DOI: 10.1145/3538969.3539003
Short paper, open access

Assessing discrepancies between network traffic and privacy policies of public sector web services

Published: 23 August 2022

Abstract

Online services are increasingly being used to complete everyday tasks, and ordinary users with very little technical knowledge have learned to use web services and applications. At the same time, many user applications are gradually moving from the traditional desktop environment to the web. Because of these developments, it is not surprising that user privacy has become a very important consideration when developing web services. In the current study, we assess the privacy of 34 web services provided and maintained by Finnish public sector bodies. We perform a network traffic analysis in order to find out what kind of personal data the studied services deliver to third party analytics services. We then take a look at the privacy policy documents of these web services and gauge their transparency and clarity by comparing their contents to the actual network data sent out by the web services. Our findings reveal numerous inconsistencies between what is said about handling personal data in the analyzed privacy policies and the actual traffic of the studied web services. Another prominent finding is the sheer amount of analytics services employed by the studied websites. We conclude that there is still an obvious need for web developers and public sector bodies to improve their awareness of existing privacy regulations and personal information their online services deliver to third parties. A lot of work also remains to be done in clearly and transparently communicating privacy-related matters to users.

    Published In

    ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
    August 2022
    1371 pages
    ISBN:9781450396707
    DOI:10.1145/3538969
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Web service privacy
    2. network traffic analysis
    3. personal data
    4. privacy policies

    Qualifiers

    • Short-paper
    • Research
    • Refereed limited

    Conference

    ARES 2022

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%

    Cited By

    • (2024) Analysis of Third-Party Data Leaks on Finnish Mental Health Websites. 2024 47th MIPRO ICT and Electronics Convention (MIPRO) (1543-1548). DOI: 10.1109/MIPRO60963.2024.10569215. Online publication date: 20-May-2024
    • (2024) Fair Data is the New Black: Online Shopping, Data Leaks, and Broadening the Understanding of Sustainable Fashion. Fashion Theory 28:3 (305-333). DOI: 10.1080/1362704X.2024.2339251. Online publication date: 26-Apr-2024
    • (2024) Analyzing third-party data leaks on online pharmacy websites. Health and Technology 14:2 (375-392). DOI: 10.1007/s12553-024-00819-w. Online publication date: 3-Feb-2024
    • (2024) Third-Party Data Leaks on Municipal Websites. Proceedings of Ninth International Congress on Information and Communication Technology (599-610). DOI: 10.1007/978-981-97-3289-0_48. Online publication date: 2-Aug-2024
    • (2024) Leaky Democracy: Third Parties in Voting Advice Applications. Smart Trends in Computing and Communications (351-360). DOI: 10.1007/978-981-97-1313-4_30. Online publication date: 2-Jun-2024
    • (2024) Third-Party Data Leaks in the Websites of Finnish Social and Healthcare Districts. Good Practices and New Perspectives in Information Systems and Technologies (139-152). DOI: 10.1007/978-3-031-60215-3_14. Online publication date: 11-May-2024
    • (2024) Several Online Pharmacies Leak Sensitive Health Data to Third Parties. Information Systems and Technologies (164-175). DOI: 10.1007/978-3-031-45642-8_16. Online publication date: 16-Feb-2024
    • (2023) Data leaks to third parties in web services for vulnerable groups. 2023 46th MIPRO ICT and Electronics Convention (MIPRO) (1208-1212). DOI: 10.23919/MIPRO57284.2023.10159942. Online publication date: 22-May-2023
    • (2023) Lessons learned from studying third-party data leaks in web services. Proceedings of the 2023 8th International Conference on Information Systems Engineering (125-129). DOI: 10.1145/3641032.3641043. Online publication date: 16-Dec-2023
    • (2023) Third-party services as a privacy threat on university websites. Proceedings of the 24th International Conference on Computer Systems and Technologies (134-138). DOI: 10.1145/3606305.3606335. Online publication date: 16-Jun-2023
