Cookies, GDPR and Dark patterns : Effect on consumer privacy

Liljedahl Hildebrand, Teodor, Nyquist, Filip

January 2021

The European General Data Protection Regulation has changed how users interact with cookie notices online. The rules state that users consent must be given via a clear, affirmative act and easily withdrawable by the end-user. Dark patterns, a way of tricking a user into giving more consent than needed with the help of, for example,size of objects, text and button colour could be applied to these notices to trick the user into giving more consent than needed. The objective of the thesis study was to develop a scraper in Python which could analyze web pages automatically against a set of created measurable parameters. That means that first, measurable parameters needed to be defined for the scraper, and then, implemented in such a way that it automatically could find and analyze cookie notices. The scraper was implemented in Python with the help of the browser testing libraries called Splinter and Selenium. The results from the experiment showed that the size of the notices was mostly small, but some pages used up the whole page for the notice. The amount of pre-ticked boxes and the readability of the notices also showed usage of dark patterns. The conclusion that can be drawn from the result is that the GDPR and e-Privacydirective have affected the usage in most web pages, as they seem to use some types of dark patterns to trick the user into giving more consent than is needed to be able to use the web page, and with an improved scraper, the result could show even more / <p>Presentation har redan ägt rum på zoom </p>

General Data Protection Regulation

dark patterns

cookie consent

user privacy

Computer Sciences

Datavetenskap (datalogi)

Elefanten i biblioteket : En studie av svenska folkbiblioteks GDPR-förberedelser / The elephant in the library : A study of Swedish public libraries’ GDPR preparations

Imberg, Louise, Johansson, Jessica

January 2018

Regarded as the biggest change in data protection law in a generation, the General Data Protection Regulation (or simply its more renowned name: the GDPR) is due to take effect on May 25th 2018. The purpose of the GDPR is to strengthen the protection of personal information, harmonize the data protection laws in the entire European Union, and modernize privacy laws to fit today’s technologically advanced society. As good as all organizations have to conform to the new law. Libraries, as prominent bearers of information and personal data, are thus no exception to the rule. This study’s objective is to gain knowledge of Swedish public libraries’ main GDPR preparations, regarding both the practical work and the difficulties they faced during the process. The result is based on the answers from an online survey, sent to every central library in Sweden’s 290 municipalities. 182 answers were received, which generated a response rate of roughly 63 percent. The theoretical analysis derives from five of John Kotter’s eight phases, concerning difficulties in early change management. The authors of this study identify the libraries’ focal points, in relation to the change work, as mainly consisting of inventory of personal data and education in the law. Difficulties are mostly found in understanding the law and how to practice it. Nonetheless, a majority of the Swedish central libraries consider themselves fairly ready for the GDPR when May 25th arrives.

GDPR

General Data Protection Regulation

dataskyddsförordningen

organisationsförändring

förberedelsearbete

personuppgifter

personlig integritet

folkbibliotek

Information Studies

Biblioteks- och informationsvetenskap

Förtroendeskapande vid personuppgiftsbehandling

Östling, Fabian, Nilsson, Patrik

January 2018

Verksamheter har idag behov av uppdaterade kundregister för att skapa konkurrensfördelar,detta har gjort att personuppgifters värde ökat. Detta har i sin tur gjortatt insamlingen av personuppgifter har ökat kraftigt de senaste åren. Samtidigt haroron för hur verksamheter behandlar personuppgifter vuxit. För att göra behandlingenav personuppgifter säkrare och skydda den enskilda individen har EU tagitfram den nya dataskyddsförordningen GDPR vilken träder i kraft 25 maj 2018.Studiens syfte var att undersöka vilka variabler i verksamheters personuppgiftshanteringsom har störst påverkan på kundförtroende. Vår huvudhypotes var att transparensskulle vara den huvudsakliga faktor som skulle skapa förtroende, men viansåg även att tid och säkerhet var två viktiga faktorer. För att uppnå syftet utformadestvå hypoteser där första hypotesen ställer variablerna transparens mot tid+säkerhetoch i andra hypotesen ställs transparens+säkerhet mot transparens+tid. Bådahypoteserna testas i fyra olika scenarier som grundar sig i GDPR. Dessa scenarierär:1. Insamling2. Registerutdrag3. Portabilitet4. Rätten att bli glömdStudiens kvantitativa data har samlats in genom två webbenkäter och den kvalitativadatan samlades in genom kortare intervjuer.Studiens resultat indikerar att transparens är den variabeln som har störst positivpåverkan på kunders förtroende vid insamlingen av personuppgifter. Däremot visarresultatet att variabeln säkerhet har störst påverkan på förtroendet i de senare scenarierna. / Businesses are today in need of updated customer records to create competitiveadvantages, which has led to an increased value of personal data. This has in turnled to an increase in the collection of personal data in recent years. At the same timeconcerns are increasing regarding how personal data is managed. To make dataprocessing more secure and to protect the individual person, a new data protectionregulation has been developed which will become enforceable on 25 May 2018.The purpose of this study was to investigate which variables in data processing havethe greatest impact on customer trust. Our main hypothesis was that transparencywould be the main factor that would create confidence, but we also thought thattime and security were two important factors. To achieve this purpose, two hypotheseswere designed, in the first hypotheses the variable transparency is up againsttime+security and in the second transparency+security is up against transparency+time. Both hypotheses is tested in four different scenarios which all are basedon parts of GDPR. These scenarios are:1. Collection2. Subject access requests3. Portability4. Right to erasureThe study’s quantitative data was collected through two web surveys and the qualitativedata was collected through shorter interviews.The study's results indicate that transparency is the variable that has the greatestpositive impact on customer confidence during the collection of personal data.However, in the case of processing data in later stages of the relationship, securitywas most likely to affect confidence.

förtroendeskapande

personuppgiftsbehandling

transparens

säkerhet.

Engineering and Technology

Teknik och teknologier

Privacy by Design & Internet of Things: managing privacy

Alhussein, Nawras

January 2018

Personlig integritet motsvarar det engelska begreppet privacy, som kan uttryckas som rätten att få bli lämnad ifred. Det har ifrågasatts många gånger om personlig integritet verkligen finns på internet, speciellt i Internet of Things-system eller smarta system som de också kallas. Fler frågor ställs i samband med att den nya allmänna dataskyddsförordningen inom europeiska unionen börjar gälla i maj. I detta arbete studeras privacy by design-arbetssättet som den allmänna dataskyddsförordningen (GDPR) bland annat kommer med. I studien besvaras om privacy by design kommer kunna öka skyddet av den personliga integriteten i Internet of Things-system. För- och nackdelar tas upp och hur företag och vanliga användare påverkas. Genom en litteraturstudie och två intervjuer har frågan kunnat besvaras. Det visade sig att en stor del av problematiken inom Internet of Things avseende personlig integritet kan lösas genom att styra data. I privacy by design-arbetssättet ingår att skydda data i alla tillstånd genom olika metoder som kryptering. På det sättet bidrar privacy by design till ökad säkerhet inom Internet of Things-system. / Privacy means the right to be left alone. It has been questioned many times if privacy really exists on the internet, especially in Internet of Things systems or smart systems as they are also called. More questions occur when the new general data protection regulation (GDPR) within the European Union applies in May. In this paper privacy by design that the general data protection regulation comes with is being studied. This study answers whether privacy by design will be able to increase the protection of privacy in Internet of Things systems. Advantages and disadvantages are also addressed and how companies and common users are affected by the implementation of privacy by design. The question has been answered by a literature review and two interviews. It turned out that a significant part of the problems in Internet of Things regarding privacy may be solved by data management. The privacy by design includes protection of data in all states through different methods such as encryption. In this way, privacy by design contributes to increased security within Internet of Things system.

Internet of Things

Privacy by design

General data protection regulation

Privacy

GDPR

Security

Engineering and Technology

Teknik och teknologier

Privacy Preserving EEG-based Authentication Using Perceptual Hashing

Koppikar, Samir Dilip

12 1900

The use of electroencephalogram (EEG), an electrophysiological monitoring method for recording the brain activity, for authentication has attracted the interest of researchers for over a decade. In addition to exhibiting qualities of biometric-based authentication, they are revocable, impossible to mimic, and resistant to coercion attacks. However, EEG signals carry a wealth of information about an individual and can reveal private information about the user. This brings significant privacy issues to EEG-based authentication systems as they have access to raw EEG signals. This thesis proposes a privacy-preserving EEG-based authentication system that preserves the privacy of the user by not revealing the raw EEG signals while allowing the system to authenticate the user accurately. In that, perceptual hashing is utilized and instead of raw EEG signals, their perceptually hashed values are used in the authentication process. In addition to describing the authentication process, algorithms to compute the perceptual hash are developed based on two feature extraction techniques. Experimental results show that an authentication system using perceptual hashing can achieve performance comparable to a system that has access to raw EEG signals if enough EEG channels are used in the process. This thesis also presents a security analysis to show that perceptual hashing can prevent information leakage.

Bio-signals

Electroencephalogram (EEG)

Perceptual hashing

Data protection.

Biometric identification.

Brain fingerprinting.

Electroencephalography.

Hashing (computer science)

Ochrana osobních údajů před vznikem a při vzniku pracovního poměru / Personal data protection before and during the establishment of the employment relationship

Adámek, Jan

January 2021

Personal data protection before and during the establishment of the employment relationship The diploma thesis is devoted to personal data protection before and during the establishment of the employment relationship. The objective of this thesis is to outline the personal data protection in the context of the employment relationship establishment, to give a comprehensive overview of its legislation in particular, describe the basic terms and principles relating to this subject matter and specify the most important rights and obligations regarding both stages of the employment relationship establishment. The basis for the thesis is primarily the legislation of the General Data Protection Regulation and Personal Data Processing Act 2019 (No. 110/2019 Coll.). The diploma thesis is divided into four chapters. The historical events with a significant influence on the personal data protection development are described in the first chapter. This chapter also explains the concept of a right to privacy and separation of the right to protection of personal data from it. The second chapter deals with personal data protection legislation on the international level, as well as EU level and national level. The third chapter defines selected fundamental terms relating to personal data protection, particularly...

Advance passenger information passenger name record : privacy rights and security awareness

Banerjea-Brodeur, Nicolas Paul

January 2003

No description available.

Data protection -- Law and legislation

Biometric identification

Airline passenger security screening

Privacy, Right of

A Security Analysis of Smartphones

Verma, Ishita

08 1900

Indiana University-Purdue University Indianapolis (IUPUI) / This work analyzes and discusses the current security environment of today's (and future) smartphones, and proposes a security model which will reduce smartphone vulnerabilities, preserving privacy, integrity and availability of smartphone native applications to authorized parties. For this purpose, we begin with an overlook of current smartphone security standards, and explore the threats, vulnerabilities and attacks on them, that have been uncovered so far with existing popular smartphones. We also look ahead at the future uses of the smartphones, and the security threats that these newer applications would introduce. We use this knowledge to construct a mathematical model, which gives way to policies that should be followed to secure the smartphone under the model. We finally discuss existing and proposed security mechanisms that can be incorporated in the smartphone architecture to meet the set policies, and thus the set security standards.

security model

mechanisms

security policies

Smartphones -- Security measures

Mobile computing -- Security measures

Data protection

Data protection in the world of AI : An assessment of the effectiveness of GDPR’s principles in relation to AI-technology and Big Data-analytics

Bitar, Ralph

January 2023

No description available.

AI

Data Protection

EU-law

GDPR

transparency

data minimisation

purpose limitation

Law and Society

Juridik och samhälle

GDPR:s påverkan på CRM-system : En kvalitativ intervjustudie / GDPR’s impact on CRM-systems : a qualitative interview study

Nilsson, Clara, Andersson, Jenny

January 2022

Den här studien syftar till att undersöka vilken påverkan som GDPR haft på verksamheters krav på säkerhet, integritet och funktionalitet vid behandling av personuppgifter i CRM-system. Den 25:e maj 2018 trädde en ny dataskyddsförordning i kraft och ersatte den tidigare Personuppgiftslagen. Dataskyddsförordningen heter GDPR, kort för General Data Protection Regulations, och innehåller lagar och regler gällande insamling, behandling och lagring av personuppgifter. Lagen inrättades av EU parlamentet och gäller för alla organisationer som är verksamma inom EU. GDPR är något som tidigare publicerad forskning menade skulle komma att få en stor inverkan på alla organisationer som behandlar personuppgifter. Tidigare studier presenterade även många negativa konsekvenser av GDPR, bland annat att lagen är mycket svårtolkad och kommer kräva mycket resurser till det omfattande förändringsarbete som behöver genomföras. För insamling av empiri har fyra semistrukturerade intervjuer genomförts med tre olika verksamheter. Respondenterna som deltagit har valts ut enligt ett ändamålsenligt urval som baseras på deras kunskaper gällande GDPR och CRM-system. Den insamlade empirin har sedan analyserats enligt grundad teoris metod. Grundad teori presenterar även ett handlingsparadigm som utgår från tre metakategorier, förutsättning, handling och konsekvens. Från analysen av empirin har vi dragit slutsatsen att GDPR har påverkat verksamheternas krav på CRM-systemets behandling av personuppgifter, då samtliga intervjuade verksamheterna har uttryckt att de behövt genomgå ett omfattande förändringsarbete. GDPR har ställt högre krav på att skydda privatpersoners integritet vilket har fått till följd att verksamheterna stärkt sina säkerhetsåtgärder. Det i sin tur har påverkat CRM-systemets funktionalitet i termer av att ny funktionalitet har implementerats eller begränsats. Studien har även resulterat i en modell som visualiserar skillnader och likheter mellan tidigare forskning och insamlad empiri. Där framkommer det att tidigare forskning presenterar mer negativa följder av GDPR medan empirin menar att även en del positiva faktorer har mynnat ut från arbetet med att anpassa deras CRM-system till GDPR. / The purpose of this study aims to examine the impact GDPR has had on organizations requirements on security, integrity, and functionality regarding processing personal data in CRM-systems. On the 25:th of May 2018 a new data protection law was established and replaced the previous personal data law (PUL). The new data protection law is called GDPR, which is short for General Data Protection Regulations, and provides regulations and legislation regarding collecting, processing, and storing personal data. GDPR was established by the European Commission and applies to all organizations operating within the EU. Previous research presents theories that GDPR will have a great impact on all organizations that process personal data. Early studies also present various negative consequences that will follow from GDPR, for example the fact that the law is very difficult to interpret and will require plenty of resources for the very extensive change work that needs to take place. To collect empirical data, four semi-structured interviews were conducted with three different organizations. The respondents who participated have been selected according to a purposive sampling based on their knowledge of GDPR and CRM-systems. The analysis of the empirical data has been conducted according to the Grounded Theory Method and its action-oriented paradigm that bases on three categories: conditions, actions and consequences. The conclusions drawn from the analysis is that GDPR has had an impact on the organizational requirements for their CRM-systems processing of personal data, as all the interviewed companies have expressed that they have had to undergo extensive change work. GDPR has placed higher demands on protecting the privacy and integrity of private individuals, which has resulted in companies strengthening their security measures. This in turn has affected the CRM system's functionality in terms of the fact that new functionality has been implemented and some has been limited. The study has also resulted in a model that visualizes differences and similarities between previous research and the empiric results. It appears that previous research presents more negative consequences of the GDPR, while the empirical evidence is that some positive factors have also resulted from the work of adapting their CRM system to the GDPR. This study is written in Swedish.

GDPR

Data protection

CRM-system

GDPR

Dataskydd

CRM-system

Information Systems