Track: Data protection

Part of:
12:40 PM, Thursday 16 Jul 2020 EDT (1 hour 15 minutes)

Use the red“Join on YouTube”button above to join the livestream. If you cannot see this button, make sure you are logged in (see the upper-right corner of your screen).

Session Chair: Carmela Troncoso

  • SoK: Anatomy of Data Breaches

    Hamza Saleem (University of Southern California) and Muhammad Naveed (University of Southern California)

    Pre-recorded presentation

    SummaryWe systematize the knowledge on data breaches into concise step-by-step breach workflows and use them to describe the breach methods. We present the most plausible workflows for 10 famous data breaches. We use information from a variety of sources to develop our breach workflows, however, we emphasize that for many data breaches, information about crucial steps was absent. We researched such steps to develop complete breach workflows; as such, our workflows pro- vide descriptions of data breaches that were previously unavailable. For generalizability, we present a general workflow of 50 data breaches from 2015. Based on our data breach analysis, we develop requirements that organizations need to meet to thwart data breaches. We describe what requirements are met by existing security technologies and propose future research directions to thwart data breaches.

  • The Privacy Policy Landscape After the GDPR artifact

    Thomas Linden (University of Wisconsin-Madison), Rishabh Khandelwal (University of Wisconsin-Madison), Hamza Harkous (EPFL), and Kassem Fawaz (University of Wisconsin-Madison)

    Pre-recorded presentation

    SummaryThe EU General Data Protection Regulation (GDPR) is one of the most demanding and comprehensive privacy regulations of all time. A year after it went into effect, we study its impact on the landscape of privacy policies online. We conduct the first longitudinal, in-depth, and at-scale assessment of privacy policies before and after the GDPR. We gauge the complete consumption cycle of these policies, from the first user impressions until the compliance assessment. We create a diverse corpus of two sets of 6,278 unique English-language privacy policies from inside and outside the EU, covering their pre-GDPR and the post-GDPR versions. The results of our tests and analyses suggest that the GDPR has been a catalyst for a major overhaul of the privacy policies inside and outside the EU. This overhaul of the policies, manifesting in extensive textual changes, especially for the EU-based websites, comes at mixed benefits to the users. While the privacy policies have become considerably longer, our user study with 470 participants on Amazon MTurk indicates a significant improvement in the visual representation of privacy policies from the users’ perspective for the EU websites. We further develop a new workflow for the automated assessment of requirements in privacy policies. Using this workflow, we show that privacy policies cover more data practices and are more consistent with seven compliance requirements post the GDPR. We also assess how transparent the organizations are with their privacy practices by performing specificity analysis. In this analysis, we find evidence for positive changes triggered by the GDPR, with the specificity level improving on average. Still, we find the landscape of privacy policies to be in a transitional phase; many policies still do not meet several key GDPR requirements or their improved coverage comes with reduced specificity.

  • Mitigator: Privacy policy compliance using trusted hardware artifact

    Miti Mazmudar (University of Waterloo) and Ian Goldberg (University of Waterloo)

    Pre-recorded presentation

    SummaryWe will be presenting Mitigator, a system to enforce compliance of a website’s source code with a privacy policy model. We use trusted hardware platforms to provide a guarantee to an end user that their data is only handled by server-side code that is compliant with the privacy policy. Our work may be of interest to researchers working across a variety of topics: web privacy, trusted hardware platforms, compliance of websites' code to legal requirements, and on improving the transparency of back-end systems.

Who's Attending 

  • 20 anonymous people