Adapting HTML5 Web applications to user privacy preferences

Abstract

Different service providers on the Web formulate their privacy policies based on their business scope. However, the progress of HTML5 has made it much easier to acquire user-relevant data via Web browsers (e.g. location, device battery level, network information). Users can give their consent to the use of this sensitive information, but should also have the right to express their privacy preferences, so that Web applications can adapt themselves accordingly. In this work, we address this by specifying a privacy preferences language for users, tailored to HTML5 Web applications and based on the eXtensible Access Control Markup Language (XACML), and we introduce a mechanism that adapts the Web application to these user preferences. Our approach does not rely on complex structures, which allows easy specification of the policies and of the context of their use through a mechanism installed as a browser extension. We describe the process followed for creating the privacy preferences, the process of application adaptation, and the benefits this approach provides to end-users, via a demonstration and evaluation of the extension.

Notes

  1. https://adblockplus.org
  2. http://www.abine.com
  3. https://disconnect.me
  4. https://www.ghostery.com
  5. https://www.eff.org/privacybadger
  6. https://addons.mozilla.org/el/firefox/addon/lightbeam
  7. https://github.com/chatziko/location-guard
  8. https://addons.mozilla.org/en-US/firefox/addon/fake-location
  9. https://groups.google.com/forum/#!msg/mozilla.dev.platform/5U8NHoUY-1k/9ybyzQIYCAAJ
  10. https://github.com/CS-UCY-SEIT-lab/PrivacySafer-policy/blob/master/html5-data-taxonomy-1.0.owl
  11. https://github.com/CS-UCY-SEIT-lab/privacy-safer-policy
  12. http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html
  13. https://stackoverflow.com/questions/10604417/does-mobile-google-chrome-support-browser-extensions
  14. http://privacysafer.cs.ucy.ac.cy/
  15. https://github.com/CS-UCY-SEIT-lab/PrivacySafer-chrome-firefox
  16. https://github.com/CS-UCY-SEIT-lab/PrivacySafer-mozilla-add-on
  17. https://whatismyipaddress.com
  18. https://developer.mozilla.org/en-US/Add-ons/WebExtensions
  19. https://bugs.chromium.org/p/chromium/issues/detail?id=520765

Acknowledgements

This work was partially funded by the European Community CEF-TC-2015-1 Safer Internet (grant agreement number INEA/CEF/IC-T/A2015/1152069) CYberSafety (http://www.cybersafety.cy/) project. The authors would like to thank Kyriakos Kyriakou for his insight on the source code and are grateful to the anonymous reviewers for their constructive comments.

Author information

Correspondence to Georgia M. Kapitsaki.

Additional information

This article belongs to the Topical Collection: Special Issue on Web Information Systems Engineering 2017

Guest Editors: Lu Chen and Yunjun Gao

About this article

Cite this article

Kapitsaki, G.M., Charalambous, T. Adapting HTML5 Web applications to user privacy preferences. World Wide Web 22, 2041–2062 (2019). https://doi.org/10.1007/s11280-018-0628-4

Keywords

  • Privacy protection
  • Privacy policies
  • HTML5
  • Web applications
  • User data