January 16, 2017

CITP Call for Visitors and Affiliates for 2017-18

The Center for Information Technology Policy is an interdisciplinary research center at Princeton that sits at the crossroads of engineering, the social sciences, law, and policy.

We are seeking applicants for various residential visiting positions and for non-residential affiliates. For more information about these positions, please see our general information page and yearly call for applications and our lists of current and past visitors.

We are happy to hear from anyone working at the intersection of digital technology and public life, including experts in computer science, sociology, economics, law, political science, public policy, information studies, communication, and other related disciplines.

We have a particular interest this year in candidates working on issues related to Interconnection, the Internet of Things (IoT), and the ethics of big data and algorithms.


All visitors must apply online through the Jobs at Princeton site. There are three job postings for CITP visitors: 1) the Microsoft Visiting Professor of Information Technology Policy, 2) Visiting IT Policy Fellow, and 3) IT Policy Researcher.

A Visiting IT Policy Fellow is on leave from a full-time position (for example, a professor on sabbatical); an IT Policy Researcher will have Princeton University as the primary affiliation during the visit to CITP (for example, a postdoctoral researcher or a professional visiting for a year between jobs). As such, applicants should apply to only one of the Visiting IT Policy Fellow position or the IT Policy Researcher position as appropriate; applicants to either position may also apply to be the Microsoft Visiting Professor.
For all visitors, we are happy to hear from anyone working at the intersection of digital technology and public life, including experts in computer science, sociology, economics, law, political science, public policy, information studies, communication, and other related disciplines.

Applicants should submit a current curriculum vitae, a research plan (including a description of potential courses to be taught if applying for the Visiting Professorship), and a cover letter describing background, interest in the program, and any funding support for the visit. CITP has secured limited resources from a range of sources to support visitors. However, many of our visitors are on paid sabbatical from their own institutions or otherwise provide some or all of their own outside funding.

Microsoft Visiting Professor of Information Technology Policy

The successful applicant must possess at least a bachelor’s degree and will be appointed to a ten-month term, beginning September 1st, with the possibility of renewal for a second year. The Visiting Professor must teach one course in technology policy per academic year. Preference will be given to current or past professors in related fields and to nationally or internationally recognized experts in technology policy.

The application process for the Microsoft Visiting Professor of Information Technology position is generally open from November through the end of January for the upcoming year.

To apply to become the Microsoft Visiting Professor, please go to Jobs at Princeton, click on “Search Open Positions,” and enter requisition number 1600994.

Visiting IT Policy Fellow; IT Policy Researcher

The successful applicant must possess an advanced degree and typically will be appointed to a nine- to twelve-month term, beginning September 1st. These visitors may teach a seminar if desired, subject to the approval of the Dean of the Faculty. We encourage candidates at all levels to apply.

As noted above, candidates should apply to either the Visiting IT Policy Fellow position (if they will be on leave from a full-time position) or the IT Policy Researcher position (if not). Please do not apply to both listings.

Full consideration for the Visiting IT Policy Fellow and IT Policy Researcher positions is given to those who apply from November through the end of January for the upcoming year.

To apply to become a Visiting IT Policy Fellow, please go to Jobs at Princeton, click on “Search Open Positions,” and enter requisition number 1600996.

To apply to become an IT Policy Researcher, enter requisition number 1600995.

Princeton University is an Equal Opportunity/Affirmative Action employer and all qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity or expression, national origin, disability status, protected veteran status, or any other characteristic protected by law.

All offers and appointments are subject to review and approval by the Dean of the Faculty.


Technology policy researchers and experts who wish to have an affiliation with CITP, but cannot be in residence in Princeton, may apply to become a CITP Affiliate. The affiliation typically will last for two years. Affiliates do not have any formal appointment at Princeton University.

Applicants should email applications to between November and the end of January for affiliations beginning the following academic year. Please send a current curriculum vitae and a cover letter describing background and interest in the program.

New Workshop on Technology and Consumer Protection

[Joe Calandrino is a veteran of Freedom to Tinker and CITP. As long time readers will remember,  he did his Ph.D. here, advised by Ed Felten. He recently joined the FTC as research director of OTech, the Office of Technology Research and Investigation. Today we have an exciting announcement. — Arvind Narayanan.]

Arvind Narayanan and I are thrilled to announce a new Workshop on Technology and Consumer Protection (ConPro ’17) to be co-hosted with the IEEE Symposium on Security and Privacy (Oakland) in May 2017:

Advances in technology come with countless benefits for society, but these advances sometimes introduce new risks as well. Various characteristics of technology, including its increasing complexity, may present novel challenges in understanding its impact and addressing its risks. Regulatory agencies have broad jurisdiction to protect consumers against certain harmful practices (typically called “deceptive and unfair” practices in the United States), but sophisticated technical analysis may be necessary to assess practices, risks, and more. Moreover, consumer protection covers an incredibly broad range of issues, from substantiation of claims that a smartphone app provides advertised health benefits to the adequacy of practices for securing sensitive customer data.

The Workshop on Technology and Consumer Protection (ConPro ’17) will explore computer science topics with an impact on consumers. This workshop has a strong security and privacy slant, with an overall focus on ways in which computer science can prevent, detect, or address the potential for technology to deceive or unfairly harm consumers. Attendees will skew towards academic and industry researchers but will include researchers from government agencies with a consumer protection mission, including the Federal Trade Commission—the U.S. government’s primary consumer protection body. Research advances presented at the workshop may help improve the lives of consumers, and discussions at the event may help researchers understand how their work can best promote consumer welfare given laws and norms surrounding consumer protection.

We have an outstanding program committee representing an incredibly wide range of computer science disciplines—from security, privacy, and e-crime to usability and algorithmic fairness—and touching on fields across the social sciences. The workshop will be an opportunity for these different disciplinary perspectives to contribute to a shared goal. Our call for papers discusses relevant topics, and we encourage anyone conducting research in these areas to submit their work by the January 10 deadline.

Computer science research—and computer security research in particular—excels at advancing innovative technical strategies to mitigate potential negative effects of digital technologies on society, but measures beyond strictly technical fixes also exist to protect consumers. How can our research goals, methods, and tools best complement laws, regulations, and enforcement? We hope this workshop will provide an excellent opportunity for computer scientists to consider these questions and find even better ways for our field to serve society.

The Effects of the Forthcoming FCC Privacy Rules on Internet Security

Last week, the Federal Communications Commission (FCC) announced new privacy rules that govern how Internet service providers can share information about consumers with third parties.  One focus of this rulemaking has been on the use and sharing of so-called “Consumer Proprietary Network Information (CPNI)”—information about subscribers—for advertising. The Center for Information Technology Policy and the Center for Democracy and Technology jointly hosted a panel exploring this topic last May, and I have previously written on certain aspects of this issue, including what ISPs might be able to infer about user behavior, even if network traffic were encrypted.

Although the forthcoming rulemaking targets the collection, use, and sharing of customer data with “third parties”, an important—and oft-forgotten—facet of this discussion is that (1) ISPs rely on the collection, use, and sharing of CPNI to operate and secure their networks and (2) network researchers (myself included) rely on this data to conduct our research.  As one example of our work that is discussed today in the Wall Street Journal, we used DNS domain registration data to identify cybercriminals before they launch attacks. Performing this research required access to all .com domain registrations. We have also developed algorithms that detect the misuse of DNS domain names by analyzing the DNS lookups themselves. We have also worked with ISPs to explore the relationship between Internet speeds and usage, which required access to byte-level usage data from individual customers. ISPs also rely on third parties, including Verisign and Arbor Networks, to detect and mitigating attacks; network equipment vendors also use traffic traces from ISPs to test new products and protocols. In summary, although the goal of the FCC’s rulemaking is to protect the use of consumer data, the rulemaking could have had unintended negative consequences for the stability and security of the Internet, as well as for Internet innovation.

In response to the potential negative effects this rule could have created for Internet security and networking researchers, I filed comment with the FCC highlighting how network operators researchers depend on data to keep the network operating well, to keep it secure, and to foster continued innovation.  My comment in May highlights the type of data that Internet service providers (ISPs) collect, how they use it for operational and research purposes, and potential privacy concerns with each of these datasets.  In my comment, I exhaustively enumerate the types of data that ISPs collect; the following data types are particularly interesting because ISPs and researchers rely on them heavily, yet they also introduce certain privacy concerns:

  • IPFIX (“NetFlow”) data, which is the Internet traffic equivalent of call data records. IPFIX data is collected at a router and contains statistics about each traffic flow that traverses the router. It contains information about the “metadata” of each flow (e.g., the source and destination IP address, the start and end time of the flow). This data doesn’t contain “payload” information, but as previous research on information like telephone metadata has shown, a lot can be learned about a user from this kind of information. Nonetheless, this data has been used in research and security for many purposes, including (among other things) detecting botnets and denial of service attacks.
  • DNS Query data, which contains information about the domain names that each IP address (i.e., customer) is looking up (i.e., from a Web browser, from an IoT device, etc.). DNS query data can be highly revealing, as we have shown in previous work. Yet, at the same time, DNS query data is also incredibly valuable for detecting Internet abuse, including botnets and malware.

Over the summer, I gave a follow-up a presentation and filed follow-up comments (several of which were jointly authored with members of the networking and security research community) to help draw attention to how much Internet research depends on access to this type of data.  In early August, a group of us filed a comment with proposed wording for the upcoming rule. In this comment, we delineated the types of work that should be exempt from the upcoming rules. We argue that research should be exempt from the rulemaking if the research: (1) aims to promote security, stability, and reliability of networks, (2) does not have the end-goal of violating user privacy; (3) has benefits that outweigh the privacy risks; (4) takes steps to mitigate privacy risks; (5) would be enhanced by access to the ISP data.  In delineating this type of research, our goal was to explicitly “carve out” researchers at universities and research labs without opening a loophole for third-party advertisers.

Of course, the exception notwithstanding, researchers also should be mindful of user privacy when conducting research. Just because a researcher is “allowed” to receive a particular data trace from an ISP does not mean that such data should be shared. For example, much network and security research is possible with de-identified network traffic data (e.g., data with anonymized IP addresses), or without packet “payloads” (i.e., the kind of traffic data collected with Deep Packet Inspection). Researchers and ISPs should always take care to apply data minimization techniques that limit the disclosure of private information to only the granularity that is necessary to perform the research. Various practices for minimization exist, such as hashing or removing IP addresses, aggregating statistics over longer time windows, and so forth. The network and security research communities should continue developing norms and standard practices for deciding when, how, and to what degree private data from ISPs can be minimized when it is shared.

The FCC, ISPs, customers, and researchers should all care about the security, operation, and performance of the Internet.  Achieving these goals often involves sharing customer data with third-parties, such as the network and security research community. As a member of the research community, I am looking forward to reading the text of the rule, which, if our comments are incorporated, will help preserve both customer privacy and the research that keeps the Internet secure and performing well.