History: 1980–present
Abbreviation: IEEE S&P, IEEE SSP
Frequency: Annual
The IEEE Symposium on Security and Privacy, also known as the Oakland Conference, is an annual conference focusing on topics related to computer security and privacy. The conference was founded in 1980 by Stan Ames and George Davida and is considered to be among the top conferences in the field.[1] The conference has a single track and follows a double-blind review process to ensure fairness during peer review.
The conference, initially conceived by researchers Stan Ames and George Davida in 1980 as a small workshop for discussing computer security and privacy, gradually evolved into a larger gathering within the field. Initially held at the Claremont Resort, the first few iterations of the event saw a division between cryptographers and systems security researchers. Discussions during these early iterations focused predominantly on theoretical research and neglected practical implementation considerations. The division persisted to the extent that cryptographers would often leave sessions devoted to systems security topics.[2] In response, subsequent iterations of the conference integrated panels that covered both cryptography and systems security within the same sessions. Over time the conference's attendance grew, leading to a relocation to San Francisco in 2011 because of venue capacity limitations.[3]
The IEEE Symposium on Security and Privacy considers papers on a wide range of topics related to computer security and privacy. Each year the program chairs publish a list of topics of interest, which changes with trends in the field. The conference uses a single-track model for its program, deviating from the multi-track format common in many similar security and privacy conferences. This approach concentrates all sessions into one cohesive track, and submitted papers are reviewed using a double-blind process to ensure fairness.[4] However, the model constrains the number of papers the conference can accept, resulting in a low acceptance rate, often in the single digits, whereas comparable conferences may have rates in the range of 15 to 20 percent. In 2023, the IEEE Symposium on Security and Privacy introduced a Research Ethics Committee that screens submitted papers and flags instances of potential ethical violations.[5]
In 2022, a study by Ananta Soneji et al. showed that the review processes of top security conferences, including the IEEE Symposium on Security and Privacy, were exploitable. The study identified a lack of objective criteria for paper evaluation and a degree of randomness among reviews as the major weaknesses of the peer review process used by these conferences. To remediate this, the researchers recommended mentoring new reviewers with a focus on improving review quality rather than other productivity metrics. They acknowledged an initiative by IEEE S&P that allows PhD students and postdoctoral researchers to shadow reviewers on the program committee, but also pointed to findings from a 2017 report suggesting that these students tended to be more critical in their assessments than experienced reviewers, since they were not graded on review quality.[6]
In 2021, researchers from the University of Minnesota submitted a paper titled "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"[7] to the 42nd iteration of the conference. The paper aimed to highlight weaknesses in the review process for Linux kernel patches, and it was accepted for presentation in 2021. However, the authors' method involved writing patches for existing trivial bugs in the Linux kernel in such a way that they intentionally introduced security bugs into the kernel.[8] This was done without Institutional Review Board (IRB) approval.[9] Although the paper went through the conference's review, this breach of ethical responsibilities was not detected during the review process. The work drew significant criticism from the Linux community and broader cybersecurity circles. Greg Kroah-Hartman, one of the lead maintainers of the kernel, banned both the researchers and the university from making further contributions to the Linux project, which ultimately led the authors and the university to retract the paper and issue an apology to the Linux kernel developer community.[10]