In this work, we model the end-to-end pipeline of the advertising ecosystem, allowing us to identify two main issues with the current trajectory of private advertising proposals. First, prior work has largely considered ad targeting and engagement metrics individually rather than in composition. This has resulted in privacy notions that, while reasonable for each protocol in isolation, fail to compose to a natural notion of privacy for the ecosystem as a whole, permitting advertisers to extract new information about the audience of their advertisements. The second issue serves to explain the first: we prove that perfect privacy is impossible for any, even minimally, useful advertising ecosystem, due to the advertisers' expectation of conducting market research on the results. Having demonstrated that leakage is inherent in advertising, we re-examine what privacy could realistically mean in advertising, building on the well-established notion of sensitive data in a specific context. We identify that fundamentally new approaches are needed when designing privacy-preserving advertising subsystems in order to ensure that the privacy properties of the end-to-end advertising system are well aligned with people's privacy desires.

Large language models have shown considerable abilities across many tasks, but their capacity to detect sensitive user information from text raises significant privacy concerns. While recent approaches have explored sanitizing text to hide private features, a deeper challenge remains: distinguishing true privacy preservation from deceptive transformations. In this paper, we investigate whether LLM-based sanitization reduces private feature leakage without misleading an adversary into confidently predicting incorrect labels. Using LLM as both sanitizer and adversary, we measure leakage using two entropy-based metrics: Empirical Average Objective Leakage (E-AOL) and Empirical Average Confidence Boost (E-ACB). These allow us to quantify not only how accurate adversarial predictions are, but also how confident they remain post-sanitization. We posit that deception, while reducing adversarial accuracy, will also increase confidence in incorrect inferences, and hence reduced accuracy alone should not be interpreted as true privacy. We show that while current LLMs can hide private features, their transformations sometimes cause deception. Finally, we evaluate the semantic utility of sanitized outputs using sentence embeddings, LLM-based similarity judgments, and standard metrics like BLEU and ROUGE. Our findings emphasize the importance of explicitly distinguishing between privacy and deception in LLM-based sanitization and provide a framework for evaluating this distinction under realistic adversarial conditions.

This study examines the pedagogical approaches and experiences of community-engaged educators—individuals who teach privacy, online safety, or security to specific communities through community organizations, companies, or local institutions, such as libraries. We draw on interviews with 21 such educators across the United States and find that, unlike some privacy and security advice that may emphasize knowledge retention of common skills and strategies, these educators prioritized teaching for independent decision-making. Our participants conceptualized privacy literacy as a process for taking informed action, and, from their insights, we identified five core competencies of privacy literacy: (1) data fluency, (2) account security, (3) fraud detection, (4) information vetting, and (5) surveillance capitalism. Notably, these competencies integrate privacy, security, and online safety concepts into privacy literacy—reflecting an increasingly integrated threat landscape. Embedded within the communities they serve, these educators shared their deep understanding of their students’ needs, which varied dramatically, and shared ways in which they tailored their programming accordingly. However, educators also shared significant teaching constraints, including limited time, resources, and organizational support. We discuss the implications of our findings for privacy literacy and for supporting community-engaged privacy literacy efforts.

We present SEED, a system that enables the deployment of distributed privacy-preserving micro-services in the cloud while maintaining the secrecy of user code and data and ensuring correct, complete results. Unlike prior approaches that minimize the TCB by pushing large parts of the software stack outside the enclave, SEED includes the entire container software stack—from the application layer up to the operating system—inside the TCB. This holistic design protects proprietary software, datasets, and optional ML models from exposure; prevents leakage of sensitive inputs or queries; and thwarts metadata-inference attacks that could reveal workload identity or versioning. Yet we achieve an optimized TCB (22 MB in total), over 30× smaller than the typical 690 MB TCB for confidential privacy-enhancing VMs. In practice, SEED runs on AMD SEV-SNP–capable machines and supports real container workloads (i.e., TensorFlow, OpenVINO inference, PyTorch training, Redis, NGINX, Apache httpd). We demonstrate that SEEDCore matches or outperforms mainstream runtime workload deployment, staying within 5% of native throughput and reaching up to 6× higher performance on CPU-bound jobs. Finally, we conduct a thorough privacy and security evaluation against 11 cloud attack vectors and show that SEED blocks or confines every exploit that remains possible even under the state-of-the-art Gramine-TDX model, thanks to late binding, per-container PCR chains, and continuous in-TEE attestation throughout the workload’s lifetime.

The rapid growth of platforms for customizing Large Language Models (LLMs), such as OpenAI’s GPTs, has raised new privacy and security concerns, particularly related to the exposure of user data via third-party API integrations in LLM apps. To assess privacy risks and data practices, we conducted a large-scale analysis of OpenAI’s GPTs ecosystem. Through the analysis of 5,286 GPTs and the 44,102 parameters they use through API calls to external services, we systematically investigated the types of user data collected, as well as the completeness and discrepancies between actual data flows and GPTs’ stated privacy policies. Our results highlight that approximately 35% of API parameters enable the sharing of sensitive or personally identifiable information, yet only 15% of corresponding privacy policies provide complete disclosure. By quantifying these discrepancies, our study exposes critical privacy risks and underscores the need for stronger oversight and support tools in LLM-based application development. Furthermore, we uncover widespread problematic practices among GPT creators, such as missing or inaccurate privacy policies and a misunderstanding of their privacy responsibilities. Building on these insights, we propose design recommendations that include actionable measurements to improve transparency and informed consent, enhance creator responsibility, and strengthen regulation.

Mainstream messaging platforms offer a variety of features designed to enhance user privacy, such as password-protected chats and end-to-end encryption (E2EE), which primarily protect message contents. Beyond contents, a lot can be inferred about people simply by tracing who sends and receives messages, when, and how often. This paper explores user perceptions of and attitudes toward 'untraceability', defined as preventing third parties from tracing who communicates with whom, to inform the design of privacy-enhancing technologies and untraceable communication protocols. Through a vignette-based qualitative study with 189 participants, we identify a diverse set of features that users perceive to be useful for untraceable messaging, ranging from using aliases instead of real names to VPNs. Through a reflexive thematic analysis, we uncover three overarching attitudes that influence the support or rejection of untraceability in messaging platforms and that can serve as a set of new privacy personas: privacy fundamentalists, who advocate for privacy as a universal right; safety fundamentalists, who support surveillance for the sake of accountability; and optimists, who advocate for privacy in principle but also endorse exceptions in idealistic ways, such as encryption backdoors. We highlight a critical gap between the threat models assumed by users and those addressed by untraceable communication protocols. In particular, many participants understood untraceability as a form of anonymity, but interpret it as senders and receivers hiding their identities from each other, rather than from external network observers. We discuss implications for the design of strategic communication and user interfaces of untraceable messaging protocols, and propose framing untraceability as a form of 'altruistic privacy', i.e., adopting privacy-enhancing technologies to protect others, as a promising strategy to foster broader adoption.

Recent research on online censorship has provided valuable insights into common censorship strategies and censors' tolerance for collateral damage. A consistent finding across these studies is that censors tend to favour cost-effective techniques such as proxy enumeration, active probing, and deep packet inspection (DPI), rather than more complex and non-deterministic methods such as deep learning-based traffic analysis. For example, a recent study on the Snowflake censorship evasion system reinforced this finding by demonstrating that authoritarian regimes primarily relied on DPI to target the system. However, as censorship techniques continue to evolve, two critical questions arise: (1) What future attack vectors are likely to emerge based on current research and observed censor capabilities? (2) How can these emerging threats, along with previously utilised censorship methods, be effectively mitigated? In this paper, we present Obscura, a censorship evasion system designed to resist cost-effective, historically grounded censorship techniques while also defending against a class of plausible future attacks within a cost-effective threat model targeting WebRTC-based censorship evasion systems. Obscura is built upon four core features: (1) encapsulation of traffic within WebRTC media streams, (2) the use of a reliability layer, (3) support for both browser-based and Pion-based clients and proxy instances, and (4) the use of ephemeral proxies. Each feature is intended to mitigate either a known attack observed in the wild or a theoretically plausible attack consistent with the capabilities of a cost-effective censor. We provide a security analysis to justify our design choices and a performance evaluation to demonstrate that Obscura maintains reasonable throughput for typical online activities.

As chatbots become increasingly integrated into group conversations on instant messaging platforms, concerns arise about their impact on user privacy. While prior research has examined chatbot risks in one-on-one interactions, little is known about how users perceive and respond to privacy threats in group settings, where chatbots may silently access messages and metadata. To address this gap, we conducted an online survey (N=374) across five popular messaging platforms—WhatsApp, Discord, Telegram, Viber, and LINE—to evaluate user awareness, understanding of chatbot access, privacy concerns, and behavioral responses. We found that many users were unaware of bots in their group chats and significantly underestimated their data access: only 41.7% correctly identified what messages chatbots could access. Privacy concerns also rose sharply after users learned about actual bot permissions. Based on our findings, we propose a five-stage model that captures how users detect, interpret, and respond to chatbot-related privacy risks. We further analyzed the designs of platforms with official chatbot support through this model and found mismatches between design choices and user expectations. Finally, we offer design recommendations to improve transparency and user control in group chatbot-interactions.

Ensuring transparency of data practices related to personal information is a core requirement of the General Data Protection Regulation (GDPR). However, large-scale compliance assessment remains challenging due to the complexity and diversity of privacy policy language. Manual audits are labour-intensive and inconsistent, while current automated methods often lack the granularity required to capture nuanced transparency disclosures. In this paper, we present a modular large language model (LLM)-based pipeline for fine-grained word-level annotation of privacy policies with respect to GDPR transparency requirements. Our approach integrates LLM-driven annotation with passage-level classification, retrieval-augmented generation, and a self-correction mechanism to deliver scalable, context-aware annotations across 21 GDPR-derived transparency requirements. To support empirical evaluation, we compile a corpus of 703,791 English-language privacy policies and generate a ground-truth sample of 200 manually annotated policies based on a comprehensive, GDPR-aligned annotation scheme. We propose a two-tiered evaluation methodology capturing both passage-level classification and span-level annotation quality and conduct a comparative analysis of seven state-of-the-art LLMs on two annotation schemes, including the widely used OPP-115 dataset. The results of our evaluation show that decomposing the annotation task and integrating targeted retrieval and classification components significantly improve annotation accuracy, particularly for well-structured requirements. Our work provides new empirical resources and methodological foundations for advancing automated transparency compliance assessment at scale.

Fingerprinting attacks on encrypted network traffic may reveal sensitive information about users of anonymous communication systems, such as visited websites or watched videos, linking users' activities to their identities. Defenses come at the cost of bandwidth and delay overheads, impacting the user experience and making wide-scale deployment challenging. There is a rich history of attacks and defenses, with continual improvements in deep learning as a catalyst, making deployment of defenses an ever more pressing matter. This paper introduces a new defense strategy against fingerprinting attacks---ephemeral defenses---where efficient defense search enables the generation of unique per-connection defenses. We demonstrate that ephemeral defenses are multipurpose network-layer defenses against circuit, website, and video fingerprinting attacks, achieving competitive performance compared to related work. Furthermore, we create tunable ephemeral defenses that are not overly specialized to a particular fingerprinting attack, dataset, or network conditions. Ephemeral defenses are practical, demonstrated through integration with WireGuard and deployment at Mullvad VPN for a year, serving thousands of daily users.