Cyber-security Research Ethics Dialog & Strategy Workshop (CREDS II - The Sequel)

The 2nd Cyber-security Research Ethics Dialog & Strategy (CREDS II) was held on May 17, 2014 in San Jose, CA, co-located with the 35th IEEE Symposium on Security and Privacy (IEEE S&P), an event of the IEEE CS Security and Privacy Workshops (SPW).

Overview

The future of online trust, innovation & self-regulation is threatened by a widening gap between users' expectations, formed by laws and norms, and the capacity for great benefits and harms generated by technological advances. As this gap widens, so too does ambiguity between asserted rights and threats. How do we close this gap and thereby lower risks, while also instilling trust in online activities? The solution embraces fundamental principles of ethics to guide our decisions in the midst of information uncertainty.

One context where this solution is germinating is cybersecurity research. Commercial and public researchers and policymakers are tackling novel ethical challenges that exert a strong influence for online trust dynamics. These challenges are not exceptional, but increasingly the norm: (i) to understand and develop effective defenses to significant Internet threats, researchers infiltrate malicious botnets; (ii) to understand Internet fraud (phishing) studies require that users are unaware they are being observed in order to ascertain typical behaviors; and (iii) to perform experiments measuring Internet usage and network characteristics that require access to sensitive network traffic.

This workshop anchors off of discussions, themes, and momentum generated from the inaugural CREDS 2013 workshop. Specifically, it targets the shifting roles, responsibilities, and relationships between Researchers, Ethical Review Boards, Government Agencies, Professional Societies, and Program Committees in incentivizing and overseeing ethical research. Its objective is to spawn dialogue and practicable solutions around the following proposition: Building a more effective research ethics culture is a prerequisite for balancing research innovation (i.e., academic freedom, reduced burdens and ambiguities) with public trust (i.e., respect for privacy and confidentiality, accountability, data quality), so we explore the pillars of such a culture as well as the strategies that might be adopted to incorporate them into research operations.

CREDS II invites case studies, research experience and position papers that explore the following questions:

What can we learn from other domains that struggle with ethical issues?
What leadership should be engaged (i.e., institutional, government, peer groups), and what should their respective roles and responsibilities be?
What education and awareness is needed?
What information sharing/coordination needs to be improved: among researchers, among oversight entities, and between researchers and oversight entities?
What knowledge and technology-transfer mechanisms can meet stated needs?

Our goal is to create a set of targeted discussions among relevant stakeholders whose actions impact cyber security research ethics policy and practice, rather than a peer reviewed mini-conference. As such, will be reviewed by the Chairs for content quality and relevance, vetted by the PC for topic suitability an interest, but will not be peer reviewed as a mini-conference might.

How to Participate

Authors are invited to submit abstracts, case studies, or position papers (maximum 5 pages, including the references and appendices) via EasyChair (CREDS 2014). Papers accepted by the workshop will be published in the Conference Proceedings published by IEEE Computer Society Press.

While there are NO formatting requirements for your submissions, any accepted text will need will need to comply with IEEE guidelines for publication (i.e., Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8, dated 2012/12/27).

Costs/Fees: There are workshop registration fees required to attend, as this workshop is co-located with the 35th IEEE Symposium on Security and Privacy (IEEE S&P 2014), an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2014).

Deadlines

Submission deadline	March 15, 2014
Workshop acceptance notification date	March 22, 2014
Final paper submission deadline	April 1, 2014
Workshop date	May 17, 2014 (Saturday)

Agenda

May 17 (Saturday)

Place: The Fairmont, San Jose, CA

07:30 - 08:30 Breakfast
09:00 - 09:15 Welcome, Introductions, Opening Remarks
- Expectation setting for the day
- Brief intros
09:15 - 10:00 Exploring the Pillars of a More Effective Research Ethics Culture
- What education and awareness is needed?
  - "Case Study in Developing Malware Ethics Education", John Sullins (Sonoma State University)
- What information sharing/coordination, and knowledge and technology transfer mechanisms need to be developed or improved to meet ethical needs?
  - "Ethics in Data Sharing - Developing a Model for Best Practice," Sven Dietrich (Stevens Institute of Technology), et al.
10:00 - 10:30 Morning coffee break
10:30 - 12:00 Exploring the Pillars - Community and Leadership
- Ethics and Big Data
  - "Ethical issues in online trust", Robin Wilton (Internet Society)
  - "Ethics in Social Networking," Maritza Johnson (Facebook)
- What leadership should be engaged (i.e., institutional, government, peer groups), and what should their respective roles and responsibilities be?
  - What is the role of Program Committees in ensuring published papers meet standards of ethics?
  - What might the focus and structure of a community-informed "best practices" look like?
12:00 - 13:00 Lunch
13:00 - 14:30 Chairs Session: Exploring the Pillars in Practice
- the growing market of practical controversies where both industry and researchers have a stake (and sometimes even a co-dependency) in the outcomes
  - Botnet takedown (e.g. proxying consent for vulnerable users, account suspension/blocking thresholds and criteria), Paul Vixie (Farsight)
  - Group Discussion
14:30 - 14:45 Closing Remarks

Chairs and Organizers

Co-Chair Michael Bailey, University of Michigan
Co-Chair Erin Kenneally, Cooperative Association of Internet Data Analysis (CAIDA), University of California San Diego