PrivacyCon 2018: Call for Presentations

Scope of Research

The FTC is seeking research presentations on consumer privacy and security issues, with a particular focus on the economics driving those issues. We are seeking empirical research and economic frameworks, rather than pure opinion pieces on law and policy, and are particularly interested in the following areas:

  1. Nature and Evolution of Privacy and Security Risks:
    • What new privacy and security issues arise from emerging technologies, such as Internet of Things, artificial intelligence, and virtual reality?
    • What are the greatest threats to consumer privacy today? Has research been conducted to quantify the nature of these threats? Potential threats for discussion include the following:
      • Phishing
      • Business email account takeovers
      • Unpatched software
      • Internet of Things vulnerabilities, including insecure APIs or insecure transmissions
      • Ransomware
      • Distributed Denial of Service attacks
      • Identity theft, including medical identity theft
  2. Quantifying Costs and Benefits of Privacy From a Consumer Perspective
    • How can one quantify the costs and benefits to consumers of keeping data about them private?
      • What are consumers willing to pay, what services are they willing to forgo, or what steps do they take, to ensure data about them remains private, and how does that vary by consumer and across contexts?
      • To what extent are consumers’ preferences contextual? How do consumers’ stated and revealed preferences differ, and why? If consumers make choices in the context of a particular transaction, are those choices effective?
      • Does the sharing of data between businesses that interact with consumers in different contexts influence how much consumers will pay, or the steps they will take, to protect their privacy? If so, how can one account for that effect?
      • How can one quantify the costs and benefits to consumers of individual privacy or data security tools or practices?
      • How can one quantify the costs and benefits to consumers of various information uses?
    • How can one quantify the risk of harm to consumers from exposure of their information?
    • How can one quantify the probability and magnitude of the harm to the consumer from a breach, and how do those vary by type of information breached?
    • How can one apportion harm or risk to particular breaches or practices?
  3. Quantifying Costs and Benefits from a Business Perspective.
    • What are the costs and benefits of implementing security-by-design techniques and other privacy-protective technologies and behaviors?
      • How can one quantify the harms to businesses from a data breach (i.e., what are the costs to businesses of a breach)?
      • How can businesses weigh the costs and benefits of individual security tools or practices?
        • What data exists on the costs and benefits of individual security tools or practices? Can benefits be broken out into reductions in the probability of incidents and reductions in harm in the event of an incident?
        • Assuming a baseline level of security, what is the marginal value of specific tools, such as chip-and-pin for payment cards?
    • What are the most efficient means of protecting consumers’ privacy and security?
    • How can businesses measure the risks of existing vulnerabilities in their systems? How can they conduct risk-assessment and risk-modeling?
    • Have researchers conducted surveys of businesses to determine how they allocate resources to privacy and security?
    • When there are multiple parties to a transaction (e.g., app developers, carriers, operating systems, ad networks), how should responsibility be allocated among them if consumers’ privacy is compromised?
  4. Incentives, Market Failures, and Interventions.
    • What are the incentives for manufacturers and software developers to implement privacy and security by design in their goods or services, and keep security up to date? What could increase the incentives to implement privacy and security by design and keep security up to date?
    • Are there sustained market failures in the area of privacy and data security? For example, are there failures associated with the following:
      • Information asymmetry (i.e., businesses have more information than consumers about how consumer information will be stored and used), which can make it more difficult for consumers to make informed choices about their information;
      • Interdependent security (i.e., the privacy and security practices of one individual or business may expose an entire system to increased risk);
      • Secondary uses that may emerge long after consumers make the initial decision to use a product or service that requires them to share information;
      • Big data analysis, which may allow sensitive inferences to be drawn about consumers based on non-sensitive data; or
      • Difficulty of tying harm or risk to particular technologies, policies, or practices that may make it difficult for companies to assess the value of said particular technologies, policies, or practices
    • Are there examples of market successes in the area of privacy and data security?
    • Are consumer practices and social norms around privacy adapting? How and why?
    • When and how do businesses account for differences among consumers’ preferences regarding privacy and data security?
    • In what contexts do markets deliver more or less privacy protective practices? Why?
    • Are there tools that could help consumers or businesses overcome or mitigate market failures? For example, are there tools that would:
      • Provide consumers with additional insight into how companies use or store their information? or
      • Allow users to exercise additional control over their personal information?
      • If so, what do those tools cost, how would consumers value and use them, and in what contexts?
    • If there are sustained market failures in privacy and data security, what interventions are most appropriately calibrated to address any consumer injury resulting from such failures? For example, when is ex ante regulation superior to ex post enforcement? How would one measure the success of such interventions?

Event Format

  • PrivacyCon will feature sessions during which researchers will deliver 10-minute presentations that will be followed by Q&A and a panel discussion that will discuss the research presented and its relation to privacy and data security policy and law. Researchers’ presentations may be speeches (with or without slides), demonstrations, or a combination of the two. The discussion sessions will be moderated by FTC staff.

Selection Criteria and Review Process

  • Presentations may concern research that has been prepared for, previously presented at, or is under consideration for inclusion in other conferences or publications.
  • Requests must be from researchers to present their own research, completed after January 1, 2016.
  • Requests to make presentations that are substantially promotional or commercial in nature will not be granted.
  • Research exposing a previously unknown security or privacy vulnerability in a specific product or service will only be accepted if it has been responsibly disclosed to the affected entity and that entity has been given time to resolve the issue. Such Requests must be submitted only through the Accellion secure file transfer system described below and must be accompanied by: (1) a request for confidential treatment of research, and (2) a statement describing how you responsibly disclosed the vulnerability to the entity responsible for the affected product or service.
  • Requests will be granted at FTC staff’s sole discretion, based upon an assessment of the quality of the submissions, the relevance of the submissions to the FTC’s work, and the need to cover a diverse range of topics representing a variety of viewpoints.
  • Researchers who submit Requests will be notified, if possible, by December 15, 2017, whether they have been selected to present at PrivacyCon.

Submission Process

Requests to present research (Requests) must be submitted no later than 11:59 p.m. Eastern Time on November 17, 2017.

  • If you would like to request that your submission be kept confidential, you must transmit your submission, together with your confidentiality request, only through our Accellion secure file transfer system. To do so, you must first send an email by no later than 11:59 p.m. Eastern Time on November 10, 2017, to ElectronicFilings@ftc.gov with the subject line “PrivacyCon - Request for Confidential Treatment of Research Submission.” You should receive a reply email within two business days with instructions for the secure electronic submission of encrypted documents using Accellion. We must receive your submission and confidentiality request through Accellion by no later than 11:59 p.m. Eastern Time on November 17, 2017. Your confidentiality request must identify the specific portions of your submission for which confidential treatment is being requested, and the legal or factual basis for your request. See Commission Rule 4.9(c). If the General Counsel grants your request for confidential treatment, your submission will not be made publicly available, except as required by law.
  • All other submissions must be filed at https://ftcpublic.commentworks.com/ftc/privacyconresearch by no later than 11:59 p.m. Eastern Time on November 17, 2017, by following the instructions on the web-based form. Such submissions shall not be treated as confidential, and may be placed on the FTC’s public record of this matter at www.ftc.gov, including the name and state of the submitter. (The FTC will make reasonable efforts to redact any personal e-mail or home address, phone numbers, or other personal contact information before placing a submission on the public record.)
  • Requests to present research (whether accompanied by a request for confidential treatment or not) must include the following information:
    • First and last name, email address, and phone number of researcher(s) making the Request;
    • Title and abstract of the research you propose to present, summarizing your methodology, findings, and how your research differs from prior research in this area;
    • Publication details for any research that has been previously published or accepted for publication;
    • Your completed or draft research paper or extended abstract; and
    • A description of anything you would be interested in demonstrating (optional).

If You Are Selected to Present*

  • If your Request is granted, you must confirm by December 22, 2017, that you will present your research at PrivacyCon 3 during the presentation slot offered to you. If you do not confirm by this date, FTC staff may offer your slot to someone else.
  • You must make yourself available for pre-conference planning calls with FTC staff and discussants.
  • You must submit all presentation materials (e.g., slides, if you plan to use them) to the FTC by February 12, 2018.

*NOTE: The FTC does not offer compensation of any kind to presenters or participants in its conferences. In addition, PrivacyCon, including all presentations, will be available to the public via a live-stream and on the FTC’s website in archived video and transcript form.

If You Are Not Selected to Present

We recognize that, due to the small number of slots to present research, we likely will not be able to grant several high-quality Requests to present research. We will, however, post your research submission – including your name and your state – to our public website if you choose to submit via https://ftcpublic.commentworks.com/ftc/privacyconresearch by the November 17, 2017, deadline.

Research Completed After PrivacyCon

The FTC welcomes privacy and data security researchers to inform us of their latest findings. The dialogue between researchers and policymakers must continue after the PrivacyCon event. We invite you to send in your research to research@ftc.gov if you are interested in discussing your research with us or have further questions.
