Lincoln, Yvonna, and Egon Guba, "Postpositivism and the Naturalist Paradigm," pp. 14-46 in Yvonna Lincoln and Egon Guba, Naturalistic Inquiry . Beverly Hills, CA: Sage, 1985.*

Today’s smartphone operating systems frequently fail to provide users with visibility into how third-party applications collect and share their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid enables realtime analysis by leveraging Android’s virtualized execution environment. TaintDroid incurs only 32p performance overhead on a CPU-bound microbenchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, in our 2010 study we found 20 applications potentially misused users’ private information; so did a similar fraction of the tested applications in our 2012 study. Monitoring the flow of privacy-sensitive data with TaintDroid provides valuable input for smartphone users and security service firms seeking to identify misbehaving applications.

/pdf/taintdroid-an-information-flow-tracking-system-for-realtime-5d8smsr0iy.pdf

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

Explainable Artificial Intelligence (XAI): Concepts, Taxonomies, Opportunities and Challenges toward Responsible AI

National Institute of Standards and Technology における超伝導研究及び生活

Today's smartphone operating systems frequently fail to provide users with adequate control over and visibility into how third-party applications use their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid provides realtime analysis by leveraging Android's virtualized execution environment. TaintDroid incurs only 14% performance overhead on a CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications. Monitoring sensitive data with TaintDroid provides informed use of third-party applications for phone users and valuable input for smartphone security service firms seeking to identify misbehaving applications.

/pdf/taintdroid-an-information-flow-tracking-system-for-realtime-3fnz9lwdso.pdf

TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

We provide techniques to help vendors, independent testing agencies, and others verify critical security properties in direct recording electronic (DRE) voting machines. We rely on specific hardware functionality, isolation, and architectural decision to allow one to easily verify these critical security properties; we believe our techniques will help us verify other properties as well. Verification of these security properties is one step towards a fully verified voting machine, and helps the public gain confidence in a critical tool for democracy. We present a voting system design and discuss our experience building a prototype implementation based on the design in Java and C.

/pdf/designing-voting-machines-for-verification-1wqzswimr4.pdf

Designing voting machines for verification

Online dating services let users expand their dating pool beyond their social network and specify important characteristics of potential partners. To assess compatibility, users share personal information -- e.g., identifying details or sensitive opinions about sexual preferences or worldviews -- in profiles or in one-on-one communication. Thus, participating in online dating poses inherent privacy risks. How people reason about these privacy risks in modern online dating ecosystems has not been extensively studied. We present the results of a survey we designed to examine privacy-related risks, practices, and expectations of people who use or have used online dating, then delve deeper using semi-structured interviews. We additionally analyzed 400 Tinder profiles to explore how these issues manifest in practice. Our results reveal tensions between privacy and competing user values and goals, and we demonstrate how these results can inform future designs.

How Public Is My Private Life?: Privacy in Online Dating

The Internet Archive's Wayback Machine is the largest modern web archive, preserving web content since 1996. We discover and analyze several vulnerabilities in how the Wayback Machine archives data, and then leverage these vulnerabilities to create what are to our knowledge the first attacks against a user's view of the archived web. Our vulnerabilities are enabled by the unique interaction between the Wayback Machine's archives, other websites, and a user's browser, and attackers do not need to compromise the archives in order to compromise users' views of a stored page. We demonstrate the effectiveness of our attacks through proof-of-concept implementations. Then, we conduct a measurement study to quantify the prevalence of vulnerabilities in the archive. Finally, we explore defenses which might be deployed by archives, website publishers, and the users of archives, and present the prototype of a defense for clients of the Wayback Machine, ArchiveWatcher.

https://dl.acm.org/doi/pdf/10.1145/3133956.3134042

Rewriting History: Changing the Archived Web from the Present

EPC (Electronic Product Code) tags are industry-standard RFID devices poised to supplant optical barcodes in many applications. They are prevalent in case and pallet tracking, and also percolating into individual consumer items and border-crossing documents. In this paper, we explore the systemic risks and challenges created by increasingly common use of EPC for security applications. As a central case study, we examine the recently issued United States Passport Card and Washington State \enhanced" drivers license (WA EDL), both of which incorporate Gen-2 EPC tags. We explore several issues: 1. Cloning: We report on the data format of Passport Cards and WA EDLs and demonstrate their apparent susceptibility to straightforward cloning into o-theshelf EPC tags. We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.

/pdf/epc-rfid-tags-in-security-applications-passport-cards-2yrna5z6zn.pdf

EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond

Customers of direct-to-consumer (DTC) genetic testing services routinely download their raw genetic data and give it to third-party companies that support additional features. One type of analysis, called genetic genealogy, uses genetic data and genealogical methods to find new relatives. While genetic genealogy is quite popular, it has raised new privacy concerns. Genetic genealogy services can be leveraged to find the person corresponding to anonymous genetic data and have been used dozens of times by law enforcement to solve crimes. We hypothesized that the open design and broad API offered by some genetic genealogy services raise other significant security and privacy issues. To test this hypothesis, we analyzed the security practices of GEDmatch, the largest third-party genetic genealogy service. Here, we experimentally show how the GEDmatch API is vulnerable to a number of attacks from an adversary that only uploads normally formatted genetic data files and runs standard queries. Using a small number of specifically designed files and queries, an attacker can extract a large percentage of the genetic markers from other users; 92% of markers can be extracted with 98% accuracy, including hundreds of medically sensitive markers. We also find that an adversary can construct genetic data files that falsely appear like relatives to other samples in the database; in certain situations, these false relatives can be used to make the re-identification of genetic data more difficult. These attacks are possible because of the rich set of features supported by the API, including detailed visualizations, that are meant to enhance usability. We conclude with security recommendations for genetic genealogy services.

Tadayoshi Kohno

Papers

Designing voting machines for verification

How Public Is My Private Life?: Privacy in Online Dating

Rewriting History: Changing the Archived Web from the Present

EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond

Genotype Extraction and False Relative Attacks: Security Risks to Third-Party Genetic Genealogy Services Beyond Identity Inference.