[This is the email that Theodore Ts'o replied to, but it failed to reach the email server due to not using plain mode. Here I resend it.]

(Note: this thread has become a hot Internet discussion on China's Twitter.)

I am a graduate student working in applied crypto, and CoI: I know one of the authors of the S&P paper. Some thoughts.

[1] I think the UMN IRB makes an incorrect assertion that the research is not human research, and that starts the entire problem and probably continues to be. It clearly affects humans. I think UMN IRB lacks experience regarding human experiments in CS research, and should be informed that their decisions that this is not human research are fundamentally wrong---it misled the reviewers as well as misled the researchers.

---

[2] Banning UMN seems to be a temporary solution. I don't disagree. But it still might not prevent such proof-of-concept efforts: one could use a non-campus address.

It might be helpful to inform the PC chairs of major security conferences, S&P, USENIX Security, CCS, and NDSS, regarding the need to discourage software security papers from making proofs-of-concept in the real world, in the wild, that may be hurtful, as well as concerns on the sufficiency of IRB review---some IRBs may lack experience for CS research.

Some conferences have been more careful about this recently. For example, NDSS accepts a paper on a browser bug but attaches a statement saying that the PC has ethical concerns. See: "Tales of Favicons and Caches: Persistent Tracking in Modern Browsers", NDSS '21

---

[3] Let us not forget that the author is using their real campus address and is open to such pressure. Thus, I think the authors, as students and researchers, have no bad faith; but they are misled that this experimental procedure is acceptable, which it is not.

Sorry for jumping in...

Weikeng