Steven Englehardt will present his FPO "Automated discovery of privacy violations on the web" on Friday, 6/29/2018 at 10:00am, 402 Computer Science.  All are welcome to attend.

The members of his committee are as follows: Examiners: Arvind Narayanan (Adviser), Prateek Mittal (ELE),  and Jennifer Rexford; Readers: Ed Felten, Nick Feamster

Abstract follows below.

Tracking protection provided by browsers is often ine↵ective, while solutions based

on voluntary cooperation, such as Do Not Track, haven’t had meaningful adoption.

Knowledgeable users may turn to anti-tracking tools for protection, but we find that

even these more advanced solutions fail to fully protect against the techniques we

study.

In this dissertation, we introduce OpenWPM, a platform we developed for flexible

and modular web measurement. We’ve used OpenWPM to run large-scale studies

leading to the discovery of numerous privacy and security violations across the web

and in emails. These discoveries have curtailed the adoption of tracking techniques,

and have informed policy debates and browser privacy decisions.

In particular, we present novel detection methods and results for persistent tracking

techniques, including: device fingerprinting, cookie syncing, and cookie respawning.

Our findings include sophisticated fingerprinting techniques never before measured

in the wild. We’ve found that nearly every new API is misused by trackers

for fingerprinting. The misuse is often invisible to users and publishers alike, and in

many cases was not anticipated by API designers. We take a critical look at how the

API design process can be changed to prevent such misuse in the future.

We also explore the industry of trackers which use PII-derived identifiers to track

users across devices, and even into the o✏ine world. To measure these techniques,

we develop a novel bait technique, which allows us to spoof the presence of PII on a

large number of sites. We show how trackers exfiltrate the spoofed PII through the

abuse of browser features. We find that PII collection is not limited to the web—the

act of viewing an email also leaks PII to trackers. Overall, about 30% of emails leak

the recipient’s email address to one or more third parties.

Finally, we study the ability of a passive eavesdropper to leverage tracking cookies

for mass surveillance. If two web pages embed the same tracker, then the adversary

can link visits to those pages from the same user even if the user’s IP address varies.

We find that the adversary can reconstruct 62—73% of a typical user’s browsing

history