In an age where the internet is woven into our daily lives, privacy concerns are on the rise. From cookies tracking online behavior to geolocation services pinpointing a person’s location, the digital age has increasingly become a double-edged sword.
Erik Rye, a fourth-year Ph.D. student in computer science at the University of Maryland, is aware of these issues, noting that as technology evolves, so do novel methods used to collect, analyze, and sometimes exploit personal data.
To help counter these threats, Rye is focusing his doctoral studies on security and privacy, even though his journey into the world of cybersecurity was somewhat unconventional.
After graduating from the United States Naval Academy in 2008 with a mathematics degree, he initially considered additional training for a medical career in the military. His path shifted after serving overseas as a Marine Corps officer, and he reengaged with a mathematics-based field of study, earning master’s degrees in both computer science and applied mathematics from the Naval Postgraduate School.
It was there where Rye says he found his true calling—a passion for solving complex problems arising from wireless security and digital tracking concerns.
“I never saw myself in this field,” he says. “But once I got into it, I realized how much of a difference this work can make—and that’s what keeps me going.”
Since arriving at UMD in 2022, Rye has been working closely with his adviser, Associate Professor of computer science Dave Levin, exploring how digital devices can be tracked—not just through websites, but via the very network infrastructure that powers the internet. Much of Rye’s recent work is centered on how wireless access points and Internet Protocol (IP) addresses can trace users over time and across the globe, exposing a deeper, often overlooked layer of digital surveillance.
Unlike more familiar tracking methods, such as cookies or targeted ads, Rye’s work uncovers how unique identifiers—like Wi-Fi router Media Access Control (MAC) addresses—can be used to follow individuals. Traditionally, these addresses have been static, meaning that anyone with access to a router’s MAC address could pinpoint its exact location. By aggregating these identifiers globally, Rye and Levin discovered new ways to track users’ movements.
“We realized that by querying Apple’s geolocation service, we could map wireless access points from all over the world with surprising accuracy,” Rye explains.
This breakthrough allowed them to trace millions of routers—even in remote areas—simply by knowing their MAC addresses. The implications were far-reaching: with just this data, it was possible to track an individual’s location, movements, and even daily routines.
Levin notes that Rye’s work specifically targeted these hidden privacy leaks, which is no easy feat.
“If it were obvious where these privacy lapses were, they’d have been fixed by now,” says Levin, who has an appointment in the University of Maryland Institute for Advanced Computer Studies and is a core faculty member in the Maryland Cybersecurity Center. “Instead, they’re buried within massive amounts of data—hidden needles in a global haystack. Erik, however, has an uncanny ability to build powerful magnets that can find them.”
Rye’s research took an unexpected turn when he began exploring how this tracking vulnerability might be used in conflict zones, particularly in Ukraine, where the ongoing war and the use of the Starlink satellite internet technology introduced new privacy risks.
In May 2024, Rye and Levin published a study revealing that Apple’s Wi-Fi-based Positioning System (WPS) could allow unprivileged attackers to track device movements globally by querying the WPS database with Wi-Fi access point MAC addresses.
By analyzing the WPS data, Rye and Levin tracked military personnel and devices entering Ukraine, revealing military positions and pre-deployment sites. They also followed Ukrainian refugees fleeing the country, validating reports of where they had resettled. In Gaza, the same technique was used to monitor the loss of devices, highlighting how the system can inadvertently track civilians in war zones. For Ukrainian forces, this posed a serious security threat, as adversaries could use this data to pinpoint military locations.
Their work received media coverage, prompting Rye to work directly with SpaceX, Starlink’s parent company, to implement random identifiers for Starlink devices, making it harder to track users based on fixed MAC addresses. This new protocol helped protect the privacy and security of Ukrainian forces in an increasingly hostile digital landscape.
“This wasn’t just an academic exercise—it was real-world work with serious implications and potentially dire consequences,” Rye says. “Knowing where these devices are during a military conflict could be catastrophic. Our research and follow-up work aimed to mitigate those risks and protect lives.”
Rye says his research efforts are about more than exposing vulnerabilities in high-risk environments—they’re also about creating practical solutions to protect privacy in everyday life. One key proposal is for routers to generate random identifiers each time they power on, like the privacy protections already built into mobile phones. This simple change would make it much harder to track a device based solely on its unique ID.
“If I move my router across the country, I don’t want anyone to know where I live just by knowing my Wi-Fi address,” Rye says. “We’re advocating for practical solutions to stop targeted tracking.”
—Story by Melissa Brachfeld, UMIACS communications group