16

I am interested in pursuing an area of computer security that is very likely already being studied by security professionals in industry and perhaps the military as well. Some of it is published, but I imagine some of it could also be unpublished work that companies and the military might not want to share with the public.

I could see my research group independently developing some unpublished techniques that probably are already in use in some form or another by existing companies who don't wish to share those to the public. In this case, is it acceptable for me to publish this as my own research, given that I have no affiliation to the company in question (assuming such a company does exist, which could very well be the case)? If I do publish, can I be in trouble for publishing work which these companies/military don't want the public to be aware of (but which I developed independently)?

2
  • 6
    With differential cryptanalysis that is exactly what happened. The authors of the published work found an older industrial/government algorithm (named DES) surprisingly resistant to the novel technique. Turns out the creators of DES at IBM and NSA already knew of the attack and had prepared for it, but it was secret.
    – lvella
    Commented Jan 8, 2021 at 11:07
  • Before publishing, there is researching. Before researching, there is funding. No money, no research. No research, no affiliation. No affiliation, no money. Yes, you can be the lone wolf researching military secrets ... expect troubles!
    – EarlGrey
    Commented Jan 8, 2021 at 15:50

5 Answers

16

It is fully acceptable to work on, and to publish, results on topics also researched in secret by companies or security agencies. From an academic point of view, there is nothing wrong with that, and neither from the point of view of stealing intellectual property. (But I'm not a lawyer!) Whether those companies or agencies would be unhappy with you publishing some great new technique for breaking cryptosystems - probably not, but unless you believe in conspiracy theories, this is likely not to be an issue. (They might try to hire you, though.)

There have been precedents, e.g., on the best algorithms to factor numbers, or some cryptographic algorithms. (I'd have to dig out references for that.)

10
  • 2
    If OP breaks crypto, that's the one believable real-life scenario for a Jason Bourne-type person-hunt. Many people will want to keep that secret. And, to be honest, with good reason. It is still going to be some time before quantum crypto is going to replace the classical one. What shall we do when all payment over internet has ceased to be safe in one go? Return to the early 90s? Commented Jan 7, 2021 at 19:59
  • 1
    @Captain If the NSA knows how to break RSA, lattice-based crypto, or whatever else, they have for sure been using safe methods for a long time. (Well, even if not, they probably are.) In fact, post-quantum-crypto techniques are available, so everyone should use them.
    – user151413
    Commented Jan 7, 2021 at 20:01
  • 6
    An obvious example is the RSA algorithm; the academic paper was in 1977. GCHQ had discovered this several years before: en.wikipedia.org/wiki/Clifford_Cocks
    – mmmmmm
    Commented Jan 8, 2021 at 9:47
  • @user151413 "post-quantum-crypto" - I am not a crypto expert, and have missed that. It sounds interesting, any reference? Commented Jan 8, 2021 at 15:18
  • 1
    @CaptainEmacs en.wikipedia.org/wiki/Post-quantum_cryptography
    – Bergi
    Commented Jan 8, 2021 at 16:20
9

What can be published is up to the journal editors and reviewers, though in some instances (national security...) the government will step in and put an embargo on publishing.

But the same thing is largely true for such things as trade secret internal things in commerce. As long as you work independently, you can write your papers and submit them. But it is up to others whether they are published.

If something "seems" innovative since all "known" uses are actually unknown then publishers will proceed as usual.

It would, however, probably be a mistake if you try to publish something that you know because of some relationships or employment but that hasn't been revealed publicly. You will probably be talking to a lot of lawyers in that case. Edward Snowden is an extreme case, of course.

9
  • Wait, the government (where?) can embargo that e.g. a private person (say, employee on a private university) can publish in a private journal?
    – user151413
    Commented Jan 7, 2021 at 19:53
  • 3
    Yes, @user151413, they can get a court order preventing the publication of national secrets. Even ones you discover independently. Or at least embargo for a "time" so that compensations can be made. Of course this is more likely in wartime. Don't publish the back door access to the Reaper Drone.
    – Buffy
    Commented Jan 7, 2021 at 20:00
  • I see. Is this US-specific? (In any case, once it is published, it is out there ... )
    – user151413
    Commented Jan 7, 2021 at 20:02
  • See en.wikipedia.org/wiki/News_embargo for one simple example. I would assume that in some "less free" nations it can be much more of an issue. There is a lot that you can't (safely) publish in Thailand, for example.
    – Buffy
    Commented Jan 7, 2021 at 20:07
  • 5
    @user151413 It’s certainly different from country to country, but not specific just to the US (off the top of my head, France and Israel have a strong tradition of embargoing such information; so do non-Democratic states, of course, but that goes without saying). That said, the government can only prevent publication of things they hear about ahead of time. Apart from responsible disclosure you don’t generally have any obligation to let any specific agencies know about your findings, nor do journals. Commented Jan 8, 2021 at 14:13
2

In this case, is it acceptable for me to publish this as my own research?

Absolutely, positively, yes.

And it will indeed be your own research.

There's just a single caveat: The above is true as long as you're just suspecting "Oh, those secret government crypto researchers must surely be considering this too." If you actually got tipped off about their findings, then it's a different story.

If I do publish, can I be in trouble for publishing work which these companies/military don't want the public to be aware of (but which I developed independently)?

Ethically/morally - there is nothing wrong with this at all. On the contrary, it is laudatory, and I encourage you to write up your findings as accessibly to lay readers as you can, and publish not just in some obscure conference, but put your paper up on open-access platforms, and make posts to HackerNews, SlashDot, Reddit, or wherever is relevant.

Materially - the closer your publication is to thwarting concrete, specific commercial/military/governmental initiatives - the more likely it is that there will be some consequences to your publishing your work. That doesn't mean it is actually likely; a paper on breaking cryptographic protocols or devising new ones is probably safe enough though. But if your publication will lead immediately to embarrassing information or criminal behavior being exposed, then you cannot discount the possibility. Just look at what governments are doing to whistle-blowers and journalists these days.

-2

Academically and legally speaking you are all good. But if you suspect that a thing you learned is sensitive in nature, national security type stuff, I would urge you to submit your work to the NSA for prepublication review. https://www.nsa.gov/Resources/Prepublication-Review/

If your work is of concern to them they will likely offer you a very nice salary, and if you like this type of thing you will like working for them. I did.

And if they don't care you are likely to gain valuable feedback.

1
  • 1
    It is immoral to suppress research of interest to the public with the hope of getting bought off by the US government (or any government). -1
    – einpoklum
    Commented Jan 8, 2021 at 22:34
-2

Any academic research ought to consider ethics as part of the decision on whether to conduct or publish results, both in how the research is conducted (e.g. human/animal experimental subjects, personal data, etc.), and the wider social consequences of the results. Techniques that could be used by criminals to more easily commit or get away with crime, terrorists and hostile states to kill people, authoritarian governments to oppress their populations, processes that cause harm to human health or the environment, or to violate human rights of privacy, free speech, right to a fair trial, etc. should be examined to determine whether publication of the results would do more harm than good. Where there are legal limits on the release of defence data (like the Official Secrets Act in the UK), the test is generally on the basis of harm done to the national interest of this sort, and so should already have been considered as part of the academic ethics clearance.

On the question of whether you might get into specific legal difficulty, it depends on what legal jurisdiction you are operating in, and you (or your university ethics committee) should consult a lawyer locally. But if you consider the potential for social harm in your ethics process and act responsibly, you are much less likely to get into trouble with the law. As a rule, (in the jurisdictions I know about) if you have not been explicitly told that something is classified, you are not expected to know, and would not normally be prosecuted for innocently revealing something the military would rather not have revealed. But if it's something that obviously could do a lot of social harm, you could find yourself attracting a lot of unwelcome attention and criticism from the authorities that you and your university would much prefer to avoid. Check your ethics.

1
  • 1
    While I agree that, in general, ethical considerations are part of a decision whether to publish something or not - OP did not suggest there's a specific ethical concern irrespective of the government/other parties already having worked on this secretly. Also, "techniques that could be used by criminals" are practically everything. Certainly anything in cryptography can be used by criminals to commit and get away with crimes or the state to get away with its crimes-with-official-sanction. And half the free software in the world is useful to terrorists/criminals/state forces. etc.
    – einpoklum
    Commented Jan 8, 2021 at 22:33
