Studio apartment or research lab? Inside Khoury College’s cybersecurity and privacy research
Wed 10.13.21 / Milton Posner
Ever gotten an ad that seemed too precisely targeted? Was it selling you something you’d just told a friend about? Did you wonder whether your phone, computer, or smart speaker was listening to you more than their manufacturers let on?
Well, microphones may be the only method of data collection you don’t need to worry about—for now.
“That’s a common urban legend that we hear. We investigated apps that can record audio and found that they don’t seem to be recording your conversations when they shouldn’t,” said David Choffnes, associate professor at the Khoury College of Computer Sciences. “But many other things you do online leak plenty of information for targeting. We don’t always know why you see the ads that are displayed. Some are coincidences, some are pervasive online tracking that allows hyper-targeted advertisement.”
At a time when our data is frequently collected, leveraged, and stolen, Choffnes has studied the devices in our homes, pockets, and purses to find out how they compromise us. Now, as the new executive director of Northeastern’s Cybersecurity and Privacy Institute, his goal remains the same.
“I realized by turning over rocks and looking in dark places, there were all kinds of creepy-crawly things,” he said. “I’m particularly focused on things that we use every day, the risks of using those systems, and how we can make them better for consumers as opposed to the companies or bad actors who are trying to access or steal our data.”
Researching the things companies would rather we didn’t know
Choffnes’s path wasn’t always a straight line. After pivoting from undergraduate study of physics and French to a networking and distributed systems specialization, he says he “tripped and fell into security and privacy.” He became interested in mobile devices as cell phones became more ubiquitous, with Edward Snowden’s 2013 revelations further spurring his interest in privacy.
“With these phones, unlike our PCs or laptops, we had almost no visibility into what they were doing with our data, and the data they had was more personal than ever,” Choffnes explained. “I started looking at network traffic as an internet user wanting to make things better for myself … It started me down this path of asking ‘What are these apps doing with our data? How many other people are getting access to it?’”
These questions have underpinned much of the research Choffnes has undertaken since joining Khoury College in 2013. Chief among those projects is ReCon, which uses machine learning to detect personal information leaks in network traffic, then alerts users.
“We came up with ways to automatically detect when your personal data was being sent by these apps without you having to tell us what your data is,” Choffnes said. “And then allow people to tell our system to change or block that data. Our analysis substantially improved mobile app security and privacy.”
After a 300-user study demonstrated ReCon’s efficacy, Choffnes and his team passed their findings to app developers, regulators, and app stores. App developers fixed cases where passwords were sent over the internet without encryption, regulators used ReCon to investigate potentially deceptive business practices, and the Apple and Google Play app stores banned third-party app code that recorded users’ screens without their knowledge.
ReCon is a rarity among computer science research efforts in that it provided the foundation for Harvest, a 2017 documentary that appeared at several prestigious film festivals. But if that wasn’t enough, another of Choffnes’s projects is big enough that it has its own apartment. Literally.
Tucked within Northeastern’s Interdisciplinary Science and Engineering Complex is a custom-built, one-of-a-kind lab designed like a small studio apartment. It’s called The Mon(IoT)r Lab (pronounced “monitor lab”) as a nod to the Internet of Things devices researchers monitor for privacy issues. CPI personnel can use the space and interact with its devices, which are connected to a router with packet-recording software.
“We monitor all of the network traffic, and we observe potential privacy and security concerns that arise when you’re completely surrounded by devices … that share data with third parties,” Choffnes explained. “In many cases, you have to actually interact with these devices to see what the risks are, so it’s essential to have a ‘living’ lab scenario.”
One example is their smart fridge, replete with interior cameras, a tablet interface, and Android apps. Over the four years they’ve owned it, the fridge has made increased use of its cameras to scan food items and make recommendations. It leveraged an existing feature for a new data-sharing purpose.
Another example is Amazon’s Ring doorbell, which, when accessed via phone app, shows a green light to indicate that it’s recording. But Choffnes’ team found that it would also record when it detected motion, this time without displaying the green light. There was no mechanism to make it stop, and accessing the resulting videos at all required a more expensive subscription.
These often-invisible shifts, Choffnes said, point to a worrying reality.
“It ends up that you’re not buying the product,” he concluded. “In this case the product is you, and the companies are putting the smart features in so they can record what you’re doing and monetize that data.”
How can we protect ourselves online?
In many respects, Choffnes notes, “we’re unfortunately at the whims of these companies that collect data as disclosed in their fine print.”
“Given the lack of strong privacy regulations that protect consumers in the US, there’s a lot of burden on us as individuals to protect our privacy,” he said. “And that is often too much of a burden for us to bear. Most of the time we just click ‘okay’ and accept whatever they’re asking for.”
But Choffnes notes that we can take some protective steps.
“It’s hard to use the services we know and love without giving up a lot of our data; these services were designed that way,” he conceded. “So when it comes to installing an app, just think twice. Do you really need that app? Do you need yet another company to get access to your data? When you get data requests, can you use the app without honoring those requests?”
Choffnes also recommends a password manager, which is usually free and enables you to change your passwords often.
“The idea is that you should never have to write down your passwords,” he said. “Ideally you have software that generates random, strong passwords and fills out the password fields for you.”
Backing up the manager with multi-factor authentication, he added, should thwart most attacks.
“If you have multi-factor authentication, the attacker still needs something else—like your phone or a phone app that generates a unique code—to fully compromise your account,” Choffnes said. “At some point, we’re all going to be victims of some form of cyberattack. These techniques limit the damage that any one compromised credential could have.”
Choffnes also wants the study of computer security and data protection to be taught to kids in the same way other types of safety are, so that they can understand the necessity and methods of shielding themselves.
“What I’m talking about is not rocket science,” he said. “Cybersecurity awareness is just something you get better at over time and it becomes second nature.”
What’s next?
Much of Choffnes’ recent work falls within the five-year-old Cybersecurity and Privacy Institute. With 17 core and affiliate faculty spanning Khoury College, the School of Law, CAMD, and the College of Engineering, the CPI collaborates on interdisciplinary cybersecurity research topics including mobile devices, cryptography, cloud security, malware analysis, and machine learning. It also offers undergraduate, graduate, and doctoral degrees in cybersecurity, and integrates with other universities, technology companies, and defense contractors. In July, Choffnes became the CPI’s third executive director, a position he expects to hold for two years.
On top of his directorial responsibilities, Choffnes is continuing with some highlight-reel research endeavors. One, a multi-university project funded by $10 million from the National Science Foundation’s Secure and Trustworthy Cyberspace Frontiers program, is a collaboration with Khoury College Interim Dean Alan Mislove and School of Law affiliate CPI member Woody Hartzog.
“It’s about developing a stronger understanding of how data collection over the internet affects individual privacy, and developing new software, hardware, and policy recommendations focused on safeguarding personal data,” Choffnes explained. “The award sends a strong message that we need this kind of multidisciplinary approach to solve our online privacy and security issues.”
Another project, powered by a five-year, $15.7 million NSF grant, is on the horizon. Led by the Network Science Institute’s David Lazer, and in collaboration with Choffnes and CPI colleague Christo Wilson, the team is planning to build what Choffnes calls “an observatory like Hubble, but instead of looking at the stars, to look into how people interact with the internet and how those interactions influence society.” It will provide a platform for open and ethical data collection that allows researchers to study important aspects of online human behavior, including the political and social impact of misinformation, disinformation, and social media content algorithms.
“We’re building infrastructure that is not just for us to research things,” Choffnes explained, “but to allow other researchers to deploy their own experiments to see what people are seeing online, what the implications are, survey people’s opinions about the things that they’re seeing, and get a much richer understanding of what people are doing online and what the impacts of it are.”
These large efforts allow Choffnes to focus on his passion: improving internet performance, privacy, and security. He strives for a world where internet users can better control their data.
“I think people are becoming more aware of online privacy and security,” Choffnes said. “Our mission since starting CPI has been to safeguard critical technology and to create partnerships with experts, industry, government, and academia worldwide. The recent NSF grants are helping us to substantially move the needle on these topics, with the potential for enormous impact.”
These questions have underpinned much of the research Choffnes has undertaken since joining Khoury College in 2013. Chief among those is ReCon, which uses machine learning to detect personal information leaks in network traffic, then alerts users.
“We came up with ways to automatically detect when your personal data was being sent by these apps without you having to tell us what your data is,” Choffnes said. “And then allow people to tell our system to change or block that data. Our analysis substantially improved mobile app security and privacy.”
After a 300-user study demonstrated ReCon’s efficacy, Choffnes and his team passed their findings to app developers, regulators, and app stores. App developers fixed cases where passwords were sent over the internet without encryption, regulators used ReCon to investigate potentially deceptive business practices, and the Apple and Google Play app stores banned third-party app code that recorded users’ screens without their knowledge.
ReCon is a rarity among computer science research efforts in that it provided the foundation for Harvest, a 2017 documentary that appeared at several prestigious film festivals. But if that wasn’t enough, another of Choffnes’s projects is big enough that it has its own apartment. Literally.
Tucked within Northeastern’s Interdisciplinary Science and Engineering Complex is a custom-built, one-of-a-kind lab designed like a small studio apartment. It’s called The Mon(IoT)r Lab (pronounced “monitor lab”) as a nod to the Internet of Things devices researchers monitor for privacy issues. CPI personnel can use the space and interact with its devices, which are connected to a router with packet-recording software.
“We monitor all of the network traffic, and we observe potential privacy and security concerns that arise when you’re completely surrounded by devices … that share data with third parties,” Choffnes explained. “In many cases, you have to actually interact with these devices to see what the risks are, so it’s essential to have a ‘living’ lab scenario.”
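The two passages above describe the same underlying practice from two angles: ReCon inspects an app's network traffic for personal data and lets the user change or block it, and the Mon(IoT)r Lab records every packet its devices send so researchers can see which third parties receive what. The script below is an added example of that kind of analysis, written for this page; it is not ReCon's code or the lab's tooling. It flags fields by parameter name and value shape rather than with ReCon's learned model, and every flow, device name and hostname in it is a constructed sample.

```python
"""Heuristic detector for personal-data leaks in captured app and IoT traffic.

Added example: a simplified stand-in for the kind of analysis the article
describes, not ReCon's code or the Mon(IoT)r Lab's tooling. It flags fields
by parameter name and value shape rather than with a learned model, and all
flows below are constructed samples with hypothetical hostnames.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical vendor hosts per device; anything else counts as a third party.
FIRST_PARTY = {
    "smart-fridge": {"api.fridge.example"},
    "login-app": {"login.someapp.example"},
    "doorbell": {"cloud.doorbell.example"},
}

# Parameter names that commonly carry personal data or stable identifiers.
PII_KEYS = {
    "email": "email", "user_email": "email",
    "password": "credential", "passwd": "credential", "pwd": "credential",
    "imei": "device_id", "android_id": "device_id", "idfa": "device_id",
    "lat": "location", "lon": "location", "lng": "location",
}
# Value-shape fallback for fields whose name says nothing (e.g. "q=...").
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


@dataclass(frozen=True)
class Flow:
    device: str     # lab device or app that sent the request
    url: str        # request URL; the scheme tells us whether TLS was used
    body: str = ""  # form-encoded POST body, if any


@dataclass(frozen=True)
class Finding:
    device: str
    host: str
    kind: str        # email / credential / device_id / location
    field: str       # parameter name that carried it
    cleartext: bool  # sent without TLS
    third_party: bool


def _fields(flow):
    """Yield (name, value) pairs from the query string and the form body."""
    yield from parse_qsl(urlsplit(flow.url).query, keep_blank_values=True)
    yield from parse_qsl(flow.body, keep_blank_values=True)


def analyze(flow):
    """Return one Finding per personal-data field observed in the flow."""
    parts = urlsplit(flow.url)
    host = parts.hostname or ""
    cleartext = parts.scheme != "https"
    third_party = host not in FIRST_PARTY.get(flow.device, set())
    findings = []
    for name, value in _fields(flow):
        kind = PII_KEYS.get(name.lower())
        if kind is None and EMAIL_RE.match(value):
            kind = "email"
        if kind is not None:
            findings.append(Finding(flow.device, host, kind, name, cleartext, third_party))
    return findings


def redact(flow):
    """The 'change or block' step: rewrite flagged values before they leave."""
    flagged = {f.field for f in analyze(flow)}

    def scrub(encoded):
        pairs = parse_qsl(encoded, keep_blank_values=True)
        return urlencode([(k, "REDACTED" if k in flagged else v) for k, v in pairs])

    parts = urlsplit(flow.url)
    return Flow(flow.device, parts._replace(query=scrub(parts.query)).geturl(), scrub(flow.body))


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("smart-fridge", "https://api.fridge.example/v1/inventory?imei=356938035643809&items=3"),
    Flow("smart-fridge", "http://analytics.thirdparty.example/collect?android_id=9774d56d682e549c&lat=42.3398&lon=-71.0892"),
    Flow("login-app", "http://login.someapp.example/auth", body="user_email=alice%40example.org&password=hunter2"),
    Flow("doorbell", "https://cloud.doorbell.example/events?type=motion&ts=1633000000"),
]


def report(flows=SAMPLE_FLOWS):
    """Findings across all flows, worst first (cleartext data to third parties)."""
    found = [f for flow in flows for f in analyze(flow)]
    return sorted(found, key=lambda f: (not f.cleartext, not f.third_party, f.kind))


if __name__ == "__main__":
    for f in report():
        print(f"{f.device:12} -> {f.host:32} {f.kind:10} via {f.field!r}"
              f"{' CLEARTEXT' if f.cleartext else ''}{' THIRD-PARTY' if f.third_party else ''}")
```

Run against the samples, the report surfaces the three patterns the article singles out: a credential sent over plain HTTP, a device identifier and location going to an analytics host the device's vendor does not own, and a first-party request that is encrypted but still carries a hardware identifier. The first-party lists are the analyst's assumption; in a real deployment they would come from the vendor's documentation or from observing which hosts the device must reach to function at all.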
One example is their smart fridge, replete with interior cameras, a tablet interface, and Android apps. Over the four years they’ve owned it, the fridge has made increased use of its cameras to scan food items and make recommendations. It leveraged an existing feature for a new data-sharing purpose.
Another example is Amazon’s Ring doorbell, which, when accessed via phone app, shows a green light to indicate that it’s recording. But Choffnes’s team found that it would also record when it detected motion, this time without displaying the green light. There was no mechanism to make it stop, and accessing the resulting videos at all required a more expensive subscription.
These often-invisible shifts, Choffnes said, point to a worrying reality.
“It ends up that you’re not buying the product,” he concluded. “In this case the product is you, and the companies are putting the smart features in so they can record what you’re doing and monetize that data.”
How can we protect ourselves online?
In many respects, Choffnes notes, “we’re unfortunately at the whims of these companies that collect data as disclosed in their fine print.”
“Given the lack of strong privacy regulations that protect consumers in the US, there’s a lot of burden on us as individuals to protect our privacy,” he said. “And that is often too much of a burden for us to bear. Most of the time we just click ‘okay’ and accept whatever they’re asking for.”
But Choffnes notes that we can take some protective steps.
“It’s hard to use the services we know and love without giving up a lot of our data; these services were designed that way,” he conceded. “So when it comes to installing an app, just think twice. Do you really need that app? Do you need yet another company to get access to your data? When you get data requests, can you use the app without honoring those requests?”
Choffnes also recommends a password manager, which is usually free and enables you to change your passwords often.
“The idea is that you should never have to write down your passwords,” he said. “Ideally you have software that generates random, strong passwords and fills out the password fields for you.”
Backing up the manager with multi-factor authentication, he added, should thwart most attacks.
“If you have multi-factor authentication, the attacker still needs something else—like your phone or a phone app that generates a unique code—to fully compromise your account,” Choffnes said. “At some point, we’re all going to be victims of some form of cyberattack. These techniques limit the damage that any one compromised credential could have.”
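The two recommendations above, a generator for random strong passwords and a second factor that a phone app computes, can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the article or from any password-manager product. The one-time-code routine follows the RFC 6238 construction (HMAC-SHA1 over a 30-second time counter, 6 digits), which is what common authenticator apps implement; the user-record format and the enroll and verify functions are this example's own assumptions.

```python
"""Strong random passwords plus a time-based one-time code as a second factor.

Added example illustrating the two recommendations above; it is not code from
the article or from any password-manager product. The TOTP routine follows the
RFC 6238 construction (HMAC-SHA1, 30-second steps, 6 digits); the user record
format and the enroll/verify functions are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Each character is an independent draw from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=20, alphabet=ALPHABET):
    """Guessing work for a uniformly random password of this shape."""
    return length * math.log2(len(alphabet))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


def _hash_password(password, salt):
    # Stored credentials are salted and stretched; the raw password is never kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(password, totp_secret=None):
    """Create a user record; the base32 secret is what a phone app would scan."""
    secret = totp_secret or secrets.token_bytes(20)
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "totp_secret": secret,
        "provisioning_secret": base64.b32encode(secret).decode(),
    }


def verify_login(record, password, code, at=None, window=1, step=30):
    """Both factors must pass; a stolen password alone is not enough."""
    now = int(time.time()) if at is None else int(at)
    password_ok = hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])
    # Accept neighbouring steps to tolerate clock drift between server and phone.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now + d * step, step), code)
        for d in range(-window, window + 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    pw = generate_password()
    user = enroll(pw)
    print(f"generated password: {pw} ({entropy_bits():.0f} bits)")
    print("enrol this secret in the authenticator app:", user["provisioning_secret"])
    print("password + current code:", verify_login(user, pw, totp(user["totp_secret"])))
    print("password + stale code:  ", verify_login(user, pw, totp(user["totp_secret"], at=0)))
```

The point the quote makes is visible in `verify_login`: a correct password with a code from the wrong time step fails, and a correct code with the wrong password fails, so an attacker who obtains only the password from a breach still cannot complete the login. The one-step window is the usual trade-off between tolerating clock drift and keeping the number of acceptable codes small.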
Choffnes also wants the study of computer security and data protection to be taught to kids in the same way other types of safety are, so that they can understand the necessity and methods of shielding themselves.
“What I’m talking about is not rocket science,” he said. “Cybersecurity awareness is just something you get better at over time and it becomes second nature.”
What’s next?
Much of Choffnes’s recent work falls within the five-year-old Cybersecurity and Privacy Institute. With 17 core and affiliate faculty spanning Khoury College, the School of Law, CAMD, and the College of Engineering, the CPI collaborates on interdisciplinary cybersecurity research topics including mobile devices, cryptography, cloud security, malware analysis, and machine learning. It also offers undergraduate, graduate, and doctoral degrees in cybersecurity, and integrates with other universities, technology companies, and defense contractors. In July, Choffnes became the CPI’s third executive director, a position he expects to hold for two years.
On top of his directorial responsibilities, Choffnes is continuing with some highlight-reel research endeavors. One, a multi-university project funded by $10 million from the National Science Foundation’s Secure and Trustworthy Cyberspace Frontiers program, is a collaboration with Khoury College Interim Dean Alan Mislove and School of Law affiliate CPI member Woody Hartzog.
“It’s about developing a stronger understanding of how data collection over the internet affects individual privacy, and developing new software, hardware, and policy recommendations focused on safeguarding personal data,” Choffnes explained. “The award sends a strong message that we need this kind of multidisciplinary approach to solve our online privacy and security issues.”
Another project, powered by a five-year, $15.7 million NSF grant, is on the horizon. Led by the Network Science Institute’s David Lazer, and in collaboration with Choffnes and CPI colleague Christo Wilson, the team is planning to build what Choffnes calls “an observatory like Hubble, but instead of looking at the stars, to look into how people interact with the internet and how those interactions influence society.” It will provide a platform for open and ethical data collection that allows researchers to study important aspects of online human behavior, including the political and social impact of misinformation, disinformation, and social media content algorithms.
“We’re building infrastructure that is not just for us to research things,” Choffnes explained, “but to allow other researchers to deploy their own experiments to see what people are seeing online, what the implications are, survey people’s opinions about the things that they’re seeing, and get a much richer understanding of what people are doing online and what the impacts of it are.”
These large efforts allow Choffnes to focus on his passion: improving internet performance, privacy, and security. He strives for a world where internet users can better control their data.
“I think people are becoming more aware of online privacy and security,” Choffnes said. “Our mission since starting CPI has been to safeguard critical technology and to create partnerships with experts, industry, government, and academia worldwide. The recent NSF grants are helping us to substantially move the needle on these topics, with the potential for enormous impact.”