Events & News

ZISC organizes a number of events. The annual ZISC Workshop brings together leading experts to present and discuss their latest research results on chosen information security and privacy topics. The weekly ZISC Lunch Seminar presentations illustrate the research done at the affiliated research groups and invite exciting speakers from other research institutes and companies.

Latest News

Design for Digital Cash nominated for ETH Spark Award

Decentralized cryptocurrencies such as Bitcoin or Ether have become popular over the last few years, a development that has not gone unnoticed by central banks. Due to this popularity, as well as the increasing digitalization of payments and the steadily diminishing role of cash in society, central banks around the world are increasingly interested in deploying a digital equivalent of cash, a so-called central bank digital currency (CBDC).

Even though most recent research on digital currencies focuses on blockchain technology, it is unlikely that this technology provides the optimal solution for a CBDC, in particular because a CBDC has an inherently centralized trust model.
Former ZISC researcher Karl Wüst, together with ZISC researchers Kari Kostiainen and Srdjan Capkun, has developed a privacy-focused design for such a CBDC, called Platypus, that works in this centralized trust model. Platypus was recently nominated for the ETH Spark Award, which is awarded yearly to the most promising invention at ETH in the previous year, and was selected as one of the Top 5 finalists. As part of the nomination process, ETH produced a video about each finalist's invention, which was released during the award ceremony last week.

In Platypus, users trust the central bank for the integrity of the currency (e.g. to ensure that a user cannot spend the same money twice), but not for their privacy. The system uses zero-knowledge proofs to ensure that no party, including the central bank, can see any information about a transaction other than that it is a valid payment. The system design also includes mechanisms to enforce compliance rules in a privacy-preserving way. For example, such a rule could require a user to report high-value transactions to a regulator. Platypus ensures that users cannot circumvent such rules, while fully protecting their privacy against any party other than the regulator.
More information can be found in the research paper.

Solving deceptive cookie banners with machine learning

Cookie banners are fooling users into consent, and websites do not respect user choices. ETH researchers have shown the prevalence of this deceptive website behavior and developed a solution: CookieBlock, a browser extension that uses machine learning to protect users’ privacy.

Cookies make web browsing stateful. They enable website customization and authenticated sections. However, they are also used to track users’ behavior for targeted advertising. Privacy regulations such as the GDPR and the ePrivacy Directive therefore came into force to limit the latter usage. Websites are no longer allowed to set tracking cookies without users’ consent, so they use cookie banners to inform users and let them choose what private data the website can use.

However, the practice of cookie banners is far from what the regulations intended. Prior research showed that these consent banners are largely non-compliant, as they nudge users to accept all cookies or they are incomplete and do not conform to the regulations.

Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin also investigated the effectiveness of the consent banners. They focused on banners that offer specific choices of which cookie categories the user may accept. They found at least one potential legal violation on almost 95% of websites. These violations are not only about deceptive content. More than 20% of websites use cookies that the user specifically rejected, and 70% of websites activate cookies prior to any user interaction with the banner in the first place. This suggests that the majority of websites do not enable users to protect their privacy according to regulations. Users are again as vulnerable as before the GDPR, but this time they are also annoyed and deceived by the banners.

Given the vast prevalence of these violations, it is difficult for data protection authorities to enforce the law.

“We cannot expect the websites to mitigate all the violations, we have to give the power to users to protect themselves. That is why we developed the browser extension CookieBlock.”

CookieBlock uses machine learning to categorize cookies into privacy categories, namely useful cookies as “necessary” or “functional” and tracking cookies as “analytics” and “advertising”. When users install CookieBlock, they are asked which categories they allow and which should be rejected; this is meant to be the last consent that the users ever need to grant to cookies. CookieBlock then monitors all cookies, automatically classifies them, and removes those in rejected categories.

Since CookieBlock works in the browser, it truly removes privacy-threatening cookies even if the website uses them in disregard of the law. It also works independently of the user’s location, so users outside of the EU can enforce the same privacy protection as the GDPR mandates for EU citizens.

CookieBlock is available for Chrome, Firefox, Edge, and Opera browsers (Safari cannot be supported for technical reasons). The installation and setup are easy: just three clicks enable the protection. Since machine learning is prone to errors, the extension popup allows adding exceptions for websites, much as ad blockers do. The authors improve CookieBlock continuously and try to prevent issues on websites. Lastly, CookieBlock is not meant for removing the cookie banners themselves; it just supersedes them. Yet for the user’s convenience, the authors recommend installing the extension “I don’t care about cookies” or uBlock Origin with Annoyances filters (e.g., EasyList Cookie). The latter provides further privacy protection for safe browsing.

Bollinger D, Kubicek K, Cotrini C, Basin D: Automating Cookie Consent and GDPR Violation Detection, 31st USENIX Security Symposium, August 2022 (Preprint). https://www.usenix.org/conference/usenixsecurity22/presentation/bollinger

SCION enters everyday service

Members of the ETH community who need a fast, secure and reliable internet connection for their data now have an alternative: SCION network technology, invented at ETH Zurich, is now also available to any ETH lecturers, researchers or employees with special security, performance or reliability requirements.

SCION is a fast, secure and reliable alternative to conventional internet infrastructure. It was invented and developed at ETH Zurich by Adrian Perrig, Professor of Computer Science, and his Network Security Group. Other computer science professors play a key role, too: David Basin’s Information Security Group helps maintain the high security of the system and Peter Müller’s Program Methodology Group helps ensure the security of the implementation.

The name SCION stands for “Scalability, Control, and Isolation On Next-Generation Networks”. In contrast to conventional internet infrastructure, a data packet sent via SCION is not only provided with the receiving address, but already contains the entire route it is to take on its way through the internet at the time of sending. This means that with SCION, data packets don’t take detours – as they often do in today’s internet – and confidential data doesn’t go astray unexpectedly.

Now, as part of its “SCION @ ETH Domain (SCI-ED)” project, IT Services (ITS) has installed the SCION network at ETH Zurich. From now on, ITS will operate the data network for the ETH community and make it available to members on demand. SCION has yet to be integrated into the IT Service catalogue. Should any group have a need to use SCION, they can contact ITS and ITS will look at how best to provide it to them.

Read the full article here.

SCION Day 2022
26 January 2022, from 9:00 a.m.

To present the latest developments in the SCION secure internet architecture to various interested parties from science and industry, the Network Security Group, together with ETH spin-off Anapaya and AWK Group, has organised the SCION Day 2022.

This full-day event will take place on 26 January 2022 as an online event with a livestream. It is divided into two parts: in the morning, there will be a presentation of the latest technical advances in research and industry, and the afternoon will focus on the latest business developments concerning SCION. The event is free of charge and requires registration.

For registration and details, please visit https://scion-architecture.net/pages/scion_day_2022/

ZISC faculty member Prof. Perrig named IEEE Fellow

The IEEE Fellow Committee announced the newly elevated IEEE Fellows of 2021 — amongst them is ZISC faculty member and ETHZ Professor Adrian Perrig. This distinction recognises the extensive research and outstanding accomplishments in any of the IEEE fields of interest.

Adrian Perrig has been named IEEE Fellow for his contributions to network and system security. Perrig’s research in attestation has led to the new research area of software-based attestation and has had a profound impact on hardware attestation techniques. His TESLA protocol has shaped the field of broadcast authentication, has been widely used in industry and academia, and is today considered for the authentication of Galileo GNSS. Perrig’s work on SPINS has formed the foundation for ZigBee security, which is deployed today in hundreds of millions of devices. Furthermore, his work on the SCION Internet architecture is the first inter-domain routing architecture with global deployment since BGP’s deployment in 1994.

We congratulate Professor Perrig on this mark of great respect from the technical community, which is considered an important career achievement!

The annual ZISC Report for 2021 is published

Although 2021 was a challenging year with regard to the ongoing Covid situation, our ZISC researchers continued their excellent work and were able to deliver promising results in both main mandates: applied research projects with the industry partners and long-term basic research.

Our researchers and partner companies worked on multiple projects and addressed fundamental challenges in information security and privacy, while also making contributions to projects that have societal importance beyond academia and industry.

Please read the details in our recently published ZISC REPORT 2021.

The ZISC center wishes you all a healthy and successful 2022!