EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
research-methodologyresearch-ethicsbelmont-principlesinformed-consent

Foundations: The Belmont Principles

Research ethics rules did not appear because philosophers thought it would be tidy. They appeared because a federally funded study ran for forty years without telling participants their diagnosis, and without offering a treatment that became available partway through. Understanding where the rules come from is what makes them useful rather than merely bureaucratic.

Ashish Revar7 July 20268 min read4 views

Sign in to mark this article as read and track your progress.

More articlesTest your knowledge

Why the Rules Exist

From 1932 to 1972, a US Public Health Service study in Tuskegee, Alabama, enrolled Black men with syphilis and tracked the progression of their disease — without telling them their diagnosis, and without offering penicillin after it became the standard treatment in 1947. The study ran for forty years. Its exposure by a journalist in 1972 triggered the National Research Act of 1974, which created the National Commission for the Protection of Human Subjects, whose final report — the Belmont Report, published in 1979 — remains the reference point most research ethics training starts from.

The path was: a study begins (1932) → penicillin available, not offered (1947) → study exposed (1972) → National Research Act signed (1974) → Belmont Report published (1979). Forty years of harm could go unchecked because there was no formal ethics oversight requiring the question to be asked.

The Three Belmont Principles

Respect for Persons. Individuals are autonomous agents entitled to decide, with adequate information, whether to take part in a study. This requires informed consent for anyone whose participation involves risk or whose data will be used in ways they might not have anticipated.

Beneficence. A study should maximise possible benefit and minimise possible harm to its participants — not only to the field's body of knowledge. Benefit to science does not automatically justify harm to individuals.

Justice. The burdens and the benefits of research should fall on people fairly. No single group should bear the risk while a different group receives the benefit. The Tuskegee study failed this directly: the participants bore a severe cost while contributing to knowledge that served a broader population that did not include them.

A study must satisfy all three at once. Satisfying one or two is not sufficient.

Translating the Principles into Security and ML Research

The principles were written for biomedical research, but they apply directly in technical contexts. The questions differ, but the obligations are the same:

PrincipleIn human-subjects researchIn security/ML research
Respect for PersonsDid participants agree, with full understanding of the purpose?Do the owners of any scanned systems or monitored traffic know and agree?
BeneficenceDoes potential benefit outweigh risk to participants?Does publishing this vulnerability write-up create more protection than it creates risk for unpatched users?
JusticeAre the people who bear the risk also the ones who receive the benefit?Are the communities whose devices are studied the same ones who will benefit from stronger defences?

A researcher who scans a subnet she does not own, arguing that the resulting data will benefit defenders, has addressed Beneficence in one direction only. Respect for Persons requires that the owners of those systems had the opportunity to agree. Justice asks whether those systems — and the people who depend on them — are the ones who will actually receive the protection the research claims to generate.

A Study Does Not Have to Involve People to Raise Ethics Questions

A common misreading is that the Belmont principles apply only to studies that use human participants — interviews, surveys, medical records. In security research, many datasets that do not appear to involve people directly actually do: network traffic contains behavioural signatures; endpoint logs contain application usage patterns; IP addresses can be resolved to individuals under the right circumstances. The right test is not "did I interview anyone" but "does this data touch anyone's systems or behaviour without their knowledge?"

Check Your Understanding

A researcher wants to study how quickly a new class of malware spreads across home routers. She plans to deploy it in a small test network she owns, then observe. A classmate proposes the same study but on a sample of real consumer routers found via a Shodan scan — no consent obtained, because the owners "probably don't know they're exposed anyway." Apply all three Belmont principles to both proposals. Which study passes, which does not, and on which specific principle does the second one fail?