Scope of Research
The FTC is seeking research presentations on consumer privacy and security issues. For PrivacyCon 2020, we welcome research on any topic related to consumer privacy and security, and plan to focus in particular on research on the privacy and security of health data collected, stored, and transmitted by mobile applications (“apps”).
Health apps can offer consumers important benefits, including the ability to easily access, organize, and analyze health data from medical records, wearable devices such as blood pressure or heart rate monitors, and patients’ direct input. Market observers expect enormous growth in this area, particularly after the Department of Health and Human Services issues final rules relating to patient access to electronic health information. At the same time, some observers have expressed concern that consumers may not appreciate the privacy and security risks associated with health apps. Moreover, some stakeholders argue, consumers may not realize that health information protected by the Health Insurance Portability and Accountability Act (“HIPAA”) when part of a healthcare provider’s records may fall outside HIPAA’s purview when transferred to the health app of the patient’s choice. (The FTC Act, of course, would likely apply to such apps and information.) To explore this area further, we are seeking empirical research (rather than pure opinion pieces on law and policy) on privacy and security in the health app area.
We are interested in the following areas:
1. Privacy and Security of Established Products and Emerging Technologies
- What are the greatest threats to the privacy and security of consumer health information today?
- What new privacy and security issues arise from emerging technologies such as apps that analyze sensitive personal information, virtual assistants, predictive algorithms, and artificial intelligence?
- How do the risks vary by data, product type, or commercial use or context?
- For example, for data held by health apps, how does the risk vary by app type (e.g., fitness tracker versus medical record apps) and data type (e.g., daily sleep patterns versus HIV status)?
- Which products are transmitting user data to third parties, who are the recipients, what are the data, and what are the current and potential future purposes for these transmissions?
- With respect to apps, is there evidence that apps are circumventing app platform permission systems?
- How are transmissions of user data collected by the product secured (e.g., through encryption)?
- What is the best way to measure the security of various products (e.g., apps, Internet of Things devices)?
- How prevalent are heightened security features, such as multi-factor authentication?
- Do particular security measures correlate with better overall security or lower (or greater) risk of consumer harm?
- What is the relationship, if any, between security or privacy-protective behavior and more readily observable characteristics like the product’s popularity, cost, or endorsement by a credible organization?
2. Representations to Consumers Regarding the Privacy and Security of Products That Collect, Store, and Transmit Personal Information
- What representations are made to consumers regarding privacy and security?
- Are these representations accessible and understandable?
- With respect to apps, are the permissions requested, especially so-called “dangerous” permissions, consistent with privacy and security representations made to consumers?
- Are any organizations developing privacy or security-related “scores”? How feasible is such an effort and how should their efficacy be measured?
3. Costs and Benefits of Privacy and Security
- What are the known costs and benefits of implementing security techniques and other privacy-protective technologies and behaviors? How have these been identified and measured?
- What are the tradeoffs between product functionality (including the ability to combine data from various devices) and increased security or increased privacy protections? How do firms make decisions regarding this tradeoff?
- What are the most efficient means of protecting consumers’ privacy and security?
- When there are multiple parties to a transaction (e.g., app developers, operating system health platforms (e.g., Apple Health and Google Fit), ad networks, healthcare providers, health-related device manufacturers), how should responsibility be allocated among them if consumers’ privacy is compromised?
- Has empirical work assessed the degree to which developers and manufacturers understand which law(s) apply to their products and what obligations such laws impose?
- Is there evidence that the market is able to provide efficient levels of privacy and data security, or, conversely, that the market may fail to provide the correct level of privacy and data security?
When considering these research questions, we invite all submissions to consider their application in the context of health apps, and whether such apps exhibit unique attributes or characteristics that merit special attention or focus.
PrivacyCon will feature sessions during which researchers will deliver 10-minute presentations, followed by Q&A and a panel discussion of the research presented and its relation to privacy and data security policy and law. Researchers’ presentations may be speeches (with or without slides), demonstrations, or a combination of the two. The discussion sessions will be moderated by FTC staff.
Selection Criteria and Review Process
- Presentations may concern research that has been prepared for, previously presented at, or is under consideration for inclusion in other conferences or publications.
- Requests must be from researchers to present their own research, completed after January 1, 2019.
- Requests to make presentations that are substantially promotional or commercial in nature will not be granted.
- Research exposing a previously unknown security or privacy vulnerability in a specific product or service will only be accepted if it has been responsibly disclosed to the affected entity and that entity has been given time to resolve the issue. Such Requests must be submitted only through the Accellion secure file web form described below and must be accompanied by: (1) a request for confidential treatment of research, and (2) a statement describing how you responsibly disclosed the vulnerability to the entity responsible for the affected product or service.
- Requests will be granted at FTC staff’s sole discretion, based upon an assessment of the quality of the submissions, the relevance of the submissions to the FTC’s work, and the need to cover a diverse range of topics representing a variety of viewpoints.
- Researchers who submit Requests will be notified, if possible, by May 15, 2020, whether they have been selected to present at PrivacyCon.
The deadline for submission was April 10, 2020.
As part of your submission through the web-based form, you must include the following information:
- First and last name, email address, phone number, job title, and affiliation of researcher(s) making the Request;
- A single point of contact for communications with FTC staff.
- The title of the research you propose to present along with an abstract summarizing your methodology, findings, and how your research differs from prior research in this area;
- Publication details for any research that has been previously published or accepted for publication;
- Your completed or draft research paper or extended abstract;
- Any additional information you would like to share (optional); and
- Whether you would like your submission to be kept confidential. Your confidentiality request must identify the specific portions of your submission for which confidential treatment is being requested, and the legal or factual basis for your request. See Commission Rule 4.9(c). If the General Counsel grants your request for confidential treatment, your submission will not be made publicly available, except as required by law. If you do not request confidential treatment of your submission, it may be placed on the FTC’s public record of this matter at www.ftc.gov, including the name and state of the submitter. (The FTC will make reasonable efforts to redact any personal e-mail or home address, phone numbers, or other personal contact information before placing a submission on the public record.)
If You Are Selected to Present*
- If your Request is granted, you must confirm by May 22, 2020, that you will present your research at PrivacyCon 2020 during the presentation slot offered to you. If you do not confirm by this date, FTC staff may offer your slot to someone else.
- You must make yourself available for pre-conference planning calls with FTC staff and discussants.
- You must submit all presentation materials (e.g., slides, if you plan to use them) to the FTC by June 19, 2020.
*NOTE: The FTC does not offer compensation of any kind to presenters or participants in its conferences. In addition, PrivacyCon, including all presentations, will be available to the public via a live-stream and on the FTC’s website in archived video and transcript form.
If You Are Not Selected to Present
We recognize that we likely will receive more high-quality Requests to present research than we have available slots to present research at PrivacyCon. If you are not selected for participation, we may still request permission to post relevant research submissions to our public event website.
Research Completed After PrivacyCon
The FTC welcomes privacy and data security researchers to inform us of their latest findings, especially as they relate to technology that affects the privacy and security of consumers’ sensitive personal information, such as health data. The dialogue between researchers and policymakers must continue after the PrivacyCon event. We invite you to send your research to firstname.lastname@example.org if you are interested in discussing it with us or have further questions.
HHS is charged with implementing provisions in Title IV of the 21st Century Cures Act through rulemaking. The proposed rule issued by the Office of the National Coordinator for Health Information Technology calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help individuals securely and easily access electronic health information using apps. The Centers for Medicare & Medicaid Services (CMS) issued a proposed rule that would similarly create opportunities to make patient data more transferable through open, secure, standardized formats. See Press Release, HHS Proposes New Rules to Improve the Interoperability of Electronic Health Information, Dep’t Health & Human Servs. (Feb. 11, 2019), https://www.hhs.gov/about/news/2019/02/11/hhs-proposes-new-rules-improve-interoperability-electronic-health-information.html (linking to proposed rules).