Measuring privacy-enhancing technologies

Abstract

The digitalization of all parts of our lives is ongoing. Apart from the positive aspects of digitalization, the momentum of this progression is also disrupting current, well-defined practices. These practices include broad areas like jurisdiction, parts of the economy, and sociological and democratic practices, including privacy. Although privacy is and stays a fundamental human right, the way we perceive, honor, and live with this right has changed. Additionally, the amount of information that is handled by technical systems has increased considerably. Different communities approached this problem from diverse – including legal, sociological, and philosophical – vantage points. The technical community responded with privacy-enhancing technologies (PETs), which provide the same functionality but reduce necessary data to enhance privacy. These systems are vital tools to enhance users’ privacy, but to what extent is often unclear. Therefore, we need measurement systems to study the impact of privacy-enhancing technologies.This thesis improves online privacy from a technical vantage point by measuring PETs. This is accomplished by advancing the state of the art by designing and implementing measurement systems to examine large-scale or long-term measurements. We conduct measurements, combine different approaches and techniques, and overcome technical, organizational, and ethical challenges. Afterwards, we empirically evaluate the results and derive parameters of interest. In each step, we strive to practice openness.This thesis addresses different areas. First, we analyze the security and privacy of data in transit, which is most commonly achieved with Transport Layer Security (TLS). The capabilities of TLS are extensive, and it can be seen as the fundament of today’s web security. However, research gaps still exist. Consequently, we summarize and extend the results of our large-scale study of TLS in Non-HTTP settings. Further, we develop and evaluate new approaches for cipher suite scanning, which is an important tool to evaluate the current status of the TLS ecosystem. We then describe the long and challenging process of fully adopting HTTPS and showed multiple ways to support it. Last, we introduce a new approach that generates client-side rewrite rules automatically. Second, we consider potential middlemen that could infer private information from metadata. Because threats from malicious actors are highly studied, we focus on so-called trusted parties, like Internet service providers. We monitor techniques from different Internet providers with our long-term net neutrality study, including middleboxes and methods used for blocked and non-existing DNS requests. We also solve the scalability problem for cellular network measurement frameworks. A low entry threshold for unique measurement opportunities in a specific country or internationally is created with our SIM decoupling method. Third, we analyze technical systems that let users protect their metadata, in particular, anonymity systems. Therefore, we present a novel way to analyze the network routes taken by traffic from and to the Tor network, the most prominent anonymity system online. We extend previous research that relies on the analysis of BGP routing information and simulations and utilize the RIPE Atlas framework to measure network routes. With this thesis, we refine existing measurement methods. We define, implement, deploy, and evaluate novel measurement frameworks. We conduct measurements to indicate the current state, and we gain insights into the causes of poor PETs deployment quality.