Learning to Protect User Data

When you open WebMD.com to check symptoms, the domain places one cookie on your browser. Pop over to ESPN.com for the latest scores, and 49 cookies start tracking user information. Click on Wired.com to browse the headlines and their server transmits 102 cookies.

While utility functions of certain session cookies and first-party cookies can enhance user experience and improve website functionality, such as maintaining shopping items in your cart or retaining login information, privacy-invasive cookies enable third-party tracking and selling of user data.

A team of computer science students in the COMP_SCI 312, 412: Data Privacy course — Hunter Disco, Harrison Gillespie, Sebastian Myhr, and Joseph Prette — investigated and classified the cookies of 500 top-performing websites and built the Cookie Analysis Dashboard to increase user awareness. Of the 11,333 cookies scored by the team, they considered only 129 to be fully safe.

“Individuals and organizations often trust institutions with their data with the expectation that our data is private from others or to the handling institutions and that it is not used for unfair practices,” said Sruti Bhagavatula, assistant professor of instruction at Northwestern Engineering.

Bhagavatula emphasizes "security by design," a concurrent strategy for incorporating security and privacy from the start of working with or building any general application. This mindset resonated with Disco, who graduated this month with a dual degree in computer science and cognitive science and plans to pursue a career in software development.

“If you're going to do any sort of app development, you need to know what is best for the user,” Disco said. “I wanted to learn the techniques to build safely.”

Gillespie and Prette took CS 312/412, in part, to learn how their personal data is being collected and used on the internet.

“I wanted to understand what I can do to be safer online, limit the information collected on me when I’m going to different websites, and reduce the risk of my data being leaked during some type of attack,” Prette said.

Launched by Bhagavatula in winter 2022, CS 312/412 Data Privacy introduces students to mechanisms and protocols used to preserve data privacy, including algorithmic fairness, database anonymization, differential privacy, and anonymous communication protocols.

During a showcase event on June 5, 11 teams presented the work they developed over the quarter.

Analyzing privacy perceptions

A team including computer science students Matthew Britt-Webb, Gregorio Chavez, Clark Hanlon, and Gracelyn Shi analyzed user comprehension of the privacy policies for OpenAI’s and Anthrophic’s large language models (LLMs).

Quizzed on key policy areas, the team’s survey respondents misunderstood data deletion and data retention claims, misinterpreted data disclosure terms, and over- or under-estimated company practices around data collection. Shi explained, for example, that most of the team’s study participants believe OpenAI is much more invasive than it is, assuming incorrectly that the company aggregates public web data to augment user profile data.

“With Claude.ai, the response was the exact opposite. A lot of people thought they do not collect this data even though it explicitly mentions in the privacy policy that they do,” Shi said. “This gap in the perception versus the reality leads to issues around informed consent. Users don't really know what they're using. They don't know when their data is being collected. And they're making these very uninformed decisions about a tool that is so ubiquitous and completely affects our lives.”

To support users as they attempt to navigate LLM privacy policies and improve comprehension, the team designed a lightweight AI tool that simplifies the terminology and structure of complex statements and allows users to ask clarifying questions.

The CS 312/412 Data Privacy student team of Mariama Bah, Hein Kim, Gulsimo Osimi, and George Philip also explored data privacy perceptions, specifically the gap between what users say about their data privacy concerns versus the actions they take to preserve their privacy. They analyzed the attitudes, knowledge, and behaviors of 43 Northwestern students and 14 faculty members and found that, while unauthorized access to personal data is a universal concern, students tended to prioritize convenience and utility over privacy to a larger degree than faculty members.

The team’s survey also revealed that both the students and faculty members prefered receiving privacy education from more informal sources, with students obtaining information primarily from social media sources, and faculty relying on trial and error or conversations with friends and coworkers.

“The findings of our study really imply that we need to have privacy education that's more than just about awareness,” said Philip, who graduated this month with a degree in computer science. “We need to teach users the linkage between the actions that they take and the adverse effects it can have on their privacy.”

Building on the foundations of security

In CS 312/412, Bah, Kim, Osimi, and Philip built on the knowledge and skills they gained in the COMP_SCI 308: Foundations of Security course.

“The two classes really complement each other well and they help students build foundational knowledge of everything you need to know in order to keep your information safe and keep your devices safe,” said Osimi, who is earning a combined bachelor’s degree in statistics and data science and master’s degree in computer science and plans to pursue a career in technical project management. “If I want the project or product to be trustworthy, I need to know about the risks that it can expose the consumers to, and I need to know how to prevent those risks.”

Bhagavatula launched CS 308 in fall 2023 as a defensive security course applicable to any CS major who will be building systems, in whatever context. Focused on safeguarding systems and data, defensive security measures identify and mitigate vulnerabilities and implement protocols to prevent or detect unauthorized activity.

Through hands-on web application modules and other practical assignments, CS 308 students learn concepts including threat modeling, designing secure applications, security and software design, authentication, cryptography, access control, data security, and security beyond the technology.

“After taking Foundations of Security, I had a much better understanding of the concrete things we can do to protect our data by designing technologies with security in mind, said Kim, who graduated this month with a bachelor’s degree in computer science and starts med school in the fall at the University of Illinois Urbana-Champaign’s Carle Illinois College of Medicine.

Through the Foundations of Security course, Bhagavatula hopes that students learn to develop a defensive security mindset and will apply best practices in security enhancement, such as modeling system weaknesses, when designing any kind of technology.

"Security is not optional, though it is often treated that way as designers of systems tend to focus on functionality and efficiency when trying to put out a product. This is evidenced through the prevalence of data breaches and security incidents in the news,” Bhagavatula said. “Overall, I want students to become comfortable with the idea of ‘defending’ their systems as they build them from the ground up."

From rejecting cookies to disabling tracking on apps and browsers to using a VPN, Kim, Osimi, Bah, and Philip have changed their behavior because of CS 308 and CS 312/412.

“What I found when I took these classes was that what we assume must be complex, sophisticated ways of infiltrating systems, is often just exploiting vulnerabilities due to simple human error, like reusing passwords,” Philip said. “We live in an era where data is the new money, and we need to preserve it.”