Lukasz Olejnik
Security, Privacy & Tech Inquiries

Web Privacy Then and Now - 10 years after my Ph.D.

Ten years ago, I defended my Ph.D. thesis at the French INRIA (now: Institute for Research in Digital Science and Technology). It feels like the right time to reflect on how the privacy landscape has evolved since then. At that time, web privacy leaks and tracking were widespread. However, in the following years, the full extent of these risks became apparent, establishing privacy as one of the most pressing concerns in the digital world.

My research focused on web security and privacy, particularly regarding the tracking and profiling of web users. I explored how web browsing histories are highly unique. This uniqueness means that browsing histories can act as behavioral fingerprints, potentially classifying them as personal data under privacy regulations such as the General Data Protection Regulation (GDPR). The landscape of web tracking resembled the Wild West.

My early research on web browsing history has been strongly validated by a Mozilla study, confirming the uniqueness of web browsing histories and a significant chance of reidentification of users. The findings showed that even a small number of visited sites can enable fingerprinting, with major web platforms holding significant power in user tracking. This evidence confirms that web browsing histories are personal data under the GDPR.

Real-Time Bidding (RTB) is an online advertising auction system that highlights privacy risks. Our study showed that bid prices usually ranged from $0.0001 to $0.001 per ad impression, even though users perceive their data to be worth much more. I realized very early that this system can be used to direct various types of information, including for political manipulation and influence, as well as disinformation. This turned out to be correct, as we have known since 2016.

Today, privacy has improved in many ways. Companies are actively working to enhance protections. Third-party cookies are being phased out. Privacy engineering, design, and assessment are important. However, new tracking methods, such as fingerprinting, have emerged. Additionally, private data is now processed on an industrial scale to create AI models. While the challenges remain significant, the conversation surrounding privacy is more prominent than ever.

In my later research, I expanded into broader aspects of web privacy, policy, and security standards. I examined evasion techniques used by trackers, such as CNAME cloaking to bypass browser protections. I assessed the privacy risks posed by web APIs like the Ambient Light Sensor and Battery Status API. My work influenced web standardization efforts, contributing to web browser vendors like Apple or Mozilla modifying or restricting privacy-invasive features. These studies bridged technical, regulatory, and policy considerations, reinforcing the need for privacy-aware technological design.

Beyond research, I have contributed to privacy and security policy at various levels, including advising a Member of the European Parliament on the ePrivacy Regulation, being elected to the W3C Technical Architecture Group, and advising the International Committee of the Red Cross on cyberwarfare. Additionally, I provided expertise at the European Data Protection Supervisor and earned an LL.M. in Information Technology Law from the University of Edinburgh to reinforce my cross-domain experience.

I authored two books: Philosophy of Cybersecurity, and Propaganda.

I work as an independent researcher and consultant while also being a visiting senior research fellow at King’s College London’s War Studies Department.

Looking back, the privacy landscape has changed significantly, with advancements in tracking mechanisms and stronger regulatory oversight. Many issues from my Ph.D. research were very relevant to the global privacy discussions and online data protection policies.

I'm also pleased to see improvements in network and web infrastructures for better security and privacy.

me@lukaszolejnik.com