[talks] Steven Engelhardt will present his Pre-FPO "Automated discovery of privacy violations on 1 million websites" on January 3, 2018 at 10am in CS 302

Nicki Gotsis ngotsis at CS.Princeton.EDU
Fri Dec 29 22:00:00 EST 2017


Steven Engelhardt will present his Pre-FPO "Automated discovery of privacy violations on 1 million websites" on January 3, 2018 at 10am in CS 302.  The members of his committee follow below.

Committee members: Arvind Narayanan (adviser); readers: Ed Felten and Nick Feamster; nonreaders: Jen Rexford and Prateek Mittal

Everyone is invited to attend his talk.  The talk title and abstract follow below.

Title: Automated discovery of privacy violations on 1 million websites

Abstract: Online tracking is increasingly invasive. Gone are the days 
where a user can "reset" their online profile by clearing their 
browser's cookies. Instead, users face persistent, cross-device tracking 
which blends their offline activity with their online behavior. Tracking 
protection provided by browsers is often ineffective and circumventable, 
while solutions based on voluntary cooperation, such as Do Not Track, 
haven’t had meaningful adoption. Knowledgeable users may turn to 
anti-tracking tools and ad-blockers for protection, but we find that 
even these more advanced solutions fail to fully protect against the 
techniques we study.

In this talk, I will present OpenWPM, a platform we developed for 
flexible and modular web measurement. We’ve used OpenWPM to run 
repeated, large-scale studies leading to the discovery of numerous 
privacy and security violations across the web and in emails. These 
discoveries have helped curtail the adoption of advanced tracking 
techniques, and have repeatedly informed policy debates and browser 
privacy decisions. OpenWPM has already been used in over 20 academic 
studies, a number of which I’ll highlight in this talk.

In particular, I'll discuss the detection of several persistent tracking 
techniques, including device fingerprinting, cookie syncing, and cookie 
respawning. We’ve found that nearly every new HTML5 API introduced ends 
up being misused by trackers for device fingerprinting. The misuse is 
often invisible to users and publishers alike, and in many cases was not 
anticipated by API designers. I’ll show how we’re able to use the 
structure of fingerprinting scripts to detect new techniques, and take a 
critical look at how the API design process can be changed to prevent 
such misuse in the future.

I'll also explore the budding industry of trackers which use PII-derived 
identifiers to track users across devices, and even into the offline 
world. I’ll demonstrate a novel bait technique, which allows us to spoof 
the presence of PII on a large number of sites. I’ll show how trackers 
exfiltrate the spoofed PII from websites and emails through the abuse of 
browser features. Finally, I'll take a critical look at the efforts by 
browser vendors to protect user privacy and will end with a proposal for 
a path forward, grounding tracking protection in measurement.

