The Common Rule places security researchers in a difficult position: Large quantities of data in our possession or which are easy to get appears to be off-limits for research without prior IRB approval.