An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies

Libert, Timothy

doi:10.1145/3178876.3186087

Cited by 70 publications

(92 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For the measurements in the months in between, we used the lists from previous months to download privacy policies. In the majority of cases, we found links to privacy policies in the footer of a website (an approach also used by Libert [25]) or through links in cookie consent notices. When there was no footer or no link to a privacy policy, annotators inspected the site in more detail.…”

Section: B Manual Reviewmentioning

confidence: 99%

We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

Degeling

Utz

Lentzsch

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

158

171

View full text Add to dashboard Cite

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing changes on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites -6,579 in total -for the presence of and updates to their privacy policy between December 2017 and October 2018. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. After May this positive development slowed down noticeably. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 28 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the web became more transparent at the time GDPR came into force, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

show abstract

Section: B Manual Reviewmentioning

confidence: 99%

We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

Degeling

Utz

Lentzsch

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

158

171

View full text Add to dashboard Cite

show abstract

“…Thus, end users are often forced to accept privacyrelevant third party behavior if they want to make use of the apps' functionality [24]. Although their study was focused only on websites and not mobile apps, Libert [26] audited the disclosure of third party data collection practices on 200,000 privacy policies for websites. He found that the names of third parties are usually not explicitly disclosed in website privacy policies.…”

Section: Privacy Surveysmentioning

confidence: 99%

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Zimmeck

Story

Smullen

et al. 2019

Proceedings on Privacy Enhancing Technologies

132

141

View full text Add to dashboard Cite

The app economy is largely reliant on data collection as its primary revenue model. To comply with legal requirements, app developers are often obligated to notify users of their privacy practices in privacy policies. However, prior research has suggested that many developers are not accurately disclosing their apps’ privacy practices. Evaluating discrepancies between apps’ code and privacy policies enables the identification of potential compliance issues. In this study, we introduce the Mobile App Privacy System (MAPS) for conducting an extensive privacy census of Android apps. We designed a pipeline for retrieving and analyzing large app populations based on code analysis and machine learning techniques. In its first application, we conduct a privacy evaluation for a set of 1,035,853 Android apps from the Google Play Store. We find broad evidence of potential non-compliance. Many apps do not have a privacy policy to begin with. Policies that do exist are often silent on the practices performed by apps. For example, 12.1% of apps have at least one location-related potential compliance issue. We hope that our extensive analysis will motivate app stores, government regulators, and app developers to more effectively review apps for potential compliance issues.

show abstract

“…People's control over data, as previously mentioned, is sometimes limited, experts have noted, due to the increased data sharing between different organizations and corporations. The volume of information an individual is required to process, in order to figure out the journey of data collection and sharing is beyond human cognitive abilities; and thus it is questionable whether data sharing could be an informed choice for an individual trying to get people to make informed decisions is really difficult because of the sheer insane fire‐hose volume of information they'd have to pass in order to make – and the cognitive load of making decisions all the time, every day, about things which are trivial until they're not and you don't know what, in advance, what is going to be trivial and what's going to be significant is just – we've basically created a world way outside our biological capability to handle.…”

Section: Results From the Thematic Analysismentioning

confidence: 99%

Challenges in assessing privacy impact: Tales from the front lines

Ferra

Wagner

Boiten

et al. 2019

Security and Privacy

View full text Add to dashboard Cite

Data protection impact assessments (DPIAs) aim to identify, rank, and mitigate privacy risks. Even though DPIAs are legally mandated in some cases and privacy professionals perform DPIAs on a daily basis, facilitating the systematic measurement of privacy risks is an open problem. Research on privacy risk measurement often does not take into account the practical needs and requirements for DPIAs in real organizations. In this article, we fill this gap by reporting on focus groups we held with a diverse group of privacy professionals. Through thematic analysis, we identify three themes that emerged from the focus groups: (a) how privacy in the contemporary society affects privacy risk assessment; (b) current practices and procedures in privacy risk assessment; and (c) common issues and challenges. Based on these themes, we identify future research directions for privacy risk measurement. Our article can help to ground research on privacy risk measurement in practical challenges faced by privacy professionals.

show abstract

An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies

Cited by 70 publications

References 27 publications

We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Challenges in assessing privacy impact: Tales from the front lines

Contact Info

Product

Resources

About