Research ethics rules did not appear because philosophers thought it would be tidy. They appeared because a federally funded study ran for forty years without telling participants their diagnosis, and without offering a treatment that became available partway through. Understanding where the rules come from is what makes them useful rather than merely bureaucratic.
Sign in to mark this article as read and track your progress.
From 1932 to 1972, a US Public Health Service study in Tuskegee, Alabama, enrolled Black men with syphilis and tracked the progression of their disease — without telling them their diagnosis, and without offering penicillin after it became the standard treatment in 1947. The study ran for forty years. Its exposure by a journalist in 1972 triggered the National Research Act of 1974, which created the National Commission for the Protection of Human Subjects, whose final report — the Belmont Report, published in 1979 — remains the reference point most research ethics training starts from.
The path was: a study begins (1932) → penicillin available, not offered (1947) → study exposed (1972) → National Research Act signed (1974) → Belmont Report published (1979). Forty years of harm could go unchecked because there was no formal ethics oversight requiring the question to be asked.
Respect for Persons. Individuals are autonomous agents entitled to decide, with adequate information, whether to take part in a study. This requires informed consent for anyone whose participation involves risk or whose data will be used in ways they might not have anticipated.
Beneficence. A study should maximise possible benefit and minimise possible harm to its participants — not only to the field's body of knowledge. Benefit to science does not automatically justify harm to individuals.
Justice. The burdens and the benefits of research should fall on people fairly. No single group should bear the risk while a different group receives the benefit. The Tuskegee study failed this directly: the participants bore a severe cost while contributing to knowledge that served a broader population that did not include them.
A study must satisfy all three at once. Satisfying one or two is not sufficient.
The principles were written for biomedical research, but they apply directly in technical contexts. The questions differ, but the obligations are the same:
| Principle | In human-subjects research | In security/ML research |
|---|---|---|
| Respect for Persons | Did participants agree, with full understanding of the purpose? | Do the owners of any scanned systems or monitored traffic know and agree? |
| Beneficence | Does potential benefit outweigh risk to participants? | Does publishing this vulnerability write-up create more protection than it creates risk for unpatched users? |
| Justice | Are the people who bear the risk also the ones who receive the benefit? | Are the communities whose devices are studied the same ones who will benefit from stronger defences? |
A researcher who scans a subnet she does not own, arguing that the resulting data will benefit defenders, has addressed Beneficence in one direction only. Respect for Persons requires that the owners of those systems had the opportunity to agree. Justice asks whether those systems — and the people who depend on them — are the ones who will actually receive the protection the research claims to generate.
A common misreading is that the Belmont principles apply only to studies that use human participants — interviews, surveys, medical records. In security research, many datasets that do not appear to involve people directly actually do: network traffic contains behavioural signatures; endpoint logs contain application usage patterns; IP addresses can be resolved to individuals under the right circumstances. The right test is not "did I interview anyone" but "does this data touch anyone's systems or behaviour without their knowledge?"
A researcher wants to study how quickly a new class of malware spreads across home routers. She plans to deploy it in a small test network she owns, then observe. A classmate proposes the same study but on a sample of real consumer routers found via a Shodan scan — no consent obtained, because the owners "probably don't know they're exposed anyway." Apply all three Belmont principles to both proposals. Which study passes, which does not, and on which specific principle does the second one fail?