Collateral damage of Facebook third-party applications: a comprehensive study

Third-party applications on Facebook can collect personal data of the users who install them, but also of their friends. This raises serious privacy issues as these friends are not notified by the applications nor by Facebook and they have not given consent. This paper presents a detailed multi-faceted study on the collateral information collection of the applications on Facebook. To investigate the views of the users, we designed a questionnaire and collected the responses of 114 participants. The results show that participants are concerned about the collateral information collection and in particular about the lack of notification and of mechanisms to control the data collection. Based on real data, we compute the likelihood of collateral information collection affecting users: we show that the probability is significant and greater than 80% for popular applications such as TripAdvisor. We also demonstrate that a substantial amount of profile data can be collected by applications, which enables application providers to profile users. To investigate whether collateral information collection is an issue to users’ privacy we analysed the legal framework in light of the General Data Protection Regulation. We provide a detailed analysis of the entities involved and investigate which entity is accountable for the collateral information collection. To provide countermeasures, we propose a privacy dashboard extension that implements privacy scoring computations to enhance transparency toward collateral information collection. Furthermore, we discuss alternative solutions highlighting other countermeasures such as notification and access control mechanisms, cryptographic solutions and application auditing. To the best of our knowledge this is the first work that provides a detailed multi-faceted study of this problem and that analyses the threat of user profiling by application providers

Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels

Web tracking has been extensively studied over the last decade. To detect tracking, previous studies and user tools rely on filter lists. However, it has been shown that filter lists miss trackers. In this paper, we propose an alternative method to detect trackers inspired by analyzing behavior of invisible pixels. By crawling 84,658 webpages from 8,744 domains, we detect that third-party invisible pixels are widely deployed: they are present on more than 94.51% of domains and constitute 35.66% of all third-party images. We propose a fine-grained behavioral classification of tracking based on the analysis of invisible pixels. We use this classification to detect new categories of tracking and uncover new collaborations between domains on the full dataset of 4,216,454 third-party requests. We demonstrate that two popular methods to detect tracking, based on EasyList&EasyPrivacy and on Disconnect lists respectively miss 25.22% and 30.34% of the trackers that we detect. Moreover, we find that if we combine all three lists 379,245 requests originated from 8,744 domains still track users on 68.70% of websites.Comment: This paper has been accepted to PETs 202

Electronic Identity in Europe: Legal challenges and future perspectives (e-ID 2020)

This deliverable presents the work developed by the IPTS eID Team in 2012 on the large-encompassing topic of electronic identity. It is structured in four different parts: 1) eID: Relevance, Le-gal State-of-the-Art and Future Perspectives; 2) Digital Natives and the Analysis of the Emerging Be-havioral Trends Regarding Privacy, Identity and Their Legal Implications; 3) The "prospective" use of social networking services for government eID in Europe; and 4) Facial Recognition, Privacy and Iden-tity in Online Social Networks.JRC.J.3-Information Societ

Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels

International audienceWeb tracking has been extensively studied over the last decade. To detect tracking, previous studies and user tools rely on filter lists. However, it has been shown that filter lists miss trackers. In this paper, we propose an alternative method to detect trackers inspired by analyzing behavior of invisible pixels. By crawling 84,658 webpages from 8,744 domains, we detect that third-party invisible pixels are widely deployed: they are present on more than 94.51% of domains and constitute 35.66% of all third-party images. We propose a fine-grained behavioral classification of tracking based on the analysis of invisible pixels. We use this classification to detect new categories of tracking and uncover new collaborations between domains on the full dataset of 4,216,454 third-party requests. We demonstrate that two popular methods to detect tracking, based on EasyList & EasyPrivacy and on Disconnect lists respectively miss 25.22% and 30.34% of the trackers that we detect. Moreover, we find that if we combine all three lists, 379,245 requests originated from 8,744 domains still track users on 68.70% of websites

Analysis and Design of Privacy-Enhancing Information Sharing Systems

Recent technological advancements have enabled the collection of large amounts of personal data of individuals at an ever-increasing rate. Service providers, organisations and governments can collect or otherwise acquire rich information about individuals’ everyday lives and habits from big data-silos, enabling profiling and micro-targeting such as in political elections. Therefore, it is important to analyse systems that allow the collection and information sharing between users and to design secure and privacy enhancing solutions. This thesis contains two parts. The aim of the first part is to investigate in detail the effects of the collateral information collection of third-party applications on Facebook. The aim of the second part is to analyse in detail the security and privacy issues of car sharing systems and to design a secure and privacy-preserving solution. In the first part, we present a detailed multi-faceted study on the collateral information collection privacy issues of Facebook applications; providers of third-party applications on Facebook exploit the interdependency between users and their friends. The goal is to (i) study the existence of the problem, (ii) investigate whether Facebook users are concerned about the issue, quantify its (iii) likelihood and (iv) impact of collateral information collection affecting users, (v) identify whether collateral information collection is an issue for the protection of the personal data of Facebook users under the legal framework, and (vi) we propose solutions that aim to solve the problem of collateral information collection. In order to investigate the views of the users, we designed a questionnaire and collected the responses of participants. Employing real data from the Facebook third-party applications ecosystem, we compute the likelihood of collateral information collection affecting users and quantify its significance evaluating the amount of attributes collected by such applications. To investigate whether collateral information collection is an issue in terms of users’ privacy we analysed the legal framework in light of the General Data Protection Regulation. To provide countermeasures, we propose a privacy dashboard extension that implements privacy scoring computations to enhance transparency towards collateral information collection

LA NUOVA DISCIPLINA IN MATERIA DI PROTEZIONE DEI DATI PERSONALI

L’incessante evoluzione delle tecnologie e l'accesso sempre più frequente al web hanno comportato maggiori occasioni di esposizione della sfera privata delle persone fisiche, con un notevole incremento dei rischi connessi al trattamento dei relativi dati. È sorta pertanto la necessità di predisporre una più efficace tutela del diritto alla protezione dei dati personali. Dopo un excursus sull’emersione di tale diritto nel quadro dei diritti fondamentali dell’UE, l’elaborato focalizza la recente riforma del sistema europeo di data protection, che mira proprio a dettare un quadro di regole moderne e funzionali alla realtà del mercato digitale. Il regolamento (UE) 2016/679, che abroga e sostituisce la direttiva 95/46/CE, introduce una disciplina armonizzata in tutto il territorio dell’Unione e stabilisce standard più elevati di tutela. Al termine della disamina dei profili più innovativi e discussi del nuovo regime si tenta un bilancio provvisorio dell’impatto del predetto regolamento

Aufwachsen in überwachten Umgebungen

Digital technologies are exerting a growing influence on the lives of children and teenagers: from video monitoring of babies and educational robots in nursery school to AI-powered learning assistants used to guarantee individual success in education. However, issues relating to privacy, surveillance and data protection are seldom reflected on with regard to this sensitive and important social sphere. The majority of these applications generate data which reveal a great deal about the adolescents who use them. This study addresses this subject area. Together with practitioners from the field of education and with the goal of laying the foundations for addressing this issue in both academic and (socio-) political discourse, it depicts interdisciplinary and transdisciplinary exchange that extends beyond disciplines and academic borders. The authors Regina Ammicht Quinn, Jutta Croll, Sephan Dreyer, Michael Freidewald, Elena Frense, Marit Hansen, Asmae Harrach-Lasfaghi, Jessica Heesen, Gerrit Hornung, Andreas Janson, Nicole Krämer-Mertens, Leonie Kreidel, Marco Leimeister, Yannic Meier, Judith Meinert, Maxi Nebel, Carsten Ochs, Dr. Senta Pfaff-Rüdiger, Alexander Roßnagel, Sofia Schöbel, Reinhold Schulze-Tammena, Matthias Söllner, Ingrid Stapf and Prof. Dr. Isabel Zorn.illustratorDigitale Technologien prägen zunehmend Kindheit und Jugend: von der Videoüberwachung im Säuglingsalter über den Lernroboter im Kindergarten bis hin zu den durch Künstliche Intelligenz gesteuerten Lernassistenten für den individuellen Bildungserfolg. Worüber jedoch wenig reflektiert wird, sind Privatheits-, Überwachungs- und Datenschutzfragen in diesem sensiblen und wichtigen gesellschaftlichen Bereich. In den meisten dieser Anwendungen fallen Daten an, die viel über die Heranwachsenden aussagen. Diesem Themenkomplex widmet sich die vorliegende Publikation. Abgebildet wird der inter- und transdisziplinäre Austausch über Disziplinen und Wissenschaftsgrenzen hinaus, gemeinsam mit PraktikerInnen aus der Bildungsarbeit und mit dem Ziel einer Grundlegung im wissenschaftlichen sowie (gesellschafts)-politischen Diskurs. Die Autoren Regina Ammicht Quinn, Jutta Croll, Sephan Dreyer, Michael Freidewald, Elena Frense, Marit Hansen, Asmae Harrach-Lasfaghi, Jessica Heesen, Gerrit Hornung, Andreas Janson, Nicole Krämer-Mertens, Leonie Kreidel, Marco Leimeister, Yannic Meier, Judith Meinert, Maxi Nebel, Carsten Ochs, Dr. Senta Pfaff-Rüdiger, Alexander Roßnagel, Sofia Schöbel, Reinhold Schulze-Tammena, Matthias Söllner, Ingrid Stapf und Prof. Dr. Isabel Zorn