The Web has become an essential part of our lives: billions of people use Web applications on a daily basis and, while doing so, leave digital traces on millions of websites. Such traces allow advertising companies and data brokers to continuously profit from collecting vast amounts of data associated with users. At the same time, users have no control over who is collecting their data and when. Website owners, for their part, include a vast amount of third-party content and scripts, but they do not control whether such content is tracking their users.
To give users more control over their data and hold website owners accountable for the third-party trackers they include, the General Data Protection Regulation (GDPR) and the upcoming EU ePrivacy Regulation are significantly transforming the Web tracking ecosystem. The major legal basis for processing tracking identifiers under GDPR and ePrivacy is user consent (often seen on websites in the form of “cookie banners”), which should give users increasing control over their data. To technically express user consent in Web applications, W3C has proposed Do-Not-Track (DNT). However, several challenges arise around consent requirements and their technical expression: does the proposed framework respect GDPR and ePrivacy? If so, how can consent be technically enforced in existing Web applications without “breaking” them, while at the same time protecting Web users?
PrivaWEB aims to develop new methods for detecting advanced Web tracking technologies and new tools that integrate into existing Web applications and seamlessly protect the privacy of users. In this project, we will integrate three key components into Web applications: privacy, compliance and usability. Our research will address methodological aspects (designing new detection methods and privacy protection mechanisms), practical aspects (large-scale measurement of Web applications, integration into existing Web browsers), and usability aspects (user surveys to evaluate privacy concerns and the usability of existing and new protection tools).
The PrivaWeb project contains three major tasks:
Task 1. Large-scale measurement to detect and classify advanced Web tracking technologies. The biggest challenge compared with previous work is to design fine-grained detection of Web tracking that reveals the main practices of tracking companies at large scale, and to provide a classification of these techniques.
Task 2. Analysis of GDPR and the ePrivacy Regulation to identify when user consent is needed, and whether it is possible to automatically detect Web tracking behavior that falls under a consent exception (for example, the Web audience measurement exception). The next goal is to analyze how legal requirements meet the Web tracking behavior we observe in Task 1, and how to verify and ensure compliance with GDPR and ePrivacy automatically (and to find the limits of when this is possible). Finally, we plan to study the DNT candidate recommendation to understand whether it can be used as a mechanism for user consent under ePrivacy (in case Article 10 is accepted in ePrivacy).
Task 3. Evaluating users’ concerns and the usability of Web tracking protection mechanisms, and devising new-generation tools for protection from advanced Web tracking.