Home // SnT // News & E... // Law and Technology: How to Police the Privacy Beat

Law and Technology: How to Police the Privacy Beat

twitter linkedin facebook google+ email this page
Published on Friday, 05 April 2019

“Most websites and web services, including Google's, don't change their behaviour when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them." That’s how Google Chrome concludes the FAQ page on its Do Not Track privacy feature. In the box below that, you’ll find the instructions for activating the setting, just in case you still care.

The “Do Not Track” experiment, begun in 2009, is a voluntary system to allow users to request websites not to collect data on their online activities. Although most browsers offer the feature, the scheme ultimately fell apart. It was never backed with the force of law and for many websites and third-party trackers, the advantages of collecting user data far outweighed the benefits of complying with polite “Do Not Track” requests.

The irresistible lure of collecting increasingly invasive user data has led the European Union to pass a regulation with teeth: the General Data Protection Regulation (GDPR). This has made clear that privacy violations are a crime, just like any other. But it also presents a new problem: we now need to develop new methods and standards for policing this brand new beat in the world of cybercrime. That’s how SnT’s Dr. Marharyta Aleksandrova and Dr. Stefan Schiffner got involved with the H2020-funded SAINT project — an international task-force quantifying the economic cost of cybercrimes. They are developing the understanding and the tools we need to enforce the new law.

Marharyta Aleksandrova, Stefan Schiffner and Wladimir de la Cadena Ramos

Aleksandrova’s research, concluded in 2018, focused on protecting TOR users — such as journalists, whistleblowers and dissidents — who depend on strong anonymity while online. While TOR masks a user’s identity, a third party could take advantage of the differences between website metadata to launch a “fingerprinting” attack, undermining TOR’s promised anonymity. To empower users, Aleksandrova has developed a tool that grades websites based on their susceptibility to this vulnerability. This easy-to-understand privacy score will let users decide if they really want to proceed to any particular website.

Schiffner’s research, on the other hand, is more abstract. He has been working to develop a common framework for concepts outlined in the GDPR, such as “anonymity”, “confidentiality”, and “privacy”, but which aren’t yet well defined; because before we can police violations, we need clear metrics with which to measure them. Laying the groundwork for this, Schiffner has combed through existing privacy research to map concepts and distill definitions. His aim is to formalise the existing expertise in the field of privacy research so that we can determine, for example, what really counts as the “state of the art” protections required by the GDPR. And then, finally, we might be able to really start holding corporations to account.

Read the SAINT project's whitepaper, The Finnish electronic communications regulator TRAFICOM - A cybersecurity reference model for Europe