Amazon Mechanical Turk is not anonymous
Research find vulnerability in Amazon Mechanical Turk, which can be exploited to obtain personally identifying information on some workers.
This may be of interest to anyone in the data mining community using Amazon's Mechanical Turk platform for research, as well as those more generally interested in how online data can be linked in ways that can be surprising to people and compromise privacy.
Several collaborators and I have just announced discovery of a vulnerability on Amazon's Mechanical Turk platform, with potential implications for IRB governance of human subjects research using AMT at US universities. In particular, this vulnerability can be exploited to obtain personally identifying information (PII) and other private information of some workers, who may have shared this information online in a way they did not recognize could be linked to their WorkerIDs.
This may impact IRB oversight of research conducted at UT with AMT, as well as what research is classified as human research and subject to IRB governance. I am just starting to follow up on this now with our IRB coordinator here at UT Austin.
The announcement of our finding is below:
Blog post: crowdresearch.org/blog/?p=5177
We are now trying to get the word out to be AMT workers, as well as researchers whose might be impacted or who may have posted WorkerIDs online which could be compromised via this vulnerability. We would appreciate your help with this.
We are also specifically advocating *against* online posting of WorkerIDs due to the risk of workers not having realized that information they have shared could be linked with their worker accounts. Regardless of the vulnerability, we have also found explicit requests from workers to not post such uniquely identifying information.
University of Texas at Austin