Gunes Acar - Homepage

I am a tenured assistant professor at the Digital Security group of Radboud University. I am also affiliated with iHub, Radboud's interdisciplinary research hub on digitalization and society.

My research focuses on security and privacy threats from websites, mobile apps and IoT devices, with a special emphasis on novel online tracking mechanisms. I also study anonymous communication networks such as Tor, and investigate deceptive and manipulative (dark) design patterns.

Current and past positions:

2021- ... @ Radboud University: Assistant Professor (tenured, since 2022), Digital Security Group and iHub
2019-2021 @ FWO / KU Leuven: The Research Foundation – Flanders (FWO) Postdoctoral research fellow at the COSIC research group
2017-2019 @ Princeton University: Postdoctoral research associate at the Center for Information Technology Policy.
2012-2017 @ KU Leuven: Predoc and PhD at the COSIC research group under the supervision of Claudia Diaz and Bart Preneel.

Selected Publications

See my dblp, ORCID, or Google Scholar pages for the full list of publications.

Targeted and Troublesome: Tracking and Advertising on Children's Websites
Z. Moti, A. Senol, H. Bostani, F. Z. Borgesius, V. Moonsamy, A. Mathur, G. Acar. To appear, 2024 IEEE Symposium on Security and Privacy, 2024.
Unveiling the Impact of User-Agent Reduction and Client Hints: A Measurement Study (Website • Dataset (TBD))
A. Senol, G. Acar. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES), 2023.
The Time is Ticking: The Effect of Limited Time Discounts on Consumers’ Buying Behavior and Experience
J. Tiemessen, H. Schraffenberger, G. Acar. In Extended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems, 2023.
Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission (Website • Dataset)
A. Senol, G. Acar, M. Humbert, F. Z. Borgesius. In Proceedings of the 31st USENIX Security Symposium (USENIX), 2022.
From “Onion Not Found” to Guard Discovery
L. Oldenburg, G. Acar, Claudia Diaz. In Proceedings on Privacy Enhancing Technologies, 2022(1), 22 pages, 2022.
The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion
Y. Dimova, G. Acar, L. Olejnik, W. Joosen, and T. Van Goethem. In Proceedings on Privacy Enhancing Technologies, 2021(3), 21 pages, 2021.
Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset
R. Amos, G. Acar, E. Lucherini, M. Kshirsagar, A. Narayanan, and J. Mayer In Proceedings of the The Web (WWW) Conference, 22 pages, 2021.
IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale
D. Yuxing Huang, N. Apthorpe, F. Li, G. Acar, and N. Feamster. In Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 4(2), 14 pages, 2020.
No boundaries: data exfiltration by third parties embedded on web pages
G. Acar, S. Englehardt, and A. Narayanan. In Proceedings on Privacy Enhancing Technologies 2020(4), 19 pages, 2020.
Improving Privacy through Fast Passive Wi-Fi Scanning
F. Goovaerts, G. Acar, R. Galvez, F. Piessens, and M. Vanhoef. In Proceedings of the 2019th Nordic Workshop on Secure Computer Systems (NORDSEC 2019) LNCS, 11875, A. Askarov, and W. Rafnsson (eds.), pp. 37-52, 2019.
Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices
H. Mohajeri Moghaddam, G. Acar, B. Burgess, A. Mathur, N. Feamster, E. W. Felten, P. Mittal, A. Narayanan, and D. Yuxing Huang. In ACM Conference on Computer and Communications Security 2019, J. Katz, and X. Wang (eds.), ACM, pp. 131-147, 2019.
Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites
A. Mathur, G. Acar, M. Chetty, M. Friedman, E. Lucherini, J. Mayer, and A. Narayanan. In Proceedings of the ACM on Human-Computer Interaction 3, ACM, pp. 81:1-81:32, 2019.
The Web's Sixth Sense: A Study of Scripts Accessing Smartphone Sensors
A. Das, A. Pradeep, G. Acar, and N. Borisov. In ACM Conference on Computer and Communications Security, ACM, pp. 1515-1532, 2018.
Web-based attacks to discover and control local IoT devices
G. Acar, D. Yuxing Huang, F. Li, A. Narayanan, and N. Feamster. In Proceedings of the 2018 Workshop on IoT Security and Privacy, ACM, pp. 29-35, 2018.
How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services
R. Overdorf, M. Juarez, G. Acar, C. Diaz, and R. Greenstadt. In ACM Conference on Computer and Communications Security, ACM, pp. 2021-2036, 2017.
Online Tracking Technologies and Web Privacy
G. Acar, PhD thesis, KU Leuven, C. Diaz, and B. Preneel (promotors), 242 pages, 2017.
Leaky Birds: Exploiting Mobile Application Traffic for Surveillance
E. Vanrykel, G. Acar, M. Herrmann, and C. Diaz. In Financial Cryptography and Data Security - 20th International Conference, FC 2016, Lecture Notes in Computer Science 9603, Springer-Verlag, pp. 367-384, 2016.
Shopping for privacy: Purchase details leaked to PayPal
S. Preibusch, T. Peetz, G. Acar, and B. Berendt. Electronic Commerce Research and Applications(15), pp. 52-64, 2016.
The leaking battery: A privacy analysis of the HTML5 Battery Status API
L. Olejnik, G. Acar, C. Casteluccia, and C. Diaz. In Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance, Lecture Notes in Computer Science 9481, Springer-Verlag, pp. 254 - 263, 2015.
Facebook Tracking Through Social Plug-ins
G. Acar, B. Van Alsenoy, F. Piessens, C. Diaz, and B. Preneel, Technical report prepared for the Belgian Privacy Commission, 24 pages, 2015.
Purchase details leaked to PayPal
S. Preibusch, T. Peetz, G. Acar, and B. Berendt. In Financial Cryptography and Data Security - 19th International Conference, FC 2015, Lecture Notes in Computer Science, Springer-Verlag, pp. 217 - 226, 2015.
The Web never forgets: Persistent tracking mechanisms in the wild
G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz. In ACM Conference on Computer and Communications Security, ACM, pp. 674-689, 2014.
A Critical Evaluation of Website Fingerprinting Attacks
M. Juarez, S. Afroz, G. Acar, C. Diaz, and R. Greenstadt. In ACM Conference on Computer and Communications Security, ACM, pp. 263-274, 2014.
Browse at your own risk
N. Nikiforakis, G. Acar, and D. Salinger. IEEE Spectrum Magazine 35(8), pp. 30-35, 2014.
FPDetective: Dusting the web for fingerprinters
G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gurses, F. Piessens, and B. Preneel. In 20th ACM Conference on Computer and Communications Security, ACM, pp. 1129-1140, 2013.

Academic and Other Services

2023: Expert panel member for the Empirical Study on Dark Commercial Patterns (commissioned by the OECD)
2023: Vice Program Chair, PETS 2024
2023: Poster and Demo Chair, PETS 2023
2022: Expert committee member for the Canada Foundation for Innovation’s 2023 Innovation Fund competition.

Program Committee Memberships

2023: ACM CCS, PoPETs, MADWeb, ConPro, SecWeb
2022: USENIX Security, PoPETs, MADWeb, ConPro, SecWeb
2021: USENIX Security, PoPETs, MADWeb, ConPro, SecWeb, CFail
2020: USENIX Security, Financial Crypto, SecWeb
2019: PoPETs, ESORICS Poster Session
2018: PoPETs
2017: PoPETs, DPM, IWPE
2016: IWPE, IFIP SEC

External Reviews

2016: PETS
2015: PETS, ESSOS
2014: ACM CCS, PETS, ESORICS, SPACE
2013: PETS, WPES, HotPETs
2012: USENIX FOCI

Grants and Achievements

🏆 2022 CNIL-Inria Award for Privacy Protection (2023)
Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission (USENIX Security'22)
🏆 Top Reviewer Award, Privacy Enhancing Technologies Symposium (2022)
Given to "reviewers [who] consistently performed constructive, but critical, i.e. helpful, reviews on time and followed up in the discussions. It covers roughly 30% of senior and regular PC".
Runner-up for the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies (2021)
Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (CCS'19)
Runner-up for the The Andreas Pfitzmann Best Student Paper Award (2021)
The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion (PoPETS'21)
Runner-up for the CNIL-Inria Privacy Protection Prize (2020)
No Boundaries: Data Exfiltration by Third Parties Embedded on Web Pages (PETS’20)
Postdoctoral Research Fellowship, FWO, Research Foundation - Flanders (2019-2022)
Ranked 1st in the Expert Panel: Informatics and Knowledge Technology. Awarded in 2017, suspended until 2019 due to my position at Princeton University.
Mobile Web Inspector: A Mobile Web Measurement Tool for JavaScript Analysis (2020-)
Project grant by armasuisse, The Swiss Federal Office for Defence Procurement. This project provides the funding for Asuman Senol who I co-supervise with Claudia Diaz (PI). I was involved in writing the grant application, preparing the job posting, interviewing the candidates, and making the hiring decision.
🏆 Future of Privacy Forum’s Annual Privacy Papers for Policymakers Award (2020)
Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites (CSCW’19)
Runner-up for the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies (2018)
How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services (CCS’17)
Finalist for the Best Paper Award at the ACM CCS (2017)
How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services (CCS’17)
Runner-up for the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies (2015)
FPDetective: Dusting the Web for Fingerprinters (CCS’13)
FWO Long-term Travel Grant (August-Sep 2014)
For the internship at the Electronic Frontier Foundation (EFF), San Francisco, CA, USA.
Privacy Enhancing Technologies Symposium Stipend (2013, 2014, 2016)
UNICEF-Turkey Student Grant for the IAMCR Conference (2011)

Talks

Why some online trackers accidentally collect your passwords?

Keynote at SURF Security and Privacy Conference, Utrecht, 29 June 2023

An empirical (CS) research perspective & potentials for interdisciplinary collaboration

Workshop: Exploring the Relationship Between Market Power and Data Protection, Utrecht University, Utrecht, 15 May 2023

Training on Web Technologies, Online Tracking and Dark Patterns

Finnish Competition and Consumer Authority, Helsinki, 6 May 2022

Distinguished Lectures on Security & Privacy

University of Regensburg, Regensburg, 11-12 November 2021

No Boundaries: Data Exfiltration by Third Parties Embedded on Web Pages

Brave Research Reading Group, online, 11 February 2021
MIT CSAIL Security Seminar, online, 17 December 2020
The US Senate (private briefing to senate staffers; hosted by Rafi Martina) - Washington, D.C., 28 February 2018
PrivacyCon 2018, Federal Trade Commission (FTC) - Washington, D.C., 28 February 2018
Electronic Frontier Foundation (EFF) - San Francisco, CA, 2 February 2018
International Computer Science Institute (ICSI) - Berkeley, CA, 1 February 2018

Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites

Workshop: Data-driven Marketing: Opportunities, Challenges and Ethics , Queen Mary University London, London, 17 March 2023
e-Enforcement Academy, European Commission: (training given to over 40 members of European consumer protection authorities). Online, 22 September 2021
Symposium Consumer and Data Privacy: The Digital Revolution of Legal, Social and Economic Interaction - Maastricht, 24 January 2020
Mozilla Security Research Summit - Vienna, 8 November 2019
Maastricht Law & Tech Lab launching event - Maastricht, 17 October 2019

How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services

Princeton University CITP Luncheon, Princeton, NJ, 7 November 2017 Available online: https://www.youtube.com/watch?v=xDL8IMbB2BA

Battery Status Not Included: Assessing Privacy in Web Standards

IETF Privacy Enhancements and Assessments Research Group (PEARG) - 7 November 2018

Online Tracking Technologies and Web Privacy

European Data Protection Supervisor (EDPS) Working Meeting, Leuven, 20 June 2017

Advanced Online Tracking: A look into the Past and the Future

University College of London, Academic Centre of Excellence for Cyber Security Research - London, 24 November 2016

Web Privacy & Tracking

SuperMinds Conference, - Brussels, 27 October 2016 Available online: https://www.youtube.com/watch?v=1MiFFU3POgc
IPICS Summer Course - Leuven, 8 July 2016

User Control over Web Tracking

II. Internet Privacy Engineering Network (IPEN) Workshop - Leuven, 5 June 2015

Facebook's Tracking Capabilities Through Social Plug-ins

Belgian Privacy Commission - Brussels, 9 March 2015

The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

IMDEA Software - Madrid, 30 October 2015
Dutch Data Protection Agency - The Hague, NL, 16 October 2014
UC Berkeley, TRUST Security Seminar - Berkeley, CA, 11 September 2014

FPDetective: Dusting the Web for Fingerprinters

French Data Protection Agency (CNIL) - Paris, 7 April 2014
Federal Trade Commission (FTC), Bureau of Consumer Protection, New York City, NY, 21 February 2014

Obfuscation for and against Device Fingerprinting

Symposium on Obfuscation at NYU, New York City, NY, 15 February 2014

Software

GitHub: @gunesacar

Lead developer:

tor-browser-selenium Tor Browser automation with Selenium 59 forks, 66 dependent repositories (as of 12/2020) including the SecureDrop whistleblower platform by the Freedom of the Press Foundation. Used in numerous studies involving Tor Browser automation.
fpdetective: A crawler based on a modified Chromium to detect font-based fingerprinting (CCS’13)
modCrawler: A crawler based on a modified Firefox to detect canvas fingerprinting (CCS’14)
privacy-policy-historical: The web frontend and GitHub backend for the Princeton-Leuven Longitudinal Corpus of Privacy Policies (WWW'21)
OpenWPM-mobile: A mobile web privacy measurement framework based on OpenWPM (CCS’18)

Contributed to:

EFForg/privacybadger: A browser extension that automatically learns to block invisible trackers
mozilla/OpenWPM: A web privacy measurement framework
torproject/tor-browser-bundle-testsuite: Test suite for the Tor Browser bundle
dark-patterns: Public code release for the “Dark patterns at scale:...” (CSCW’19) paper
no-boundaries: A fork of OpenWPM used in the “No boundaries” (PETS’20) paper
TheWebNeverForgets: Public code release for the “The web never forgets” (CCS’14) paper

Press

Press coverage

Wired: Thousands of Popular Websites See What You Type—Before You Hit Submit May 2022
Fortune: Meta, TikTok and thousands of major websites are found swiping data you enter on forms—even if you don’t hit submit May 2022
The Markup (interview): The Online Tracking Company That Knows Your Name May 2022
Help Net Security: CNAME-based tracking increasingly used to bypass browsers’ anti-tracking defenses February 2021
CNN: Buyer beware! These are the tricks online stores use to get you buying more stuff November 2019
New York Times: They Know What You Watched Last Night (25 October 2019)
The Verge: Smart TVs are data-collecting machines, new study shows October 2019
Washington Post: You watch TV. Your TV watches back 18 September 2019
New York Times: How E-Commerce Sites Manipulate You Into Buying Things You May Not Want June 2019
CNBC: Facebook users’ data exposed to web trackers when using its login feature for other sites: Report April 2018
Wired: Mobile Websites Can Tap Into Your Phone's Sensors Without Asking September 2018
Wired: Covert 'Replay Sessions' Have Been Harvesting Passwords by Mistake February 2018
Vice Motherboard: Over 400 of the World's Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find November 2017
The Guardian: How your smartphone's battery life can be used to invade your privacy August 2015
Newsweek: Facebook Admits to Tracking Web Browsing Activity of Non-Users April 2015
Der Spiegel: Canvas Fingerprinting: Neue Methode zum Online-Tracking macht Verstecken fastunmöglich July 2014
BBC: Browser 'fingerprints' help track users July 2014
American Scientist: Uniquely Me! (March-April 2014 Issue)
Le Monde: Publicité: une nouvelle technique pour pister les internautes July 2014
ProPublica: Meet the Online Tracking Device That is Virtually Impossible to Block July 2014
Ars Technica: Top sites (and maybe the NSA) track users with "device fingerprinting" October 2013

Media collaborations

NBC Nightly News: Privacy And Power: Your Digital Fingerprint
Provided tracker visualizations, demonstrated OpenWPM software (December 2019)
New York Times: I Visited 47 Sites. Hundreds of Trackers Followed Me
Collaborated with the paper’s visual journalism department; modified OpenWPM for manual crawls; built analysis notebooks (August 2019)
Washington Post: Sex, drugs, and self-harm: Where 20 years of child online protection law went wrong
Surveyed child-directed websites for improper ads and PUP ads; investigated Google’s ad disclosures (June 2019)
PBS Frontline: What Facebook Knows About You and How [EXPLAINER] | FRONTLINE
Provided measurements of Facebook’s prevalence on the web using the Princeton Web Census data (October 2018)
Associated Press: AP Exclusive: Google tracks your movements, like it or not
Verified and further investigated unconsented location tracking by Google (August 2018)

Supervision

PhD students:

Contact

Email: g.acar@cs.ru.nl
Address: Mercator 1 Toernooiveld 212 6525 EC NIJMEGEN The Netherlands
Office: 03.01
Tel: +31 24 36 52 077

Güneş Acar

Assistant Professor
Radboud University

Selected Publications

Academic and Other Services

Program Committee Memberships

External Reviews

Grants and Achievements

Talks

Software

Lead developer:

Contributed to:

Press

Press coverage

Media collaborations

Supervision

Contact

Güneş Acar

Assistant Professor Radboud University

Program Committee Memberships

External Reviews

Lead developer:

Contributed to:

Press coverage

Media collaborations

Assistant Professor
Radboud University