Security and privacy issues arise at nearly every stage of the digitalisation of our society. Examples include the smart home or smart car, which need to be secured against unauthorised access and malicious remote control. Likewise, the right to privacy becomes ever more important as digital technologies are woven into our daily lives: think of maintaining the privacy of our electronic health records to prevent abuse and discrimination, or of browser and device fingerprinting, which turns our every move online into a unique digital footprint.

In this track, we deal with the multidisciplinary challenges around security and privacy in the digital society and discuss current and upcoming problems, as well as mitigation strategies, in order to pave the road for a secure and privacy-preserving future. The track covers (among others) the following topics: (embedded) systems security, software security, physical attacks, privacy enhancing technologies, network security, machine learning in security and privacy, and (applied) cryptography. In addition to this broad coverage, this year's track has a special focus on research valorisation in security and privacy.

Track chairs:
Veelasha Moonsamy (RU)
Andreas Peter (UTwente)

Track committee:
Luca Allodi (TU/e)
Bárbara Vieira (ABN AMRO)
Stefanie Roos (TU Delft)

Track programme

  Wednesday 10 February

10.40 - 11.55

Fighting the dark web

Hugo Bijmans - Analyzing the Dutch phishers: "Don't forget the green lock!"

Thymen Wabeke - Counterfighting Counterfeit: detecting at the .nl ccTLD

Cristiana Santos - Legal requirements for consent banners and dark patterns

14.00 - 14.45

Cyber-physical systems security

Jan Tobias Muehlberg - Trusted Execution and Availability for Mixed-Criticality Embedded Systems

Chenglu Jin - Lightweight Signature Schemes for Cyber-Physical Systems

  Thursday 11 February

10.40 - 11.55

Network security and science communication

Thijs van Ede - FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic

Florian Weber - Post-Quantum WireGuard

Ali Reza Ghavamipour - Privacy-preserving Logistic Regression with Secret Sharing

Jako Jellema - The art of being (un)connected

14.00 - 14.45

Invited speaker

Nataliia Bielova - Detecting online tracking and GDPR violations in Web applications

Bio Nataliia Bielova

Nataliia Bielova is a Research Scientist in the Privatics team at Inria (France), where she started interdisciplinary research combining Computer Science and EU Data Protection Law. Her main research interests are the measurement and detection of, and protection from, Web tracking. She continuously collaborates with researchers in Law to understand how the GDPR and the ePrivacy Regulation can be enforced in Web applications, and with researchers in Design to analyse and detect dark patterns in consent collection mechanisms on the Web.

Nataliia Bielova earned a PhD in Computer Science from the University of Trento (Italy) in 2011. She obtained the interdisciplinary personal project ANR PrivaWeb in 2018, received an Inria PEDR Award for PhD supervision and research in 2017 and a LabEx Postdoctoral Fellowship in 2012. Nataliia Bielova is a recognised member of the emerging interdisciplinary research community of legal scholars and computer scientists working on privacy protection. She is a co-founder of the first Dagstuhl seminar on Online Privacy and Web Transparency in 2017, a co-president of the CNIL-Inria Privacy Protection Award in 2019 and 2020, and a member of the Caspar Bowden PETs Award committee in 2020. Nataliia Bielova has also contributed significantly to privacy education for the general public: she co-authored the Massive Open Online Course on privacy protection that was followed by over 43,000 French-speaking participants in 2018-2020.


Abstract: Detecting online tracking and GDPR violations in Web applications

As millions of users browse the Web on a daily basis, they become producers of data that are continuously collected by numerous companies and agencies. Website owners, however, need to comply with recent EU privacy regulations (such as the GDPR and ePrivacy) and often rely on cookie banners to either inform users or collect their consent to tracking.

In this talk, I will present recent results on detecting Web trackers and analyzing compliance of websites with the GDPR and the ePrivacy Directive. We first develop a tracking detection methodology based on invisible pixels. By analyzing the third-party resource loading on 80K webpages, we uncover hidden collaborations between third parties and find that 68% of websites synchronize harmless first-party cookies with privacy-invasive third-party cookies. We show that filter lists, used in the research community as a de facto approach to detect trackers, miss between 25% and 30% of the cookie-based tracking we detect. Finally, we demonstrate that privacy-protecting browser extensions, such as Ghostery, Disconnect or Privacy Badger, together miss 24% of the tracking requests we detect.

To measure legal compliance of websites, we analyse cookie banners that are implemented by Consent Management Providers (CMPs) who follow IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. We systematically study IAB Europe's TCF and analyze the consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent, and detect such violations by crawling 23K European websites and further analyzing 560 websites that rely on the TCF. As a result, we find violations in 54% of them: 175 (12.3%) websites register positive consent even if the user has not made their choice; 236 (46.5%) websites nudge the users towards accepting consent by pre-selecting options; and 39 (7.7%) websites store a positive consent even if the user has explicitly opted out. Finally, we provide a browser extension, Cookie Glasses, to facilitate manual detection of violations for regular users and Data Protection Authorities.
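The "consent stored behind the user interface" that the abstract refers to is, for TCF v1.1 banners, a base64url-encoded bit string kept in the euconsent cookie. The following script is an added example for this page (not code from the talk, the track or the Cookie Glasses extension): it decodes such a string according to the published TCF v1.1 field layout, then compares the recorded consent with the user action a crawler observed, which is the comparison behind the "positive consent before any choice" and "positive consent after opt-out" findings above. The sample strings are constructed by the small encoder in the script (timestamps zeroed, bit-field vendor encoding) so it runs offline; the function and field names are this example's own.

```python
"""Decode an IAB TCF v1.1 consent string (the euconsent cookie value) and
compare the consent it records with what the user actually did.

Added example for the track page, not code from the talk. The bit layout is
the public TCF v1.1 consent-string format; every sample below is built by
encode_tcf_v1 / pack_bits in this file (constructed data, not crawled)."""
import base64
from dataclasses import dataclass

VERSION = 1
PURPOSES_OFFSET, MAX_VENDOR_OFFSET, ENCODING_OFFSET = 132, 156, 172


def _b64url_decode(s: str) -> bytes:
    # TCF strings are web-safe base64 with the '=' padding stripped.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _field(bits: str, start: int, length: int) -> int:
    if start + length > len(bits):
        raise ValueError("consent string truncated")
    return int(bits[start:start + length], 2)


@dataclass
class Consent:
    cmp_id: int
    consent_screen: int
    language: str
    vendor_list_version: int
    purposes: set          # purpose ids 1..24 with consent
    max_vendor_id: int
    vendors: set           # vendor ids with consent

    def positive(self) -> bool:
        return bool(self.purposes) or bool(self.vendors)


def decode_tcf_v1(consent_string: str) -> Consent:
    bits = "".join(f"{b:08b}" for b in _b64url_decode(consent_string))
    if _field(bits, 0, 6) != VERSION:
        raise ValueError("not a TCF v1.1 consent string")
    # Fixed-width core: version(6) created(36) lastUpdated(36) cmpId(12)
    # cmpVersion(12) consentScreen(6) language(2x6) vendorListVersion(12)
    # purposesAllowed(24) maxVendorId(16) encodingType(1)
    cmp_id = _field(bits, 78, 12)
    screen = _field(bits, 102, 6)
    lang = chr(65 + _field(bits, 108, 6)) + chr(65 + _field(bits, 114, 6))
    vlv = _field(bits, 120, 12)
    purpose_bits = _field(bits, PURPOSES_OFFSET, 24)     # MSB is purpose 1
    purposes = {p for p in range(1, 25) if purpose_bits >> (24 - p) & 1}
    max_vendor = _field(bits, MAX_VENDOR_OFFSET, 16)
    if _field(bits, ENCODING_OFFSET, 1) == 0:
        # Bit-field section: one bit per vendor id 1..maxVendorId
        start = ENCODING_OFFSET + 1
        if start + max_vendor > len(bits):
            raise ValueError("vendor bit field truncated")
        vendors = {v for v in range(1, max_vendor + 1) if bits[start + v - 1] == "1"}
    else:
        # Range section: defaultConsent(1) numEntries(12), then per entry
        # isRange(1) followed by vendorId(16) or startId(16) endId(16).
        # Listed vendors get the opposite of defaultConsent.
        default = _field(bits, 173, 1)
        n, pos, listed = _field(bits, 174, 12), 186, set()
        for _ in range(n):
            is_range, pos = _field(bits, pos, 1) == 1, pos + 1
            lo = _field(bits, pos, 16)
            hi = _field(bits, pos + 16, 16) if is_range else lo
            pos += 32 if is_range else 16
            listed.update(range(lo, hi + 1))
        everyone = set(range(1, max_vendor + 1))
        vendors = everyone - listed if default else listed
    return Consent(cmp_id, screen, lang, vlv, purposes, max_vendor, vendors)


def pack_bits(bits: str) -> str:
    """Zero-pad to a byte boundary and base64url-encode without padding."""
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def encode_tcf_v1(cmp_id, screen, lang, vlv, purposes, max_vendor, vendors) -> str:
    """Bit-field encoded v1.1 string with zeroed timestamps; used only to
    construct samples for this example."""
    purpose_bits = sum(1 << (24 - p) for p in purposes)
    bits = (f"{VERSION:06b}{0:036b}{0:036b}{cmp_id:012b}{1:012b}{screen:06b}"
            f"{ord(lang[0]) - 65:06b}{ord(lang[1]) - 65:06b}{vlv:012b}"
            f"{purpose_bits:024b}{max_vendor:016b}0"
            + "".join("1" if v in vendors else "0" for v in range(1, max_vendor + 1)))
    return pack_bits(bits)


def audit(consent_string: str, user_action: str) -> list:
    """user_action is what the crawler observed before reading the cookie:
    'none' (no interaction yet), 'refuse' (explicit opt-out) or 'accept'."""
    c = decode_tcf_v1(consent_string)
    findings = []
    if user_action == "none" and c.positive():
        findings.append("positive consent registered before any user choice")
    if user_action == "refuse" and c.positive():
        findings.append("positive consent stored after explicit opt-out")
    return findings


# Constructed samples: a CMP that writes full consent on page load, and one
# that correctly stores an empty consent after the user refused.
PRELOAD = encode_tcf_v1(cmp_id=7, screen=1, lang="EN", vlv=150,
                        purposes={1, 2, 3, 4, 5}, max_vendor=10, vendors={1, 2, 3, 9})
REFUSED = encode_tcf_v1(cmp_id=7, screen=1, lang="EN", vlv=150,
                        purposes=set(), max_vendor=10, vendors=set())

if __name__ == "__main__":
    print(PRELOAD, decode_tcf_v1(PRELOAD))
    print(audit(PRELOAD, "none"), audit(REFUSED, "refuse"))
```

The pre-selection finding in the abstract is a property of the banner's user interface rather than of the stored string, so it is not something this decoder can report; the other two findings reduce to "is any purpose or vendor bit set" given the observed user action, which is why `audit` takes that action as input from the crawler.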


