Researchers at the University of Minnesota checked deliberately buggy code into the Linux kernel [PDF] to demonstrate how a malicious actor might slip past the open-source review process. They were successful, but at what cost: the extraordinarily hostile and impersonal research embarrassed volunteers and forced the Linux Foundation to explain itself. As a reader writes in, "it's a fascinating story of a failure in research ethics regarding an open source project."
At The Verge, Monica Chin answers the question of How a university got itself banned from the Linux kernel.
Still, the paper hit a number of nerves among a very passionate (and very online) community when Lu first shared its abstract on Twitter. Some developers were angry that the university had intentionally wasted the maintainers' time — which is a key difference between Minnesota's work and a white-hat hacker poking around the Starbucks app for a bug bounty. "The researchers crossed a line they shouldn't have crossed," Scott says. "Nobody hired this group. They just chose to do it. And a whole lot of people spent a whole lot of time evaluating their patches."
"If I were a volunteer putting my personal time into commits and testing, and then I found out someone's experimenting, I would be unhappy," Scott adds.
The researchers apologized. The university was ultimately banned from contributing to the Linux kernel, for the time being.
Kangjie Lu's research here is the Sokal Hoax with a lab coat on. Something bad is submitted to test a claim of quality control. The submission is accepted, demonstrating a quality control problem. But the results are published in a context which obscures the problem in politicized assumptions, and the research itself is so adversarial that it's doomed from the outset to generate more heat than light.
Checking in bugs was bad because it risked damage to the software, and it's reasonable for the Linux Foundation to exclude an organization that conducts covert research on the kernel in a way that risks damaging it.
But I'm not on board with this idea that it is unethical human testing. If it is, a lot of social science that doesn't involve consent forms becomes unethical. Researching if McDonald's will take orders off-menu? Unethical. Researching telemarketer decision trees? Unethical. Behaving suspiciously to see whether police react differently to white or black suspects? Unethical.
When tempted by a claim that human subject research is unethical because the subjects were ignorant of the research or its purpose, imagine if it had been published instead as journalism or activism. As a sting, perhaps. In this case the complaints about the research would be the same—that it was unethical, that it was gross—but there would be no institutional crisis to distract everyone. The attention would be firmly where it should be: on the fact that a motivated malicious actor was able to introduce bugs into the Linux kernel.