Privacy Flag: an EU-funded Project Success Story

  • Interdisciplinary Centre for Security, Reliability and Trust (SnT)
    5 July 2018
  • Category
    Research

It’s early days for the GDPR, but the regulation, along with recent high-profile cases such as the Facebook/Cambridge Analytica fallout, has already had a big impact on the public consciousness. People who previously had little awareness of how companies were harvesting their data are now waking up to the extent to which we give away personal information online.

But how can we reconcile the benefits and attractions of our favourite apps and online services with the desire to take control of our personal data? Privacy Flag is a Horizon 2020 European research project providing a range of apps and services to help citizens do just that. The European Commission recently underlined the need for such tools when it named Privacy Flag an EU-funded Project Success Story.

People are increasingly aware that companies are gathering huge amounts of personal data through apps and websites

One App to Rule them All

The average smartphone user accesses some 30 apps per month, and with the Privacy Flag app, you might find yourself making space for one more. This app compares the contents of a user’s phone to a database of ‘privacy friendly’ apps as analysed by Privacy Flag. It also tells you which of your apps are sharing sensory data from your phone, prompting you to block this in your settings.

The Privacy Flag app is available on Google Play

Private Browsing

For web browsing you can download the Privacy Flag add-on. This scans websites to check that they use adequate security measures and to alert you to third-party trackers, such as those belonging to advertising or analytics companies. Further, Privacy Flag’s Observatory alerts users to behavioural changes in apps and websites, and to changes in the IT landscape that might have implications for these tools.

Reconciling Crowdsourcing with Privacy

All of this work has taken place across 12 partner organisations, with the team at SnT supporting the developers of the crowdsourcing aspects of the app and add-on. Both tools use crowdsourcing to harness the experience and expertise of the public, with users encouraged to rate apps and websites. Privacy Flag then analyses this data together with automated security and privacy evaluations to make its recommendations.

The key challenge here is that crowdsourcing itself bears inherent privacy risks; the mere fact that someone is evaluating a certain website, or that they are doing so from a certain location, might compromise sensitive information. Further, even when data is encrypted, the way it is sent can give away a lot of information; would-be eavesdroppers can profile users by analysing when and how often the data is transferred, how much of it there is and how long it takes to transfer. And once the data arrives at the Privacy Flag servers we cannot assume that these are entirely trustworthy, so it needs to remain anonymous there.

SnT’s Dr. Karim Emara (now Ain Shams University, Egypt), Dr. Stefan Schiffner and Dr. Marharyta Aleksandrova therefore supported the Privacy Flag software developers in analysing the server’s security and implementing state-of-the-art anonymization techniques, preventing anyone – including Privacy Flag itself – from gleaning any personal information from these communications.

Supporting Companies in Compliance

In addition to supporting citizens, Privacy Flag also encompasses a second set of tools, aimed at helping companies ensure GDPR compliance. This includes Privacy Pact (a voluntary legally binding mechanism for organisations outside the European Union to commit to the GDPR), a certification scheme, and the European Privacy Portal, a database of resources on privacy and personal data protection.

An Interdisciplinary Approach

Explaining the success of the project, Stefan Schiffner emphasised the extent to which it had relied on specialists from different domains being willing to go beyond their zones of expertise. “You can’t solve these problems with technology alone, or indeed from any one viewpoint. Yes, you need lawyers to explain the legal text, but the legal text only makes sense if the lawyer understands the technical state of the art. You also need experts in user interface to ensure that the tools are user friendly; you can have the best consent text in the world from a technical and legal perspective, for example, but if it isn’t clear then you can’t use it as the legal basis for processing data.”

Judging from the enthusiastic reception so far of the tools, which are currently in beta testing, there is high demand for trustworthy technology to help us maintain our privacy online.