June 25, 2017

IEEE blows it on the Security & Privacy copyright agreement

Last June, I wrote about the decision at the business meeting of IEEE Security & Privacy to adopt the USENIX copyright policy, wherein authors grant a right for the conference to publish the paper and warrant that they actually wrote it, but otherwise the work in question is unquestionably the property of the authors. As I recall, there were only two dissenting votes in a room that was otherwise unanimously in favor of the motion.

Fast forward to the present. The IEEE Security & Privacy program committee, on which I served, has notified the authors of which papers have been accepted or rejected. Final camera-ready copies will be due soon, but we’ve got a twist. They’ve published the new license that authors will be expected to sign. Go read it.

The IEEE’s new “experimental delayed-open-access” licensing agreement for IEEE Security & Privacy goes very much against the vote last year of the S&P business meeting, bearing only a superficial resemblance to the USENIX policy we voted to adopt. While both policies give a period of exclusive distribution rights to the conference (12 months for USENIX, 18 months for IEEE), the devil is in the details.

For the IEEE, authors must assign “a temporary joint and undivided ownership right and interest in all copyright rights” to the IEEE, giving the IEEE an exclusive right to distribute the paper for 18 months. Thereafter, the license “expires.”

Those quotation marks around “expires” are essential, because there’s language saying “IEEE shall nonetheless retain the sole and exclusive right to archive the Work in perpetuity” which sounds an awful lot to me like they’re saying that the agreement doesn’t actually expire at all. It just moves into a second phase. For contrast, USENIX merely retains a non-exclusive right to continue distributing the paper. That’s an essential difference.

There are some numbered carve-outs in the IEEE contract that seem to allow you to post your manuscript to your personal web page or institutional library page, but not to arXiv or anything else. (What if arXiv were to offer me a “personal home page service?” Unclear how this license would deal with it.) This restriction appears to apply in both the initial 18-month phase and the “in perpetuity” phase.

My conclusion: authors of papers accepted to IEEE Security & Privacy should flatly refuse to sign this. I don’t have a paper of my own that’s appearing this year at S&P, but if I did, I’d send them a signed copy of the USENIX agreement. That’s what the members agreed upon.

Disclosure: I am currently running for the board of directors of the USENIX Association. That’s because I like USENIX. Of all the venues where I publish, USENIX has been the most willing to break with traditional publishing models, and my platform in running for USENIX is to push this even further. Getting ACM and IEEE caught up to USENIX is a separate battle.


  1. There are some numbered carve-outs in the IEEE contract that seem to allow you to post your manuscript to your personal web page or institutional library page

    Note that this carve-out applies only to the submitted version. If you revise the manuscript before publication (such as to address reviewer comments), you are prohibited from distributing the revised version until the end of 2013.

    I was also a member of this year’s program committee, and I find it unacceptable that our contributions as reviewers will be suppressed like this. I’m certainly not going to review for IEEE again until the policy is changed.

  2. The IEEE signature line in the contract is filled in with the name of Evan M. Butterfield, Director of Products & Services. Mr. Butterfield might be a logical person to whom to address feedback on the agreement. Perhaps he can even be enticed to comment on this post–I’m curious how IEEE defends this policy.

    IEEE’s executive staff page helpfully provides his contact information:

    IEEE Computer Society
    10662 Los Vaqueros Circle
    Los Alamitos, CA 90720-1314 USA
    (O) +1 714 821 8380
    (Direct) +1 714 816 2165
    (F) +1 714 821 4010

  3. David Wagner says:

    Thanks for pointing to this, Dan. This is unfortunate.

    I would encourage members of the community who have opinions on this subject, one way or another, to contact the S&P leadership and let them know how you feel about it. You might start by contacting the TC chair, Sven Dietrich, tcchair [at] ieee-security.org. You can find the full list of officers here:


  4. Candice Hoke says:

    Dan, thanks for pointing out the problems with the IEEE proposed contract.

    In addition to writing a protest to the IEEE officers and executives, and authors declining to sign the new policy, I’d like to underscore a point from the anonymous commenter dated 2/11: all who are invited to serve on a program committee to review papers should decline to do so until this policy is modified to bring it in line with USENIX’s.

    Dan points out that the IEEE Security & Privacy program committee had already decided to adopt the USENIX approach. This stance should have been implemented rather than ignored.

  5. Patrick McDaniel says:

    Here is a blog with a detailed description of the policy: