A pair of health and ethics scientists, one with the Swiss Federal Institute of Technology, the other with ETH Zurich, has published a Perspective piece in the journal Nature Machine Intelligence discussing the ethics of researchers using hacked data in their research efforts. In their paper, Marcello Ienca and Effy Vayena discuss the ethical boundaries involved in using hacked data, compare it with similar past situations, and conclude by suggesting six requirements that they believe researchers should apply when considering the use of hacked data.
As the authors note, hacked data becomes available to researchers on a regular basis; data from the Ashley Madison dating site, for example, was hacked and posted on the internet back in 2015. Once posted, the data became public, which made it legal for researchers to use it in their own studies if they wished. Doing so, however, raises ethical questions because the people represented by the data have not given permission for their data to be used for such purposes.
The authors, therefore, suggest that the research community needs to establish whether using such data is ethical, and if so, under what conditions. The authors compare this with other instances of moral ambiguity, such as medical scientists debating the ethics of using data gathered by Nazi-era doctors conducting torturous experiments on nonconsenting people. They also note recent work by others who have attempted to set guidelines for ethically challenging situations, such as the Belmont Report and the Oviedo Convention. The authors conclude by proposing a set of ethical requirements that researchers could use when considering using hacked data in their efforts.
The first is uniqueness: is the hacked data such a unique resource that it cannot be found elsewhere? Next, they suggest researchers conduct a risk-benefit assessment of the value of the data compared to the social benefit that might be gained from its use. They also suggest researchers consider whether there is a possibility of gaining consent from the people represented in the data and, if not, whether it would be possible to prevent the data from being tied to individuals. They further suggest that if researchers do use such data, they should be required to provide a record of how it was obtained. They also suggest that user privacy be considered and that researchers make it clear in their papers that such data was used without consent. Finally, they suggest that any research effort involving the use of hacked data should first receive Institutional Review Board approval.