Khoury News

Khoury PhD student, professor, and alumnus create web extension to protect user privacy

How often do you stumble across online ads that feel suspiciously well-targeted? Seyed Ali Akhavani saw a few too many, and after spearheading an effort to address the issue, he believes he's got a solution.

by Emily Spatz

Engin Kirda (left) and Seyed Ali Akhavani discuss a project while sitting at a table
Engin Kirda (left) and Seyed Ali Akhavani

Research a product online, and suddenly you’ll see ads for it across every website you visit. It’s a routine part of using the modern internet that most people have come to accept. 

But for Seyed Ali Akhavani, a doctoral candidate at Khoury College, the experience was annoying — and slightly concerning.  

“The websites that are showing ads to me know something about what I’ve been doing on the web,” Akhavani said. “That didn’t seem right to me, because there’d been some data shared with venues that I wasn’t aware of.” 

With the help of joint Khoury College/College of Engineering Professor Engin Kirda and Florida International University Assistant Professor Amin Kharraz — who graduated with his doctorate from Khoury College in 2017 — Akhavani created a solution: PriveShield. The mechanism, Akhavani’s second doctoral project, strikes a balance between protecting users’ privacy and preserving website functionality. 

PriveShield (pronounced PRAI-vuh-sheeld) uses existing but little-known privacy features of browsers and automates them for users, Akhavani explained. The team detailed its findings in a paper published in January. 

“One focus of the work was to allow people to use existing privacy tools in browsers and to expand the capabilities of browsers to make privacy easier,” Kirda said.  

Before digging into solutions, Akhavani researched exactly how websites obtain users’ data. The answer comes down to “cookies” — files containing user data that websites store in a user’s browser. Some cookies track returning users or save login information, which can be helpful to the user. 

But other types of cookies — called “third-party cookies” — enable the modern online ad system and can pose privacy issues. Website administrators don't own the advertisements they display; they collect them from third parties that set their own cookies on a browser, Akhavani said. 

“That’s how they can identify you in the future,” he added, explaining that third-party cookies are the reason ads can track users across websites.  

Seyed Ali Akhavani sits at a table while listening to another student talk about their project
Akhavani sits with other members of Northeastern’s Secure Systems Lab. 

Solutions exist, but for website visitors and owners, they are far from optimal. Ad blockers limit owners’ ability to make revenue. Incognito browsing tabs don’t save any user data, which can mean no saved passwords or browsing history for the user.  

“The question here is, ‘Is there a way to share less data from the user, or not share users’ personal data to everyone out there, but still show ads and make the whole revenue system work without totally blocking cookies and ads?” Akhavani said.  

One way to do so would be to manually create separate browsing profiles for each category of website a user visits — shopping or news, for example. That way, data can only be shared between websites within each profile, Akhavani explained. 

But most people don’t realize this is possible ... or how to do it. 

“It’s going to take you a ton of time, and it’s impossible to do that if you want to have a sleek user experience,” he said.  

This is where PriveShield comes in. Instead of manually creating different profiles, it automates the process. When a user spends a lot of time on a website, PriveShield creates an isolated profile for that website category. Other sites can’t access data from that browsing session unless they’re in the same category. 

“You don’t have to click on anything. You install the extension, surf the web, and it automatically takes the patterns that you use to visit the websites, gets the categories, and creates all those profiles for you automatically,” Akhavani said.  

Another positive of the extension — which Akhavani tested on Google Chrome — is that unlike some other privacy mechanisms, websites can’t recognize it. 

“Ad blockers do work, but more and more websites are blocking them. You sometimes need to disable them for the specific website you want because people don’t want to lose revenue,” Kirda said.  

Engin Kirda speaks to students while sitting at a large table with his laptop in front of him
Engin Kirda 

In testing, PriveShield was 90% effective at protecting users from unwanted tracking across websites. But to be available and effective for users, PriveShield would have to be updated often to keep up with rapidly evolving web browsers. So instead of putting the extension on the market themselves, the researchers hope that industry will take the baton.  

“Rather than us maintaining it for many years, it’s better if browser vendors take the ideas and implement them,” Kirda said. 

The Khoury Network: Be in the know

Subscribe now to our monthly newsletter for the latest stories and achievements of our students and faculty

This field is for validation purposes and should be left unchanged.