I recently had the honor of participating on a panel at Avanade’s annual TechSummit conference. Organized by Steven Tiell of Accenture’s TechVision team, we were tasked with discussing the role of digital ethics and digital trust in enterprise. I joined Steven on stage with Bill Hoffman, Associate Director of the World Economic Forum and Scott David, Director of Policy at the University of Washington Center for Information Assurance and Cybersecurity. Below are my prepared remarks, which of course differ extensively from what I actually got around to saying on stage.
1. We’ve seen ethics requirements for medical and academic research, particularly when federal dollars are at play. Why should businesses care about ethics in their research?
Businesses should care about ethics most of all because it is, by definition, the right thing to do. But to go beyond a pat answer, I think it is useful to define the domain of “ethics.” I think of ethics as the methods and tools you use to make a consequential decision when there is relatively little settled guidance about the right thing to do. If you knew the right thing to do, then it would probably be a matter for compliance or legal departments. I like how digital sociologist Annette Markham recently put it when discussing a major data research scandal: “ethics is about making choices at critical juncture,” particularly when those choices affect other people. What I would add to Annette’s definition is that ethics is not just the decisions, but also all the work you have to do in advance to enable those critical decisions. You need the capacity to identify and evaluate those critical junctures, and to then make efficient, consistent and actionable decisions. Done well, ethics is a future-oriented stance. In my opinion, building the habits and infrastructures that make it possible for business to make good choices at critical junctions is simply something that will be good for the bottom line in the long run. It will certainly enable businesses to identify and mitigate risks more effectively.
When it comes to the matter of research ethics in particular, there are three aspects that bear more scrutiny when considering how and why enterprises should engage in ethics review practices.
First, because businesses now hold more data about human behavior than any other entity in human history, the value of those businesses is increasingly indexed to what they can do with that data now and in the future. Thus, the types of research being done looks like the types of research that have traditionally been located in university settings. It should indicate something important to us that academic researchers and institutions have invested so much in handling research ethics: research practices carry significant risk and require sustained attention.
Second, anyone can now be a researcher and everyone is a research subject. Yet all of our familiar ethics norms and infrastructures make certain outdated assumptions about institutional boundaries that create formal and informal professional limits on who can do consequential research. But those assumptions do not hold when human data research happens everywhere. Without the familiar institutional boundaries, businesses will need to make up the slack somehow.
Third, big data research methods simply do pose new kinds of risks for enterprise. Holding so much private data and using that data to intervene in people’s’ lives in a tailored, personalized fashion, poses risks beyond simply privacy. Research is often perceived as creepy or controlling, where even products that do the same thing might not. Thus it is important to align design practices, product development and ethics review in a manner that users of your services or providers of your data can be comfortable with.
2. Is there a first mover advantage for implementing strong practices for data ethics at businesses? Why not wait for others to act first?
We have to come at this from the other direction, in my opinion. There’s a lot potential disadvantage in being a late mover. Businesses that don’t want to be first movers risk being first scandals.
Facebook is releasing a peer-reviewed paper today, along with a conference hosted by the Future of Privacy Forum in DC, regarding their new ethics review practices that were developed following the controversy around their emotional contagion study a few years ago. While other major tech companies have ethics review committees of various stripes, Facebook is really taking the lead with regards to grounding their review process in best practices adapted from academic contexts and publicly explaining how they conduct their reviews. I think they are going to get positive buzz for being a first mover in this area, and really not carry much risk.
3. How long will it take a business to get up to speed?
It depends quite a bit on what they hope to accomplish. The 100 and 365 day plans in the new Accenture data ethics report are a good starting point. A basic audit could be done in a month pretty easily. If you have help, getting a fairly robust practice off the ground should be doable in 6 months. Some scholars are suggesting that a twinned internal/external review committee is a good idea, but of course anything external takes more time.
It’s important to note that the practices of ethics review and regulation tend to get easier with time. Spinning them up takes a lot more effort than keeping them running, particularly if ethics review becomes a normal and lightweight part of research and product development workflows. Also, having a system to maintain institutional memory tends to build momentum. Organizations need some method for retaining the decisions that were made at critical junctures. If you can’t remember your reasons for making a decision in the past, you will have to start at the ground floor for future decisions.
4. What’s the role here for public policy?
The role of public policy in corporate ethics review is ultimately going to be inverse to the amount of effort companies put into their own review practices. In the history of professional ethics codes and review practices, one of the key reasons to have shared norms and practices is to minimize regulation by external bodies. Shared, publicly stated and enforceable norms signal to the public that a profession is mature and trustworthy enough to avoid heavy regulation.
The question of public policy also points to a quirk of data ethics as a domain. Privacy has a fairly robust infrastructure with clearly delineated obligations. The FTC, and analogous bodies in other nations, has set a minimum standard of care, and any company handling personally identifiable information is going to have compliance officers and lawyers ensuring that the company meets that bar. “Privacy” is thus an ethical principle that has solid practical backstops, for better or worse. Yet because “privacy” is the most robust ethical principle in the tech/data domain we tend to lump in a lot of other ethical concerns that are kind of like privacy but are really tangential to the practical concerns of privacy regulation. So data ethics review offers an opportunity to ask the questions that don’t really fit in with the privacy protection infrastructure, even though privacy is at root an ethical concern. You can see this in operation with Facebook’s review processes: privacy review and ethics review are collaborative but distinct processes.
So one way of thinking of ethics review is “all the normative questions that are not directly addressed by public policy and compliance requirements.” If public policy were to require ethics review, it would look a lot more like compliance, it would probably fall into some of the same problems as university-based IRB’s, and it would have a more tightly-defined domain. At the moment, I think the fact that public policy is largely quiet on these matters is on balance beneficial for those of us trying to figure out how to do review practices well.
5. What would we see different if robust data ethics was widespread?
First, we would see more deliberation and collaboration about normative questions inside of companies, and between companies. The only way to proceed with decisions at critical junctures to which you don’t have a clear answer is to work together.
Second, doing ethics review well requires balancing principles and practice. The industry as a whole needs to work on both. However, I tend to think that addressing practice is absolutely essential to addressing principle, but the inverse is not necessarily true. Think of review practices as an ongoing, punctuated conversation. Precedent, history and momentum matter (in applied ethics this approach is known as casuistry, which is the lingua franca of medical ethics committees). As ethics review committees meet and discuss and experiment, we will start to get some footholds into the matters of principle that look so daunting now.