We know companies are collecting and sharing our data. Is there anything we can do about it?

The Mon(IoT)r Lab run by David Choffnes, an associate professor in the Khoury College of Computer Sciences, is an apartment outfitted with cutting-edge smart devices, where researchers study how data is collected and shared online. Photo by Matthew Modoono/Northeastern University

It’s a trade-off we make nearly every day: In order to use a service to stay in touch with friends, or to watch our favorite television show, we consent to giving up certain information about ourselves to companies that track us and sell our data.

Usually, our personal information is used to learn our habits, and ultimately, get us to buy something. Occasionally, this information is intercepted by a hacker or leaked in a breach.

And yet, within this networked world, there exist ambiguities about how data is collected and shared online that are unclear even to the people who study these systems—though it isn’t for lack of trying.

From left to right, Alan Mislove, David Choffnes, and Woodrow Hartzog. Photos by Matthew Modoono and Adam Glanzman/Northeastern University

David Choffnes, an associate professor of computer sciences at Northeastern, studies internet-connected systems, focusing on privacy and security. He has examined how mobile applications, video doorbells, smart speakers, and other smart devices send data about users to technology companies and other third-parties.

His colleague, Alan Mislove, a professor of computer science and fellow member of the Cybersecurity and Privacy Institute at Northeastern, has developed award-winning work in understanding how personal data is shared and used by other parties such as Facebook. His research revealed that despite the changes Facebook has made, the algorithm the company uses to deliver advertisements still skews toward specific demographic groups—illustrating the difficult task of ensuring fairness in algorithms. 

David Choffnes, assistant professor in CCIS; Jingjing Ren, doctoral candidate; and Daniel Dubois, postdoctoral research assistant conduct research in the Mon(IoT)r Lab. Photo by Matthew Modoono/Northeastern University

And, Northeastern law professor Woodrow Hartzog, who specializes in privacy and data protection law, has long maintained that the laws that govern privacy on the internet fall short of protecting users as much as they should.

Combining their expertise, the researchers are teaming up on a five-year project that aims to develop a stronger understanding of how data collection can affect the privacy of users. Funded by a $10 million grant from the National Science Foundation, the initiative is anticipated to produce new technologies that safeguard personal data collected over the internet, as well as inform policy development around personal data privacy.

“What’s really exciting for us is being able to tie all of these pieces together that we’ve often been somewhat siloed into looking at one piece at a time: mobile apps, IoT (internet of things) devices, or Alan with Facebook, or Woody on the policy side,” said Choffnes. “Now we get to tie this all together, because in the end, this collection of personal data is a tangled web. We have an opportunity to untangle this web and propose ways to build it in a different way that leads to better privacy protections for consumers.”

Led by the University of California, Irvine, the project—conducted under the National Science Foundation’s Secure and Trustworthy Cyberspace Frontiers program—will additionally involve the collaboration of researchers from the University of Iowa and the University of Southern California. 

The Northeastern team will seek to develop technologies to identify how internet-connected devices collect user data, and build new systems and standards to protect that data. The project will also integrate economic and policy changes to enable durable and sustainable privacy changes. 

“The idea is we don’t just want to be a tempest in a teapot of privacy research where we make a lot of noise, but nothing changes,” Choffnes said. “By having integrated onto our team folks like Woody Hartzog—and counterparts at other universities—we can turn our findings and observations into recommendations for new laws that would take our recommendations and put them into practice.”

Policy changes aside, the researchers intend to work with the manufacturers of devices to come up with better approaches, said Choffnes, and in general, devise a new way of doing things to which the industry would be amenable. The goal, said Choffnes, is to ensure a win-win for companies and consumers; he believes that companies can embrace a monetization model that allows them to thrive without putting consumers at risk.

“We want to come up with systems that move privacy in a better direction for everyone, as opposed to just focusing on one or a handful of companies at a time,” he said.

An additional component of the project, he said, is the allotment of funding for activities at Northeastern and the other institutions to improve diversity and inclusiveness in the computer science field.

For media inquiries, please contact media@northeastern.edu.