An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies
A dominant regulatory model for web privacy is "notice and choice". In this
model, users are notified of data collection and provided with options to
control it. To examine the efficacy of this approach, this study presents the
first large-scale audit of disclosure of third-party data collection in website
privacy policies. Data flows on one million websites are analyzed and over
200,000 websites' privacy policies are audited to determine if users are
notified of the names of the companies which collect their data. Policies from
25 prominent third-party data collectors are also examined to provide deeper
insights into the totality of the policy environment. Policies are additionally
audited to determine if the choice expressed by the "Do Not Track" browser
setting is respected.
Third-party data collection is widespread, but fewer than 15% of attributed
data flows are disclosed. The third parties most likely to be disclosed are
those with consumer services users may be aware of; those without consumer
services are less likely to be mentioned. Policies are difficult to understand
and the average time requirement to read both a given site's
policy and the associated third-party policies exceeds 84 minutes. Only 7% of
first-party site policies mention the Do Not Track signal, and the majority of
such mentions are to specify that the signal is ignored. Among third-party
policies examined, none offer unqualified support for the Do Not Track signal.
Findings indicate that current implementations of "notice and choice" fail to
provide notice or respect choice.
Evolution of Ego-networks in Social Media with Link Recommendations
Ego-networks are fundamental structures in social graphs, yet the process of
their evolution is still widely unexplored. In an online context, a key
question is how link recommender systems may skew the growth of these networks,
possibly restraining diversity. To shed light on this matter, we analyze the
complete temporal evolution of 170M ego-networks extracted from Flickr and
Tumblr, comparing links that are created spontaneously with those that have
been algorithmically recommended. We find that the evolution of ego-networks is
bursty, community-driven, and characterized by subsequent phases of explosive
diameter increase, slight shrinking, and stabilization. Recommendations favor
popular and well-connected nodes, limiting the diameter expansion. With a
matching experiment aimed at detecting causal relationships from observational
data, we find that the bias introduced by the recommendations fosters global
diversity in the process of neighbor selection. Last, with two link prediction
experiments, we show how insights from our analysis can be used to improve the
effectiveness of social recommender systems.
Comment: Proceedings of the 10th ACM International Conference on Web Search
and Data Mining (WSDM 2017), Cambridge, UK. 10 pages, 16 figures, 1 table.
Deception Detection in Online Media
The Russian Federation and the European Union, together with other countries, are fighting against fake news on various topics. The effects of disinformation on the British referendum on EU membership, the US election and Catalonia's referendum are broadly studied. The need for automated fact-checking is increasing; the European Commission's Action Plan 8 is evidence of this. In this work, we develop a model for detecting disinformation in Russian-language online media. We use reliable and unreliable sources to compare named entities and verbs extracted using the DeepPavlov library. Our method shows four times greater recall compared to the chosen baseline.
Secure Software Development in the Era of Fluid Multi-party Open Software and Services
Pushed by market forces, software development has become fast-paced. As a
consequence, modern development projects are assembled from 3rd-party
components. Security & privacy assurance techniques once designed for large,
controlled updates over months or years, must now cope with small, continuous
changes taking place within a week, and happening in sub-components that are
controlled by third-party developers one might not even know exist. In
this paper, we aim to provide an overview of the current software security
approaches and evaluate their appropriateness in the face of the changed nature
in software development. Software security assurance could benefit by switching
from a process-based to an artefact-based approach. Further, security
evaluation might need to be more incremental, automated and decentralized. We
believe this can be achieved by supporting mechanisms for lightweight and
scalable screenings that are applicable to the entire population of software
components, albeit there might be a price to pay.
Comment: 7 pages, 1 figure, to be published in Proceedings of the International
Conference on Software Engineering - New Ideas and Emerging Results.
The Security Lottery: Measuring Client-Side Web Security Inconsistencies
To mitigate a myriad of Web attacks, modern browsers support client-side security policies shipped through HTTP response headers. To enforce these defenses, the server needs to communicate them to the client, a seemingly straightforward process. However, users may access the same site in various ways, e.g., using different User-Agents, network access methods, or language settings. All these usage scenarios should enforce the same security policies; otherwise a security lottery would take place: depending on specific client characteristics, different levels of Web application security would be provided to users (inconsistencies). We formalize security guarantees provided through four popular mechanisms and apply this to measure the prevalence of inconsistencies in the security policies of top sites across different client characteristics. Based on our insights, we investigate the security implications of both deterministic and non-deterministic inconsistencies, and show how even prominent services are affected by them.