Ethics and Etiquette

Financial Cryptography and Data Security 2024

Twenty-Eighth International Conference
4–8 March 2024
Curacao Marriott Beach Resort
Willemstad, Curaçao

Ethical Considerations for Vulnerability Disclosure (From IEEE S&P)

Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee's sense that a disclosure window of 45 days to 90 days ahead of publication is consistent with authors' ethical obligations.

Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.

The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

It is the responsibility of all paper authors to provide clear evidence that their work follows relevant ethical standards. If a paper raises significant ethical and/or legal concerns, it may be rejected. The PC chairs will consult with authors about how this policy applies to their submissions and may request additional clarifying information about submissions as needed.

Ethical Considerations for Human Subjects Research (From IEEE S&P)

Submissions that describe experiments on human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:

  1. Disclose whether the research received an approval or waiver from each of the authors' institutional ethics review boards (IRB), if applicable.
  2. Discuss steps taken to ensure that participants and others who might have been affected by an experiment were treated ethically and with respect.

If a submission deals with any kind of personally identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified.

Financial Conflicts Policy (adapted from IEEE Security & Privacy)

In the interest of transparency and to help readers form their own judgements of potential bias, authors are required to declare any competing financial and/or non-financial interests in relation to published research. This declaration should accompany publication and is not required at the time of submission and review.

Competing interests are defined as financial or non-financial interests that could directly undermine, or be perceived to undermine, the objectivity and/or integrity of a publication.

Financial competing interests, which must be disclosed, arise when the researchers have a significant relationship with any organization that may gain or lose financially through this publication. Such relationships may include:

  • Research Support: Any support (including salaries, equipment, supplies, or reimbursement of other expenses)
  • Research Assistance: A specific role for an organization in the conceptualization, design, data collection, analysis, decision to publish, or preparation of the manuscript
  • Employment: Recent (while engaged in the research project), present or anticipated employment
  • Personal financial interests:
    • Ownership or contractual interest in stocks or shares of an organization (excluding indirect ownership, for example through diversified mutual funds)
    • Consultation fees or other forms of remuneration (including reimbursements for attending symposia)
    • Patents or patent applications (awarded or pending) filed by the authors or their institutions whose value may be affected by publication. For patents and patent applications, disclosure of the following information is requested: patent applicant (whether author or institution), name of inventor(s), application number, status of application, specific aspect of manuscript covered in patent application.

It is difficult to specify a threshold at which a financial interest becomes significant, but many US universities require faculty members to disclose interests exceeding $10,000 or 5% equity in a company. Any such figure is necessarily arbitrary, so we offer as one possible practical alternative guideline: "Any undeclared competing financial interests that could embarrass you if they became publicly known after your work was published."

Information for authors:

Authors should include a disclosure of relevant financial interests in the camera-ready versions of their papers. This covers not just the standard funding lines but also any financial interest related to the research described. For example:

  • Author X is on the Technical Advisory Board of the ByteCoin Foundation
  • Professor Y is the founder and CTO of DoubleDefense, which specializes in malware analysis
  • Author Z completed this research while interning at Internet Corp, which assisted in the data collection and analysis and approved this manuscript prior to publication.


This conference is organized annually by the International Financial Cryptography Association.