While I once hoped 2017 would be the year of privacy, 2024 closes on a troubling note, a likely decrease in privacy standards across the web. I was surprised by the recent Information Commissioner’s Office post, which criticized Google’s decision to introduce device fingerprinting for advertising purposes from Read More
Google announced that they are... Not phasing out third-party cookies? And after 4+ years of development, this is a striking change. I explain what to make out of it. Fast-forward: unclear for at least 1-2 months. It is a response to part of industry criticism, but also regulatory oversight. At Read More
As privacy engineering is getting more and more mature as a field in some settings experts are creating a "privacy checklist" of things to have. It's useful in design, development, and deployment, but also audits. Many useful things could be added to such a list. Of Read More
Is Privacy Sandbox’s Federated Learning of Cohorts leaking information about web browsing history? Let's find out. Federated Learning of Cohorts is computing a SimHash on a user's web browsing history (the lists of visited websites) to obtain the cohort ID. In principle, it is a Read More
Digital web advertising is an ecosystem undergoing strategic changes. Google’s Privacy Sandbox is promising to redesign web advertising technology in ways that will respect user’s privacy, including based on some previous designs. Detailed technically-enabled analysis should wait until more design features are known. In this post I focus Read More
This post describes some of the technologies that are or may be used, as well as the ideas of improving the privacy stance of such a certificate/passports technology. Treat it as a standardisation and food-for-thoughts consideration, with a view towards privacy-preserving Covid19 health certificates or ‘passports’. It seems that Read More
We may be in the middle of a process of redesigning how the web economy functions. Considerations include web advertisements. Such works involve many actors. Some big platforms. Some web browser vendors. Some ads companies, with a modest list of analysts or researchers keeping a close eye. I believe it’ Read More
IPv6 is a big enough topic that any short writing obviously cannot account for all the issues. But it’s important to realize that at its core, the IP version 6 (which was/is supposed to replace IPv4 at some point) is modern technology at its core from the ‘90s Read More
When big chunks of user data collected on an industrial scale continue to induce constant privacy concerns, the need to seriously address problems of privacy and data protection with respect to data processing is important as never before. Data is increasingly fed into machine learning models (i.e. “artificial intelligence” Read More
This post is built around my paper (presented to/at the International Workshop on Privacy Engineering) devoted to privacy assessment in web standards. After the previous one (Battery Status Not Included: Assessing Privacy in W3C Web Standards) this is the next insight in this domain. While I point out the Read More
Magnetometer is a less known sensor. It equips web browsers with the ability to read the magnetic field strength using the built-in magnetometer device sensors and the W3C Magnetometer API. It might be useful in some specific use cases such as peripheral devices (like a gamepad, to control the user’ Read More
Privacy vulnerabilities in mechanisms designed to improve privacy are not something expected. On the contrary, they are the last place where you’d expect a privacy bug. Intelligent Tracking Prevention (ITP) is an impressive feature of Safari, the default browser used on iPhones, iPads, and Macs. It was the first Read More
Welcome to the privacy analysis of Progressive Web Applications. With new features in steady supply, the web is changing in exciting ways. One of the more interesting trends is the concept of Progressive Web Applications (PWA). PWAs use modern and powerful web features to further blur the boundaries between web Read More
Real-Time Bidding is a technology enabling the targeting of content to mobile and web users. Real-Time Bidding has numerous problems. * Security, including malvertising (abusing ads infrastructure to deliver malware); affecting hundreds of millions of user visits; delivering malware. * Privacy, as it is a mass market for personal data, with vague Read More
Modern Web browsers are constantly getting new features. It makes for interesting challenges on the level of security and privacy reviews. This is how I usually look on this stuff. There are recently a lot of interesting new browser mechanisms. I previously analysed some in the past, such as proximity Read More
My work touches multiple dimensions: research, technology, standards and technology policy. One of the aspects of my security and privacy research involvement are the study of sensors privacy - and especially sensors exposed to websites via web browsers. The practical outcome of this work are privacy analyses of Web APIs. Read More
Recently I wrote about the new IAB (ad industry) initiative meaning to fight fraud in programmatic advertising. You can find my previous post here. As the ads.txt standard shows which Ads Exchanges are brokering ads space (somewhat related with exchange of user data), I explored the options of using Read More
When governments acknowledged that computer hacking is increasingly made by criminals, hacking techniques employed by criminals were simply banned. This has solved the problem; since then we‘re not hearing of any data theft, fraud and so on. Right. In the European Union, General Data Protection Regulation will enter into Read More
NIST has published new guidelines relating to security and privacy (I noted recent NIST’s involvement in privacy engineering here). As many of their documents, new guidelines will be influential for security and privacy engineering. Though they’re focused on Digital Identity, the reach will be much broader. I paid Read More
I am participating in the works on the ePrivacy Regulation. Last week I have attended ePrivacy Roundtables, organised at the European Parliament. That was an interesting opportunity to exchange opinions, present and exchange views. There were four Roundtables on the following topics: Cookies, Article 8, Consent, Privacy by Design and Read More
In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your browser using a surprising tool: your smartphone or laptop’s ambient light sensor. In short: 1. We provide background about the light sensor API and current discussions to expose it more broadly to websites. Read More
Understanding and perceiving privacy as a technological and strategic aspect is becoming a standard practice. The recently published NIST Internal Report “An Introduction to Privacy Engineering and Risk Management” is an interesting attempt to systematize the understanding of privacy engineering. Privacy in this view forms an important technical and strategic Read More