Open access
Date
2022
Type
- Conference Paper
ETH Bibliography
yes
Altmetrics
Abstract
The European Union’s General Data Protection Regulation (GDPR) requires websites to inform users about personal data collection and request consent for cookies. Yet the majority of websites do not give users any choices, and others attempt to deceive them into accepting all cookies. We document the severity of this situation through an analysis of potential GDPR violations in cookie banners in almost 30k websites. We identify six novel violation types, such as incorrect category assignments and misleading expiration times, and we find at least one potential violation in a surprising 94.7% of the analyzed websites.
We address this issue by giving users the power to protect their privacy. We develop a browser extension, called CookieBlock, that uses machine learning to enforce GDPR cookie consent at the client. It automatically categorizes cookies by usage purpose using only the information provided in the cookie itself. At a mean validation accuracy of 84.4%, our model attains a prediction quality competitive with expert knowledge in the field. Additionally, our approach differs from prior work by not relying on the cooperation of websites themselves. We empirically evaluate CookieBlock on a set of 100 randomly sampled websites, on which it filters roughly 90% of the privacy-invasive cookies without significantly impairing website functionality.
Permanent link
https://doi.org/10.3929/ethz-b-000525815
Publication status
published
Book title
Proceedings of the 31st USENIX Security Symposium
Pages / Article No.
Publisher
USENIX Association
Event
Organisational unit
02660 - Institut für Informationssicherheit / Institute of Information Security
03634 - Basin, David / Basin, David
Related publications and datasets