Events

CITP Luncheon Speaker Series: Trammell Hudson – Thunderstrike 2: More Mac EFI Firmware Vulnerabilities

Sherrerd Hall, 3rd floor open space Princeton, NJ, United States

This talk describes Thunderstrike, an attack that installs persistent firmware modifications into the boot ROM of Apple's popular MacBooks. The bootkit can be installed by an evil-maid via the externally accessible Thunderbolt ports. Alternatively, a remote SW attack can amplify root privileges yielding the same result. Once installed, 1) it can prevent software attempts to remove it, 2) it can survive reinstallation of the operating system as well as hard drive replacement, and 3) it can spread virally across air-gaps by infecting additional Thunderbolt devices.

CITP Luncheon Speaker Series: Yong Jin Park – “Future of Wearable Communication Devices: Privacy Pitfalls and Research Agenda”

Sherrerd Hall, 3rd floor open space Princeton, NJ, United States

Communication occurs overwhelmingly in mobile platforms. As a consequence, a typical person is far more routinely exposed to personal privacy-related decisions than at any other time. This talk will discuss the increasing presence of wearable communication devices and potential pitfalls in the cornucopia of personalized digital data. It will highlight the characteristics of synergetic personal data practices and policy concerns through the development of (failed) Google Glass. Three key areas of related political-policy concern (privacy; anti-trust; and user competence) will be summarized and possible solutions suggested, with the discussion on the future research agenda in this area. A main theme of this talk is that the data practices typical of Google Glass pose policy challenges and signal a dramatic shift to personalized data marketing, with subsequent wearable devices projected in light of 360-degree data collection.

Law and Technology Lunch Time Series: Privacy and Security for the Internet of Things

Robertson Hall, Bowl 002

As connected devices become increasingly widespread, new privacy and security concerns grow. Internet of Things devices often are not designed with security in mind -- they may serve as stepping stones to broader networks containing sensitive data, their flaws may physically endanger people, and their use by everyday consumers means that they exist in many households without the supervision of a skilled network administrator.

This panel is the first in a series of lunch-timers on law and technology. Each program explores the current state of an emerging technology and the legal, policy, and ethical considerations that stem from it.

CITP Lecture Series: Jonathan Mayer – The Privacy Properties of Telephone Metadata

Sherrerd Hall, 3rd Floor Open Space

Since 2013, a stream of disclosures has prompted reconsideration of surveillance law and policy. One of the most controversial principles, both in the United States and abroad, is that communications metadata receives substantially less protection than communications content. Several nations currently collect telephone metadata in bulk, including on their own citizens. In this paper, we attempt to shed light on the privacy properties of telephone metadata. Using a novel crowdsourcing methodology, we demonstrate that telephone metadata is densely interconnected, can trivially be re-identified, and can be used to draw sensitive inferences.

CITP Luncheon Speaker Series: Hadi Asghari – Where are the Privacy Enhanced Services for the Masses?

Sherrerd Hall, 3rd floor open space Princeton, NJ, United States

Many online markets are dominated by firms offering services for “free”, in exchange for the tracking of personal data. There are niche services that offer more privacy in exchange for less performance or convenience. But they are not as popular. What is puzzling is that a considerable portion of users say they are concerned about their online privacy in surveys, pointing to a market gap. In this talk findings are presented from on-going interviews with entrepreneurs and developers building privacy-enhanced services. The interviews uncover some unique economic and engineering challenges. This will be followed with an open discussion on solutions.

CITP Luncheon Speaker Series: Seda Gürses – PET Sematary: Privacy’s Return from the Dead and the Rise of Privacy Engineering

Sherrerd Hall, 3rd floor open space Princeton, NJ, United States

This talk will first give an overview of the nascent field of privacy engineering. Preliminary results will then be presented from an ongoing empirical study on the impact of the shift from shrink wrap software to services and apps on software engineering practice. Instead of organizing around stable versions of client specific binaries released at longer time intervals, and installed on user owned devices, software provided as a service or in the form of apps tends toward continuous, networked and centrally controlled functionality. What kind of challenges does this shift to services and apps pose to computer science research on privacy? And, have computer scientists understood and responded to these challenges in the privacy solutions they develop?