Add text for opt-out and opt-in

2020-07-07 17:22:11 +02:00 · 2020-07-07 17:22:11 +02:00 · 02818278bd
commit 02818278bd
parent 4cd77dc989
3 changed files with 96 additions and 4 deletions
--- a/acronym.tex
+++ b/acronym.tex
@ -32,3 +32,4 @@
 \newacronym {DNSSEC}	{DNSSEC}	{Domain Name System Security Extensions}
 \newacronym {TTL}	{TTL}		{Time To Live}
 \newacronym {PSK}	{PSK}		{Pre-Shared Key}
 \newacronym {GDPR}  {GDPR}      {General Data Protection Regulation}
--- a/defences.tex
+++ b/defences.tex
@ -20,13 +20,40 @@ against the methods discussed in chapter~\ref{chap:tracking methods}.
 The aim of this section is to present comparatively simple techniques that a
 user can employ to limit tracking. The benefit of these methods is that they are
-built into modern browsers and therefore do not require specific user knowledge.
+built into modern browsers and therefore do not require specific user knowledge
-Although their implementations vary from one browser to another, the basic idea
+of installing any additional tools. Although their implementations vary from
-remains the same.
+one browser to another, the basic idea of the underlying functionality remains
 the same.
-\subsection{Opt-out}
+\subsection{Opt-out and Opt-in}
 \label{subsec:Opt-out}
 To opt-out in the context of web tracking means to make use of the possibility
 of turning off data collection by a web site. After the user has opted-out of
 either all data collection or only a subset of all the data that a web site
 collects, an opt-out cookie is set, indicating the user's preference. Whereas
 opting-out generally means that data collection happens by default, opt-in
 requires that data collection is turned off by default. In theory it allows
 users to have fine-grained control over which aspects of their online presence
 they are comfortable with sharing by either opting-out or opting-in (depending
 on how web sites ask for consent). In practice however, the seemingly irrelevant
 difference between those two lead to very different outcomes with respect to the
 amount of users that are tracked.
 For either opt-out or opt-in to work, a web site has to provide an option for
 doing so. Because web sites increasingly use third parties to manage data
 collection on their site, consent or rejection has to be passed to these third
 parties and they have to be willing to accept such a decision. Since the
 European's \gls{GDPR} came into force in 2018, service providers operating in
 the European Union are required to ask users for explicit consent before
 collecting any data, except when that data is absolutely necessary to ensure
 basic functionality. It is not allowed to notify the user that by continuing to
 visit the web site, consent to data collection is given.  Furthermore, if
 consent is not given, the web site provider is not allowed to block the user
 from visiting the web site. \citet{sanchez-rolaCanOptOut2019a} show, however,
 that tracking is still prevalent and happens already before user consent is
 given.
 \subsection{Clearing Browser History}
 \label{subsec:Clearing Browser History}
--- a/references.bib
+++ b/references.bib
@ -110,6 +110,19 @@
  type = {{{SSRN Scholarly Paper}}}
 }
@inproceedings{bannihattikumarFindingChoiceHaystack2020,
  title = {Finding a {{Choice}} in a {{Haystack}}: {{Automatic Extraction}} of {{Opt}}-{{Out Statements}} from {{Privacy Policy Text}}},
  shorttitle = {Finding a {{Choice}} in a {{Haystack}}},
  booktitle = {Proceedings of {{The Web Conference}} 2020},
  author = {Bannihatti Kumar, Vinayshekhar and Iyengar, Roger and Nisal, Namita and Feng, Yuanyuan and Habib, Hana and Story, Peter and Cherivirala, Sushain and Hagan, Margaret and Cranor, Lorrie and Wilson, Shomir and Schaub, Florian and Sadeh, Norman},
  year = {2020},
  month = apr,
  pages = {1943--1954},
  address = {{Taipei, Taiwan}},
  abstract = {Website privacy policies sometimes provide users the option to opt-out of certain collections and uses of their personal data. Unfortunately, many privacy policies bury these instructions deep in their text, and few web users have the time or skill necessary to discover them. We describe a method for the automated detection of opt-out choices in privacy policy text and their presentation to users through a web browser extension. We describe the creation of two corpora of opt-out choices, which enable the training of classifiers to identify opt-outs in privacy policies. Our overall approach for extracting and classifying opt-out choices combines heuristics to identify commonly found opt-out hyperlinks with supervised machine learning to automatically identify less conspicuous instances. Our approach achieves a precision of 0.93 and a recall of 0.9. We introduce Opt-Out Easy, a web browser extension designed to present available opt-out choices to users as they browse the web. We evaluate the usability of our browser extension with a user study. We also present results of a large-scale analysis of opt-outs found in the text of thousands of the most popular websites.},
  series = {{{WWW}} '20}
 }
@misc{baronPreventingAttacksUser2010,
  title = {Preventing Attacks on a User's History through {{CSS}} :Visited Selectors},
  author = {Baron, David},
@ -195,6 +208,18 @@
  series = {{{WSDM}} '19}
 }
@article{bellmanSiteOptinOptout2001,
  title = {On Site: To Opt-in or Opt-out? It Depends on the Question},
  shorttitle = {On Site},
  author = {Bellman, Steven and Johnson, Eric J. and Lohse, Gerald L.},
  year = {2001},
  month = feb,
  volume = {44},
  pages = {25--27},
  journal = {Communications of the ACM},
  number = {2}
 }
@article{belloroKnowWhatYou2018,
  title = {I {{Know What You Did Last Summer}}: {{New Persistent Tracking Mechanisms}} in the {{Wild}}},
  shorttitle = {I {{Know What You Did Last Summer}}},
@ -490,6 +515,19 @@
  number = {2}
 }
@inproceedings{habibItScavengerHunt2020,
  title = {"{{It}}'s a Scavenger Hunt": {{Usability}} of {{Websites}}' {{Opt}}-{{Out}} and {{Data Deletion Choices}}},
  shorttitle = {"{{It}}'s a Scavenger Hunt"},
  booktitle = {Proceedings of the 2020 {{CHI Conference}} on {{Human Factors}} in {{Computing Systems}}},
  author = {Habib, Hana and Pearman, Sarah and Wang, Jiamin and Zou, Yixin and Acquisti, Alessandro and Cranor, Lorrie Faith and Sadeh, Norman and Schaub, Florian},
  year = {2020},
  month = apr,
  pages = {1--12},
  address = {{Honolulu, HI, USA}},
  abstract = {We conducted an in-lab user study with 24 participants to explore the usefulness and usability of privacy choices offered by websites. Participants were asked to find and use choices related to email marketing, targeted advertising, or data deletion on a set of nine websites that differed in terms of where and how these choices were presented. They struggled with several aspects of the interaction, such as selecting the correct page from a site's navigation menu and understanding what information to include in written opt-out requests. Participants found mechanisms located in account settings pages easier to use than options contained in privacy policies, but many still consulted help pages or sent email to request assistance. Our findings indicate that, despite their prevalence, privacy choices like those examined in this study are difficult for consumers to exercise in practice. We provide design and policy recommendations for making these website opt-out and deletion choices more useful and usable for consumers.},
  series = {{{CHI}} '20}
 }
@misc{hicksonWebSQLDatabase2010,
  title = {Web {{SQL Database}}},
  author = {Hickson, Ian and Google Inc.},
@ -792,6 +830,19 @@
  number = {2}
 }
@inproceedings{leonWhyJohnnyCan2012,
  title = {Why {{Johnny}} Can't Opt out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising},
  shorttitle = {Why {{Johnny}} Can't Opt Out},
  booktitle = {Proceedings of the {{SIGCHI Conference}} on {{Human Factors}} in {{Computing Systems}}},
  author = {Leon, Pedro and Ur, Blase and Shay, Richard and Wang, Yang and Balebako, Rebecca and Cranor, Lorrie},
  year = {2012},
  month = may,
  pages = {589--598},
  address = {{Austin, Texas, USA}},
  abstract = {We present results of a 45-participant laboratory study investigating the usability of nine tools to limit online behavioral advertising (OBA). We interviewed participants about OBA and recorded their behavior and attitudes as they configured and used a privacy tool, such as a browser plugin that blocks requests to specific URLs, a tool that sets browser cookies indicating a user's preference to opt out of OBA, or the privacy settings built into a web browser. We found serious usability flaws in all tools we tested. Participants found many tools difficult to configure, and tools' default settings were often minimally protective. Ineffective communication, confusing interfaces, and a lack of feedback led many participants to conclude that a tool was blocking OBA when they had not properly configured it to do so. Without being familiar with many advertising companies and tracking technologies, it was difficult for participants to use the tools effectively.},
  series = {{{CHI}} '12}
 }
@inproceedings{leungShouldYouUse2016,
  title = {Should {{You Use}} the {{App}} for {{That}}? {{Comparing}} the {{Privacy Implications}} of {{App}}- and {{Web}}-Based {{Online Services}}},
  shorttitle = {Should {{You Use}} the {{App}} for {{That}}?},
@ -1099,6 +1150,19 @@
  series = {{{ACSAC}} '19}
 }
@inproceedings{sanchez-rolaCanOptOut2019a,
  title = {Can {{I Opt Out Yet}}? {{GDPR}} and the {{Global Illusion}} of {{Cookie Control}}},
  shorttitle = {Can {{I Opt Out Yet}}?},
  booktitle = {Proceedings of the 2019 {{ACM Asia Conference}} on {{Computer}} and {{Communications Security}}},
  author = {{Sanchez-Rola}, Iskander and Dell'Amico, Matteo and Kotzias, Platon and Balzarotti, Davide and Bilge, Leyla and Vervier, Pierre-Antoine and Santos, Igor},
  year = {2019},
  month = jul,
  pages = {340--351},
  address = {{Auckland, New Zealand}},
  abstract = {The European Union's (EU) General Data Protection Regulation (GDPR), in effect since May 2018, enforces strict limitations on handling users' personal data, hence impacting their activity tracking on the Web. In this study, we perform an evaluation of the tracking performed in 2,000 high-traffic websites, hosted both inside and outside of the EU. We evaluate both the information presented to users and the actual tracking implemented through cookies; we find that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EU-based ones, while third-party opt-out services reduce the amount of tracking even for websites which do not put any effort in respecting the new law. On the other hand, we find that tracking remains ubiquitous. In particular, we found cookies that can identify users when visiting more than 90\% of the websites in our dataset - and we also encountered a large number of websites that present deceiving information, making it it very difficult, if at all possible, for users to avoid being tracked.},
  series = {Asia {{CCS}} '19}
 }
@article{sanchez-rolaWebWatchingYou2017,
  title = {The Web Is Watching You: {{A}} Comprehensive Review of Web-Tracking Techniques and Countermeasures},
  shorttitle = {The Web Is Watching You},