The paper “Automating Cookie Consent and GDPR Violation Detection” by Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin received the Distinguished Artifact Award at USENIX Security 2022. Congratulations!
The European Union’s General Data Protection Regulation (GDPR) requires websites to inform users about personal data collection and to request consent before setting cookies. Yet the majority of websites do not give users any choice, and others attempt to deceive them into accepting all cookies. The paper’s authors document the severity of this situation through an analysis of potential GDPR violations in the cookie banners of almost 30k websites. They identify six novel violation types, such as incorrect category assignments and misleading expiration times, and they find at least one potential violation in a surprising 94.7% of the analyzed websites.
The authors address this issue by giving users the power to protect their privacy themselves. They develop a browser extension, called CookieBlock, that uses machine learning to enforce GDPR cookie consent on the client side. It automatically categorizes cookies by usage purpose using only the information carried by the cookie itself. At a mean validation accuracy of 84.4%, their model attains a prediction quality competitive with expert knowledge in the field. Unlike prior work, their approach does not rely on the cooperation of the websites themselves. The four authors empirically evaluate CookieBlock on a set of 100 randomly sampled websites, on which it filters roughly 90% of the privacy-invasive cookies without significantly impairing website functionality.
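The two ideas above, classifying a cookie from its own attributes and then enforcing the user's consent on the client, and comparing what a banner declares against what the site actually sets, can be sketched in a few dozen lines. The following Python is an added illustration, not code from the paper or from the CookieBlock extension: the feature set, the hand-written rules standing in for the trained model, the four purpose labels, the `slack` factor in the expiration check, and every cookie and declared value are constructed assumptions.

```python
"""Illustration of client-side cookie-purpose classification, consent enforcement and
declared-vs-observed violation checks. Added example; not CookieBlock's implementation."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed purpose labels, typical of consent banners (not the paper's exact label set).
NECESSARY, FUNCTIONAL, ANALYTICS, ADVERTISING = "necessary", "functional", "analytics", "advertising"


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    path: str
    max_age: Optional[int]   # lifetime in seconds; None means a session cookie
    http_only: bool
    secure: bool
    value: str


def value_entropy(value: str) -> float:
    """Shannon entropy (bits per character) of the value; identifiers tend to be high-entropy."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_third_party(cookie_domain: str, site: str) -> bool:
    """True when the cookie's domain is neither the site nor one of its parent domains."""
    d = cookie_domain.lstrip(".")
    return not (d == site or site.endswith("." + d))


def features(c: Cookie, site: str) -> Dict[str, float]:
    """Numeric features computed from the cookie alone (hypothetical feature set)."""
    return {
        "is_session": float(c.max_age is None),
        "lifetime_days": 0.0 if c.max_age is None else c.max_age / 86400,
        "http_only": float(c.http_only),
        "secure": float(c.secure),
        "value_len": float(len(c.value)),
        "value_entropy": value_entropy(c.value),
        "third_party": float(is_third_party(c.domain, site)),
    }


def predict_category(c: Cookie, site: str) -> str:
    """Stand-in for the trained classifier: hand-written rules with made-up thresholds."""
    f = features(c, site)
    if f["is_session"] and f["http_only"]:
        return NECESSARY        # short-lived and script-inaccessible: looks like a login session
    if f["third_party"] and f["lifetime_days"] >= 90 and f["value_entropy"] > 2.5:
        return ADVERTISING      # long-lived, cross-site, identifier-like value
    if f["lifetime_days"] >= 30 and f["value_entropy"] > 2.5:
        return ANALYTICS        # long-lived first-party identifier
    return FUNCTIONAL


def enforce_consent(cookies: List[Cookie], site: str, consent: Dict[str, bool]) -> List[Cookie]:
    """Client-side enforcement: keep only cookies whose predicted purpose the user accepted.
    Necessary cookies are always kept; no cooperation from the website is needed."""
    return [c for c in cookies
            if predict_category(c, site) == NECESSARY or consent.get(predict_category(c, site), False)]


def expiry_violations(declared: Dict[str, Tuple[str, float]], cookies: List[Cookie], slack: float = 1.5) -> List[str]:
    """One way to check for 'misleading expiration times' (assumed heuristic): flag cookies whose
    observed lifetime exceeds the lifetime declared in the banner by more than `slack` times."""
    flagged = []
    for c in cookies:
        if c.name not in declared or c.max_age is None:
            continue
        _, declared_days = declared[c.name]
        if c.max_age / 86400 > declared_days * slack:
            flagged.append(c.name)
    return flagged


def category_mismatches(declared: Dict[str, Tuple[str, float]], cookies: List[Cookie], site: str) -> List[str]:
    """One way to check for 'incorrect category assignments': declared purpose differs from the predicted one."""
    return [c.name for c in cookies
            if c.name in declared and declared[c.name][0] != predict_category(c, site)]


# Constructed sample data: a site, the cookies it set, and what its banner declared about them.
SITE = "example.com"
SAMPLE = [
    Cookie("sessionid", "example.com", "/", None, True, True, "k9f2m4p8"),
    Cookie("theme", "example.com", "/", 365 * 86400, False, False, "dark"),
    Cookie("_ana", "example.com", "/", 400 * 86400, False, True, "a3f9c27e11d04b6e8f5c2d9a7b1e0c4f"),
    Cookie("_ad", ".tracker.example", "/", 730 * 86400, False, True, "0e4d7a1b9c3f6285ab4e7d1c0f9b2a63"),
]
DECLARED = {  # name -> (declared category, declared lifetime in days)
    "sessionid": (NECESSARY, 0),
    "theme": (FUNCTIONAL, 365),
    "_ana": (ANALYTICS, 30),       # declared 30 days, actually set for 400
    "_ad": (FUNCTIONAL, 730),      # declared functional, behaves like an advertising identifier
}

if __name__ == "__main__":
    print("kept:", [c.name for c in enforce_consent(SAMPLE, SITE, {FUNCTIONAL: True})])
    print("expiry violations:", expiry_violations(DECLARED, SAMPLE))
    print("category mismatches:", category_mismatches(DECLARED, SAMPLE, SITE))
```

Run stand-alone, the enforcement step keeps only the session and theme cookies for a user who accepted functional cookies, and the two audit checks flag `_ana` for its expiration and `_ad` for its category. The point of the design is that every decision is made from attributes the browser already has, so a mislabelled or undeclared cookie is still blocked or flagged.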
Read the whole paper here.