ABSTRACT
Pressured by existing regulations such as the EU GDPR, online services must advertise a personal data protection policy declaring the types and purposes of collected personal data, which must then be strictly enforced as per the consent decisions made by the users. However, due to the lack of system-level support, obtaining strong guarantees of policy enforcement is hard, leaving the door open for software bugs and vulnerabilities to cause GDPR-compliance violations. We present ongoing work on building a GDPR-aware personal data policy compliance system for web development frameworks. Currently prototyped for the MERN framework, our system allows web developers to specify a GDPR manifest from which the data protection policy of the web application is automatically generated and is transparently enforced through static code analysis and runtime access control mechanisms. GDPR compliance is checked in a cross-cutting manner requiring few changes to the application code. We evaluate our prototype with four real-world applications. Our system can model realistic GDPR data protection requirements, adds modest performance overheads to the web application, and can detect GDPR violation bugs.
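To make the manifest-driven approach concrete, here is an added example (not code from the poster or its prototype) that derives a purpose-to-data policy from a manifest and applies a consent-gated, default-deny field filter at read time. The manifest schema and the names `generatePolicy` and `enforce` are assumptions, and the sample record is constructed.

```javascript
// Hypothetical manifest (constructed): the poster does not publish its schema.
const manifest = {
  collection: "users",
  fields: {
    email:     { personal: true,  purposes: ["account", "marketing"] },
    birthDate: { personal: true,  purposes: ["analytics"] },
    nickname:  { personal: false, purposes: [] },
  },
};

// Derive the advertised policy: purpose -> personal fields collected for it.
function generatePolicy(m) {
  const policy = {};
  for (const [field, spec] of Object.entries(m.fields)) {
    if (!spec.personal) continue;
    for (const p of spec.purposes) (policy[p] = policy[p] || []).push(field);
  }
  return policy;
}

// Runtime check: release a personal field only if the manifest declares it
// for the requested purpose AND the data subject consented to that purpose.
// Fields missing from the manifest are denied, so an undeclared field added
// by a later code change cannot leak silently.
function enforce(m, doc, purpose, consents) {
  const data = {};
  const denied = [];
  for (const [field, value] of Object.entries(doc)) {
    const declared = Object.prototype.hasOwnProperty.call(m.fields, field);
    const spec = declared ? m.fields[field] : null;
    if (!spec) { denied.push(field); continue; }          // default deny
    if (!spec.personal) { data[field] = value; continue; } // not personal data
    const ok = spec.purposes.includes(purpose) && consents.includes(purpose);
    if (ok) data[field] = value; else denied.push(field);
  }
  return { data, denied };
}

// Constructed sample: "ssn" is stored but never declared in the manifest.
const user = { email: "a@example.org", birthDate: "1990-01-01", nickname: "al", ssn: "000" };
const accountView = enforce(manifest, user, "account", ["account"]);
console.log(generatePolicy(manifest), accountView);
```

The `denied` list is what a compliance check would log or fail on: a non-empty entry for an undeclared field points at a gap between the manifest and the code.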
Index Terms
- Poster: A Systems Approach to GDPR Compliance-by-Design in Web Development Stacks