Login system helps spot online hacks without sacrificing privacy

A new system developed by Cornell Tech researchers helps users detect when their online accounts have been compromised — without exposing their personal devices to invasive tracking by web services.

The researchers presented the system, called Client-Side Encrypted Access Logging (CSAL), at the USENIX Security Symposium on Aug. 15 in Seattle. Its “privacy-first” method verifies whether a login came from a user’s own device, addressing a flaw in how major platforms like Google and Facebook currently log account access.

The new system could be especially useful for users at heightened risk of targeted cyberattacks, such as journalists, activists and public figures, who need to verify account activity, the researchers said. The study was motivated by the authors’ work with survivors of intimate partner violence at Cornell Tech’s Clinic to End Tech Abuse (CETA); the safety of survivors often relies on knowing if and when their partners have been accessing their accounts.

The research was led by Carolina Ortega Pérez and Alaa Daffalla, both Ph.D. candidates in computer science, and Thomas Ristenpart, professor at Cornell Tech and the Cornell Ann S. Bowers College of Computing and Information Science. The team found that existing access logs rely on client-side data, such as device identifiers and IP addresses, that attackers can easily spoof. Even after an account is compromised, the logs may misleadingly suggest that the login came from a familiar device.

“For at-risk users, an incident of account compromise could be life-threatening. Tools such as CSAL empower these users to diagnose illicit accesses to their online accounts, which is crucial for their safety,” said Daffalla.

CSAL offers a cryptographic alternative. Instead of sending service providers client-side data, the system encrypts it end-to-end using a key known only to the client devices. During login, the client device’s operating system generates a cryptographic token containing device identifiers, which is encrypted end-to-end and stored by the service provider, ensuring that only the user can later decrypt and verify the login’s origin.

This approach allows users to detect unauthorized access without revealing their identifying information to the platform they are using. It also avoids the need for platforms to collect and store detailed device fingerprints, which are often used for tracking, the team said.
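A simplified model of the logging flow described above, added here as an illustration; it is not CSAL's actual construction or the researchers' code. The HMAC-based encrypt-then-MAC cipher is a stand-in for a real authenticated cipher, used only so the sketch runs on Python's standard library, and the function names, device names, keys and timestamps are constructed.

```python
import hashlib, hmac, json, os

# Assumption: one 32-byte key shared by the user's own devices, never sent to the provider.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stand-in keystream, not a production cipher.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_login(key, device_id, timestamp):
    """Client, at login: encrypt device details into a blob the provider stores."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, json.dumps({"device": device_id, "ts": timestamp}).encode())
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def audit(key, blobs, known_devices):
    """User, later: decrypt each stored entry and classify where it came from."""
    enc, mac = _subkeys(key)
    verdicts = []
    for blob in blobs:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        good = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, good):
            verdicts.append("unverifiable")  # not produced with the user's key
            continue
        entry = json.loads(_xor_stream(enc, nonce, ct))
        verdicts.append("own-device" if entry["device"] in known_devices else "unknown-device")
    return verdicts

def demo():
    user_key, other_key = os.urandom(32), os.urandom(32)
    stored = [  # constructed entries, as the provider would hold them
        seal_login(user_key, "laptop-01", "2025-08-15T09:00Z"),
        seal_login(other_key, "laptop-01", "2025-08-15T23:40Z"),  # copied id, no user key
    ]
    return audit(user_key, stored, {"laptop-01", "phone-02"})

if __name__ == "__main__":
    print(demo())
```

The second entry carries a familiar device name but fails verification, which is the case a plaintext access log would have shown as a known device.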

The research shows how this system can be integrated into existing authentication workflows with minimal overhead. The system is also compatible with widely used security protocols, making it feasible for adoption by major platforms, the researchers said. By rethinking how access logs are generated and interpreted, the team said, CSAL offers a promising path forward for balancing security and privacy in digital account management.

The research was supported in part by a grant from the National Science Foundation and funding from Google.

Grace Stanley is a staff writer-editor for Cornell Tech.
