Decoding the Digital World: A Conversation with Prof. Gosain

From unraveling the complexities of online anonymity to shaping the future of privacy laws, Prof. Devashish Gosain is at the forefront of network security research. As a core faculty member at IITB Trust Lab, his journey spans leading institutions such as Max Planck Institute, KU Leuven, and IIIT Delhi. In this candid conversation, he discusses how real-world challenges inspire his work, the evolving threats to digital privacy, and why measurement-driven security research is more crucial than ever. Explore his perspectives on the hidden layers of the Internet, the battle for user privacy, and the innovations shaping our online world.

You’ve had a diverse academic journey, from IIIT Delhi for your Ph.D. to postdoctoral positions in Germany and Belgium. How have these experiences shaped your research perspective?

I immensely enjoyed my work at all three institutions. IIIT Delhi, a relatively young research institution, provided me with a vibrant and dynamic environment in which to conduct systems research. The world-class infrastructure and supporting staff and faculty were always eager to help. Moreover, since my hometown is Delhi, I had ample time to meet my family and childhood friends, who constantly supported me throughout my PhD.

When I moved to the Max Planck Institute of Informatics, Germany, I did not observe a significant difference in the research environment; however, the institute’s policies to facilitate research were better structured. For instance, guidelines for conducting measurements were well-defined, and the sysadmins were prompt and highly skilled. This helped reduce logistics time immensely, and I availed more time for research.

In KU Leuven, I enjoyed similar facilities; however, the city and the people of Leuven were friendlier and more fun to mingle with. Overall, I cherished the best of all three places.

Can you describe a moment in your research career that significantly changed your perspective or approach?

During my Ph.D. and postdocs, I often felt I was not suitable for research, as top-quality security research pushes you back numerous times. (Later, I found out it’s called ‘Imposter Syndrome’, and Ph.D. students often feel that.) I remember an instance when I finished my paper; five days were left before the deadline, and I was proofreading the paper. Suddenly, I found that some other authors had also published a paper along similar lines. It was a shock, as the paper I was working on was the output of two years of blood and sweat, and for a moment, I felt the game was over! But with the help of great colleagues and family, I regained the energy, modified the story, conducted additional experiments, quantified the delta difference with the new paper, and submitted the paper. This changed my approach entirely, and now I feel more confident when I see similar research. The key lesson is to admit that we are stressed, ease your burden by discussing with friends and colleagues, take a break, and bounce back with full energy.

Your research interests span networks, privacy, anonymity, and Internet measurements. Could you tell us a little bit about each of these areas?

Indeed, I work on the intersection of all these areas. I strongly feel that applied security and privacy research cannot be conducted in isolation. This requires deeper knowledge of networks and the notion of privacy and security. Let me elaborate a bit more.


What is security? In an abstract sense, security means that when Mohit and Nalini communicate with each other, only they can understand the communication. Moreover, they can verify each other’s identities. 

What is privacy? Privacy has subtle shades and is different from traditional security concerns. For instance, even if Ria uses the best encryption algorithms and achieves confidentiality of the data, she cannot hide her communication pattern. Assume she regularly visits newspaper.com, then uses Google Maps to reach her office, periodically purchases a particular type of medicine, watches some specific genre of movies, talks to her friends late at night, and loves to book party tickets online. Mere actions (especially repetitive ones) are enough to create her profile and curate aspects of her personality that she herself might not know about. Online trackers and surveillance agencies exploit user privacy with such meta-data. Bart Preneel, a renowned cryptographer, once said, “Often people do not know that they have a lot to hide.” Thus, we require stronger privacy-enhancing technologies, and there is a compelling need to educate the masses about potential privacy violations online and offline.

What is anonymity? Anonymity has several definitions, but the one I like most is, “state or quality of being unidentified or unrecognizable in a set of objects”. For example, if someone tells you to identify a person wearing a white shirt, and in a group, all are wearing white shirts, can you precisely identify the person? The answer is NO. We can say it’s the best possible scenario for anonymity. On the contrary, if only one person wears a white shirt, the system offers zero anonymity. In practice, this becomes very complex, as one can have a scenario where folks will wear white, off-white, light white, and multiple shades of white. Can we still say the system offers good anonymity? The problem becomes even more common when the group of objects is the Internet. One popular solution that hides your IP address is Tor, which provides a decent level of anonymity.

What are Internet Measurements? This is a wide area of network and security research where we send multiple queries (typically network packets) to assess the state of the deployed system. For example, let’s assume all Indian Universities decide to upgrade their firewalls; they collaborate and develop their own firewall and eventually deploy them. A measurements researcher will send various probes (imitating an attacker), and measure the responses of the firewall longitudinally. The researcher will then analyze the data, identify anomalies, verify the firewall’s response in peak hours, etc., to identify the flaws and performance bottlenecks of such firewalls. Overall, measurement research is the art of creating intelligent queries without increasing the networking load and understanding the intricate workings of a deployed system.

You’ve published several papers on privacy laws such as General Data Protection Regulation (GDPR). What are some of the biggest challenges in this field, and where do you see it heading?

Online services (e.g., websites) monetize their audience through advertising and data collection without prior consent. They use trackers, i.e., third-party services that profile users’ sensitive information (e.g., browsing activity), to display targeted ads and personalized content. Numerous such tracking platforms exist, with many of them gathering information from almost all netizens. This has led to the creation of regulatory bodies that have started governing the scenario. The General Data Protection Regulation (GDPR) enforced in Europe is the most comprehensive law to protect the privacy of data related to all its citizens. Numerous studies explore how effective such laws are. In our recent work, we further show the myriad factors that can influence the efficacy of such laws. However, many countries either do not have privacy regulations or have recently implemented them (e.g., India and Brazil). I wish to study the technical efficacy of privacy laws in such countries. For example, India recently passed a data privacy bill. I aim to conduct longitudinal measurement studies to see how websites and other service providers store user data in India. This will involve geolocating the web servers (where data is being stored), which is a known networking problem requiring innovative solutions. Also, does this law result in a reduction in user tracking on Indian websites? A comparative analysis between European, Indian, and Brazilian websites can provide better insights into how effective the respective laws are in reducing targeted advertisement and user tracking.

What emerging technologies do you think will have the biggest impact on network privacy in the coming years?

Cutting-edge research is happening in different thrust areas that can significantly impact the privacy landscape.

Quantum Computing: Quantum computing promises to break traditional encryption methods, especially those based on public-key cryptography (e.g., RSA). However, quantum-safe cryptography is being developed to counteract this, and the transition to quantum-resistant algorithms could become a significant challenge for privacy.

Artificial Intelligence (AI) and Machine Learning (ML): AI and ML technologies can help enhance network security by detecting anomalies and identifying potential threats more efficiently. However, malicious actors could also use them to perform sophisticated attacks like deep packet inspection or automated exploit discovery. As AI-driven surveillance and data collection technologies advance, privacy risks could increase.

Zero Trust Architecture (ZTA): Zero Trust is gaining traction as a model for network security, where no user or device is trusted by default, even inside the network perimeter. It enhances privacy by ensuring that access is constantly verified, reducing the potential for unauthorized data access. ZTA is expected to grow in importance as more organizations move toward cloud and hybrid environments.

Homomorphic Encryption: This cryptographic technique allows data to be processed while still encrypted. This means sensitive information can be analyzed without being exposed in plaintext. As this technology matures, it has the potential to transform cloud computing and data analytics, preserving privacy while enabling powerful data operations.

Secure Multiparty Computation (SMC): SMC allows multiple parties to collaboratively compute a function using their combined data without revealing their inputs. This has significant implications for privacy in industries like healthcare, finance, and research, where sensitive data needs to be shared but not exposed.

Privacy-Enhancing Technologies (PETs): PETs are designed to protect users’ personal information while still allowing for useful data processing. Technologies like differential privacy, anonymization techniques, and private set intersection are being developed and refined to enable privacy-preserving data analytics without compromising utility.

The combination of these technologies will likely reshape how privacy is managed on networks, creating both new opportunities for stronger privacy protections and new challenges as new attack vectors and privacy risks emerge.

How do you see the relationship between academic research and industry practices in the area of network security?

In my opinion, big tech companies should fund privacy research more, especially in the developing world. We are the biggest consumer market for them. Shoshana Zuboff alarmingly explains in her book that we live in the age of surveillance capitalism. There are enough scientific studies that establish that the privacy paradox exists, i.e., people want privacy, but their actions and choices do not support their mental models. With help from the industry, we can develop privacy-preserving solutions that capitalize on human data but with prior intimation to the end users. One such example is cookie banners in the EU. Similarly, in India, one can work jointly with the industry to develop techniques to follow DPDPA (new Indian privacy law) without curtailing their profits.

As someone who has recently transitioned from Postdoctoral research to a faculty position, what advice would you give to Ph.D. students or early-career researchers in the field of network security and privacy?

In network security, the rule of thumb I follow is: always keep in mind the end user, starting from the idea’s inception. Whatever solutions we develop are eventually to protect and ease the end-user experience. Obviously, visiting academic conferences like PoPETs, USENIX Security, and NDSS helps in formulating a good problem, but if we keep our eyes and ears open to what challenges people are facing, it can help us develop more useful and impactful solutions. Moreover, feedback is the key. I take feedback from different people at different stages of the research project. For instance, I tend to discuss the research idea with senior folks, and under execution, I involve not only my cohorts but also the students. In my experience, good feedback can save us from initial rejections.

As a new faculty member at IITB Trust Lab, what are you most looking forward to in terms of research collaborations or new areas of exploration?

At the core, I am a measurement person. Thus, I would like to conduct extensive measurements to understand the behavior of deployed firewalls, proxies, etc. The Internet is a beautiful mess with various (transparent) devices that alter packets and eventually disrupt standard routing and security policies. My research will illuminate such devices (or middleboxes) to characterize their impact. Importantly, I would also like to explore the usable security area in light of DPDPA and user perceptions about end-to-end-encrypted messaging (e.g., WhatsApp). I strongly feel that engaging with Indian users will provide us with interesting perspectives, given our sheer diversity.

On a personal note, can you tell us about some of your hobbies or interests outside of your academic and research pursuits?

I am an art fan. I consider good movies, songs, poems, paintings, and books analogous to a solid PhD. All of them have a common thread: there are guidelines to gauge their correctness and appreciation of their beauty, but there is no well-defined metric. Also, I like to play badminton and hike.