Security, Privacy and Abuse

A team of engineers, researchers, advocates, and hackers who make the Internet safer for all users.

About the team

Our team brings together experts from systems, networking, cryptography, machine learning, human-computer interaction, and user experience to advance the state of security, privacy, and abuse research. Our mission is straightforward:

Make the world's information trustworthy and safe. We strive to keep all information on the Internet free of deceptive, fraudulent, unwanted, and malicious content. Users should never be at risk for sharing personal data, accessing content, or conducting business on the Internet.

Defend users, everywhere. Internet users can face incredibly diverse threats, from governments to cybercrime and sexual abuse. We approach research, design, and product development with the goal of protecting every user, no matter their needs, from the start.

Advance the state of the art. Making the Internet safer requires support from the public, academia, and industry. We foster initiatives that shape the direction of security, privacy, and abuse research for the next generation.

Build privacy for everyone. It's a responsibility that comes with creating products and services that are free and accessible for all. This is especially important as technology progresses and privacy needs evolve. We look to these principles to guide our products, our processes, and our people in keeping our users' data private, safe, and secure.

Research areas

Human-Computer Interaction and Visualization

Machine Intelligence

Security, Privacy and Abuse Prevention

Team focus summaries

Malicious and deceptive software

Our crawlers and analysis engines represent the state of the art for detecting malware, unwanted software, deception, and targeted attacks. These threats span the web, binaries, extensions, and mobile applications.

Spam and harmful interactions

We continue to develop one of the most sophisticated machine learning and reputation systems to protect users from scams, hate and harassment, and sexual abuse.

Trustworthy infrastructure

We are pioneering advancements in browser, mobile, and cloud security including sandboxing, auto-updates, fuzzing, program analysis, formal verification, and vulnerability research.

Fraud and automation prevention

Our team of warrior scientists actively protects users and businesses from payment fraud, invalid traffic, denial of service, and bot automation. We fight all things fake—installs, clicks, likes, views, and accounts.

Usability

We are re-defining informed user decision making. Our work spans warnings, notifications, and advice. This includes informing our designs based on the privacy attitudes, personas, and segmentation across Internet users.

Protecting user data

We are developing the next generation of mechanisms for encryption (e.g., end-to-end & post-quantum) authentication, and privacy-preserving analytics. This includes advanced modeling to detect account hijacking.

Highlighted projects

Inside "MOAR TLS:" How We Think about Encouraging External HTTPS adoption on the Web

This project is guiding the web towards HTTPS everywhere by methodically hunting and addressing major hurdles for TLS adoption.

Announcing the first SHA1 collision

In collaboration with the Cryptology Group at Centrum Wiskunde & Informatica (CWI) - the national research institute for mathematics and computer science in the Netherlands we have broken SHA-1 in practice.

Meltdown and Spectre

Learn how Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance. Independent researchers separately discovered and named these vulnerabilities “Spectre” and “Meltdown.”

Keeping 2 billion Android devices safe with machine learning

Google Play Protect's suite of mobile threat protections are built into more than 2 billion Android devices, automatically taking action in the background. We're constantly updating these protections so you don't have to think about security: it just happens.

Insider attack resistance

We are making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices.

Updating our “right to be forgotten” Transparency Report

We expanded the scope of our transparency reporting about the “right to be forgotten” and added new data going back to January 2016. Our goal with this project was to inform an ongoing discussion about the interplay between the right to privacy and the right to access lawful information online.

LocoMocoSec 2018

Emily Schechter talks about "The Trouble with URLs, and how Humans (Don't) Understand Site Identity"

Featured publications

SoK: Hate, Harassment, and the Changing Landscape of Online Abuse

We argue that existing security, privacy, and anti-abuse protections fail to address the growing threat of online hate and harassment. In order for our community to understand and address this gap, we propose a taxonomy for reasoning about online hate and harassment. Our taxonomy draws on over 150 interdisciplinary research papers that cover disparate threats ranging from intimate partner...

View details

SoK: Hate, Harassment, and the Changing Landscape of Online Abuse

Kurt Thomas, Devdatta Akhawe, Michael Bailey, Dan Boneh, Elie Bursztein, Sunny Consolvo, Nicola Dell, Zakir Durumeric, Patrick Gage Kelley, Deepak Kumar, Damon McCoy, Sarah Meiklejohn, Thomas Ristenpart, Gianluca Stringhini

(2021)

"Shhh...be Quiet!" Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome

Push notifications are an extremely useful feature. In web browsers, they allow users to receive timely updates even if the website is not currently open. On Chrome, the feature has become extremely popular since its inception in 2015, but it is also the least likely to be accepted by users. Our telemetry shows that, although 74% of all permission prompts are about notifications, they are also...

View details

"Shhh...be Quiet!" Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome

Igor Bilogrevic, Balazs Engedy, Jud Porter, Nina Taft, Kamila Hasanbega, Andrew Paseltiner, Hwi Lee, Edward Jung, Meggyn Watkins, PJ McLachlan, Jason James

30th USENIX Security Symposium (USENIX Security 21), USENIX Association, Vancouver, B.C. (2021)

Tracking Ransomware End-to-end

Ransomware is a type of malware that encrypts the files of infected hosts and demands payment, often in a cryptocurrency such as bitcoin. In this paper, we create a measurement framework that we use to perform a large-scale, two-year, end-to-end measurement of ransomware payments, victims, and operators. By combining an array of data sources, including ransomware binaries, seed ransom payments,...

View details

Tracking Ransomware End-to-end

Danny Y. Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy

Security & Privacy 2018 (2018)

Measuring HTTPS adoption on the web

HTTPS ensures that the Web has a base level of privacy and integrity. Security engineers, researchers, and browser vendors have long worked to spread HTTPS to as much of the Web as possible via outreach efforts, developer tools, and browser changes. How much progress have we made toward this goal of widespread HTTPS adoption? We gather metrics to benchmark the status and progress of HTTPS...

View details

Measuring HTTPS adoption on the web

Adrienne Porter Felt, Richard Barnes, April King, Chris Palmer, Chris Bentzel, Parisa Tabriz

USENIX Security (2017)

Data breaches, phishing, or malware? Understanding the risks of stolen credentials

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016--March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data...

View details

Data breaches, phishing, or malware? Understanding the risks of stolen credentials

Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Daniel Margolis, Vern Paxson, Elie Bursztein

(2017)

Scalable Private Learning with PATE

The rapid adoption of machine learning has increased concerns about the privacy implications of machine learning models trained on sensitive data, such as medical records or other personal information. To address those concerns, one promising approach is Private Aggregation of Teacher Ensembles, or PATE, which transfers to a "student" model the knowledge of an ensemble of "teacher" models, with...

View details

Scalable Private Learning with PATE

Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, Úlfar Erlingsson

International Conference on Learning Representations (ICLR) (2018)

Exploring decision making with Android's runtime permission dialogs using in-context surveys

A great deal of research on the management of user data on smartphones via permission systems has revealed significant levels of user discomfort, lack of understanding, and lack of attention. The majority of these studies were conducted on Android devices before runtime permission dialogs were widely deployed. In this paper we explore how users make decisions with runtime dialogs on smartphones...

View details

Exploring decision making with Android's runtime permission dialogs using in-context surveys

Bram Bonné, Sai Teja Peddinti, Igor Bilogrevic, Nina Taft

Thirteenth Symposium on Usable Privacy and Security (SOUPS), Usenix (2017)

Stories from survivors: Privacy & security practices when coping with intimate partner abuse

We present a qualitative study of the digital privacy and security motivations, practices, and challenges of survivors of intimate partner abuse (IPA). This paper provides a framework for organizing survivors' technology practices and challenges into three phases: physical control, escape, and life apart. This three-phase framework combines technology practices with three phases of abuse to...

View details

Stories from survivors: Privacy & security practices when coping with intimate partner abuse

Tara Matthews, Kathleen O’Leary, Anna Turner, Manya Sleeper, Jill Palzkill Woelfer, Martin Shelton, Cori Manthorne, Elizabeth F. Churchill, Sunny Consolvo

CHI '17 Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, ACM, New York, NY, USA (2017), pp. 2189-2201

An Experience Sampling Study of User Reactions to Browser Warnings in the Field

Web browser warnings should help protect people from malware, phishing, and network attacks. Adhering to warnings keeps people safer online. Recent improvements in warning design have raised adherence rates, but they could still be higher. And prior work suggests many people still do not understand them. Thus, two challenges remain: increasing both comprehension and adherence rates. To dig...

View details

An Experience Sampling Study of User Reactions to Browser Warnings in the Field

Rob Reeder, Adrienne Porter Felt, Sunny Consolvo, Nathan Malkin, Chris Thompson, Serge Egelman

CHI (2018)