With our research we attempt to create awareness for attacks on privacy, for instance, via fingerprinting and inferring sensitive attributes. Thus, we help citizens understand what others can learn about them. We analyze and visualize digital traces of humans as well as the network connections and the behavior of applications. These techniques can also be used to improve security, for instance, during forensic investigations of attacks.
Secondly, we construct and evaluate privacy enhancing techniques that are effective and offer good usability. In particular, we are interested into lightweight approaches that protect against specific observers (such as curious DNS servers) and are barely noticeable. We also consider the hurdles that are encountered in corporate environments where privacy is often in conflict with security, for instance when the activities of employees are to be monitored in order to detect insider attacks. Finally, we also consider the perspective of service providers by studying the effectiveness and efficiency of the business processes that enable users to exercise their legal right to access the data collected about them. In this area we collaborate with scholars from the legal field as well as data protection agencies.
Thirdly, we consider the needs of software engineers. Our long-term goal is to improve the usability for engineers in order to foster the adoption of security and privacy techniques. Easy-to-use frameworks, APIs, and practical strategies will help to achieve this goal.
PrivacyScore.org (in public beta since June 2017) is an automated website scanner that allows anyone to investigate websites for privacy and security issues. Users can submit URLs of individual websites or scan a list of related websites to learn how they compare against each other.
On the one hand, public benchmarks improve transparency for citizens; on the other hand, such benchmarks can used by data protection agencies to audit service providers. In the long run, we want to find out whether public “blaming and shaming” and/or transparent comparisons of sites within their peer group create additional incentives that increase the willingness of site operators to implement additional security and privacy measures.
CANVAS (“Constructing an Alliance for Value-driven Cybersecurity”, 2017–2019, H2020 CSA) has been the first European project to provide an integrative view on the ethical and regulatory issues of cybersecurity. CANVAS unified technology developers with legal and ethical scholar and social scientists to approach the challenge how cybersecurity can be aligned with European values and fundamental rights. The project published various openly accessible deliverables: briefing packages, an open-access book on cybersecurity, a free MOOC, and a reference curriculum with case studies. Website: canvas-project.eu
EMPRI-DEVOPS (BMBF, 2018–2021) focuses on Employee Privacy in DevOps enviroments. With the digitization of the world of work, there is an increasing number of personal data that can be evaluated by employers. This applies also and especially to the area of software development with its many digital processes. DevOps tools may allow employers to excessively analyze the behavior of employees by evaluating metadata generated by such tools. The project analyzes the resulting privacy risks and studies how existing tools can be modified for better privacy protection. Website: empri-devops.de
The aim of WINTERMUTE (BMBF, 2020–2023) is to manage increasingly complex communication networks and protect them from attacks without violating the privacy of the network's users. These conflicting goals are addressed with methods of artificial intelligence and machine learning as well as privacy-preserving techniques. Website: projekt-wintermute.de
Wearables such as fitness trackers that record and analyze health data are popular. At the same time, only a few users read and understand the complicated privacy policies that come with their devices. As a result, it often remains unclear to them how their data will be processed. The InviDas project aims to improve awareness and generate insights about users' data profiles. The project builds a web-based platform to empower users to make informed decisions about how they use their devices. The platform makes devices and providers comparable and shows which data is exchanged with whom and for what purpose. Written privacy policies are made more accessible via data visualization and gamification. Website: invidas.gi.de
DiKuLe (“Digitale Kulturen der Lehre entwickeln”, sponsored by Stiftung Innovation in der Hochschullehre, 2021–2024) is a project that develops digital teaching and learning concepts at University of Bamberg. In the project, an environment for creating professional videos will be developed, innovative open source tools for smart didactics will be introduced, and blended learning formats in digital teaching-learning labs will be refined. The results will be disseminated through transfer-oriented exchange formats within the University of Bamberg and made available to other universities. The measures will be evaluated in a participatory manner. Website: uni-bamberg.de/dikule/
Selected publications are listed below. The complete list of all publications involving Dominik Herrmann is available in the DBLP computer sience bibliography for now.
Michael Mühlhauser, Henning Pridöhl, Dominik Herrmann:
How Private is Android's Private DNS Setting? Identifying Apps by Encrypted DNS Traffic.ARES 2021: 14:1-14:10
Abstract: DNS over TLS (DoT) and DNS over HTTPS (DoH) promise to improve privacy and security of DNS by encrypting DNS messages, especially when messages are padded to a uniform size. Firstly, to demonstrate the limitations of recommended padding approaches, we present Segram, a novel app fingerprinting attack that allows adversaries to infer which mobile apps are executed on a device. Secondly, we record traffic traces of 118 Android apps using 10 differnet DoT/DoH resolvers to study the effectiveness of Segram under different conditions. According to our results, Segram identifies apps with accuracies of up to 72 % with padding in a controlled closed world setting. The effectiveness of Segram is comparable with state-of-the-art techniques but Segram requires less computational effort. We release our datasets and code. Thirdly, we study the prevalence of padding among privacy-focused DoT/DoH resolvers, finding that up to 81 % of our sample fail to enable padding. Our results suggest that recommended padding approaches are less effective than expected and that resolver operators are not sufficiently aware about this feature
Max Maaß, Henning Pridöhl, Dominik Herrmann, Matthias Hollick:
Best Practices for Notification Studiesfor Security and Privacy Issues on the Internet. ARES2021: 90:1-90:10
Abstract: Researchers help operators of vulnerable and non-compliant internet services by individually notifying them about security and privacy issues uncovered in their research. To improve efficiency and effectiveness of such efforts, dedicated notification studies are imperative. As of today, there is no comprehensive documentation of pitfalls and best practices for conducting such notification studies, which limits validity of results and impedes reproducibility. Drawing on our experience with such studies and guidance from related work, we present a set of guidelines and practical recommendations, including initial data collection, sending of notifications, interacting with the recipients, and publishing the results. We note that future studies can especially benefit from extensive planning and automation of crucial processes, i. e., activities that take place well before the first notifications are sent
Oleg Geier, Dominik Herrmann:
The AppChk Crowd-Sourcing Platform: Which Third Parties are iOS Apps Talking To? SEC2021: 228-241
Abstract: In this paper we present a platform which is usable by novice users without domain knowledge of experts. The platform consisting of an iOS app to monitor network traffic and a website to evaluate the results. Monitoring takes place on-device; no external server is required. Users can record and share network activity, compare evaluation results, and create rankings on apps and app-groups. The results are used to detect new trackers, point out misconduct in privacy practices, or automate comparisons on app-attributes like price, region, and category. To demonstrate potential use cases, we compare 75 apps before and after the iOS 14 release and show that we can detect trends in app-specific behavior change over time, for example, by privacy changes in the OS. Our results indicate a slight decrease in tracking but also an increase in contacted domains. We identify seven new trackers which are not present in current tracking lists such as EasyList. The games category is particularly prone to tracking (53% of the traffic) and contacts on average 36.2 domains with 59.3 requests per minute.
Max Maass, Alina Stöver, Henning Pridöhl, Sebastian Bretthauer, Dominik Herrmann, Matthias Hollick, Indra Spiecker:
Effective Notification Campaigns on the Web: A Matter of Trust, Framing, and Support. USENIX Security, 2021.
Abstract: Misconfigurations and outdated software are a major cause of compromised websites and data leaks. Past research has proposed and evaluated sending automated security notifications to the operators of misconfigured websites, but encountered issues with reachability, mistrust, and a perceived lack of importance. In this paper, we seek to understand the determinants of effective notifications. We identify a data protection misconfiguration that affects 12.7 % of the 1.3 million websites we scanned and opens them up to legal liability. Using a subset of 4754 websites, we conduct a multivariate randomized controlled notification experiment, evaluating contact medium, sender, and framing of the message. We also include a link to a public web-based self-service tool that is run by us in disguise and conduct an anonymous survey of the notified website owners (N=477) to understand their perspective.
We find that framing a misconfiguration as a problem of legal compliance can increase remediation rates, especially when the notification is sent as a letter from a legal research group, achieving remediation rates of 76.3 % compared to 33.9 % for emails sent by computer science researchers warning about a privacy issue. Across all groups, 56.6 % of notified owners remediated the issue, compared to 9.2 % in the control group. In conclusion, we present factors that lead website owners to trust a notification, show what framing of the notification brings them into action, and how they can be supported in remediating the issue.
Jacob Leon Kröger, Jens Lindemann, Dominik Herrmann:
How do app vendors respond to subject access requests?: a longitudinal privacy study on iOS and Android Apps. ARES 2020: 10:1-10:10
Abstract: EU data protection laws grant consumers the right to access the personal data that companies hold about them. In a first-of-its-kind longitudinal study, we examine how service providers have complied with subject access requests over four years. In three iterations between 2015 and 2019, we sent subject access requests to vendors of 225 mobile apps popular in Germany. Throughout the iterations, 19 to 26% of the vendors were unreachable or did not reply at all. Our subject access requests were fulfilled in 15 to 53% of the cases, with an unexpected decline between the GDPR enforcement date and the end of our study. The remaining responses exhibit a long list of shortcomings, including severe violations of information security and data protection principles. Some responses even contained deceptive and misleading statements (7 to 13%). Further, 9% of the apps were discontinued and 27% of the user accounts vanished during our study, mostly without proper notification about the consequences for our personal data. While we observe improvements for selected aspects over time, the results indicate that subject access request handling will be unsatisfactory as long as vendors accept such requests via email and process them manually.
Research Areas in Detail
Inference Attacks: Privacy Threats and Forensic Utility
Encrypting or anonymizing data is not always sufficient to protect the privacy of users. Attackers may be able to infer sensitive pieces of information by searching for patterns in harmlessly-looking data. Such inference attacks are applicable in various settings, such as identifying visited websites via website fingerprinting, even though they are transmitted encryptedly (e.g., via a VPN or Tor), identifying the used browser from encrypted traffic (which may help adversaries to deliver targeted malware to users), identifying the apps that are installed on a smartphone based on their DNS requests (even when DNS over HTTPS is being used), and identifying users on the network based on their browsing behavior.
Transparency Platforms and Notification Campaigns
Service providers make conscious and unconscious decisions that affect their users, potentially exposing them to privacy and security risks in the process. One area of our research is to analyze how “naming and shaming” can be used to incentivize owners. We also study the effectiveness of individualized notifications of providers. Such studies are subject to legal and ethical challenges, which makes them particularly interesting.
Usable Techniques and Legal Measures for Privacy Protection
The benefits of digitization often result from the systematic collection and evaluation of information about systems and people. If personal data is to be processed, legal requirements must be taken into account and technical measures are necessary. The challenge here is to make the complexity manageable for users, developers, and operators – while retaining the benefits of the collected data collected.