Online inference with large language models carries serious privacy risks that many users underestimate. Prompts—often containing passwords, emails, private thoughts, medical data, intimate details, and business data—are sent in plain text and processed by third-party servers. These prompts can be seen not only by the major providers but Read More
This may well be one of the greatest strategic and business U-turns of the century: backtracking on a project more than seven years in the making, and an attempt to reshape an entire web ecosystem and its funding model. Google’s recent decision to halt its plans to phase out Read More
A new proposal to reduce the granularity of the Accept-Language header aims to decrease web fingerprinting surface to improve user privacy and reduce risks. Problem Today, when we connect to a website, the browser sends an Accept-Languageheader listing all of our preferred languages — often including specific locales like en-US, fr-CA, Read More
Web browsing history powers helpful features like styling visited links differently, allowing users to see where they've been before. While this usability feature provides navigational benefits, it also introduces a privacy risk. The handling of visited links happened to be a silent backdoor of a kind, allowing malicious Read More
Pseudonymisation is a technical and organisational measure and a data protection measure under the GDPR. It is a risk-reduction measure that minimizes the likelihood and impact of data protection breaches. It allows for controlled re-identification through stored additional information (secret information). Unlike anonymisation, which irreversibly removes the ability to link Read More
The Background Sync API (alternatively, periodic) enables web apps to defer tasks until the user has a stable connection. It may be useful for apps processing data offline. It introduces curious capabilities in web platforms, so it's important to understand the security and privacy footprint. Here I explore Read More
Are risks related to the processing of personal data, as referenced in the GDPR, fixed and exhaustive? They are not. The regulation provides a non-exhaustive list of risks solely as a foundation for protecting fundamental rights. Administrators must assess and address additional, context-specific risks beyond those explicitly listed. This requires Read More
The big day arrived. The UK Competition and Markets Authority (CMA) finally agreed for Google to phase out third-party cookies. That's terrific because it improves user welfare. Furthermore, no grace period was requested. Google could do it even today. The catch? Only on iOS, Apple's operating Read More
TLS is the fundamental protocol facilitating secure web browsing. Simply speaking it identifies the server identity and establishes an encrypted connection. That’s how we may securely use banking, do shopping, and do other things we take for granted. Establishing such a connection comes with a performance footprint because computation Read More
I track the Privacy Sandbox migration process since it's day 1 announcement. Having written some notes about architectural aspects, initial assessments, including identification of data leaks, When analysing the proposals and imagining the future system, I realised that there's a need to somehow guide the future Read More
This is an accompanying post about the contents of my LL.M. dissertation devoted to Protected Audience API. The initial post, considering privacy and data protection, is here. This post is devoted to aspects of competition, an important element of the debate around the phasing out of third-party cookies, and Read More
Data protection assessment of Privacy Sandbox's Protected Audience API. It can be deployed and designed in compliance with GDPR. Read More
In 2019 I argued and explained that we are in the midst of a perfect storm that the privacy debate has caused. I predicted the impact on the web architecture, and the web platform. The thing that billions of people use every day, that is. These very basic building fabrics Read More
Artificial Intelligence and AI Governance are hot topics in this decade. European Union has a pretty ambitious attempt to regulate AI (project here). In this post, I have a look at the proposal through the technical lens, including paying attention to cybersecurity and privacy. The goal of the regulation is Read More
User tracking technologies are ubiquitous on the web. In recent times web browsers try to fight abuses. This led to an arms race where new tracking and anti-tracking measures are being developed. The use of one of such evasion techniques, the CNAME cloaking technique is recently quickly gaining popularity. Our Read More
The last and final version of the ePrivacy Regulation was finally delivered by the Council of the European Union. The work will finally move forward. I tracked all relevant ePrivacy events since 2016. I also directly participated in the works as an expert and advisor. While this is likely the Read More
This post describes some of the technologies that are or may be used, as well as the ideas of improving the privacy stance of such a certificate/passports technology. Treat it as a standardisation and food-for-thoughts consideration, with a view towards privacy-preserving Covid19 health certificates or ‘passports’. It seems that Read More
We may be in the middle of a process of redesigning how the web economy functions. Considerations include web advertisements. Such works involve many actors. Some big platforms. Some web browser vendors. Some ads companies, with a modest list of analysts or researchers keeping a close eye. I believe it’ Read More
There’s a trend of bringing web apps closer to smartphone native apps. You can see it in the increasingly popular Progressive Web Applications (PWAs), web applications that can be installed locally to a smartphone, to subsequently be available to the user just like any other native apps, for example Read More
IPv6 is a big enough topic that any short writing obviously cannot account for all the issues. But it’s important to realize that at its core, the IP version 6 (which was/is supposed to replace IPv4 at some point) is modern technology at its core from the ‘90s Read More
Web advertising moving towards privacy - is it possible? Six issues to consider In 2016 I argued that 2017 will be the year of privacy. It was but we did not stop there. We are still in the cycle of transforming technologies into processes with privacy in mind. This process Read More
The user’s Web browsing history is usually defined as a list of websites the user has visited, such as “google.com, facebook.com, reddit.com, bbc.co.uk, random-site.org, etcetc.org.uk”. On its own, it may seem innocuous. It turns out browsing history can be processed to Read More
Imagine tens of millions of users potentially receiving a popup asking the user to grant permission to be tracked, in September 2020. The striking news emerged from this year’s Apple WWDC conference. Apple will limit the use of the IDFA “tracking identifier”. This identifier allowed advertisers to track the Read More
Magnetometer is a less known sensor. It equips web browsers with the ability to read the magnetic field strength using the built-in magnetometer device sensors and the W3C Magnetometer API. It might be useful in some specific use cases such as peripheral devices (like a gamepad, to control the user’ Read More
I was hesitant to speak about contact tracing apps because so many people speak on the subject and the ratio of repeating the same cliches over and over is also high. Little insightful things are left to be said in this rather simple problem. But recently it emerged that a Read More