Providers do not keep secret how their websites use your personal information – it's always shown in their privacy policy. But hardly anybody ever reads that information. That's why PhD candidate Elisa Costante of TU/e has developed algorithms that analyze the privacy policy of websites and calculate their 'privacy costs'. She has also developed a tool that detects abnormal behavior in databases with personal data, to prevent abuse of the data they contain. Costante gained her PhD on Tuesday 31 March.

Costante's work is a prototype and can be built into web browsers, which then give users an advance warning of the extent to which websites make use of their personal data. The tool gives websites a rating of between 0 and 1, where zero stands for 'no privacy costs'. Companies like Google have a very high score, says the researcher: "Google stores every search you make, including when and where you made it and from which devices. That's quite a frightening thought."

In calculating the privacy cost, the Italian researcher looked at factors including the sensitivity of the data and for how long it is stored. Her algorithms also take into account the fact that many web services link many other services, each of which has its own privacy policy. An example is a travel site, which uses the sites of hotels, car rental sites and Google Maps. Costante's tool works in steps: it first looks at the completeness in terms of the subjects included in the privacy policy, then at what they mean, and finally at the seriousness of the way the data is used by the provider.

Unsafe databases

In her PhD research Costante looked at the entire cycle of online data traffic to find solutions to weaknesses for each point in the cycle. She found for example that the databases in which providers store personal data are not secure. They may have access control (who is allowed to access them and what are they allowed to see), but they don't monitor what users do once they have been admitted. To do this, Costante developed a tool that creates profiles of users' regular behavior. It then monitors everything they do, to allow timely detection of deviations.

Data theft such as at Sony, in which data from 77 million PlayStation was stolen a few years ago, can be stopped more quickly with her tool, the TU/e researcher explains. That can save companies costly losses and reputation damage.

There have been earlier attempts to build this kind of tool, but this is the first that gives such low numbers of false alarms and does not significantly slow down data traffic. SecurityMatters, a spin-off from TU/e and the University of Twente, also intends to offer the results of Costante's work as a product, for example to banks.