Research interests: usable techniques and effective legal measures for privacy protection // privacy threats and forensic utility of inferences drawn from data // security and privacy in the software engineering process
Since October 2015 I am temporary professor for information security and privacy (Vertretungsprofessur) at University of Siegen. I am also associated to the Security in Distributed Systems Group at University of Hamburg. I hold a PhD in Computer Science (University of Hamburg, 2014) and a Diploma with Honors (equivalent to a M.Sc.) in Management Information Systems (University of Regensburg, 2008).
I work in the field of information security. Most of my work focuses on uncovering novel attacks on privacy and designing lightweight privacy enhancing techniques. My long-term goal is to analyze and overcome the circumstances that make it so difficult to resolve the conflicts between privacy and usability and the conflicts between privacy and security.
I teach in academic and non-academic settings, give public talks about the security implications of new technologies, and discuss my vision of the future with business people and policy makers. I also collaborate with scholars in related disciplines such as medicine, ethics, and law, for instance in our interdisciplinary Horizon 2020 project CANVAS.
My dissertation on Privacy Issues in the Domain Name System was awarded the GI-Dissertationspreis 2014 for the best computer science dissertation in Germany, Austria and Switzerland, the GI/CAST Promotionspreis IT-Sicherheit 2014, and the GDD-Wissenschaftspreis 2014. In 2014 I have received a GI Juniorfellowship of the German Computer Science Society. I am also honored to be the recipient of the Best Teaching Award 2016 of Fakultät III at University of Siegen.
Last updated: 16 March 2017.
Firstly, I want to create awareness for sophisticated attacks on privacy so that citizens understand what can be inferred about them by analyzing the digital traces they leave behind when they use modern information systems. For this line of work I collaborate with machine learning experts to design tailored analysis techniques that can be applied to real-world datasets (see our recent paper at AISec 2016). The same techniques can also be used to improve security, for instance in forensic investigations of attacks (see our paper at Sicherheit 2014 with case studies).
Secondly, I want to construct and evaluate privacy enhancing techniques that are effective and offer high usability for customers at the same time. In particular, I look into lightweight approaches that protect against specific observers (such as curious DNS servers) and are barely noticeable. In corporate environments privacy is often in conflict with security, for instance when the activities of employees are to be monitored in order to detect insider attacks (see our project DREI in the “Projects” section). I also consider the perspective of service providers by studying the effectiveness and efficiency of the business processes that enable users to exercise their legal right to access the data collected about them (see our paper at Sicherheit 2016).
Thirdly, I consider the needs of software engineers. Here my long-term goal is to improve the usability for engineers in order to foster the adoption of security and privacy techniques. I believe that easy-to-use frameworks, APIs, and practical strategies can help to achieve this goal. Initial research about requirements and possible solutions is carried out in our AppPETs project, which started in 2016 (scroll to the “Projects” section for an English abstract). Another activity in this line of work is our analysis of typosquatting attacks on software package repositories, which laid the ground for a currently running, more extensive study of the perils of such package repositories.
My student Nikolai Tschacher has released his bachelor thesis about typosquatting attacks on command-line based package managers. Nikolai carried out a covert field study in order to determine to what extent software developers make typos when they install packages on the command line. Installing packages on the command line has become popular with the advent of frameworks like NodeJS (npm) and languages like Ruby (gem). Typos during installation endanger development and production machines.
The CANVAS consortium will take three domains of application with unique value-profiles and complementing cybersecurity exigencies – the health system, finance, and police / national security – as starting point for outlining problems related to value-driven cybersecurity. Using a three-step process, CANVAS will (1) structure existing knowledge, (2) design a network for exchanging knowledge and generating insights across domains, and (3) disseminate the insights gained through three means: A reference curriculum, briefing packages for policy stakeholders, and a MOOC on value-driven cybersecurity.
The DREI project will design a distributed solution for security control centers that allows to detect insider attacks via anomaly detection. The project strives for high acceptance by implementing legal requirements regarding the privacy rights of employees.
AppPETs („Privacy Enhancing Technologies for mobile Apps“) aims at enabling developers to integrate privacy enhancing technologies into their smartphone apps. The project will set up a privacy infrastructure, which enables users to verify the protection of their personal data. Moreover, the project will study fair business models that are accepted by both vendors and users.
AN.ON-Next has the long-term vision to integrate privacy enhancing technologies into the infrastructure of the Internet to make them available and usable for everyone. To this end, the project will look into lightweight techniques that provide a basic level of protection as well as fundamental approaches that allow to provide strong protection without sacrificing bandwidth and latency. The concepts will be implemented and pilots will be evaluated with business partners.
In my PhD I focused on the privacy deficiencies of the Domain Name System, inference attacks, behavior-based tracking of users, and lightweight privacy enhancing technologies for DNS.
I am currently teaching at University of Siegen.
I am recipient of the Best Teaching Award 2016 of Fakultät III at University of Siegen.
I have been teaching at University of Hamburg since 2011 and at University of Regensburg since 2008. Apart from teaching in an academic setting, I have also been asked to contribute to various seminars for students and professionals, e.g., for udis (Ulmer Akademie für Datenschutz und IT-Sicherheit gGmbH), for AWW (Arbeitsstelle für wissenschaftliche Weiterbildung at University of Hamburg), and for RAV e.V. (Republikanischer Anwältinnen- und Anwälteverein e.V.).
I am a member of Gesellschaft für Informatik since 2006.
Conference and Workshop Organization:
Program Committee Memberships and Journal Reviews:
Since October 2015 I am temporary professor for information security and privacy („Vertretungsprofessur“) at University of Siegen. Before that I was a member of the Security in Distributed Systems Group chaired by H. Federrath at University of Hamburg, where I graduated with a PhD in Computer Science in 2014. Before I moved to Hamburg in 2011, I worked at University of Regensburg as a research and teaching assistant at the Chair of Management of Information Security (now chaired by D. Kesdoğan) since 2008. At University of Regensburg I was also a Program Coordinator („Studiengangskoordinator“) of the Faculty of Business, Economics and Management Information Systems, coordinating enrollment processes and course evaluation. I studied Management Information Systems („Wirtschaftsinformatik“) at University of Regensburg and University College Dublin and graduated with a Diploma with Honors (equivalent to a M.Sc.) in Management Information Systems in 2008. My diploma thesis on website fingerprinting received the CAST-Förderpreis 2008 and the GDD-Förderpreis 2008. My studies were sponsored by the German National Academic Foundation (Studienstiftung des Deutschen Volkes), the Röchling Foundation, and the Bavarian state (BayBFG).