IoT Inspector: Princeton releases a tool to snoop on home IoT devices and figure out what they're doing

IoT Inspector is a new tool from Princeton's computer science department; it snoops on the traffic from home IoT devices and performs analysis to determine who they phone home to, whether they use encryption, and what kinds of data they may be leaking. Read the rest

You can unscramble the hashes of humanity's 5 billion email addresses in ten milliseconds for $0.0069

Marketing companies frequently "anonymize" their dossiers on internet users using hashes of their email addresses -- rather than the email addresses themselves -- as identifiers in databases that are stored indefinitely, traded, sold, and leaked. Read the rest

Attacks that unmask anonymous blockchain transactions can be used against everyone who ever relied on the defective technique

In An Empirical Analysis of Traceability in the Monero Blockchain, a group of eminent computer scientists analyze a longstanding privacy defect in the Monero cryptocurrency, and reveal a new, subtle flaw, both of which can be used to potentially reveal the details of transactions and identify their parties. Read the rest

An algorithm that converts 3D meshes into machine-knitting patterns

A group of CMU researchers have created a generalizable approach to converting the model files generated by 3D design packages into knitting patterns that can be fed into a variety of computerized knitting machines, which then "print" the solid by knitting it. Read the rest

In the USA, Trump supporters are the most prolific users and sharers of "junk news" (a mix of untruth and distastefully presented materials)

Oxford's Computational Propaganda Project surveyed 13,500 "politically active" US Twitter users and 48,000 publicly visible Facebook pages, coding them for political affiliation, then measuring how much "junk news" (a news article that fails to live up to three or more of the following: professionalism, style, credibility, bias, counterfeit) was consumed and share by users based on their political affiliation. Read the rest

An incredibly important paper on whether data can ever be "anonymized" and how we should handle release of large data-sets

Even the most stringent privacy rules have massive loopholes: they all allow for free distribution of "de-identified" or "anonymized" data that is deemed to be harmless because it has been subjected to some process. Read the rest

Web analytics companies offer "replay sessions" that let corporations watch every click and keystroke for individual users

The "replay sessions" captured by surveillance-oriented "analytics" companies like Fullstory allow their customers -- "Walgreens, Zocdoc, Shopify, CareerBuilder, SeatGeek,, Digital Ocean,, and more" -- to watch everything you do when you're on their webpages -- every move of the mouse, every keystroke (even keystrokes you delete before submitting), and more, all attached to your real name, stored indefinitely, and shared widely with many, many "partners." Read the rest

Blockers will win the ad-blocking arms race

Ad-blockers begat ad-blocker-blockers, which begat ad-blocker-blocker-blockers, with no end in sight. Read the rest

New materials allow 2.8l/day of solar-powered desert water-vapor extraction

Researchers from MIT, UC Berkeley, Lawrence Berkeley, and King Abdulaziz City for Science and Technology published a paper in Science describing a solar-powered device that uses a new type of metal organic framework (MOF) to extract up to three litres of water per day from even the most arid desert air. Read the rest

How surveillance capitalism tracks you without cookies

Princeton computer science researchers Steven Englehardt and Arvind Narayanan (previously) have just published a new paper, Online tracking: A 1-million-site measurement and analysis, which documents the state of online tracking beyond mere cookies -- sneaky and often illegal techniques used to "fingerprint" your browsers and devices as you move from site to site, tracking you even when you explicitly demand not to be track and take countermeasures to prevent this. Read the rest

Web companies can track you -- and price-gouge you -- based on your battery life

In Online tracking: A 1-million-site measurement and analysis, eminent Princeton security researchers Steven Englehardt and Arvind Narayanan document the use of device battery levels -- accessible both through mobile platform APIs and HTML5 calls -- to track and identify users who are blocking cookies and other methods of tracking. Read the rest

Free Bitcoin textbook from Princeton

The Princeton Bitcoin Book by Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller and Steven Goldfeder is a free download -- it's over 300 pages and is intended for people "looking to truly understand how Bitcoin works at a technical level and have a basic familiarity with computer science and programming." Read the rest

Big Data should not be a faith-based initiative

Cory Doctorow summarizes the problem with the idea that sensitive personal information can be removed responsibly from big data: computer scientists are pretty sure that's impossible.

Eternal vigilance app for social networks: treating privacy vulnerabilities like other security risks

Social networking sites are Skinner boxes designed to train you to undervalue your privacy. Since all the compromising facts of your life add less than a dollar to the market-cap of the average social network, they all push to add more "sharing" by default, with the result that unless you devote your life to it, you're going to find your personal info shared ever-more-widely by G+, Facebook, Linkedin, and other "social" services.

Arvind Narayanan has proposed a solution to this problem: a two-part system through which privacy researchers publish a steady stream of updates about new privacy vulnerabilities introduced by the social networking companies (part one), and your computer sifts through these and presents you with a small subset of the alerts that pertain to you and your own network use. Read the rest

Scalable stylometry: can we de-anonymize the Internet by analyzing writing style?

One of the most interesting technical presentations I attended in 2012 was the talk on "adversarial stylometry" given by a Drexel College research team at the 28C3 conference in Berlin. "Stylometry" is the practice of trying to ascribe authorship to an anonymous text by analyzing its writing style; "adversarial stylometry" is the practice of resisting stylometric de-anonymization by using software to remove distinctive characteristics and voice from a text.

Stanford's Arvind Narayanan describes a paper he co-authored on stylometry that has been accepted for the IEEE Symposium on Security and Privacy 2012. In On the Feasibility of Internet-Scale Author Identification (PDF) Narayanan and co-authors show that they can use stylometry to improve the reliability of de-anonymizing blog posts drawn from a large and diverse data-set, using a method that scales well. However, the experimental set was not "adversarial" -- that is, the authors took no countermeasures to disguise their authorship. It would be interesting to see how the approach described in the paper performs against texts that are deliberately anonymized, with and without computer assistance. The summary cites another paper by someone who found that even unaided efforts to disguise one's style makes stylometric analysis much less effective.

We made several innovations that allowed us to achieve the accuracy levels that we did. First, contrary to some previous authors who hypothesized that only relatively straightforward “lazy” classifiers work for this type of problem, we were able to avoid various pitfalls and use more high-powered machinery. Second, we developed new techniques for confidence estimation, including a measure very similar to “eccentricity” used in the Netflix paper.

Read the rest

Netflix is about to commit a privacy Valdez with its customers' viewing data

Princeton's CU Boulder's Paul Ohm writes about Netflix's insane new plan to release millions of customers' personal information -- ZIP code, gender, year of birth -- as a sequel to its Netflix Challenge. Latanya Sweeney's famous study on de-anonymizing data has shown that date (not just year) of birth, gender and ZIP are sufficient to personally identify 87% of Americans. In other words, Netflix is about to put the behavioral data about viewing choices for millions of Americans into the public domain, despite its legal duty to keep this information private.

Because of this, if it releases the data, Netflix might be breaking the law. The Video Privacy Protection Act (VPPA), 18 USC 2710 prohibits a "video tape service provider" (a broadly defined term) from revealing "personally identifiable information" about its customers. Aggrieved customers can sue providers under the VPPA and courts can order "not less than $2500" in damages for each violation. If somebody brings a class action lawsuit under this statute, Netflix might face millions of dollars in damages.

Additionally, the FTC might also decide to fine Netflix for violating its privacy policy as an unfair business practice.

Either a lawsuit under the VPPA or an FTC investigation would turn, in large part, on one sentence in Netflix's privacy policy: "We may also disclose and otherwise use, on an anonymous basis, movie ratings, consumption habits, commentary, reviews and other non-personal information about customers." If sued or investigated, Netflix will surely argue that its acts are immunized by the policy, because the data is disclosed "on an anonymous basis." While this argument might have carried the day in 2006, before Narayanan and Shmatikov conducted their study, the argument is much weaker in 2009, now that Netflix has many reasons to know better, including in part, my paper and the publicity surrounding it.

Read the rest

Yet another creepy research paper proving you have no privacy online

Research by Carnegie Mellon professor Latanya Sweeney and other experts shows that an alarming number of seemingly innocuous, neutral, or "common" data points, can potentially identify an individual online. "Privacy law, mainly clinging to a traditional intuitive notion of identifiability, has largely not kept up with the technical reality," says the EFF's Seth Schoen:

A recent paper by Paul Ohm, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization", provides a thorough introduction and a useful perspective on this issue. Prof. Ohm's paper is important reading for anyone interested in personal privacy, because it shows how deanonymization results achieved by researchers like Latanya Sweeney and Arvind Narayanan seriously undermine traditional privacy assumptions. In particular, the binary distinction between "personally-identifiable information" and "non-personally-identifiable information" is increasingly difficult to sustain. Our intuition that certain information is "anonymous" is often wrong.

What information is "personally identifiable"? (EFF Deep Links) Read the rest

Next page