Automating Cookie Consent and GDPR Violation Detection

OPEN ACCESS

Downloads

Full text (accepted version) (PDF, 1.90 MB)

Author / Producer

Bollinger, Dino Cotrini, Carlos

Date

2022

Publication Type

Conference Paper

ETH Bibliography

yes

Citations

Altmetric
OPEN ACCESS

Downloads

Full text (accepted version) (PDF, 1.90 MB)

Data

Rights / License

In Copyright - Non-Commercial Use Permitted north_east

Abstract

The European Union’s General Data Protection Regulation (GDPR) requires websites to inform users about personal data collection and request consent for cookies. Yet the majority of websites do not give users any choices, and others attempt to deceive them into accepting all cookies. We document the severity of this situation through an analysis of potential GDPR violations in cookie banners in almost 30k websites. We identify six novel violation types, such as incorrect category assignments and misleading expiration times, and we find at least one potential violation in a surprising 94.7% of the analyzed websites. We address this issue by giving users the power to protect their privacy. We develop a browser extension, called CookieBlock, that uses machine learning to enforce GDPR cookie consent at the client. It automatically categorizes cookies by usage purpose using only the information provided in the cookie itself. At a mean validation accuracy of 84.4%, our model attains a prediction quality competitive with expert knowledge in the field. Additionally, our approach differs from prior work by not relying on the cooperation of websites themselves. We empirically evaluate CookieBlock on a set of 100 randomly sampled websites, on which it filters roughly 90% of the privacy-invasive cookies without significantly impairing website functionality.

Permanent link

https://doi.org/10.3929/ethz-b-000525815

Publication status

published

External links

https://www.usenix.org/conference/usenixsecurity22/presentation/bollinger north_east

Editor

Butler, Kevin north_east Thomas, Kurt north_east

Book title

Proceedings of the 31st USENIX Security Symposium

Journal / series

Volume

Pages / Article No.

2893 - 2910

Publisher

USENIX Association

Event

31st USENIX Security Symposium (USENIX Security 2022)

Edition / version

Methods

Software

Geographic location

Date collected

Date created

Subject

Organisational unit

03634 - Basin, David / Basin, David check_circle
02660 - Institut für Informationssicherheit / Institute of Information Security

Notes

Funding

Related publications and datasets

Cites:

More

Show all metadata