Web Security and Privacy (WESP): Weaving Together Technology Innovation with Human and Policy Considerations


Start Date: May 9, 2009 End Date: August 8th, 2013
PIs: Nestor Catano (UMa) and Norman Sadeh (CMU)

Dual Degree Ph.D. Students: Alexandre Mateus (Engineering and Public Policy)

Teams: UMa, IST/UTL, UMinho, Carnegie Mellon University
Companies: Portugal Telecom / Sapo and IBM
url: http://wesp.cmuportugal.org

With the Web mediating an ever wider range of services, with the proliferation of access channels and with the increasing complexity of underlying Web technologies, providing users with the functionality, security and privacy they have grown to expect is becoming more challenging every day. Increasingly, users are expected to control a broad range of security and privacy policies, from security settings on their cell phones and computers all the way to privacy policies that control who can access their data on social networking sites. Yet studies have shown that users often have great difficulty specifying their preferences using existing policy authoring technologies. This in turn results in user frustration and major sources of vulnerability.

The very complexity of Web technologies also means that users find it increasingly difficult to determine what they can trust and what can be spoofed. This challenge is best illustrated by the emergence over the past few years of phishing attacks as a growing threat to individuals, companies and government organizations. The Gartner Group recently estimated that in 2007, phishing attacks just on consumers resulted in direct financial losses of over $3.2B. With the explosion of new mobile and pervasive computing applications, it becomes increasingly important to explore new mechanisms for establishing trust and reputation that better lend themselves to the spontaneous nature of many of the social interactions mediated by these new applications.

Emerging Web technologies and scenarios are also forcing governments and regulation agencies to frequently revisit the way in which they balance their dual role of maintaining trust and confidence in the infrastructure while simultaneously encouraging innovation. Policy makers need to make informed decisions that take stock of emerging usage scenarios and the limitations and costs of technologies available to enforce alternative regulatory regimes.

This project will address fundamental Web security and privacy questions that directly relate to the challenges identified above. It will do so through a research program that weaves together technology development and deployment efforts with human and policy considerations. Specifically, the project, which brings together three Portuguese universities (University of Madeira, University of Minho, and Instituto Superior Técnico), a multi-disciplinary team from CMU, and a Portuguese end-user organization, Portugal Telecom, is organized around five research tasks:

  • T1 – “User-Controllable Security and Privacy for Mobile and Social Networking Applications” will focus on the development and validation of novel policy authoring and auditing tools along with novel machine learning algorithms aimed at empowering users to more effectively control their security and privacy settings. This work will be validated in the context of actual deployments of mobile social software applications in Portugal and at Carnegie Mellon.
  • T2 – “Combating Phishing on the Fixed Internet and on the Move” will extend earlier research on combating phishing attacks and explore new tag-based solutions to help counter phishing attacks in the context of mobile and pervasive computing scenarios. These technologies will be evaluated through a combination of user studies and pilots.
  • T3 – “Trust Services: Building Trust through Identity, Design and Reputation” will develop and evaluate new interfaces and social networking mechanisms aimed at supporting trust in the context of mobile and pervasive computing scenarios.
  • T4 – “Lawful services” will evaluate the feasibility of automated approaches to detecting copyright violations in the context of services such as peer-to-peer networks.
  • T5 – “Trusted software” will complement work conducted in Tasks T1-T4 through the development of formal methods aimed at validating policy languages developed in the context of the other tasks.

Articles published in the Portuguese media:
  • Facebook: What if we could timely manage the information that we share? (Jornal I and Fibra Online, February, 2011)
  • Innovative Project Examines Privacy Online Habits (Ciência Hoje, January, 2011)