5 research outputs found

    We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

    The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet. Comment: Published at NDSS 201

    Tech Policy and Legal Theory Syllabus

    Technology has changed dramatically over the last couple of decades. Currently, virtually all business industries are powered by large quantities of data. The potential as well as actual uses of business data, which oftentimes includes personal user data, raise complex issues of informed consent and data protection. This course will explore many of these complex issues, with the goal of guiding students into thinking about tech policy from a broad ethical perspective as well as preparing students to responsibly conduct themselves in different areas and industries in a world growingly dominated by technology.

    Tracking Third-Party Cookies - an empirical analysis of the current situation

    Through the act of browsing, “users,” or the individuals who participate in internet searches, develop their digital footprint cookies. Essentially, cookies are trackers stored on a user’s computer by a website or application. The trackers collect data that provides users with a more relevant internet experience. While cookies have proven to enhance user experiences on the internet, they also encompass a range of concerns over privacy and user safety. Notably, the way cookies both store and track PII (Personal Identifiable Information) without users’ consent is a significant concern. When users enter a webpage, there is an options box that prompts them to accept or reject cookies. It is unclear how transparent this process actually is, as these sites may still store users’ personal information, even after they have elected to “reject” cookies. Discussion: Therefore, the primary aim of this thesis is to understand how cookies affect the user and determine what kind of technologies or strategies can be implemented to ensure the user has a better network experience while guaranteeing that their information is secure. This will be done by researching existing published research on various aspects of cookies to understand how cookies are typically used. The detail of the methodology is discussed on page 14. Conclusion: Ultimately, it is essential that users know how to utilize cookies sensibly; it is vital to share the user’s cookie policy and protect privacy as much as possible. The main finding was that there was a gap in existing research as no articles tried to discover which 2 main sets of regulations, in the EU or US, was being implemented more successfully. The information required to do this simple analysis, such as the regional location of a site and user, is typically available but was not published in the research material.

    Big Tech and Online Privacy: How does big tech address privacy regulation and online privacy concern?

    Objectives: The main objectives of this study were to explore the methods used by big tech – Amazon, Apple, Facebook, Google and Microsoft – to manage challenges posed by privacy regulation and consumer online privacy concern. The study also aimed to increase the general understanding of how companies manage online privacy concern. Summary: This study approached the problem by analyzing public documents pertaining to the management of online privacy concern by the big tech companies. Various kinds of documents were assessed, with qualitative document analysis as methodology, to gain an understanding of the topic. The documents used included, for example, annual reports by the companies, to understand how the companies approach the issue of regulation and the companies’ websites, to explicate how the companies communicate to their users about issues pertaining to online privacy and concern thereof. Conclusions: The results of this study indicate that big tech companies view privacy regulation both as a risk to be managed and an opportunity to be taken advantage of. While the companies expect negative effect from prevalent and upcoming regulation, the companies are proactively taking steps to affect future regulation. Most of the companies also utilize easily understandable communication towards their customers on issues pertaining to online privacy, which would be expected to reduce online privacy concern, however, more research on the subject is required in the future.

    Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

    In this work, we analyze the legal requirements on how cookie banners are supposed to be implemented to be fully compliant with the e-Privacy Directive and the General Data Protection Regulation. Our contribution resides in the definition of seventeen operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is technically feasible. The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners design of websites. For each requirement, we exemplify with compliant and non-compliant cookie banners. As an outcome of a technical assessment, we verify per requirement if technical (with computer science tools) or manual (with any human operator) verification is needed to assess compliance of consent and we also show which requirements are impossible to verify with certainty in the current architecture of the Web. For example, we explain how the requirement for revocable consent could be implemented in practice: when consent is revoked, the publisher should delete the consent cookie and communicate the withdrawal to all third parties who have previously received consent. With this approach we aim to support practically-minded parties (compliance officers, regulators, researchers, and computer scientists) to assess compliance and detect violations in cookie banner design and implementation, especially under the current revision of the European Union e-Privacy framework. Comment: 75 page