Should I Get Involved? On the Privacy Perils of Mining Software Repositories for Research Participants
This is an incremental position paper that raises ethical concerns for software engineering researchers and participants, but does not propose new solutions.
The paper tackles the privacy risks for software developers when their identities are linked to flawed practices in mining software repositories (MSR) studies, highlighting issues like 'guilty by association' and the trade-off between data utility and privacy.
Mining Software Repositories (MSR) is an evidence-based methodology that cross-links data to uncover actionable information about software systems. Empirical studies in software engineering often leverage MSR techniques, as they allow researchers to unveil issues and flaws in software development and to analyse the different factors contributing to them. Hence, fine-grained information about the repositories and sources being mined (e.g., server names and contributors' identities) is essential for the reproducibility and transparency of MSR studies. However, this can also introduce threats to participants' privacy, as their identities may be linked to flawed or sub-optimal programming practices (e.g., code smells, improper documentation), or vice versa. Moreover, this can extend to close collaborators and community members, making them "guilty by association". This position paper aims to start a discussion about indirect participation in MSR investigations, the dichotomy of 'privacy vs. utility' regarding sharing non-aggregated data, and its effects on privacy restrictions and ethical considerations for participant involvement.