The Haystack Project



Install the Lumen Privacy Monitor for Android!




Direct download


[ About The ICSI Haystack Project ]


Your phone hosts a rich array of information about you and your activities. This includes a range of identifiers, location data and even your contacts list. Often time, apps collect such privacy-sensitive information and share it with third parties such as ad networks and analytics services without your consent for advertising and tracking purposes.


The Haystack Project is an academic initiative led by independent academic researchers at ICSI--UC Berkeley and IMDEA Networks in collaboration with UMass and Stony Brook University. At the core of the project is the Lumen app, an Android app that analyzes your mobile traffic and helps you to identify privacy leakes inflicted by your apps and the organizations collecting this information.


Project sponsors:


The Haystack project is sponsored by the National Science Foundation (NSF) and the DataTransparencyLabs (DTL).

Keep control of your data

Lumen identifies apps leaking your privacy-sensitive data over the network so that you stay in control of your network fingerprint.

Find Online Trackers

Lumen reports the third-party organizations collecting your personal information.

HTTPS/TLS Support

Lumen supports TLS interception so you can identify apps leaking privacy-sensitive information over encrypted traffic in real-time.

Be part of a research study!

Lumen comes from a research team at ICSI--UC Berkeley. By installing Lumen, you actively contribute to ongoing research efforts aiming to improve the operational transparency of mobile technologies.

[ Lumen features ]

Easy to Use

Finding out how your apps behave in the networks and how they extract or leak your personal information is as simple as clicking the start button and letting Lumen run! For security purposes, Android will inform you that your traffic will be intercepted, asking you for permission to continue. You may need to also install an additional TLS certificate to enable intercepting TLS traffic. If you miss it during installation time, don't worry! You can re-install it any time from the app settings. We strongly recommend reading in its entirety the tutorial shown the first time you run the app.

Learn About Your Mobile Apps

Most likely, very soon after turning on Lumen you will quickly learn interesting facts about the apps that you run on your phone. You can use Lumen to understand where your apps connect to, which data they share with third parties and even how much traffic they waste for advertising and tracking purposes so you can decide whether to uninstall those that strike you as too intrusive. Not all devices provide the features required by Lumen to operate. If after a few minutes you observe that Lumen does not identify any privacy leaks, read our FAQ and feel free to get in touch with us.

Detailed Reports

Apps may sometimes leak information to not only their own servers but also to online advertising networks or other online tracking services that monetize your metadata. Lumen aims to help you to understand many dynamics that may remain unknown for you! Lumen analyzes your mobile traffic and generates reports about the traffic patterns and the private data collected by each application and online service.

Illuminating App Behavior

Nearly 70% of Android apps leak personal data to third-party services such as analytics services and ad networks. The data provided by Lumen users is used to promote app and service transparency. For instance, you can play with our interactive ICSI panopticon tool to better understand the whole mobile ecosystem and how apps use third-party online trackers. You can also contribute to our research efforts by installing and running our Lumen app!

[ Papers ]


Tracking the deployment of TLS 1.3 on the web: a story of experimentation and centralization


Ralph Holz, Jens Hiller, Johanna Amann, Abbas Razaghpanah, Thomas Jost, Narseo Vallina-Rodriguez, Oliver Hohlfeld


ACM SIGCOMM Computer Communication Review (CCR), 2020






The Price is (Not) Right: Comparing Privacy in Free and Paid Apps


Catherine Han, Irwin Reyes, Álvaro Feal, Joel Reardon, Primal Wijesekera, Narseo Vallina-Rodriguez, Amit Elazari, Kenneth A Bamberger, Serge Egelman


Proceedings on Privacy Enhancing Technologies (PETS), 2020






Angel or Devil? A Privacy Study of Mobile Parental Control Apps


Álvaro Feal, Paolo Calciati, Narseo Vallina-Rodriguez, Carmela Troncoso, Alessandra Gorla


Proceedings on Privacy Enhancing Technologies (PETS), 2020






An Analysis of Pre-installed Android Software


Julien Gamba, Mohammed Rashed, Razaghpanah Abbas, Narseo Vallina-Rodriguez, Juan Tapiador


IEEE Symposium on Security and Privacy (Oakland), 2020 [BEST PRACTICAL PAPER AWARD]






Don’t accept candy from strangers: An analysis of third-party SDKs


Julien Gamba, Mohammed Rashed, Razaghpanah Abbas, Narseo Vallina-Rodriguez, Juan Tapiador


CPDP Book Series, 2020






50 ways to leak your data: An exploration of apps' circumvention of the android permissions system


Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, Serge Egelman


USENIX Security Symposium, 2019 [DISTINGUISHED PAPER AWARD]






On the ridiculousness of notice and consent: Contradictions in app privacy policies


Ehimare Okoyomon, Nikita Samarin, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, Irwin Reyes, Álvaro Feal, Serge Egelman


IEEE ConPro Workshop, 2019






Do you get what you pay for? Comparing the privacy behaviors of free vs. paid apps


Catherine Han, Irwin Reyes, Amit Elazari Bar On, Joel Reardon, Álvaro Feal, Serge Egelman, Narseo Vallina-Rodriguez


IEEE ConPro Workshop, 2019






Coming of Age: A Longitudinal Study of TLS Deployment


Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson, Narseo Vallina-Rodriguez, and Juan Caballero


Proceedings of the ACM Internet Measurements Conference (IMC), 2018 [DISTINGUISHED PAPER AWARD]






An Empirical Analysis of the Commercial VPN Ecosystem


Mohammad Taha Khan, Joe DeBlasio, Geoffrey M. Voelker, Alex C. Snoeren, Chris Kanich, and Narseo Vallina-Rodriguez


Proceedings of the ACM Internet Measurements Conference (IMC), 2018






Beyond google play: A large-scale comparative study of chinese android app markets


Haoyu Wang, Zhe Liu, Jingyue Liang, Narseo Vallina-Rodriguez, Yao Guo, Li Li, Juan Tapiador, Jingcun Cao, Guoai Xu


Proceedings of the ACM Internet Measurements Conference (IMC), 2018




“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale


Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman


Proceedings on Privacy Enhancing Technologies (PETS), 2018 [CASPAR BOWDEN PETS AWARD 2020]






The Cloud that Runs the Mobile Internet: A Measurement Study of Mobile Cloud Services


Foivos Michelinakis, Hossein Doroud, Abbas Razaghpanah, Andra Lutu, Narseo Vallina-Rodriguez, Phillipa Gill, Joerg Widmer


IEEE International Conference on Computer Communications (INFOCOM), 2018





Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem


Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill


Network and Distributed System Security Symposium (NDSS), 2018





Bug Fixes, Improvements,... and Privacy Leaks


Jingjing Ren, Martina Lindorfer, Daniel J. Dubois, Ashwin Rao, David Choffnes and Narseo Vallina-Rodriguez


Network and Distributed System Security Symposium (NDSS), 2018





Studying TLS Usage in Android Apps


Abbas Razaghpanah, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, Phillipa Gill


ACM International Conference on emerging Networking EXperiments and Technologies (CoNEXT), 2017





Dissecting DNS Stakeholders in Mobile Networks


Alessandro Finamore, Diego Perino, Narseo Vallina-Rodriguez, Mario Almeida, Matteo Varvello


ACM International Conference on emerging Networking EXperiments and Technologies (CoNEXT), 2017





"Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations


Irwin Reyes, Primal Wiesekera, Abbas Razaghpanah, Joel Reardon, Narseo Vallina-Rodriguez, Serge Egelman and Christian Kreibich


Workshop on Technology and Consumer Protection (ConPro 2017), in conjunction with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017), 2017





Tracking the Trackers: Towards Understanding the Mobile Advertising and Tracking Ecosystem


Narseo Vallina-Rodriguez, Srikanth Sundaresan, Abbas Razaghpanah, Rishab Nithyanand, Mark Allman, Christian Kreibich, Phillipa Gill


1st Data and Algorithm Transparency Workshop (DAT), 2016




Haystack: In Situ Mobile Traffic Analysis in User Space


Abbas Razaghpanah, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian Kreibich, Phillipa Gill, Mark Allman, Vern Paxson


arXiv, 2015




[ FAQ ]

What data do you collect for your research studies?





Why does Lumen need so many permissions?





how much data does Lumen take from my data plan?





Why Haystack does not identify any leak on my phone?





How can I uninstall the root certificate for TLS interception?





Get in touch with us!





[ team ]