PrivacyCon 2018: Student Poster Session Call for Submissions

The Federal Trade Commission recently announced its third PrivacyCon, which will take place on February 28, 2018, and simultaneously issued a call for presentations. Now, in an effort to encourage the next generation of privacy and data security researchers, the FTC announces the PrivacyCon Student Poster Session and issues a call for submissions.

The Student Poster Session will coincide with the third PrivacyCon and be hosted in the conference rooms of the FTC’s Constitution Center, adjacent to the auditorium where PrivacyCon will be presented. PrivacyCon presenters and attendees will be encouraged to view the posters and interact with students during the session and lunch breaks.

The Student Poster Session call for submissions seeks research and input on the same wide range of issues and questions to build on previously presented research and promote discussion, as the PrivacyCon Call for Presentations, including:

• What are the greatest threats to consumer privacy today? What are the costs of mitigating these threats? How are the threats evolving? How does the evolving nature of the threats impact consumer welfare and the costs of mitigation?
• How can companies weigh the costs and benefits of security-by-design techniques and privacy-protective technologies and behaviors? How can companies weigh the costs and benefits of individual tools or practices?
• How can companies assess consumers’ privacy preferences?
• Are there market failures (e.g., information asymmetries or externalities) in the area of privacy and data security? If so, what tools and strategies can businesses or consumers use to overcome or mitigate those failures? How can policymakers address those failures?

The Student Poster Session aims to start conversations between experienced researchers and students who have just begun to focus their studies on the privacy and security implications of emerging technologies (e.g., the Internet of Things, artificial intelligence, and virtual reality), as well as the economics of privacy including how to quantify the harms that result from companies’ failure to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices. See the full list of the areas of research we are seeking.

Submissions for the Student Poster Session must be made by December 15, 2017.

Event Format

The Student Poster Session at PrivacyCon 3 will provide students an opportunity to present and discuss their research and its relation to privacy and data security policy and law. Researchers’ presentations should be accompanied by posters and/or other visual demonstrations.

Selection Criteria and Review Process

• Presentations may concern research that has been prepared for, previously presented at, or is under consideration for inclusion in other conferences or publications.
• Requests must be from researchers to present their own research, completed after January 1, 2017.
• Requests to make presentations that are substantially promotional or commercial in nature will not be granted.
• Requests will be granted at FTC staff’s sole discretion, based upon an assessment of the quality of the submissions, the relevance of the submissions to the FTC’s work, and the need to cover a diverse range of topics representing a variety of viewpoints.
• Presentations that were submitted for consideration to PrivacyCon 3, but not accepted may be invited to participate in the Student Poster Session.
• Researchers who submit Requests will be notified, if possible, by January 19, 2018, whether they have been selected to present at the PrivacyCon Student Poster Session.

Submission Process

• Requests to present research (Requests) must be submitted no later than 11:59 p.m. Eastern Time on December 15, 2017.
• Research exposing a previously unknown security or privacy vulnerability in a specific product or service will only be accepted if it has been responsibly disclosed to the affected entity and that entity has been given time to resolve the issue. Such Requests must be submitted only through the Accellion secure file transfer system described below and must be accompanied by: (1) a request for confidential treatment of research, and (2) a statement describing how you responsibly disclosed the vulnerability to the entity responsible for the affected product or service.
• If you would like to request that your submission be kept confidential, you must transmit your submission, together with your confidentiality request, only through our Accellion secure file transfer system. To do so, you must first send an email by no later than 11:59 p.m. Eastern Time on December 8, 2017, to ElectronicFilings@ftc.gov with the subject line “PrivacyCon - Request for Confidential Treatment of Poster Session Submission.” You should receive a reply email within two business days with instructions for the secure electronic submission of encrypted documents using Accellion. We must receive your submission and confidentiality request through Accellion by no later than 11:59 p.m. Eastern Time on December 15, 2017. Your confidentiality request must identify the specific portions of your submission for which confidential treatment is being requested, and the legal or factual basis for your request. See Commission Rule 4.9(c). If the General Counsel grants your request for confidential treatment, your submission will not be made publicly available, except as required by law.
• All other submissions must be filed at https://ftcpublic.commentworks.com/ftc/privacyconposters by no later than 11:59 p.m. Eastern Time on December 15, 2017, by following the instructions on the web-based form. Such submissions shall not be treated as confidential, and may be placed on the FTC’s public record of this matter at www.ftc.gov, including the name and state of the submitter. (The FTC will make reasonable efforts to redact any personal e-mail or home address, phone numbers, or other personal contact information before placing a submission on the public record.)
• Requests to present research (whether accompanied by a request for confidential treatment or not) must include the following information:
  • First and last name, email address, and phone number of researcher(s) making the Request;
  • Title and abstract of the research you propose to present, summarizing your methodology, findings, and how your research differs from prior research in this area;
  • Publication details for any research that has been previously published or accepted for publication;
  • Your completed or draft research paper or extended abstract; and
  • A description of anything you would be interested in demonstrating (optional).

If You Are Selected to Present*

If your Request is granted, you must confirm by February 2, 2018, that you will present your research at the Student Poster Session of PrivacyCon 3. If you do not confirm by this date, FTC staff may offer your slot to someone else.

*NOTE: The FTC does not offer compensation of any kind to presenters or participants in its conferences.

Research Completed After PrivacyCon

The FTC welcomes privacy and data security researchers to inform us of their latest findings. The dialogue between researchers and policymakers must continue after the PrivacyCon event. We invite you to send in your research to research@ftc.gov if you are interested in discussing your research with us or have further questions.

Questions?

If you have any questions, please contact us at PrivacyConPosters@ftc.gov.

Scope of Research

The FTC is seeking research presentations on consumer privacy and security issues, with a particular focus on the economics driving those issues. We are seeking empirical research and economic frameworks, rather than pure opinion pieces on law and policy, and are particularly interested in the following areas:

1. Nature and Evolution of Privacy and Security Risks:

• What new privacy and security issues arise from emerging technologies, such as Internet of Things, artificial intelligence, and virtual reality?
• What are the greatest threats to consumer privacy today? Has research been conducted to quantify the nature of these threats? Potential threats for discussion include the following:
  • Phishing;
  • Business email account takeovers;
  • Unpatched software;
  • Internet of Things vulnerabilities, including insecure APIs or insecure transmissions;
  • Ransomware;
  • Distributed Denial of Service attacks; or
  • Identity theft, including medical identity theft

2. Quantifying Costs and Benefits of Privacy From a Consumer Perspective

• How can one quantify the costs and benefits to consumers of keeping data about them private?
  • What are consumers willing to pay, or services are they willing to forgo, or what steps do they take, to ensure data about them remains private, and how does that vary by consumer and across contexts?
  • To what extent are consumers’ preferences contextual? How do consumers’ stated and revealed preferences differ, and why? If consumers make choices in the context of a particular transaction, are those choices effective?
  • Does the sharing of data between businesses that interact with consumers in different contexts influence how much consumers will pay, or the steps they will take, to protect their privacy? If so, how can one account for that effect?
  • How can one quantify the costs and benefits to consumers of individual privacy or data security tools or practices?
  • How can one quantify the costs and benefits to consumers of various information uses?
• How can one quantify the risk of harm to consumers from exposure of their information?
• How can one quantify the probability and magnitude of the harm to the consumer from a breach, and how do those vary by type of information breached?
• How can one apportion harm or risk to particular breaches or practices?

3. Quantifying Costs and Benefits from a Business Perspective.

• What are the costs and benefits of implementing security-by-design techniques and other privacy-protective technologies and behaviors?
  • How can one quantify the harms to businesses from a data breach? (i.e., what are the costs to businesses of a breach)
  • How can businesses weigh the costs and benefits of individual security tools or practices?
    • What data exists on the costs and benefits of individual security tools or practices? Can benefits be broken out into reductions in the probability of incidents and reductions in harm in the event of an incident?
    • Assuming a baseline level of security, what is the marginal value of specific tools, such as chip-and-pin for payment cards?
• What are the most efficient means of protecting consumers’ privacy and security?
• How can businesses measure the risks of existing vulnerabilities in their systems? How can they conduct risk-assessment and risk-modeling?
• Have researchers conducted surveys of businesses to determine how they allocate resources to privacy and security?
• When there are multiple parties to a transaction (e.g., app developers, carriers, operating systems, ad networks), how should responsibility be allocated among them if consumers’ privacy is compromised?

4. Incentives, Market Failures, and Interventions

• What are the incentives for manufacturers and software developers to implement privacy and security by design in their goods or services, and keep security up to date? What could increase the incentives to implement privacy and security by design and keep security up-to-date?
• Are there sustained market failures in the area of privacy and data security? For example, are there failures associated with the following:
  • Information asymmetry (i.e., businesses have more information than consumers about how consumer information will be stored and used) can make it more difficult for consumers to make informed choices about their information;
  • Interdependent security (i.e. the privacy and security practices of one individual or business may expose an entire system to increased risk);
  • Secondary uses that may emerge long after consumers make the initial decision to use a product or service that requires them to share information;
  • Big data analysis, which may allow sensitive inferences to be drawn about consumers based on non-sensitive data; or
  • Difficulty of tying harm or risk to particular technologies, policies, or practices that may make it difficult for companies to assess the value of said particular technologies, policies, or practices
• Are there examples of market successes in the area of privacy and data security?
  • Are consumer practices and social norms around privacy adapting? How and why?
  • When and how do businesses account for differences among consumers’ preferences regarding privacy and data security?
  • In what contexts do markets deliver more or less privacy protective practices? Why?
• Are there tools that could help consumers or businesses overcome or mitigate market failures? For example, are there tools that would:
  • Provide consumers with additional insight into how companies use or store their information? or
  • Allow users to exercise additional control over their personal information?
  • If so, what do those tools cost, how would consumers value and use them, and in what contexts?
• If there are sustained market failures in privacy and data security, what interventions are most appropriately calibrated to address any consumer injury resulting from such failures? For example, when is ex ante regulation superior to ex post enforcement? How would one measure the success of such interventions?