did facebook and okcupid experiments violate maryland law?

According to James Grimmelmann, professor of law at the University of Maryland, the recent controversial studies by Facebook and OkCupid violated Maryland’s research ethics law. For past posts on the studies see here and here. The long version of Grimmelmann’s argument is up on Medium. The short version is:

Maryland’s research ethics law makes informed consent and IRB review mandatory for all research on people, even when carried out by private companies. As we explain in a letter to Maryland Attorney General Doug Gansler, Facebook and OkCupid broke Maryland law by conducting experiments on users without informed consent or IRB review.

Not only does Maryland require IRB and informed consent for research, it also requires that IRB meetings provide documentation on request, which both FB and OkCupid have failed to do. Grimmelmann and a colleague, Leslie Meltzer Henry, have asked the Attorney General of Maryland to enjoin the companies from conducting further research until they enter into compliance.

Author: Dan Hirschman

I am a sociologist interested in the use of numbers in organizations, markets, and policy. For more info, see here.

15 thoughts on “did facebook and okcupid experiments violate maryland law?”

    1. Yeah. I’d be curious to know how the law defines research. I’m sure some of what Google does would count – and clearly FB’s studies (intended to produce generalizable knowledge, published in academic journals) must count. But some sorts of testing might not (i.e. the famous Google A/B tests of which shade of blue to use). But I don’t know anything specific about the legal/regulatory definition of research.

      That said, “everybody’s doing it” has never been a compelling legal (or ethical) defense, and even more than usual in this case.


    2. For reference, the Federal “Common Rule” defines research as follows (via HHS.gov):
      “Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported under a program which is considered research for other purposes. For example, some demonstration and service programs may include research activities.”

      I assume there’s case law and further rules on what, exactly, is covered, and I don’t know if Maryland adopted the same standards, but that definition is an interesting place to start. Google’s “shade of blue” would likely be exempt, FB’s emotional contagion clearly fits. We can go from there to thinking about when and where an A/B test would cross the line.


  1. As long as the ASA is taking up causes, can we figure out a way to fix the broken IRB system? Does a blog post count as “generalizable knowledge”? If so, then Slate, the Washington Post, and Vox are also all in violation of Maryland state law if we hold journalism to the same standard as academic research. I think that the rules of the IRB need reform. Perhaps I can suggest to my state legislators they start that reform in Maryland.


    1. In fairness to ASA, they have been involved with revisions to the common rule. I honestly think this is important enough that (assuming ASA is as involved in this as they claim to be) it probably justifies the locational decision of being in DC, and by extension the high dues they charge the members.

      And on the subject of broken IRB, on Twitter yesterday Grimmelmann was saying that the medical IRB model “carries over,” as if that’s a good thing. Likewise, he was holding up the “generalizable knowledge” standard for when IRB rules apply, which in practice means that if companies refrain from collaborating w academics and publishing, not only will their A/B testing be inconspicuous, but it meets the standard even if the privacy fanatics find out about it.

      I find it hard to understand how any social scientist who actually does empirical work can sympathize with people who think the medical IRB model is just hunky dory and endorses a standard that would have the effect of closing off industry collaboration and dialog w academia (a model which, let us remember, not only produced multiple STEM Nobel Prizes from Bell Labs, but was responsible for some of the great achievements of mid 20th c basic research in social science, and is likely to be increasingly important if Congressional demagogues kill NSF-SES). Applying a broken model in this fashion will have the effect of keeping social science academia stuck in the mindset of random-digit dialing and locked out of the future of social science while industry continues to A/B test whatever it wants, but keeps it all internal.

      1. I think – and hope – we can be critical of FB and OKC without in any way denying that the medical model has produced a horrible IRB system for the social sciences. As usual, Kieran nailed it in the same Twitter conversation:

        “Please don’t tell me my data regime choice is going to be “Valley Firms Do What They Like” v “Lawyers and Medical IRB Model Eat the World”.

        Wait, it’s going to be both, isn’t it?”

        So, the question becomes, can we find a third, better option that gives us a framework for holding FB accountable without that framework being the awful system we already hate?


      2. The short answer is “no, we can’t have a third way.” If you try you’re only going to end up at “lawyers and medical IRB eat the world.”
        There are two reasons for this.
        1) Risk aversion tends to lead bureaucracies to a “building a wall around the Torah” mentality. You already see this with the fact that the common rule has guidelines for what is “exempt” but in practice this really means “expedited” since most IRBs want you to submit paperwork showing that it’s exempt rather than letting you judge for yourself. This is in addition to the basic issue of IRB creep, where things like pedagogy that are supposed to be outside IRB’s purview under the common rule get subjected to periodic territorial annexation, or at least raiding parties and scouting expeditions, by IRB. A common mechanism for this is that every unfortunate occurrence requires a new rule, so just like when some crackpot gets tackled by the front door of the White House this means the Secret Service doesn’t say “good job, we stopped this guy and protected the democratically elected head of state” but “let’s extend the perimeter.” Likewise, when somebody with more pedagogical enthusiasm than sense has her TAs role-play as street walkers, we start saying “when in doubt, best practice is to run it by IRB.”
        2) There is a qualitative difference between a permission culture and permissionless innovation. Even an easy-going permission culture is still a permission culture. This is one thing that law professors, whether in ethics or intellectual property, tend not to get. You talk to intellectual property lawyers and they say, well just get a license for IP, which may be reasonable if you’re Michael Bay and want to license Aerosmith for your movie’s soundtrack but in effect precludes small scale producers and pastiche art forms, which is why Girl Talk’s best defense against trolls like Bridgeport is that he distributes his own music through the appropriately named Illegal Art and so doesn’t have especially deep pockets. Likewise, you talk to IRB types and they say, the easy cases can get expedited review but they don’t get that even expedited review slows down the research. The response to this is you have a fox-henhouse situation if you let researchers judge for themselves, but this isn’t an issue when you have bright-line rules or even relatively clear rules like “no more discomfort or risk than encountered in everyday life.” Of course the IRBistas don’t see it like that because they can’t imagine that they are the problem when they really are trying to be so reasonable and have they mentioned Milgram or Tuskegee yet? The problem is that when you are the transaction costs made flesh and sent to dwell amongst us, you tend to downplay the friction caused by transaction costs, which is why the patent bar doesn’t think patent litigation inhibits innovation and IRBistas think it’s no big deal to have you run everything up the flag pole and wait three weeks to hear back.

        I’d also add that I think a lot of IRB is just myth and ritual that doesn’t really protect research subjects but is more of a burnt offering to the ethics spirits. For instance, debriefing after deception is a standard IRB practice, but in the case of OK Cupid the debriefing was arguably a greater source of harm than the A/B test per se. Likewise, I have never been convinced that it does research subjects any benefit to scare them by reading them a page of legalese about what phone number to call in case your toenails fall out before reading them some Likert scale questions.

        Listen, I still want IRB to be there for injecting people with chemicals or locking them in the psych lab basement. But I also want to be able to ask people completely inoffensive questions or A/B test two shades of blue without having to run it by a committee. Or if I’m doing a longitudinal survey that I have to file adverse event forms for survey subjects who died (presumably from the stress of remembering whether it is 1 or 5 that means “strongly agree”). Likewise, if I’m showing babies a puppet show, I should probably have to run the basic design by IRB because it’s a vulnerable population, but I shouldn’t have to file an amendment every time I want to change the color felt one of the puppets is made of.


      3. Gabriel — touché. I forgot that they were involved in the common rule.

        Dan — I think that we have a fundamental disagreement about the problems with Facebook. I don’t see how the A/B testing that they do is any different than A/B testing of other types of products. Once, while visiting the Hershey Chocolate factory, my wife and I were included in a blind taste test of sugarless Twizzlers. I don’t remember having to give informed consent (though they were smart enough to ask about allergies). If I had visited Hershey, Maryland rather than Hershey, Pennsylvania, then the Hershey corporation might have violated Maryland’s law.

        Facebook is first and foremost a commercial product, just like Twizzlers or toilet paper or soda. We give broad consent (which arguably is sufficient consent in the EULA and terms of service) to allow them to do with our data what they please for the convenience we get of sharing our kids’ pictures with their grandparents and participating in slacktivist campaigns.

        If we want to argue that they have a special obligations because they control channels of media that hold a potentially special place among different products, then I would agree. But that seems to me to be a regulation at the FCC or FTC, not IRBs.


      4. This is an amen to Gabriel’s second rant, adding only the comment that the IRB becomes less about protecting people than about protecting the institution from any conceivable legal or political action, and that it is truly astounding the far-fetched scenarios people can dream up about how people might be harmed by seemingly-innocuous surveys.


      5. OW,
        thanks. btw, I was trying to find a link to your horror story about IRB demanding anonymity for data from newspaper archives or something like that but couldn’t find the link.


      6. Gabriel: it wasn’t that bad. It was a former IRB staffer who argued that “perhaps” research on newspaper stories ought to come under IRB review if it collected identifiable information about particular people because that information might stigmatize or harm them. But she didn’t actually get anybody else to support her and was later removed from the IRB job due to dissatisfaction of others (although I’m not sure whether it was for this kind of opinion.) This occurred in the context of discussions about what kinds of Internet research needed review. We successfully defended the position that written texts (including those on the Internet as well as those in the library or sold in bookstores or newsstands) are NOT human subjects if the texts are publicly available to everyone without special permission. E.g. things that you can see on the Internet without a login are texts, but if you have to supply a login to see them, then there is an expectation of privacy.

        Notice that what we did was to define the boundary of a “human subject.” We have gained zero traction on arguing that some kinds of human subjects research ought not to require any review. (Well, except the successful action some years ago to remove from review certified anonymized data sets.)

  2. I wonder if we’d be having the same discussion on other, “more scientific” field experiments not associated with large Internet corporations. I am not talking about the legal problem of not having an IRB approval or records, but about the ethical problem of no informed consent when there is a manipulation, as long as there is a debriefing afterwards. This very interesting study in the Am J of Pol Sci manipulated emails to a listserv of LGBT rights supporters in their invitation to a rally (http://onlinelibrary.wiley.com/doi/10.1111/ajps.12076/abstract). The experiment, based on offering different social/emotional incentives for participating in a rally, led to changes in rally attendance. Recipients of the email did not grant informed consent, nor were they debriefed, because there was no “deception,” there was anonymity, enrollment in the listserv was voluntary, and by not informing participants about the experiment they were not exposed to any risks. Beyond the IRB issue, I see the OKCupid study as complying with more ethical standards if they were debriefed, unless we think that there was a risk from their participation in the study. The FB study could use the same excuse to say why they did not inform participants beforehand. So, if we say that IRBs don’t really help with ethical issues, I don’t see much of a problem. On the other hand, I think that if we agree that IRBs are not enough to address ethical concerns, corporations conducting research (and perhaps also universities) should require some sort of external IRB approval that guarantees ethical standards, or at least publicly available records of their IRB meetings, as the Md. law indicates. But if they did, perhaps both OKC and FB studies should have been approved by an IRB.


    1. “I see the OKCupid study as complying with more ethical standards if they were debriefed”

      I agree debriefing would be more in keeping with IRB standards, but this just illustrates how clumsy the standards are.

      Suppose you used this website and went on a date with someone, it went well, and you set up a second date for next weekend. Then you and your partner each get emails debriefing you that your dyad was not actually a 90% match but a 30% match. Your date cancels. Are you now better off than if the relationship had played out organically?

      Debriefing is designed for things like psych lab experiments where you tell someone “I got a confession to make, you weren’t really playing prisoners’ dilemma with Chip and Muffy, but with a computer programmed with a tit-for-tat algorithm.” But I fail to see how debriefing is substantively (as compared to procedurally) ethical when it amounts to saying “dude, that loser you think you like, she’s totally wrong for you.”

      OTOH, I will confess that I am not entirely comfortable with the OK Cupid experiment because of the magnitude of the manipulation (30/90) and the intimacy of the relationships. I would have no problem with OK Cupid A/B testing small manipulations on the order of 80/90 (or A/B testing two versions of their metric) nor would I have a problem with a large-scale mismatch manipulation for less intimate relationships, like a lab collaboration task (in fact it is a fairly standard manipulation to assign groups at random but say you’re doing it on some substantive basis).

      (I think the Facebook study is much ado about nothing, both scientifically and ethically, given that the effect sizes were infinitesimally small in a way that makes ridiculous the hyperbolic terror of privacy fanatics that ratcheting down how many positive affect status updates people saw would leave in its wake a landscape littered with the corpses of suicides).


      1. Apologies, I should have said “since they were debriefed”, in that OKC told people about the actual percentage match, although I don’t remember or know if they published more about the details of the “debriefing”.

        You raise a good point, that debriefing should be substantively ethical in this case and maybe it wasn’t, and I agree with your concerns about debriefing in this case. But I also think it’s better to do it than not to do it in this case, even if you already went on a date. A good solution would have been to interrupt the study and debrief the participants as soon as they exchanged contact information, before they went out on a date.

        I also agree with your point about the magnitude of the manipulation. In a way, while the effect would have probably been smaller, 90/80 would have been the best manipulation, because I believe the contribution of their algorithm lies in filtering out the hundreds (or thousands?) of people who share 80% and reducing the number to a much more manageable number of those people over 90%.
