Keynote Information
For PETS 2026, we will have a set of keynotes. Find their information below.
Keynote by Franziska Roesner
Title: Privacy and Ads on the Emerging Agentic Web
Abstract: Over the last two or more decades, a key privacy issue on the web has been the collection and use of data in the context of targeted advertising. Members of the computer security and privacy research community (and adjacent communities) have done substantial work over that time to characterize (and improve) this ecosystem and its risks, including: assessing the privacy implications of online tracking and ad targeting, studying problematic (e.g., manipulative or adversarial) ad content and ad targeting, and exploring privacy-preserving ad mechanisms. In this talk, I will first overview research findings and ecosystem developments around privacy and the online advertising ecosystem up until now. Then, I will look to the future in this era of generative AI, considering how tracking and advertising may manifest in the emerging “agentic web” — in which users interact substantially with AI agents, and agents interact directly with other web content — and how the landscape of privacy and related risks may evolve.
Franziska Roesner
Franziska (Franzi) Roesner is the Brett Helsel Professor in the Paul G. Allen School of Computer Science & Engineering at the University of Washington, where she co-directs the Security and Privacy Research Lab. Her research focuses broadly on computer security and privacy for end users of existing and emerging technologies. Her work has studied topics including online tracking and advertising, security and privacy for marginalized and/or vulnerable user groups, security and privacy in emerging augmented reality (AR) and IoT platforms, and online trust and safety. She is the recipient of a Google Security and Privacy Research Award and a Google Research Scholar Award, a Consumer Reports Digital Lab Fellowship, an MIT Technology Review "Innovators Under 35" Award, an Emerging Leader Alumni Award from the University of Texas at Austin, and an NSF CAREER Award. She has received paper awards or runners-up at the USENIX Security Symposium, the IEEE Symposium on Security & Privacy, the Internet Measurement Conference, the WebConf, the Annual Privacy Forum, and the CHI Conference on Human Factors in Computing Systems; as well as Test of Time Awards at NSDI, the IEEE Symposium on Security & Privacy, and USENIX Security. She currently serves on the USENIX Security steering committee. She received her PhD from the University of Washington in 2014 and her BS from UT Austin in 2008.

Keynote by John Scott Railton
Title: Autocratic AI: The Frontier AI Trilemma and the Case for a Privacy-Preserving Freedom Stack
Abstract: The 2011 Arab Spring caught autocrats by surprise. Then, they evolved. Today, they’ve co-opted social media and internet infrastructure to surveil and repress civil society. Now, the activists, journalists and dissidents we work with are already pervasively using AI. And autocrats are seeking to respond. They are preparing to exploit AI hyperscalers’ reliance on state-regulated resources, from chips and electricity to land use and market access, as well as dependency on sovereign wealth funds.
From the 2026 Anthropic order by the US Commerce Department, leading to frontier models being taken down, to China’s comprehensive AI frameworks, government pressure on the AI sector is growing fast in democracies and autocracies alike. Big companies face a frontier AI trilemma, and must choose only two of the following: global market access, very broad safety compliance, or serving inference without state censorship or monitoring.
Today, the conditions that some states attach to 'safety' compliance and market access increasingly appear as a pretext for censorship and monitoring, which precludes unrestricted inference. Combined with competitive pressure, I believe this will push companies to sacrifice unrestricted inference, and embrace broad state demands, framed as comprehensive 'safety frameworks' that subtly conflate legitimate harm reduction with political censorship and monitoring.
Such frameworks will offer all autocrats and democracies a tempting fast-track to censorship and surveillance. Unlike traditional censorship methods and blocking, these will be subtle, personalized steering, and resistant to systematic observation and evidence-driven accountability. And the surveillance, unlike mercenary spyware, won’t leave traces on devices.
To counter this, we must build a freedom stack requiring precisely the technologies that this community specializes in: a friendly and resilient ecosystem of private, secure inference with minimal-trust architectures and technical guarantees that operators cannot inspect or filter prompts. Its layers include open-weight and open-source models running in trusted execution environments (TEEs) or on user-controlled devices, seamless migration paths for existing AI users, great user experiences, and rigorous research and testing of models for political censorship and security risks. We must push back on the dynamics, however well-intentioned, that concentrate all AI capability in entities vulnerable to state coercion.
John Scott-Railton
John Scott-Railton is an expert on spyware, phishing, and information operations. As Senior Researcher at the Citizen Lab he leads the Targeted Threats team, collaborating with at-risk individuals and partners around the world to expose abuses. For more than fifteen years he has worked on collaborative investigations tracking and exposing digital attacks targeting people because of who they are, what they do, or what they say. He has testified to lawmakers in the U.S., Italy, Poland and the European parliament on the threats posed by spyware proliferation to national security and human rights.
He was the Founding Editor of the Security Planner, now operated by Consumer Reports, which provides personalized expert security advice. He has also worked on ensuring connectivity in conflicts, including ensuring the free and secure flow of information during wartime. For example, he co-founded the Voices Projects, which helped bypass internet shutdowns in Egypt and Libya. He is a past fellow at Google Ideas / Jigsaw at Alphabet where he worked on products like the Phishing Quiz.

Keynote by Fredrik Strömberg
Title: Managing complexity
Abstract: What is strategy, innovation, and cybersecurity? What is trust and trustworthiness? What design principles are useful for managing complexity - in computer systems, organizations, and life? I have tried to answer these questions for almost two decades, driven by insatiable curiosity and at times unhealthy perfectionism.
This talk is about the journey so far, more and less successful attempts at supporting and doing research, the principles that guide me and my companies, and the meaning of "good enough".
Fredrik Strömberg
Fredrik Strömberg is co-CEO at Mullvad VPN and Head of Research at the Amagicom group, consisting of Mullvad VPN, Tillitis and Glasklar Teknik. His main interest for the past decade has been the design and construction of more trustworthy computer systems. Together with colleagues and collaborators he has worked on the open-source projects System Transparency, Sigsum, Tillitis TKey, Tillitis HSM as well as open-source silicon and other open-source software and hardware-related internal research projects.
Together with his friend Daniel Berntsson he founded Amagicom AB and Mullvad VPN, 17 years ago. His interests in computer security, strategy and creativity started a decade before that, in no small part thanks to his surroundings. Today he's a proud fourth-generation business owner and third-generation inventor.
Mullvad was founded with the vision of making mass surveillance and online censorship ineffective, using entrepreneurship as a method for direct political action. Fredrik and Daniel has consistently refused outside investment in order to retain long term strategic flexibility, and re-invest much of Mullvad's profits in research and open-source software and hardware projects.
