Computer Laboratory

Cambridge Cybercrime Centre: Guide for data suppliers

This page is a guide for companies and other organisations who are considering supplying datasets to the Cybercrime Centre. You will also need to read the agreement itself.

You may also find it helpful to read the 'Guide for data recipients' and the agreement that researchers are required to sign.

What is the purpose of this agreement?

The Cybercrime Centre is committed to promoting high-quality, reproducible cybercrime research. This 'inbound' agreement, in combination with 'outbound' agreements signed by cybercrime researchers, ensures that access to any data you supply is exclusively for research purposes and that all researchers are bound by conditions protecting your interests and those of individuals who might be implicated in the data.

What does it say?

The agreement is three pages. This guide is not a substitute for reading it, nor does it change what it means. Follow-up questions are always welcome.

Why can't I give data directly to researchers?

You can. However, the Centre is offering a single agreement and gateway, with conditions designed to match and strongly protect the interests of suppliers, as well as undertaking the effort to liaise with interested researchers.

How do I know data won't go to the wrong place?

We will perform due diligence on institutions and individual researchers to ensure they are legitimate researchers. All researchers must define a project involving cybercrime research and analysis, and their access to the data is restricted to working on that project. Contractual requirements of security and privacy are placed on all researchers. Researchers are never permitted to reverse engineer the source of the data or use it for any commercial purpose.

Will I find out how the data is used?

Research always aims towards publication. Disseminating data and promoting publications are our top priorities. This makes clauses #3 and #6 particularly vital to the Centre's work. We have required that all results be accessible in open access formats in order to address the needs of data suppliers, and we will use our best efforts to let you know as soon as new research that uses your data is published.

What is the role of the Cybercrime Centre?

We aim to stimulate responsible, trusted data sharing that leads to high-quality, reproducible, research results. We catalogue, clean and generate some derived data from supplied data, provide access to legitimate researchers, and ensure that the letter and spirit of the data sharing agreements are satisfied.

Will I be identified as a data supplier?

We recognise that different suppliers have different motivations in engaging with researchers. If you would like to be identified, either as a general supplier, or as a named supplier of particular datasets, we would be happy to accommodate. Equally, we would be happy to ensure that your identity is never passed to researchers, and that they are prohibited from revealing it, even if (against contractual terms) they could reverse engineer your identity.

How long does the agreement last?

Naturally, you can stop supplying data at any time. The Centre will continue to process data that you have provided historically, to ensure that ongoing research is not disrupted, and to address the need for results to be reproducible and verifiable.

What data security and privacy measures are required?

As cybercrime researchers, we are acutely aware of the need for best practice in our security and privacy systems and practices. Conditions #7 and #8 of both agreements address this necessity.

I do not want my data to be open.

The data that you provide will never become open data. The aim is to facilitate access to trusted third parties, but not to allow access to criminals, your client companies or to your competitors.

Will law enforcement have access to the data?

We do not expect, and it would not make sense, for law enforcement to contact licensees and sub-licensees of datasets, rather than the original suppliers. Nevertheless, if this does happen, we have asked researchers to contact us immediately, and we will contact you.

I do not like clause #X. Can I change it?

Talk to us about your concerns and we will find a solution.

I want to use my agreement rather than yours.

This may slow things down, but in principle there is no difficulty with this, provided that we can still redistribute the data for research. Note that we have drafted the agreement based on previous contracts where commercial data suppliers have allowed us to work on datasets on an individual basis so it should be broadly the same as your own agreement already -- we have strived to protect your rights at every stage.

Formal "incoming" agreement:

Guide for data recipients: https://www.cambridgecybercrime/outGuide.html

Legal overview: