Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations

Full Paper PDF

PDF of paper here
The above PDF is the full version of the following paper: Tadayoshi Kohno, Yasemin Acar, and Wulf Loh. Ethical frameworks and computer security trolley problems: Foundations for conversations. In USENIX Security, 2023.

A runaway trolley with no brakes is heading down a track. Five people are tied to the trolley tracks. There is an alternate track. One person is tied to the alternate track. A trolley operator observes the trolley and sees five people on the main track and one person on the alternate track. The trolley operator has the ability to press a lever, resulting in the trolley taking the alternate track. Should the trolley operator do nothing (resulting in the death of five people)? Or, should the trolley operator press the lever and make the trolley take the alternate track (resulting in the death of one person)?
For an interactive exploration of the above and other trolley problems, see: https://neal.fun/absurd-trolley-problems/.

Scenario A: Researchers discover a vulnerability in a medical device that cannot be patched. What should they do?
Scenario B: Researchers wish to study data that was stolen from a company. What should they do?
Scenario C: A program committee member encounters a confidential submission that describes an undisclosed vulnerability in the product made by the program committee member’s company. What should the program committee member do?
Anonymous Google Form (requires Google Authentication) for Scenarios A, B, and C: https://forms.gle/GYyXqUvXHbd8sUbZ9. After entering your answers, you can see charts detailing how other respondents answered.

Scenarios D*: This family of scenarios focus on vulnerability disclosures. What should researchers do upon discovering a vulnerability in a product? Does the answer change under different circumstances?
Anonymous Google Form (requires Google Authentication) for Scenarios D*: https://forms.gle/MUsjkTJgjUAdsKkm6. After entering your answers, you can see charts detailing how other respondents answered.

Scenarios E*: This family of scenarios focuses on considerations within program committees. Suppose that a paper is submitted that details the results of an experiment that raises ethical concerns. What should the program committee do? Does the answer change under different circumstances?
Scenario F: Suppose the paper in Scenario E1 is rejected due to ethical concerns. What should the authors of the rejected submission do?
Anonymous Google Form (requires Google Authentication) for Scenarios E* and F: https://forms.gle/hj4mELZoibKkafYa6. After entering your answers, you can see charts detailing how other respondents answered.

Slide deck: Google Slides Presentation. Educators are welcome to use this slide deck in their courses.
If an educator uses this slide deck in their course, we would appreciate knowing. Please fill out this Google Form: https://forms.gle/hW5MMzsw7GDjh57e7.
If educators have feedback about this deck, e.g., what worked well or thougths for future versions of this deck, we would appreciate knowing. Please fill out this Google Form: https://forms.gle/hW5MMzsw7GDjh57e7 (same form as above).

In addition to structured, computer security-themed trolley problems, we believe that it is valuable to create a repository of past ethics-related experiences and outcomes within the computer security community (research, industry, government, and more).
Please fill out this form if you have had or know of any experiences that you are comfortable sharing publicly (with attribution if desired or anonymously if preferred): https://forms.gle/PLoJ7dEdzcgGjR187.