Brian Jay Tang
November 20, 2022

Detection of Inconsistencies in Privacy Practices of Browser Extensions

Posted on November 20, 2022

Authors

Duc Bui, Brian Tang, Kang G. Shin

Conference

Accepted at 44th IEEE Symposium on Security and Privacy (2023)

Abstract

Online trackers, such as advertising and analytics service companies, have provided users with choices to opt out of their tracking and data collection to mitigate the users’ concerns of increasing privacy risks. While opt-out choices of online services for the cookies placed on their own websites have been examined before, the choices provided by trackers for their third-party tracking services on publisher websites have been largely overlooked. There is no guarantee that a tracker’s opt-out option would faithfully follow the statements in its privacy policy. To address this concern, we develop an automated framework, called OptOutCheck, that analyzes (in)consistencies between trackers’ data practices and the opt-out choice statements in their privacy policies. We create sentence-level classifiers, which achieve ≥84.6% precision on previously-unseen statements, to extract the opt-out policies that state neither tracking nor data collection for opted-out users from trackers’ privacy-policy documents. OptOutCheck analyzes both tracker and publisher websites to detect opt-out buttons, perform the opt-out, and extract the data flows to the tracker servers after the user opts out. Finally, we formalize the opt-out policies and data flows to derive logical conditions to detect the inconsistencies. In a large-scale study of 2.9k popular trackers, OptOutCheck detected opt-out choices on 165 trackers and found 11 trackers who exhibited data practices inconsistent with their stated opt-out policies. Since inconsistencies are violations of the trackers’ privacy policies and demonstrate data collection without user consent, they are likely to cause a loss of users’ trust in the online trackers and trigger the necessity of an automatic auditing process.

Figures

https://www.computer.org/csdl/proceedings-article/sp/2023/933600a037/1He7XKorLcQ
