MC2 Researchers Present Three Papers at IEEE Symposium on Security and Privacy

Published May 20, 2022

Faculty, postdocs and students in the Maryland Cybersecurity Center (MC2) are presenting three papers at the 43rd IEEE Symposium on Security and Privacy, held this year from May 23–26 in San Francisco while also being streamed online in a hybrid format.

The topics covered by the MC2 researchers involve security education, online protection for at-risk users, and “blocklisting”—a computer security protocol that lists items in a set that may require quarantine, exclusion or additional security scans.

“These papers show a broad range of MC2 work dealing with important real-world issues in security and privacy,” says Michelle Mazurek, associate professor of computer science and the director of MC2.

Mazurek is a co-author on two papers being presented. The first, “Investigating Influencer VPN Ads on YouTube,” explores the prevalence of YouTube influencer marketing ads for security and privacy products such as VPNs.

It examines how widespread these types of ads are, where on YouTube they are found, and what kind of information they convey.

Using qualitative analysis, the researchers determined that these ads commonly discuss broad security guarantees as well as specific technical features, yet ultimately produce potentially misleading claims, including overpromises and exaggerations.

The paper’s co-authors are Dave Levin, an assistant professor of computer science; computer science doctoral students Omer Akgul and Richard Roberts; and Moses Namara, a human-centered computing doctoral student at Clemson University who received an undergraduate degree in computer science from UMD.

Another paper, “SoK: A Framework for Unifying At-Risk User Research,” organizes what is known about at-risk users—people who experience elevated digital security, privacy and safety threats because of what they do, who they are, or where they are—into a framework that the digital-safety community can use to better protect these individuals online.

It examines the digital safety concerns of people considered to be at-risk users, such as those who identify as LGBTQ+, women living in repressive regions, and survivors of intimate partner abuse. These are populations that can be more prone to spear-phishing campaigns, attacks by nation-state actors, or pervasive surveillance by intimate partners.

The researchers analyzed 85 papers focused on these populations and created an at-risk framework: 10 contextual risk factors that can augment or amplify common, high-priority digital-safety threats and their resulting harms, and the protective practices at-risk users employ to mitigate these risks.

Going forward, the researchers believe their work can be used to identify opportunities for future research and to provide a structure for researchers and technology creators to more comprehensively ensure that everyone can engage safely online.

In addition to Mazurek, co-authors on the paper are Omer Akgul; Noel Warford, a fourth-year doctoral student in computer science; Kaitlyn Yang, a senior majoring in computer science; Nathan Malkin, a postdoctoral researcher in MC2; and a team of researchers from Google.

A third paper, “SNARKBlock: Federated Anonymous Blocklisting from Hidden Common Input Aggregate Proofs,” introduces scalable anonymous blocklisting, a tool that can be used to combat online harassment, trolling and spam messages.

The paper is co-authored by Ian Miers, an assistant professor of computer science; Michael Rosenberg, a first-year computer science doctoral student; and Mary Maller, a cryptography researcher at the Ethereum Foundation.

In the paper, the researchers identify a common problem in many online forums: that banning a user on one platform leaves the user free to post under other accounts and on other platforms.

This can present two problems for the forum operator—access control and revocation. Because the user’s identity is unknown at post submission, the service provider cannot verify that the user is authorized to post, that is, that they aren’t blocked.

Existing approaches require that servers do work linear in the size of the blocklist for each verification of a non-membership proof, which can be costly and leave them open to attacks.

The researchers present SNARKBlock, a new protocol for zero-knowledge blocklisting with server-side verification that is logarithmic in the size of the blocklist. It is also the first approach to support ad-hoc, federated blocklisting: websites can mix and match their own blocklists from other blocklists and dynamically choose which identity providers they trust.

“SNARKBlock lets website owners block abusive users, even when the user identity is not known and without tracking users. This allows online speech to be both anonymous and accountable,” says Miers.

In addition to their work in MC2, Levin, Mazurek and Miers all have appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).

—Story by Melissa Brachfeld

The Maryland Cybersecurity Center (MC2) is jointly supported by the A. James Clark School of Engineering and the College of Computer, Mathematical, and Natural Sciences. It receives substantial technical and administrative support from UMIACS.