Panel: Debugging Bug Bounties in Cyberspace from Vulnerability Discovery to Algorithmic Harms Redress
with Ryan Ellis, Associate Professor of Communication Studies, Northeastern University, and Affiliate, Data and Society Research Institute, NYC
Camille François, Lecturer, School of International and Public Affairs; Co-lead of the Algorithmic Justice League Community Reporting of Algorithmic System Harms (CRASH) Project
Josh Kenway, Policy Analyst, PayPal; Research Fellow, Algorithmic Justice League
Yuan Stevens, Researcher, Data and Society Research Institute, NYC; Collaborator, Centre for Media, Technology and Democracy, McGill University
Moderated by Matt Goerzen, Researcher, Data and Society Research Institute, NYC
Hosted by Jason Healey, Senior Research Scholar; and Virpratap Singh, Cyber Fellow, Saltzman Institute of War and Peace Studies
Google, the Department of Defense, Starbucks, and hundreds of other companies and organizations now use “Bug Bounty” programs to buy flaws from hackers. Paying hackers to disclose bugs was once radical, now it’s common. Recently, pilot projects from Facebook, Twitter, and others have looked to extend the bounty model to address an expanded set of socio-technical harms. This event launches two reports that examine the state of bug bounty programs and what we can learn from them to address algorithmic harms. One report—Bounty Everything: Hackers and the Making of the Global Bug Marketplace—was written by Ryan Ellis and Yuan Stevens for Data & Society Research Institute and was based on 40+ interviews with bug bounty workers and cybersecurity experts. It examines the rise of bug bounty programs and highlights the risks of relying on vulnerable workers to fix vulnerable systems. The other report—Bug Bounties for Algorithmic Harms? Lessons from Cybersecurity Vulnerability Disclosure for Algorithmic Harms Discovery, Disclosure and Redress—was authored for the Algorithmic Justice League by Josh Kenway and Camille François. It examines the cautionary and constructive design lessons that can be gleaned from bug bounty programs for participatory approaches to the discovery and disclosure of sociotechnical issues, with a focus on flaws in algorithmic systems.
Ryan Ellis is an Associate Professor of Communication Studies at Northeastern University and an affiliate of Data & Society Research Institute. Ryan’s research and teaching focuses on topics related to communication law and policy, infrastructure politics, and cybersecurity. He is the author of Letters, Power Lines, and Other Dangerous Things: The Politics of Infrastructure Security (MIT Press, 2020) and the editor (with Vivek Mohan) of Rewired: Cybersecurity Governance (Wiley, 2019).
Josh Kenway is a policy analyst at PayPal working on corporate governance for technology and cybersecurity and, until mid-2021, was a research fellow with the Algorithmic Justice League where was part of the Community Reporting of Algorithmic System Harms (CRASH) Project. Prior to joining PayPal, Josh was an associate of the Cyber Threat Alliance, a non-profit organization that enables the sharing of information on cyber threats among cybersecurity companies, governments, and civil society organizations. He holds a master’s degree in international policy from Stanford University, where he focused on cybersecurity and digital policy issues, and earned his undergraduate degree in economics and political science at the University of Georgia. Josh has previously published insights on cybersecurity topics in the Stanford International Policy Review and Journal of Cyber Policy, and for organizations including the North Atlantic Treaty Organization (NATO), Third Way, and the Cyber Threat Alliance.
Yuan (“You-anne”) Stevens is a legal and policy expert focused on information security, data protection and human rights. She works towards a world where powerful actors—and the systems they build—are held accountable to the public, especially when it comes to vulnerable or marginalized people. She brings years of international experience to her work as a researcher, having examined the impacts of technology on vulnerable populations in Canada, the US, and Germany. Yuan is a research affiliate at Data & Society Research Institute and collaborator at the Centre for Media, Technology & Democracy at McGill University. She previously worked at Harvard University’s Berkman Klein Center for Internet & Society during her studies in joint degree in civil and common law at McGill University.
Camille Francois is a lecturer at the Columbia School of International and Public Affairs and the co-lead of the Algorithmic Justice League Community Reporting of Algorithmic System Harms (CRASH) Project. Her work spans several aspects of cybersecurity, from developing industry-leading programs focused on protecting vulnerable users to detecting information operations. She was previously Chief Innovation Officer at Graphika, where she built and led a team dedicated to exposing and mitigating information operations across platforms. Prior to that, she served as a Principal Researcher at Google. She has advised governments and parliamentary committees on both sides of the Atlantic and investigated Russian interference in the 2016 U.S. presidential election on behalf of the U.S. Senate Select Intelligence Committee.