RuleKeeper: GDPR-Aware Personal Data Compliance for Web Frameworks

Pressured by regulations such as the EU GDPR, online services must publish a personal data protection policy declaring the types and purposes of the personal data they collect, and must then enforce that policy strictly according to the consent decisions made by their users. Because there is little system-level support for this, obtaining strong guarantees of policy enforcement is hard, leaving the door open for software bugs and vulnerabilities to cause GDPR compliance violations. We present RuleKeeper, a GDPR-aware personal data policy compliance system for web development frameworks. Currently ported to the MERN stack, RuleKeeper lets web developers specify a GDPR manifest from which the data protection policy of the web application is automatically generated and then transparently enforced through static code analysis and runtime access control mechanisms. GDPR compliance is checked in a cross-cutting manner that requires few changes to the application code. We used our prototype implementation to evaluate RuleKeeper on four real-world applications. Our system can model realistic GDPR data protection requirements, adds modest performance overhead to the web application, and can detect GDPR violation bugs.
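The manifest-to-policy pipeline and the two enforcement points the abstract describes (a static code check and runtime access control), as an added JavaScript illustration that is not RuleKeeper's own code. The manifest format, field names, purposes, consent records and route table below are hypothetical and constructed for this example. The policy is derived from the manifest, a runtime check gates each field read on the declared purpose and the user's recorded opt-in consent, and a manifest-level check over a route table stands in for the static pass.

```javascript
// Added example (not RuleKeeper's code): purpose- and consent-based access
// control for personal data in a Node.js service. Everything below
// (manifest format, fields, purposes, consent store, routes) is constructed.

// Hypothetical GDPR manifest: which personal-data fields the app collects
// and the purposes each field may be processed for.
const manifest = {
  fields: {
    email:    ['account', 'marketing'],
    address:  ['shipping'],
    birthday: ['marketing'],
  },
  // Purposes that need the user's explicit opt-in; the rest are treated as
  // necessary for the service the user signed up for.
  optIn: ['marketing'],
};

// Policy derived from the manifest: field -> Set of declared purposes.
function buildPolicy(m) {
  const policy = new Map();
  for (const [field, purposes] of Object.entries(m.fields)) {
    policy.set(field, new Set(purposes));
  }
  return policy;
}

// Constructed consent store: user id -> Set of opt-in purposes consented to.
const consents = new Map([
  ['u1', new Set(['marketing'])],
  ['u2', new Set()],
]);

function hasConsent(userId, purpose) {
  if (!manifest.optIn.includes(purpose)) return true; // no opt-in required
  const c = consents.get(userId);
  return c !== undefined && c.has(purpose);
}

// Runtime check at the data-access layer: may `fields` of this user's
// record be read for `purpose`? Denied fields carry a reason so a violation
// is explained rather than silently dropped.
function authorizeAccess(policy, userId, purpose, fields) {
  const denied = [];
  for (const field of fields) {
    const declared = policy.get(field);
    if (!declared) {
      denied.push({ field, reason: 'undeclared field' });
    } else if (!declared.has(purpose)) {
      denied.push({ field, reason: 'purpose not declared' });
    } else if (!hasConsent(userId, purpose)) {
      denied.push({ field, reason: 'no consent' });
    }
  }
  return { allowed: denied.length === 0, denied };
}

// Default-deny projection: keep only fields the policy and the user's consent
// allow for this purpose. Unknown fields are dropped too, so a column added
// to the schema cannot leak until the manifest declares it.
function redact(policy, userId, purpose, record) {
  const out = {};
  for (const [field, value] of Object.entries(record)) {
    if (authorizeAccess(policy, userId, purpose, [field]).allowed) out[field] = value;
  }
  return out;
}

// Static, manifest-level check over the app's route table: every field a
// handler reads must be declared for that handler's purpose. This flags
// purpose creep before the code runs against real user data.
function checkRoutes(policy, routes) {
  const violations = [];
  for (const r of routes) {
    for (const field of r.reads) {
      const declared = policy.get(field);
      if (!declared || !declared.has(r.purpose)) {
        violations.push({ path: r.path, field, purpose: r.purpose });
      }
    }
  }
  return violations;
}

const policy = buildPolicy(manifest);

// Constructed route table; the /label handler reads a field (email) that the
// manifest never declared for the 'shipping' purpose.
const routes = [
  { path: '/checkout',   purpose: 'shipping',  reads: ['address'] },
  { path: '/newsletter', purpose: 'marketing', reads: ['email', 'birthday'] },
  { path: '/label',      purpose: 'shipping',  reads: ['address', 'email'] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('static violations:', checkRoutes(policy, routes));
  console.log('u2 marketing view:', redact(policy, 'u2', 'marketing',
    { email: 'a@example.test', birthday: '1990-01-01', address: '1 Main St' }));
}
```

The runtime check and the static check share one policy object, which is the property that matters: a field the manifest does not declare for a purpose is rejected by both, and a user who has not opted in is cut off at read time even when the code path itself is declared correctly.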
