Webster University Guidelines for Internet Research

Overview

The Internet has become a popular vehicle for data collection. There are many forms of “internet research”, from recruiting study participants via social media, to distributing online surveys via email, to observing individuals’ behaviors within online environments such as chatrooms and “comments” sections of websites. As with all research involving human participants, faculty, staff, and student investigators must first consider the Belmont Report’s fundamental principles of respect for persons, beneficence, and justice. Thus, adherence to these fundamental principles is of utmost importance when conducting internet research. Faculty, staff, and student investigators who wish to conduct internet research should carefully review the information below.

What is “Internet Research?”

The Office of Human Research Protections (OHRP) recognizes that there are multiple forms of “internet research”. Thus, the broad and overarching term "internet research" includes both the Internet as a tool for research and the Internet as a locale or venue of research.

Research employing survey instruments, search engines, databases, databanks, or aggregators would constitute using the Internet as a tool for research. Such research may or may not involve direct interaction with human subjects, but identifiers or personally identifiable information may be generated, collected, and/or analyzed. The following are general examples of the internet as a tool for research:

  • Research that uses the Internet as a vehicle for recruiting or interacting, directly or indirectly, with subjects (e.g., Qualtrics, self-testing websites, etc.). 
  • Recruitment in or through Internet locales or tools, for example social media, push technologies.

In contrast, using the Internet as a medium or locale of research entails qualitative or quantitative studies of various Internet ―spaces, such as chat rooms, gaming worlds, virtual environments, or other simulated locales. The following are general examples of the internet as a medium or locale of research:

  • Research studying information that is already available on or via the Internet without direct interaction with human subjects (harvesting, mining, profiling, scraping—observation or recording of otherwise-existing data sets, chat room interactions, blogs, social media postings, etc.). 
  • Research about the Internet itself and its effects (use patterns or effects of social media, search engines, email, etc.; evolution of privacy issues; information contagion; etc.).
  • Research about Internet users—what they do, and how the Internet affects individuals and their behaviors Research that utilizes the Internet as an interventional tool, for example, interventions that influence subjects’ behavior

Internet phoning, video conferencing, online chatting, mobile research, and other emerging and cross-platform technologies and research designs may be constitute both tool and venue. For example, applications such as Skype® or Facetime® may be used to contact subjects or participants, and interviews or focus groups can be conducted via the application.

Summary of Recommendations for Internet Research

Faculty, staff, and student investigators who wish to conduct internet research should carefully review the information in this section and, after doing so, draft their IRB applications in light of the following guidelines: 

  • The IRB strongly advises researchers to utilize Qualtrics, the university’s official web-based survey software for online data collection. Failure to do so exposes participants to undue risk (see below).
  • The fundamentals of informed consent for face-to-face data collection must also be observed for internet & online survey research. Prior to the start of the survey, an adequate informed consent document should be displayed to the participants. The participant should verify that they are at least 18 years old, when the method has excluded children.
  • A forced response that requires participants to answer all the questions before submitting the survey or before moving to the next question is not allowable and is seen as a violation of the research principles of voluntary participation. Use an N/A response or “Prefer not to Respond” as an option, if necessary.
  • Confidentiality & Data Storage:
  • If IP addresses will be collected /stored or if cookies will be used (e.g., so that only the participants who have not responded to a survey are reminded), state this in your protocol, let the participant know that this data is being collected, and when it will be deleted from the dataset. If applicable, the participant should also be informed up front that s/he will receive reminders if s/he does not respond in a specific amount of time.
  • Researchers who wish to utilize other web survey platforms (e.g., Survey Monkey, Zoomerang, etc.) must be sure that their survey platforms adhere to specific security conditions regarding the services’ security and confidentiality policies, data security, and how long the data will be stored and backed up. The researcher must clearly outline in the IRB application how such thresholds will be met (see below for specific criteria).
  • The IRB recommends the use of a phrase at the bottom of the electronic consent document that indicates the participants’ voluntary participation. This can be a phrase with a “YES” checkbox (e.g., “YES, I voluntarily agree to participate in this research. By continuing with this survey, I affirm my consent to participate and acknowledge that I meet the requirements for participation.”) that will take the participant to the first section of the actual survey, as well as a “NO” checkbox (e.g., “NO, I do not wish to participate. Please exit me from this survey.”) that will exit the survey.
  • Do not promise absolute confidentiality with an electronic medium. The IRB suggests using a sentence such as: "Your confidentiality is only as secure as your equipment. Specifically, no guarantees can be made regarding the interception of data sent via the Internet by any third parties."
  • All data should be stored in an encrypted format.
  • The IRB recommends that researchers use SSL (Secure Socket Layer protocol) to ensure that survey responses will be encrypted when submitted. Researchers conducting web-based research should be careful not to make guarantees of confidentiality or anonymity, as the security of online transmissions is not guaranteed.  A statement in the informed consent form indicating the limits to confidentiality is typically required. The following statement may be used: “Your confidentiality will be maintained to the degree permitted by the technology used. Specifically, no guarantees can be made regarding the interception of data sent via the Internet by any third parties.”

 Considerations for Internet Research

As with all research involving human participants, faculty, staff, and student investigators must first consider the Belmont Report’s fundamental principles of respect for persons, beneficence, and justice. Thus, adherence to these fundamental principles is of utmost importance when conducting internet research. Consequently, with internet research, investigators and IRBs must consider both risks related to the specific research protocol and risks related to the technologies in use. Perhaps the most critical issues for researchers planning to conduct internet research involve considerations of (1) risk and (2) informed consent.

The regulatory definition of “minimal risk” predates use of the Internet as a communications and research tool. Many Internet-related risks such as identity theft, other types of electronic fraud or security breaches, online-addictions, and electronic monitoring, stalking, or bullying, can have serious consequences, but most were not part of our daily lives—or indeed even contemplated—when the regulations were first written. In light of this unfortunate reality, the OHRP suggests that it is increasingly appropriate to include the risk of computer-related harms, such as hacking, phishing, breach, lack of appropriate security measures, etc., as among those risks encountered in daily life.

As with all research, appropriate methods for documenting informed consent should reflect the risk and complexity of the research. For straightforward minimal risk internet research, the OHRP suggests that documentation might be in the form of a simple click-through "I agree" statement preceding access to the study materials, where subjects are presented the appropriate consent information and then signal their consent either by checkbox or by completing the survey or experimental materials. In the case of more complicated research protocols, or a project that is greater than minimal risk, a signed document, sent via traditional methods or completed via e-signature may be a necessary component. The researcher has a primary responsibility to the participants to ensure that they are fully aware of their rights, risks, and responsibilities as they contribute to increased understanding of social and scientific knowledge. The researcher has an additional responsibility to the IRB to provide the rationale for the chosen consent documentation.

Because the definition of “minimal risk” references both the probability and the magnitude of harm, investigators and IRBs must consider both dimensions. A risk of significant harm (e.g., identity theft, breach of confidential medical or personal information) that is technically possible, but of small likelihood, may be judged to be minimal if the IRB is satisfied that the investigator’s data security procedures are consistent with best-practice recommendations. To this end, the Webster University IRB recommends the following guidelines for internet research.

 Guidelines for Internet Research

When investigators are entrusted with data and devices, they have a responsibility to minimize risk and to honor their obligations to subjects. Researchers conducting internet research must consider the following:

Email Distribution: Perhaps the most common form of internet research involves the use of online surveys for the collection of data. Such surveys can be distributed through email networks or posted to public websites. However, surveys completed via email represent certain ethical challenges. Researchers seeking to use email to distribute their surveys or collect survey responses should carefully consider the following guidelines:

  • Instead of recruiting with a group email, send individual recruitment emails to participants to avoid any confidentiality breach. If this is not possible, maintain confidentiality by emailing the group emails in the BCC (blind carbon copy) section of the email.
  • Avoid asking for participants’ personal information via email (e.g., asking for home address phone number and birthdate in the same email).
  • Participants should be informed that complete anonymity may not be possible. The IRB suggests the use of a phrase such as “Although it is unlikely that anyone will try to gain access to your email, you have the right to know that email transmissions are not private and therefore transmission of information through this form cannot be guaranteed to remain confidential.”

Consent: If you choose to collect data over the Internet, you should use a consent form that contains all of the information required in the printed consent form or the oral consent process. Most in-person consent forms conclude by saying, "I have read and understand the above information and voluntarily agree to participate in the research project described above," followed by a line for the participant’s printed name, signature, and the date. Thus, for an email or online survey consent form, you would replace the signature line with options to affirm or refuse participation.

  • The IRB recommends the use of a phrase at the bottom of the electronic consent document that indicates the participants’ voluntary participation. This can be a phrase with a “YES” checkbox (e.g., “YES, I voluntarily agree to participate in this research. By continuing with this survey, I affirm my consent to participate and acknowledge that I meet the requirements for participation.”) that will take the participant to the first section of the actual survey, as well as a “NO” checkbox (e.g., “NO, I do not wish to participate. Please exit me from this survey.”) that will exit the survey.
  • Depending on the response method and the other characteristics of your own unique proposal, this method of consent may preserve either full anonymity OR confidentiality.

Identifying Information: Whenever possible, identifiable data should be encrypted in transit (for most low to minimal risk studies, basic SSL encryption is acceptable) and while at rest (whole disk encryption is readily available). Data should be unlinked from identifiers and IDs destroyed as soon as they are no longer needed.

  • Data collected through email responses is NEVER “anonymous," only “confidential," because participants are identifiable through their email addresses. If you are distributing surveys through email, you should include the following statement in your consent process: “Although it is unlikely that anyone will try to gain access to your email, you have the right to know that email transmissions are not private and therefore transmission of information through this form cannot be guaranteed to remain confidential.”

Administration, Access, and Storage: The IRB advises researchers to utilize Qualtrics, the university’s official web-based survey software for online data collection. All Webster University faculty, staff, and students worldwide have integrated access (subject to the same “Acceptable Use Policy” as other Webster computing resources) through Connections.

Default settings within Qualtrics satisfy established best practices for security requirements. Note that neither Google Forms nor Facebook are secure methods of online data collection because confidentiality cannot be assured. Researchers who wish to utilize other web survey platforms (e.g., Survey Monkey, Zoomerang, etc.) must be sure that their survey platforms adhere to the following security conditions and clarify in the IRB application how such thresholds will be met:

  • The Web based survey system must employ SSL encryption of all transmissions between the respondents and the survey servers.
  • The survey results must be secured behind a password protected account with access limited to the study researchers and system administrators.
  • The survey system service provider must have a privacy policy which prevents employees of the service provider from accessing survey results without permission granted by the account holder.
  • All downloads of data from the survey system must employ SSL encryption for the transmission.