Mauro Conti,Vittoria Cozza,Marinella Petrocchi,Angelo Spognardi

DOI: https://doi.org/10.1109/wifs.2015.7368607

2015-11-01

Abstract:In the last decade, the advertisement market spread significantly in the web and mobile app system. Its effectiveness is also due thanks to the possibility to target the advertisement on the specific interests of the actual user, other than on the content of the website hosting the advertisement. In this scenario, became of great value services that collect and hence can provide information about the browsing user, like Facebook and Google. In this paper, we show how to maliciously exploit the Google Targeted Advertising system to infer personal information in Google user profiles. In particular, the attack we consider is external from Google and relies on combining data from Google AdWords with other data collected from a website of the Google Display Network. We validate the effectiveness of our proposed attack, also discussing possible application scenarios. The result of our research shows a significant practical privacy issue behind such type of targeted advertising service, and call for further investigation and the design of more privacy-aware solutions, possibly without impeding the current business model involved in online advertisement.

Marija Jegorova,Chaitanya Kaul,Charlie Mayor,Alison Q. O'Neil,Alexander Weir,Roderick Murray-Smith,Sotirios A. Tsaftaris

DOI: https://doi.org/10.48550/arXiv.2107.01614

2022-09-09

Abstract:Leakage of data from publicly available Machine Learning (ML) models is an area of growing significance as commercial and government applications of ML can draw on multiple sources of data, potentially including users' and clients' sensitive data. We provide a comprehensive survey of contemporary advances on several fronts, covering involuntary data leakage which is natural to ML models, potential malevolent leakage which is caused by privacy attacks, and currently available defence mechanisms. We focus on inference-time leakage, as the most likely scenario for publicly available models. We first discuss what leakage is in the context of different data, tasks, and model architectures. We then propose a taxonomy across involuntary and malevolent leakage, available defences, followed by the currently available assessment metrics and applications. We conclude with outstanding challenges and open questions, outlining some promising directions for future research.

Machine Learning

Midas Nouwens,Ilaria Liccardi,Michael Veale,David Karger,Lalana Kagal

DOI: https://doi.org/10.1145/3313831.3376321

2020-04-21

Abstract:New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet our minimal requirements based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.

Arpit Jain,Mala Kamboj,Arushi Goyal

DOI: https://doi.org/10.55041/ijsrem36265

2024-07-04

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:In the rapidly evolving digital marketing landscape, Google Tag Manager (GTM) plays a pivotal role in streamlining tag management, enhancing data tracking, and optimizing marketing strategies. This whitepaper explores the transformative potential of integrating Generative AI with GTM, aiming to address the current challenges faced in tag management and harness AI's capabilities to drive innovation and efficiency. Generative AI, with its advanced capabilities in data analysis, automation, and personalization, offers significant enhancements to GTM strategies. This whitepaper delves into how AI can automate tag generation, optimize tag performance through predictive analytics, and enable dynamic adjustments based on real-time user data. It also explores the impact of AI on content personalization, improving user engagement, and driving higher conversion rates. Through detailed case studies, the paper illustrates the practical applications of AI in GTM, showcasing how companies have successfully implemented AI-driven solutions to automate tag management, enhance performance analysis, and personalize user experiences. Each case study highlights the specific AI tools used, the challenges addressed, and the measurable outcomes achieved. The whitepaper further provides a practical implementation guide, outlining the steps for integrating AI with GTM, best practices for leveraging AI to enhance tag management strategies, and recommendations for selecting suitable AI tools. It also addresses the critical aspects of security, including compliance with data protection regulations and the ethical implications of AI use. Looking ahead, the whitepaper discusses emerging trends and advancements in AI that are poised to impact GTM strategies, emphasizing the need for marketers to stay abreast of these developments to maintain a competitive edge. In conclusion, this whitepaper underscores the synergy between Generative AI and Google Tag Manager, offering insights into how AI can revolutionize tag management and marketing optimization. It serves as a call to action for marketers to explore and adopt AI-enhanced GTM strategies to drive innovation, improve performance, and ensure security and compliance in their digital marketing efforts.

Célestin Matte,Nataliia Bielova,Cristiana Santos

DOI: https://doi.org/10.48550/arXiv.1911.09964

2020-02-21

Abstract:As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many of such banners are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 22 949 European websites. With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 141 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of violations for regular users and Data Protection Authorities.

Cryptography and Security

Minjun Long,David Evans

2024-05-21

Abstract:While third-party cookies have been a key component of the digital marketing ecosystem for years, they allow users to be tracked across web sites in ways that raise serious privacy concerns. Google has proposed the Privacy Sandbox initiative to enable ad targeting without third-party cookies. While there have been several studies focused on other aspects of this initiative, there has been little analysis to date as to how well the system achieves the intended goal of preventing request linking. This work focuses on analyzing linkage privacy risks for the reporting mechanisms proposed in the Protected Audience (PrAu) proposal (previously known as FLEDGE), which is intended to enable online remarketing without using third-party cookies. We summarize the overall workflow of PrAu and highlight potential privacy risks associated with its proposed design, focusing on scenarios in which adversaries attempt to link requests to different sites to the same user. We show how a realistic adversary would be still able to use the privacy-protected reporting mechanisms to link user requests and conduct mass surveillance, even with correct implementations of all the currently proposed privacy mechanisms.

Cryptography and Security

Nikhil Jha,Martino Trevisan,Marco Mellia,Daniel Fernandez,Rodrigo Irarrazaval

2024-02-29

Abstract:In response to growing concerns about user privacy, legislators have introduced new regulations and laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) that force websites to obtain user consent before activating personal data collection, fundamental to providing targeted advertising. The cornerstone of this consent-seeking process involves the use of Privacy Banners, the technical mechanism to collect users' approval for data collection practices. Consent management platforms (CMPs) have emerged as practical solutions to make it easier for website administrators to properly manage consent, allowing them to outsource the complexities of managing user consent and activating advertising features.

Computers and Society

Evin Jaff,Yuhao Wu,Ning Zhang,Umar Iqbal

2024-08-24

Abstract:LLM app ecosystems are quickly maturing and supporting a wide range of use cases, which requires them to collect excessive user data. Given that the LLM apps are developed by third-parties and that anecdotal evidence suggests LLM platforms currently do not strictly enforce their policies, user data shared with arbitrary third-parties poses a significant privacy risk. In this paper we aim to bring transparency in data practices of LLM apps. As a case study, we study OpenAI's GPT app ecosystem. We develop an LLM-based framework to conduct the static analysis of natural language-based source code of GPTs and their Actions (external services) to characterize their data collection practices. Our findings indicate that Actions collect expansive data about users, including sensitive information prohibited by OpenAI, such as passwords. We find that some Actions, including related to advertising and analytics, are embedded in multiple GPTs, which allow them to track user activities across GPTs. Additionally, co-occurrence of Actions exposes as much as 9.5x more data to them, than it is exposed to individual Actions. Lastly, we develop an LLM-based privacy policy analysis framework to automatically check the consistency of data collection by Actions with disclosures in their privacy policies. Our measurements indicate that the disclosures for most of the collected data types are omitted in privacy policies, with only 5.8% of Actions clearly disclosing their data collection practices.

Cryptography and Security,Artificial Intelligence,Computation and Language,Computers and Society,Machine Learning

Cristiana Santos,Midas Nouwens,Michael Toth,Nataliia Bielova,Vincent Roca

DOI: https://doi.org/10.48550/arXiv.2104.06861

IF: 6.4588

2021-04-14

Human-Computer Interaction

Abstract:Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.

Ryan Amos,Gunes Acar,Eli Lucherini,Mihir Kshirsagar,Arvind Narayanan,Jonathan Mayer

DOI: https://doi.org/10.1145/3442381.3450048

2021-07-21

Abstract:Automated analysis of privacy policies has proved a fruitful research direction, with developments such as automated policy summarization, question answering systems, and compliance detection. Prior research has been limited to analysis of privacy policies from a single point in time or from short spans of time, as researchers did not have access to a large-scale, longitudinal, curated dataset. To address this gap, we developed a crawler that discovers, downloads, and extracts archived privacy policies from the Internet Archive's Wayback Machine. Using the crawler and following a series of validation and quality control steps, we curated a dataset of 1,071,488 English language privacy policies, spanning over two decades and over 130,000 distinct websites. Our analyses of the data paint a troubling picture of the transparency and accessibility of privacy policies. By comparing the occurrence of tracking-related terminology in our dataset to prior web privacy measurements, we find that privacy policies have consistently failed to disclose the presence of common tracking technologies and third parties. We also find that over the last twenty years privacy policies have become even more difficult to read, doubling in length and increasing a full grade in the median reading level. Our data indicate that self-regulation for first-party websites has stagnated, while self-regulation for third parties has increased but is dominated by online advertising trade associations. Finally, we contribute to the literature on privacy regulation by demonstrating the historic impact of the GDPR on privacy policies.

Computers and Society

Dylan Cooper,Taylan Yalcin,Cristina Nistor,Matthew Macrini,Ekin Pehlivan

DOI: https://doi.org/10.2139/ssrn.4012936

2021-01-01

SSRN Electronic Journal

Abstract:Purpose: Privacy considerations have become a topic with increasing interest from academics, industry leaders, and regulators. In response to consumers’ privacy concerns, Google announced in 2020 that Chrome would stop supporting third-party cookies in the near future. At the same time, advertising technology companies are developing alternative solutions for online targeting and consumer privacy controls. In this paper, we explore privacy considerations related to online tracking and targeting methods used for programmatic advertising (i.e., third-party cookies, Privacy Sandbox, Unified ID 2.0) for a variety of stakeholders: consumers, AdTech platforms, advertisers, and publishers.Design/methodology/approach: We analyze the topic of internet user privacy concerns, through a multi-pronged approach: industry conversations to collect information, a comprehensive review of trade publications, and extensive empirical analysis. We use two methods to collect data on consumer preferences for privacy controls: a survey of a representative sample of US consumers and field data from conversations on web-forums created by tech professionals. Findings: Our results suggest that there are four main segments in the US internet user population. The first segment, consisting of 26% of internet users, is driven by a strong preference for relevant ads and includes consumers who accept the premises of both Privacy Sandbox and UID 2.0. The second segment (26%) includes consumers who are ambivalent about both sets of premises. The third segment (34%) is driven by a need for relevant ads and a strong desire to prevent advertisers from aggressively collecting data, with consumers who accept the premises of Privacy Sandbox but reject the premises of UID 2.0. The fourth segment (15% of consumers) rejected both sets of premises about privacy control. Text analysis results suggest that the conversation around UID 2.0 is still nascent. Google Sandbox associations seem nominally positive, with sarcasm being an important factor in the sentiment analysis results. Originality: The value of this paper lies in its multi-method examination of online privacy concerns in light of the recent regulatory legislation (i.e., GDPR and CCPA) and changes for third-party cookies in browsers such as Firefox, Safari, and Chrome. Two alternatives proposed to replace third-party cookies (Privacy Sandbox and Unified ID 2.0) are in the proposal and prototype stage. The elimination of third-party cookies will affect stakeholders, including different types of players in the AdTech industry and internet users. We analyze how two alternative proposals for privacy control align with the interests of several stakeholders.

Reuben Binns,Ulrik Lyngs,Max Van Kleek,Jun Zhao,Timothy Libert,Nigel Shadbolt

DOI: https://doi.org/10.1145/3201064.3201089

2018-10-18

Abstract:Third party tracking allows companies to identify users and track their behaviour across multiple digital services. This paper presents an empirical study of the prevalence of third-party trackers on 959,000 apps from the US and UK Google Play stores. We find that most apps contain third party tracking, and the distribution of trackers is long-tailed with several highly dominant trackers accounting for a large portion of the coverage. The extent of tracking also differs between categories of apps; in particular, news apps and apps targeted at children appear to be amongst the worst in terms of the number of third party trackers associated with them. Third party tracking is also revealed to be a highly trans-national phenomenon, with many trackers operating in jurisdictions outside the EU. Based on these findings, we draw out some significant legal compliance challenges facing the tracking industry.

Computers and Society

Bayrem Kaabachi,Farah Briki,Bogdan Kulynych,Jérémie Despraz,Jean Louis Raisaro

DOI: https://doi.org/10.3233/SHTI240634

2024-08-22

Abstract:Generative machine learning models such as Generative Adversarial Networks (GANs) have been shown to be especially successful in generating realistic synthetic data in image and tabular domains. However, it has been shown that such generative models, as well as the generated synthetic data, can reveal information contained in their privacy-sensitive training data, and therefore must be carefully evaluated before being used. The gold standard method through which such privacy leakage can be estimated is simulating membership inference attacks (MIAs), in which an attacker attempts to learn whether a given sample was part of the training data of a generative model. The state-of-the art MIAs against generative models, however, rely on strong assumptions (knowledge of the exact training dataset size), or require a lot of computational power (to retrain many "surrogate" generative models), which make them hard to use in practice. In this work, we propose a technique for evaluating privacy risks in GANs which exploits the outputs of the discriminator part of the standard GAN architecture. We evaluate our attacks in terms of performance in two synthetic image generation applications in radiology and ophthalmology, showing that our technique provides a more complete picture of the threats by performing worst-case privacy risk estimation and by identifying attacks with higher precision than the prior work.

Marius Köppel,Jan-Philipp Muttach,Gerrit Hornung

2024-07-04

Abstract:The paper discusses the legal requirements and implications of the processing of information and personal data for advertising purposes, particularly in the light of the "Planet49" decision of the European Court of Justice (ECJ) and the "Cookie Consent II" decision by the German Federal Court (Bundesgerichtshof, BGH). It emphasises that obtaining explicit consent of individuals is necessary for setting cookies. The introduction of the German Telecommunication Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz, TTDSG) has replaced the relevant section of the German Telemedia Act (Telemediengesetz, TMG) and transpose the concept of informed consent for storing and accessing information on terminal equipment, aligning with Article 5(3) ePrivacy Directive. To meet these requirements, companies exploring alternatives to obtaining consent are developing technical mechanisms that rely on a legal basis. Google tested initially "Federated Learning of Cohorts" (FLoC) as part of their "Privacy Sandbox" strategy. This technology was significantly criticized, Google introduced a new project called "Google Topics", which aims to personalize advertising by categorizing users into interest groups, called topics. Implementation of this technology began in July 2023.

Computers and Society

Kinshuk Jerath,Klaus M. Miller

2024-05-29

Abstract:In response to privacy concerns about collecting and using personal data, the online advertising industry has been developing privacy-enhancing technologies (PETs), e.g., under Google's Privacy Sandbox initiative. In this research, we use the dual-privacy framework, which postulates that consumers have intrinsic and instrumental preferences for privacy, to understand consumers' perceived privacy violations (PPVs) for current and proposed online advertising practices. The key idea is that different practices differ in whether individual data leaves the consumer's machine or not and in how they track and target consumers; these affect, respectively, the intrinsic and instrumental components of privacy preferences differently, leading to different PPVs for different practices. We conducted online studies focused on consumers in the United States to elicit PPVs for various advertising practices. Our findings confirm the intuition that tracking and targeting consumers under the industry status quo of behavioral targeting leads to high PPV. New technologies or proposals that ensure that data are kept on the consumer's machine lower PPV relative to behavioral targeting but, importantly, this decrease is small. Furthermore, group-level targeting does not differ significantly from individual-level targeting in reducing PPV. Under contextual targeting, where there is no tracking, PPV is significantly reduced. Interestingly, with respect to PPV, consumers are indifferent between seeing untargeted ads and no ads when they are not being tracked. We find that consumer perceptions of privacy violations under different tracking and targeting practices may differ from what technical definitions suggest. Therefore, rather than relying solely on technical perspectives, a consumer-centric approach to privacy is needed, based on, for instance, the dual-privacy framework.

General Economics

Yohan Beugin,Patrick McDaniel

2023-09-09

Abstract:Today, targeted online advertising relies on unique identifiers assigned to users through third-party cookies--a practice at odds with user privacy. While the web and advertising communities have proposed solutions that we refer to as interest-disclosing mechanisms, including Google's Topics API, an independent analysis of these proposals in realistic scenarios has yet to be performed. In this paper, we attempt to validate the privacy (i.e., preventing unique identification) and utility (i.e., enabling ad targeting) claims of Google's Topics proposal in the context of realistic user behavior. Through new statistical models of the distribution of user behaviors and resulting targeting topics, we analyze the capabilities of malicious advertisers observing users over time and colluding with other third parties. Our analysis shows that even in the best case, individual users' identification across sites is possible, as 0.4% of the 250k users we simulate are re-identified. These guarantees weaken further over time and when advertisers collude: 57% of users with stable interests are uniquely re-identified when their browsing activity has been observed for 15 epochs, increasing to 75% after 30 epochs. While measuring that the Topics API provides moderate utility, we also find that advertisers and publishers can abuse the Topics API to potentially assign unique identifiers to users, defeating the desired privacy guarantees. As a result, the inherent diversity of users' interests on the web is directly at odds with the privacy objectives of interest-disclosing mechanisms; we discuss how any replacement of third-party cookies may have to seek other avenues to achieve privacy for the web.

Cryptography and Security

Shidong Pan,Dawen Zhang,Mark Staples,Zhenchang Xing,Jieshan Chen,Xiwei Xu,James Hoang

2023-09-23

Abstract:Privacy regulations protect and promote the privacy of individuals by requiring mobile apps to provide a privacy policy that explains what personal information is collected and how these apps process this information. However, developers often do not have sufficient legal knowledge to create such privacy policies. Online Automated Privacy Policy Generators (APPGs) can create privacy policies, but their quality and other characteristics can vary. In this paper, we conduct the first large-scale empirical study and comprehensive assessment of APPGs for mobile apps. Specifically, we scrutinize 10 APPGs on multiple dimensions. We further perform the market penetration analysis by collecting 46,472 Android app privacy policies from Google Play, discovering that nearly 20.1% of privacy policies could be generated by existing APPGs. Lastly, we point out that generated policies in our study do not fully comply with GDPR, CCPA, or LGPD. In summary, app developers must carefully select and use the appropriate APPGs with careful consideration to avoid potential pitfalls.

Software Engineering,Cryptography and Security

Tobias Urban,Dennis Tatang,Martin Degeling,Thorsten Holz,Norbert Pohlmann

DOI: https://doi.org/10.1145/3320269.3372194

2018-11-21

Abstract:The European General Data Protection Regulation (GDPR), which went into effect in May 2018, leads to important changes in this area: companies are now required to ask for users' consent before collecting and sharing personal data and by law users now have the right to gain access to the personal information collected about them. In this paper, we study and evaluate the effect of the GDPR on the online advertising ecosystem. In a first step, we measure the impact of the legislation on the connections (regarding cookie syncing) between third-parties and show that the general structure how the entities are arranged is not affected by the GDPR. However, we find that the new regulation has a statistically significant impact on the number of connections, which shrinks by around 40%. Furthermore, we analyze the right to data portability by evaluating the subject access right process of popular companies in this ecosystem and observe differences between the processes implemented by the companies and how they interpret the new legislation. We exercised our right of access under GDPR with 36 companies that had tracked us online. Although 32 companies (89%) we inquired replied within the period defined by law, only 21 (58%) finished the process by the deadline set in the GDPR. Our work has implications regarding the implementation of privacy law as well as what online tracking companies should do to be more compliant with the new regulation.

Cryptography and Security

Amirhossein Aleyasen,Oleksii Starov,Alyssa Phung Au,Allan Schiffman,Jeff Shrager

DOI: https://doi.org/10.48550/arXiv.1507.00790

2015-08-12

Abstract:In addition to visiting high profile sites such as Facebook and Google, web users often visit more modest sites, such as those operated by bloggers, or by local organizations such as schools. Such sites, which we call "Just Plain Sites" (JPSs) are likely to inadvertently represent greater privacy risks than high profile sites by virtue of being unable to afford privacy expertise. To assess the prevalence of the privacy risks to which JPSs may inadvertently be exposing their visitors, we analyzed a number of easily observed privacy practices of such sites. We found that many JPSs collect a great deal of information from their visitors, share a great deal of information about their visitors with third parties, permit a great deal of tracking of their visitors, and use deprecated or unsafe security practices. Our goal in this work is not to scold JPS operators, but to raise awareness of these facts among both JPS operators and visitors, possibly encouraging the operators of such sites to take greater care in their implementations, and visitors to take greater care in how, when, and what they share.

Computers and Society