Scope of Research
The FTC is seeking research presentations on consumer privacy and security issues, with a particular focus on the economics driving those issues. We are seeking empirical research and economic frameworks, rather than pure opinion pieces on law and policy, and are particularly interested in the following areas:
1. Nature and Evolution of Privacy and Security Risks
- What new privacy and security issues arise from emerging technologies, such as Internet of Things, artificial intelligence, and virtual reality?
- What are the greatest threats to consumer privacy today? Has research been conducted to quantify the nature of these threats? Potential threats for discussion include the following:
- Business email account takeovers
- Unpatched software
- Internet of Things vulnerabilities, including insecure APIs or insecure transmissions
- Distributed Denial of Service attacks
- Identity theft, including medical identity theft
2. Quantifying Costs and Benefits of Privacy From a Consumer Perspective
- How can one quantify the costs and benefits to consumers of keeping data about them private?
- What are consumers willing to pay, or services are they willing to forgo, or what steps do they take, to ensure data about them remains private, and how does that vary by consumer and across contexts?
- To what extent are consumers’ preferences contextual? How do consumers’ stated and revealed preferences differ, and why? If consumers make choices in the context of a particular transaction, are those choices effective?
- Does the sharing of data between businesses that interact with consumers in different contexts influence how much consumers will pay, or the steps they will take, to protect their privacy? If so, how can one account for that effect?
- How can one quantify the costs and benefits to consumers of individual privacy or data security tools or practices?
- How can one quantify the costs and benefits to consumers of various information uses? What are the costs to consumers of reduced information flows?
- How can one quantify the risk of harm to consumers from exposure of their information?
- How can one quantify the probability and magnitude of the harm to the consumer from a breach, and how do those vary by type of information breached?
- How can one apportion harm or risk to particular breaches or practices?
3. Quantifying Costs and Benefits from a Business Perspective
- What are the costs and benefits of implementing security-by-design techniques and other privacy-protective technologies and behaviors?
- How can one quantify the harms to businesses from a data breach? i.e., what are the costs to businesses of a breach?
- How can businesses weigh the costs and benefits of individual security tools or practices?
- What data exists on the costs and benefits of individual security tools or practices? Can benefits be broken out into reductions in the probability of incidents and reductions in harm in the event of an incident?
- Assuming a baseline level of security, what is the marginal value of specific tools, such as chip-and-pin for payment cards?
- What are the tradeoffs between product functionality and increased security or increased privacy protections? How do firms make decisions regarding this tradeoff?
- What are the most efficient means of protecting consumers’ privacy and security?
- How can businesses measure the risks of existing vulnerabilities in their systems? How can they conduct risk-assessment and risk-modeling?
- Have researchers conducted surveys of businesses to determine how they allocate resources to privacy and security?
- When there are multiple parties to a transaction (e.g., app developers, carriers, operating systems, ad networks), how should responsibility be allocated among them if consumers’ privacy is compromised?
4. Incentives, Market Failures, and Interventions
- What are the incentives for manufacturers and software developers to implement privacy and security by design in their goods or services, and keep security up to date?
- Is there evidence that market may fail to provide the correct level of privacy and data security? For example, are there market failures associated with the following:
- Information asymmetry (i.e., businesses have more information than consumers about how consumer information will be stored and used) can make it more difficult for consumers to make informed choices about their information?;
- Interdependent security (i.e., the privacy and security practices of one individual or business may expose an entire system to increased risk)?;
- Secondary uses that may emerge long after consumers make the initial decision to use a product or service that requires them to share information?;
- Big data analysis, which may allow sensitive inferences to be drawn about consumers based on non-sensitive data?; or
- Difficulty of tying harm or risk to particular technologies, policies, or practices that may make it difficult for companies to assess the value of said particular technologies, policies, or practices?
- The inability of consumers to trace harm from a data breach to a particular firm or practice?
- Is there evidence that the market is able to provide efficient levels of privacy and data security?
- How do firms respond to consumer demands for privacy and data security?
- When and how do businesses account for differences among consumers’ preferences regarding privacy and data security?
- In what contexts do markets deliver more or less privacy protective practices? Why?
- Are there tools that could help consumers or businesses overcome or mitigate market failures? For example, are there tools that would:
- Provide consumers with additional insight into how companies use or store their information? or
- Allow users to exercise additional control over their personal information?
- If so, what do those tools cost, how would consumers value and use them, and in what contexts?
- If there are sustained market failures in privacy and data security, what interventions are most appropriately calibrated to address any consumer injury resulting from such failures? For example, when is ex ante regulation superior to ex post enforcement? How would one measure the success of such interventions?
- PrivacyCon will feature sessions during which researchers will deliver 10-minute presentations that will be followed by Q&A and a panel discussion that will discuss the research presented and its relation to privacy and data security policy and law. Researchers’ presentations may be speeches (with or without slides), demonstrations, or a combination of the two. The discussion sessions will be moderated by FTC staff.
Selection Criteria and Review Process
- Presentations may concern research that has been prepared for, previously presented at, or is under consideration for inclusion in other conferences or publications.
- Requests must be from researchers to present their own research, completed after November 1, 2017.
- Requests to make presentations that are substantially promotional or commercial in nature will not be granted.
- Research exposing a previously unknown security or privacy vulnerability in a specific product or service will only be accepted if it has been responsibly disclosed to the affected entity and that entity has been given time to resolve the issue. Such Requests must be submitted only through the Accellion secure file web form described below and must be accompanied by: (1) a request for confidential treatment of research, and (2) a statement describing how you responsibly disclosed the vulnerability to the entity responsible for the affected product or service.
- Requests will be granted at FTC staff’s sole discretion, based upon an assessment of the quality of the submissions, the relevance of the submissions to the FTC’s work, and the need to cover a diverse range of topics representing a variety of viewpoints.
- Researchers who submit Requests will be notified, if possible, by April 19, 2019, whether they have been selected to present at PrivacyCon.
The deadline for submission was March 15, 2019.
As part of your submission through the web-based form, you must include the following information:
- First and last name, email address, phone number, job title, and affiliation of researcher(s) making the Request;
- Title of the research you propose to present along with an abstract summarizing your methodology, findings, and how your research differs from prior research in this area;
- Publication details for any research that has been previously published or accepted for publication;
- Your completed or draft research paper or extended abstract;
- Any additional information you would like to share (optional); and
- Whether you would like your submission to be kept confidential. Your confidentiality request must identify the specific portions of your submission for which confidential treatment is being requested, and the legal or factual basis for your request. See Commission Rule 4.9(c). If the General Counsel grants your request for confidential treatment, your submission will not be made publicly available, except as required by law. If you do not request confidential treatment of your submission, it may be placed on the FTC’s public record of this matter at www.ftc.gov, including the name and state of the submitter. (The FTC will make reasonable efforts to redact any personal e-mail or home address, phone numbers, or other personal contact information before placing a submission on the public record.)
If You Are Selected to Present*
- If your Request is granted, you must confirm by April 26, 2019, that you will present your research at PrivacyCon 2019 during the presentation slot offered to you. If you do not confirm by this date, FTC staff may offer your slot to someone else.
- You must make yourself available for pre-conference planning calls with FTC staff and discussants.
- You must submit all presentation materials (e.g., slides, if you plan to use them) to the FTC by May 31, 2019.
*NOTE: The FTC does not offer compensation of any kind to presenters or participants in its conferences. In addition, PrivacyCon, including all presentations, will be available to the public via a live-stream and on the FTC’s website in archived video and transcript form.
If You Are Not Selected to Present
We recognize that, due to the small number of slots to present research, we likely will not be able to grant several high-quality Requests to present research. We may, however, post your research submission – including your name and your state – to our public website if you choose to submit by the March 15, 2019 deadline.
Research Completed After PrivacyCon
The FTC welcomes privacy and data security researchers to inform us of their latest findings. The dialogue between researchers and policymakers must continue after the PrivacyCon event. We invite you to send in your research to email@example.com if you are interested in discussing your research with us or have further questions.