Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

Sowmyan Jegatheesan

DOI: https://doi.org/10.48550/arXiv.1305.2306

2013-05-10

Abstract:Privacy has been a major concern for everybody over the internet. Governments across the globe have given their views on how the internet space can be managed effectively so that there is some control on the flow of confidential information and privacy to users and as well as to data is achieved. Taking advantage of the lack of one unified body that could govern the online space with its strict and stringent rules certain websites use the text files called cookies in collecting data from users and using them for marketing them in advertisements networks and third party websites with the help of JavaScript and flash technologies. Even before many of us think what is happening around us in the online usage we are being invaded by the cookies and are targeted with their specific information that could tempt us to buy a product or service to which we were longing for in the recent past. Though it may be argued its a kind of marketing strategy to give the customer what he wants but it can no way be something like the user is just being targeted because he has already shown interest in something and he should be disturbed until he gets hold of something. Its purely a security breach as most of the websites dont ask permission for the usage of cookies and setting them into the users browser and the most important thing is no privacy statement is issued that the information is used for targeted marketing. This analysis paper has views from different sources, an example of such an activity that is a potential security breach and various other information of what these sites do to use the deadly cookies for commercial tricks.

Computers and Society,Cryptography and Security

Holger M. Kienle,Hausi A. Müller,Hausi A. Muller

DOI: https://doi.org/10.1109/wse.2008.4655400

2008-10-01

Abstract:In this paper we argue that policies are an increasing concern for organizations that are operating a web site. Examples of policies that are relevant in the domain of the web address issues such as privacy of personal data, accessibility for the disabled, user conduct, e-commerce, and intellectual property. Web site policies—and the overarching concept of web site governance—are cross-cutting concerns that have to be addressed and implemented at different levels (e.g., policy documents, legal statements, business processes, contracts, auditing, and software systems). For web sites, policies are also reflected in the legal statements that the web site posts, and in the behavior and features that the web site offers to its users. Both policies and software tend to evolve independently, but at the same time they both have to be kept in sync. This is a practical challenge for operators of web sites that is poorly addressed right now and is, we believe, a promising avenue for future research. In this paper, we discuss various challenges that policy poses for web sites with an emphasis on privacy and data protection and identify open issues for future research.

Dylan A. Cooper,Taylan Yalcin,Cristina Nistor,Matthew Macrini,Ekin Pehlivan

DOI: https://doi.org/10.1108/jcm-04-2021-4577

2022-01-26

Journal of Consumer Marketing

Abstract:Purpose Privacy considerations have become a topic with increasing interest from academics, industry leaders and regulators. In response to consumers’ privacy concerns, Google announced in 2020 that Chrome would stop supporting third-party cookies in the near future. At the same time, advertising technology companies are developing alternative solutions for online targeting and consumer privacy controls. This paper aims to explore privacy considerations related to online tracking and targeting methods used for programmatic advertising (i.e. third-party cookies, Privacy Sandbox, Unified ID 2.0) for a variety of stakeholders: consumers, AdTech platforms, advertisers and publishers. Design/methodology/approach This study analyzes the topic of internet user privacy concerns, through a multi-pronged approach: industry conversations to collect information, a comprehensive review of trade publications and extensive empirical analysis. This study uses two methods to collect data on consumer preferences for privacy controls: a survey of a representative sample of US consumers and field data from conversations on web-forums created by tech professionals. Findings The results suggest that there are four main segments in the US internet user population. The first segment, consisting of 26% of internet users, is driven by a strong preference for relevant ads and includes consumers who accept the premises of both Privacy Sandbox and Unified ID (UID) 2.0. The second segment (26%) includes consumers who are ambivalent about both sets of premises. The third segment (34%) is driven by a need for relevant ads and a strong desire to prevent advertisers from aggressively collecting data, with consumers who accept the premises of Privacy Sandbox but reject the premises of UID 2.0. The fourth segment (15% of consumers) rejected both sets of premises about privacy control. Text analysis results suggest that the conversation around UID 2.0 is still nascent. Google Sandbox associations seem nominally positive, with sarcasm being an important factor in the sentiment analysis results. Originality/value The value of this paper lies in its multi-method examination of online privacy concerns in light of the recent regulatory legislation (i.e. General Data Protection Regulation and California Consumer Privacy Act) and changes for third-party cookies in browsers such as Firefox, Safari and Chrome. Two alternatives proposed to replace third-party cookies (Privacy Sandbox and Unified ID 2.0) are in the proposal and prototype stage. The elimination of third-party cookies will affect stakeholders, including different types of players in the AdTech industry and internet users. This paper analyzes how two alternative proposals for privacy control align with the interests of several stakeholders.

Ignacio Cofone

DOI: https://doi.org/10.2139/ssrn.2541215

2014-01-01

SSRN Electronic Journal

Abstract:Limitations on online tracking are object of a regulatory debate that has shifted to the use of default rules to enhance privacy. The European Union implemented this idea with the Cookies Directive. The Directive aims to change the default system for tracking and move to an opt-in system in which data subjects must agree to it beforehand. This article evaluates the Directive’s implementation across Member States and studies the cases of the Netherlands and the UK. It then draws from the behavioural economics literature on default rules to evaluate these regulations and to consider whether it is possible to implement the policy in a way that avoids some of the problems they faced.

Rishabh Khandelwal,Asmit Nayak,Hamza Harkous,Kassem Fawaz

DOI: https://doi.org/10.48550/arXiv.2204.04221

2022-04-15

Abstract:Online websites use cookie notices to elicit consent from the users, as required by recent privacy regulations like the GDPR and the CCPA. Prior work has shown that these notices use dark patterns to manipulate users into making website-friendly choices which put users' privacy at risk. In this work, we develop CookieEnforcer, a new system for automatically discovering cookie notices and deciding on the options that result in disabling all non-essential cookies. In order to achieve this, we first build an automatic cookie notice detector that utilizes the rendering pattern of the HTML elements to identify the cookie notices. Next, CookieEnforcer analyzes the cookie notices and predicts the set of actions required to disable all unnecessary cookies. This is done by modeling the problem as a sequence-to-sequence task, where the input is a machine-readable cookie notice and the output is the set of clicks to make. We demonstrate the efficacy of CookieEnforcer via an end-to-end accuracy evaluation, showing that it can generate the required steps in 91% of the cases. Via a user study, we show that CookieEnforcer can significantly reduce the user effort. Finally, we use our system to perform several measurements on the top 5k websites from the Tranco list (as accessed from the US and the UK), drawing comparisons and observations at scale.

Cryptography and Security

Ali Rasaii,Shivani Singh,Devashish Gosain,Oliver Gasser

DOI: https://doi.org/10.48550/arXiv.2302.05353

2023-02-11

Abstract:Web cookies have been the subject of many research studies over the last few years. However, most existing research does not consider multiple crucial perspectives that can influence the cookie landscape, such as the client's location, the impact of cookie banner interaction, and from which operating system a website is being visited. In this paper, we conduct a comprehensive measurement study to analyze the cookie landscape for Tranco top-10k websites from different geographic locations and analyze multiple different perspectives. One important factor which influences cookies is the use of cookie banners. We develop a tool, BannerClick, to automatically detect, accept, and reject cookie banners with an accuracy of 99%, 97%, and 87%, respectively. We find banners to be 56% more prevalent when visiting websites from within the EU region. Moreover, we analyze the effect of banner interaction on different types of cookies (i.e., first-party, third-party, and tracking). For instance, we observe that websites send, on average, 5.5x more third-party cookies after clicking ``accept'', underlining that it is critical to interact with banners when performing Web measurements. Additionally, we analyze statistical consistency, evaluate the widespread deployment of consent management platforms, compare landing to inner pages, and assess the impact of visiting a website on a desktop compared to a mobile phone. Our study highlights that all of these factors substantially impact the cookie landscape, and thus a multi-perspective approach should be taken when performing Web measurement studies.

Networking and Internet Architecture

David Wright,Serge Gutwirth,Michael Friedewald,Paul De Hert,Marc Langheinrich,Anna Moscibroda

DOI: https://doi.org/10.1016/j.clsr.2008.11.004

2009-01-01

Abstract:The authors contend that the emerging ubiquitous Information Society (aka ambient intelligence, pervasive computing, ubiquitous networking and so on) will raise many privacy and trust issues that are context dependent. These issues will pose many challenges for policy-makers and stakeholders because people's notions of privacy and trust are different and shifting. People's attitudes towards privacy and protecting their personal data can vary significantly according to differing circumstances. In addition, notions of privacy and trust are changing over time. The authors provide numerous examples of the challenges facing policy-makers and identify some possible responses, but they see a need for improvements in the policy-making process in order to deal more effectively with varying contexts. They also identify some useful policy-making tools. They conclude that the broad brush policies of the past are not likely to be adequate to deal with the new challenges and that we are probably entering an era that will require development of “micro-policies”. While the new technologies will pose many challenges, perhaps the biggest challenge of all will be to ensure coherence of these micro-policies.

law

Martino Trevisan,Stefano Traverso,Eleonora Bassi,Marco Mellia

DOI: https://doi.org/10.2478/popets-2019-0023

2019-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Personalized advertisement has changed the web. It lets websites monetize the content they offer. The downside is the continuous collection of personal information with significant threats to personal privacy. In 2002, the European Union (EU) introduced a first set of regulations on the use of online tracking technologies. It aimed, among other things, to make online tracking mechanisms explicit to increase privacy awareness among users. Amended in 2009, the EU Directive mandates websites to ask for informed consent before using any kind of profiling technology, e.g., cookies. Since 2013, the ePrivacy Directive became mandatory, and each EU Member State transposed it in national legislation. Since then, most of European websites embed a “Cookie Bar”, the most visible effect of the regulation. In this paper, we run a large-scale measurement campaign to check the current implementation status of the EU cookie directive. For this, we use CookieCheck, a simple tool to automatically verify legislation violations. Results depict a shady picture: 49 % of websites do not respect the Directive and install profiling cookies before any user’s consent is given. Beside presenting a detailed picture, this paper casts lights on the difficulty of legislator attempts to regulate the troubled marriage between ad-supported web services and their users. In this picture, online privacy seems to be continuously at stake, and it is hard to reach transparency.

Jukka Ruohonen,Ville Leppänen

DOI: https://doi.org/10.1109/EISIC.2017.25

2018-01-24

Abstract:Web cookies are ubiquitously used to track and profile the behavior of users. Although there is a solid empirical foundation for understanding the use of cookies in the global world wide web, thus far, limited attention has been devoted for country-specific and company-level analysis of cookies. To patch this limitation in the literature, this paper investigates persistent third-party cookies used in the Finnish web. The exploratory results reveal some similarities and interesting differences between the Finnish and the global web---in particular, popular Finnish web sites are mostly owned by media companies, which have established their distinct partnerships with online advertisement companies. The results reported can be also reflected against current and future privacy regulation in the European Union.

Cryptography and Security,Computers and Society,Networking and Internet Architecture

Cristiana Santos,Arianna Rossi,Lorena Sánchez Chamorro,Kerstin Bongard-Blanchy,Ruba Abu-Salma

DOI: https://doi.org/10.1145/3463676.3485611

2021-10-07

Abstract:A cookie banner pops up when a user visits a website for the first time, requesting consent to the use of cookies and other trackers for a variety of purposes. Unlike prior work that has focused on evaluating the user interface (UI) design of cookie banners, this paper presents an in-depth analysis of what cookie banners say to users to get their consent. We took an interdisciplinary approach to determining what cookie banners should say. Following the legal requirements of the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR), we manually annotated around 400 cookie banners presented on the most popular English-speaking websites visited by users residing in the EU. We focused on analyzing the purposes of cookie banners and how these purposes were expressed (e.g., any misleading or vague language, any use of jargon). We found that 89% of cookie banners violated applicable laws. In particular, 61% of banners violated the purpose specificity requirement by mentioning vague purposes, including "user experience enhancement". Further, 30% of banners used positive framing, breaching the freely given and informed consent requirements. Based on these findings, we provide recommendations that regulators can find useful. We also describe future research directions.

Human-Computer Interaction

Georgios Kampanos,Siamak F. Shahandashti

DOI: https://doi.org/10.48550/arXiv.2104.05750

2021-04-13

Abstract:Cookie banners are devices implemented by websites to allow users to manage their privacy settings with respect to the use of cookies. They are part of a user's daily web browsing experience since legislation in Europe requires websites to show such notices. In this paper, we carry out a large-scale study of more than 17,000 websites including more than 7,500 cookie banners in Greece and the UK to determine compliance and tracking transparency levels. Our analysis shows that although more than 60% of websites store third-party cookies in both countries, only less than 50% show a cookie notice and hence a substantial proportion do not comply with the law even at the very basic level. We find only a small proportion of the surveyed websites providing a direct opt-out option, with an overwhelming majority either nudging users towards privacy-intrusive choices or making cookie rejection much harder than consent. Our results differ significantly in some cases from previous smaller-scale studies and hence underline the importance of large-scale studies for a better understanding of the big picture in cookie practices.

Cryptography and Security

Dawen Zhang,Boming Xia,Yue Liu,Xiwei Xu,Thong Hoang,Zhenchang Xing,Mark Staples,Qinghua Lu,Liming Zhu

DOI: https://doi.org/10.48550/arXiv.2310.07915

2023-10-11

Networking and Internet Architecture

Abstract:The World Wide Web, a ubiquitous source of information, serves as a primary resource for countless individuals, amassing a vast amount of data from global internet users. However, this online data, when scraped, indexed, and utilized for activities like web crawling, search engine indexing, and, notably, AI model training, often diverges from the original intent of its contributors. The ascent of Generative AI has accentuated concerns surrounding data privacy and copyright infringement. Regrettably, the web's current framework falls short in facilitating pivotal actions like consent withdrawal or data copyright claims. While some companies offer voluntary measures, such as crawler access restrictions, these often remain inaccessible to individual users. To empower online users to exercise their rights and enable companies to adhere to regulations, this paper introduces a user-controlled consent tagging framework for online data. It leverages the extensibility of HTTP and HTML in conjunction with the decentralized nature of distributed ledger technology. With this framework, users have the ability to tag their online data at the time of transmission, and subsequently, they can track and request the withdrawal of consent for their data from the data holders. A proof-of-concept system is implemented, demonstrating the feasibility of the framework. This work holds significant potential for contributing to the reinforcement of user consent, privacy, and copyright on the modern internet and lays the groundwork for future insights into creating a more responsible and user-centric web ecosystem.

Nivedita Singh,Yejin Do,Yongsang Yu. Imane Fouad,Jungrae Kim,Hyoungshick Kim

2024-01-11

Abstract:Despite stringent data protection regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other country-specific regulations, many websites continue to use cookies to track user activities. Recent studies have revealed several data protection violations, resulting in significant penalties, especially for multinational corporations. Motivated by the question of why these data protection violations continue to occur despite strong data protection regulations, we examined 360 popular e-commerce websites in multiple countries to analyze whether they comply with regulations to protect user privacy from a cookie perspective.

Computers and Society

Istemi Ekin Akkus,Nicholas Weaver

DOI: https://doi.org/10.48550/arXiv.1506.04107

2015-06-13

Abstract:The privacy implications of third-party tracking is a well-studied problem. Recent research has shown that besides data aggregators and behavioral advertisers, online social networks also act as trackers via social widgets. Existing cookie policies are not enough to solve these problems, pushing users to employ blacklist-based browser extensions to prevent such tracking. Unfortunately, such approaches require maintaining and distributing blacklists, which are often too general and adversely affect non-tracking services for advertisements and analytics. In this paper, we propose and advocate for a general third-party cookie policy that prevents third-party tracking with cookies and preserves the functionality of social widgets without requiring a blacklist and adversely affecting non-tracking services. We implemented a proof-of-concept of our policy as browser extensions for Mozilla Firefox and Google Chrome. To date, our extensions have been downloaded about 11.8K times and have over 2.8K daily users combined.

Cryptography and Security,Computers and Society

Cristiana Santos,Nataliia Bielova,Célestin Matte

DOI: https://doi.org/10.48550/arXiv.1912.07144

2019-12-16

Cryptography and Security

Abstract:In this work, we analyze the legal requirements on how cookie banners are supposed to be implemented to be fully compliant with the e-Privacy Directive and the General Data Protection Regulation. Our contribution resides in the definition of seventeen operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is technically feasible. The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners design of websites. For each requirement, we exemplify with compliant and non-compliant cookie banners. As an outcome of a technical assessment, we verify per requirement if technical (with computer science tools) or manual (with any human operator) verification is needed to assess compliance of consent and we also show which requirements are impossible to verify with certainty in the current architecture of the Web. For example, we explain how the requirement for revocable consent could be implemented in practice: when consent is revoked, the publisher should delete the consent cookie and communicate the withdrawal to all third parties who have previously received consent. With this approach we aim to support practically-minded parties (compliance officers, regulators, researchers, and computer scientists) to assess compliance and detect violations in cookie banner design and implementation, specially under the current revision of the European Union e-Privacy framework.

Victor Morel,Cristiana Santos,Yvonne Lintao,Soheil Human

DOI: https://doi.org/10.48550/arXiv.2209.09946

2022-09-20

Computers and Society

Abstract:Most websites offer their content for free, though this gratuity often comes with a counterpart: personal data is collected to finance these websites by resorting, mostly, to tracking and thus targeted advertising. Cookie walls and paywalls, used to retrieve consent, recently generated interest from EU DPAs and seemed to have grown in popularity. However, they have been overlooked by scholars. We present in this paper 1) the results of an exploratory study conducted on 2800 Central European websites to measure the presence and practices of cookie paywalls, and 2) a framing of their lawfulness amidst the variety of legal decisions and guidelines.

Marija Schufrin,Steven Lamarr Reynolds,Arjan Kuijper,Jorn Kohlhammer

DOI: https://doi.org/10.1109/tvcg.2020.3028946

IF: 5.2

2021-02-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Online services are used for all kinds of activities, like news, entertainment, publishing content or connecting with others. But information technology enables new threats to privacy by means of global mass surveillance, vast databases and fast distribution networks. Current news are full of misuses and data leakages. In most cases, users are powerless in such situations and develop an attitude of neglect for their online behaviour. On the other hand, the GDPR (General Data Protection Regulation) gives users the right to request a copy of all their personal data stored by a particular service, but the received data is hard to understand or analyze by the common internet user. This paper presents TransparencyVis - a web-based interface to support the visual and interactive exploration of data exports from different online services. With this approach, we aim at increasing the awareness of personal data stored by such online services and the effects of online behaviour. This design study provides an online accessible prototype and a best practice to unify data exports from different sources.

computer science, software engineering

Dirk Beerbaum,Julia Margarete Puaschunder

DOI: https://doi.org/10.4018/978-1-5225-8003-4.ch006

2019-01-01

Abstract:Technological improvement in the age of information has increased the possibilities to control the innocent social media users or penalize private investors and reap the benefits of their existence in hidden persuasion and discrimination. This chapter takes as a case the transparency technology XBRL (eXtensible Business Reporting Language), which should make data more accessible as well as usable for private investors. Considering theoretical literature and field research, a representation issue for principles-based accounting taxonomies exists, which intelligent machines applying artificial intelligence (AI) nudge to facilitate decision usefulness. This chapter conceptualizes ethical questions arising from the taxonomy engineering based on machine learning systems and advocates for a democratization of information, education, and transparency about nudges and coding rules.