Security & Privacy

Security and Privacy issues arise in nearly all stages in the digitalisation of our society. Examples include the smart home or smart car that need to be secured against unauthorised access or malicious remote control. Consequently, the right to privacy becomes ever more important with the growing integration of digital technologies into our daily lives. For instance, think about maintaining data privacy of our electronic health records to prevent abuse and discrimination or the problem of browser/device fingerprinting and the creation of unique digital footprints with our every move online.

In this track, we deal with the multidisciplinary challenges around security and privacy in the digital society, discuss current and upcoming problems as well as mitigation strategies in order to pave the road for a secure and privacy-preserving future! The track covers (among others) the following topics: (embedded) systems security, software security, physical attacks, privacy enhancing technologies, network security, machine learning in security and privacy, and (applied) cryptography. In addition to the broad coverage of the topics mentioned, this year’s track will have a special focus on research valorization in security and privacy.

Track chairs:
Veelasha Moonsamy (RU)
Andreas Peter (UTwente)

Invited Speakers

Bio Nataliia Bielova
Nataliia Bielova is a Research Scientist at INRIA Sophia Antipolis, where she started an interdisciplinary research in Computer Science and Data Protection Law within an ANR JCJC project PrivaWeb. Her main research interests are measurement, detection and protection from surveillance. She also collaborates with Law researchers to understand how GDPR and ePrivacy Regulation can be enforced in Web applications. Nataliia Bielova chaired the first interdisciplinary Dagstuhl seminar in Online privacy and Web Transparency in 2017 and has been a co-president of the CNIL-Inria Privacy Protection Award in 2019.


Abstract Title: Detecting online tracking and GDPR violations in Web applications
As millions of users browse the Web on a daily basis, they become producers of data that are continuously collected by numerous companies and agencies. Website owners, however, need to become compliant with recent EU privacy regulations (such as GDPR and ePrivacy) and often rely on cookie banners to either inform users or collect their consent to tracking.

In this talk, I will present recent results on detecting Web trackers and analyzing compliance of websites with GDPR and ePrivacy directive. We first develop a tracking detection methodology based on invisible pixels. By analyzing the third-party resource loading on 80K webpages, we uncover hidden collaborations between third parties and find that 68% of websites synchronize harmless firs-party cookies with privacy-invasive third-party cookies. We show that filter lists, used in the research community as a de facto approach to detect trackers, miss between 25% and 30% of cookie-based tracking we detect. Finally, we demonstrate that privacy-protecting browser extensions, such as Ghostery, Disconnect or Privacy Badger together miss 24% of tracking requests we detect.

To measure legal compliance of websites, we analyse cookie banners that are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. We systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 23K European websites, and further analyzing 560 websites that rely on TCF. As a result, we find violations in 54% of them: 175 (12.3%) websites register positive consent even if the user has not made their choice; 236 (46.5%) websites nudge the users towards accepting consent by pre-selecting options; and 39 (7.7%) websites store a positive consent even if the user has explicitly opted out. Finally, we provide a browser extension, Cookie glasses, to facilitate manual detection of violations for regular users and Data Protection Authorities.

Security & Privacy Track Program

10:45 – 11:30 Detecting online tracking and GDPR violations in Web applications Nataliia Bielova (invited speaker) Inria Sophia Antipolis
11:30 – 11:35 short break
11:35 – 11:55 Digging the Dark Web: Unravelling operational security attributes used by hidden service actors Hugo Bijmans TNO
11:55 – 12:05 IRMAseal: encryption for e-mail using IBE and IRMA Wouter Geraedts RU
12:05 – 13:40 Lunch break + posters/demos
13:40 – 14:40 dcypher best cybersecurity research paper award (DCSRP)
14:40 – 14:45 short break
14:45 – 15:05 Counterfighting Counterfeit: detecting and taking down fraudulent webshops at the .nl ccTLD Thymen Wabeke SIDN Labs
15:05 – 15:15 The art of being (un)connected Jako Jellema RUG
15:15 – 15:25 Coffee break
15:25 – 16:10 The Rowhammer Problem: Past, Present, Future Kaveh Razavi (invited speaker) VU Amsterdam
16:10 – 16:15 short break
16:15 – 16:45 Panel on "Valorization in security & privacy" moderated by Andreas Peter (UTwente); Panel members:
Nataliia Bielova (Inria)
Kaveh Razavi (VU)
Jan Piet Barthel (dcypher)
event management
 event management