(pictured with fellow Tech Policy Lab member Ada Lerner)
The Tech Policy Lab has interesting projects in the works thanks to our student scholars. We are lucky to count Franzi Roesner from UW’s Computer Science & Engineering as one of our Lab members. Part of the 2013 Rising Stars in EECS at MIT, Franzi is doing fascinating work on security and privacy for modern and emerging client platforms, specifically in the domains of third-party web tracking, permission granting in modern operating systems (such as smartphones), secure embedded user interfaces, and most recently, emerging augmented reality platforms.
In work based out of Lab Director Tadayoshi Kohno’s UW Security and Privacy Research Lab, Franzi has investigated Snapchat, analyzed the security of augmented reality systems, and helped remotely take over cars. Her latest paper (with Professor Kohno and David Molnar), Security and Privacy for Augmented Reality Systems was just published as the cover story in the April issue of Communications of the ACM (Association for Computing Machinery), and considers the security and privacy concerns associated with augmented reality systems and the supporting technologies.
We asked Franzi how she decided she wanted to research computer security and privacy:
“When I took a computer security class during my time as an undergraduate, I was hooked. Most other classes I had taken taught me how to get things to work better, faster, and smarter, but this one taught me how to view designs skeptically and to challenge assumptions. That was exciting and seemed important. Besides fitting well with my naturally anxious nature, security and privacy as a research area also allows me to be very broad in what topics or technologies I focus on, to work at different levels of the computing stack (from low-level system details to human users), and to interact with researchers across different areas of computer science and beyond. I also believe that security and privacy issues are among the most important problems that affect real users of technology, and I want to help make sure that we can have the benefits of exciting emerging technologies—like augmented reality—without opening ourselves up to new risks.”
Below is some of Franzi’s recent work
Web and smartphone applications commonly embed third-party user interfaces like advertisements and social media widgets. However, this capability comes with security implications and while browsers have evolved to address many of these issues, mobile systems do not yet support true embedding. In, Securing Embedded User Interfaces: Android and Beyond, Franzi explores the requirements for a system to support secure embedded user interfaces, describes the experience of modifying Android, and discusses concrete techniques for creating secure embedded user interfaces.
Malicious or suspicious smartphone applications can misuse their access to the user’s system to secretly leak location data or send costly premium SMS messages. Today’s smartphone operating systems, such Android and iOS, rely on the user to make decisions about which permissions an application should have. We know that asking the user—such as with a prompt that asks if it’s okay for an application to use the current location—is neither particularly usable nor secure. In User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems, Franzi proposes a technique called access control gadgets to capture a user’s intent to grant a permission to an application in more usable way.
Third-party tracking on the web gets a lot of attention, but in her paper, Detecting and Defending Against Third-Party Tracking on the Web, Franzi explains its workings remain poorly understood. The authors’ goal was to dissect how mainstream web tracking occurs, and they developed a method for detecting and classifying five kinds of third-party trackers. They found that most commercial pages are tracked by multiple parties, trackers vary widely in their coverage, and many trackers exhibit a combination of tracking behavior. Based on this work, they released a web tracking detection platform called TrackingObserver and a defense for social media trackers (such as the Facebook “Like” button) called ShareMeNot.