Should I Get Involved? On the Privacy Perils of Mining Software Repositories for Research Participants

TL;DR

This paper discusses the privacy risks involved in mining software repositories for research, highlighting the need to balance data utility with participant privacy and ethical considerations.

Contribution

It introduces a discussion on privacy challenges and ethical issues related to participant data in MSR studies, emphasizing the importance of privacy-preserving practices.

Findings

Privacy risks linked to participant identities in MSRs

Potential for 'guilty by association' effects

Need for privacy-aware data sharing policies

Abstract

Mining Software Repositories (MSRs) is an evidence-based methodology that cross-links data to uncover actionable information about software systems. Empirical studies in software engineering often leverage MSR techniques as they allow researchers to unveil issues and flaws in software development so as to analyse the different factors contributing to them. Hence, counting on fine-grained information about the repositories and sources being mined (e.g., server names, and contributors' identities) is essential for the reproducibility and transparency of MSR studies. However, this can also introduce threats to participants' privacy as their identities may be linked to flawed/sub-optimal programming practices (e.g., code smells, improper documentation), or vice-versa. Moreover, this can be extensible to close collaborators and community members resulting "guilty by association". This position paper aims to start a discussion about indirect participation in MSRs investigations, the dichotomy of 'privacy vs. utility' regarding sharing non-aggregated data, and its effects on privacy restrictions and ethical considerations for participant involvement.