Privacy Protection and ePrivacy Compliance for Web Users – PrivaWEB

Technical:

We have used one existing measurement platform for large-scale data collection (OpenWPM) and developed our own web crawler Cookinspect to detect and analyse cookie banner providers at scale. Using an adopted version of OpenWPM, we have collected traffic and cookie-related data from 85K websites, while with Cookinspect we have gathered data on the usage of consent banners on 23K EU domains.

We developed an open source “Cookie Glasses” browser extension that brings transparency to the banners that rely on IAB Europe TCF.

We have detected the presence of 16.8K Google Chrome extensions on the web browsers of 16.4K users who have visited our testing website and found out that 55% of users with at least one extension are uniquely identifiable by their browser extensions.

Legal:

Since 2019, the W3C has announced that the DNT candidate is obsolete, while the ePrivacy Regulation that was expected to be finalized by the EU in early 2019 is still under discussion. We have adopted the project’s investigation into the curret EU Data Protection framework: GDPR and ePrivacy Directive.

We proposed a fine-grained classification of stateful web tracking behaviours. We identified the behavioral patterns for cookie synching that allows companies to exchange user data even if the user has deleted some of the cookies. Published at the top privacy international journal, PoPETs 2020.

We have identified 4 potential violations of GDPR and ePrivacy directive in cookie banners. The large-scale analysis with Cookinspect, as well as fine-grained analysis with Cookie Glasses revealed suspected violations of GDPR and ePrivacy on 54% of websites that we analysed. Published at one of the top-4 flagship security and privacy international conferences, IEEE S&P 2020.

We have adopted the project’s investigation into the curret EU Data Protection framework: GDPR and ePrivacy Directive. We have analysed both legal and technical requirements from GDPR and ePrivacy Directive and identified 22 fine-grained requirements and means to verify them with manual, computer science tools or user studies. This work, comprised in 45 page journal article, had been published at the international journal Tehcnology and Regulation, 2020.

We concluded that only the purpose of a tracking technology can determine exception from user consent. We have then performed large-scale analysis of 20K third party cookies and concluded that their purpose doesn’t comply with the GPDR and ePrivacy requirements for 95% of the cookies. Published at the international workshop IWPE 2020.

Our collaboration with Cristiana SANTOS on legal and technical requirements of consent in websites have attracted attention of a design scholar, Colin M. GRAY who is internationally known for his work on dark patterns and manipulation in the UX design. Together with Colin M. GRAY we extended our work on legal analysis of cookie banners to design analysis. This work achieved very positive reviews in the top-rang peer- reviewed international conference ACM CHI 2021.

“None Of Your Business« (NOYB) NGO issued a complaint to the French Data Protection Authority (CNIL) based on the results of our work where we detected potential violations of GDPR and ePrivacy directive in cookie banners of hundreds of websites. NOYB used our open source “Cookie Glasses” browser extension that brings transparency to the banners that rely on IAB Europe TCF. The complaint addressed three popular French websites: CDiscount, AlloCine and VanityFair. December 2019.

This outstanding impact on society has been covered in a number of medias (selection below):

www.lemonde.fr/pixels/article/2019/12/10/vie-privee-cdiscount-allocine-et-vanity-fair-vises-par-une-plainte-d-une-ong_6022380_4408996.html

www.businessinsider.fr/cdiscount-et-2-autres-sites-francais-auraient-collecte-des-donnees-dutilisateurs-malgre-leur-refus/

www.nextinpact.com/news/108495-cookies-refuses-mais-installes-cdiscount-allocine-et-vanity-fair-attaques-devant-cnil.htm

Dark Patterns and the Legal Requirements ofConsent Banners: An Interaction Criticism Perspective Colin M. Gray, Cristiana Santos, Nataliia Bielova, Michael Toth, Damian Clifford. ACM CHI Conference on Human Factors in Computing Systems (ACM CHI 2021) Accepted for publication.

Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework. Ce´lestin Matte, Nataliia Bielova, Cristiana Santos. IEEE Symposium on Security and Privacy (IEEE S&P 2020).

On Compliance of Cookie Purposes with the Purpose Specification Principle. Imane Fouad, Cristiana Santos, Feras Al Kassar, Nataliia Bielova and Stefano Calzavara
International Workshop on Privacy Engineering (IWPE 2020)

Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers? Ce´lestin Matte, Cristiana Santos, Nataliia Bielova. Annual Privacy Forum (APF 2020).

Security Analysis of Subject Access Request Procedures.
Coline Boniface, mane Fouad, Nataliia Bielova, Ce´dric Lauradoux, and Cristiana Santos. Annual Privacy Forum (APF 2019).

The Web has become an essential part of our lives: billions are using Web applications on a daily basis and while doing so, are placing digital traces on millions of websites. Such traces allow advertising companies, as well as data brokers to continuously profit from collecting a vast amount of data associated to the users. At the same time, the users do not have any control of who is collecting their data and when. Even well-known privacy extensions fall short to protect user’s privacy entirely because companies use sophisticated techniques to track users on the Web. At the same time, website owners include a vast amount of third-party content and scripts in their websites, often to measure Web audience or for additional functionalities. However, website owners do not control whether such content is tracking their users.

To give users more control over their data and hold website owners accountable for third-party trackers they include, the upcoming EU ePrivacy Regulation will make a significant transformation in the Web tracking ecosystem. ePrivacy will be based on the notion of user’s consent, which will impart users with an increasing control over their data. To technically express user’s consent in a Web browser, W3C has proposed a Do-Not- Track (DNT) standard. A remaining challenge is how the consent can be technically enforced in the existing Web applications without “breaking” them, while at the same time protecting the Web users.

PrivaWeb aims at developing new methods for detection of advanced Web tracking technologies and new tools to integrate in existing Web applications that seamlessly protect privacy of users. In this project, we will integrate three key components into Web applications: privacy, compliance and usability. Our research will address methodological aspects (designing new detection methods and privacy protection mechanisms), practical aspects (large-scale measurement of Web applications, browser extensions implementation), and usability aspects (user surveys to evaluate privacy concerns and usability of existing and new protection tools).