• Leading data privacy experts produced four protocols that they said were popular ways to render personal information anonymous so it could be shared or sold publicly

• Experts relied on the HIPAA Safe Harbor, a flawed use of k-anonymity, an enclave, randomization, and standardized statistical values

• None of their protocols achieved the privacy protection they promised

Sequence of 4 litmus tests to perform on a Sander Team protocol.

2018-11-13

• Examines the spread of two competing narratives on Twitter following the sarin gas attack in Syria in April 2017

• Finds that false narratives tend to spread via widely networked distribution nodes, many of which are amplifier accounts created for the express purpose of increasing activity around a particular hashtag

• Russian digital disinformation efforts are the result of new methods applied to old tactics, and tend to target online communities which have the greatest latent potential for agitation

A Gephi visualization diagram showing the viral and explosive transmission of the #SyriaHoax story on Twitter over a four-day period

2018-11-13

• We used newspaper data to match names to anonymized patient records in statewide hospital data from Maine and Vermont

• We found that 28.3 percent of names from Maine news stories and 34 percent of names from Vermont news stories uniquely matched to one hospitalization in the Maine and Vermont hospital data.

• When redacted to the HIPAA Safe Harbor standard, the Maine data allowed for a 3.2 percent re-identification rate and Vermont data allowed for a 10.6 percent re-identification rate.

Re-identification example using details from news articles and de-identified hospital records from Maine

2018-10-09

• We randomly sampled 693 Airbnb listings from Wisconsin from urban, suburban, and rural areas with varying population densities

• We introduced a method to probabilistically re-identify Airbnb hosts using public voter files from Wisconsin and the fuzzed location of Airbnb listings

• Despite Airbnb’s efforts to protect personal data, we re-identified 94% of cases using the first name and town of resident living closest to the location provided by a listing

Example of an Airbnb listing that includes first name of the host, town of the listing, and approximate location

2018-10-09

• Presents a curated list of 44 historically noteworthy incidents in which individuals suffered privacy harms that were not the result of data breaches (theft of personal information).

• Shows application of Solove’s Taxonomy of Privacy to recent privacy incidents.

Non-Breach Privacy Events

2018-10-09

• Websites for 35 states and DC in 2016 were vulnerable to voter identity theft attacks: an imposter could submit changes to voter registration information

• An imposter needed a combination of voter’s name, date of birth, gender, address, Social Security Number, or Driver’s License Number

• Relevant data can be acquired from government, data brokers, or darknet markets. Total cost of an automated attack against 1% of all vulnerable voter registrations nationwide ranged from $10,081 to $24,926 depending on the data source used. States cost less, e.g., $1 for Alaska and $1,020 for Illinois

Ways an attacker can acquire the personal data needed to impersonate voters

2017-09-06

• India has a widespread national ID system, Aadhar, that uses biometrics to verify identity before accessing many essential state and social services

• Aadhar lacks significant privacy and data protections and has significant failure to match rates of up to 49%

• India should consider greater privacy protections for Aadhar that follow ethical data practices including privacy by design

Comparing biometric regulation in India, EU, and the USA.

2017-08-29

• The HIPAA Safe Harbor is not sufficient to protect data against re-identification

• We found correct re-identifications for ~25% of records in a subset of a HIPAA-compliant environmental health dataset

• We used demographic and non-demographic fields to link a HIPAA-compliant dataset with external data sources

Re-identification strategy to associate an ID in the Study Data with an Address and Name of a participant in the study

2017-08-28

• The Clinton administration HIPAA Privacy Rule proposed a broad privacy health care policy that generally required patient consent for treatment, payment and health care operations disclosures but allowed providers and insurers to decline treatment or payment if a patient refused consent

• The Bush administration HIPAA Privacy Rule removed the need for patient consent for treatment, payment, and health care operations as well as the ability of providers and insurers to decline treatment or payment because a patient refused consent

• The Bush HIPAA Privacy Rule removed a Clinton provision that allowed covered entities to use patient records for direct marketing on behalf of third parties

Similarities and Differences of the Clinton and Bush HIPAA Privacy Rule. The Bush HIPAA Privacy Rule is the final rule that was implemented on August 14, 2002.

2017-07-31

• We implemented a large-scale examination of certificates used to authenticate and secure communications online by comparing the practices of 27,000 Federal Deposit Insurance Corporation (FDIC)-insured banks against the top 1 million most popular general websites

• We found only 23 percent of banks had official ranked domains, and 50 percent of those domains lacked certificates

• In general, more bank website certificates (45 percent) had very long validity times (a risky practice) than did general websites (24 percent)

Banks have fewer domain-name mismatches (half as many as popular general interest sites), but are much more risk seeking when it comes to certificate lifetime.

2016-04-15

• The French Intelligence Act in July 2015 was passed in response to the January Charlie Hebdo attacks without a significant public debate before being ruled to be within the principles of the French Republic

• In 2001, the US PATRIOT Act was passed with similar language focusing on the need for security and surveillance in exceptional circumstances

• Both French and American governments focused on the need for surveillance as a patriot matter to prevent future attacks from outsiders of society

Comparing the lead-up to the passage of the French Intelligence Act to the USA PATRIOT Act.

2016-03-15

• A computer science research project in January 2015 executed code on the web browsers of unsuspecting users to detect censorship worldwide including in China and Iran

• This raises the ethical issue of should researchers be permitted to surreptitiously alter the behavior of Internet-connected devices in order to gain scientific data?

• We analyze this issue from the ethical, benefit-harm, consent, transparency, and legal perspective

Key issues and questions about the Encore study analyzed in this paper

2015-12-15

• We repeated a 2012 survey of tracking mechanisms such as HTTP cookies, Flash cookies, and HTML5 storage, used by top 25,000 most popular websites

• We found that users who merely visit the homepages of the top 100 most popular sites would collect over 6,000 HTTP cookies with 83% being third-party cookies

• We found that Google tracking infrastructure is on 92 of the top 100 most popular websites and on 923 of the top 1,000 websites, providing Google with a significant surveillance infrastructure online

Overall summary of results for shallow and deep crawls for the top 100, 1,000 and 25,000 websites

2015-12-15

• We explain why consumers might be misled by advertorials—even when labeled—when advertising material has elements of editorial content

• We surveyed nearly 600 consumers online with an advertorial embedded on a blog site

• 27% of consumers thought the advertorial was written by a reporter or editor

Changing the background of the photo to blue was able to significantly increase how much credibility viewers assigned to the testimonial

2015-12-15

• We tested 110 popular, free Android and iOS apps to look for apps that shared personal, behavioral, and location data with third parties

• 73% of Android apps shared personal information such as email address with third parties, and 47% of iOS apps shared geo-coordinates and other location data with third parties

• 93% of Android apps tested connected to a mysterious domain, safemovedm.com, likely due to a background process of the Android phone

Sharing of sensitive data by Android apps (left) to domains (right)

2015-10-30

• I examined privacy policies for 110 popular Android and iOS apps. App stores provided working links to privacy policies for 67% of iOS apps and 75% of Android apps

• 61% of privacy policies specifically stated that data would be encrypted. 31% had general language that could be read to imply that encryption would be used. Another 5% of privacy policies said nothing about security. One policy stated that it did not use encryption

Availability of links to privacy policies at online stores for the 110 apps examined

2015-10-30

• We built Meddle, which redirects a mobile device’s internet traffic to a VPN proxy that we use monitor privacy leaks from apps and traffic differentiation by ISPs

• Testing 309 popular apps, we found that 21% of Android apps leaked Device IDs, and 6% of iOS apps leaked email addresses in unencrypted plaintext

• We found 6 popular iOS apps and 1 Android app leaking passwords in plaintext vulnerable to capture by attackers

Screen captures of the tool built to display how users’ personal information and location leaks over the network

2015-10-30

• The Venmo app allows people to pay each other online. I created an extension that visualizes information Venmo makes publicly available

• I analyzed the transactions of 350,000 Venmo users and found that 74% had at least 5 public transactions, with 21% averaging a public transaction more than once a week

• My extension can identify relationships between users, including how much time they spend together. It can also identify members of private social organizations, attendees of private events, and even users’ food purchases

Demo screenshot of visualization created by the Money Trail Extension of transactions between the central user, Nishant, and his friends on Venmo

2015-10-29

• We introduce datatags as a means of specifying security and access requirements for sensitive data

• The datatags approach reduces the complexity of thousands of data-sharing regulations to a small number of tags

• We show implementation details for medical and educational data and for research and corporate repositories

Definitions for each of six ordered Blue to Crimson sample datatags.

2015-10-16

• South Korea’s national identifier, the Resident Registration Number (RRN) includes encoded demographic information and a checksum with a publicly-known pattern

• We conducted two de-anonymization experiments on 23,163 encrypted RRNs from prescription data of South Koreans

• We demonstrate the data’s vulnerability to de-anonymization by revealing all 23,163 unencrypted RRNs in both experiments

Coding table that replaced digits of South Korean national identifiers with letters in shared prescription data

2015-09-29

• Iceland’s national identifier, the Kennitala (KT), is computed from one’s date of birth and some random digits

• I found five Icelandic subjects online and was able to guess and verify their KT using a dating app

• This experiment suggests that KT registry may be reverse-engineered and expose personal data on services that rely on the KT for authentication to imposters

Using an online server to identify which potentially valid national identifiers are assigned.

2015-09-29

• Washington State is one of 33 states that share or sell anonymized health records

• I conducted an example re-identification study by showing how newspaper stories about hospital visits in Washington State leads to identifying the matching health record 43% of the time

• This study resulted in Washington State increasing the anonymization protocols of the health records including limiting fields used for the re-identification study

Matching public medical information to news stories to identify patients.

2015-09-29

• I evaluated 1.5 million tweets from 1,500 ISIS-affiliated Twitter accounts to determine if they were humans or bots

• I compared ISIS tweets to a control group of 700,000 non-ISIS Arabic tweets

• ISIS tweets exhibited unique, un-unified tweet, retweet, and favoriting patterns suggesting that the accounts are controlled by humans

Proportion of retweet rates of suspected ISIS-supporters versus control group.

2015-09-29

• I developed a monitoring program that searches Twitter in real time for tweets with potentially suspicious links

• The program found more than 70,000 suspicious tweets in 24 hours, with 56% of the tested links appearing fraudulent

Most frequently occurring tweets in 24 hours that contain the words muscle, weight, diet, acai, cambogia, lose fast, or miracle pill.

2015-09-29

• Find a website that asks for a ZIP or postal code before showing the price of a good or service. Submit its URL to this challenge.

• On October 27, 2015, we will post a list of URLs submitted to us that may determine pricing by ZIP or postal code.

• We will honor the individual or group that submits the most qualifying URLs as Data Detective(s) of the Month.

2015-09-01

• We tested whether customers are seeing the same price for SAT tutoring on The Princeton Review's website

• We searched the website from 33,000 ZIP codes across the US

• We found 3 different prices depending on the ZIP code input seemingly on a regional basis

The Princeton Review's SAT tutoring package price across the US

2015-09-01

• We analyzed the price variations for an online SAT tutoring service offered by The Princeton Review

• Our analysis showed that Asians were 1.8 times as likely to be quoted a higher price than non-Asians

• People who live in high-income ZIP codes were twice as likely to be quoted a higher price than lower income residents

Logistic Regression Model for the Princeton Review's Pricing Scheme

2015-09-01

• We tested if Asians receive lower prices on Airbnb’s vacation rental website

• We identified 101 White and Asian hosts on Airbnb in Oakland and Berkeley in April 2015

• We found that on average Asian hosts earn $90 less per week or 20% less than White hosts for similar rentals

Price differences between White and Asian hosts on Airbnb

2015-09-01

• I created separate Facebook and Gmail accounts based on political preference for Democrats or Republicans

• On Facebook, the two profiles received different suggestions while on Gmail similar ads appeared

Facebook suggestions by user's online partisan participation

2015-09-01

• In 2012, a media outlet reported that Facebook Messenger shared personal geolocations by default

• In 2015, my demonstration displayed Facebook's shared data on a map; it was downloaded over 85,000 times

• After 9 days of news coverage, Facebook released an update that requires a user's permission to share geolocations

News coverage by day

2015-08-11

• We examined changes to Facebook's Privacy Policy from 2005 to 2015 using the relevant parts of the 2008 Patient Privacy Rights (PPR) framework.

• We found that Facebook's score declined by 2015 in 22 of 33 measures of privacy protection and transparency on a 5-point scale. The measures included the extent of internet monitoring, informing users about what is shared with third parties, clearly identifying data used for profiling, and giving users choices in privacy settings.

Facebook privacy policy rating over time as a percentage of the best possible score. Dots highlight dates of a policy heavily criticized by advocacy groups (A) and the next revision (B). Gap identifies missing archived policies.

2015-08-11

• In 2013, the United Kingdom launched care.data, an NHS England initiative to centralize patient health and social care data

• care.data faces multiple challenges due to its mismanagement and miscommunications, inadequate protections for patient anonymity, and conflicts with doctors

• Lessons from the care.data experience show the need for clear communications to the public, easy-to-understand consent rules, and strong oversight over purchases of patient data

UK care.data Timeline

2015-08-11

• Health insurance plans on 34 state exchanges are studied for pricing changes from 2014 to 2015

• The largest insurance company in each state on average increased their rates 75% more than smaller insurers in the same state

• The largest insurance companies do not appear to be paying for higher medical costs per premium dollar versus smaller insurers in the reported experience period of 2013

Average premium increase from '14 to '15 by insurance company size in states

2015-08-11

• We tested whether customers from around the world see the same price online when searching for U.S. hotel rooms and rental cars.

• We simulated connecting online from 30 countries around the world to travel site Kayak.com

• Simulated customers in five locations, including Hong Kong and Australia, were quoted hotel prices significantly above the global average. Prices shown to domestic customers in the U.S. were slightly below the average

Los Angeles hotel and rental car price quotes averaged worldwide

2015-08-11