With the suicide of Aaron Swartz, and the subsequent #pdftribute protest on Twitter, the movement for Open Access to research literature has gained momentum. As a scientist in the area of security and privacy I feel I should contribute, but wonder how.

I have always self-archived all my publications (except one or two where the publisher explicitly forbid me to do so) on-line. But I feel this is not enough. Back in 2011, Matt Blaze already pledged

[Not to] serve as a program chair, program committee member, editorial board member, referee or reviewer for any conference or journal that does not make its papers freely available on the web or at least allow authors to do so themselves.

Ideally, I would like to pledge the same, or even pledge to publish only in open access venues. However, this would leave me with practically no conference or journal to publish in or to be involved in. Needless to say, this would seriously damage my scientific career.

Few scientific journals or conferences in the area of security and privacy provide open access. USENIX is a notable exception, with high quality conferences like USENIX Security and workshops like HotSec. The Directory of Open Access Journals (DOAJ) lists 21 open access journals for information security. This is probably a lower bound, as it does not list Springer journals like EURASIP Journal on Information Security (published in the SpringerOpen series). None of them are really well known. Publishing fees vary. Many charge no costs, some charge a fee of $500, and I’ve seen Springer charge a whopping $3000 in their Springer Open Choice program (which is different from SpringerOpen).

Given the fact that the Open Access movement exists for more than a decade, it is really surprising the status quo hasn’t significantly changed. For journals one can argue that the journal titles (and hence the brand with the reputation) belong to the publisher. Even when the whole editorial board would resign and found a new journal, it would take years to build a journal with a similar recognised reputation. But in many cases this is not true for conferences. True, the ACM Conference on Computer and Communications Security (CCS) is bound to ACM, as it is organised by SIGSAC. And IEEE Security and Privacy is organised by the IEEE Computer Society’s Technical Committee on Security and Privacy. But many conferences publish their proceedings in Springer’s Lecture Notes of Computer Science (LNCS) series. That may once have stood for something, but that is no longer the case really.

So I wonder: why aren’t all the workshops and conferences that publish their proceedings in the LNCS series not moving to Open Access straight away? The conference is the brand, irrespective of the publisher. I am talking about the main cryptography conferences (CRYPTO, EUROCRYPT etc.) organised by the International Association for Cryptologic Research (IACR), but also ESORICS, or RFIDSec, and many others. (To be fair, the IACR publishes its proceedings in the Springer LNCS series, but release the papers published in their conferences through the IACR archive 3 years after publication.). I have been involved in some of these conferences, and feelĀ  it is time for a change.

So I have a simple question: suppose I was (in the) steering committee of a workshop or conference wishing to publish its proceedings as open access. Which open access publisher or platform should I choose? And why?