In 2012, ICANN started allowing public applications for new generic top-level domains (gTLDs). Since then, the number of gTLDs has expanded from around two dozen to around two thousand. ICANN anticipated that this would significantly alter the web and justified the decision, stating "unless there is a good reason to restrain it, innovation should be allowed to run free."
We believe there is "good reason to restrain" the creation of new gTLDs. To make safe, responsible decisions online, consumers must be able to determine with whom they are communicating, and one of the only reliable sources of information they have is a website's domain name. We already see many examples of domain impersonation attacks, in which a domain is maliciously registered or constructed to appear visually similar to a valuable target domain. In this talk, we explore how the bloat of new gTLDs may bolster domain impersonation attacks, further complicating users' ability to evaluate who they are communicating with. We discuss a user survey designed to measure the impact that gTLDs have on the effectiveness of domain impersonation attacks, compared to country-code TLDs and "common" TLDs (.com, .net, .org). We then look at measurements of domain impersonation in the wild and compare the prevalence of different TLDs in these attacks. Finally, we discuss potential solutions and guidelines for the creation of new gTLDs.
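To illustrate the attack surface this talk examines, here is a minimal Python sketch of how an attacker might enumerate impersonation candidates for a hypothetical target across old and new TLDs. The target label, TLD lists, and construction rules are illustrative assumptions, not the study's actual methodology.

    # Illustrative sketch (not the study's method): enumerate simple
    # impersonation candidates for a hypothetical target "example.com".
    TARGET_LABEL = "example"
    COMMON_TLDS = ["com", "net", "org"]               # "common" TLDs in the study
    NEW_GTLDS = ["support", "online", "app", "shop"]  # sample new gTLDs (assumed)

    def candidate_domains(label, tlds):
        """Yield lookalike candidates for each TLD."""
        for tld in tlds:
            yield f"{label}.{tld}"          # same second-level label, different TLD
            yield f"{label}-secure.{tld}"   # combosquatting variant

    for domain in candidate_domains(TARGET_LABEL, COMMON_TLDS + NEW_GTLDS):
        print(domain)

The point of the sketch is how cheaply the candidate space grows: every new gTLD multiplies the set of plausible-looking domains an attacker can register.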
Sources of funding: NSF 5233582, CNS Core: Large: Collaborative Research: Towards an Evolvable Public Key Infrastructure
The consumer Internet of Things (IoT) space has experienced a significant rise in popularity in recent years. From smart speakers to baby monitors, smart kettles, and TVs, these devices are increasingly found in households around the world, whose residents may be unaware of the risks of owning them. Previous work has shown that these devices can threaten user privacy and security by exposing information over the Internet to a large number of service providers and third-party analytics services. Our analysis shows that many of these Internet connections (and the information they expose) are neither critical nor even essential to the operation of these devices. However, automatically separating critical from non-critical network traffic for an IoT device is nontrivial, and at first glance would seem to require expert analysis based on manual experimentation in a controlled setting.
In this work, we ask whether it is possible to automatically classify network traffic destinations as either critical (essential for devices to function properly) or not, hence allowing the home gateway to act as a firewall to block undesired, noncritical destinations. We take the first steps towards designing and evaluating IoTrimmer, a framework for automated testing and analysis of various destinations contacted by devices, and selectively blocking the ones that do not impact device functionality. (PDF)
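As a rough illustration of the block-and-test idea behind this framework, the Python sketch below labels each destination by blocking it at the gateway and probing whether the device still functions. The helper callables and the toy functionality probe are hypothetical placeholders, not IoTrimmer's actual interface.

    # Minimal sketch of the block-and-test loop described above; the
    # block/unblock/device_works helpers are assumed placeholders.
    def classify_destinations(destinations, block, unblock, device_works):
        """Label each destination 'critical' or 'non-critical' by blocking
        it at the gateway and probing whether the device still works."""
        labels = {}
        for dest in destinations:
            block(dest)  # e.g., install a firewall rule at the home gateway
            labels[dest] = "critical" if not device_works() else "non-critical"
            unblock(dest)  # restore connectivity before testing the next one
        return labels

    # Toy usage with stubbed helpers:
    blocked = set()
    labels = classify_destinations(
        ["firmware.vendor.example", "analytics.thirdparty.example"],
        block=blocked.add,
        unblock=blocked.discard,
        # Toy probe: the device "works" unless its (assumed) firmware
        # endpoint is unreachable.
        device_works=lambda: "firmware.vendor.example" not in blocked,
    )
    print(labels)

In practice the hard part is the probe itself: deciding automatically whether a device "still functions" is exactly the expert, manual step the framework aims to replace.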
Sources of funding: This research was partially supported by NSF grant CNS-1909020 and by the EPSRC Databox (EP/N028260/1) and Defence Against Dark Artefacts (EP/R03351X/1) grants.
The monetization of user-generated content on social media platforms through advertising is a rising phenomenon. One of its forms, integrating advertising into the content itself (also known as influencer marketing), grew into a 9 billion dollar industry in 2019 and is projected to be worth 15 billion by 2022. The buzz around this trend has prompted extensive legal research on the standards applicable to the disclosure of advertising in jurisdictions around the world. Beyond existing rules, regulators have also recognized that, by its nature, influencer marketing carries greater potential to mislead or deceive consumers. While regulatory pressure is supposed to raise the standard of consumer protection, influencer marketing remains a peer-to-peer industry defined by a plethora of business models. Our research project brings together expertise from Natural Language Processing (NLP) and European Consumer Law, and aims to make a gap-filling contribution: determining which influencer marketing business models can be identified on social media, and how influencers use them. To this end, we gather Instagram posts from selected influencers in different countries, and we design a classifier to identify the recognizable business models and analyze their prevalence. By comparing results across countries, we hope to gain insight into whether influencers in countries with more stringent enforcement disclose more of their commercial activities than their counterparts in countries with less rigorous enforcement. In addition to the empirical part of the project, we also describe the legal regime applicable to each business model under European consumer protection law, contributing to the interdisciplinary development of computer science and consumer protection in ways that can inspire further research vital to the interests of consumer enforcement agencies. (PDF)
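As a hedged illustration of the classification step, the sketch below trains a simple text classifier on toy posts. The business-model labels, example posts, and model choice (TF-IDF plus logistic regression in scikit-learn) are our assumptions for demonstration, not the project's actual design.

    # Illustrative sketch (assumed labels, toy data, assumed model choice):
    # classify posts into influencer-marketing business models.
    from sklearn.feature_extraction.text import TfidfVectorizer
    from sklearn.linear_model import LogisticRegression
    from sklearn.pipeline import make_pipeline

    posts = [
        "Use my code ANNA10 for 10% off at checkout! #ad",
        "So grateful to @brand for sending me this PR package",
        "Link in bio to shop my affiliate picks",
    ]
    labels = ["discount_code", "gifted_product", "affiliate_link"]

    model = make_pipeline(TfidfVectorizer(ngram_range=(1, 2)), LogisticRegression())
    model.fit(posts, labels)

    # Predict the business model of an unseen post:
    print(model.predict(["Get 15% off with code SAM15 #sponsored"]))

A real pipeline would need far more labeled data per country and per business model, but the structure (text features feeding a multi-class classifier) is the same.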
Software developers routinely use application programming interfaces (APIs) to leverage existing data and functionality offered by external services. Online services such as Facebook and Google offer their own APIs for this purpose, and allow developers to access private user information like messages, files, and calendars given proper user authorization. This has, however, produced serious privacy breaches, most notably Cambridge Analytica's unexpectedly broad collection of user data through the Facebook API. In light of this, we examined a corpus of 987 Google API apps on the G Suite Marketplace. We found that nearly half of those apps can communicate with outside services whose identities are not reliably disclosed to users. Additionally, our data suggests that the app-auditing measures meant to protect users from potential API misuse may fall short: a new-user limit placed on potentially risky unverified apps is not rigidly enforced, and thousands of users will nonetheless authorize risky apps if allowed. We offer potential directions for improving this ecosystem and hope to spur further investigations of online APIs as a whole. (PDF)
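One way such an analysis could flag risk, sketched below under our own assumptions (the scope list and the "any broad scope" threshold are illustrative, not the paper's criteria), is to check whether an app requests OAuth scopes that grant broad access to user data.

    # Illustrative sketch (our assumption, not the paper's method): flag
    # apps whose requested OAuth scopes grant broad data access. The
    # scope strings follow Google's format; the risk rule is arbitrary.
    RISKY_SCOPES = {
        "https://www.googleapis.com/auth/gmail.readonly",  # read all email
        "https://www.googleapis.com/auth/drive",           # full Drive access
        "https://www.googleapis.com/auth/calendar",        # full Calendar access
    }

    def is_risky(app):
        """An app is 'risky' here if it requests any broad scope."""
        return bool(set(app["scopes"]) & RISKY_SCOPES)

    # Hypothetical app records for demonstration:
    apps = [
        {"name": "MailMergeTool", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
        {"name": "SimpleTimer", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ]
    for app in apps:
        print(app["name"], "risky" if is_risky(app) else "ok")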
In accordance with GDPR and CCPA data-access rights, many companies now allow users to download or view their data related to a particular website or app. However, these data files are often loaded with jargon, poorly organized, and altogether difficult for users to understand. To help users make sense of their data, we are generating ideas for data-visualization tools through site-specific participatory-design sessions. We expect our findings to inform the design of such tools, which could make data collection and use more transparent. (PDF)
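As one possible building block for such a tool, the Python sketch below loads a hypothetical JSON data export and tallies records per category so they can be charted. The file name and layout are assumptions for illustration; real exports vary widely by company.

    # Minimal sketch: summarize a (hypothetical) JSON data export.
    # Assumed layout: a list of records, each with a "category" field.
    import json
    from collections import Counter

    def summarize_export(path):
        with open(path) as f:
            records = json.load(f)
        return Counter(r.get("category", "unknown") for r in records)

    # Hypothetical usage with an assumed file name:
    for category, count in summarize_export("my_data.json").most_common():
        print(f"{category}: {count}")

Even a simple per-category count like this gives users a first overview of what a company holds about them, before any richer visualization is designed.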
Sources of funding: A UMIACS contract under the partnership between the University of Maryland and DoD, and internal funding from the University of Chicago.