MADWeb 2023 Program


Awards

Best paper award
Can You Tell Me the Time? Security Implications of the Server-Timing Header
Vik Vanderlinden, Wouter Joosen, and Mathy Vanhoef (imec-DistriNet, KU Leuven)

Best paper runner-up award
Bridging the Privacy Gap: Enhanced User Consent Mechanisms on the Web
Carl Magnus Bruhner (Linköping University), David Hasselquist (Linköping University, Sectra Communications), and Niklas Carlsson (Linköping University)

Best presentation award
Applying Accessibility Metrics to Measure the Threat Landscape for Users with Disabilities
John Breton and AbdelRahman Abdou (Carleton University)


Friday, March 3, 2023 (all times in PT, UTC-8)
8:00am - 9:00am Breakfast
9:00am - 9:15am Welcome and Opening Remarks
9:15am - 10:15am

Abstract: Web privacy measurement has often focused on the implementation specifics of various tracking techniques, developing ways to block them, and producing browser add-ons which demonstrate such blocking. However, while over 20 years of this focus has yielded lots of papers, citations, and media coverage, there has been limited real-world impact. A much more promising approach to effecting systemic change at scale is to shift attention away from how tracking is performed towards evaluating if such tracking is compliant with a growing body of applicable regulations.
In this talk I will offer perspectives on compliance measurement at scale, drawing lessons from my experience in the worlds of academic research, civil liberties advocacy, class litigation, and industry. Common themes will be explored and large-scale compliance measurement technologies will be presented in-depth. Likewise, insights on how computer scientists may effectively work across and between disciplinary boundaries will be presented. Ultimately, the most effective means to achieve change at scale is not to build another add-on, it is to build coalitions of experts working together to ensure technology, business, and regulation exist in harmony.

Short Bio: Timothy Libert is a Staff Privacy Engineer at a Large Advertising Company where he is responsible for authoring and enforcing the internal cookie and web storage policy, designing cookie compliance architectures, and developing internal privacy trainings.
Prior to this position he was co-founder and Chief Technology Officer of webXray, a faculty member at Carnegie Mellon University's Privacy Engineering graduate program, and a researcher at CMU's CyLab. During this time, he consulted extensively with national- and state-level privacy regulators and civil litigants on high-profile data protection actions in the United States and abroad.
Dr. Libert is a recognized leader in privacy governance with hundreds of articles written about his research in major news outlets around the world, as well as interviews with major radio and television programs such as All Things Considered and Good Morning America. He has written editorials in The New York Times, The Guardian, and STAT. He has published research manuscripts in high-profile venues in medicine, social science, computer science, and information science. His open-source software webXray has been used in major privacy investigations and compliance tasks.

10:15am - 10:45am BREAK
10:45am - 12:15pm Session 1: Privacy & Fairness

Session chair: Jason Polakis (University of Illinois Chicago)

  Bridging the Privacy Gap: Enhanced User Consent Mechanisms on the Web
Carl Magnus Bruhner (Linköping University), David Hasselquist (Linköping University, Sectra Communications), and Niklas Carlsson (Linköping University)
  Applying Accessibility Metrics to Measure the Threat Landscape for Users with Disabilities
John Breton and AbdelRahman Abdou (Carleton University)
  Are some prices more equal than others? Evaluating platform-based price differentiation
Hugo Jonker (Open University of the Netherlands, Radboud University), Stefan Karsch (TH Köln), Benjamin Krumnow (TH Köln + Open University Netherlands), and Godfried Meesters (Open University of the Netherlands)
12:15pm - 1:30pm LUNCH
1:30pm - 2:30pm

Abstract: The Internet has become a hostile place for users’ traffic. Network-based actors, including ISPs and governments, increasingly practice sophisticated forms of censorship, content injection, and traffic throttling, as well as surveillance and other privacy violations. My work attempts to expose these threats and develop technologies to better safeguard users. Detecting and defending against adversarial networks is challenging, especially at global scale, due to the Internet’s vast size and heterogeneity, the powerful capabilities of in-network threat actors, and the lack of ground-truth on the counterfactual traffic that would exist in the absence of interference. Overcoming these challenges requires new techniques and systems, both for collecting and interpreting evidence of hostile networks and for building defensive tools that effectively meet user needs.
In this talk, I’ll first cover my approach to monitoring Internet censorship. I introduced an entirely new family of censorship measurement techniques, based on network side-channels, that can remotely detect censorship events occurring between distant pairs of network locations. To overcome the systems and data science challenges of operating these techniques and synthesizing their results into a holistic view of online censorship, my students and I created Censored Planet, a censorship observatory that continuously tests the reachability of thousands of popular or sensitive sites from over 100,000 vantage points in 221 countries. Next, I’ll discuss our efforts to understand and defend the consumer VPN ecosystem. Although millions of end-users rely on VPNs to protect their privacy and security, this multibillion-dollar industry includes numerous snakeoil products, is laxly regulated, and remains severely understudied. To address this, my lab created VPNalyzer, a project that aims to bring transparency and better security to consumer VPNs. Our work includes a cross-platform test suite that crowd-sources VPN security testing, coupled with large-scale user studies that aim to understand the needs and threat models of VPN users.

Short Bio: Roya Ensafi is a Morris Wellman assistant professor of computer science and engineering at the University of Michigan, where her research focuses on Internet security and privacy, with the goal of creating techniques and systems to better protect users online. She is particularly passionate about online censorship, geo-discrimination, surveillance, and related threats to Internet freedom. Prof. Ensafi is the founder of Censored Planet, a global censorship observatory. She has studied Russia’s throttling of Twitter, HTTPS interception in Kazakhstan, and China’s Great Cannon attack, among many other instances of network interference. She is a recipient of the Google Faculty Research Award, the NSF Research Initiation Initiative award, multiple IRTF Applied Networking Research Prizes, and the Consumer Reports Digital Lab fellowship. Her work has been cited in popular publications such as The New York Times, Newsweek, Business Insider, Wired, and Ars Technica.

2:30pm - 3:00pm Session 2: User Study

Session chair: Shehroze Farooqi (Palo Alto Networks)

  Why do Internet Devices Remain Vulnerable? A Survey with System Administrators
Tamara Bondar, Hala Assal, and AbdelRahman Abdou (Carleton University)
3:00pm - 3:30pm BREAK
3:30pm - 4:30pm Session 3: Web Attacks & Vulnerabilities

Session chair: Shehroze Farooqi (Palo Alto Networks)

  Can You Tell Me the Time? Security Implications of the Server-Timing Header
Vik Vanderlinden, Wouter Joosen, and Mathy Vanhoef (imec-DistriNet, KU Leuven)
  Tag of the Dead: How Terminated SaaS Tags Become Zombies
Takahito Sakamoto and Takuya Murozono (DataSign Inc.)
4:30pm - 5:00pm Best Paper Award and Closing Remarks




MADWeb 2025, in cooperation with the NDSS Symposium