January 28, 2020

2020 Workshop on Technology and Consumer Protection

Christo Wilson and I are pleased to announce that the Workshop on Technology and Consumer Protection (ConPro ’20) is returning for a fourth year, co-located with the IEEE Symposium on Security and Privacy in May 2020.

As in past years, ConPro seeks a diverse range of technical research with implications for consumer protection. Past talks have covered dating fraud, ad targeting, mobile app data practices, privacy policy readability, algorithmic fairness, social media phishing, unwanted calls, cryptocurrency security, and much more.

Unlike past years, ConPro 2020 will accept talk proposals for early stage research ideas in addition to short papers. Do you have a new project or idea that you’d like to refine? Are you curious about which project directions could yield the greatest impact? Pitch a talk for ConPro, and get feedback and suggestions from its diverse, engaged audience.

Each year of ConPro, I’ve been heartened by the enthusiasm towards research that can help improve consumer welfare. If this is important to you too, we hope you’ll submit a paper or talk proposal. We’re always excited to expand our community! The submission deadline is January 23, 2020.

CITP Call for Visitors 2020-21

The Center for Information Technology Policy is an interdisciplinary research center at Princeton University that sits at the crossroads of engineering, the social sciences, law, and policy.

CITP seeks applicants for various visiting positions each year. Visitors are expected to live in or near Princeton and to be in residence at CITP on a daily basis. They will conduct research and participate actively in CITP’s programs.

For all visitors, we are happy to hear from anyone working at the intersection of digital technology and public life, including experts in computer science, sociology, economics, law, political science, public policy, information studies, communication, and other related disciplines.

We have a particular interest this year in candidates working on issues related to Artificial Intelligence (AI), Blockchain and Cryptocurrencies.

There are three job postings for CITP visitors: 1) Microsoft Visiting Researcher Scholar/Visiting Professor of Information Technology Policy, 2) Visiting IT Policy Fellow, and 3) Postdoctoral Research Associate or more senior IT policy researcher. For more information about these positions and to apply, please see our hiring page.

For full consideration, all applications should be received by December 31, 2019.

Enhancing the Security of Data Breach Notifications and Settlement Notices

[This post was jointly written by Ryan Amos, Mihir Kshirsagar, Ed Felten, and Arvind Narayanan.]

We couldn’t help noticing that the recent Yahoo and Equifax data breach settlement notifications look a lot like phishing emails. The notifications make it hard for users to distinguish real settlement notifications from scams. For example, they direct users to URLs on unfamiliar domains that are not clearly owned by the company that was breached nor any other trusted entity. Practices like this lower the bar for scammers to create fake phishing emails, potentially victimizing users twice. To illustrate the severity of this problem, Equifax mixed up domain names and posted a link to a phishing website to their Twitter account. Our discussion paper presents two recommendations to stakeholders to address this issue.

First, we recommend creating a centralized database of settlements and breaches, with an authoritative URL for each one, so that users have a way to verify the notices distributed. Such a database has precedent in the Consumer Product Safety Commission (CPSC) consumer recall list. When users receive notice of a data breach, this database would serve as a reliable authority to verify the information included in the notice. A centralized database has additional value outside the data breach context as courts and government agencies increasingly turn to electronic notices to inform the public, and scammers (predictably) respond by creating false notices.

Second, we recommend that no settlement or breach notice include a URL to a new domain. Instead, such notices should include a URL to a page on a trusted, recognizable domain, such as a government-run domain or the breached party’s domain. That page, in turn, can redirect users to a dedicated domain for breach information, if desired. This helps users avoid phishing by allowing them to safely ignore links to unrecognized domains. After the settlement period is over, any redirections should be automatically removed to avoid abandoned domains from being reused by scammers.