Category: Privacy & Security
-
Demystifying The Dark Web: Peeling Back the Layers of Tor’s Onion Services
by Philipp Winter, Annie Edmundson, Laura Roberts, Agnieszka Dutkowska-Żuk, Marshini Chetty, and Nick Feamster
Want to find US military drone data leaks online? Frolic in a fraudster’s paradise for people’s personal information? Or crawl through the criminal underbelly of the Internet? These are the images that come to most when they think of the dark…
-
Internet of Things in Context: Discovering Privacy Norms with Scalable Surveys
by Noah Apthorpe, Yan Shvartzshnaider, Arunesh Mathur, Nick Feamster
Privacy concerns surrounding disruptive technologies such as the Internet of Things (and, in particular, connected smart home devices) have been prevalent in public discourse, with privacy violations from these devices occurring frequently. As these new technologies challenge existing societal norms, determining the bounds of “acceptable” information handling…
-
Against privacy defeatism: why browsers can still stop fingerprinting
In this post I’ll discuss how a landmark piece of privacy research was widely misinterpreted, how this misinterpretation deterred the development of privacy technologies rather than spurring it, how a recent paper set the record straight, and what we can learn from all this. The research in question is about browser fingerprinting. Because of differences…
-
Fast Web-based Attacks to Discover and Control IoT Devices
By Gunes Acar, Danny Y. Huang, Frank Li, Arvind Narayanan, and Nick Feamster
Two web-based attacks against IoT devices made the rounds this week. Researchers Craig Young and Brannon Dorsey showed that a well-known attack technique called “DNS rebinding” can be used to control your smart thermostat, detect your home address or extract unique…
-
Exfiltrating data from the browser using battery discharge information
Modern batteries are powerful – indeed they are smart, and have a privileged position enabling them to sense device utilization patterns. A recent research paper has identified a potential threat: researchers (from Technion, University of Texas Austin, Hebrew University) devise a scenario where malicious batteries are supplied to user devices (e.g. via compromised supply chains): An…
-
When Terms of Service limit disclosure of affiliate marketing
By Arunesh Mathur, Arvind Narayanan and Marshini Chetty
In a recent paper, we analyzed affiliate marketing on YouTube and Pinterest. We found that on both platforms, only about 10% of all content with affiliate links is disclosed to users as required by the FTC’s endorsement guidelines. One way to improve the situation is for affiliate…
-
No boundaries for Facebook data: third-party trackers abuse Facebook Login
by Steven Englehardt, Gunes Acar, and Arvind Narayanan
So far in the No boundaries series, we’ve uncovered how web trackers exfiltrate identifying information from web pages, browser password managers, and form inputs. Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from…
-
When the business model *is* the privacy violation
Sometimes, when we worry about data privacy, we’re worried that data might fall into the wrong hands or be misused for unintended purposes. If I’m considering participating in a medical study, I’d want to know if insurance companies will obtain the data and use it against me. In these scenarios, we should look for ways…
-
Routing Attacks on Internet Services
by Yixin Sun, Annie Edmundson, Henry Birge-Lee, Jennifer Rexford, and Prateek Mittal
[In this post, we discuss a recent thread of research that highlights the insecurity of Internet services due to the underlying insecurity of Internet routing. We hope that this thread facilitates important dialog in the networking, security, and Internet policy communities to drive…
-
Is It Time for a Data Sharing Clearinghouse for Internet Researchers?
Today’s Senate hearing with Facebook’s Mark Zuckerberg will start a long discussion on data collection and privacy from Internet companies. Although the spotlight is currently on Facebook, we shouldn’t forget that the picture is broader: companies from device manufacturers to ISPs collect network traffic and use it for a variety of purposes. The uses that…