Security & Privacy

Francis' group launches Open GDA Score Project

January 2019
We have launched the Open GDA Score Project at  This is an open project to develop a set of tools and databases to generate anonymity scores for any data anonymization technique. The GDA Score, which stands for General Data Anonymity Score, is the first data anonymization measurement methodology that works with any anonymization technique. The GDA Score is a generalization of the measurement technique developed by Francis' group for the Diffix bounty program run last year. This was the first bounty program for anonymity. The GDA Score is of particular interest in Europe, where member states are expected to produce certification programs for anonymity.

Krishna Gummadi and Alan Mislove awarded a Facebook "Secure the Internet" grant

October 2018
MPI-SWS faculty member Krishna Gummadi and MPI-SWS alumnus Alan Mislove have been awarded a "Secure the Internet" grant by Facebook. Their proposal, “Towards privacy-protecting aggregate statistics in PII-based targeted advertising,” has been awarded $60,000 to develop techniques for revealing advertising statistics that provide hard guarantees of user privacy, based on a (principles-first) approach. Their goal is to develop a differential privacy-like approach that can be applied to existing advertising systems.

The Facebook "Secure the Internet" grant program is designed to improve the security, privacy, and safety of internet users. Gummadi and Mislove's proposal was one of only 10 winning proposals, which were together awarded more than $800,000 by Facebook.

Aastha Mehta invited to attend Rising Stars Workshop

September 2018
MPI-SWS Ph.D. student Aastha Mehta has been selected to attend the Rising Stars Workshop to be held at MIT from October 28-30, 2018. She is one of 76 participants, and one of only three invited from a European university. Rising Stars is a prestigious workshop that provides mentoring to women graduate students and postdocs interested in pursuing an academic career.

French Data Protection Authority CNIL Republishes Francis' Article

September 2018
The French Data Protection Authority CNIL has recognized the benefits of Diffix anonymization by republishing an article by Paul Francis in which the utility of Diffix anonymization is highlighted. Diffix is the anonymization technology developed in joint research between Francis' group and Aircloak GmbH.

Last year, CNIL published an article titled "Can anonymized data still be useful." The purpose of the article was to demonstrate that strong anonymization does not necessarily prevent useful analytics. In this work, CNIL uses K-anonymity on the New York City taxi database. Inspired by this effort, Francis shows that Diffix can be used for a wide range of analysis on the NYC taxi database, including trip times to LaGuardia airport, taxi driver work profiles, and congestion in the Manhattan financial district.

CNIL re-published the article under the title "Anonymity vs. Utility: Another shot at Anonymizing the New York City taxi dataset".

Paul Francis featured in CNIL interview

June 2018
Paul Francis was featured in an interview by CNIL, the French national data protection authority. The interview discusses the innovative way in which MPI-SWS is tackling the data anonymity problem. The interview follows Paul's visit to CNIL in May 2018, where he presented the first-ever bounty program for anonymity. The bounty program, designed by MPI-SWS and implemented by the startup Aircloak, is one of the innovative ways in which MPI-SWS develops practical data anonymity techniques.

MPI-SWS researchers have a distinguished paper at CSF 2018

May 2018
A paper by Vineet Rajani and Deepak Garg has been honored as a distinguished paper at the upcoming 31st IEEE Symposium on Computer Security Foundations (CSF 2018). The paper is titled "Types for Information Flow Control: Labeling Granularity and Semantic Models".

Paul Francis launches first-ever anonymization bounty program

January 2018
Bug bounty programs are a popular way to find security flaws in deployed systems. We are the first to use a bounty program to find flaws in anonymization schemes, namely the anonymization scheme we designed called Diffix. We take an empirical approach to anonymization rather than the more common formal approach. The empirical approach leads to anonymization schemes with high utility, but also uncertainties about the anonymization properties. The bounty program helps build understanding and confidence in Diffix. To learn more, visit

Paul Francis to lead session at the IAPP Europe Data Protection Congress 2017

April 2017
The session, entitled “Challenges and Strategies for Certifying Data Anonymization for Data Sharing,” brings together technical and legal experts to explore how Data Protection Officers (DPOs) can manage the complexities and uncertainties of GDPR-compliant data anonymization. The IAPP Congress will be held November 7-9 in Brussels.

Session Abstract:

Data sharing is increasingly important. Companies share data internally across business units to gain business insights, they share data externally with data analytics vendors, and they often share data simply to make money. Ensuring the anonymity of users in the data set is necessary. The process of approving or certifying anonymization however is costly, time consuming, and uncertain. Current approaches to anonymization are ad hoc at best. They require a custom strategy for each new data sharing scenario, and it is often unclear whether the data is really anonymized or not.

In this informative and lively session, corporate DPOs, vendors of analytics solutions, and privacy researchers share their experiences with data anonymization and the approval process. They provide case studies illustrating the pitfalls of "do it yourself" anonymization, and show how some new ready-for-use anonymization can eliminate the delays and guesswork of data anonymization.

Paul Francis to give keynote at Oakland '17 Workshop on Privacy Engineering

April 2017
Paul Francis will give the keynote address at the Oakland (IEEE S&P) Workshop on Privacy Engineering. The talk, entitled "The Diffix Framework: Revisiting Noise, Again", presents the first database anonymization system that exhibits low noise, unlimited queries, simple configuration, and rich query semantics while still giving strong anonymity.

The workshop will be held May 25 in San Jose, CA.

Talk Abstract:

For over 40 years, the holy grail of database anonymization has been a system that allows a wide variety of statistical queries with minimal answer distortion, places no limits on the number of queries, is easy to configure, and gives strong protection of individual user data. This keynote presents Diffix, a database anonymization system that promises to finally bring us within reach of that goal. Diffix adds noise to query responses, but "fixes" the noise to the response so that repeated instances of the same response produce the same noise. While this addresses the problem of averaging attacks, it opens the system to "difference attacks" which can reveal individual user data merely through the fact that two responses differ. Diffix proactively examines queries and responses to defend against difference attacks. This talk presents the design of Diffix, gives a demo of a commercial-quality implementation, and discusses shortcomings and next steps.
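The trade-off described in the abstract can be seen in a simplified model, added here as an illustration; it is not Diffix's algorithm or code from the talk. The toy table, the secret, the noise level and the hash-based seeding are all assumptions: fresh noise averages away over repeated queries, noise fixed to the answer set does not, and fixed noise alone leaves the equal-or-different signal that Diffix's query examination is meant to close.

```python
import hashlib
import random
import statistics

# Constructed toy table (user id -> department); not real data.
USERS = {uid: ("eng" if uid % 3 else "ops") for uid in range(1, 61)}
SECRET = b"example-secret"  # hypothetical per-database secret
SD = 2.0                    # assumed noise standard deviation


def answer_set(dept, exclude=None):
    """User ids that satisfy the query condition."""
    return frozenset(u for u, d in USERS.items() if d == dept and u != exclude)


def fresh_noisy_count(ids, rng):
    """Baseline: independent Gaussian noise on every request."""
    return len(ids) + rng.gauss(0, SD)


def sticky_noisy_count(ids):
    """Noise seeded from the answer set: same response, same noise."""
    material = SECRET + ",".join(map(str, sorted(ids))).encode()
    seed = int.from_bytes(hashlib.sha256(material).digest(), "big")
    return len(ids) + random.Random(seed).gauss(0, SD)


def averaged(query, n=2000):
    """Mean of n repeated answers to the same query."""
    return statistics.fmean(query() for _ in range(n))


def responses_differ(dept, user):
    """Compare a query with the same query excluding one user."""
    full = sticky_noisy_count(answer_set(dept))
    without = sticky_noisy_count(answer_set(dept, exclude=user))
    return full != without


if __name__ == "__main__":
    eng = answer_set("eng")
    rng = random.Random(7)
    print("true count:", len(eng))
    print("fresh noise, averaged:", round(averaged(lambda: fresh_noisy_count(eng, rng)), 2))
    print("sticky noise, averaged:", round(averaged(lambda: sticky_noisy_count(eng)), 2))
    print("differs when user 1 (eng) is excluded:", responses_differ("eng", 1))
    print("differs when user 3 (ops) is excluded:", responses_differ("eng", 3))
```

Averaging the sticky answers returns the single noisy value rather than converging on the true count, while the last two lines show that identical outputs tell an observer the excluded user was never in the answer set.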

Targeted malware paper accepted at NDSS '17

January 2017
The paper "A Broad View of the Ecosystem of Socially Engineered Exploit Documents" was accepted at NDSS '17 (Network and Distributed System Security Symposium).  The authors include Stevens Le Blond, Cédric Gilbert, Utkarsh Upadhyay, and Manuel Gomez Rodriguez from MPI-SWS, as well as David Choffnes from Northeastern University.

Our understanding of exploit documents as a vector to deliver targeted malware is limited to a handful of studies done in collaboration with the Tibetans, Uyghurs, and political dissidents in the Middle East. In this measurement study, we present a complementary methodology relying only on publicly available data to capture and analyze targeted attacks with both greater scale and depth. In particular, we detect exploit documents uploaded over one year to a large anti-virus aggregator (VirusTotal) and then mine the social engineering information they embed to infer their likely targets and contextual information of the attacks. We identify attacks against two ethnic groups (Tibet and Uyghur) as well as 12 countries spanning America, Asia, and Europe. We then analyze the exploit documents dynamically in sandboxes to correlate and compare the exploited vulnerabilities and malware families targeting different groups. Finally, we use machine learning to infer the role of the uploaders of these documents to VirusTotal (i.e., attacker, targeted victim, or third-party), which enables their classification based only on their metadata, without any dynamic analysis. We make our datasets available to the academic community.

MPI-SWS research in the news

September 2016
MPI-SWS projects Aqua and Herd were discussed in an ArsTechnica article describing next generation anonymity networks.

MPI-SWS spinoff Aircloak wins Cisco IoT Security Grand Challenge

October 2014
MPI-SWS spinoff Aircloak has won the 2014 Cisco Internet of Things (IoT) Security Grand Challenge. Aircloak was selected for its innovative approach to privacy protection—it is building the world's first anonymized analytics system. As a grand challenge award winner, Aircloak was awarded a $75,000 cash prize and was showcased at the IoT World Forum. In addition, the award also provides the Aircloak team with mentoring, training and access to business expertise from Cisco and other supporting organizations, as well as potential investment and partnering opportunities in the future. For more info see the Cisco award announcement (in English or in German), and the Cisco blog.

MPI-SWS researchers win ERC Synergy Grant

December 2013
MPI-SWS directors Peter Druschel and Rupak Majumdar, along with Gerhard Weikum (Scientific Director at the MPI for Informatics) and Michael Backes (MPI-SWS Fellow and Professor at Saarland University), have jointly won the prestigious ERC Synergy Grant.

Over the next six years their project "imPACT: Privacy, Accountability, Compliance, and Trust in Tomorrow's Internet" will receive almost 10 million euros, which will allow them to explore how to protect users against eavesdropping and fraud on the Internet without restricting trade, freedom of expression or access to information.

MPI-SWS research in the news

April 2012

A recent WWW 2012 paper by Krishna Gummadi, Bimal Viswanath, and their coauthors was covered by GigaOM, a popular technology news blog, in an article titled "Who's to blame for Twitter spam? Obama, Gaga, and you."

Stevens Le Blond's work on security flaws in Skype and other peer-to-peer applications has been receiving global media attention: WSJ, Le Monde (French), die Zeit (German), Daily Mail, New Scientist, Slashdot, Wired, and the New Scientist "One Percent" blog.

Three new faculty to join MPI-SWS

July 2011

We are pleased to announce that three new faculty will join MPI-SWS this fall.

Björn Brandenburg is joining us from the University of North Carolina at Chapel Hill (UNC), where he obtained his Ph.D. in computer science. Björn's research interests include multiprocessor real-time systems, real-time synchronization protocols, and operating systems. Björn is the lead designer and developer of LITMUS^RT, an extension of the Linux kernel for real-time scheduling and synchronization on multicore platforms.

Deepak Garg is joining us from the Cybersecurity Lab (CyLab) at Carnegie Mellon University, where he was a post-doctoral researcher. He obtained his Ph.D. from Carnegie Mellon's Computer Science Department. His research interests are in the areas of computer security and privacy, formal logic and programming languages. He is specifically interested in logic-based models of secure systems and formal analysis of security properties of systems.

Ruzica Piskac is joining us from EPFL, where she has completed her Ph.D. in computer science. The goal of her research is to make software development easier and software more reliable via automated reasoning techniques. She is specifically interested in decision procedures, their combinations and applications in program verification and software synthesis.