CyLab researchers set to present their work at PETS 2025

Carnegie Mellon University faculty members and students are preparing to share their research at the 2025 Privacy Enhancing Technologies Symposium (PETS).

Held annually, the 25th PETS will be a hybrid event taking place July 14-19, with a physical gathering held in Washington, D.C. and a concurrent virtual event.

PETS brings together privacy experts from around the world to discuss recent advances and new perspectives on research in privacy technologies. PETS addresses the design and realization of privacy services for the Internet and other digital systems and communication networks.

Here, we’ve compiled a list of papers co-authored by CyLab researchers that will be presented at the event.

Privacy Settings of Third-Party Libraries in Android Apps: A Study of Facebook SDKs

Authors: David Rodriguez, Universidad Politécnica de Madrid; Joseph A. Calandrino, Carnegie Mellon University; Jose M. Del Alamo, Universidad Politécnica de Madrid; and Norman Sadeh, Carnegie Mellon University

Abstract: Previous studies have demonstrated that privacy issues in mobile apps often stem from the integration of third-party libraries (TPLs). To shed light on factors that contribute to these issues, we investigate the privacy-related configuration choices available to and made by Android app developers who incorporate the Facebook Android SDK and Facebook Audience Network SDK in their apps. We compile these Facebook SDKs' privacy-related settings and their defaults. Employing a multi-method approach that integrates static and dynamic analysis, we analyze more than 6,000 popular apps to determine whether the apps incorporate Facebook SDKs and, if so, whether and how developers modify settings. Finally, we assess how these settings align with the privacy practices that developers disclose in the apps’ privacy labels and policies. We observe widespread inconsistencies between practices and disclosures in popular apps. These inconsistencies often stem from privacy settings, including a substantial number of cases in which apps retain default settings over alternatives that offer greater privacy. We observe fewer possible compliance issues in potentially child-directed apps, but issues persist even in these apps. We discuss remediation strategies that SDK and TPL providers could employ to help developers, particularly developers with fewer resources who rely heavily on SDKs. Our recommendations include aligning default privacy settings with data minimization principles and other conservative practices and making privacy-related SDK information both easier to find and harder to miss.

Rethinking Fingerprinting: An Assessment of Behavior-based Methods at Scale and Implications for Web Tracking

Authors: Kyle Crichton, Georgetown University; Lorrie Faith Cranor, Carnegie Mellon University; and Nicolas Christin, Carnegie Mellon University

Abstract: Most common forms of web tracking fail to maintain the continuity of a user’s identity over long periods of time: cookies get deleted, IP addresses are reassigned, attributes used for browser fingerprinting change. These identity discontinuities help prevent adversaries from conducting persistent long-term tracking. In fact, many privacy-enhancing technologies (e.g., automatic cookie deletion, use of proxy servers, fingerprint obfuscation) are predicated on the ability of identity discontinuities to disrupt an adversary’s tracking capability. While only evaluated on a limited scale, behavioral fingerprinting—identifying users based on habitual patterns in their web browsing—may provide adversaries the key to linking users’ identities across these discontinuities.

To assess this potential threat, we provide an analysis of behavioral fingerprinting at scale, with over 150,000 users across two years, and the first assessment of the impact of these techniques on user anonymity online. Overall, we find that behavioral fingerprints are relatively unique, with most browsing sessions retaining little to no anonymity even at scale. Furthermore, users’ behavioral fingerprints are consistent, evolving slowly over the course of months to years. Together, these findings satisfy the preconditions for effective identity linking. We go on to demonstrate that optimal performance is achieved when an adversary can observe 15–25 browsing sessions prior to a discontinuity and 10–15 sessions after. However, an adversary can eliminate 84–95% of a user’s anonymity having observed just a single session pre- and post-discontinuity. After a discontinuity occurs, a user loses an average of 78–85% of their anonymity within the first 60 seconds of browsing and 90% of their anonymity within the first 10 minutes—largely negating the anonymity gains of privacy protections that induce discontinuities. We find that visiting fewer web pages, diversifying the websites visited, and avoiding niche content can help a user’s browsing remain anonymous. Finally, we demonstrate that the combination of behavioral and browser fingerprinting can outperform each method individually, achieving an F1 score of 0.869 across 100,000 users.

Sybil-Resistant Parallel Mixnets

Authors: Maya Kleinstein, Hebrew University of Jerusalem; Riad S. Wahby, Carnegie Mellon University; and Yossi Gilad, Hebrew University of Jerusalem