From COVID-19 tracing apps to facial recognition systems used by police, digital technologies pose acute risks to security and privacy on multiple fronts. What can be done to better design and implement cybersecurity and data governance? And what gaps remain in our understanding of technology and data processing systems that could lead to incomplete, unclear, or undesirable specifications in the laws regulating these systems?
These important questions provided the framework for the first event in the 2020 CLTC Research Exchange, the Center for Long-Term Cybersecurity’s annual showcase of research supported through our grants program. Held on October 1, the two-hour online event featured a combination of 15-minute presentations from researchers who received their grants in 2019, along with five-minute “lightning talks” from our 2020 grantees. (The second and third events in the Research Exchange will take place in November and December, respectively. Learn more on our Events page.)
Due to the pandemic, the conference — traditionally held at the David Brower Center, in Berkeley — was presented entirely online. “The beauty of Zoom is now that we can expand our audience outside of the Bay Area, welcoming you from around the country and around the globe,” moderator Rachel Wesen, CLTC Events and Communications Specialist at CLTC, told the roughly 60 virtual attendees. “We’re thrilled to have you all here to help you learn more about the breadth of CLTC-supported cybersecurity research happening here at UC Berkeley.”
The researchers’ presentations spanned an array of important emerging topics related to privacy and digital security. “The kind of work we’re going to talk about today is consistent with our mission of trying to look over the horizon, and at the same time, always engaging with the full spectrum of issues that manifest in cybersecurity risk and response — and that’s what excites us,” said Steven Weber, Faculty Director of CLTC, in his opening remarks. “What we’re really trying to do is leverage this research that we do on the campus to change the world, change practices and policies.”
In the first talk, Serge Egelman, Research Director for the Usable Security & Privacy Group at the International Computer Science Institute (ICSI), provided an update on his ongoing investigations into the privacy of mobile apps. As showcased on the website “AppCensus,” Egelman and his team use instrumented phones to analyze the behavior of Android apps and monitor whether (and how) they access and transmit sensitive data. Egelman’s research has spotlighted that many apps violate the Children’s Online Privacy Protection Act, and has led Google to change its policies in response.
“One of the things we’ve done in the past year is look at what the impact this has actually had,” Egelman said. “Over a year later, we re-examined over 6000 apps that are in the ‘Designed for Families’ program, which is the kids app section of the Google Play Store. And we found that things have improved. The number of apps that collect location information was previously almost five percent; it’s now close to about 1.5%. Things have improved, but they’re still not great…. We’ve been building a whole taxonomy of all of the methods we’ve been finding in the wild, and are about to embark on a study to examine the different methods apps are using to try and detect when they’re being monitored.”
The next presentation was a “lightning talk” by Bill Marczak, a postdoctoral researcher in the UC Berkeley Department of Electrical Engineering and Computer Sciences (EECS). In his pre-recorded presentation, “Measuring and Defending Against New Trends in Nation-State Surveillance of Dissidents,” Marczak provided an overview of his efforts to track spyware used by nation-states to monitor journalists and dissidents. (His past research in this area earned coverage in Vanity Fair, among other outlets.)
“Given only a single sample, we can often use an internet scanning process to attribute it to a company or a government and map out the global footprint of the hacking operation,” Marczak explained. “The companies selling their hacking tools don’t want us to be able to do this, so they take steps from time to time to vary the behavior of their servers. So there’s actually a fascinating scanning arms race that comes into play here, and advancing this arms race is part of my ongoing research.”
“It’s clear that companies in the surveillance industry are stepping up their game in terms of finding more so-called ‘zero-click’ flaws and sending fewer dodgy links to click on,” Marczak said. “There have even been reports of completely invisible zero-click flaws, were nothing at all appears on the phone screen, not even for a millisecond. My project focuses on ways to continue to detect and track these new zero-click threats.”
In his talk, Nick Merrill, Research Fellow at CLTC and Director of the Daylight Security Research Lab, presented “Internet Fragmentation: Beyond ‘Free’ and ‘Open’.” This project centers on better understanding the “splinternet,” how the internet is evolving differently in different geographies, by using proxy measures based on the layers in the internet “stack,” the physical and digital infrastructure upon which the internet runs. “For any given country, we can come up with some number that describes their fragmentation at each of these layers,” Merrill said.
Merrill’s research has exposed surprising differences among nations — and revealed that the internet is in fact “multi-polar,” with wide variances within and across geographies. “When we started this project, it was not very clear to people that blocking websites was a political relations issue,” Merrill said. “If the U.S. blocks TikTok, and the EU decides not to block TikTok, then we can reasonably predict that the EU is going to be more likely to trade with China, it’s going to be more likely to cooperate militarily with China, and the US may become estranged from the EU as a result.”
“For policymakers, our big message is that internet governance is more than a technical issue,” Merrill said. “Internet governance is about, who do you want to ally with, who do you want to trade with? Do you want to be isolated in the global community? Internet governance could be a leading indicator of geopolitical shifts.”
In his lightning talk, Prashant Vasudevan, postdoctoral researcher in the UC Berkeley EECS department, presented “A Cryptographic Study of Data Protection Laws.” His research focuses largely on understanding the mechanics of the “right to be forgotten” — when consumers can request that their data be fully deleted — as is provided by data regulation like Europe’s GDPR and the California Consumer Privacy Act.
Prashant, whose research area is cryptography and the theory of cryptography, explained that “deleting” data is not always as simple as it sounds. “A very simple consideration here is that data that I have stored and deleted could still have left traces in the memory,” he said. “We identified this need to precisely define and understand the behavior of systems, specifically computer systems with respect to data deletion. And what we do in our work is come up with a model to study this to study data deletion.”
In her talk, Alison Post, Associate Professor of Political Science and Global Metropolitan Studies at UC Berkeley, introduced her in-progress research on “The Cybersecurity of ‘Smart’ Infrastructure Systems.” Based upon interviews with public agencies, voters, and other groups, Post is working to answer emerging questions related to the cybersecurity of “smart cities,” the networks of sensors that cities are adopting to help manage infrastructure. “The aim of this paper project is to show that there are trade-offs that vary greatly across the different types of technologies, and that there’s more reason to be concerned about some technologies than others,” Post said.
In a pre-recorded lightning talk entitled “An Open Research Privacy Toolkit,” graduate student Nitin Kohli introduced a project he is developing with UC Berkeley School of Information Professor Paul Laskowski focused on helping researchers more efficiently analyze data while preserving privacy. “What we want to do in this project is enable social science research to be done on rich datasets that hold personal data,” he explained. “The fundamental question we’re considering is, how can we let researchers study such datasets?… We believe that our privacy wrapper can allow for analysis of rich datasets without having to have social scientists alter their work practices, while still allowing for strong provable privacy guarantees in the process.”
The final talk of the Research Exchange was a “fireside chat” between CLTC Executive Director Ann Cleaveland and Amit Elazari, Director of Global Cybersecurity Policy for the Intel Corporation and a lecturer in the UC Berkeley School of Information. The conversation focused in part on understanding how the work of academic researchers can be bridged into the “real world” of corporate practice and policymaking. A former CLTC grantee, Elazari has appeared at past CLTC Research Exchanges to present her research on private ordering mechanisms to facilitate safe harbor for security researchers.
“Especially if you’re looking to the future, it certainly is clear that security is a conversation that is multifaceted, and academic research is absolutely critical for that,” Elazari said. “It is that dialogue, that mutual conversation and collaboration between different disciplines, that will continue to be critical for security.”
Elazari explained that her current role includes working with policymakers and technical experts on questions like intellectual property, privacy, and security, as well as developing standards. “It’s clearer than ever that the role technology plays in connecting and enabling everybody is going to continue and grow,” she said. “We have seen policymakers around the road reaching out very actively to industry to seek input on, what are the biggest obstacles? What are the challenges?… We are going to see more importance in reliance on international standards and best practices —because of the global nature of the supply chain, because of the global nature of this threat. Academia has a really important role to play.”
Watch the full video of the Research Exchange above or on YouTube. And stay tuned for the next event of in the CLTC 2020 Research Exchange series, “Protecting and Securing a More Inclusive Society Online,” which is scheduled for November 12.
