Events & Calendars David Choffnes '02, ReCon: "Identifying and Controlling Privacy Leaks from Mobile Devices"

David Choffnes '02 is an assistant professor in the College of Computer and Information Science at Northeastern University. His research is primarily in the areas of distributed systems and networking, focusing on mobile systems, privacy and security. He earned a B.A. in physics and French from Amherst College and a Ph.D. from Northwestern and completed a postdoc at the University of Washington prior to joining Northeastern. He is a co-author of three textbooks, and his research has been supported by the National Science Foundation, the Department of Homeland Security, Google, the Data Transparency Lab, Comcast, M-Lab and a Computing Innovations Fellowship.

To see Harvest, a short documentary film using ReCon, visit this link: https://vimeo.com/189449163

Abstract:
Mobile systems have become increasingly popular thanks in part to their rich sensors and ubiquitous Internet access; however, recent studies demonstrate that software running on these systems extensively tracks and leaks users' personally identifiable information (PII). I argue that these privacy leaks persist in large part because mobile users have little visibility into PII leaked through the network traffic generated by their devices, and have poor control over how, when and where that traffic is sent and handled by third parties.

In this talk, I describe ReCon, a cross-platform system that reveals PII leaks and gives users control over them without requiring any special privileges or custom OSes. Specifically, our key observation is that PII leaks must occur over the network, so we implement our system in the network using a software middlebox. We then use a machine-learning approach to to efficiently and accurately detect users' PII without knowing a priori the content that is PII. Further, we develop techniques to block, obfuscate or ignore the PII leak, by displaying leaks via a visualization tool and letting the user decide how the system should act on transmitted PII. I discuss the design and implementation of the system and evaluate its methodology with measurements from controlled experiments and flows from a user study with more than 300 volunteer participants worldwide.

Last, I present results from our experience with the system, including how we found (and helped fix) plaintext password exposure vulnerabilities, passwords being sent to unauthorized third parties, surprising levels of user tracking, and unexpected differences between information gathering across platforms for the same online service. Through responsible disclosure and public outreach, we are trying to help users by exposing today's privacy problems and giving them tools to protect their personal information going forward.