research
The process of requesting consent should not disrupt the normal activity of a site that is not expressly set up for research purposes and for which the researcher is not the administrator. In real-time environments (including chatrooms, virtual worlds, multiplayer gaming, etc.) the process of requesting consent publicly is often perceived as disruptive or worse. In such cases, consider announcing publicly that you are conducting research. Researchers may then request that people contact them via PM (private messaging using the site or platform in question), IM (instant messaging on another platform), email, website, etc.
Following the guidelines below, researchers may then obtain consent.
- If the risks to subjects are greater than minimal:
  - Researchers may be required to obtain consent with a signature on paper, which is then returned to the researcher(s) via fax or conventional mail.
- If the risks to subjects are not greater than minimal:
  - Researchers may use a web-based assent form, which utilizes checkboxes, if they follow the steps outlined below.
  - Researchers may use a document-based consent form, which can be signed electronically — subjects scan a picture of their signature and insert the picture in the signature line.
- If subjects are minors or otherwise not permitted to provide consent for themselves:
  - The consent of parents or guardians may be obtained on paper (sent to the researcher(s) via fax or conventional mail) if the research is not greater than minimal risk.
  - The consent of parents or guardians may be required to be obtained by hard copy if the research is greater than minimal risk.
Gaining Consent Online with a Checkbox
For not greater than minimal risk research, a single checkbox (similar to that used by a software company) may be acceptable.
For greater than minimal risk research, a single checkbox (similar to that used by a software company) may not be acceptable. Since Internet culture is such that people often check such boxes without reading the content of that to which they are consenting, one cannot assume that their consent is informed. Instead of a single checkbox at the end of a consent form, researchers may use a checkbox for each item in the consent form, taking subjects through each step of the informed consent process. It is also possible that researchers will be required to obtain signed print copies of consent in some circumstances. A statement about how to opt out of the study should also be included.
- Computer- and internet-based procedures for advertising and recruiting potential study participants (e.g., internet advertising, e-mail solicitation, banner ads) must follow the IRB guidelines for recruitment that apply to any traditional media, such as newspapers and bulletin boards. All advertising and recruitment material must be reviewed and approved by the IRB.
- Investigators are advised to review the University’s policy on Use of Student Directory Information from the University’s Registrar. Contact the University's Office of Student Affairs Compliance for individual policies regarding lists of student directory information.
- Investigators are advised to review the University’s policy on Use of Official Email Lists prior to soliciting participants by email. Contact list moderators for individual list policies regarding solicitations.
Data Collection Tips
- It is strongly recommended that any data collected from human participants over computer networks be transmitted in encrypted format. This helps ensure that any data intercepted during transmission cannot be decoded and that individual responses cannot be traced back to an individual respondent.
- The level of security should be appropriate to the risk. For most research, standard security measures like encryption and Secure Sockets Layer (SSL) will suffice. However, with sensitive topics, additional protections include certified digital signatures for informed consent, encryption of data transmission, and technical separation of identifiers.
- Researchers are cautioned that encryption standards vary from country to country and that there are legal restrictions regarding the export of certain encryption software outside US boundaries.
- Internet-based survey instruments must be formatted in a way that will allow participants to skip questions if they wish or provide a response such as “I choose not to answer.” Also, at the end of the survey, there should be two buttons: one to allow participants to discard the data and the other to submit it for inclusion in the study. Finally, if applicable, online surveys must include mechanisms for withdrawal. For example, if a participant decides to withdraw, there should be a mechanism for identifying the responses of a participant for the purposes of discarding those responses.
- Researchers working with children online are subject to the Children’s Online Privacy Protection Act (COPPA) in addition to human subjects regulations. Researchers are prohibited from collecting personal information from a child without posting notices about how the information will be used and without getting verifiable (likely written) parental permission. For minimal risk research, written permission may be obtained via paper mail or fax. If the research is more than minimal risk, parental permission should be obtained in a face-to-face meeting.
- Screen out minors by checking for internet monitoring software such as SafeSurf and RSACi rating or using Adult Check systems.
Use of SurveyMonkey.com, Psychsurveys.org, Qualtrics, Amazon MTurk and other online survey tools is permitted for minimal risk studies that do not involve the collection of sensitive data. As noted above, the IRB recommends that data be transmitted in a secure format. Therefore, researchers who wish to use SurveyMonkey should upgrade to a Professional account which offers SSL encryption. Psychsurveys offers SSL encryption for all studies. The level of encryption used by the online survey tool must be described in the IRB-1 and IRB-5.
For more than minimal risk studies that involve the collection of sensitive data, the IRB recommends it be housed on a Rutgers server. The server should be administered by a professionally trained person with expertise in computer and internet security. Access to the server should be limited to key project personnel. The server should receive frequent, regularly scheduled security audits.
Data Storage/Disposal Tips
- If a server is used for data storage, personal identifying information should be kept separate from the data, and data should be stored in encrypted format. Use of Social Security Numbers is not permitted.
- It is recommended that data backups be stored in a safe location, such as a secure data room that is environmentally controlled and has limited access.
- It is recommended that competent data destruction services be used to ensure that no data can be recovered from obsolete electronic media.
- Researchers must adhere to the University’s Device and Media Control Policy or University Policy 70.2.3.
Frequently Asked Questions
- May researchers quote verbatim from subjects who have given consent?
  - For not greater than minimal risk research, this is acceptable provided the data pose only minimal risk to subjects. Details that would be harmful to subjects if revealed should be omitted or modified so that they cannot be linked/identified.
  - For greater than minimal risk research, quotes should be paraphrased so that they are not searchable. Searchable data may be traced back to individuals, thereby putting them at risk.
- May researchers use subjects' Internet pseudonyms?
  - For not greater than minimal risk research, pseudonyms and real names may be used with permission of individual subjects — provided the use of identifying information is not prohibited by other IRB guidelines.
  - For greater than minimal risk research, pseudonyms and other identifying information (place, organizational affiliation, institutional names, etc.) should be changed. Additionally, false details may be deliberately introduced to further protect research subjects.
The information contained in this document has been adapted, in part, from the following documents:
- Bruckman, Amy. 2002. Ethical guidelines for research online. http://www.cc.gatech.edu/~asb/ethics/. Accessed June 11, 2010.
- Hedrick, Charles. 2010. Guidelines for computer security and privacy. Unpublished document.
- IRB Advisor. 2010. Internet research raises data storage, informed consent issues. IRB Advisor, 10(7):73-74. Atlanta, GA: AHC Media, LLC.
- IRB Advisor. 2010. Concerns to consider in reviewing web studies. IRB Advisor, 10(7):75. Atlanta, GA: AHC Media, LLC.
Additional source material for this policy guidance was adapted and provided by the Pennsylvania State University, the University of Georgia and the University of Connecticut IRBs. The Rutgers IRB gratefully acknowledges this support.