DOI: 10.1145/3411497.3420224

Standardizing and Implementing Do Not Sell

Published: 09 November 2020

Abstract

The California Consumer Privacy Act gives consumers the right to request that businesses do not sell their personal information. "Selling" is defined broadly and covers, among others, making personal information available to ad networks on websites via third-party cookies. We began standardizing and implementing Do Not Sell technologies with the goal of integrating Do Not Sell directly into browser settings. Based on OptMeowt, our proof-of-concept Do Not Sell browser extension, we conduct experiments on the design, implementation, and current state of Do Not Sell. OptMeowt automatically places Do Not Sell cookies on visited sites and sends Do Not Sell headers per our draft standard. We believe that standardizing Do Not Sell provides an important building block for evolving the web towards increased privacy protections.

Published In

WPES'20: Proceedings of the 19th Workshop on Privacy in the Electronic Society
November 2020
212 pages
ISBN: 9781450380867
DOI: 10.1145/3411497
  • General Chairs: Jay Ligatti, Xinming Ou
  • Program Chairs: Wouter Lueks, Paul Syverson
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ad tracking
  2. ccpa
  3. cpra
  4. dnt
  5. do not sell
  6. do not track
  7. online tracking
  8. privacy rights
  9. web privacy

Qualifiers

  • Short-paper

Funding Sources

  • Wesleyan University
  • Wesleyan University Department of Mathematics and Computer Science
  • Anil Fernando Endowment

Conference

CCS '20
Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%

  • Downloads (Last 12 months): 20
  • Downloads (Last 6 weeks): 1
Reflects downloads up to 23 Nov 2024

Cited By

  • (2024) SoK: Technical Implementation and Human Impact of Internet Privacy Regulations. 2024 IEEE Symposium on Security and Privacy (SP), 673-696. DOI: 10.1109/SP54263.2024.00206. Online publication date: 19-May-2024
  • (2024) Personal data filtering: a systematic literature review comparing the effectiveness of XSS attacks in web applications vs cookie stealing. Annals of Telecommunications. DOI: 10.1007/s12243-024-01022-8. Online publication date: 18-Apr-2024
  • (2023) DarkDialogs: Automated detection of 10 dark patterns on cookie dialogs. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), 847-867. DOI: 10.1109/EuroSP57164.2023.00055. Online publication date: Jul-2023
  • (2022) Data Protection and Consenting Communication Mechanisms: Current Open Proposals and Challenges. 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 231-239. DOI: 10.1109/EuroSPW55150.2022.00029. Online publication date: Jun-2022
  • (2021) The Impact of Social Media On HCI. 2021 International Conference on Computational Science and Computational Intelligence (CSCI), 1421-1431. DOI: 10.1109/CSCI54926.2021.00284. Online publication date: Dec-2021
