This project proposes to inform computer users of the privacy that they receive in practice. To do so, the project will record network and system measurements of laptop and desktop computers as they are used. It will then analyze those measurements to discover what personal information is exposed to whom and by which applications. This will be done as real users undertake real tasks to produce individual privacy assessments. The project will develop visual representations to convey measured information exposure to users as answers to specific privacy questions, e.g., "What does Starbucks know about me?" User studies will be run to evaluate whether representations of measured information exposure are an effective way to convey privacy risks and how they affect user behavior.
This research is motivated by the fact that people who use personal computers have little idea of how the applications they run spread their personal information over the Internet. Users must simply assume that reputable applications safeguard their privacy interests; they have no basis on which to make informed privacy decisions. The research seeks to provide users with the visibility that they lack. It will show them how their personal information is actually spread by measuring application behavior and reporting the results with simple representations. The intent is to provide non-technical users with a powerful tool to help them balance their privacy needs against the applications available to them. The long-term goal of this research is to encourage new privacy-enhancing technologies by highlighting real-world privacy problems and opportunities.
As users of mobile phones, laptops and other computers, the public relies on Internet applications on a daily basis. We use them for all manner of tasks, from gaming to online shopping, and in all manner of places, from our homes and workplaces to on the go. These applications clearly provide many benefits to society. However, because they use the network, these applications also spread our personal information (e.g., names, addresses, searches, and content) to many other parties. The parties range from the web sites and ISPs that we use directly, to third-party ad, analytics, and profiling services that are embedded in web pages and mobile apps. As a result, the use of the web and mobile apps is rife with privacy risks: profiling, tracking, identity theft, and fraud.

It is disconcerting to realize, then, that most users of networked applications have no idea how the applications treat their personal information. They do not know what information is sent over the network, where it is sent, and whether it is encrypted to hide it from unintended recipients. This is because an application may have the same "look and feel" regardless of whether it does a good or poor job with respect to privacy risks. The result is that users are not able to make informed privacy decisions.

To explore this problem, our project has: 1) measured the behavior of web pages and mobile apps to look "under the covers" and reveal how they treat personal information; and 2) developed new privacy-enhancing technologies to help people lower their privacy risks while using the web and mobile apps. All of our results have been published in peer-reviewed conferences and workshops to make them widely available, and all of the software we developed has been open-sourced so others may build on it.

We began by studying what happened as people used the web, focusing on web logins because they gather sensitive information.
Our first outcome was to learn that a significant fraction of web sites sent login credentials over the Internet without encrypting them. This means that a nearby wireless user or an ISP on the path could harvest usernames and passwords. Moreover, ordinary users were not able to tell safe and unsafe logins apart because the sites were visually identical. (Features such as the padlock indicating HTTPS often come into play only after login.) To help users work out how to proceed, we developed the Piigeon add-on for Firefox to warn users when a login was unsafe, and to help users assess password-related risks, e.g., it is more risky to share a password across several sites when one of those sites sends it as plaintext. Web practices are much improved since 2011, but this kind of privacy-enhancing technology remains valuable because users cannot depend on sites to assure their safety.

A second outcome is a study of how different parties track Internet users for advertising and analytics. We were among the first to realize that social network sites such as Facebook were tracking where users browsed on the web through page add-ons such as the Like button. Simply visiting a page with a button informed Facebook of the visit, regardless of whether the user clicked on the button, because the browser sent Facebook's cookies along with the request that loaded the button. We produced the ShareMeNot add-on for Firefox to remedy this behavior by letting the buttons function (largely) as intended but disabling the tracking.

During the project, we also examined mobile apps, given their growing role in the Internet. A third outcome was a measurement study that showed many mobile apps leaked small amounts of personal information over the Internet. It was technically much more involved than the web studies, and required us to extend a dynamic information flow tracking system for Android. Our work and that of others raised the awareness of this issue. Interestingly, there was little outcry from mainstream users until Snowden's revelations of NSA spying showed the risk was real.
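The unsafe-login distinction above is mechanical once you know where the form actually submits: what matters is the scheme of the resolved form action, not the scheme of the page the user is looking at. The following is an added example written for this page, not Piigeon's own code or detection logic; it assumes a page URL and a form `action` attribute as inputs, and the site names and password groupings in the reuse check are constructed for illustration.

```javascript
// Added example (not part of the project's software): classify where a login
// form will send the password, and flag cross-site reuse of a password that
// at least one site transmits in the clear.

// Classify a login form given the URL of the page it appears on and the
// form's action attribute (may be relative or empty, which posts to the page).
function classifyLoginForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  const target = formAction ? new URL(formAction, page) : page;
  const pageSecure = page.protocol === "https:";
  const postSecure = target.protocol === "https:";

  if (!postSecure) {
    // The password itself crosses the network unencrypted; anyone on the
    // path (open Wi-Fi neighbour, ISP) can read it.
    return {
      risk: "unsafe",
      reason: `password is posted in the clear to ${target.origin}`,
    };
  }
  if (!pageSecure) {
    // The submission is encrypted, but the form arrived over HTTP, so an
    // attacker on the path could have rewritten its action before the user
    // typed anything. The padlock would only appear after login succeeded.
    return {
      risk: "warning",
      reason: "login page loaded over HTTP; form action could have been tampered with",
    };
  }
  return { risk: "safe", reason: "page and form submission both use HTTPS" };
}

// passwordSites: Map from a password identifier to the sites it is used on.
// classifications: Map from site to the risk level classifyLoginForm gave it.
// A password shared with any "unsafe" site is exposed for every other site
// it is reused on, which is the risk Piigeon-style tools need to surface.
function reuseRisk(passwordSites, classifications) {
  const findings = [];
  for (const [passwordId, sites] of passwordSites) {
    const leakedBy = sites.filter((s) => classifications.get(s) === "unsafe");
    const alsoUsedOn = sites.filter((s) => !leakedBy.includes(s));
    if (leakedBy.length > 0 && alsoUsedOn.length > 0) {
      findings.push({ password: passwordId, leakedBy, alsoUsedOn });
    }
  }
  return findings;
}

// Constructed sample input (hypothetical sites, not measured data).
const sampleSites = new Map([
  ["pw-1", ["alpha.example", "beta.example"]],
  ["pw-2", ["gamma.example"]],
]);
const sampleClasses = new Map([
  ["alpha.example", classifyLoginForm("https://alpha.example/login", "http://alpha.example/do_login").risk],
  ["beta.example", classifyLoginForm("https://beta.example/login", "/do_login").risk],
  ["gamma.example", classifyLoginForm("http://gamma.example/login", "").risk],
]);
const sampleFindings = reuseRisk(sampleSites, sampleClasses);
```

`classifyLoginForm` resolves the action against the page URL with the WHATWG `URL` class, so relative actions and protocol-relative (`//host/path`) actions are handled the same way a browser would handle them. Note the "warning" case: an HTTPS form action on an HTTP page protects the password on the wire only if no one has altered the page in transit, which is exactly the condition a network attacker can violate.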
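The Like-button tracking works because the browser attaches the social network's cookies to the embedded request whether or not the user interacts with the button. The core decision a ShareMeNot-style add-on makes is therefore: for a request to a known button provider, made as a third party from some other site, without the user having clicked the button, send the request without its cookies. The block below is an added example written for this page, not the ShareMeNot add-on's code; the tracker list, the request objects and the activation set are constructed for illustration, and the registrable-domain helper is a deliberate simplification that a real implementation would replace with a Public Suffix List lookup.

```javascript
// Added example (not the project's software): decide whether an outgoing
// request should have its cookies stripped to block third-party button tracking.

// Constructed list of button providers for the example (not the add-on's list).
const TRACKER_DOMAINS = new Set(["facebook.com", "twitter.com", "plus.google.com"]);

// Simplified registrable-domain extraction: keep the last two labels.
// Assumption for the example only; "bbc.co.uk" would need the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// request: { url, topLevelUrl, headers } where topLevelUrl is the page the
// user is actually visiting and headers is a plain object of request headers.
// activatedTrackers: set of tracker domains whose button the user has clicked
// on this page, so the request must carry cookies for the button to work.
function filterRequest(request, activatedTrackers = new Set()) {
  const target = registrableDomain(new URL(request.url).hostname);
  const topLevel = registrableDomain(new URL(request.topLevelUrl).hostname);
  const headers = { ...request.headers };

  const isThirdParty = target !== topLevel;
  const isTracker = TRACKER_DOMAINS.has(target);
  const userActivated = activatedTrackers.has(target);

  if (isThirdParty && isTracker && !userActivated) {
    // Drop every Cookie header (header names are case-insensitive) so the
    // provider sees an anonymous fetch of the button rather than a logged-in
    // user's page visit. The button still renders; only the identity is gone.
    for (const name of Object.keys(headers)) {
      if (name.toLowerCase() === "cookie") delete headers[name];
    }
    return {
      headers,
      cookiesStripped: true,
      reason: `third-party request to ${target} without user interaction`,
    };
  }

  const reason = !isTracker
    ? `${target} is not a known button provider`
    : !isThirdParty
      ? `first-party visit to ${target}`
      : `user clicked the ${target} button; cookies needed for it to work`;
  return { headers, cookiesStripped: false, reason };
}

// Constructed sample: a news article embedding a Like button.
const sampleRequest = {
  url: "https://www.facebook.com/plugins/like.php?href=https://news.example/story",
  topLevelUrl: "https://news.example/story",
  headers: { Cookie: "c_user=12345; xs=abc", "User-Agent": "ExampleBrowser/1.0" },
};
```

Stripping cookies removes the persistent identifier, which is what tied the page visit to a logged-in account; it does not hide the visit from the provider's server logs, which still see the client's IP address and the `href` of the page in the button's URL, which is why the text above says the buttons function only "largely" as intended and why the pseudonym work later in this report attacks the IP-address side of the problem.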
In our view, mobile operating systems must evolve to do a much better job of safeguarding personal information.

Finally, our last outcome was to develop a pseudonym technique that lets a user separate their browsing activities into different personas, e.g., work, hobby, and family. Each persona has its own web cookies and its own IP address, so a remote party cannot use either to work out whether activities in two personas belong to the same user or to different users. Pseudonyms provide users with a new tool to help them manage their own privacy.