Internet Research Guidelines
These guidelines are intended for Fordham researchers conducting recruitment, informed consent and/or data collection procedures over the Internet. If you have any further questions, please contact the Research Compliance Director, Michele Kuchera at 718-817-0876 or [email protected].
The Internet is widely used for research activities including data collection and recruitment via web surveys, email, listservs, forums, social media and video calls. All uses pose unique concerns for the investigator and the IRB.
With the various uses the internet provides, there are challenges that may result pertaining to privacy, confidentiality, informed consent which can be complex and therefore require the investigator and the IRB to take extra provisions to ensure that privacy and confidentiality are not breached.
Protection of human subjects is no less important when the research involves observation of online behavior. The investigator and the IRB should make every effort to ensure individuals grant consent before having their discussions used for research purposes.
- The IRB must review and approve all recruitment materials used for internet research. Examples of Internet-based recruitment methods include emails, online advertising, and chatroom postings.
- The proper identification and qualification of subjects is a challenge in Internet-based research. Without face-to-face or voice-to-voice interaction, it is difficult for investigators to be sure that participants are not misrepresenting themselves. In certain situations, investigators should discuss measures taken to authenticate subjects. These situations may include studies for which authentication of subjects is important to the validity of the data or that consist of particularly sensitive topics. Examples of such measures include:
- Providing each study participant (in person or by U.S. Postal Service mail) with a Personal Identification Number (PIN) to be used for authentication in subsequent computer- and Internet-based data collection. In this example, the PIN used must not be one that could be used by others to identify the individual (e.g. social security number, phone number, birth date, etc.).
- In most studies involving no greater than minimal risk, it is sufficient for the informed consent document to simply ask participants to confirm that they are the appropriate age. If necessary, minors may be screened out such as when the study presents more than minimal risk to subjects or asks particularly sensitive questions. Or investigators might want to increase the validity of their study by screening out minors if their research is focused on adult subjects.
C. Informed Consent
- Investigators should include all of the required elements of informed consent as stated in the federal regulations when generating consent documents for online research. When online research is being employed, the Fordham online consent form template should be followed.
- In general, investigators conducting Internet-based research with minors must obtain both child assent and parent permission. Researchers may request a waiver of parent permission provided the study fits the appropriate criteria.
- Fordham IRB generally accepts the use of "I agree" or "I do not agree" buttons (or other electronic methods for indicating affirmative consent) on online pages in lieu of signatures.
- There may be instances, the Fordham IRB determines that documented consent is required, the consent form may be mailed or emailed to the participant who can then print and sign the form and return it to investigators via email, postal mail, or fax.
- The process of requesting consent should not disrupt normal group activity. Researchers need to be particularly sensitive of this when entering online communities and chatrooms as the process of requesting consent is often perceived as disruptive. If seeking informed consent will harm the validity of a study or make the research impracticable, it may be possible to obtain a waiver of consent provided the study meets the appropriate criteria. When requesting a waiver of informed consent, issues regarding deception or incomplete disclosure may need to be addressed in the researcher’s application.
- Collecting data over the Internet may increase potential risks to confidentiality because of the frequent involvement of third party sites and the risk of third party interception when transmitting data across a network. For example, when using a third party website to administer surveys, the website might store collected data on backups or server logs beyond the timeframe of the research project. In addition, third party sites may have their own security measures that do not match those of the investigators. Participants should be informed of these potential risks in the informed consent document. For example:
- “Although every reasonable effort has been taken, confidentiality during actual Internet communication procedures cannot be guaranteed.”
- “Your confidentiality will be kept to the degree permitted by the technology being used. No guarantees can be made regarding the interception of data sent via the Internet by any third parties”
- “Data may exist on backups or server logs beyond the timeframe of this research project.”
- Online consent may not be suitable for high risk studies where the research involves data that:
- places participants at risk of criminal or civil liability, or could damage their financial standing, employability, insurability, reputation, or could be stigmatizing.
- Personas, or avatars, are social identities that Internet users establish in online communities and websites. These personas allow individuals to reveal varying levels of personal information and also allow them to navigate the virtual world as a particular character or alter-ego. Names of Internet personas (characters or avatars) or real names may be used in reports and publications only with consent from the participating individual. In these situations, specific language concerning the release of identifiable information must be included in the informed consent document and specific consent must be sought from subjects for this release. If research participants give consent to be identified, data must still be secured properly to avoid any misuse by a third party.
D. Data Collection
Research involving observation and reporting of online behavior is sometimes called data mining. The term data mining also refers to sorting through data to identify patterns and establish relationships.
Consider the following:
- Not all content on the internet is “public information.” Access is not a justification for collecting data without consent from the subject(s).
- Researchers should inform participants that "observation" is taking place, and that any information exchanged may be used for research purposes when observing a chat room that is not open to the public.
- Most online groups do not require individuals to participate in discussions. After obtaining IRB approval and PRIOR to collecting ANY research data, permission must be sought from the list/group/community manager, and an announcement should be made to the list/group/community of the investigator’s intention to conduct research on the group.
- Consent must always be obtained from subjects before attempting to collect private information. However, the investigator may request a waiver of informed consent. Concern that permissions will not be granted is not a justifiable reason for the IRB to waive consent.
- Procedures must be in place to verify that research participants are adults.
- Survey instruments should be designed in such a way that allows participants to skip questions or provide a response such as “I choose not to answer.”
- At the end of the survey, there should be one button to submit the data and another button to discard the data. The purpose of these buttons is to ensure that a subject may withdraw at any time and to help them understand that if they do withdraw, even after completing the survey, their data can be discarded prior to transmission to the researcher.
- The Qualtrics Research Suite is a web-based survey tool that Fordham IT provides for free to all Fordham students, faculty, and staff at fordham.qualtrics.com. This robust and professional survey system, designed for academic and business research, allows users to easily design and implement surveys and provides many tools to evaluate the results. As such, Fordham University recommends the use of this survey instrument for research studies.
- When using validity/attention checks in a survey, researchers must make sure to explain the use of these in the consent form. Researchers should be clear about the criteria on which work will be accepted or rejected (i.e., the number of validity questions participants can answer incorrectly before their responses are considered invalid). The consent form should also state whether or not the participant will receive compensation if their submission is rejected due to these checks. If the 'captcha' or 'reverse Turing test' questions appear to be noticeably incongruent with the rest of the study, it should be made clear that they are included to verify the legitimacy of the other answers. Two examples of such questions are “Who is the president of the United States?” and “What is 2 + 2?” Please make sure to include the validity/attention checks you plan to use when submitting your application materials and documents to the IRB.
E. Data Security
Researchers must consider additional data-security issues when conducting Internet-based research.
- All data must be protected as it moves along the communication pathways (e.g., from the participant to the server, from the server to the Investigator). Additionally, all databases storing identifiable information or data must be protected regardless of the source creating the data (e.g., encryption of the database, de-identifying the data).
- Investigators must provide information regarding the transmission and storage of the data in their IRB application.
- Use Google Drive on your Fordham email account to securely store and control how files with sensitive data are shared. If files contain sensitive information, they should first be encrypted or de-identified before being stored on Google Drive. Carefully set up different folders to support the different modes of sharing needed for your protocol. (Note: you must comply with the terms of any applicable data use agreements. Data use agreements must be reviewed by University Research Administration.)
- The level of security should be appropriate to the risk. Research involving sensitive topics may require additional protections such as certified digital signatures for informed consent, encryption of data transmission, or technical separation of identifiers and data, housing data on a professional manager server. For most research, standard security measures like encryption and secure socket layer (SSL) will suffice.
- Researchers must take special care to treat online identities (personas or avatars) and their corresponding character names just like real ones. People care about the reputation of their personas and these aliases can usually be traced back to real-world names.
- Even when it is not the intention of the researcher to collect identifiable information, Internet protocol (IP) addresses are potentially identifiable; thus, if IP addresses will be collected, proper confidentiality measures must be in place in order to protect the subject’s identity. These measures include password protection and encryption.
- All identifiable or coded data transmitted over the Internet must be encrypted. This helps ensure that any data intercepted during transmission cannot be decoded and that individual responses cannot be traced back to an individual respondent. It is important to note that encryption standards vary from country to country, and there are legal restrictions regarding the export of certain encryption software outside US boundaries. It is the investigator’s responsibility to research possible restrictions and plan data security measures accordingly.
- There are various protocols for transmitting data securely over the internet with SSL (Secure Sockets Layer) connections or Secure HTTP. Both SSL and S-HTTP can work interdependently or together. On an IRB application, the investigator must describe the technology chosen for implementation of the research and justify the plan based upon the sensitivity of the research.
For more information and guidance on Data Security, please visit the IRB’s Research Data Security Guidance page.
F. Tips for Investigators
- Researchers should design research protocols which use the internet with the same considerations and standards for approval of research as outlined in the federal regulations (45 CFR 46.111), for informed consent, and voluntary participation as all other research activities under the jurisdiction of the IRB.
- Researchers working with children online are also subject to the Children's Online Privacy Protection Act (COPPA). COPPA prohibits researchers from collecting personal information from a child without posting notices about how the information will be used and without getting verifiable parental consent.
- Researchers conducting research which excludes minor participants should describe the procedures to be employed to authenticate that the participants are adults.
- Researchers should provide appropriate payment which allows participants to receive an incentive without revealing his/her identity (e.g., gift certificates from online retailers provided by displaying the unique certificate redemption number to respondents at the completion of a questionnaire.)
- Researchers should describe methods to authenticate respondents when necessary, e.g., to protect participants' privacy. (e.g., Researchers can provide each subject (in person or by U.S. mail) with a Personal Identification Number (PIN) to be used for authentication in subsequent computer- and internet- based data collection.