Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. Uh, how?? It's clearly human subjects research under the conventional federal definition[1] and obviously posed a meaningful risk of harm, in addition to being conducted deceptively. Someone has to have massively been asleep at the wheel at that IRB.

[1] https://grants.nih.gov/policy-and-compliance/policy-topics/h...

I've also had to deal with the IRB a lot as a professor. The retroactive application is extremely weird (although maybe better than nothing?).

This seems like one of those situations that would usually require regular review to err on the side of caution if nothing else. It's worth pointing out there are exceptions though:

https://grants.nih.gov/sites/default/files/exempt-human-subj...

Generally those exceptions fall into "publicly observable behavior", which I guess I could see this falling into?

It's ethically unjustified how the whole thing actually happened but I guess I can see an IRB coming to an exemption decision. I would probably disagree with that decision but I could see how it would happen.

In some weird legalistic sense I can also see an IRB exempting it because the study already happened and they couldn't do anything about it. It's such a weird thing to do and IRBs do weird things sometimes.

The whole story is a good example of why there are IRBs in the first place --- in any story not about this Linux kernel fiasco people generally cast them as the bad guys.

> Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. .... in addition to being conducted deceptively

There are cases where deception (as they call it) can be approved (even by ethics boards). Based on the Verge's article, this research setup should not have been approved even by then. But the topic itself seems as relevant as ever with the xz case and all.

I think they should have gotten permission from IRB ahead of time, but this doesn't sound like they were researching human subjects? They were studying the community behind the Linux kernel, and specifically the process for gatekeeping bad changes from making it to the kernel; they weren't experimenting on specific community members. Would you consider it human experimentation if I was running an experiment to see if I could get crappy products listed on Amazon, for example?

A reteroactive exception!

This is retroactive ass covering by the UMN IRB.

Maybe you're over-estimating how much universities actually care about ethics and IRB.

I reported my advisor to university admin for gross safety violations, attempting to collect data on human subjects without any IRB oversight at all, falsifying data, and falsifying financial records. He brought his undergrad class into the lab one day and said we should collect data on them, (low hanging fruit!) with machinery that had just started working a few days prior, we hadn't even begun developing basic safety features for it, we hadn't even discussed design of experiments or requesting IRB approval for experiments. We (grad students) cornered the professor as a group and told him that was wildly unacceptable, and he tried it multiple more times before we reported him to university admin. Admin ignored it completely. In the next year, we also reported him for falsifying data in journal papers and falsifying financial records related to research grants. And, oh yeah, assigning Chinese nationals to work on DoD-funded work that explicitly required US citizens and lying to the DoD about it. University completely ignored that too. And then he got tenure. I was in a Top-10-US grad program. So in my experience, as long as the endowment is growing, university admin doesn't care about much else.

Don't worry, the university investigated itself (again) and (again) found no wrongdoing. /s