16

I am interested in pursuing an area of computer security that is very likely already being studied by security professionals in industry and perhaps the military as well. Some of it is published, but I imagine some of it could also be unpublished work that companies and the military might not want to share with the public.

I could see my research group independently developing some unpublished techniques that probably are already in use in some form or another by existing companies who don't wish to share those to the public. In this case, is it acceptable for me to publish this as my own research, given that I have no affiliation to the company in question (assuming such a company does exist, which could very well be the case)? If I do publish, can I be in trouble for publishing work which these companies/military don't want the public to be aware of (but which I developed independently)?

user308485
  • 6
    With differential cryptanalysis that is exactly what happened. The authors of the published work found an older industrial/government algorithm (named DES) surprisingly resistant to the novel technique. Turns out the creators of DES at IBM and NSA already knew of the attack and had prepared for it, but it was secret. – lvella Jan 08 '21 at 11:07
  • Before publishing, there is researching. Before researching, there is funding. No money, no research. No research, no affiliation. No affiliation, no money.

    Yes, you can be the lone wolf researching military secrets ... expect troubles!

    – EarlGrey Jan 08 '21 at 15:50

5 Answers

16

It is fully acceptable to work on, and to publish, results on topics also researched in secret by companies or security agencies. From an academic point of view, there is nothing wrong with that, and neither from the point of view of stealing intellectual property. (But I'm not a lawyer!) Whether those companies or agencies would be unhappy with you publishing some great new technique for breaking cryptosystems - probably not, but unless you believe in conspiracy theories, this is likely not to be an issue. (They might try to hire you, though.)

There have been precedents, e.g., on the best algorithms to factor numbers, or some cryptographic algorithms. (I'd have to dig out references for that.)

user151413
  • 2
    If OP breaks crypto, that's the one believable real-life scenario for a Jason Bourne-type person-hunt. Many people will want to keep that secret. And, to be honest, with good reason. It is still going to be some time before quantum crypto is going to replace the classical one. What shall we do when all payment over internet has ceased to be safe in one go? Return to the early 90s? – Captain Emacs Jan 07 '21 at 19:59
  • 1
    @Captain If the NSA knows how to break RSA, lattice-based crypto, or whatever else, they have for sure been using safe methods for a long time. (Well, even if not, they probably are.) In fact, post-quantum-crypto techniques are available, so everyone should use them. – user151413 Jan 07 '21 at 20:01
  • 6
    An obvious example is the RSA algorithm: the academic paper was in 1977. GCHQ had discovered this several years before: https://en.wikipedia.org/wiki/Clifford_Cocks – mmmmmm Jan 08 '21 at 09:47
  • @user151413 "post-quantum-crypto" - I am not a crypto expert, and have missed that. It sounds interesting, any reference? – Captain Emacs Jan 08 '21 at 15:18
  • 1
    @CaptainEmacs https://en.wikipedia.org/wiki/Post-quantum_cryptography – Bergi Jan 08 '21 at 16:20
  • @CaptainEmacs In essence, cryptography which (hopefully) cannot be broken by a quantum computer. – user151413 Jan 08 '21 at 16:26
  • @CaptainEmacs There will most likely be a protracted period of time in the future where quantum computers will be available to anyone who wants one but before we have the technology required for a quantum internet that can transmit qubits between systems secured using quantum cryptography. This requires cryptographic algorithms that can be used by classical computers over the classical internet but which cannot be broken even by a quantum computer. – J... Jan 08 '21 at 20:31
  • @J... I doubt that qbits will ever go through the normal Internet: Transferring them will impose extra constraints on the hardware (phase preservation at least), so it will be more expensive. But post-quantum crypto will happen, and in time before quantum computers become a commodity, so it's not necessary to make the Internet qbit-friendly. – toolforger Jan 09 '21 at 10:45
  • @toolforger Yes, that's exactly what I just said. – J... Jan 09 '21 at 13:03
  • @user151413 The government can classify your research if it deems it in the interests of national security. This would make traditional publication all but impossible. Having said that, this almost never happens. – emory Jan 09 '21 at 19:59
9

What can be published is up to the journal editors and reviewers, though in some instances (national security...) the government will step in and put an embargo on publishing.

But the same thing is largely true for such things as trade secret internal things in commerce. As long as you work independently, you can write your papers and submit them. But it is up to others whether they are published.

If something "seems" innovative since all "known" uses are actually unknown then publishers will proceed as usual.

It would, however, probably be a mistake if you try to publish something that you know because of some relationships or employment but that hasn't been revealed publicly. You will probably be talking to a lot of lawyers in that case. Edward Snowden is an extreme case, of course.

Buffy
  • Wait, the government (where?) can embargo that e.g. a private person (say, employee on a private university) can publish in a private journal? – user151413 Jan 07 '21 at 19:53
  • 3
    Yes, @user151413, they can get a court order preventing the publication of national secrets. Even ones you discover independently. Or at least embargo for a "time" so that compensations can be made. Of course this is more likely in wartime. Don't publish the back door access to the Reaper Drone. – Buffy Jan 07 '21 at 20:00
  • I see. Is this US-specific? (In any case, once it is published, it is out there ... ) – user151413 Jan 07 '21 at 20:02
  • See https://en.wikipedia.org/wiki/News_embargo for one simple example. I would assume that in some "less free" nations it can be much more of an issue. There is a lot that you can't (safely) publish in Thailand, for example. – Buffy Jan 07 '21 at 20:07
  • But if you are working in a field that is important to national security (quantum cryptography...) you probably already know that and know what can and cannot be revealed. – Buffy Jan 07 '21 at 20:10
  • 5
    @user151413 It’s certainly different from country to country, but not specific just to the US (off the top of my head, France and Israel have a strong tradition of embargoing such information; so do non-Democratic states, of course, but that goes without saying). That said, the government can only prevent publication of things they hear about ahead of time. Apart from responsible disclosure you don’t generally have any obligation to let any specific agencies know about your findings, nor do journals. – Konrad Rudolph Jan 08 '21 at 14:13
  • "Don't publish the back door access to the Reaper Drone." Oh I very much like the idea of a European researcher casually dropping a paper about this on the arxiv. I don't see it being illegal from a German perspective. Of course the ways you gained the information might be illegal. –  Jan 08 '21 at 15:49
  • Good point about government embargo on publishing. It's important to publish a draft version in a widely-accessible way before submitting to a venue under government influence, so that the government doesn't get the idea it can suppress the work. – einpoklum Jan 08 '21 at 22:37
  • There's also the notion of "born secret" - if what you create is so potentially dangerous that, even if you do so independently, you can't publish it in an open journal. That's the reason, for instance, that the detailed inner workings of modern thermonuclear weapons are still somewhat fuzzy. – NGTOne Jan 09 '21 at 13:12
2

In this case, is it acceptable for me to publish this as my own research?

Absolutely, positively, yes.

And it will indeed be your own research.

There's just a single caveat: The above is true as long as you're just suspecting "Oh, those secret government crypto researchers must surely be considering this too." If you actually got tipped off about their findings, then it's a different story.

If I do publish, can I be in trouble for publishing work which these companies/military don't want the public to be aware of (but which I developed independently)?

Ethically/morally - there is nothing wrong with this at all. On the contrary, it is laudatory, and I encourage you to write up your findings as accessibly to lay readers as you can, and publish not just in some obscure conference, but put your paper up on open-access platforms, and make posts to HackerNews, SlashDot, Reddit, or wherever is relevant.

Materially - the closer your publication is to thwarting concrete, specific commercial/military/governmental initiatives - the more likely it is that there will be some consequences to your publishing your work. That doesn't mean it is actually likely; a paper on breaking cryptographic protocols or devising new ones is probably safe enough though. But if your publication will lead immediately to embarrassing information or criminal behavior being exposed, then you cannot discount the possibility. Just look at what governments are doing to whistle-blowers and journalists these days.

einpoklum
-2

Academically and legally speaking you are all good. But if you suspect that a thing you learned is sensitive in nature (national security type stuff), I would urge you to submit your work to the NSA for prepublication review: https://www.nsa.gov/Resources/Prepublication-Review/

If your work is of concern to them they will likely offer you a very nice salary, and if you like this type of thing you will like working for them. I did.

And if they don't care you are likely to gain valuable feedback.

  • 1
    It is immoral to suppress research of interest to the public with the hope of getting bought off by the US government (or any government). -1 – einpoklum Jan 08 '21 at 22:34
-2

Any academic research ought to consider ethics as part of the decision on whether to conduct or publish results, both in how the research is conducted (e.g. human/animal experimental subjects, personal data, etc.), and the wider social consequences of the results. Techniques that could be used by criminals to more easily commit or get away with crime, terrorists and hostile states to kill people, authoritarian governments to oppress their populations, processes that cause harm to human health or the environment, or to violate human rights of privacy, free speech, right to a fair trial, etc. should be examined to determine whether publication of the results would do more harm than good. Where there are legal limits on the release of defence data (like the Official Secrets Act in the UK), the test is generally on the basis of harm done to the national interest of this sort, and so should already have been considered as part of the academic ethics clearance.

On the question of whether you might get into specific legal difficulty, it depends on what legal jurisdiction you are operating in, and you (or your university ethics committee) should consult a lawyer locally. But if you consider the potential for social harm in your ethics process and act responsibly, you are much less likely to get into trouble with the law. As a rule, (in the jurisdictions I know about) if you have not been explicitly told that something is classified, you are not expected to know, and would not normally be prosecuted for innocently revealing something the military would rather not have revealed. But if it's something that obviously could do a lot of social harm, you could find yourself attracting a lot of unwelcome attention and criticism from the authorities that you and your university would much prefer to avoid. Check your ethics.

  • 1
    While I agree that, in general, ethical considerations are part of a decision whether to publish something or not - OP did not suggest there's a specific ethical concern irrespective of the government/other parties already having worked on this secretly. Also, "techniques that could be used by criminals" are practically everything. Certainly anything in cryptography can be used by criminals to commit and get away with crimes or the state to get away with its crimes-with-official-sanction. And half the free software in the world is useful to terrorists/criminals/state forces, etc. – einpoklum Jan 08 '21 at 22:33