When Anna Lysyanskaya graduated 10 years ago from Smith College with a B.A. in math and computer science, she was unsure where her career path would take her.
But when she started graduate school at the Massachusetts Institute of Technology, she got involved with the study of cryptography. She soon found that her interests lay with math-based privacy questions, specifically as they relate to individuals using the Internet.
“It sounds kind of boring, but I actually do identify with this privacy issue,” she said. It doesn’t take long to see at least one reason it matters to her.
“I grew up, actually, in the Soviet Union. And so it was the constant horror with the totalitarian Big Brother watching you at all times. It’s really scary and if you leak some of that information, you can make that a reality.”
She eventually completed her master’s and doctoral degrees at MIT, and today she is a computer science professor focused on cryptography at Brown University, trying to find a mathematical solution to keeping personal information safe on the Web.
And for her work, Lysyanskaya has been named one of 35 Young Innovators Under 35 in the September-October issue of Technology Review.
She’s received praise for a piece of software designed to help individuals logging onto subscription Web sites – including newspapers, e-mail services and bank sites – keep their personal information out of the wrong hands.
With most subscription Web sites, users are prompted for a personal identifier – like a user name – and the site administrator then stores that information and likely tracks viewed pages. And that is where the problem starts, according to Lysyanskaya.
“That would be how things work right now, but the [vulnerability with] this model of doing things is that you leave some sort of a trail,” she said.
The trail created by that user name is then at risk of being leaked to online predators.
“Information is not really [stored safely]; credit card numbers get leaked all the time,” said Lysyanskaya. “Even information where they actively take steps to store it – that private information – it still gets leaked. And something like a transaction log can easily get leaked. So somebody who gets control of that data can see what you’re reading.”
What you are reading can then be put together with other gathered information, leading to a full picture of what a person does online. Or worse yet, it can be used to create their financial profile. So, instead of a user name, Lysyanskaya said Web sites should be asking users for some other sort of proof.
It works like this: Lysyanskaya’s program would be installed on both the user’s and Web site administrator’s computers, and when a user logs in, the computers would separately generate the same password – different for each login by every user – to determine the user’s identity.
“You don’t have to do anything yourself, you just press the button that you want to log in, then it’s all taken care of from the user’s perspective,” she said. “The challenge in actually figuring out how to design this protocol is math.”
If it works, she said, “every time that you log in, you log in using yet another pseudonym. So they can’t even say that it was the same person reading the weather forecast in Providence and the horoscopes. They can’t even link together the various pieces of information that might identify you.”