Mechanical Turk is not anonymous
7 views
Skip to first unread message
Matt Lease
Mar 8, 2013, 9:53:22 AM3/8/13
to csdm...@googlegroups.com
Several collaborators and I are sharing news of a recently discovered
vulnerability on Amazon's Mechanical Turk platform, with potential
implications for IRB governance of human subjects research using AMT at
US universities. In particular, this vulnerability can be exploited to
obtain personally identifying information (PII) and other private
information of some workers, who may have shared this information online
in a way they did not recognize could be linked to their WorkerIDs.
The announcement of our finding is below:
Blog post: http://crowdresearch.org/blog/?p=5177
Paper: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2228728
I spoke with AMT VP at Amazon on Tuesday and they are assessing the situation. It seems unlikely they will address the issue
at the system level, but may instead try to further educate the workers to make informed choices regarding what types of information they choose to share in their Amazon profiles.
We are also specifically advocating *against* online posting of WorkerIDs due to the risk of workers not having realized that information they have shared could be linked with their worker accounts. Regardless of the vulnerability, we have also found explicit requests from workers to not post such uniquely identifying information.
We'd appreciate your help getting the word out to other researchers who might be impacted (word of mouth, email, twitter @amazonmturk, etc.), as well as anyone who may have posted WorkerIDs online which could be compromised via this vulnerability.
Thanks,
Matt
vulnerability on Amazon's Mechanical Turk platform, with potential
implications for IRB governance of human subjects research using AMT at
US universities. In particular, this vulnerability can be exploited to
obtain personally identifying information (PII) and other private
information of some workers, who may have shared this information online
in a way they did not recognize could be linked to their WorkerIDs.
The announcement of our finding is below:
Blog post: http://crowdresearch.org/blog/?p=5177
Paper: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2228728
I spoke with AMT VP at Amazon on Tuesday and they are assessing the situation. It seems unlikely they will address the issue
at the system level, but may instead try to further educate the workers to make informed choices regarding what types of information they choose to share in their Amazon profiles.
We are also specifically advocating *against* online posting of WorkerIDs due to the risk of workers not having realized that information they have shared could be linked with their worker accounts. Regardless of the vulnerability, we have also found explicit requests from workers to not post such uniquely identifying information.
We'd appreciate your help getting the word out to other researchers who might be impacted (word of mouth, email, twitter @amazonmturk, etc.), as well as anyone who may have posted WorkerIDs online which could be compromised via this vulnerability.
Thanks,
Matt
Reply all
Reply to author
Forward
0 new messages