[talks] Steven Englehardt will present his FPO "Automated discovery of privacy violations on the web" on Friday, 6/29/2018 at 10:00am in CS 402.

Nicki Gotsis ngotsis at CS.Princeton.EDU
Wed Jun 20 11:13:17 EDT 2018



Steven Englehardt will present his FPO "Automated discovery of privacy violations on the web" on Friday, 6/29/2018 at 10:00am, 402 Computer Science. All are welcome to attend. 

The members of his committee are as follows: Examiners: Arvind Narayanan (Adviser), Prateek Mittal (ELE), and Jennifer Rexford; Readers: Ed Felten, Nick Feamster 

Abstract follows below. 

Tracking protection provided by browsers is often ineffective, while solutions based on voluntary cooperation, such as Do Not Track, haven’t had meaningful adoption. Knowledgeable users may turn to anti-tracking tools for protection, but we find that even these more advanced solutions fail to fully protect against the techniques we study.

In this dissertation, we introduce OpenWPM, a platform we developed for flexible and modular web measurement. We’ve used OpenWPM to run large-scale studies leading to the discovery of numerous privacy and security violations across the web and in emails. These discoveries have curtailed the adoption of tracking techniques, and have informed policy debates and browser privacy decisions.

In particular, we present novel detection methods and results for persistent tracking techniques, including: device fingerprinting, cookie syncing, and cookie respawning. Our findings include sophisticated fingerprinting techniques never before measured in the wild. We’ve found that nearly every new API is misused by trackers for fingerprinting. The misuse is often invisible to users and publishers alike, and in many cases was not anticipated by API designers. We take a critical look at how the API design process can be changed to prevent such misuse in the future.

We also explore the industry of trackers which use PII-derived identifiers to track users across devices, and even into the offline world. To measure these techniques, we develop a novel bait technique, which allows us to spoof the presence of PII on a large number of sites. We show how trackers exfiltrate the spoofed PII through the abuse of browser features. We find that PII collection is not limited to the web—the act of viewing an email also leaks PII to trackers. Overall, about 30% of emails leak the recipient’s email address to one or more third parties.

Finally, we study the ability of a passive eavesdropper to leverage tracking cookies for mass surveillance. If two web pages embed the same tracker, then the adversary can link visits to those pages from the same user even if the user’s IP address varies. We find that the adversary can reconstruct 62–73% of a typical user’s browsing history



