UW CSE professor Franzi Roesner, co-director of the Security and Privacy Research Lab, delivered a presentation today on the topic of online tracking and smartphone security to an audience of local business and civic leaders as part of the Technology Alliance’s Science & Technology Discovery Series in downtown Seattle.
Roesner’s work is based on the premise that security and privacy issues arise when there is a mismatch between user expectations as to how systems operate and actual systems behavior. Nowhere is this more evident than in the case of browser tracking – a legitimate function that can enhance web users’ convenience, but one that users do not fully understand and therefore are unable to control. Roesner talked about her quest to build better systems that improve privacy protections without overburdening users, giving the audience a crash course in how cookies work, the role of third-party websites, and the difference between anonymous trackers – for example, personalized advertising generators – and personal trackers tied to popular social media widgets.
Roesner and her fellow researchers built an automated detection tool, TrackingObserver, to measure tracker behavior and pervasiveness “in the wild.” The team’s work yielded some startling results: in visiting the top 500 websites, researchers encountered 524 unique trackers, and roughly half of the domains studied embed four or five different trackers. One website that the researchers visited contained 43 distinct trackers. They also found that the top three trackers – Doubleclick, Facebook and Google – were able to collect between 21 percent and 39 percent of users’ browser history. As a result of their research, Roesner and her colleagues developed a tool called ShareMeNot to empower users to counteract unwanted third-party tracking. The tool has since been integrated into the Electronic Frontier Foundation’s Privacy Badger offering.
Roesner also discussed her work in smartphone security, another area in which systems behave in ways that are not necessarily transparent or beneficial to users. As with browser tracking, there are legitimate reasons why smartphone applications would need access to users’ information – for example, location information when a user requests directions – or device features such as the camera. The problem, Roesner explained, is that users do not necessarily expect an app to have ongoing access to such information once a specific task is completed.
When Roesner began researching smartphone security, the state of the art consisted of prompts that asked the users to confirm permission for an app to access information or features, which can cause users to develop “prompt fatigue,” or install-time manifests – an all-or-nothing approach to permissions at the time of an app’s installation. Both, she noted, are overly permissive. To address these shortcomings, UW and Microsoft Research teamed up in an effort to advance user-driven access control – which, interestingly enough, more than half of users surveyed by the team thought was the norm already – by changing the underlying operating system instead of attempting to change user behavior.
Roesner concluded by highlighting emerging challenges associated with new augmented reality systems, the increasing popularity of wearable technology and the growing prevalence of sensors. The key will be to anticipate and address challenges before new systems become widely deployed, relying upon a combination of technology and good policy.