Ben Stock (CISPA)

Failing Content Security Policy? Learning from its past to improve its future

Content Security Policy has been around for 10 years and still only a fraction of sites on the Web leverage its full potential to mitigate XSS and other flaws. In this talk, we will analyze the evolution of CSP over time and how sites could leverage it to secure against three attack classes. This is based on our NDSS 2020 paper (https://swag.cispa.saarland/papers/roth2020csp.pdf), which sheds light on the usage of CSP on 10,000 sites over a period of six years. Furthermore, we discuss insights on technical roadblocks of CSP (NDSS 2021, https://swag.cispa.saarland/papers/steffens2021blockparty.pdf), which shows that CSP's success is in large part blocked by third parties. Finally, we will discuss our most recent work on (un)usability aspects and fundamental roadblocks for developers (CCS 2021, https://swag.cispa.saarland/papers/roth2021usable.pdf).

Florian Kerschbaum (University of Waterloo)

Security and Privacy in Data Science

Data science is the process from the collection of data to the use of new insights gained from this data. It is at the core of the big data and machine learning revolution fueling the digitization of our economy. The integration of data science and machine learning into digital and cyber-physical processes, and the often sensitive nature of the personally identifiable data used in the process, expose the data science process to security and privacy threats. In this talk I will review three exemplary security and privacy problems in different phases of the data science lifecycle and show potential countermeasures. First, I will show how to enhance the privacy of data collection using secure multi-party computation and differential privacy. Second, I will show how to protect data outsourced to a cloud database system and still perform efficient queries using keyword PIR and homomorphic encryption. Last, I will show that differential privacy does…

Nataliia Bielova (Inria)

Protecting Privacy of Web Users: Technical and Legal Perspectives

As millions of users browse the Web on a daily basis, their data is continuously collected by numerous companies and agencies with the help of Web tracking technologies. Website owners, however, need to become compliant with recent EU privacy regulations (such as GDPR and ePrivacy) and often rely on consent banners to either inform users or collect their consent to tracking. In this talk, I discuss our recent research in Web tracking and analysis of consent banners from three dimensions:
1) measurement: detection of Web tracking technologies and analysis of consent banners;
2) compliance: multi-disciplinary discussion with legal scholars about potential violations of GDPR and ePrivacy in the discovered practices, and with design scholars about the manipulative tactics in consent banners and their legality;
3) evidence tools: our recent efforts in building browser extensions and evaluating user studies about consent banners for the regulator.
Finally, we present the impact of our work and underline the need for multi-disciplinary research in the area of Web privacy.