Workshop Program


Day 1 - June 7, 2017

09:00 Arrival of attendees and coffee
09:15 Welcome address


Session 1 - Privacy challenges


Krishna Gummadi, (MPI/CISPA - Max Planck Institute/Center for IT-Security, Privacy and Accountability, Saarbrücken, Germany)

Title: "Privacy and Fairness Concerns with PII-based Targeted Advertising"

AbstractAll popular social media sites like Facebook, Twitter, and Pinterest are funded by advertising, and the detailed user data that these sites collect make them attractive platforms for advertisers. Historically, these advertising platforms allowed advertisers to target users with certain attributes, but not to target users directly. Recently, most advertising platforms have begun allowing advertisers to target users directly by uploading the personal information of the users who they wish to advertise to (e.g., their names, email addresses, phone numbers, etc). Such targeting is referred to as custom audience targeting.
In this talk, I will discuss numerous privacy and fairness concerns that arise with such custom audience targeting on the Facebook ad platform. I will show how custom audience targeting would allow malicious advertisers to leverage existing public records (e.g., voter records) for discriminatory advertising (i.e., excluding people of a certain race), and how this type of discrimination is significantly more difficult for Facebook to detect automatically. We also find that the custom audiences can be abused by malicious advertisers to learn about hundreds of demographic, behavioral, and interest attributes of a Facebook user even with limited knowledge about their PII like their email addresses or phone numbers. Finally, we find that users generally have no control over their data that is used to create custom audiences. Overall, our results indicate that advertising platforms need to more carefully consider the privacy and fairness concerns that arise out of custom audience targeting.


Daniel Coloma (Data Transparency Lab - DTL, Telefonica)

Title: "The Power of Transparency"

AbstractMost popular Internet services rely on asymmetric business models, where people that get service do not pay directly for the service, and service providers monetize their services in alternative ways, most of them based on using people’s data for different purposes. However, few people are really aware of how much data is harvested from them, who has really access to that data and how that data is used. The Data Transparency Lab is an open initiative founded by Telefónica and other players intended to solve those answers for end-users, NGOs, regulators, journalists, etc.
In this talk some of the work done by the DTL will be explained as well as how Transparency is playing an important role in Telefónica, especially in the launch of the Aura initiative that was unveiled during Mobile World Congress. We will address some of the cases in which users can get direct benefits from their data while always being under control.

11:10 Coffee break


Session 2 - Security challenges


Jarno Niemela, (F-Secure Labs, Helsinki, Finland)

Title: "IOT, the current situation, and what should be done"

AbstractThe situation in IOT front is very close to what security used to be with PCs at late 90s and early 2000, when Internet was very new thing for PCs and vendors were interested in creating new things rather than fixing and maintaining what they have already sold. So as there are similarities in the problems, maybe there are also similarities in solutions that helped PCs reach the current security level.
In this talk, we will cover latest IOT threats and focusing on the reasons at the background of the current IOT situation and presenting thoughts how situation could be helped to improve from what it is.


Pablo San Emeterio Lopez (ElevenPaths/Telefonica, Madrid, Spain)

Title: "Mobile Threat Intelligence, how we collaborate on hunting bad guys"

Abstract: In this talk, we will introduce some cases in which we were able to point some guys that were behind some pieces of Android Malware, and helped withdraw them. In these cases, we use some tools developed inside ElevenPaths, the Cybersecurity Unit of Telefonica, that helps Telefonica security analysts in this task. With almost 1.5M apps on Android Markets, and between 3000 and 5000 new apps uploaded every day, detecting new threats quickly is not that easy with traditional tools. Moreover, nearly 2000 apps deleted every day. We need tools to gather all the information and let the intelligence do the hard work.

13:20 Lunch break with ​student poster presentations


Session 3 - Networking challenges


Alberto CORRAL (Akamai Technologies)

Title: "Internet challenges on a fast moving online business over a not dynamic environment called Internet"

AbstractThe talk will discuss what happened 18 years ago when Akamai was created and the goals the company was achieving at the time. It will touch on how Internet Business has evolved, and how Akamai moved to provide solutions to customer requirements in face of Internet protocols not evolving as fast as desired.


Christos Gkantsidis (Microsoft Research, Cambridge, UK)

Title: "mbTLS: Secure Communication for More Than Two Parties"

AbstractNetwork communications want to be encrypted: https has already surpassed in popularity the (unencrypted) http; other protocols enable encryption by default. This is great for protecting the integrity and the privacy of the communication, but, unfortunately, renders a number of network middleboxes unable to provide the performance and functionality benefits that the current Internet depends on. There is a pressing need to integrate middleboxes into secure communication sessions, without compromising security and without requiring a complete overhaul of existing protocols and practices.
We have designed and implemented Middlebox TLS (mbTLS), a small set of TLS extensions, that enables middleboxes to announce their presence and prove their capabilities to the TLS endpoints. mbTLS uses trusted computing technology (Intel SGX in our implementation) to provide security guarantees on untrusted hardware. mbTLS allows middleboxes to participate in the TLS session without compromising integrity or privacy, even if only one endpoint is mbTLS-aware, and with modest performance overhead.

16:30 Coffee break


Session 4 - Censorship and surveillance challenges


Phillipa Gill (University of Massachusetts at Amherst, MA, USA)

Title: "Developing a Science of Internet Censorship Resistance: Opportunities and Challenges for Network Measurement"

AbstractThe Internet has become a critical communication infrastructure for citizens to obtain accurate information, organize political actions, and express dissatisfaction with their governments. This fact has not gone unnoticed, with governments clamping down on this medium via censorship, surveillance and even large-scale Internet take-downs. As online information controls become more common, circumvention researchers are left working tirelessly to stay one step ahead. In this talk, I will present my research which leverages network measurement as a basis to stay one step ahead in the censorship arms race. First, I will present our characterization of attacks that correlate traffic entering and exiting the Tor anonymity system to deanonymize users. This characterization is the first to tackle the challenge of estimating the presence of adversaries on both forward and reverse network paths using empirical data. Our analysis shows that more than half of the time Tor builds a circuit that is vulnerable to these attacks. I will then discuss Astoria, a system that uses knowledge of network paths to build circuits that avoid traffic correlation attacks, effectively reducing the number of vulnerable circuits by 4X. In the second half of the talk, I will present our work measuring specifically which products are being used for censorship. While these products were originally designed to improve performance and protect users from inappropriate content, they are also used to censor Web content by authoritarian regimes around the globe. Using a combination of measurements by individuals in the field, and a novel experiment methodology we were able to identify two North American products being used by ISPs in Saudi Arabia, United Arab Emirates (UAE), Qatar and Yemen to block content protected in the UN Declaration of Human Rights. Finally, I will discuss ongoing work with the ICLab platform and how it is enabling rigorous measurements of censorship around the globe.

17:50 Closing address
20:30 Social dinner in the center of Madrid (for IMDEA faculty, IMDEA SC members, and invited speakers)


Day 2 - June 8, 2017

09:00 Arrival of attendees, coffee and starting address
  Session 5 - Privacy and security challenges 2

Jon Crowcroft (University of Cambridge, UK)

Title: "GDPR, ML and the Cloud"

Abstract: New data protection law has an consequence for the current model of cloud services (and IoT+Cloud style deployments) - in this talk, i present a top down and IoT+bottom up approach to tackling these problems, and outline some of the technical (network & operating) systems challenges that remain to enable these approaches.

10:10 Coffee break

Alessandro Mei (Sapienza University of Rome, Italy)

Title"Privacy in the Internet Era: Two Short Stories"

Abstract: Pervasive collection of human data have brought privacy concerns to a whole new level. Information technology is making cities "smart" and we live a life with the expectation that we are always connected and that we can do everything in the Internet. In the world we are shaping, privacy expectations are even higher than ever. In this talk, we will see two short stories related to privacy in the Internet: One from the use of Wi-Fi, one from the DarkWeb.


Matthias Hollick (Technische Universität Darmstadt, Germany)

Title: "All Your Wireless Are Belong To Us: Practical Attacks Against The Internet Of Things"

Abstract: The Internet of Things (IoT) is getting real: we are witnessing the massive deployment of Internet-connected devices at homes, workplaces, and in public spaces, which promise to transform our daily lives. IoT-devices are typically  wirelessly networked using standards such as Wi-Fi, Bluetooth, ZigBee or alike. This lifeline of the IoT is at the same time one of its weakest spots. 
In this talk, I will introduce how the IoT challenges the notion of security and privacy as we have known it in the "good old Internet days". I will then discuss a number of tools developed in my team to analyze the security of wireless access technologies that allowed us to demonstrate practical attacks against these technologies. First, I will present how Wi-Fi firmware modifications can transform your smartphone into a versatile, programmable tool for networking and security research and demonstrate attacks against the availability of Wi-Fi communications. Second, I will show how Wi-Fi can be used to inconspicuously exfiltrate data from networks with high data rates, without the ability to detect this exfiltration with off-the-shelf intrusion detection systems or regular Wi-Fi devices. Third, I will show that security solutions based on NFC-technology can easily be compromised if not secured by additional security means.

12:20 Lunch break with ​student poster presentations

Alumni event: "Career Development"
This is a student-oriented event that will count with the participation of former IMDEA Alumni, who will explain their experiences after they left the institute. 
Confirmed speakers:

  • Andra Lutu, IMDEA Alumnus, 2014 (currently at Simula School of Research and Innovation (SSRI), Fornebu, Norway)
  • Juan Camilo Cardona, IMDEA Alumnus, 2016 (currently at Cisco Systems, Barcelona, Spain)
  • Elli Zavou, IMDEA Alumnus, 2016 (currently at Inria Grenoble - Rhône-Alpes & INSA Lyon, France)
  • Angelos Chatzipapas, IMDEA Alumnus, 2016 (currently at Lloyds Banking Group, London, UK)
  • Jon Crowcroft (University of Cambridge, UK)
  • Jarno Niemelä (F-Secure Labs, Helsinki, Finland)
  • Phillipa Gill (University of Massachusetts at Amherst, MA, USA)
  • Christos Gkantsidis (Microsoft Research, Cambridge, UK)