diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 9d27b6d9..ad171c77 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -1927,12 +1927,13 @@ revealing which one.
 This implies that a spent \note cannot be linked to the \transaction in which it was created. That is, from an adversary's point of view the set of possibilities for a given \note input to a \transaction ---its \noteTraceabilitySet--- includes \emph{all} previous notes that the
-adversary does not control or know to have been spent.\footnote{We make this claim
-only for \emph{fully shielded} \transactions. It does not exclude the possibility
-that an adversary may use metadata-based heuristics such as timing or the number of
-inputs and outputs to make probabilistic inferences about \transaction linkage.
+adversary does not control or know to have been spent.\footnotewithlabel{securitycaveat}{We
+make this claim only for \emph{fully shielded} \transactions. It does not exclude the
+possibility that an adversary may use data present in the cleartext of a \transaction
+such as the number of inputs and outputs, or metadata-based heuristics such as timing,
+to make probabilistic inferences about \transaction linkage.
 For consequences of this in the case of partially shielded \transactions,
-see \cite{Peterson2017} and \cite{Quesnelle2017}.} This contrasts with
+see \cite{Peterson2017}, \cite{Quesnelle2017}, and \cite{KYMM2018}.} This contrasts with
 other proposals for private payment systems, such as CoinJoin \cite{Bitcoin-CoinJoin} or \CryptoNote \cite{vanSaberh2014}, that are based on mixing of a limited number of transactions and that therefore have smaller \noteTraceabilitySets.
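Review bot: The new footnote is introduced with `\footnotewithlabel{securitycaveat}{...}` and the changelog hunk later in this diff refers to it with `\footnoteref{securitycaveat}`, but no definition of either macro appears in the diff; unless they already exist in the preamble, the document will not compile, so the definition should be confirmed or added in this commit. On the wording, the clause `data present in the cleartext of a \transaction such as the number of inputs and outputs, or metadata-based heuristics such as timing,` is easier to parse, and clearly presents both items as examples rather than an exhaustive list, with a comma after the first noun: `the cleartext of a \transaction, such as the number of inputs and outputs, or metadata-based heuristics such as timing,`. The paragraph's opening and closing sentences are context lines whose original wrapping is not recoverable from this rendering.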
@@ -9424,6 +9425,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \item Remove the consensus rule ``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'', which was never implemented.
+ \item Clarify the wording of the caveat\footnoteref{securitycaveat} about the claimed security
+ of shielded \transactions.
 \item Correct the definition of set difference ($S \setminus T$). \sapling{ \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
diff --git a/protocol/zcash.bib b/protocol/zcash.bib
index dd9fdc7c..38212e49 100644
--- a/protocol/zcash.bib
+++ b/protocol/zcash.bib
@@ -902,6 +902,17 @@ generic composition paradigm},
 urldate={2018-04-15}
 }
 
+@misc{KYMM2018,
+ presort={KYMM2018},
+ author={George Kappos and Haaroon Yousaf and Mary Maller and Sarah Meiklejohn},
+ title={An {E}mpirical {A}nalysis of {A}nonymity in {Z}cash},
+ howpublished={Preprint, to be presented at the 27th Usenix Security Syposium
+(Baltimore, Maryland, USA, August~15--17, 2018).},
+ date={2018-05-08},
+ url={https://smeiklej.com/files/usenix18.pdf},
+ urldate={2018-06-05}
+}
+
 @misc{EWD-831,
 presort={EWD-831},
 author={Edsger W. Dijkstra},
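Review bot: The new `howpublished` field in the KYMM2018 entry misspells the venue: `Syposium` should be `Symposium`, and the organisation writes its name as `USENIX`, so the line should read `howpublished={Preprint, to be presented at the 27th USENIX Security Symposium`. The same field describes the work as a preprint `to be presented at` an August 2018 event and will go stale once the paper appears in the proceedings; since the shielded-transaction caveat in protocol.tex now cites this entry, a follow-up to replace the preprint URL with the published version is worth tracking. The blank added line before `@misc{EWD-831,` and the blank context line before `@misc{KYMM2018,` are inferred from the hunk's line counts rather than visible in this rendering.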