Extended Abstract: Analysis of 1000 Arbiter PUF based RFID Tags

In this extended abstract a large-scale analysis of 4- way Arbiter PUFs is performed with measurement results from 1000 RFID tags. Arbiter PUFs are one of the most important building blocks in PUF-based protocols and have been the subject of many papers. However, in the past often only software simulations or a limited number of test chips were available for analysis. Therefore, the goal of this work is to verify earlier findings in regard to the uniqueness and reliability of Arbiter PUFs by using a much larger measurement set. Furthermore, we used machine learning algorithms to approximate and compare the internal delay differences of the employed PUF. One of the main research questions in this paper is to examine if any “outliers” occurred, i.e., if some tags performed considerably different. This might for example happen due to some unusual manufacturing variations or faults. However, our findings are that for all of the analyzed tags the parameters fell within the range of a Gaussian distribution without significant outliers. Hence, our results are indeed in line with the results of prior work

We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.Comment: Published at NDSS 201

Resonant-Tunnelling Diodes as PUF building blocks

Resonant-Tunnelling Diodes (RTDs) have been proposed as building blocks for Physical Unclonable Functions (PUFs). In this paper we show how the unique RTD current-voltage (I-V) spectrum can be translated into a robust digital representation. We analyse 130 devices and show that RTDs are a viable PUF building block

Comparing Large-Scale Privacy and Security Notifications

Over the last decade, web security research has used notification campaigns as a tool to help web operators fix security problems or stop infrastructure abuse. First attempts at applying this approach to privacy issues focused on single services or vendors. Hence, little is known if notifications can also raise awareness and encourage remediation of more complex, vendor-independent violations of privacy legislation at scale, such as informed consent to cookie usage under the EU's ePrivacy Directive or the General Data Protection Regulation's requirement for a privacy policy. It is also unclear how privacy notifications perform and are perceived compared to those about security vulnerabilities. To fill this research gap, we conduct a large-scale, automated email notification study with more than 115K websites we notify about lack of a privacy policy, use of third-party cookies without or before informed consent, and input forms for personal data that do not use HTTPS. We investigate the impact of warnings about fines and compare the results with security notifications to more than 40K domains about openly accessible Git repositories. Based on our measurements and interactions with operators through email and a survey, we find that notifications about privacy issues are not as well received as security notifications. They result in lower fix rates, less incentive to take immediate action, and more negative feedback. Specific reasons include a lack of awareness and knowledge of privacy laws' applicability, difficulties to pinpoint the problem, and limited intrinsic motivation

Fiction Fix 05

https://digitalcommons.unf.edu/fiction_fix/1015/thumbnail.jp

A Tale of Two Regulatory Regimes: Creation and Analysis of a Bilingual Privacy Policy Corpus

Over the past decade, researchers have started to explore the use of NLP to develop tools aimed at helping the public, vendors, and regulators analyze disclosures made in privacy policies. With the introduction of new privacy regulations, the language of privacy policies is also evolving, and disclosures made by the same organization are not always the same in different languages, especially when used to communicate with users who fall under different jurisdictions. This work explores the use of language technologies to capture and analyze these differences at scale. We introduce an annotation scheme designed to capture the nuances of two new landmark privacy regulations, namely the EU\u27s GDPR and California\u27s CCPA/CPRA. We then introduce the first bilingual corpus of mobile app privacy policies consisting of 64 privacy policies in English (292K words) and 91 privacy policies in German (478K words), respectively with manual annotations for 8K and 19K fine-grained data practices. The annotations are used to develop computational methods that can automatically extract “disclosures” from privacy policies. Analysis of a subset of 59 “semi-parallel” policies reveals differences that can be attributed to different regulatory regimes, suggesting that systematic analysis of policies using automated language technologies is indeed a worthwhile endeavor. © European Language Resources Association (ELRA), licensed under CC-BY-NC-4.0

Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites

Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website’s visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors' privacy. We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used

Fiction Fix 06

https://digitalcommons.unf.edu/fiction_fix/1007/thumbnail.jp

Resonant-Tunnelling Diodes as PUF Building Blocks

Resonant-Tunnelling Diodes (RTDs) have been proposed as building blocks for Physical Unclonable Functions (PUFs). In this paper we show how the unique RTD current-voltage (I-V) spectrum can be translated into a robust digital representation. We analyse 130 devices and show that RTDs are a viable PUF building block