Scope of Research
The FTC sought research presentations on consumer privacy and security issues, with a particular focus on the economics driving those issues. We sought empirical research and economic frameworks, rather than pure opinion pieces on law and policy, and were particularly interested in the following areas:
- Nature and Evolution of Privacy and Security Risks:
  - What new privacy and security issues arise from emerging technologies, such as Internet of Things, artificial intelligence, and virtual reality?
  - What are the greatest threats to consumer privacy today? Has research been conducted to quantify the nature of these threats? Potential threats for discussion include the following:
    - Phishing
    - Business email account takeovers
    - Unpatched software
    - Internet of Things vulnerabilities, including insecure APIs or insecure transmissions
    - Ransomware
    - Distributed Denial of Service attacks
    - Identity theft, including medical identity theft
- Quantifying Costs and Benefits of Privacy From a Consumer Perspective
  - How can one quantify the costs and benefits to consumers of keeping data about them private?
  - What are consumers willing to pay, or what services are they willing to forgo, or what steps do they take, to ensure data about them remains private, and how does that vary by consumer and across contexts?
  - To what extent are consumers’ preferences contextual? How do consumers’ stated and revealed preferences differ, and why? If consumers make choices in the context of a particular transaction, are those choices effective?
  - Does the sharing of data between businesses that interact with consumers in different contexts influence how much consumers will pay, or the steps they will take, to protect their privacy? If so, how can one account for that effect?
  - How can one quantify the costs and benefits to consumers of individual privacy or data security tools or practices?
  - How can one quantify the costs and benefits to consumers of various information uses?
  - How can one quantify the risk of harm to consumers from exposure of their information?
  - How can one quantify the probability and magnitude of the harm to the consumer from a breach, and how do those vary by type of information breached?
  - How can one apportion harm or risk to particular breaches or practices?
- Quantifying Costs and Benefits from a Business Perspective.
  - What are the costs and benefits of implementing security-by-design techniques and other privacy-protective technologies and behaviors?
  - How can one quantify the harms to businesses from a data breach, i.e., what are the costs to businesses of a breach?
  - How can businesses weigh the costs and benefits of individual security tools or practices?
  - What data exists on the costs and benefits of individual security tools or practices? Can benefits be broken out into reductions in the probability of incidents and reductions in harm in the event of an incident?
  - Assuming a baseline level of security, what is the marginal value of specific tools, such as chip-and-pin for payment cards?
  - What are the most efficient means of protecting consumers’ privacy and security?
  - How can businesses measure the risks of existing vulnerabilities in their systems? How can they conduct risk-assessment and risk-modeling?
  - Have researchers conducted surveys of businesses to determine how they allocate resources to privacy and security?
  - When there are multiple parties to a transaction (e.g., app developers, carriers, operating systems, ad networks), how should responsibility be allocated among them if consumers’ privacy is compromised?
- Incentives, Market Failures, and Interventions.
  - What are the incentives for manufacturers and software developers to implement privacy and security by design in their goods or services, and keep security up to date? What could increase the incentives to implement privacy and security by design and keep security up to date?
  - Are there sustained market failures in the area of privacy and data security? For example, are there failures associated with the following:
    - Information asymmetry (i.e., businesses have more information than consumers about how consumer information will be stored and used), which can make it more difficult for consumers to make informed choices about their information;
    - Interdependent security (i.e., the privacy and security practices of one individual or business may expose an entire system to increased risk);
    - Secondary uses that may emerge long after consumers make the initial decision to use a product or service that requires them to share information;
    - Big data analysis, which may allow sensitive inferences to be drawn about consumers based on non-sensitive data; or
    - Difficulty of tying harm or risk to particular technologies, policies, or practices, which may make it difficult for companies to assess the value of those technologies, policies, or practices.
  - Are there examples of market successes in the area of privacy and data security?
  - Are consumer practices and social norms around privacy adapting? How and why?
  - When and how do businesses account for differences among consumers’ preferences regarding privacy and data security?
  - In what contexts do markets deliver more or less privacy protective practices? Why?
  - Are there tools that could help consumers or businesses overcome or mitigate market failures? For example, are there tools that would:
    - Provide consumers with additional insight into how companies use or store their information? or
    - Allow users to exercise additional control over their personal information?
  - If so, what do those tools cost, how would consumers value and use them, and in what contexts?
  - If there are sustained market failures in privacy and data security, what interventions are most appropriately calibrated to address any consumer injury resulting from such failures? For example, when is ex ante regulation superior to ex post enforcement? How would one measure the success of such interventions?
Event Format
- PrivacyCon will feature sessions during which researchers will deliver 10-minute presentations, followed by Q&A and a panel discussion of the research presented and its relation to privacy and data security policy and law. Researchers’ presentations may be speeches (with or without slides), demonstrations, or a combination of the two. The discussion sessions will be moderated by FTC staff.
Selection Criteria and Review Process
- Presentations may concern research that has been prepared for, previously presented at, or is under consideration for inclusion in other conferences or publications.
- Requests must be from researchers to present their own research, completed after January 1, 2016.
- Requests to make presentations that are substantially promotional or commercial in nature would not be granted.
- Research exposing a previously unknown security or privacy vulnerability in a specific product or service would only be accepted if it had been responsibly disclosed to the affected entity and that entity has been given time to resolve the issue. Such Requests were required to be submitted only through the Accellion secure file transfer system and accompanied by: (1) a request for confidential treatment of research, and (2) a statement describing how you responsibly disclosed the vulnerability to the entity responsible for the affected product or service.
- Requests would be granted at FTC staff’s sole discretion, based upon an assessment of the quality of the submissions, the relevance of the submissions to the FTC’s work, and the need to cover a diverse range of topics representing a variety of viewpoints.
- Researchers who submitted Requests would be notified, if possible, by December 15, 2017, whether they had been selected to present at PrivacyCon.
If You Have Been Selected to Present*
- If your Request is granted, you must confirm by December 22, 2017, that you will present your research at PrivacyCon 2018 during the presentation slot offered to you. If you do not confirm by this date, FTC staff may offer your slot to someone else.
- You must make yourself available for pre-conference planning calls with FTC staff and discussants.
- You must submit all presentation materials (e.g., slides, if you plan to use them) to the FTC by February 16, 2018.
*NOTE: The FTC does not offer compensation of any kind to presenters or participants in its conferences. In addition, PrivacyCon, including all presentations, will be available to the public via a live-stream and on the FTC’s website in archived video and transcript form.
If You Have Not Been Selected to Present
Due to the small number of slots to present research, we have not been able to grant several high-quality Requests to present research. We have, however, posted your research submission – including your name and your state – to our public website if you chose to submit via https://ftcpublic.commentworks.com/ftc/privacyconresearch by the November 17, 2017, deadline.
Questions?
If you have any questions, please contact us at PrivacyCon@ftc.gov.
Research Completed After PrivacyCon
The FTC welcomes privacy and data security researchers to inform us of their latest findings. The dialogue between researchers and policymakers must continue after the PrivacyCon event. We invite you to send in your research to research@ftc.gov if you are interested in discussing your research with us or have further questions.