Abstract
Different service providers on the Web formulate their privacy policies based on their business scope. However, the progress of HTML5 has largely facilitated the acquisition of user-relevant data via Web browsers (e.g. location, device battery level, network information). Users can give their consent on the use of this sensitive information, but should have the right to express their privacy preferences, so that Web applications can adapt themselves accordingly. In this work, we address the above by specifying a privacy preferences language for users tailored to HTML5 Web applications employing the eXtensible Access Control Markup Language, whereas we introduce a mechanism that adapts the Web application considering these user preferences. Our approach does not rely on complex structures allowing the easy specification of the policies and the context of its use utilizing a browser installed extension mechanism. We describe the process followed for the creation of the privacy preferences, the process of application adaptation and the benefits this approach provides to end-users via a demonstration and evaluation of the use of the extension.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
References
Achilleos, A.P., Kapitsaki, G.M.: Enabling cross-platform mobile application development: a context-aware middleware. In: International Conference on Web Information Systems Engineering, pp. 304–318 (2014)
Aggarwal, G., Bursztein, E., Jackson, C., Boneh, D.: An analysis of private browsing modes in modern browsers. In: 19th USENIX Conference on Security, pp. 6–6 (2010)
Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: An XPath-based preference language for P3P. In: 12th international Conference on World Wide Web, pp. 629–639 (2003)
Andrés, M.E., Bordenabe, N.E., Chatzikokolakis, K., Palamidessi, C.: Geo-indistinguishability: Differential privacy for location-based systems. In: 2013 ACM SIGSAC conference on Computer & communications security, pp. 901–914 (2013)
Ardagna, C., Bussard, L., De Capitani Di Vimercati, S., Neven, G., Pedrini, E., Paraboschi, S., Preiss, F., Samarati, P., Trabelsi, S., Verdicchio, M.: Primelife Policy Language. In: W3C Workshop on Access Control Application Scenarios (2009)
Ardagna, C.A., Cremonini, M., di Vimercati, S.D.C., Samarati, P.: An obfuscation-based approach for protecting location privacy. IEEE Trans. on Dependable and Secure Comp. 8(1), 13–27 (2011)
Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL). IBM Research. (2003)
Bagüés, S.A., Zeidler, A., Valdivielso, C.F., Matias, I.R.: Towards personal privacy control. In: OTM Confederated International Conference "On the Move to Meaningful Internet Systems", pp. 886–895 (2007)
Bandhakavi, S., King, S.T., Madhusudan, P., Winslett, M.: VEX: vetting browser extensions for security vulnerabilities. In: USENIX Security Symposium, vol. 10, pp. 339–354 (2010)
Behrooz, A., Devlic, A.: A context-aware privacy policy language for controlling access to context information of mobile users. In: International Conference on Secure and Privacy in Mobile Information and Communication Systems, pp. 25–39 (2011)
Beresford, A.R., Rice, A., Skehin, N., Sohan, R.: Mockdroid: trading privacy for application functionality on smartphones. In: 12th workshop on mobile computing systems and applications, pp. 49–54 (2011)
Boyce, B.: Emerging technology and the health insurance portability and accountability act. J. Acad. Nutr. Diet. 117(4), 517–518 (2017)
Brush, A.J., Krumm, J., Scott, J.: Exploring end user preferences for location obfuscation, location-based services, and the value of location. In: 12th ACM international conference on Ubiquitous computing, pp. 95–104 (2010)
Cavoukian, A.: Privacy by design. Take the challenge. Information and privacy commissioner of Ontario. https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-implement-7found-principles.pdf (2009). Accessed 22 April 2018
Cranor, L.: Web Privacy with P3P. O'Reilly Media, Inc (2002)
Cranor, L., Langheinrich, M., Marchiori, M.: A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C, (2002)
Devlic, A., Reichle, R., Wagner, M., Pinheiro, M.K., Vanrompay, Y., Berbers, Y., Valla, M.: Context inference of users' social relationships and distributed policy management. In: IEEE International Conference on Pervasive Computing and Communications, pp. 1–8 (2009)
Diaz, C., Olejnik, L., Acar, G., Casteluccia, C.: The leaking battery: a privacy analysis of the html5 battery status api. In Lecture Notes in Comp. Sc. 9481, 254–263 (2015)
Duckham, M., Kulik, L.: A formal model of obfuscation and negotiation for location privacy. In: International conference on pervasive computing, pp. 152–170 (2005)
Ghosh, D., Joshi, A., Finin, T., Jagtap, P.: Privacy control in smart phones using semantically rich reasoning and context modeling. In: 2012 IEEE symposium on Security and privacy workshops, pp. 82–85 (2012)
Henne, B., Kater, C., Smith, M., Brenner, M.: Selective cloaking: Need-to-know for location-based apps. In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust, pp. 19–26 (2013)
Hu, V.C., Kuhn, D.R., Ferraiolo, D.F.: Attribute-based access control. Computer. 48(2), 85–88 (2015)
Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on html5-based mobile apps: Characterization, detection and mitigation. In: 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 66–77 (2014)
Kapitsaki, G.M.: Reflecting user privacy preferences in context-aware Web services. In: 2013 IEEE 20th International Conference on Web Services, pp. 123–130 (2013)
Kapitsaki, G.M., Charalambous, T.: PrivacySafer: Privacy Adaptation for HTML5 Web Applications. In: International Conference on Web Information Systems Engineering, pp. 247–262 (2017)
Kapitsaki, G.M., Venieris, I.S.: PCP: privacy-aware context profile towards context-aware application development. In: 10th International Conference on Information Integration and Web-based Applications & Services, pp. 104–110 (2008)
Karjoth, G., Schunter, M., Waidner, M.: Privacy-enabled services for enterprises. In: IEEE 13th Int. Workshop on Databases and Expert Systems Applications, pp. 483–487 (2002)
Kobsa, A.: Privacy-enhanced Web personalization. In: The adaptive Web, pp. 628–670 (2007)
Krumm, J.: A survey of computational location privacy. Pers. Ubiquit. Comput. 13(6), 391–399 (2009)
Leon, P., Ur, B., Shay, R., Wang, Y., Balebako, R., Cranor, L.: Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 589–598 (2012)
Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First experiences using XACML for access control in distributed systems. In: 2003 ACM workshop on XML security, pp. 25–37 (2003)
Lu, R., Lin, X., Shen, X.: SPOC: a secure and privacy-preserving opportunistic computing framework for mobile-healthcare emergency. IEEE Trans. on Parallel and Distributed Syst. 24(3), 614–624 (2013)
Melicher, W., Sharif, M., Tan, J., Bauer, L., Christodorescu, M., Leon, P. G.: (Do Not) Track me sometimes: users’ contextual preferences for Web tracking. In: Privacy Enhancing Technologies, (2), pp. 135–154 (2016)
Orito, Y., Murata, K.: Privacy protection in Japan: cultural influence on the universal value. Electronic proceedings of Ethicomp. 5, (2005)
Rissanen, E.: extensible access control markup language (xacml) version 3.0. OASIS standard, 22 http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047283 (2013) Accessed 22 April 2018
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer. 29(2), 38–47 (1996)
Schaub, F., Marella, A., Kalvani, P., Ur, B., Pan, C., Forney, E., Cranor, L.F.: Watching them Watching me: Browser Extensions’ Impact on User Privacy Awareness and Concern. In: NDSS Workshop on Usable Security (2016)
Smutný, P.: Mobile development tools and cross-platform solutions. In: Carpathian Control Conference, pp. 653–656 (2012)
Sweeney, L.: k-anonymity: A model for protecting privacy. Int. Journal of Uncertainty, Fuzziness and Knowledge-Based Syst. 10(05), 557–570 (2002)
Tucker, C.E.: Social networks, personalized advertising, and privacy controls. J. Mark. Res. 51(5), 546–562 (2014)
Voss, W. G.: European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting (2017)
Yang, J., Zhu, Z., Seiter, J., Tröster, G.: Informative yet unrevealing: Semantic obfuscation for location based services. In: 2nd Workshop on Privacy in Geographic Information Collection and Analysis, vol. 4, (2015)
Acknowledgements
This work was partially funded by the European Community CEF-TC-2015-1 Safer Internet (grant agreement number INEA/CEF/IC-T/A2015/1152069) CYberSafety (http://www.cybersafety.cy/) project. The authors would like to thank Kyriakos Kyriakou for his insight on the source code and are grateful to the anonymous reviewers for their constructive comments.
Author information
Authors and Affiliations
Corresponding author
Additional information
This article belongs to the Topical Collection: Special Issue on Web Information Systems Engineering 2017
Guest Editors: Lu Chen and Yunjun Gao
Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Kapitsaki, G.M., Charalambous, T. Adapting HTML5 Web applications to user privacy preferences. World Wide Web 22, 2041–2062 (2019). https://doi.org/10.1007/s11280-018-0628-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11280-018-0628-4