RE: Some studies on the visibility of EV sites.

Yes, but can the academic researchers get this past Human Subjects
Ethics?
 
And if vendors do it, is it sufficiently independent?
 
 
One thing I did think about was that we might do deployment amongst
employees of some company and then attack them.
 
I am not trying to say this is impossible, just trying to unearth the
limitations so someone might see a way forward


________________________________

	From: Mary Ellen Zurko
[mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
	Sent: Friday, March 07, 2008 12:01 PM
	To: Hallam-Baker, Phillip
	Cc: Serge Egelman; public-wsc-wg@w3.org
	Subject: RE: Some studies on the visibility of EV sites.
	
	

	> > You could start by attacking the users and observing what
	> > they do.  Of course, telling them ahead of time that the
	> > study is about security and that they will be attacked is
	> > going to confound your results.  I would hope that everyone
	> > can agree on this very basic point.
	
	> Its kind of hard to bring people into a lab situation without
them
	> making any assumptions as to the purpose of the study. If you
tell the
	> users that they are looking at a prototype you confound the
results.
	> They are now likely to interpret failures or errors as being
due to the
	> lab environment.
	
	> We don't usually take users into an lab and attack them in
ways that is
	> likely to result in real harm.
	
	> And I don't think we can do attacks in the field very easily
and stay
	> within ethical and legal boundaries. We can observe actual
responses to
	> attacks.
	
	Well, we sort of did that in the Notes ECL study: 
	http://www.acsa-admin.org/2002/papers/7.pdf
<http://www.acsa-admin.org/2002/papers/7.pdf>  
	
	Not that that was perfect or anything. But it was in the wild,
it used instrumentation to tell if users fell for the "attack", which
was executing unsigned code. The code itself was harmless (though
running the study not without side effect). And we were all much younger
then and knew a lot less about testing these things.