Proactive Prevention of Harm
We expect authors to carefully consider and address the potential harms associated with carrying out their research, as well as the potential negative consequences that could stem from publishing their work. Failure to adequately discuss such potential harms within the body of the submission may result in rejection of a submission, regardless of its quality and scientific value.
Although risking harm is sometimes a necessary and legitimate aspect of scientific research in computer security and privacy, authors are expected to document how they addressed and mitigated such risks. This includes, but is not limited to, considering the impact of the research on deployed systems, understanding the costs the research imposes on others, safely and appropriately collecting data, and following responsible disclosure practices. Papers should include a clear statement as to how the benefit of the research outweighs the potential harms, and how the authors have taken measures and followed best practices to ensure safety and minimize the potential harms caused by their research.
If the submitted research has potential to cause harm, and authors have access to an Institutional Review Board (IRB), we expect that this IRB was consulted appropriately and that its approval and recommendations are documented in the paper. We note that IRBs are not necessarily well-versed in computer security research and may not know the best practices and community norms in our field, so IRB approval does not absolve researchers from considering ethical aspects of their work. In particular, IRB approval is not sufficient to guarantee that the PC will not have additional concerns with respect to harms associated with the research.
We encourage authors to consult existing documentation, e.g., "Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them" or the Menlo Report, and existing safety consultation entities, e.g., the Tor Safety Research Board. These can help in thinking about potential harms, and in designing the safest experiments and disclosure processes.