November 20, 2022

Detection of Inconsistencies in Privacy Practices of Browser Extensions


Information

Authors

Duc Bui, Brian Tang, Kang G. Shin

Conference

44th IEEE Symposium on Security and Privacy (2023)

Blog

Intro

All major web browsers support extensions that provide additional functionality and enhance users’ browsing experience, but those extensions can also access and collect users’ data during web browsing. Although web extensions inform users of their data practices via multiple forms of notices, prior work has overlooked the gap between the actual data practices of browser extensions and their published privacy notices. To fill this gap, we propose ExtPrivA, which automatically detects inconsistencies between browser extensions’ data collection and their privacy disclosures.

System Design

From the privacy policies and Dashboard disclosures, ExtPrivA extracts privacy statements to obtain a clear interpretation of an extension’s privacy practices. The system emulates user interactions to trigger the extension’s functionality and analyzes the initiators of network requests to accurately attribute the users’ data that the extension transfers from the browser to external servers. Our end-to-end evaluation shows that ExtPrivA detects inconsistencies between privacy disclosures and data-collection behavior with 85% precision.
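To make the two checks described above concrete, here is an added toy example (not the paper’s ExtPrivA code): it attributes captured network requests to the extension via their initiator, maps payload fields to disclosure data types, and then flags (a) flows whose data type the disclosure declares as not collected and (b) data types on which the Dashboard disclosure and the privacy policy contradict each other. The extension id, hostnames, payloads, disclosure vocabulary and the field-to-data-type table are all constructed assumptions; the request records only mimic the shape of Chrome DevTools Protocol `Network.requestWillBeSent` events (an `initiator` with an optional `stack`, the request URL and the POST body).

```python
"""Added example (not the paper's ExtPrivA code): a toy consistency check
between an extension's privacy disclosures and observed network flows.
Every input below is constructed for illustration only."""
from urllib.parse import urlparse

# Constructed extension id (not a real Chrome Web Store id).
EXT_ID = "abcdefghijklmnopabcdefghijklmnop"

# Constructed mapping from payload field names to disclosure data types.
# It stands in for a real data-type classifier, which is far richer.
FIELD_TO_DATA_TYPE = {
    "url": "browsing_history",
    "visited_url": "browsing_history",
    "lat": "location",
    "lon": "location",
    "email": "personal_info",
}

# Constructed disclosures: the Web Store Dashboard declaration and the
# privacy-policy statements, expressed in the same data-type vocabulary.
DASHBOARD = {"browsing_history": "not_collected", "location": "not_collected",
             "personal_info": "collected"}
POLICY = {"browsing_history": "not_collected", "location": "collected",
          "personal_info": "collected"}

# Constructed network requests captured while emulating user interaction.
REQUESTS = [
    # Sent by the extension's background script.
    {"initiator": {"type": "script",
                   "url": f"chrome-extension://{EXT_ID}/bg.js"},
     "url": "https://stats.example.net/collect",
     "post_data": {"visited_url": "https://news.example.com/story/1",
                   "email": "u@example.com"}},
    # Same kind of payload, but sent by the web page itself: it must not be
    # attributed to the extension.
    {"initiator": {"type": "script", "url": "https://news.example.com/app.js"},
     "url": "https://analytics.example.org/beacon",
     "post_data": {"url": "https://news.example.com/story/1"}},
    # No initiator URL at all (e.g. a navigation); also not the extension's.
    {"initiator": {"type": "other"},
     "url": "https://api.example.net/weather",
     "post_data": {"lat": "42.28", "lon": "-83.74"}},
]


def _is_ext_url(url, ext_id):
    parsed = urlparse(url)
    return parsed.scheme == "chrome-extension" and parsed.netloc == ext_id


def initiated_by_extension(req, ext_id=EXT_ID):
    """True when the initiator URL or any frame of its stack trace is the extension."""
    init = req.get("initiator", {})
    if init.get("url") and _is_ext_url(init["url"], ext_id):
        return True
    frames = init.get("stack", {}).get("callFrames", [])
    return any(_is_ext_url(f.get("url", ""), ext_id) for f in frames)


def extract_flows(requests, ext_id=EXT_ID):
    """Return {data_type: set(destination hosts)} for extension-initiated requests."""
    flows = {}
    for req in requests:
        if not initiated_by_extension(req, ext_id):
            continue
        host = urlparse(req["url"]).netloc
        for field in req.get("post_data", {}):
            dtype = FIELD_TO_DATA_TYPE.get(field)
            if dtype:
                flows.setdefault(dtype, set()).add(host)
    return flows


def inconsistent_flows(flows, disclosure):
    """Data types observed leaving the browser but declared as not collected.
    A data type absent from the disclosure is treated as not collected."""
    return sorted(d for d in flows
                  if disclosure.get(d, "not_collected") == "not_collected")


def contradictory_statements(dashboard, policy):
    """Data types on which the two disclosures disagree."""
    return sorted(d for d in set(dashboard) | set(policy)
                  if dashboard.get(d) != policy.get(d))


if __name__ == "__main__":
    observed = extract_flows(REQUESTS)
    print("flows:", observed)
    print("undisclosed flows (Dashboard):", inconsistent_flows(observed, DASHBOARD))
    print("Dashboard/policy contradictions:", contradictory_statements(DASHBOARD, POLICY))
```

Only the first request is attributed to the extension, so the observed flows are `browsing_history` and `personal_info` to `stats.example.net`; `browsing_history` is flagged because both disclosures declare it not collected, and `location` is reported as a Dashboard/policy contradiction even though no location flow was observed from the extension.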

Evaluation

In a large-scale study of 47.2k extensions on the Chrome Web Store, we found 820 extensions with 1,290 flows that are inconsistent with their privacy statements. Even worse, we found 525 pairs of contradictory privacy statements in the Dashboard disclosures and privacy policies of 360 extensions. These discrepancies between an extension’s privacy disclosures and its actual data-collection behavior are deemed serious violations of the Store’s policies. Our findings highlight critical issues in the privacy disclosures of browser extensions, which potentially mislead end-users and pose high privacy risks to them.

Citation

@inproceedings{bui2022detection,
    title={Detection of Inconsistencies in Privacy Practices of Browser Extensions},
    author={Bui, Duc and Tang, Brian and Shin, Kang G},
    booktitle={2023 IEEE Symposium on Security and Privacy (SP)},
    pages={37--55},
    year={2022},
    organization={IEEE Computer Society}
}

https://www.computer.org/csdl/proceedings-article/sp/2023/933600a037/1He7XKorLcQ
