Echo Meißner
Echo Meißner received their Master's diploma cum laude in Computer Science from Ulm University in 2017. They then joined the Institute of Distributed Systems and are currently employed as a research assistant.
Research Interests
- Practical and usable privacy
  - Privacy-enhancing technologies
  - Trusted computing & trusted execution environments
  - Privacy in empirical research
- Distributed systems & architectures
  - Event-driven architectures
  - Event sourcing & CQRS
  - Retroaction in event-sourced systems
  - Scalability of architectures
- Other topics
  - Web technologies & web architectures
  - Programming languages and concepts
  - Open data & open educational resources
Publications
2025
Meißner, E. 2025. Privacy protection in quantitative empirical research. Universität Ulm. Dissertation
Quantitative empirical research is a cornerstone of many scientific disciplines, offering reproducible, statistically validated insights. Methodological reforms such as preregistration and open science aim to strengthen scientific integrity and transparency, often encouraging the publication of primary datasets. At the same time, emerging data collection methods such as mobile sensing and chatbot-based studies enable richer, more continuous, and larger-scale data acquisition. However, these developments raise substantial privacy challenges, as traditional anonymization and pseudonymization measures are increasingly vulnerable to modern de-anonymization and linkage attacks. The need to protect participant privacy without undermining scientific utility has become both pressing and complex. The specific characteristics of modern empirical research that involves open data sharing, large and sensitive datasets, and novel collection modalities introduce requirements that current research workflows and tools do not adequately address. Solutions must (i) mitigate privacy threats across all stages of the research process, (ii) integrate robust privacy-enhancing technologies without disrupting established workflows, and (iii) maintain compatibility with reproducibility and reusability goals central to open science. This thesis first analyzes the empirical research process using a structured privacy threat modeling method applied to a realistic running example. From this analysis, requirements for a privacy-preserving workflow are derived and decomposed into participant management and data collection/analysis. Two novel cryptographic constructions, i.e., PrePaMS for participant management and PeQES for privacy-enhanced studies, are designed with formal system models and proofs of security and privacy properties. The proposed designs are implemented as web-based prototypes and evaluated with synthetic datasets.
Performance results demonstrate that privacy-preserving workflows can be realized with practical performance overhead while satisfying identified privacy, security, and reproducibility requirements. The resulting prototypes demonstrate the feasibility of privacy-preserving research workflows in realistic settings, balancing participant privacy with scientific utility. Our additional transparency mechanism (WAIT) addresses an orthogonal threat to web applications with sensitive client-side code by ensuring code integrity in the presence of untrusted platform providers. This thesis provides the following contributions: (1) a comprehensive privacy risk analysis of current and emerging empirical research practices, (2) a formal requirement specification for privacy-aware open science workflows, (3) novel cryptographic protocols for participant management (PrePaMS) and data collection/analysis (PeQES), (4) an integrated open science workflow design incorporating these protocols, (5) prototype implementations with performance and feasibility evaluations, (6) an integrated workflow design balancing privacy with scientific utility, and (7) the WAIT transparency mechanism for protecting the integrity of sensitive client-side code in web applications.
Hermann, A., Trkulja, N., Meißner, E., Erb, B. and Kargl, F. 2025. Demo: Quantifying Trust in a Trust Assessment Framework. 2025 IEEE Vehicular Networking Conference (Jun. 2025).
Vehicular communication via V2X networks increases road safety, but is vulnerable to data manipulation which can lead to serious incidents. Existing security systems, such as misbehavior detection systems, have limitations in detecting and mitigating such threats. To address these challenges, we have implemented a software prototype of a Trust Assessment Framework (TAF) that assesses the trustworthiness of received V2X data by integrating evidence from multiple trust sources. This interactive demonstration illustrates the quantification of trust for a smart traffic light system application. We demonstrate the impact of varying evidence coming from a misbehavior detection system and a security report generator on the trust assessment process. We also showcase internal processing steps within our TAF when receiving new evidence, up to and including the eventual decision making on the trustworthiness of the received V2X data.
Trkulja, N., Hermann, A., Duhr, P.L., Meißner, E., Buchholz, M., Kargl, F. and Erb, B. 2025. Vehicle-to-Everything Trust: Enabling Autonomous Trust Assessment of V2X Data by Vehicles. Proceedings of the 2nd Cyber Security in CarS Workshop (Taipei, Taiwan, 2025). (acceptance rate: 65%)
Connected and automated vehicles rely on data from various entities to support safety-critical applications such as Cooperative Adaptive Cruise Control (CACC). However, unauthorized data manipulation through, for example, data injection attacks can compromise vehicle safety and lead to incidents. Existing vehicular security mechanisms, such as Misbehavior Detection System (MBD), have limitations in detecting and mitigating all types of threats on their own. To address these limitations, our prior work has proposed the concept of a Trust Assessment Framework (TAF), which assesses data trustworthiness by combining evidence from multiple security systems operating as trust sources. However, TAF as a concept has not been extensively evaluated in safety-critical Cooperative Driving (CD) applications. In this work, we refine the architecture of the TAF and implement a software prototype based on it. We integrate the TAF prototype with a CACC simulation environment and implement three types of data injection attacks. We demonstrate that by incorporating multiple security mechanisms as trust sources, the TAF significantly improves attack detection performance and reduces the number of crashes by 86% compared to using a single security mechanism, such as MBD.
Meißner, E., Kargl, F., Erb, B. and Engelmann, F. 2025. PrePaMS: Privacy-Preserving Participant Management System for Studies with Rewards and Prerequisites. Proceedings on Privacy Enhancing Technologies. 2025, 1 (2025), 632–653. (acceptance rate: 30%)
Taking part in surveys, experiments, and studies is often compensated by rewards to increase the number of participants and encourage attendance. While privacy requirements are usually considered for participation, privacy aspects of the reward procedure are mostly ignored. To this end, we introduce PrePaMS, an efficient participation management system that supports prerequisite checks and participation rewards in a privacy-preserving way. Our system organizes participations with potential (dis-)qualifying dependencies and enables secure reward payoffs. By leveraging a set of proven cryptographic primitives and mechanisms such as anonymous credentials and zero-knowledge proofs, participations are protected so that service providers and organizers cannot derive the identity of participants even within the reward process. In this paper, we have designed and implemented a prototype of PrePaMS to show its effectiveness and evaluated its performance under realistic workloads. PrePaMS covers the information whether subjects have participated in surveys, experiments, or studies. When combined with other secure solutions for the actual data collection within these events, PrePaMS can represent a cornerstone for more privacy-preserving empirical research.
2024
Heß, A., Hauck, F.J. and Meißner, E. 2024. Consensus-agnostic state-machine replication. 25th ACM/IFIP Int. Middleware Conf. (Hong Kong, China, Dec. 2024).
State-machine replication (SMR) is a popular fault-tolerance technique for building highly-available services. Usually, consensus protocols are used to enforce a deterministic service-request ordering among replicas, in order to prevent their state from diverging. Over the last decades, a multitude of consensus protocols have been developed which come with different characteristics but also with different communication and programming models. Our Consensus-Agnostic Replication Toolkit (CART) is a wrapper for consensus protocols that relieves clients from most consensus configuration and support. Besides, it implements a generic client and application interface to support different consensus protocols and configurations, e.g. in cloud deployments. CART has built-in authentication of services based on BLS threshold signatures. It can further prove malicious behaviour of replicas, thus speeding up recovery in case of Byzantine faults. We evaluate the performance overhead of our approach in a real-world WAN deployment for two different consensus protocol implementations using the YCSB benchmark. Our results show that CART is able to reach up to 90% of the throughput achieved by the native consensus protocol with an additional latency overhead of only 10%.
Schillings, C., Meißner, E., Erb, B., Bendig, E., Schultchen, D., Pollatos, O. and others 2024. Effects of a Chatbot-Based Intervention on Stress and Health-Related Parameters in a Stressed Sample: Randomized Controlled Trial. JMIR Mental Health. 11, 1 (May 2024), e50454.
2023
Schillings, C., Meißner, E., Erb, B., Schultchen, D., Bendig, E. and Pollatos, O. 2023. A chatbot-based intervention with ELME to improve stress and health-related parameters in a stressed sample: Study protocol of a randomised controlled trial. Frontiers in Digital Health. 5, (Mar. 2023), 14.
Background: Stress levels in the general population had already been increasing in recent years, and have subsequently been exacerbated by the global pandemic. One approach for innovative online-based interventions are “chatbots” – computer programs that can simulate a text-based interaction with human users via a conversational interface. Research on the efficacy of chatbot-based interventions in the context of mental health is sparse. The present study is designed to investigate the effects of a three-week chatbot-based intervention with the chatbot ELME, aiming to reduce stress and to improve various health-related parameters in a stressed sample. Methods: In this multicenter, two-armed randomised controlled trial with a parallel design, a three-week chatbot-based intervention group including two daily interactive intervention sessions via smartphone (à 10-20 min.) is compared to a treatment-as-usual control group. A total of 130 adult participants with medium to high stress levels will be recruited in Germany. Assessments will take place pre-intervention, post-intervention (after three weeks), and follow-up (after six weeks). The primary outcome is perceived stress. Secondary outcomes include self-reported interoceptive accuracy, mindfulness, anxiety, depression, personality, emotion regulation, psychological well-being, stress mindset, intervention credibility and expectancies, affinity for technology, and attitudes towards artificial intelligence. During the intervention, participants undergo ecological momentary assessments. Furthermore, satisfaction with the intervention, the usability of the chatbot, potential negative effects of the intervention, adherence, potential dropout reasons, and open feedback questions regarding the chatbot are assessed post-intervention. Discussion: To the best of our knowledge, this is the first chatbot-based intervention addressing interoception, as well as in the context with the target variables stress and mindfulness.
The design of the present study and the usability of the chatbot were successfully tested in a previous feasibility study. To counteract a low adherence of the chatbot-based intervention, a high guidance by the chatbot, short sessions, individual and flexible time points of the intervention units and the ecological momentary assessments, reminder messages, and the opportunity to postpone single units were implemented.
2021
Herbert, C., Marschin, V., Erb, B., Meißner, E., Aufheimer, M. and Boesch, C. 2021. Are you willing to self-disclose for science? Effects of Privacy Awareness (PA) and Trust in Privacy (TIP) on self-disclosure of personal and health data in online scientific studies - an experimental study. Frontiers in Big Data. (Dec. 2021). [accepted for publication]
Digital interactions via the internet have become the norm rather than the exception in our global society. Concerns have been raised about human-centered privacy and the often unreflected self-disclosure behavior of internet users. This study on human-centered privacy follows two major aims: first, investigate the willingness of university students as digital natives to self-disclose private data and information from psychological domains including their person, social and academic life, their mental health as well as their health behavior habits when taking part as a volunteer in a scientific online survey. Second, examine to what extent the participants’ self-disclosure behavior can be modulated by experimental induction of Privacy Awareness (PA) or Trust in Privacy (TIP) or a combination of both (PA and TIP). In addition, the role of human factors such as personality traits, gender or mental health (e.g., self-reported depressive symptoms) on self-disclosure behavior was explored and the influence of PA and TIP induction were considered. Participants were randomly assigned to four experimental groups. In group A (n = 50, 7 males), privacy awareness (PA) was induced implicitly by the inclusion of privacy concern items. In group B (n = 43, 6 males), trust in privacy (TIP) was experimentally induced by buzzwords and by visual TIP primes promising safe data storage. Group C (n = 79, 12 males) received both, PA and TIP induction, while group D (n = 55, 9 males) served as control group. Participants had the choice to answer the survey items by agreeing to one of a number of possible answers including the options to refrain from self-disclosure by choosing the response options “don’t know” or “no answer”. Self-disclosure among participants was high irrespective of experimental group and irrespective of psychological domains of the information provided. 
The results of this study suggest that willingness of volunteers to self-disclose private data in a scientific online study cannot simply be overruled or changed by any of the chosen experimental privacy manipulations. The present results extend the previous literature on human-centered privacy and despite limitations can give important insights into self-disclosure behavior of young people and the privacy paradox.
Meißner, E., Kargl, F. and Erb, B. 2021. WAIT: Protecting the Integrity of Web Applications with Binary-Equivalent Transparency. Proceedings of the 36th Annual ACM Symposium on Applied Computing (Virtual Event, Republic of Korea, 2021), 1950–1953. (acceptance rate: 29%)
Modern single page web applications require client-side executions of application logic, including critical functionality such as client-side cryptography. Existing mechanisms such as TLS and Subresource Integrity secure the communication and provide external resource integrity. However, the browser is unaware of modifications to the client-side application as provided by the server and the user remains vulnerable against malicious modifications carried out on the server side. Our solution makes such modifications transparent and empowers the browser to validate the integrity of a web application based on a publicly verifiable log. Our Web Application Integrity Transparency (WAIT) approach requires (1) an extension for browsers for local integrity validations, (2) a custom HTTP header for web servers that host the application, and (3) public log servers that serve the verifiable logs. With WAIT, the browser can disallow the execution of undisclosed application changes. Also, web application providers cannot dispute their authorship for published modifications anymore. Although our approach cannot prevent every conceivable attack on client-side web application integrity, it introduces a novel sense of transparency for users and an increased level of accountability for application providers particularly effective against targeted insider attacks.
Meißner, E., Engelmann, F., Kargl, F. and Erb, B. 2021. PeQES: A Platform for Privacy-Enhanced Quantitative Empirical Studies. Proceedings of the 36th Annual ACM Symposium on Applied Computing (Virtual Event, Republic of Korea, 2021), 1226–1234. (acceptance rate: 29%)
Empirical sciences and in particular psychology suffer a methodological crisis due to the non-reproducibility of results, and in rare cases, questionable research practices. Pre-registered studies and the publication of raw data sets have emerged as effective countermeasures. However, this approach represents only a conceptual procedure and may in some cases exacerbate privacy issues associated with data publications. We establish a novel, privacy-enhanced workflow for pre-registered studies. We also introduce PeQES, a corresponding platform that technically enforces the appropriate execution while at the same time protecting the participants' data from unauthorized use or data repurposing. Our PeQES prototype proves the overall feasibility of our privacy-enhanced workflow while introducing only a negligible performance overhead for data acquisition and data analysis of an actual study. Using trusted computing mechanisms, PeQES is the first platform to enable privacy-enhanced studies, to ensure the integrity of study protocols, and to safeguard the confidentiality of participants' data at the same time.
Bendig, E., Erb, B., Meißner, E., Bauereiß, N. and Baumeister, H. 2021. Feasibility of a Software agent providing a brief Intervention for Self-help to Uplift psychological wellbeing (“SISU”). A single-group pretest-posttest trial investigating the potential of SISU to act as therapeutic agent. Internet Interventions. 24, (2021), 100377.
Background: Software agents are computer-programs that conduct conversations with a human. The present study evaluates the feasibility of the software agent “SISU” aiming to uplift psychological wellbeing. Methods: Within a one-group pretest-posttest trial, N = 30 German-speaking participants were recruited. Assessments took place before (t1), during (t2) and after (t3) the intervention. The ability of SISU to guide participants through the intervention, acceptability, and negative effects were investigated. Data analyses are based on intention-to-treat principles. Linear mixed models will be used to investigate short-term changes over time in mood, depression, anxiety. Intervention: The intervention consists of two sessions. Each session comprises writing tasks on autobiographical negative life events and an Acceptance- and Commitment Therapy-based exercise respectively. Participants interact with the software agent on two consecutive days for about 30 min each. Results: All participants completed all sessions within two days. User experience was positive, with all subscales of the user experience questionnaire (UEQ) M > 0.8. Participants experienced their writings as highly self-relevant and personal. However, 57% of the participants reported at least one negative effect attributed to the intervention. Results on linear mixed models indicate an increase in anxiety over time (β = 1.33, p = .001). Qualitative User Feedback revealed that the best thing about SISU was its innovativeness (13%) and anonymity (13%). As worst thing about SISU participants indicated that the conversational style of SISU often felt unnatural (73%). Conclusion: SISU successfully guided participants through the two-day intervention. Moreover, SISU has the potential to enter the inner world of participants. However, intervention contents have the potential to evoke negative effects in individuals. 
Expectable short-term symptom deterioration due to writing about negative autobiographical life events could not be prevented by acceptance and commitment therapy-based exercises. Hence, results suggest a revision of intervention contents as well as of the conversational style of SISU. The good adherence rate indicates the useful and acceptable format of SISU as a mental health chatbot. Overall, little is known about the effectiveness of software agents in the context of psychological wellbeing. Results of the present trial underline that the innovative technology bears the potential of SISU to act as therapeutic agent but should not be used with its current intervention content. Trial-registration: The Trial is registered at the WHO International Clinical Trials Registry Platform via the German Clinical Studies Register (DRKS): DRKS00014933 (date of registration: 20.06.2018). Link: https://www.drks.de/drks_web/navigate.do?navigationId=trial.HTML&TRIAL_ID=DRKS00014933.
2018
Meißner, E. 2018. Towards Time Travel in Distributed Event-Sourced Systems. Proceedings of the 12th ACM International Conference on Distributed and Event-Based Systems (Hamilton, New Zealand, 2018), 266–269. Doctoral Symposium
Stateful applications are based on the state they hold and how it changes over time. This history of state changes is usually discarded as the application progresses. By building on concepts from event processing and storing the application history we envision a novel programming paradigm that supports retroaction. Retroactive computing introduces new opportunities for a developer to access and even modify an application timeline. By enabling the exploration of alternative scenarios, retroactive computing establishes powerful new ways to debug systems and introduces new approaches to solve problems. Initial work has shown the practicality and possibilities of this new programming paradigm and introduces further research questions and challenges.
Meißner, E., Erb, B., Kargl, F. and Tichy, M. 2018. retro-λ: An Event-sourced Platform for Serverless Applications with Retroactive Computing Support. Proceedings of the 12th ACM International Conference on Distributed and Event-based Systems (Hamilton, New Zealand, 2018), 76–87. (acceptance rate: 39%)
State changes over time are inherent characteristics of stateful applications. So far, there are almost no attempts to make the past application history programmatically accessible or even modifiable. This is primarily due to the complexity of temporal changes and a difficult alignment with prevalent programming primitives and persistence strategies. Retroactive computing enables powerful capabilities though, including computations and predictions of alternate application timelines, post-hoc bug fixes, or retroactive state explorations. We propose an event-driven programming model that is oriented towards serverless computing and applies retroaction to the event sourcing paradigm. Our model is deliberately restrictive, but therefore keeps the complexity of retroactive operations in check. We introduce retro-λ, a runtime platform that implements the model and provides retroactive capabilities to its applications. While retro-λ only shows negligible performance overheads compared to similar solutions for running regular applications, it enables its users to execute retroactive computations on the application histories as part of its programming model.
Meißner, E., Erb, B. and Kargl, F. 2018. Performance Engineering in Distributed Event-sourced Systems. Proceedings of the 12th ACM International Conference on Distributed and Event-based Systems (Hamilton, New Zealand, 2018), 242–245. (acceptance rate: 39%)
Distributed event-sourced systems adopt a fairly new architectural style for data-intensive applications that maintains the full history of the application state. However, the performance implications of such systems are not yet well explored, let alone how the performance of these systems can be improved. A central issue is the lack of systematic performance engineering approaches that take into account the specific characteristics of these systems. To address this problem, we suggest a methodology for performance engineering and performance analysis of distributed event-sourced systems based on specific measurements and subsequent, targeted optimizations. The methodology blends in well into existing software engineering processes and helps developers to identify bottlenecks and to resolve performance issues. Using our structured approach, we improved an existing event-sourced system prototype and increased its performance considerably.
Erb, B., Meißner, E., Ogger, F. and Kargl, F. 2018. Log Pruning in Distributed Event-sourced Systems. Proceedings of the 12th ACM International Conference on Distributed and Event-based Systems (Hamilton, New Zealand, 2018), 230–233. (acceptance rate: 39%)
Event sourcing is increasingly used and implemented in event-based systems for maintaining the evolution of application state. However, unbounded event logs are impracticable for many systems, as it is difficult to align scalability requirements and long-term runtime behavior with the corresponding storage requirements. To this end, we explore the design space of log pruning approaches suitable for event-sourced systems. Furthermore, we survey specific log pruning mechanisms for event-sourced logs. In a brief evaluation, we point out the trade-offs when applying pruning to event logs and highlight the applicability of log pruning to event-sourced systems.
Erb, B., Meißner, E., Kargl, F., Steer, B.A., Cuadrado, F., Margan, D. and Pietzuch, P. 2018. Graphtides: A Framework for Evaluating Stream-Based Graph Processing Platforms. Proceedings of the 1st ACM SIGMOD Joint International Workshop on Graph Data Management Experiences & Systems (GRADES) and Network Data Analytics (NDA) (Houston, Texas, 2018). (acceptance rate: 38%)
Stream-based graph systems continuously ingest graph-changing events via an established input stream, performing the required computation on the corresponding graph. While there are various benchmarking and evaluation approaches for traditional, batch-oriented graph processing systems, there are no common procedures for evaluating stream-based graph systems. We, therefore, present GraphTides, a generic framework which includes the definition of an appropriate system model, an exploration of the parameter space, suitable workloads, and computations required for evaluating such systems. Furthermore, we propose a methodology and provide an architecture for running experimental evaluations. With our framework, we hope to systematically support system development, performance measurements, engineering, and comparisons of stream-based graph systems.
2017
Erb, B., Meißner, E., Habiger, G., Pietron, J. and Kargl, F. 2017. Consistent Retrospective Snapshots in Distributed Event-sourced Systems. Conference on Networked Systems (NetSys’17) (Göttingen, Germany, Mar. 2017).
An increasing number of distributed, event-based systems adopt an architectural style called event sourcing, in which entities keep their entire history in an event log. Event sourcing enables data lineage and allows entities to rebuild any previous state. Restoring previous application states is a straight-forward task in event-sourced systems with a global and totally ordered event log. However, the extraction of causally consistent snapshots from distributed, individual event logs is rendered non-trivial due to causal relationships between communicating entities. High dynamicity of entities increases the complexity of such reconstructions even more. We present approaches for retrospective and global state extraction of event-sourced applications based on distributed event logs. We provide an overview on historical approaches towards distributed debugging and breakpointing, which are closely related to event log-based state reconstruction. We then introduce and evaluate our approach for non-local state extraction from distributed event logs, which is specifically adapted for dynamic and asynchronous event-sourced systems.
Erb, B., Meißner, E., Pietron, J. and Kargl, F. 2017. Chronograph: A Distributed Processing Platform for Online and Batch Computations on Event-sourced Graphs. Proceedings of the 11th ACM International Conference on Distributed and Event-Based Systems (Barcelona, Spain, 2017), 78–87. (acceptance rate: 37%)
Several data-intensive applications take streams of events as a continuous input and internally map events onto a dynamic, graph-based data model which is then used for processing. The differences between event processing, graph computing, as well as batch processing and near-realtime processing yield a number of specific requirements for computing platforms that try to unify these approaches. By combining an altered actor model, an event-sourced persistence layer, and a vertex-based, asynchronous programming model, we propose a distributed computing platform that supports event-driven, graph-based applications in a single platform. Our Chronograph platform concept enables online and offline computations on event-driven, history-aware graphs and supports different processing models on the evolving graph.
2016
Meißner, E., Erb, B., van der Heijden, R., Lange, K. and Kargl, F. 2016. Mobile triage management in disaster area networks using decentralized replication. Proceedings of the Eleventh ACM Workshop on Challenged Networks (2016), 7–12. (acceptance rate: 52%)
In large-scale disaster scenarios, efficient triage management is a major challenge for emergency services. Rescue forces traditionally respond to such incidents with a paper-based triage system, but technical solutions can potentially achieve improved usability and data availability. We develop a triage management system based on commodity hardware and software components to verify this claim. We use a single-hop, ad-hoc network architecture with multi-master replication, a tablet-based device setup, and a mobile application for emergency services. We study our system in cooperation with regional emergency services and report on experiences from a field exercise. We show that state-of-the-art commodity technology provides the means necessary to implement a triage management system compatible with existing emergency service procedures, while introducing additional benefits. This work highlights that powerful real-world ad-hoc networking applications do not require unreasonable development effort, as existing tools from distributed systems, such as replicating NoSQL databases, can be used successfully.