Academic Papers

Personal item tracking devices are popular for locating lost items such as keys, wallets, and suitcases. Originally created to help users find personal items quickly, these devices are now being abused by stalkers and domestic abusers to track their victims' location over time. Some device manufacturers created ‘anti-stalking features’ in response, and later improved on them after criticism that they were insufficient.

We analyse the effectiveness of the anti-stalking features with five brands of tracking devices through a gamified naturalistic quasi-experiment in collaboration with the Assassins' Guild student society. Despite participants knowing they might be tracked, and being incentivised to detect and remove the tracker, the anti-stalking features were not useful and were rarely used. We also identify additional issues with feature availability, usability, and effectiveness. These failures combined imply a need to greatly improve the presence of anti-stalking features to prevent trackers being abused.

This is one of two studies I have published on item tracker stalking; the sister study is “Can’t Keep Them Away”, described below.

Stop Following Me! Evaluating the Effectiveness of Anti-Stalking Features of Personal Item Tracking Devices

Kieron Ivy Turk, Alice Hutchings

Currently under review for formal publication.

The arXiv version of this paper is available here.

Can’t Keep Them Away: The Failures of Anti-stalking Protocols in Personal Item Tracking Devices

Kieron Ivy Turk, Alice Hutchings, Alastair R Beresford

Presented at Security Protocols Workshop 2023.

Published in Lecture Notes in Computer Science, vol 14186 (Security Protocols XXVIII).

The official publication is available here, and the open-access version is available here alongside the transcript of discussion.

A number of technology companies have introduced personal item tracking devices to allow people to locate and keep track of items such as keys and phones. However, these devices are not always used for their intended purpose: they have been used in cases of domestic abuse and stalking to track others without their consent.

In response, manufacturers introduced a range of anti-stalking features designed to detect and mitigate misuse of their products. In this paper, we explore common implementations of these anti-stalking features and analyse their limitations. In other research, we identified that very few people use anti-stalking features, even when they know that someone might be tracking them and are incentivised to evade them.

We additionally identify several failures of the features that prevent them from performing their intended purpose even if they were in use. It is impossible for anti-stalking features to identify the difference between ‘bad’ tracking and ‘good’ tracking. Furthermore, some features work on some types of phones for some types of tracking devices, but not all work on all phones for all trackers. Some anti-stalking features are not enabled by default, and some require manual intervention to scan for devices. We provide suggestions for how these features could be improved, as well as ideas for additional anti-stalking features that could help mitigate the issues discussed in this paper.

This is one of two studies I have published on item tracker stalking; the sister study is “Stop Following Me”, described above.

Accessing online support services can be dangerous for some users, such as domestic abuse survivors. Many support service websites contain “quick exit” buttons that provide an easy way for users to escape the site.

We investigate where exit buttons and other escape mechanisms are currently in use (by country and type of site) and how they are implemented. We analyse both the security and usability of exit mechanisms on 323 mobile and 404 desktop sites. We find exit buttons typically replace the current page with another site, occasionally opening additional tabs. Some exit buttons also remove the page from the browser history.

When analysing the design choices and shortcomings of exit button implementations, common problems include cookie notices covering the buttons, and buttons not remaining on the screen when scrolling. We provide recommendations for designers of support websites who want to add or improve this feature on their website.

Click Here to Exit: An Evaluation of Quick Exit Buttons

Kieron Ivy Turk, Alice Hutchings

Presented at CHI 2023.

Published in the proceedings of the 2023 CHI Conference on Human Factors in Computing Systems (CHI ’23), April 23–28, 2023, Hamburg, Germany.

The publication is available here.

A tight scrape: methodological approaches to cybercrime research data collection in adversarial environments.

Kieron Turk, Sergio Pastrana, Ben Collier

Presented at WACCO 2020: Second Workshop on Attackers and Cyber-Crime Operations.

Published in the proceedings of IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) 2020.

My blog post presenting this paper is available here, and the official publication in IEEE is available here.

A study of “adversarial scraping” for academic research, in which websites implement assorted defences to prevent web scraping while researchers attempt to bypass these defences to collect data for further investigation. Inspired by the novel “attacks on the browser” encountered on a small collection of sites, we decided to document the range of features which we have encountered through assorted scraping projects, as well as the countermeasures that can be used to overcome these methods.

We then classify the defences by effectiveness, and find that a large number of the methods used to prevent crawling are ineffective, or of minimal impact. Other systems successfully slow down crawling, inhibiting historical data collection, while a small number of defences are capable of preventing scraping entirely in certain circumstances.

We identify two environments which can be analysed independently: sites hosted on Tor (“onions”) and chat channels. Onions are generally easier to scrape, due to many defences being unusable with the associated privacy restrictions (such as JavaScript being near-universally disabled). Chat channels such as those on Discord and Telegram use far fewer technical measures to prevent scraping; instead, many use moderator intervention to identify and block automated accounts.

University

PhD Computer Science

Tackling the use of technology for domestic abuse

For my PhD I am moving away from attacking systems to analysing how domestic abusers misuse them for abuse. My goal is to be able to identify ways to mitigate various technology-enabled abuse threats, reducing the harm done to victims and survivors of abuse.

Technology-enabled abuse takes many forms, from using smart doorbells to monitor deliveries, guests, and the victim’s location to controlling what the victim is able to do on their own devices. There is a wide range of problems that need to be tackled in this space: there are issues of raising awareness of how technology is used for abuse and identifying when it is happening; there is the problem of impeding or preventing the various misuses of technology; and there are many areas in which abuse victims can be better supported as they attempt to leave an abusive relationship. There are also broader underlying issues to tackle, such as how access control systems are not designed for the threat of a domestic abuser, and how transparency both enables abusers to monitor their victims more easily and provides a means for victims to understand how they are being monitored, gaslit, and restricted by their abuser.


MEng Computer Science - honours pass with distinction

Specialising in what I love to do.

While my Bachelor's covered a diverse range of topics, a small fraction of them would contribute to my overall area of interest - cybersecurity. With the ability to specialise during my Master's, I have studied five security-oriented modules: cybercrime, hardware security, digital signal processing, computer security: foundations and principles, and technology, law and society. My Master's dissertation is a security analysis of multiple smartlocks, exploring vulnerabilities in custom Bluetooth protocols, insecure Wi-Fi setup, vulnerable smart card technologies, and physical design flaws.


BA Hons Computer Science - first class honours

An exploration of computer science.

My Bachelor's allowed me to obtain a solid understanding of all areas of computer science, before diving into more complex and interesting topics in my third year such as Cryptography, Quantum Computation, Natural Language Processing and Mobile Robot Systems. For my dissertation, I created Pinpoint: a web application vulnerability scanner, which you can read about here.