World Wide Web

, Volume 22, Issue 5, pp 2041–2062 | Cite as

Adapting HTML5 Web applications to user privacy preferences

  • Georgia M. KapitsakiEmail author
  • Theodoros Charalambous
Part of the following topical collections:
  1. Special Issue on Web Information Systems Engineering 2017


Different service providers on the Web formulate their privacy policies based on their business scope. However, the progress of HTML5 has largely facilitated the acquisition of user-relevant data via Web browsers (e.g. location, device battery level, network information). Users can give their consent on the use of this sensitive information, but should have the right to express their privacy preferences, so that Web applications can adapt themselves accordingly. In this work, we address the above by specifying a privacy preferences language for users tailored to HTML5 Web applications employing the eXtensible Access Control Markup Language, whereas we introduce a mechanism that adapts the Web application considering these user preferences. Our approach does not rely on complex structures allowing the easy specification of the policies and the context of its use utilizing a browser installed extension mechanism. We describe the process followed for the creation of the privacy preferences, the process of application adaptation and the benefits this approach provides to end-users via a demonstration and evaluation of the use of the extension.


Privacy protection Privacy policies HTML5 Web applications User data 



This work was partially funded by the European Community CEF-TC-2015-1 Safer Internet (grant agreement number INEA/CEF/IC-T/A2015/1152069) CYberSafety ( project. The authors would like to thank Kyriakos Kyriakou for his insight on the source code and are grateful to the anonymous reviewers for their constructive comments.


  1. 1.
    Achilleos, A.P., Kapitsaki, G.M.: Enabling cross-platform mobile application development: a context-aware middleware. In: International Conference on Web Information Systems Engineering, pp. 304–318 (2014)Google Scholar
  2. 2.
    Aggarwal, G., Bursztein, E., Jackson, C., Boneh, D.: An analysis of private browsing modes in modern browsers. In: 19th USENIX Conference on Security, pp. 6–6 (2010)Google Scholar
  3. 3.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: An XPath-based preference language for P3P. In: 12th international Conference on World Wide Web, pp. 629–639 (2003)Google Scholar
  4. 4.
    Andrés, M.E., Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Geo-indistinguishability: Differential privacy for location-based systems. In: 2013 ACM SIGSAC conference on Computer & communications security, pp. 901–914 (2013)Google Scholar
  5. 5.
    Ardagna, C., Bussard, L., De Capitani Di Vimercati, S., Neven, G., Pedrini, E., Paraboschi, S., Preiss, F., Samarati, P., Trabelsi, S., Verdicchio, M.: Primelife Policy Language. In: W3C Workshop on Access Control Application Scenarios (2009)Google Scholar
  6. 6.
    Ardagna, C.A., Cremonini, M., di Vimercati, S.D.C., Samarati, P.: An obfuscation-based approach for protecting location privacy. IEEE Trans. on Dependable and Secure Comp. 8(1), 13–27 (2011)CrossRefGoogle Scholar
  7. 7.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL). IBM Research. (2003)Google Scholar
  8. 8.
    Bagüés, S.A., Zeidler, A., Valdivielso, C.F., Matias, I.R.: Towards personal privacy control. In: OTM Confederated International Conference "On the Move to Meaningful Internet Systems", pp. 886–895 (2007)Google Scholar
  9. 9.
    Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: VEX: vetting browser extensions for security vulnerabilities. In: USENIX Security Symposium, vol. 10, pp. 339–354 (2010)Google Scholar
  10. 10.
    Behrooz, A., Devlic, A.: A context-aware privacy policy language for controlling access to context information of mobile users. In: International Conference on Secure and Privacy in Mobile Information and Communication Systems, pp. 25–39 (2011)Google Scholar
  11. 11.
    Beresford, A.R., Rice, A., Skehin, N., Sohan, R.: Mockdroid: trading privacy for application functionality on smartphones. In: 12th workshop on mobile computing systems and applications, pp. 49–54 (2011)Google Scholar
  12. 12.
    Boyce, B.: Emerging technology and the health insurance portability and accountability act. J. Acad. Nutr. Diet. 117(4), 517–518 (2017)CrossRefGoogle Scholar
  13. 13.
    Brush, A.J., Krumm, J., Scott, J.: Exploring end user preferences for location obfuscation, location-based services, and the value of location. In: 12th ACM international conference on Ubiquitous computing, pp. 95–104 (2010)Google Scholar
  14. 14.
    Cavoukian, A.: Privacy by design. Take the challenge. Information and privacy commissioner of Ontario. (2009). Accessed 22 April 2018
  15. 15.
    Cranor, L.: Web Privacy with P3P. O'Reilly Media, Inc (2002)Google Scholar
  16. 16.
    Cranor, L., Langheinrich, M., Marchiori, M.: A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C, (2002)Google Scholar
  17. 17.
    Devlic, A., Reichle, R., Wagner, M., Pinheiro, M.K., Vanrompay, Y., Berbers, Y., Valla, M.: Context inference of users' social relationships and distributed policy management. In: IEEE International Conference on Pervasive Computing and Communications, pp. 1–8 (2009)Google Scholar
  18. 18.
    Diaz, C., Olejnik, L., Acar, G., Casteluccia, C.: The leaking battery: a privacy analysis of the html5 battery status api. In Lecture Notes in Comp. Sc. 9481, 254–263 (2015)Google Scholar
  19. 19.
    Duckham, M., Kulik, L.: A formal model of obfuscation and negotiation for location privacy. In: International conference on pervasive computing, pp. 152–170 (2005)CrossRefGoogle Scholar
  20. 20.
    Ghosh, D., Joshi, A., Finin, T., Jagtap, P.: Privacy control in smart phones using semantically rich reasoning and context modeling. In: 2012 IEEE symposium on Security and privacy workshops, pp. 82–85 (2012)CrossRefGoogle Scholar
  21. 21.
    Henne, B., Kater, C., Smith, M., Brenner, M.: Selective cloaking: Need-to-know for location-based apps. In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust, pp. 19–26 (2013)CrossRefGoogle Scholar
  22. 22.
    Hu, V.C., Kuhn, D.R., Ferraiolo, D.F.: Attribute-based access control. Computer. 48(2), 85–88 (2015)CrossRefGoogle Scholar
  23. 23.
    Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on html5-based mobile apps: Characterization, detection and mitigation. In: 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 66–77 (2014)Google Scholar
  24. 24.
    Kapitsaki, G.M.: Reflecting user privacy preferences in context-aware Web services. In: 2013 IEEE 20th International Conference on Web Services, pp. 123–130 (2013)CrossRefGoogle Scholar
  25. 25.
    Kapitsaki, G.M., Charalambous, T.: PrivacySafer: Privacy Adaptation for HTML5 Web Applications. In: International Conference on Web Information Systems Engineering, pp. 247–262 (2017)Google Scholar
  26. 26.
    Kapitsaki, G.M., Venieris, I.S.: PCP: privacy-aware context profile towards context-aware application development. In: 10th International Conference on Information Integration and Web-based Applications & Services, pp. 104–110 (2008)Google Scholar
  27. 27.
    Karjoth, G., Schunter, M., Waidner, M.: Privacy-enabled services for enterprises. In: IEEE 13th Int. Workshop on Databases and Expert Systems Applications, pp. 483–487 (2002)CrossRefGoogle Scholar
  28. 28.
    Kobsa, A.: Privacy-enhanced Web personalization. In: The adaptive Web, pp. 628–670 (2007)CrossRefGoogle Scholar
  29. 29.
    Krumm, J.: A survey of computational location privacy. Pers. Ubiquit. Comput. 13(6), 391–399 (2009)CrossRefGoogle Scholar
  30. 30.
    Leon, P., Ur, B., Shay, R., Wang, Y., Balebako, R., Cranor, L.: Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 589–598 (2012)Google Scholar
  31. 31.
    Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First experiences using XACML for access control in distributed systems. In: 2003 ACM workshop on XML security, pp. 25–37 (2003)CrossRefGoogle Scholar
  32. 32.
    Lu, R., Lin, X., Shen, X.: SPOC: a secure and privacy-preserving opportunistic computing framework for mobile-healthcare emergency. IEEE Trans. on Parallel and Distributed Syst. 24(3), 614–624 (2013)CrossRefGoogle Scholar
  33. 33.
    Melicher, W., Sharif, M., Tan, J., Bauer, L., Christodorescu, M., Leon, P. G.: (Do Not) Track me sometimes: users’ contextual preferences for Web tracking. In: Privacy Enhancing Technologies, (2), pp. 135–154 (2016)Google Scholar
  34. 34.
    Orito, Y., Murata, K.: Privacy protection in Japan: cultural influence on the universal value. Electronic proceedings of Ethicomp. 5, (2005)Google Scholar
  35. 35.
    Rissanen, E.: extensible access control markup language (xacml) version 3.0. OASIS standard, 22 (2013) Accessed 22 April 2018
  36. 36.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer. 29(2), 38–47 (1996)CrossRefGoogle Scholar
  37. 37.
    Schaub, F., Marella, A., Kalvani, P., Ur, B., Pan, C., Forney, E., Cranor, L.F.: Watching them Watching me: Browser Extensions’ Impact on User Privacy Awareness and Concern. In: NDSS Workshop on Usable Security (2016)Google Scholar
  38. 38.
    Smutný, P.: Mobile development tools and cross-platform solutions. In: Carpathian Control Conference, pp. 653–656 (2012)Google Scholar
  39. 39.
    Sweeney, L.: k-anonymity: A model for protecting privacy. Int. Journal of Uncertainty, Fuzziness and Knowledge-Based Syst. 10(05), 557–570 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  40. 40.
    Tucker, C.E.: Social networks, personalized advertising, and privacy controls. J. Mark. Res. 51(5), 546–562 (2014)CrossRefGoogle Scholar
  41. 41.
    Voss, W. G.: European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting (2017)Google Scholar
  42. 42.
    Yang, J., Zhu, Z., Seiter, J., Tröster, G.: Informative yet unrevealing: Semantic obfuscation for location based services. In: 2nd Workshop on Privacy in Geographic Information Collection and Analysis, vol. 4, (2015)Google Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.University of CyprusAglantziaCyprus

Personalised recommendations