Steven Engelhardt will present his Pre-FPO "Automated discovery of privacy violations on 1 million websites" on January 3, 2018 at 10am in CS 302

Steven Engelhardt will present his Pre-FPO "Automated discovery of privacy violations on 1 million websites" on January 3, 2018 at 10am in CS 302.

The members of his committee follow below.

Committee members: Arvind Narayanan (adviser); readers: Ed Felten and Nick Feamster; nonreaders: Jen Rexford and Prateek Mittal.

Everyone is invited to attend his talk. The talk title and abstract follow below.

Title: Automated discovery of privacy violations on 1 million websites

Abstract:

Online tracking is increasingly invasive. Gone are the days where a user can "reset" their online profile by clearing their browser's cookies. Instead, users face persistent, cross-device tracking which blends their offline activity with their online behavior. Tracking protection provided by browsers is often ineffective and circumventable, while solutions based on voluntary cooperation, such as Do Not Track, haven’t had meaningful adoption. Knowledgeable users may turn to anti-tracking tools and ad-blockers for protection, but we find that even these more advanced solutions fail to fully protect against the techniques we study.

In this talk, I will present OpenWPM, a platform we developed for flexible and modular web measurement. We’ve used OpenWPM to run repeated, large-scale studies leading to the discovery of numerous privacy and security violations across the web and in emails. These discoveries have helped curtail the adoption of advanced tracking techniques, and have repeatedly informed policy debates and browser privacy decisions. OpenWPM has already been used in over 20 academic studies, including a number that I’ll highlight in this talk.

In particular, I'll discuss the detection of several persistent tracking techniques, including device fingerprinting, cookie syncing, and cookie respawning. We’ve found that nearly every new HTML5 API introduced ends up being misused by trackers for device fingerprinting. The misuse is often invisible to users and publishers alike, and in many cases was not anticipated by API designers. I’ll show how we’re able to use the structure of fingerprinting scripts to detect new techniques, and take a critical look at how the API design process can be changed to prevent such misuse in the future.

I'll also explore the budding industry of trackers which use PII-derived identifiers to track users across devices, and even into the offline world. I’ll demonstrate a novel bait technique, which allows us to spoof the presence of PII on a large number of sites. I’ll show how trackers exfiltrate the spoofed PII from websites and emails through the abuse of browser features.

Finally, I'll take a critical look at the efforts by browser vendors to protect user privacy and will end with a proposal for a path forward, grounding tracking protection in measurement.

Nicki Gotsis