Applied Computer Security Associates (ACSA) is the sponsor of events such as the Annual Computer Security Applications Conference (ACSAC), the New Security Paradigms Workshop (NSPW), and other programs, collectively referred to as "subactivities." This policy defines the approach ACSA will take to protect the personally identifiable information (PII) of users of its websites and participants in its applicable subactivities. This policy constitutes a part of the Terms & Conditions of the subactivity Web sites, and governs your use of those sites and your interaction with ACSA and our applicable subactivities.
For the purposes of this policy, the terms "we" and "our" mean ACSA or our applicable subactivities. The terms "you" and "your" mean the user of our web sites and other information systems, to include those who voluntarily choose to participate in our applicable subactivities.
Questions or comments related to this policy may be sent to the ACSA Privacy Coordinator at privacy -at- acsac.org.
We collect, store, process and transmit personally identifiable information (PII) in a manner consistent with the laws of the United States. Further, we employ generally accepted privacy and security principles that we find appropriate in addressing your privacy needs, as well as our mission objectives.
ACSA refers to the Applied Computer Security Associates and its associated events and conferences, which are termed "subactivities."
“Applicable Subactivities” (henceforth “Subactivities”) refers to those ACSA activities that are covered by the policy, and specifically excludes those activities governed by a pre-existing memorandum of understanding (MOU) that would exclude this policy. In particular, ACSAC is covered by this policy, whereas NSPW is excluded due to its preexisting MOU.
"Personally Identifiable Information" (PII) means information that directly identifies you as an individual, except as follows: (1) Information you submit to us, or any of our subactivities, where you supply your name, affiliations, or contact information as you submit materials (e.g., papers, workshops, tutorials, training sessions, case studies, panels, talks), with the intent of publication or public dissemination. (2) PII that has been encrypted or otherwise obfuscated, via reasonable means, so as to prevent the disclosure of PII to unauthorized third-parties.
Relationship to Supplemental Policies
We will not disclose PII collected on our web sites to third parties, except as required by law or as necessary to provide conference, publication, or other services germane to our mission. We may disclose PII to our business partners as necessary to process conference registrations, hotel registrations, online/ecommerce payments and travel related reservations. In the case where we intend to disclose such information, we will publish such intent to disclose on our web site.
We will not use PII for any purposes other than those specifically related to our conferences and subactivities, except as discussed under the section titled "Mailing Lists."
We may share aggregated data, which includes data about you, with third parties. Aggregated User Data does not include PII and is shared for the purposes of determining the attainment of certain benchmarks and other statistical metrics. An example of such data would be overall demographic breakdowns of academic vs. commercial attendees.
We invite users to register for events as part of our mission in the security community. If you choose to register for an event and provide PII during registration, that information may be transferred to the registration contractor (a third-party, under contract to us) for in support of that event. These contractors collect information such as names and mailing addresses that are then shared with conference organizers to allow us to create attendee lists. Although the third-party contractor collects information to process payments, the payment information (such as credit card information) is not shared with us. However, the type of payment being made (whether it was a credit card, versus debit card or wire transfer) may be shared with us. ACSA volunteers and employees do not collect, store, process or transmit your payment information (e.g. credit card information) on personally owned equipment, even in encrypted form.
The names of registrants for our events and activities may be shared with our personnel and volunteers in order to ensure that speakers and other presenters have been registered for the subactivity.
For your convenience, we may provide links to hotel websites that are party to the organization of conference events. When you reserve a hotel room through our room block for a conference (using the link on the activity web site), the hotel may share information such as your name and address with us. We use that information to ensure that attendee's reservations are accounted for in meeting contractual obligations with our contracted hotel. For example, we may use that information to contact you if we see that a reservation has been made as part of the conference block, yet you have not registered for the conference.
Third Party Contractors
We contract with third parties (such as registrar services and hotels) in order to provide conferences and other services (subactivities). We are not responsible for the privacy practices of these third party vendors for contracts signed before the initial adoption of this policy. We work with our contractors to ensure that PII is adequately protected, but cannot state that all contractors are bound by the specific terms and conditions of this policy. You are encouraged to make your own assessment of contractor privacy policies and to alert us to any concerns you might have.
When we host a subactivity in the United States, you may request a visa letter to facilitate your obtaining a visa to attend or present at the activity. We will receive PII from you as part of this request process (for example, passport identification information), and we will provide a letter containing this information, as well as an indication of the level of participation in our activities, to you or to an embassy official designated by you.
We may disclose your PII when we have reason to believe that disclosing such information is necessary to identify, contact or bring legal action against someone who may be causing injury to or is interfering with our other users or anyone else who could be harmed by such activities.
We do not track user activity beyond use of our web sites. In particular, we do not place cookies on your computers unless explicitly indicated, nor do we collect PII as you "surf" (casually visit) our web sites. We do not record your PII unless you choose to identify yourself in communications with us or you voluntarily register for our mailing list or a subactivity. Such communication includes responses to Calls for Submissions or Calls for Participation. We treat such communiqués as PII until acceptances are announced, at which point we assume that permission has been obtained from you to publicly announce your identity as you will be participating in the relevant activity.
When submitting content for consideration as inclusion at one of our activities (for example, submitting a paper for publication), you may have cookies placed on your computer to support use of the submission application, but these cookies do not contain PII.
We may use your IP addresse(s) in order to diagnose problems with our servers, networks, and other IT elements, and to administer our applications.
If you wish to be informed of our activities, you may "opt-in" to be included in our distribution lists by going to http://www.acsac.org and providing the web application with your surface mail address, an electronic address (e-mail), or both. In like manner, you may utilize our web application to remove yourself from the surface mail list, electronic mail list, or both lists. If you participated in one of our activities or were active in the Computer Security community prior to March 2004 (specifically, prior to our implementation of the “opt-in” feature), your participation was treated as an explicit “opt-in” for our surface and electronic mailings. All individuals on the electronic list at the time of conversion were given an opportunity to “opt-in”, but those on the surface mailing list must explicitly “opt-out” if you no longer wish to receive our mailings.
If you agree to support a conference or workshop with ACSA (for example, as a reviewer of submitted papers) or if you make a submission to an ACSA-sponsored conference or workshop, we will consider that action to be an implicit opt-in and we will add your information to our lists (both physical and electronic mail). You may tell us to not to include your information on our lists. You may use our web site to remove your information from our lists.
We do not share PII with non-ACSA activities. We may forward mailings on behalf of third-parties that share the interests of our users. In these cases, we will deliver mailings to you although the content of the mailings was produced by the third-party. Your PII is not provided to these third parties. You may specifically state that you do not wish to receive such mailings via your options on the ACSA web servers. We will honor such requests and will not forward mailings from third-parties when the receipt of such mailings has been declined by you.
We may publish attendee lists for each conference and subactivity event, and the distribution for these lists is to the attendees themselves. We assume that registered attendees wish to have their name, e-mail address, affiliation, and other supplied contact information, included in these attendee lists. If you do not wish to have your information included in our attendee lists, you have the option to limit the publication of your PII by indicating so on your registration form.
While we publish attendee lists only for the use of the participants of any given event, and for our own personnel involved with that event, you should note that we have no control over further forwarding of these lists once they are out of our hands. Thus, such lists may be used by participants for purposes other than those intended by us. Our intent is to allow you to collaborate with other participants.
You may choose whether or not to submit PII while using our services. In some cases, our third parties require your PII in order to meet their obligations to us (such as in the case of hotel registration). In such cases, choosing to not disclose your PII to us may limit your ability to use all of our services.
It is our policy that reasonable, and generally accepted security controls be employed on computers that collect, store, process and transmit your PII. We periodically review and improve our security and privacy policies as necessary. We authorize our internal users to have access to computers that collect, store, process and transmit your PII on a "need to know" basis, based upon the business function of our internal user, and our mission needs. We limit the population of users with access to your PII to the minimum needed in order to accomplish the ACSA mission.
We are a not-for-profit organization and we are supported by the efforts of volunteers. In some cases, volunteers employ their personally-owned computers and other IT resources to support their work with us. This work may include the collection, storage, processing and transmission of your PII, such as your name, physical addresses, and email addresses. We advise volunteers to follow reasonable and generally accepted security practices when handling such information; however, we do not audit the security programs implemented by any given volunteer. We limit the number of volunteers with access to your PII to the minimum needed in order to accomplish our mission objectives.
With the exception of information maintained by us and conference organizers in access controlled areas, no personally identifiable information about you is kept on ACSA servers (such as www.acsac.org).
We understand that many submissions for publication at our subactivities may be the work of more than one author. If you submit work for publication that is the work of more than one author, we assume that you are acting as an authorized agent for all authors of the submission in that you have their authorization to publish their PII, as may be contained in the submission you provide to us. Per professional publication (e.g., IEEE and ACM) standards, publications must be attributed to at least one author, generally with the organizational affiliation of the authors, as well as their contact information.
If you are the person submitting a work for publication, you are required, prior to your submitting any work for consideration for publication, to have obtained the correct name, affiliation, and contact information for all authors, and to have obtained their permission to have such information published in the proceedings (or other publicly distributed publication) of the subactivity, to include inclusion of such information in the digital library of the proceedings publisher, and other summarization and citation services as may manifest themselves on the Internet, as is generally accepted in the venue of academic and professional publication of articles similar to the material that you are submitting.
We limit use of your PII to ways that are compatible with the purposes for which it was collected or subsequently authorized by you. Reasonable steps are taken to ensure that PII is retained only if it is relevant to our mission and that it is kept accurate, complete and current.
Web Site Links
Our web sites contain links to other web sites. We are not responsible for the privacy practices or content of these web sites.
Notification of Changes
We will periodically review and update this policy. Changes to this policy will be posted on the ACSAC web site.