November 23, 2024

On the NSA's capabilities

Last Thursday brought significant new revelations about the capacities of the National Security Agency. While the articles in the New York Times, ProPublica, and The Guardian skirted around technical specifics, several broad themes came out. NSA has the capacity to read significant amounts of encrypted Internet traffic. NSA has some amount of cooperation from vendors […]

Let's stop Nigerian scams once and for good

A personal friend of mine’s Yahoo account was recently hacked by a Nigerian scammer. I know this because the email I got (“I’m stuck in the Philippines and need you to wire money”) had an IP address in a “Received” header that pointed squarely at Lagos, Nigeria. The modus operandi of these scammers is well […]

Uncertified voting equipment

(Or, why doing the obvious thing to improve voter throughput in Harris County early voting would exacerbate a serious security vulnerability.) I voted today, using one of the many early voting centers in my county. I waited roughly 35 minutes before reaching a voting machine. Roughly 1/3 of the 40 voting machines at the location […]

IEEE blows it on the Security & Privacy copyright agreement

Last June, I wrote about the decision at the business meeting of IEEE Security & Privacy to adopt the USENIX copyright policy, wherein authors grant a right for the conference to publish the paper and warrant that they actually wrote it, but otherwise the work in question is unquestionably the property of the authors. As I recall, there were only two dissenting votes in a room that was otherwise unanimously in favor of the motion.

Fast forward to the present. The IEEE Security & Privacy program committee, on which I served, has notified the authors of which papers have been accepted or rejected. Final camera-ready copies will be due soon, but we’ve got a twist. They’ve published the new license that authors will be expected to sign. Go read it.

The IEEE’s new “experimental delayed-open-access” licensing agreement for IEEE Security & Privacy goes very much against the vote last year of the S&P business meeting, bearing only a superficial resemblance to the USENIX policy we voted to adopt. While both policies give a period of exclusive distribution rights to the conference (12 months for USENIX, 18 months for IEEE), the devil is in the details.

For the IEEE, authors must assign “a temporary joint and undivided ownership right and interest in all copyright rights” to the IEEE, giving the IEEE an exclusive to distribute the paper for 18 months. Thereafter, the license “expires.”

Those quotation marks around “expires” are essential, because there’s language saying “IEEE shall nonetheless retain the sole and exclusive right to archive the Work in perpetuity” which sounds an awful lot to me like they’re saying that the agreement doesn’t actually expire at all. It just moves into a second phase. For contrast, USENIX merely retains a non-exclusive right to continue distributing the paper. That’s an essential difference.

There are some numbered carve-outs in the IEEE contract that seem to allow you to post your manuscript to your personal web page or institutional library page, but not to arXiv or anything else. (What if arXiv were to offer me a “personal home page service?” Unclear how this license would deal with it.) This restriction appears to apply in both the initial 18 month phase and the “in perpetuity” phase.

My conclusion: authors of papers accepted to IEEE Security & Privacy should flatly refuse to sign this. I don’t have a paper of my own that’s appearing this year at S&P, but if I did, I’d send them a signed copy of the USENIX agreement. That’s what the members agreed upon.

Disclosure: I am currently running for the board of directors of the USENIX Association. That’s because I like USENIX. Of all the venues where I publish, USENIX has been the most willing to break with traditional publishing models, and my platform in running for USENIX is to push this even further. Getting ACM and IEEE caught up to USENIX is a separate battle.

Tinkering with the IEEE and ACM copyright policies

It’s historically been the case that papers published in an IEEE or ACM conference or journal must have their copyrights assigned to the IEEE or ACM, respectively. Most of us were happy with this sort of arrangement, but the new IEEE policy seems to apply more restrictions on this process. Matt Blaze blogged about this issue in particular detail.

The IEEE policy and the comparable ACM policy appear to be focused on creating revenue opportunities for these professional societies. Hypothetically, that income should result in cost savings elsewhere (e.g., lower conference registration fees) or in higher quality member services (e.g., paying the expenses of conference program committee members to attend meetings). In practice, neither of these are true. Regardless, our professional societies work hard to keep a paywall between our papers and their readership. Is this sort of behavior in our best interests? Not really.

What benefits the author of an academic paper? In a word, impact. Papers that are more widely read are more widely influential. Furthermore, widely read papers are more widely cited; citation counts are explicitly considered in hiring, promotion, and tenure cases. Anything that gets in the way of a paper’s impact is something that damages our careers and it’s something we need to fix.

There are three common solutions. First, we ignore the rules and post copies of our work on our personal, laboratory, and/or departmental web pages. Virtually any paper written in the past ten years can be found online, without cost, and conveniently cataloged by sites like Google Scholar. Second, some authors I’ve spoken to will significantly edit the copyright assignment forms before submitting them. Nobody apparently ever notices this. Third, some professional societies, notably the USENIX Association, have changed their rules. The USENIX policy completely inverts the relationship between author and publisher. Authors grant USENIX certain limited and reasonable rights, while the authors retain copyright over their work. USENIX then posts all the papers on its web site, free of charge; authors are free to do the same on their own web sites.

(USENIX ensures that every conference proceedings has a proper ISBN number. Every USENIX paper is just as “published” as a paper in any other conference, even though printed proceedings are long gone.)

Somehow, the sky hasn’t fallen. So far as I know, the USENIX Association’s finances still work just fine. Perhaps it’s marginally more expensive to attend a USENIX conference, but then the service level is also much higher. The USENIX professional staff do things that are normally handled by volunteer labor at other conferences.

This brings me to the vote we had last week at the IEEE Symposium on Security and Privacy (the “Oakland” conference) during the business meeting. We had an unusually high attendance (perhaps 150 out of 400 attendees) as there were a variety of important topics under discussion. We spent maybe 15 minutes talking about the IEEE’s copyright policy and the resolution before the room was should we reject the IEEE copyright policy and adopt the USENIX policy? Ultimately, there were two “no” votes and everybody else voted “yes.” That’s an overwhelming statement.

The question is what happens next. I’m planning to attend ACM CCS this October in Chicago and I expect we can have a similar vote there. I hope similar votes can happen at other IEEE and ACM conferences. Get it on the agenda of your business meetings. Vote early and vote often! I certainly hope the IEEE and ACM agree to follow the will of their membership. If the leadership don’t follow the membership, then we’ve got some more interesting problems that we’ll need to solve.

Sidebar: ACM and IEEE make money by reselling our work, particularly with institutional subscriptions to university libraries and large companies. As an ACM or IEEE member, you also get access to some, but not all, of the online library contents. If you make everything free (as in free beer), removing that revenue source, then you’ve got a budget hole to fill. While I’m no budget wizard, it would make sense for our conference registration fees to support the archival online storage of our papers. Add in some online advertising (example: startup companies, hungry to hire engineers with specialized talents, would pay serious fees for advertisements adjacent to research papers in the relevant areas), and I’ll bet everything would work out just fine.