Keith Ross: Exploring Internet Privacy

Keith Ross can find out who your friends are, where you live, if you’ve traveled recently, and even if you’re sharing files. Ross is the Leonard J. Shustek professor of computer science and department head at NYU-Poly, and along with fellow researchers and students, he has uncovered Internet privacy flaws on major sites like Skype and Facebook. His findings stand to impact hundreds of millions of Internet users around the world, and his work has helped build Poly’s reputation as a hub for Internet privacy research.

Last year, Ross teamed with colleagues in France and Germany to investigate potential privacy flaws in Skype. Ross and his team uncovered vulnerabilities that permitted them to track users’ locations as well as their file-sharing activity on sites like BitTorrent.

The researchers detected and exploited a security gap that allowed them to place undetected Skype calls to users with a process that revealed users’ IP addresses. They then used commercial geo-IP mapping services to find users’ locations. Over two weeks, they successfully tracked 10,000 random users—just a fraction of the 170 million Skype users who place calls each month.

“This flaw can exploited by an unsophisticated hacker with motivations ranging from the merely annoying—like a salesperson trying to build a marketing database —to the aggressive and concerning, like blackmail, stalking or fraud,” Ross explained.

As the Internet becomes increasingly central to communication, Ross sees the potential for a determined hacker to create highly detailed profiles of large numbers of people. “By exploiting security gaps and targeting users with lax privacy settings, a tremendous amount of sensitive information can be exposed,” Ross explained. He said it was possible for someone “to cross reference personal information from Facebook and combine it with details from web searches and sites like LinkedIn to uncover someone’s name, age, address, sexual orientation, employment or health history.”

Later this year, Ross will take his research into the vulnerabilities of Facebook one step further, publishing the findings of a study to determine whether the site can be exploited to compile detailed profiles of minors.

“The goal of our work is to determine where the vulnerabilities are and to see how far we can push them,” Ross said. “We have to understand how deep the problem is to recommend solutions.”

Ross acknowledges that these are some of the biggest Internet challenges of our time. And he and his colleagues are on the front lines, finding solutions.