Professor Douglas Leith, Chair of Computer Systems
- New tech report: Two Models are Better than One: Federated Learning Is Not Private For Google GBoard Next Word Prediction. We demonstrate that the words a user types on their mobile handset, e.g. when sending text messages, can be recovered with high accuracy under a wide range of conditions and that counter-measures such as use of mini-batches and adding local noise are ineffective. This raises obvious privacy concerns. (30th Oct 2022)
- What Data Do The Google Dialer and Messages Apps On Android Send to Google? We find that these apps tell Google when message/phone calls are made/received. The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange. The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google. In addition, the timing and duration of other user interactions with the apps are sent to Google. There is no opt out from this data collection. On foot of this report Google say that they plan to make multiple changes to their Messages and Dialer apps. (14th March 2022, accepted for SecureComm 2022)
- The app data is sent via the Google Play Services Clearcut logger and Google/Firebase Analytics. The data is binary encoded, but we have reverse engineered much of the format used and posted details on github, including scripts for decoding captured data. Instructions for capturing raw data from your phone are given here.
It's Not Just Google That's Using Android OS To Watch What You're Doing:
- Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets. An in-depth analysis of the data sent by six variants of the Android OS, namely those developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS. (6th Oct 2021)
Comparing Privacy of Android and iOS:
- Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google, the first systematic study of data that iPhones share with Apple and directly comparing data sharing by Apple iOS and Google Android. (25th March 2021, updated 10th June 2021. Now published in Proc SECURECOM 2021)
- You should be able to reproduce the measurements in this report yourself. I've created setup instructions. These are for a MacBook plus iPhone, but I'll add more later. Note that it's necessary to use an older iPhone in order for the jailbreak to work (I've used an iPhone 8 and an iPhone 6s).
Web Browser Privacy:
- Web Browser Privacy: What Do Browsers Say When They Phone Home? (24th Feb 2020, updated 19th March 2020, now published in IEEE Access).
Covid-19 Contact Tracing Apps:
- Coronavirus Contact Tracing App Privacy: What Data Is Shared By The Singapore OpenTrace App? (28th April 2020)
Update 27th June 2020: Accepted for SecureComm 2020.
See also: Podcast and Short Talk at IEEE Security & Privacy Conference, May 2020
- Coronavirus Contact Tracing: Evaluating The Potential Of Using Bluetooth Received Signal Strength For Proximity Detection (6th May 2020)
Update 18th Aug 2020: Accepted for ACM Computer Communications Review.
Measurement data from this report. See also news reports in: Science, New Scientist
- Tech report: A Coronavirus Contact Tracing App Replay Attack with Estimated Amplification Factors (19th May 2020)
- Tech report: Measurement-Based Evaluation Of Google/Apple Exposure Notification API For Proximity Detection In A Commuter Bus (15th June 2020)
Update: Accepted for PLOS One.
Measurement data from this report. See also news reports in: BBC News, Irish Times, Irish Examiner, Telegraph.
- GAEN Due Diligence: Verifying The Google/Apple Covid Exposure Notification API (16th June 2020)
Update 23rd August 2020: Accepted for Corona Defcon21 Workshop, part of NDSS 2021
- We were invited to make a submission to the Oireachtas (the Irish parliament) committee that is considering Ireland's response to the pandemic. Our submission is here (16 June 2020).
- Measurement-Based Evaluation Of Google/Apple Exposure Notification API For Proximity Detection In A Light-Rail Tram (26th June 2020)
Update 16th Sept 2020: Accepted for publication in PLOS ONE
Measurement data from this report. See also some German news coverage: Heise, Deutsches Arzteblatt, Frankfurter Allgemeine Zeitung, Bild. And a more recent New York Times retrospective on the efficacy of COVID apps.
- Countries using the Google/Apple API publish the TEKs of the handsets of infected people. We've started to monitor these to track trends; see here. (28th June 2020)
- We've made available the GAEN Logger app that we used for testing/verification of Google/Apple API operation, although it also highlights how people running apps based on the Google/Apple API need to be aware of how that might affect their privacy.
- I was invited to take part in an interesting online panel discussion on contact tracing apps organised by the German National Academy of Science, video of proceedings (15th July 2020)
- Contact Tracing App Privacy: What Data Is Shared By Europe's GAEN Contact Tracing Apps (18th July 2020)
Update 7th Dec 2020: Accepted for publication in Proc IEEE INFOCOM 2021.
Short presentation at INFOCOM 2021
Some news coverage: Wall St Journal, Bloomberg, Heise, ZDF, Irish Independent, thejournal.ie, Irish Times, Hill Times Canada, Saldo.ch
- Tech report: Contact Tracing App Privacy: What Data Is Shared By Non-GAEN Contact Tracing Apps (11th Jan 2021)
Update 14th May 2020: Accepted for publication in Mobile Networks and Applications.
Predictive Analytics & Decision Making Under Uncertainty
Multipath Transport and Coded TCP
And some links for students ...