CyLab researchers set to present their work at PETS 2026
Michael Cunningham
Jul 1, 2026
Carnegie Mellon University faculty members and students are preparing to share their research at the 2026 Privacy Enhancing Technologies Symposium (PETS).
Held annually, the 26th PETS will take place from July 20th to the 25th in Calgary.
PETS brings together privacy experts from around the world to discuss recent advances and new perspectives on research in privacy technologies. PETS addresses the design and realization of privacy services for the Internet and other digital systems and communication networks.
Here, we’ve compiled a list of papers co-authored by CyLab researchers that will be presented at the event.
Location-Enhanced Information Flow for Home Automations
Authors: McKenna McCall, Colorado State University; Ben Weinshel, Carnegie Mellon University; Kunlin Cai and Ying Li, University of California, Los Angeles; Eric Zeng, Georgetown University; Devika Manohar, Carnegie Mellon University; Lujo Bauer and Limin Jia, Carnegie Mellon University; Yuan Tian, University of California, Los Angeles
Abstract: Smart-home automations enable users to customize smart devices to react automatically to people, the environment, and more. For example, an automation might adjust the lights when people are at home or enable a garage door to open by voice command. While automations offer convenience and accessibility, they can also inadvertently expose users to security and privacy risks, such as leaking sensitive data or allowing untrusted parties to control users’ devices. Prior work has shown that information flow analysis is a promising technique for identifying these kinds of risks, hypothesizing that the analysis would be yet more effective if it could differentiate between devices located in different places in the home.
We tested this hypothesis by developing a tool that extends prior information flow analysis approaches to account for device location. We conducted an interview study with 22 participants to build a dataset of home automations to establish a ground truth to evaluate the tool. We found that incorporating device location leads to an improved analysis that identifies more of the vulnerabilities users care about (F1 score 0.74) compared to prior work (F1 score 0.29). Our results demonstrate the feasibility of incorporating device location into an information flow analysis and, perhaps more importantly, suggest additional ways to prevent security and privacy risks beyond controlling potentially unsafe information flows.
More Space, Less Privacy? Measuring the Effectiveness of IP-based Website Fingerprinting in IPv6
Authors: Sumeer Ahmad and Michalis Polychronakis, Stony Brook University; Theophilus A. Benson, Carnegie Mellon University; and Nguyen Phong Hoang, University of British Columbia
Abstract: Despite the widespread adoption of domain name encryption protocols (e.g., DoH, DoT, and ECH), website fingerprinting attacks remain a significant threat to online privacy due to the visibility of IP connections that can be observed by network-level adversaries. This problem has been investigated in IPv4 thoroughly but remains largely unexplored in IPv6, where it is even more pronounced. From a design perspective, IPv6 offers a vastly larger address space, eliminating the need for virtual hosting and domain co-location---practices prevalent in IPv4. These practices obscure several domains behind a single IPv4 address. The adoption of IPv6 can theoretically lead to more accurate fingerprinting based on IPv6 connections because each domain is now more likely to be resolved to a unique globally routable IPv6 address unlike IPv4.
In this study, we systematically investigate the feasibility, accuracy, and privacy implications of IP-based website fingerprinting in IPv6 environments. Utilizing empirical data collected via active DNS measurements, Web crawling, and entropy-based analyses across half a million dual-stack websites, we conduct the largest evaluation of website fingerprinting in IPv6.
We find that dual-stack websites that still have some IPv4-only dependencies are easier to fingerprint, achieving close to 94\% accuracy on both IPv4 and IPv6. However, fingerprinting pure dual-stack websites is significantly harder: accuracy drops to 56\% over IPv4 and 45\% over IPv6.
These results reveal distinct trends in hosting infrastructures and indicate that IPv6 itself does not inherently diminish privacy, contrary to existing concerns in the community. Rather, fingerprinting risk is shaped by how hosting providers deploy IPv6 and their choices regarding domain co-location.
Overcoming Language Barriers: Multilingual Analysis of the 2023 Swiss Privacy Law's Impact
Authors: Luka Nenadic, ETH Zurich; David Rodriguez, Information Processing and Telecommunications Center, Universidad Politécnica de Madrid, ETSI Telecomunicación; Joseph A. Calandrino, Carnegie Mellon University
Abstract: Policymakers enact and revise privacy laws expecting meaningful benefits for their people in practice. While scholarship has measured the real-world impact of some privacy regulations—the EU and California most notably—limited empirical evidence exists for many of the more than 140 countries that have implemented some form of privacy legislation. Switzerland, a multilingual country bordered almost entirely by EU states, is one such example.
This paper analyzes the extent to which a 2023 alignment of Swiss privacy law with EU privacy regulation affected website privacy policies in Switzerland. To address Switzerland’s unique multilingual culture, we develop an LLM-based pipeline that extracts legally relevant information as document-level labels in a single inference without requiring translation. On a benchmark of 120 expert-annotated privacy policies in German, French, Italian, and English, our pipeline achieves F1 scores above 0.90 for most pairs of languages and legally relevant disclosures.
Applying this pipeline to privacy policies we collected from more than 35,000 Swiss- and EU-facing websites before and after the 2023 privacy law revision, we find significant increases in both mandatory and voluntary disclosures of data subject rights among Swiss privacy policies. In exploring the mechanisms driving increased disclosure rates, we discover heavy use of automated privacy policy generators and find that generated policies are associated with up to 15 percentage points higher disclosure rates. These results provide large-scale empirical evidence of how regulatory change and novel drafting technologies impact the content of privacy policies in a unique multilingual environment.
The Role of Online Forums in Developer Understanding of Privacy Law - A Reddit Case Study
Authors: Sara Haghighi, Clark LaChance, and Ali Pourghasemi Fatideh, University of Maine; Travis Breaux, Carnegie Mellon University; Sepideh Ghanavati, University of Maine
Abstract: Software practitioners use online forums to navigate complex and often ambiguous legal privacy requirements, yet little is known about their professional backgrounds, what challenges they face, and how they use and assess the credibility of the advice received, or how they resolve ambiguities in posts. We report the findings of a survey of 223 Reddit users from regulatory-focused subreddits, complemented by a qualitative analysis of 2,248 posts and responses. Our results show that, despite holding privacy-related certifications, most participants frequently use forums to seek legal advice. Key challenges reported or identified include implementing a data protection impact assessment, reporting a data breach, and obtaining cookie consent. Reddit users often assess credibility by reviewing respondents' post history, verifying sources cited, trusting advice from recognized experts, and following up for clarity before responding. We highlight research and educational directions to bridge gaps in support needed for regulatory compliance guidance.