CITP: Stitching Up the Internet of Things

News Body

August 2, 2016

Prof. Nick Feamster and Ph.D. student Sarthak Grover

Princeton Ph.D. student Sarthak Grover’s conclusion about the Internet of Things (IoT) at the Federal Trade Commission’s PrivacyCon in January was direct: Be Afraid.

The target of his warning was what he and his adviser, Computer Science Professor Nick Feamster, call the Internet of Unpatched Things, where so-called smart devices can be remarkably dumb—especially when it comes to protecting the privacy and security of the people who buy them.

Many IoT devices on the market have security vulnerabilities that are discovered only after they reside in thousands of homes and that may never be patched. Unless users receive and install updated software, they risk having unwelcome visitors dissect their day-to-day activities with surprising ease. One example that Grover and Feamster tested was a digital photoframe that allows users to download new pictures anytime to Granny’s bedside. Unfortunately, it also lets in eavesdroppers and attackers—who may spy on your photos, learn your email address or even install malware—because “the photoframe fails to encrypt its traffic or authenticate any incoming traffic,” Grover explained.

“As a first step, we’re trying to raise awareness,” he said. “As consumers, we often figure ‘my device is popular so it must be OK.’ Our presentation showed that even widely deployed, popular devices leak information about you and your home to third parties, where even unsophisticated parties can observe user activities and private data. Solutions to these problems will require a combination of new technology and sound policy.” [To watch a video of Grover’s presentation to the FTC, click here.]

This kind of real-world, people-oriented research is bread and butter for Princeton’s Center for Information Technology Policy (CITP), a nexus of expertise in technology, engineering, public policy, and the social sciences to address digital technologies as they interact with society.

Ed Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs, founded CITP in 2005. Feamster, who joined the CS faculty last year from Georgia Tech, is serving as acting director through July 2017, when Felten returns from a posting as deputy chief technology officer in the White House’s Office of Science and Technology Policy.

CITP strives to present technical research in ways that are actionable for policymakers and palatable to the public. By explaining computer science findings in forums like the FTC’s PrivacyCon—as well as the center’s own public conferences, lectures, and Freedom to Tinker blog—CITP makes sure that this knowledge is not locked away in an ivory tower.

CITP’s research projects address a broad spectrum of public interest issues that lie at the intersection of technology and society. Their goals include uncovering security vulnerabilities in electronic voting machines, developing ways to improve government transparency, measuring and improving users’ quality of experience when using the Internet, studying the performance and reliability of broadband Internet access, exploring issues raised by Bitcoin and other cryptocurrencies, and studying the capability for and consequences of “de-anonymization” of datasets that were supposedly scrubbed of personal identifiers.

CITP-affiliated Ph.D. student Steve Englehardt also presented at the FTC PrivacyCon conference. He discussed OpenWPM, an open-source platform for measuring online privacy, in a presentation called “The Web Never Forgets.” With his adviser, CS faculty and CITP member Arvind Narayanan, he and others developed the platform as part of CITP’s Web Transparency and Accountability Project.

CITP is also a leader in developing continuous measurements of Internet censorship; the center measures Internet censorship practices in nearly 200 countries around the world. Feamster is working with two postdoctoral research associates, Roya Ensafi and Philipp Winter, who are studying China’s Great Firewall, examining how censors use “active probing” to identify and block servers being used to circumvent censorship. Feamster leads a team of researchers producing the most comprehensive study of Internet filtering and controls; the team designs and builds systems that perform automated scans for these censoring behaviors, collecting reliable data across time and on a global scale. The researchers also are working on tools that make it easy for activists, policymakers, and other researchers to use the measurements to better understand where and how Internet censorship takes place around the world.

CITP also is working on projects that explore how machine learning and artificial intelligence can affect society, such as when these algorithms result in discrimination. CITP researchers led by Ed Felten are designing what they call “accountable algorithms.” Computers now count votes, approve loans and pick targets of police scrutiny, but the bureaucracies and laws governing these decisions lag behind the technology. Recent graduate Joshua Kroll’s dissertation developed tools to help govern decision-making code. An interdisciplinary group of scholars affiliated with CITP is developing ways to apply these new algorithms.

During the next few years, CITP plans to place special emphasis on security and privacy for the Internet of Things. In addition to continuing technical research in this area, CITP is planning several events that bring together the broader community to discuss and tackle issues on this topic.

CITP will host a public conference on tech policy issues surrounding security for IoT on Oct. 21 in the Friend Center convocation room. Attendees will include representatives from civil society groups, government and industry as well as academics from disciplines ranging from computer science to sociology. The conference will kick off the broader research initiative.

“We think that CITP’s position as part of both the School of Engineering and Applied Science and the Woodrow Wilson School gives the center the rare ability to bring together both technical and policy experts to work on practical solutions for Internet of Things security policy,” said CITP Associate Director Joanna Huey. More information will be available in September.

CITP will organize its second policy hackathon in Spring 2017, most likely around the theme of the Internet of Things and smart cities. CITP organizes hackathons that bring together technologists and policymakers. The first such hackathon, on the topic of transportation policy, took place in February. The civic hacking group Code for Princeton co-organized the event, which also received support from local groups, including the municipality of Princeton. 

Feamster says that while the center’s relatively small scale means that it must be judicious in selecting specific topics to focus on, the center has uniquely broad ambitions for reshaping the world of tech policy.

“CITP brings technologists, social scientists, and policymakers together to address public interest issues at the intersection of digital technology and public life,” he said.  “It is the only center of its kind that has roots in world-class engineering and public policy departments. We aim to ensure that technologists have a seat at the table where tech policy decisions are made, by both engaging directly on these issues and educating the next generation of tech-savvy policymakers.”

— Doug Hulette

Photo Credit: David Kelly Crow