May 20, 2018

Archives for 2017

No boundaries: Exfiltration of personal data by session-replay scripts

This is the first post in our “No Boundaries” series, in which we reveal how third-party scripts on websites have been extracting personal information in increasingly intrusive ways. [0]
by Steven Englehardt, Gunes Acar, and Arvind Narayanan

Update: we’ve released our data — the list of sites with session-replay scripts, and the sites where we’ve confirmed recording by third parties.

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.


HOWTO: Protect your small organization against electronic adversaries

October is “cyber security awareness month”. Among other notable announcements, Google just rolled out “advanced protection” — free for any Google account. So, in the spirit of offering pragmatic advice to real users, I wrote a short document that’s meant not for the usual Tinker audience but rather for the sort of person running a small non-profit, a political campaign, or even a small company.

If there’s one thing we learned from the leaks of the DNC emails during the 2016 presidential campaign, it’s this: cyber-security matters. Whether or not you believe that the release of private campaign emails cost Clinton the election, they certainly influenced the process to the extent that any political campaign, any small non-profit, and any advocacy group now has to consider the possible impacts of cyber-attacks against their organizations. These could involve espionage (i.e., internal secrets being leaked) or sabotage (i.e., internal data being corrupted or destroyed). And your adversaries might be criminal hackers or foreign nation-state governments.

If you were a large multinational corporation, you’d have a dedicated team of security specialists to manage your organization. Unfortunately, you’re not and you can’t afford such a team. To help out, I’ve written a short document summarizing low-cost tactics you can take to reduce your vulnerabilities using simple techniques like two-factor authentication, so a stolen password isn’t enough for an attacker to log into your account. This document also recommends particular software and hardware configurations that move your organization “into the cloud” where providers like Google or Microsoft have security professionals who do much of the hard work on your behalf.

Enjoy!

https://www.cs.rice.edu/~dwallach/howto-electronic-adversaries.pdf

The Second Workshop on Technology and Consumer Protection

Arvind Narayanan and I are excited to announce that the Workshop on Technology and Consumer Protection (ConPro ’18) will return in May 2018, once again co-located with the IEEE Symposium on Security and Privacy.

The first ConPro brought together researchers from a wide range of disciplines, united by a shared goal of promoting consumer welfare through empirical computer science research. The topics ranged from potentially misleading online transactions to emerging biomedical technologies. Discussions were consistently insightful. For example, one talk explored the observed efficacy of various technical and non-technical civil interventions against online crime. Several—including a panel with technical and policy experts—considered steps that researchers can take to make their work more usable by policymakers, such as examining and documenting the agreement between researched practices and a company’s public statements.

We think the first workshop was a success. Participants were passionate about the social impact of their own research, and just as passionate in encouraging similarly thoughtful but dramatically different work. We aim to foster and build this engaged and supportive community.

As a result, we are thrilled to be organizing a second ConPro. Our interests lie wherever computer science intersects with consumer protection, including security, e-crime, algorithmic fairness, privacy, usability, and much more. Our stellar program committee reflects this range of interests. Check out the call for papers for more information. The submission deadline is January 23, 2018, and we look forward to reading this year’s great work!