Noah Apthorpe will present his Pre FPO, "Network Privacy and User Protection in the Internet of Things" on Wednesday, December 4, 2019 at 10:30am in CS 402. 

The members of his committee are as follows: Nick Feamster (adviser), Examiners: Ed Felten and Arvind Narayanan; Readers: Jennifer Rexford and Marshini Chetty

Everyone is invited to attend his talk.  The talk abstract follows below.

In this talk, I will present my research combining networks, human-computer interaction, and machine learning to study privacy repercussions of Internet of things (IoT) devices and associated online services. This interdisciplinary approach has provided a unique perspective for measuring privacy issues at scale, protecting users from privacy vulnerabilities, and understanding how privacy norms interact with data collection and regulation.

First, I will demonstrate that passive network observers can easily infer private in-home user activities from IoT network traffic metadata. This is possible because most user interactions with home IoT devices cause noticeable changes in network traffic rates that are detectable with thresholds or machine learning methods. The limited functionality of these devices makes it easy to associate these traffic rate changes with specific user activities. Fixed distribution traffic shaping can efficiently protect IoT devices that tolerate long network latencies or that have relatively constant traffic rates, but devices with more complicated network activity require more sophisticated protections. I will discuss a zero-latency traffic shaping algorithm, “Stochastic Traffic Padding,” that mimics user activity patterns, provides probabilistic limits on adversary inference accuracy, and allows for tuning of privacy protection versus bandwidth overhead.

Next, I will present a survey instrument based on the theory of contextual integrity that allows researchers to measure individual and societal privacy norms at scale. My collaborators and I first applied this survey method to discover home IoT privacy norms of 1,731 U.S. adults, providing recommendations for IoT device manufacturers, regulators, and consumer advocates. We then surveyed 195 U.S. parents, showing that data handling requirements from the Children’s Online Privacy Protection Act (COPPA) generally align with parents’ privacy expectations for IoT toys. However, observed variations in the perceived acceptability of data collection across specific toys, information types, and other conditions emphasize the importance of detailed contextual factors to privacy norms and suggest potential improvements to COPPA.

I will conclude with a summary of my ongoing research and a timeline for the completion of my degree.