Abstract
Browser extensions have emerged as integrated characteristics in modern browsers, with the aim to boost the online browsing experience. Their advantageous position between a user and the Internet endows them with easy access to the user's sensitive data, which has raised mounting privacy concerns from both legislators and extension users. In this work, we propose an end-to-end approach to automatically diagnosing the privacy compliance violations among extensions. It analyzes the compliance of privacy policy versus regulation requirements and their actual privacy-related practices during runtime. This approach can serve the extension users, developers and store operators as an efficient and practical detection mechanism for privacy compliance violations. Our approach utilizes the state-of-the-art language processing model BERT for annotating the policy texts, and a hybrid technique to analyze an extension's source code and runtime behavior. To facilitate the model training, we construct a corpus named PrivAud-100 which contains 100 manually annotated privacy policies. Our large-scale diagnostic evaluation reveals that the vast majority of existing extensions suffer from privacy non-compliance issues. Around 92% of them have at least one violation of either their privacy policies or data collection practices. Based on our findings, we further propose an index to facilitate the filtering and identification of privacy-incompliant extensions with high accuracy (over 90%). Our work should raise the awareness of extension users, service providers, and platform operators, and encourage them to implement solutions toward better privacy compliance. To facilitate future research in this area, we have released our dataset, corpus and analyzer. © 2022 Owner/Author.
| Original language | English |
|---|---|
| Title of host publication | ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering |
| Place of Publication | New York, NY |
| Publisher | Association for Computing Machinery |
| Number of pages | 12 |
| ISBN (Print) | 9781450394758 |
| Publication status | Published - Oct 2022 |
| Externally published | Yes |
| Event | 37th IEEE/ACM International Conference on Automated Software Engineering (ASE 2022) - Oakland Center, Rochester, United States Duration: 10 Oct 2022 → 14 Oct 2022 https://conf.researchr.org/home/ase-2022 |
Publication series
| Name | ACM International Conference Proceeding Series |
|---|---|
Conference
| Conference | 37th IEEE/ACM International Conference on Automated Software Engineering (ASE 2022) |
|---|---|
| Abbreviated title | ASE '22 |
| Place | United States |
| City | Rochester |
| Period | 10/10/22 → 14/10/22 |
Funding
This research is supported by Singapore Ministry of Education Academic Research Fund Tier 3 under MOE’s official grant number MOE2017-T3-1-007. This research is also supported by the University of Queensland under Global Strategy and Partnerships Seed Funding and the NSRSG grant 4018264-617225, National Key R&D Program of China (2021YFB2701000), the National Natural Science Foundation of China (grant No. 62072046), and the Fundamental Research Funds for the Central Universities (HUST 3004129109).
Publisher's Copyright Statement
- This full text is made available under CC-BY-NC 4.0. https://creativecommons.org/licenses/by-nc/4.0/
Fingerprint
Dive into the research topics of 'Are they Toeing the Line? Diagnosing Privacy Compliance Violations among Browser Extensions'. Together they form a unique fingerprint.