Cyber-security Research Ethics Dialog & Strategy Workshop (CREDS 2013)

The Cyber-security Research Ethics Dialog & Strategy (CREDS 2013) was held on May 23, 2013 in San Francisco, CA, co-located with The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013), an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013).

There were workshop registration fees required to attend, as required for IEEE S&P 2013 and SPW 2013.

Co-located with the The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013)
Date: May 23 (Thu), 2013
Place: The Westin St. Francis Hotel, San Francisco, CA, USA

Overview

The future of online trust, innovation & self-regulation is threatened by a widening gap between users. expectations, formed by laws and norms, and the capacity for great benefits and harms generated by technological advances. As this gap widens, so too does ambiguity between asserted rights and threats. How do we close this gap and thereby lower risks, while also instilling trust in online activities? The solution embraces fundamental principles of ethics to guide our decisions in the midst of information uncertainty.

One context where this solution is germinating is cybersecurity research. Commercial and public researchers and policymakers are tackling novel ethical challenges that exert a strong influence for online trust dynamics. These challenges are not exceptional, but increasingly the norm: (i) to understand and develop effective defenses to significant Internet threats, researchers infiltrate malicious botnets; (ii) to understand Internet fraud (phishing) studies require that users are unaware they are being observed in order to ascertain typical behaviors; and (iii) to perform experiments measuring Internet usage and network characteristics that require access to sensitive network traffic.

These research activities are prerequisite for evidence-based policymaking that impacts us individually and collectively, such as infrastructure security, network neutrality, free market competition, spectrum application and broadband deployment, technology transfer, and intellectual property rights. Therefore, in the wake of failures to resolve these mounting tensions, ethics has re-emerged as a crucial ordering force. For this reason, ethics underpins the debate among CS researchers, oversight entities, industrial organizations, the government and end users about what research activity is or is not acceptable.

This workshop is anchored around the theme of "ethics-by-design", and aims to:

Educate participants about underlying ethics principles and applications;
Discuss ethical frameworks and how they are applied across the various stakeholders and respective communities who are involved;
Impart recommendations about how ethical frameworks can be used to inform policymakers in evaluating the ethical underpinning of critical policy decisions;
Explore cybersecurity research ethics techniques, tools, standards and practices so researchers can apply ethical principles within their research methodologies; and
Discuss specific case vignettes and explore the ethical implications of common research acts and omissions.

Agenda

For talks with presenters, the format will be 15 minutes talk time by the presenter, followed by 30 minutes of group dialogue.

May 23 (Thursday)

Place: The Westin St. Francis Hotel, San Francisco, CA

09:00 - 09:15 Welcome, Introductions, Opening Remarks
- Michael Bailey and Erin Kenneally
09:15 - 10:30 Theme A: Brave New World - Ethical Research Amidst Expanding Opportunities
Discussions focused on the lines being drawn between ethical and unethical research in the ICTR community
- Henry Corrigan-Gibbs and Bryan Ford, Ethics of Internet Freedom Promotion - Welcome to the World of Human Rights: Please Make Yourself Uncomfortable
- Sebastian Schrittwieser, Martin Mulazzani and Edgar Weippl, Ethics in Security Research: Which lines should not be crossed?
- John Aycock and John Sullins, Why "No Worse Off" is Worse Off
10:30 - 10:50 break
10:50 - 12:20 Theme B: Checking Our Collective Assumptions- Risks and Benefits at the Frontline of ICT Research
Discussions that highlight evaluating and balancing risks and benefits and finding common ground
- Stefan Savage and Tadayoshi Kohno, Vulnerability Research in the CyberPhysical World
- Mark Allman, Traffic Monitoring Considered Reasonable
- Ty Bross and Jean Camp, I Just Want Your Anonymized Contacts! Benefits and Education in Security & Privacy Research
12:20 - 13:20 lunch
13:20 - 14:35 Theme C: Teaching Researchers to Fish - Tools to Implement Ethics Principles and Applications
Discussions that explore techniques, tools, standards and practices to facilitate the application of ethical principles in practice
- Stuart Schechter, Cristian Bravo-Lillo, Cormac Herley, Serge Egelman and Janice Tsai, You Needn't Build That: Reusable Ethics-Compliance Infrastructure for Human Subjects Research
- Ronen Margulies and Amir Herzberg, Conducting Ethical yet Realistic Usable Security Studies
- Rula Sayaf, James B. Rule and Dave Clarke, Can Users Control their Data in Social Software? An Ethical Analysis of Control Systems
14:35 - 15:00 Theme D: Who's Driving the Train?
Discussions about the shifting roles, responsibilities, and relationships between Researchers, ERBs, Government, Professional Societies, and Program Committees in incentivizing and overseeing ethical research
15:00 - 15:15 break
15:15 - 15:45 Theme D, cont'd.
15:45 - 16:30 Theme E: Seeing the Forest and the Trees
A group discussion exploring the ethical underpinnings of other recent and impactful issues that beckon for policy recommendations
16:30 - 17:00 Wrap-up and Post-Op

Organizing Committee

Co-Chair Michael Bailey, University of Michigan
Co-Chair Erin Kenneally, Cooperative Association of Internet Data Analysis (CAIDA), University of California San Diego; Elchemy