Research Directions

My goal is to help protect the security, privacy, and safety of users of future computer technologies.

I structure my research around four broad themes, which I briefly summarize below. A complete list of my publications is available here.

• Emerging Technologies, Security, and Privacy. I am deeply drawn to overcoming the computer security and privacy challenges associated with emerging, embedded, pervasive technologies and applications. I try to stay one step ahead of the "bad guys" by identifying emerging technologies that might have significant security and privacy risks and then developing solutions for mitigating those risks before real threats manifest. I have focused on a number of different technologies over the years, including electronic voting machines [ref, ref, ref, ref, ref], RFIDs [ref, ref, ref], wireless robots and toys [ref], and other personal ubicomp devices [ref]. Today, most of my active research is focused on augmented reality [ref, ref, ref, ref, ref, ref, ref, ref, ref, ref], and IoT [ref, ref]. In the past I have also worked on computer security and privacy for wireless medical devices [ref, ref, ref, ref, ref, ref, ref, ref, ref], automobiles [ref, ref, ref], privacy and home powerline measurements [ref], privacy controls for sensed data [ref, ref], security for conventional devices in networked homes (light bulbs) [ref], security for telerobotics [ref, ref], cell-site simulators [ref], tech-policy issues with crypto currencies like Bitcoin [ref], understanding QR code usage and risks in the wild [ref], attacking machine learning models [ref], and security for computational biology systems [ref]. I am also interested in security for ICTD [ref].

• The Cloud, The Network, Security, and Privacy. I am committed to helping protect the security and privacy of our information as we become increasingly reliant on networks and the cloud. There are three key inter-related strands to this work. First, I identify and assess new weaknesses within the Internet, e.g., our work on remotely fingerprinting physical machines based on their clock skews [ref], and our exploration of mechanisms for leveraging the online advertising ecosystem for low-cost intelligence gathering [ref]. Second, I measure properties of the Internet at a large scale, e.g., our measurement study of ISP modifications to Web traffic between Web servers and users [ref], our study of the practices with which recording studios send DMCA takedown notices [ref], our study of Internet censorship [ref], our studies of the Web tracking ecosystem (both past [ref] and present [ref]), and our study of the susceptibility of web archives to remote manipulation [ref]. Third, I design and build new systems with strong security and privacy properties, e.g., our design and analysis of new anonymous wireless networks [ref], wired networks that offer both user anonymity and forensic capabilities [ref, ref], privacy-respecting systems for tracking lost or stolen mobile devices [ref], methods for auditing accesses to files on lost or stolen devices [ref], systems for controlling the lifetimes of data on the Web [ref, ref], new methods for avoiding certain types of Web tracking [ref], new methods for censorship resistance and understanding censorship [ref], new methods for authentication [ref], new methods for protecting against certain classes of Web attacks [ref], methods for user-driven access control [ref], a user-interface toolkit designed for security [ref], and a secure method for embedding applications within Android [ref].

• Humans and Computer Security. Third, I believe that technologies should not be designed nor evaluated in isolation; rather, technologies should be considered in the broader milieu of users, other people in the users' environments, manufacturers, government bodies, public interest groups, and so on. This perspective permeates my research. Usability is part of this broader consideration, e.g., our study of graphical password usability [ref]. But usability is only one part. Much of my work has focused on understanding the interactions and trade-offs between security/privacy and other critical human values [ref, ref, ref]. For example, we interviewed cardiac device patients, found that some of the proposed security solutions for wireless implantable medical devices may interact with a person's self-image, sense of dignity, or psychological comfort, and then proposed defensive directions that account for these human values [ref]. We similarly interviewed ICTD practitioners to inform the design of future ICTD digital data collection platforms [ref]. We have also recently started to study privacy and online dating [ref] and the impacts of censorship on populations [ref]. Less directly related security and privacy, I am also interested in technologies that support mindfulness [ref, ref].

• Education. I am very interested in developing techniques to help increase the overall awareness and understanding of key computer security concepts amongst broad collections of individuals, including students (both those enrolled in computer security courses and those enrolled in general, introductory computing courses, including at the high school level), industry professionals (both technical and non-technical), and the general public. I introduced security reviews, current events reports, and science fiction prototyping into my undergraduate computer security course [ref]. Variants of these approaches have now been used at a number of universities, and my course's use of "security reviews" was discussed in Wired. In 2012 we introduced Control-Alt-Hack(TM), a computer security-themed card game designed to not only be fun to play, but to also help address our educational goals [ref, ref]. We also recently released the The Security Cards: A Security Threat Brainstorming Toolkit, which is a collection of 42 cards designed to assist in computer security-related brainstorming and education.

Computer security is a very broad field, and I also have a number of past and present projects that do not fall squarely under the above themes. For example, I recently did some work on "seeing through" obscure glass [ref], I am involved with the integrity preservation of records from the International Criminal Tribunal for Rwanda [ref], I conduct research at the intersection between applied and theoretical cryptography, e.g., [ref, ref, ref, ref, ref, ref], and I am a member of the Skein hash function design team [ref]. Please see my publications for additional information about these and other projects.

Additional information can be found at the UW Security and Privacy Research Lab home page. If you are interested in supporting UW CSE, please visit this URL (for general departmental support) or this URL (and search for "computer security").